Largest-Ever Magecart Campaign – 2000 Magento Stores Hacked

Nearly 2000 Magento 1 stores around the globe have been hacked in the largest Magecart attack since 2015. By injecting malicious code, the attackers could intercept the payment information of store customers. According to the Sansec research report, the security of almost 2000 Magento stores was compromised in this attack. The highlights of this hack are:

  • 1904 distinct Magento stores with a unique keylogger on the checkout page.
  • 10 stores attacked on Friday
  • 1058 stores attacked on Saturday
  • 603 stores attacked on Sunday
  • 233 stores attacked on Monday
All these stores were identified as running Magento 1, for which Adobe ended support on June 30, 2020. The company no longer offers security patches, though third parties like MageOne offer security patches, giving merchants the time required for the Magento 2 migration.


This automated campaign compromised the sensitive data of approximately 10,000 customers. The hackers breached the Magento 1 stores and injected malicious code to capture the payment card details that customers entered in the checkout form. The attack uses the “Magento Connect” section of Magento (now the marketplace), also known as the downloader, to inject JavaScript code into the store that loads malware. Magento Connect is the page where you could install extensions in the store.

Willem de Groot, founder of Sanguine Security (Sansec), identifies this campaign as the largest hack since 2015. The research also says that this campaign may be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago on a hacking forum. A user identified as “z3r0day” announced the sale of a Magento 1 “remote code execution” exploit method with an instruction video, priced at $5,000. He also stated that no admin rights are necessary to inject this code in the JS file!

Is your Magento 1 store security breached?

Check whether there has been an attack by searching the server log files for access to the downloader directory. It would look like this:

  /downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name=

However, if you have blocked access to the downloader directory in your store, or this directory does not exist in your store at all, your store is safe. In several of the hacked stores a mysql.php file was found in the root directory. Also, search for files that are not part of the Magento installation and remove them. Do inform your recent customers about this security breach so that they can take the precaution of changing their passwords and prevent any loss.
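The log search described above can be scripted. The following is an added example, not code from Sansec or from this post; it assumes access logs in the Apache/nginx "combined" format and runs on constructed sample lines. It separates downloader requests the server refused (403/404) from ones it served, since the latter are what need review.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:03:12:45 +0000] "POST /downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name= HTTP/1.1" 200 512 "-" "sample-agent"
198.51.100.23 - - [01/Jan/2020:03:13:02 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 9120 "-" "sample-agent"
203.0.113.7 - - [01/Jan/2020:03:13:10 +0000] "GET /downloader/ HTTP/1.1" 200 2048 "-" "sample-agent"
192.0.2.44 - - [01/Jan/2020:04:01:00 +0000] "POST /downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name= HTTP/1.1" 404 196 "-" "sample-agent"
"""

def find_downloader_hits(lines):
    """Return one record per request whose path is under /downloader/."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.startswith("/downloader/"):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": status,
            # The package-upload action quoted in the article.
            "upload": parse_qs(url.query).get("A") == ["connectInstallPackageUpload"],
            # 403/404 means the directory was blocked or absent at request time.
            "blocked": status in (403, 404),
        })
    return hits

def unblocked_uploads(hits):
    """Count upload requests per client IP that the server did not refuse."""
    return Counter(h["ip"] for h in hits if h["upload"] and not h["blocked"])

if __name__ == "__main__":
    hits = find_downloader_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["time"], h["ip"], h["method"], h["status"],
              "UPLOAD" if h["upload"] else "access",
              "blocked" if h["blocked"] else "served")
    print("Review first:", dict(unblocked_uploads(hits)))
```

To scan a real log, pass an open file object to `find_downloader_hits` in place of the sample lines.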

What can Magento 1 store owners do to avoid such security attacks?

  1. Open the .htaccess file located in the root folder of your Magento installation and add the following line at the beginning: RedirectMatch 404 ^/downloader/.*$
  2. Remove the complete "downloader" directory, which is located in your root directory. Or simply rename it.
To prevent such attacks, you can block access to the downloader folder from all IPs except yours. But that’s only prevention, not a guaranteed solution! The ultimate solution is to select the best Magento 2 migration agency and migrate your store to Magento 2. It is recommended to hire certified Magento developers for this task, as the store’s security and data are concerned. Avoid any common Magento migration mistakes and let the experts handle this task while you focus on new business strategy and how to make the most out of the latest Magento 2 version!

However, for the time being, while you are planning the migration process, there’s an option to secure your Magento 1 stores. Cozmot has partnered with Mage One so that our customers can use the sustainable bug bounty program, under which they get access to the security patches for the store. Earlier, payment processors like Visa and PayPal did request that merchants migrate to Magento 2, as with the end of life for Magento 1 such security hacks were foreseen.

Better now than never: get the developers on the task and offer a secure shopping platform to the customers! Security cannot be overlooked, as it goes hand in hand with customer experience. And if you fail in it, you are out of business soon. Therefore, stay secure, stay safe! (Pun intended 😉) Do share the post far and wide via social media and alert the Magento 1 store owners! Thank you.

How to Disable Checkout in Magento 2


Disabling checkout in Magento 2 can be helpful when you want to allow customers to browse the site, check the products and their prices, and add them to the cart, but not check out and place an order. You can have your own reasons to do so, such as issues with product inventory or shipping. Also, if your product is still in the testing stage and you only want your customers to check a demo but not yet purchase it, you can disable checkout. Or, if you opt for a third-party checkout solution for your Magento 2 store, disabling the default Magento 2 one page checkout makes sense. Whatever the reason, disabling checkout in Magento 2 is easy, as shown here:

Steps to Disable Checkout in Magento 2:

  1. Login to Magento 2 admin panel
  2. Navigate to Stores > Settings > Configuration
  3. Under Sales, select Checkout
  4. Expand Checkout Options section
  5. Set No in the Enable Onepage Checkout field to disable the checkout for existing customers.
  6. Click Save Config button
That’s it. If you have queries, feel free to ask in the Comment section below. I would be happy to solve your problem. Don’t forget to share this post with the Magento Community via social media. Thank you.

How to Disable Guest Checkout in Magento 2


disable guest checkout in Magento 2.

Benefits of restricting guest checkout in Magento 2:

  • Collect maximum customer data in the registration form that can be used for effective marketing strategy
  • Easy repeat purchase for the customers
  • Get updates on ongoing offers and sales in the store
  • Avail the benefits of the upgraded customer group
  • Get relevant product recommendations
Collecting maximum customer data can be even easier in Magento 2 if you restrict guest checkout as the default Magento 2 allows configuring customer accounts. So, the admin can easily mandate the fields required and let customers sign up! However, if you think that disabling guest checkout can slow down the purchase process, Meetanshi’s Magento 2 Guest to Customer extension can be a win-win situation for your business. It allows the admin to auto-convert guests to registered customers after the checkout step is finished. For now, you can simply disable guest checkout in Magento 2 store as shown here:

Steps to Disable Guest Checkout in Magento 2:

  1. Login to Magento 2 admin panel
  2. Navigate to Stores > Settings > Configuration
  3. Under Sales, select Checkout
  4. Expand Checkout Options area
  5. Set No in Allow Guest Checkout to disable the checkout for guests.
  6. Click Save Config
That’s it. If you want to go one step further and restrict visitors from accessing store pages until they register, you can check Magento 2 Force Login, where the admin can control access to the store and display an alert message for compulsory login. If you have doubts, feel free to ask a question in the Comments section below. Let me help you solve your problem. Do consider sharing this post with the Magento Community via social media. Thank you.

How to Configure Magento 2 Quote Lifetime


configure Magento 2 quote lifetime depending on the type of business, their products, and market demand. The steps below show how to do it. Once you configure the cart quote lifetime in your Magento 2 store, if a customer leaves the cart unattended, the price automatically updates after the number of days set as the quote lifetime.

Steps to Configure Magento 2 Quote Lifetime:

  1. Login to Magento 2 admin panel
  2. Navigate to Stores > Settings > Configuration
  3. Under Sales, select Checkout
  4. Expand Shopping Cart area
  5. In Quote Lifetime(days), enter the days for quote lifetime based on your requirement.
  6. Click Save Config
That’s it. If you have a question or need more help, feel free to ask in the Comment section below. I’d be happy to help. Do consider sharing this post with Magento Community via social media. Thanks.

How to Show Prefix Field in Magento 2


Steps to Show Prefix Field in Magento 2:

  1. Login to Magento 2 admin panel
  2. Navigate to Stores > Settings > Customers
  3. Under Customer, select Customer Configuration
  4. Expand Name and Address Options
  5. Set Required in the field “Show Prefix”
  6. Enter the Prefix Dropdown Options that you want to appear in the list using a semicolon separator.
  7. Save the configuration
That’s it. In the frontend, the prefix field is displayed in the registration form. The prefix field is also displayed when the customer adds a new address in the “My Account” section. If you have queries, feel free to ask in the Comment section below. I would be happy to solve your problem. Also, do share this post with the Magento Community via social media. Thank you.