Magento Security Patches Installation – The Complete Guide
With Magento 1 EOL on June 30, ’20, Magento 2 Migration is highly recommended. Secure your store against potential vulnerabilities and offer the latest features that Magento 2 offers by downloading Magento 2 NOW!
Table of Contents
- What is a Magento Security Patch?
- How to Install Magento Security Patches?
- Reverting an Installed Patch
- Which Magento SUPEE Patches do I need to install in my Magento store?
- Meetanshi Partners with Mage One!
What is a Magento Security Patch?
The Magento platform is loaded with state-of-the-art functionality and has the flexibility of open-source software. Alongside the numerous benefits of an open-source platform, the one major drawback is security threats and vulnerabilities. When a loophole is found, Magento steps in to solve the security issue. As soon as the update is developed and tested, the fix is released as a SUPEE patch.
What Does SUPEE Mean?
Magento internally uses the JIRA system for bug tracking, and patches are released against its support tickets; this is why Magento security patches are named SUPEE patches. Each SUPEE patch contains a self-installing script with updates for all the security issues it covers. The script locates the existing Magento code files that need updating, applies the changes, and saves the result.
How to Install Magento Security Patches?
Due to variations in server access and hosting environments, there is no universal way to install Magento security patches.
There are 3 methods to install Magento security patches, and I have shared all 3 of them; you can choose any of them as per your convenience and access.
Before Patch Installation:
We would not want to lose our data! Sometimes, it may happen that already installed extensions are not compatible with the new patch. So it is advisable to have a backup in case of data loss.
Patch Downloads:
If you are using the “With SSH” or “Run a Script” method, download the security patch from here. If you are using the “Without SSH” method, you can directly download pre-patched files from here.
You must know your Magento version to download the correct patch. You can find your Magento version using Magereport.
With SSH
- Using Secure Shell (SSH) is the most recommended way to apply the patch.
- Run the following commands in the SSH console:
.sh extension:
    sh patch_file_name.sh
.patch extension:
    patch -p0 < patch_file_name.patch
On Linux OS or Ubuntu-derived machines, using sh will throw an error, because sh is meant to be used only with purely POSIX-compliant scripts and the Magento scripts are not 100% POSIX compliant. Instead, on Ubuntu and derived OSes such as Linux Mint, you should use:
    bash patch.sh
- Disable the compiler if the store is already compiled.
- To apply the patch, move the patch file to your Magento directory.
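For the .patch method, a dry run shows whether every hunk applies before any store file is changed. The wrapper below is an added example, not part of the original guide or of Magento's scripts; the function names, the temporary tree and the sample patch are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Magento's own script): dry-run a .patch file before applying.
# Every path, file name and file body below is constructed for the demo.

# Apply a patch from inside the Magento root only if a dry run is clean.
# Pass -R as the third argument to revert instead. Returns 0 on success,
# 1 if the dry run fails (nothing is modified), 2 if the root is missing.
safe_patch() {
    local root=$1 pfile=$2 mode=${3:-}
    (
        cd "$root" || exit 2
        # -N makes an already-applied patch fail cleanly instead of prompting.
        patch -p0 -N $mode --dry-run < "$pfile" >/dev/null 2>&1 || exit 1
        patch -p0 -N $mode < "$pfile" >/dev/null 2>&1
    )
}

# Demo on a throwaway tree: apply, refuse a second apply, then revert.
demo() {
    local root pfile out=""
    root=$(mktemp -d) || return 1
    pfile="$root/demo_fix.patch"
    mkdir -p "$root/app"
    printf '%s\n' '<?php' 'echo $_GET["q"];' > "$root/app/Sample.php"
    cat > "$pfile" <<'EOF'
--- app/Sample.php
+++ app/Sample.php
@@ -1,2 +1,2 @@
 <?php
-echo $_GET["q"];
+echo htmlspecialchars($_GET["q"]);
EOF
    safe_patch "$root" "$pfile"    && out="$out applied"
    safe_patch "$root" "$pfile"    || out="$out second-run-refused"
    safe_patch "$root" "$pfile" -R && out="$out reverted"
    grep -q htmlspecialchars "$root/app/Sample.php" || out="$out original-restored"
    rm -rf "$root"
    echo "${out# }"
}
```

Calling demo prints the sequence of outcomes; on a real store, call safe_patch with the Magento root and the absolute path of the patch file after taking the backup described above.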
Run a Script
- To apply the patch, move the patch file to your Magento directory.
- Disable the compiler if the store is already compiled.
- Create a file named “patch.php” with the following script:
    <?php
    // Wrap the patch script's output so it displays as plain text in the browser
    print("<PRE>");
    // Run the patch script with bash and stream its output to the page
    passthru("/bin/bash PATCH_SUPEE-5344.sh");
    print("</PRE>");
    echo "Done";
    ?>
- Upload the patch.php file to the Magento root folder.
- Run the script from the browser.
    http://www.[yourstore.com]/patch.php
- Delete the “patch.php” file from the Magento server once the patch is installed successfully.
- If you get the following error message, ask your hosting provider to install missing tools or try another method for Magento patch installation.
“Error! Some required system tools, that are utilized in this sh script, are not installed; Tool (s) “patch” is (are) missed, please install it(them).”
Without SSH
Simply extract the pre-patched files below and upload them to your Magento root folder. You can also download these Pre Patched files from GitHub.
Magento SUPEE Patch | Release Date | Version Affected | Issues Addressed |
---|---|---|---|
Magento SUPEE 11346 | June 22, 2020 | 1.5.0.0-1.9.4.4 | Contains multiple security enhancements to secure your Magento stores from cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues. |
Magento SUPEE 11314 | April 29, 2020 | 1.5.0.0-1.9.4.4 | Contains multiple security enhancements to secure your Magento stores from cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues. |
Magento SUPEE 11295 | January 28, 2020 | 1.5.0.0-1.9.4.3 | Contains multiple security enhancements to secure your Magento stores from cross-site scripting, arbitrary code execution, sensitive data disclosure vulnerabilities, and other security issues. |
Magento SUPEE 11219 | October 8, 2019 | 1.5.0.0-1.9.4.2 | Contains multiple security enhancements to secure your Magento stores from remote code execution, cross-site scripting, cross-site request forgery, and other vulnerabilities. |
Magento SUPEE 11086 | March 26, 2019 | 1.5.0.0-1.9.4.0 | Contains multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF), and other vulnerabilities. |
Magento SUPEE 10975 | November 28, 2018 | 1.5.0.0-1.9.3.10 | Contains functional fixes and multiple security enhancements to provide security against remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF), and other vulnerabilities. This release also provides support for PHP 7.2. |
Magento SUPEE 10888 | September 19, 2018 | 1.5.0.0-1.9.3.9 | Contains multiple security enhancements to provide security against cross-site scripting (XSS), cross-site request forgery (CSRF), and other vulnerabilities. |
Magento SUPEE 10752 | June 27, 2018 | 1.5.0.0-1.9.3.8 | Multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF), and other vulnerabilities. |
Magento SUPEE 10570 v2 | Mar 28, 2018 | 1.5.0.1-1.9.3.7 | Released to solve the issue of incomplete checkout when customers try to register during checkout. |
Magento SUPEE 10415 | Nov 28, 2017 | 1.5.0.1-1.9.3.6 | Vulnerable issues like remote code execution, cross-site scripting, and cross-site request forgery issues. |
Magento SUPEE 10266 | Sep 14, 2017 | 1.5.0.1-1.9.3.4 | Unauthorized data leak and authenticated Admin user remote code execution vulnerabilities. |
Magento SUPEE 9767 V2 | May 30, 2017 | 1.5.0.1-1.9.3.3 | Remote code execution, information leaks, cross-site scripting, etc |
Magento SUPEE 9652 | Feb 7, 2017 | 1.5.0.1-1.9.3.1 | Attacks abusing Zend library vulnerability |
Magento SUPEE 8788 V2 | Oct 11, 2016 | 1.5.0.1-1.9.2.4 | Remote code execution, information leaks, cross-site scripting, Zend framework and payment vulnerabilities |
Magento SUPEE 7405 | Feb 23, 2016 | 1.4.0.0-1.9.2.3 | Upload file permissions, merging carts, and SOAP APIs |
Magento SUPEE 6788 | Oct 27, 2015 | 1.4.0.0-1.9.2.1 | Remote code execution, information leaks, and cross-site scripting |
Magento SUPEE 6482 | Aug 4, 2015 | 1.4.0.0-1.9.2.0 | SSRF Vulnerability in WSDL file, Autoloaded File Inclusion in Magento SOAP API, Cross-site Scripting |
Magento SUPEE 6285 | Feb 27, 2018 | 1.4.0.0-1.9.1.1 | Information leaks, request forgeries, and cross-site scripting |
Magento SUPEE 5994 | July 07, 2015 | 1.4.1.0-1.9.1.1 | Admin Path Disclosure, Customer Address Leak through Checkout, Customer Information Leak through Recurring Profile, etc. |
Magento SUPEE 5344 | February 09, 2015 | 1.4.0.0-1.9.1.0 | Remote code execution vulnerability known as the “shoplift bug” that allows hackers to obtain Admin access to a store |
Magento SUPEE 1533 | October 03, 2014 | 1.4.0.0-1.9.0.1 | Execution of arbitrary code on Magento server, change of the permission of existing files to world-writable |
After installing the patches using one of the above methods, flush the Magento cache from Cache Management in the backend. Also, flush the opcode or APC cache.
It is always good to test your work before marking it complete! Do check if the patches are installed properly from here.
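A local check complements the online one: patch.php, uploaded patch scripts and files written by the patch tool should not remain in the web root after installation. The audit below is an added example, not part of the original guide; the file-name patterns are assumptions based on the names used in this guide and on GNU patch behaviour (rejected hunks go to .rej files, pre-patch copies to .orig files), and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: list files that patching can leave behind in the Magento root.
# The name patterns are assumptions based on this guide and on GNU patch behaviour.

# Print one "kind<TAB>relative/path" line per leftover file:
#   runner - patch.php from the "Run a Script" method (reachable from the web)
#   script - uploaded patch scripts and .patch files
#   reject - *.rej: hunks that did not apply, so the patch is only partly installed
#   backup - *.orig: pre-patch copies of code files
audit_leftovers() {
    local root=${1%/} f kind
    find "$root" -type f \( -name patch.php -o -name 'PATCH_SUPEE-*.sh' \
        -o -name '*.patch' -o -name '*.rej' -o -name '*.orig' \) 2>/dev/null |
    LC_ALL=C sort | while IFS= read -r f; do
        case $f in
            */patch.php)  kind=runner ;;
            *.sh|*.patch) kind=script ;;
            *.rej)        kind=reject ;;
            *)            kind=backup ;;
        esac
        printf '%s\t%s\n' "$kind" "${f#"$root"/}"
    done
}

# Demo on a constructed tree: two clean files and three leftovers.
demo_audit() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app/code"
    : > "$root/index.php"
    : > "$root/app/code/Mage.php"
    : > "$root/app/code/Mage.php.rej"
    : > "$root/PATCH_SUPEE-5344.sh"
    : > "$root/patch.php"
    audit_leftovers "$root"
    rm -rf "$root"
}
```

An empty result means none of these files remain; a reject line means the affected file needs to be restored from backup and patched again.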
However, with the nearing of Magento 1 end of life, it is strongly recommended to migrate to the latest Magento 2.4.6 rather than installing Magento SUPEE patches. Upgrading to the latest Magento 2 version is recommended by experts owing to the security and advanced features.
Reverting an Installed Patch
Sometimes it’s necessary to revert an installed patch. You can use the same patch file that you used for installation to revert it; simply run it with the -R flag.
    sh patch_file_name.sh -R
Follow the above steps to secure your Magento store. However, to install the Magento patch, keen knowledge, expertise, and experience are required. If you are a newbie to patch installation or if you want to escape this tiring task of patch installation, you can always check our Magento Security Patches Installation Service to get professional help 🙂
Which Magento SUPEE Patches do I need to install in my Magento store?
Magento stores that are not updated to the latest version need to be patched with the SUPEE patches for security purposes. With so many SUPEE patches available, you may be confused about which patches to install and which are not required.
To help you out with this Magento security patches installation, we have prepared a sheet that you can refer to prior to installing the Magento security patches.
Feel free to share this sheet with Magento 1 store owners!
Meetanshi Partners with Mage One!
Magento 1 End of Life has left many Magento 1 store owners hanging around, confused, and under the threat of security attacks.
We understand the efforts and time you have dedicated to your store and how difficult it is to migrate to Magento 2 all of a sudden.
Merchants need time to plan out the migration process and for the time being, caring about their store security is what Meetanshi will look after!
Yes, Meetanshi has collaborated with Mage One to offer permanent and competent support to the Magento 1 customers.
Meetanshi and Mage One Partnership aim to provide the merchants with more time to migrate to Magento 2 and ensure the security of the store in the process.
Have a secured Magento store!
Keep the security of your Magento store updated to the highest level using our Magento Security Patches Installation Service.
Sanjay Jethva
Sanjay is the co-founder and CTO of Meetanshi with hands-on expertise with Magento since 2011. He specializes in complex development, integrations, extensions, and customizations. Sanjay is one of the top 50 contributors to the Magento community and is recognized by Adobe.
His passion for Magento 2 and Shopify solutions has made him a trusted source for businesses seeking to optimize their online stores. He loves sharing technical solutions related to Magento 2 & Shopify.