Keeping your website secure
Every so often Magento releases a new security patch which fixes vulnerabilities in websites and prevents hacking.
A number of paches have been released in 2015. Each time a new comes out we send out an email to all of our clients advising them of the patch.
For crucial patches, or patches that MUST be installed, we will automatically do this for each website that we host.The client must specifically make a request if they do not want the patch installed, and are given this opportunity when we email them with details about the patch.
How do we determine if a patch is crucial?
A patch may be considered crucial if not installing the patch poses a high security risk to our servers.
We may also consider the patch crucial if the risk of hacking is critically high if the patch is not installed or if not installing the patch leaves a high risk of sensitive data being stolen.
All patches released by Magento are important and should be installed on all client websites. However some patches may not be considered as crucial. In this case the client will be asked to provide their approval for the patch to be installed on their website/s. If they do not give their request then we will not install the patch.
Vulnerability for non-patched websites
Websites that are missing patches are at a higher risk of being hacked. A perfect example of this is the Guruincsite malware (Neutrino exploit kit) which took advantage of websites which did not have a certain patch installed that was released in early 2015. http://magento.com/security/news/important-security-update
Emailing the client
When a new patch is released, we email our clients straight away. It is important to alert our clients quickly
- So that we are efficient in our job
- Websites are at risk as soon as a new patch is released
When we email, we give certain information
- The patch number/name
- A link to Magento's page about the patch
- The time it will take to install
- A general summary of the patch
- If it is crucial or optional
- Highlight the importance of website security