Ten ideas to fix Magento's reverse brand ambassadors


Ecommerce people have been making long hours, as more stores were hacked in 2016. Magento saw a rise of Shoplift and brute force attacks. Stores that follow best practices should not worry. But a majority of stores do not keep up with patches and strong passwords, and get hacked sooner or later. These negligent merchants become reverse brand ambassadors. Which is ultimately a bad thing for everybody but.. Demandware.

The bottomline is: how to secure thousands of badly maintained stores? Nobody has found a really good solution yet, and - interestingly - there has been little public debate so far. Here are 10 ideas to get the conversation started!

  1. Crawl all 300K contact forms of vulnerable stores to reach the beneficial owner. So far, Magento has been contacting people who entered an email on the download page (ie, technicians). The response rate has been “very low”. Academic research claims only 5.8% of actual website owners can be reached in case of a vulnerability issue. Now, I think we have an edge with Magento because of the standardized contact form implementation (easy to scrape). Second, the recipient of the contact form has likely a larger interest in fixing the site than the tech who did the initial install but is no longer on the project.

  2. Encourage hosting companies (HSPs) to enforce secure installations. Magento Inc could promote HSPs that actively engage in protecting their merchants’ security. All of Magento’s official hosting partners are “committed to security” but few actively block the latest threats. HSPs can leverage intrusion prevention systems (IPS), and assist their customers with patching and incident response. Hacked, abandoned stores should be locked-down pro-actively to stop them spreading malware.

  3. Publish a nematode: a friendly, autonomous worm that crawls the Internet and fixes vulnerable stores. Slightly unconventional, but nevertheless proven valuable in the past. A well written nematode would fix all Shoplift-susceptible stores globally within 30 minutes. In fact, this is slowly happening right now, but by the bad guys: hacker groups are already closing the Shoplift hole after they got in, to keep competing hackers out.

  4. Government could tighten incident disclosure laws, so that hacked stores would actually notify their customers upon data theft. At the moment, this is certainly not the case, and merchants get away with sloppy maintenance. (Proof: I have placed canary orders at stores that I knew were hacked, and I was never notified afterwards. Were you ever?) This would be a great incentive for merchants to spend money on maintenance. Current laws are lobbied down to be very vague, and where the law actually dicates disclosure, enforcement agencies are seriously understaffed (eg in Holland).

  5. Set up a malware signature collection, and empower system administrators to easily detect security breaches (and submit new signatures). So far, two HSPs have shared their malware rules: NBS and Byte. The effectivity of these rules would get a boost if more HSPs joined. Both Magemojo and Lexiconn have already pledged to contribute.

  6. Set up a searchable archive of ecosystem vulnerabilities, similar to wpvulndb for Wordpress. At the moment, only Magento Inc and a few vendors have processes to disclose vulnerability information. And this information is not standardized or even accessible from a single place. Most vendors fix security bugs but write a small note deep in their release notes (if at all). Standardizing and vetting security announcements is quite a lot of work, but let’s start with a low-effort centralized repository of statements. Once we have that, somebody will publish a n98-magerun plugin the same day.

  7. Implement and enforce an immutable document root in Magento (and offload somewhat volatile data such as media to a CDN). This would prohibit attackers to hide malware on the server. The required technical changes are no deal breaker for the Magento core, but several 3rd party modules assume a writeable document root. Supporters include Max Pronko, Ivan Cherpurnyi and Fabrizio Branco.

  8. Magento could enforce Content Security Policy headers by default. This would make it harder for hackers to inject malicious javascript in a site. Scott Arciszewski has written a proposal for this. Max Chadwick also has a few insights on restricting “Miscellaneous HTML” in the backend.

  9. Magento could encourage Google to block compromised sites in Chrome. At the moment, Google’s Safe Browsing team has about 10% of compromised stores in its filter. Blocking is a rude measure, but without it, the hijacking of private data continues and total damage increases.

  10. Magento Inc could hire more vulnerability researchers to find bugs before they get released. Magento has many top of the bill engineers already, but hunting security flaws is a specialized art. To identify the best Magento bug hunters globally, one would simply have a look at the credits in the latest patch releases. I posit that if Magento Inc paid the best bug hunter $200k per year and s/he would find just a single RCE exploit in unreleased code, it would be an absolute bargain.

  11. Organize a dedicated MageStackDay to increase patch rates globally. Or, as Anna Völkl called it, a MagePatchDay! Enthusiastic volunteers would teach merchants why and how to get their security on par. Especially the “why”.

  12. Give small time merchants a discount for Shopify. The long tail of Magento installations are people who chose Magento just because it is a “free download”, but have only 3 SKUs. They will not pay an agency $20k for proper maintenance and will certainly not pay Magento Inc for an Enterprise license. So it would be good for everybody if these stores converted to a SaaS solution with zero maintenance.

Yes, more than ten, the ideas just kept coming! I must still have missed a couple though. Are you a concerned professional? What works and what doesn’t?

I am the founder of MageReport, a free service to check the security and performance of your store. Get updated on my new posts via Twitter: