Magento Security Patch SUPEE-6788 installation

Magento has released a new security patch that changes many parts of Magento and, as a result, will affect your store. Follow the practices below when installing it; otherwise the patch can break your store.

Preparing to install the SUPEE-6788 patch

Before you install the Magento security patch you MUST install all previous security patches. This will ensure that it can be properly installed. In addition, you should follow these other recommendations:

  1. Create a development environment and install the patch there first. The patch makes many changes to the Magento core that will break extensions and customizations.
  2. Move the changes to production only after your development environment has been fully tested.

What are some of the behavior changes of Magento after the patch?

  1. Bypassing the admin.html module for admin URLs will no longer work. Any extension that does this will stop working after the patch is installed.
  2. SQL field names and quoted field names will no longer be allowed in collection filtering. Any extension that relies on this will not work after the patch.
  3. The Magento CMS now uses a whitelist of allowed block and config directives.

If you are using any extensions that are affected, they will stop working. Wait to update until those issues are resolved for your store.

Okay, I am ready. What are the installation steps?

Download the patch; you will receive an .sh file. Upload it to your Magento root directory and run the following in a shell, replacing [file name] with the actual name of the downloaded .sh file.
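The preparation steps above (all previous patches applied first, a backup, then the patch run from the Magento root) can be scripted. The helper below is an added example, not Magento's or Extendware's own tooling. It assumes the Magento 1 layout in which patch scripts record themselves in app/etc/applied.patches.list with the patch id somewhere on each line, and it takes the list of prerequisite patch ids from the caller, since the post names none. The `demo_run` function exercises the flow in a throwaway directory with a constructed patch list and a constructed stand-in for the real patch script.

```python
"""Pre-flight checks and install helper for a Magento 1 SUPEE patch .sh file.

Added example, not Magento's or Extendware's own code. Assumptions:
  * Magento 1.x layout: patch scripts record themselves in
    app/etc/applied.patches.list, and each line mentions the patch id
    (SUPEE-NNNN) somewhere on the line.
  * The prerequisite patch ids are supplied by the caller; the post only
    says "all previous security patches" and names none.
"""
import os
import re
import subprocess
import tarfile
import tempfile
import time

APPLIED_LIST = os.path.join("app", "etc", "applied.patches.list")
PATCH_ID = re.compile(r"SUPEE-\d+")


def applied_patches(magento_root):
    """Patch ids recorded in app/etc/applied.patches.list (empty set if none yet)."""
    path = os.path.join(magento_root, APPLIED_LIST)
    if not os.path.isfile(path):
        return set()
    found = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            found.update(PATCH_ID.findall(line))
    return found


def missing_prerequisites(magento_root, required):
    """Prerequisite patches not yet recorded as applied, sorted."""
    return sorted(set(required) - applied_patches(magento_root))


def backup_store(magento_root, backup_dir):
    """Archive the code tree (everything except var/ and media/) before patching,
    so the store can be rolled back if the patch breaks an extension."""
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, "magento-%s.tar.gz" % time.strftime("%Y%m%d-%H%M%S"))
    with tarfile.open(archive, "w:gz") as tar:
        for entry in os.listdir(magento_root):
            if entry not in ("var", "media"):
                tar.add(os.path.join(magento_root, entry), arcname=entry)
    return archive


def apply_patch(magento_root, patch_file, required, backup_dir):
    """Run the downloaded .sh file from the Magento root, after the checks above.

    Returns the backup archive path; raises RuntimeError if a prerequisite
    patch is missing or the .sh file is not sitting in the Magento root.
    """
    missing = missing_prerequisites(magento_root, required)
    if missing:
        raise RuntimeError("install these patches first: " + ", ".join(missing))
    if not os.path.isfile(os.path.join(magento_root, patch_file)):
        raise RuntimeError(patch_file + " must be uploaded to the Magento root")
    archive = backup_store(magento_root, backup_dir)
    # Same as typing `sh [file name]` in the Magento root; a non-zero exit
    # (the patch refused to apply) raises CalledProcessError.
    subprocess.run(["sh", patch_file], cwd=magento_root, check=True)
    return archive


def demo_run():
    """Exercise the flow in a throwaway directory with a constructed patch list
    (SUPEE-0001 / SUPEE-0002 are made-up ids) and a constructed stand-in for
    the patch script that only records itself in applied.patches.list."""
    root = tempfile.mkdtemp(prefix="magento-demo-")
    os.makedirs(os.path.join(root, "app", "etc"))
    with open(os.path.join(root, APPLIED_LIST), "w") as fh:
        fh.write("2015-07-07 10:00:00 UTC | SUPEE-0001 | CE_1.x | v1 | constructed\n")
    with open(os.path.join(root, "fake-patch.sh"), "w") as fh:
        fh.write('echo "2015-10-28 09:00:00 UTC | SUPEE-6788 | CE_1.x | v1 | constructed"'
                 " >> app/etc/applied.patches.list\n")
    result = {"missing_before": missing_prerequisites(root, ["SUPEE-0001", "SUPEE-0002"])}
    try:
        apply_patch(root, "fake-patch.sh", ["SUPEE-0002"], tempfile.mkdtemp())
        result["blocked"] = False
    except RuntimeError:
        result["blocked"] = True       # refused: SUPEE-0002 was never applied
    archive = apply_patch(root, "fake-patch.sh", ["SUPEE-0001"], tempfile.mkdtemp())
    result["backup_exists"] = os.path.isfile(archive)
    result["applied_after"] = sorted(applied_patches(root))
    return result


if __name__ == "__main__":
    print(demo_run())
```

Run it against a real store as `apply_patch("/path/to/magento", "[file name].sh", ["SUPEE-…"], "/path/to/backups")` from the development environment first, exactly as the steps above recommend; the backup lands outside the store so the patch's own file checks are not disturbed.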

Secure Magento admin login with two-factor authentication

Two-Factor Authentication is a great way to secure your Magento admin area. Imagine a hacker or someone else gaining access to your backend: not only could they destroy data and harass customers, they could also steal valuable business data, and the end result could be customers losing confidence in your store. The best two-factor authentication is using Google Authenticator for Magento.

What is two-factor authentication?

Two-factor authentication increases the security of your Magento login by requiring an additional authentication method. Normally, you would input your password only. With two-factor authentication that is compatible with Google Authenticator, you would also input a one-time access code. This access code changes every 60 seconds, so it is nearly impossible for an attacker who has only your password to log in. By combining these two methods (two factors) your login is much more secure.
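What a Google Authenticator-compatible code actually is, and what the admin side has to do with it, is shown in the added example below (this is not the extension's code). It implements the RFC 6238 time-based one-time password that Google Authenticator generates: HMAC-SHA1 of the current time step, dynamically truncated to six digits. The step length is a parameter; the example uses the RFC default of 30 seconds. It also assumes a server-side record of the last accepted step per user, so that a code that was captured by a key logger cannot simply be replayed, and it uses a constant-time comparison.

```python
"""TOTP second factor for an admin login, as in RFC 6238 (the scheme Google
Authenticator implements). Added example, not the extension's own code.
Assumptions: SHA-1, 6 digits, a 30 second step (the RFC default; the step
length is a parameter), and a server-side store of the last accepted time
step per user so a captured code cannot be replayed.
"""
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, timestamp, step=30, digits=6):
    """Code for the time step containing `timestamp` (HOTP over floor(t/step))."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(timestamp) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


class SecondFactor:
    """Verifies admin TOTP codes; one instance per store, keyed by username."""

    def __init__(self, step=30, window=1):
        self.step = step
        self.window = window          # accept +/- this many steps of clock drift
        self.last_step = {}           # username -> last time step that was accepted

    def verify(self, username, secret_b32, submitted, now):
        """True if `submitted` is valid around `now` and newer than the last accepted code."""
        submitted = submitted.strip().replace(" ", "")
        current = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            step = current + drift
            if step <= self.last_step.get(username, -1):
                continue               # that step was already used: refuse the replay
            expected = totp(secret_b32, step * self.step, self.step)
            if hmac.compare_digest(expected, submitted):
                self.last_step[username] = step
                return True
        return False


def admin_login(password_ok, second_factor, username, secret_b32, code, now):
    """Both factors must pass. The code is only checked after the password, so a
    wrong password does not consume a valid one-time code."""
    return bool(password_ok) and second_factor.verify(username, secret_b32, code, now)
```

The secret is the base32 string the user scanned into the Authenticator app; it must be stored server-side with the same care as a password hash, because anyone holding it can generate codes.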

How do I enable two factor authentication for Magento?

You should install the Two-Factor Authentication Magento Extension for your store and then go to System -> Permissions -> Users and enable it for specific users.

Great! What else can I do for a secure backend?

In addition to using the Google Authenticator Magento extension, you can change your store admin URL. Leaving your store admin URL at yourstore.com/admin is bad for security. To resolve this, simply edit the file at app/etc/local.xml and change the admin front name (the "admin" segment of the URL) to something else.


Quick Overview

Protect your store from key loggers, connection sniffing, unprotected wifi connections, and other threats with our two-factor authentication system. If you ever log in to your store over wifi or on a public computer, then you urgently need this extension.


Magento Bot Blocker and Anti-Spam Captcha Released

Extendware’s Magento Anti-Spam Captcha is important for every store because spam reduces productivity, wastes server resources, and can make your site look unprofessional (in the case of spam reviews that advertise other Web sites). Magento Anti-spam Captcha fixes this by putting a CAPTCHA on your most important forms.

The only problem is that CAPTCHAs can annoy users and discourage your customers from performing certain activities. We have worked to solve this by implementing three new features in Spam and Bot Protection:

  • OpenCaptcha Support – Previously, only Google reCAPTCHA was supported, which some users found too difficult. Now we support OpenCaptcha, which is much easier for users to solve while still protecting against bots (reCAPTCHA is still supported for those who want it).
  • Unlocked Actions – After solving one CAPTCHA, you may configure the next X actions to NOT require a CAPTCHA. This means that if a user writes a review on your Web site and solves a CAPTCHA, this proves they are human. They will not be asked to solve another CAPTCHA until they perform X more actions (X more reviews, X more contacts, etc).
  • Only Ask Guests – This feature has always existed, but has been underutilized. With this option only customers who are not logged in will be asked to solve a CAPTCHA. Logged-in customers will not be asked.
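How the three options interact is easiest to see as a small server-side policy. The following is an added example, not the extension's own code. It assumes `captcha_solved` is the result the chosen backend (reCAPTCHA or OpenCaptcha) has already returned for the current request, and that `session` is the server-side session store, so the remaining-free-actions counter cannot be edited from the browser.

```python
"""Server-side CAPTCHA policy covering the three options: a pluggable backend,
"unlocked actions" after one solve, and "only ask guests".
Added example, not the extension's own code. Assumptions: `captcha_solved`
is the verdict already returned by the chosen CAPTCHA backend for this
request, and `session` is the server-side session store.
"""

CREDITS_KEY = "captcha_credits"      # free actions left after the last solved CAPTCHA


class SpamProtection:
    def __init__(self, only_ask_guests=True, unlocked_actions=0):
        self.only_ask_guests = only_ask_guests
        self.unlocked_actions = unlocked_actions   # the "X" from the feature list

    def exempt(self, logged_in):
        """Logged-in customers are never asked when 'Only Ask Guests' is on."""
        return logged_in and self.only_ask_guests

    def captcha_required(self, session, logged_in):
        """Should the form currently shown to this visitor carry a CAPTCHA?"""
        if self.exempt(logged_in):
            return False
        return session.get(CREDITS_KEY, 0) <= 0

    def handle_submission(self, session, logged_in, captcha_solved):
        """Returns 'accepted' or 'captcha_required' for one protected form
        (review, contact, ...), updating the visitor's remaining free actions."""
        if self.exempt(logged_in):
            return "accepted"
        if session.get(CREDITS_KEY, 0) > 0:
            session[CREDITS_KEY] -= 1                  # spend one unlocked action
            return "accepted"
        if not captcha_solved:
            return "captcha_required"
        session[CREDITS_KEY] = self.unlocked_actions   # proved human: unlock X more
        return "accepted"


def simulate(policy, logged_in, submissions):
    """Run a sequence of captcha_solved flags through one visitor's session and
    return the outcomes; the dict stands in for the real session store."""
    session = {}
    return [policy.handle_submission(session, logged_in, solved) for solved in submissions]
```

With `unlocked_actions=0` every protected submission needs a solved CAPTCHA, which is the old behaviour; with X greater than zero a guest who solved one is left alone for the next X submissions and then asked again.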

With these changes we are confident that your store will find a better balance between protection from spammers and bots and keeping the experience of your live, human customers as good as possible.