What You Need to Know About Magento’s Newest Security Patch: SUPEE-6788


By Joel Holtzman


On October 27, 2015, Magento released patch SUPEE-6788, which addresses several security issues, including information leaks and remote code execution. Threats of this kind can compromise a site in many ways, such as malware scripts running on your server or sensitive information being stolen. The patch lets Magento store owners close these holes but, unlike most patches, it can be tricky to implement. There are a few things you need to know before applying it.

First, Know The Magento Version You Are Currently Using

When you log into your Magento admin panel, you will see the Magento version listed in the footer at the bottom of the page. If you are on Community (Free) Edition, you may be on version 1.9.0.1, for example. If you are on Community Edition and have version 1.9.2.2 installed, which as of this writing is the most recent release, then your site already contains the fix. Any earlier version requires either the patch or an upgrade of Magento. If you are on Enterprise (Paid) Edition, the same applies with version 1.14.2.2: that release contains the fix, and anything earlier needs the patch applied. Note that the footer only tells you which release you are on, not which patches have been applied to it; patches installed with Magento's patch scripts are recorded in app/etc/applied.patches.list, so check that file as well.
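The admin footer is easy to misread, so here is the same check done on the server. This script is an added example, not part of the original article or of Magento's own tooling: it reads the release from the getVersionInfo() array in app/Mage.php, picks the baseline for the edition (CE 1.9.2.2 or EE 1.14.2.2, detected by the presence of app/code/core/Enterprise), and then looks for SUPEE-6788 in app/etc/applied.patches.list. The exact line format of that log, the REVERTED marker used to recognise a backed-out patch, and the fixture tree built by make_fixture are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: read the Magento 1.x release
# and the applied-patch log from the command line instead of trusting the
# admin footer. Assumptions: a Magento 1 tree with app/Mage.php (whose
# getVersionInfo() array holds the version) and app/etc/applied.patches.list
# (one line per patch run, written by Magento's patch scripts; a REVERTED
# marker on a line is assumed to mean the patch was backed out again).
# The fixture built by make_fixture is constructed for this example.

# Print major.minor.revision.patch taken from getVersionInfo() in app/Mage.php.
magento_version() {
  awk -F"'" '
    /function getVersionInfo/  { inside = 1 }
    inside && $2 == "major"    { v["major"]    = $4 }
    inside && $2 == "minor"    { v["minor"]    = $4 }
    inside && $2 == "revision" { v["revision"] = $4 }
    inside && $2 == "patch"    { v["patch"]    = $4 }
    inside && /\);/            { exit }
    END { printf "%s.%s.%s.%s\n", v["major"], v["minor"], v["revision"], v["patch"] }
  ' "$1/app/Mage.php"
}

# CE or EE: Enterprise Edition ships its own code pool under app/code/core/Enterprise.
magento_edition() {
  if [ -d "$1/app/code/core/Enterprise" ]; then echo EE; else echo CE; fi
}

# True (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# True when the release predates the first build that contains the fix
# (CE 1.9.2.2, EE 1.14.2.2) and SUPEE-6788 is not recorded as applied.
needs_supee_6788() {
  root="$1"
  ver=$(magento_version "$root")
  case "$(magento_edition "$root")" in
    EE) fixed=1.14.2.2 ;;
    *)  fixed=1.9.2.2 ;;
  esac
  version_lt "$ver" "$fixed" || return 1          # release already contains the fix
  log="$root/app/etc/applied.patches.list"
  [ -f "$log" ] || return 0                       # nothing was ever patched
  # the last mention wins: an apply followed by a revert means the patch is gone
  last=$(grep 'SUPEE-6788' "$log" | tail -n 1)
  [ -n "$last" ] || return 0
  case "$last" in
    *REVERTED*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Constructed fixture: a CE 1.9.2.1 tree with SUPEE-6788 logged as applied.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/app/etc"
  cat > "$dir/app/Mage.php" <<'EOF'
<?php
final class Mage {
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '2',
            'patch'     => '1',
            'stability' => '',
            'number'    => '',
        );
    }
}
EOF
  cat > "$dir/app/etc/applied.patches.list" <<'EOF'
2015-10-28 09:15:02 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | constructed sample line
EOF
  echo "$dir"
}

# Run against a real install: MAGENTO_ROOT=/path/to/magento sh check_supee.sh
if [ -n "$MAGENTO_ROOT" ]; then
  if needs_supee_6788 "$MAGENTO_ROOT"; then
    echo "$(magento_edition "$MAGENTO_ROOT") $(magento_version "$MAGENTO_ROOT"): SUPEE-6788 NOT applied"
  else
    echo "$(magento_edition "$MAGENTO_ROOT") $(magento_version "$MAGENTO_ROOT"): covered"
  fi
fi
```

The script name check_supee.sh is hypothetical. It only knows about patches installed through Magento's patch scripts; a patch applied by hand with `patch` leaves no entry in applied.patches.list, so in that case inspect the changed files directly.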

Second, Make Sure You Know Which Modules Need To Be Upgraded

Many third-party modules that Magento stores depend on are affected by this patch, especially those that add their own admin pages. Many extension developers have released updates that you must install to be fully compatible with the patch. If you have not done so, make a list of all the third-party extensions you have purchased and contact each developer to request an update, if necessary. You can also ask them to install it for you to ensure it is done properly; they can then test it against the patch and confirm you are up to date.

Third, Pay Attention To Your Theme

We happen to develop many sites with Ultimo, and there have been conflicts between this theme and the patch. If you have a custom theme, make sure to request an updated version that is suited to work with this patch.

Have all of this confirmed before you either apply the new patch or upgrade Magento. It is also recommended to have your web host set up a development site, which is a copy of your live site. So if your live site is:

www.mysite.com

your web host would create

dev.mysite.com

If you have access to your DNS settings (usually at your registrar or DNS provider), you can create an 'A record' for the subdomain and point it at your server's IP address; your web host can give you that address. They can then help make sure the dev subdomain works and clone the database and files from your live site. That way, you can run your patch tests, module upgrades and theme upgrade in a safe environment and know for sure what may or may not go wrong before you touch your live site. Because the clone contains your live database, including customer data, restrict access to it (for example with HTTP authentication) and take it down once testing is finished.

What Else Should You Know?

One of the issues with this patch is that some modules, when you try to view their settings in the Magento admin area, either do not load or cause errors. This is because the patch changes how admin routes are handled, and those modules need an update for the new behaviour. The related setting is found in System -> Configuration -> Advanced -> Admin, under the 'Security' section, as the option:

"Admin routing compatibility mode for extensions" -> This setting controls the fix for one of the noted exploits. When it is set to 'Disabled', Magento enforces the new admin routing and the protection is in effect. When it is 'Enabled', the old routing is kept so that extensions which have not yet been updated keep working, but that protection is not in place. Unfortunately, some modules need an update before the setting can be disabled without interfering with their functionality. That is why you will be contacting the module developers; odds are they have already addressed this. From our experience, most of the key modules our clients depend on have the necessary updates. But you need to test each module after it is upgraded: with the setting 'Disabled', log into the admin and make sure you can still open and edit the settings of each updated module. If not, contact the developer and have them look into it. You can usually tell something isn't right when you click on the module's settings and see a blank white page, a 404, or an error output instead of the form fields, tabs and settings you would normally see. Once every module passes this check, leave the setting at 'Disabled'.
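Rather than clicking through every module's settings page, you can find the extensions that still rely on the old admin routing before disabling compatibility mode. The script below is an added example, not code from the article or from any extension vendor: it scans each module's config.xml and flags any router under `<admin><routers>` that is not the core adminhtml router and declares `<use>admin</use>` with its own frontName, which is the pattern the new routing no longer serves; an updated extension instead adds its controllers to the adminhtml router. The directory layout app/code/<pool>/<Vendor>/<Module>/etc/config.xml and the one-tag-per-line formatting are assumptions, and the Acme_* modules built by make_fixture are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article or any extension vendor: list
# extensions whose config.xml still registers a standalone admin router
# (<use>admin</use> with its own frontName). Those admin URLs only keep
# working while "Admin routing compatibility mode for extensions" is Enabled;
# updated extensions hang their controllers off the adminhtml router instead.
# Assumptions: modules live under app/code/<pool>/<Vendor>/<Module>/etc/config.xml
# and tags sit one per line, as Magento's own config files are laid out.
# The Acme_* modules built by make_fixture are constructed for this example.

# Print "config.xml path<TAB>router name<TAB>frontName" for each legacy admin router.
legacy_admin_routers() {
  for cfg in "$1"/app/code/*/*/*/etc/config.xml; do
    [ -f "$cfg" ] || continue
    awk -v file="$cfg" '
      function trim(s) { sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s }
      function inner(s, tag) { sub("^<" tag ">", "", s); sub("</" tag ">.*$", "", s); return s }
      /<admin>/      { in_admin = 1 }
      /<\/admin>/    { in_admin = 0 }
      in_admin && /<routers>/   { in_routers = 1; next }
      in_admin && /<\/routers>/ { in_routers = 0; next }
      in_routers {
        line = trim($0)
        # a bare tag directly under <routers> names a router; track it until it closes
        if (!router && match(line, /^<[A-Za-z_][A-Za-z0-9_]*>$/)) {
          router = substr(line, 2, RLENGTH - 2); use = ""; front = ""
          next
        }
        if (line ~ /^<use>/)       use   = inner(line, "use")
        if (line ~ /^<frontName>/) front = inner(line, "frontName")
        if (line == ("</" router ">")) {
          if (use == "admin" && router != "adminhtml")
            printf "%s\t%s\t%s\n", file, router, front
          router = ""
        }
      }
    ' "$cfg"
  done
}

# write_config <root> <Vendor_Module> <xml inside <config>>: constructed module stub
write_config() {
  dir="$1/app/code/local/${2%%_*}/${2#*_}/etc"
  mkdir -p "$dir"
  printf '<?xml version="1.0"?>\n<config>\n%s\n</config>\n' "$3" > "$dir/config.xml"
}

# Constructed fixture: one legacy admin router, one updated module, one frontend-only module.
make_fixture() {
  root=$(mktemp -d)
  write_config "$root" Acme_Legacy '    <admin>
        <routers>
            <acme_legacy>
                <use>admin</use>
                <args>
                    <module>Acme_Legacy</module>
                    <frontName>acme_legacy</frontName>
                </args>
            </acme_legacy>
        </routers>
    </admin>'
  write_config "$root" Acme_Updated '    <admin>
        <routers>
            <adminhtml>
                <args>
                    <modules>
                        <Acme_Updated before="Mage_Adminhtml">Acme_Updated_Adminhtml</Acme_Updated>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>'
  write_config "$root" Acme_Front '    <frontend>
        <routers>
            <acme_front>
                <use>standard</use>
                <args>
                    <module>Acme_Front</module>
                    <frontName>acme</frontName>
                </args>
            </acme_front>
        </routers>
    </frontend>'
  echo "$root"
}

# Run against a real install: MAGENTO_ROOT=/path/to/magento sh find_legacy_routers.sh
if [ -n "$MAGENTO_ROOT" ]; then
  legacy_admin_routers "$MAGENTO_ROOT"
fi
```

The script name find_legacy_routers.sh is hypothetical. Each line it prints is one extension to chase with its developer; an empty result for your install is the point at which disabling compatibility mode is safe, subject to the click-through test described above, since a module can also break for reasons the config scan cannot see.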

Another thing to consider, if you have had custom work done, is to make sure it was done properly: through your own theme and code overrides (a custom design package under app/design/frontend and the app/code/local code pool) rather than by editing core files under app/code/core or app/design/frontend/base/default. Otherwise the patch may fail to apply cleanly, because it modifies those core files, and an upgrade will overwrite your changes. The odds are this is not the case, but it is good to know.

Summary

While it may seem a bit stressful, this patch is an important one, and if you plan properly you can have a smooth transition in applying the necessary security to your website. It is important to make sure that every third-party developer does their part and takes the time to implement the fix and test it for you. If you have any questions or need help updating your site, please contact us to learn more about how we handle the upgrade process.

Magento Development Lead