How to Clean a Hacked Magento Site

Introduction

Sucuri is committed to helping Magento website administrators identify and clean their hacked ecommerce sites. We put together this guide to help users of the open-source Magento Community Edition CMS in the process of identifying and cleaning a Magento hack. This is not meant to be an all-encompassing guide but should address most of the infections we see.

  • Blocklist warnings by Google, Bing, McAfee, etc.
  • Customer concerns about strange credit card activity.
  • Lost sales or abnormal checkout page behavior.
  • Spam keywords in product listings and SERPs.
  • Host suspends your store for malicious activity.
  • File modifications or Magento core integrity issues.
  • New or unknown admin users in Magento backend.

1

Identify Hack

1.1 - PCI Compliance Considerations

Whenever an ecommerce website is hacked, one of the primary concerns is customer credit card data. If you process payments within Magento, you may have to respond to a possible data breach, including implications regarding Payment Card Industry (PCI) compliance.

If you suspect credit card data is being stolen, you can contact your bank to inquire about virtual credit cards. These can be used to test purchases on your site before cleaning the hack. Stolen credit cards are often used within 12 hours, so this exercise may indicate if further investigation is required. This is not a 100% reliable method, but it is one step you can take on your own before seeking help from a PCI Forensic Investigator (PFI).

In order to maintain PCI compliance in the event of a data breach, you must follow the requirements, specifically PCI DSS Requirement 12.10: Implement an incident response plan. Part of this requirement involves preserving evidence.

Immediately back up your hacked Magento site including:

  • Server log files
  • Magento file system
  • Magento database
  • Custom files and configurations

1.2 - Scan your Site

There are free online tools you can use to scan your Magento installation remotely. These can help you identify credit card swipers, malicious payloads, intermediary domains, and other security issues.

To scan Magento for malware and security issues:

  1. Visit the SiteCheck website.
  2. Enter your Magento website URL.
  3. Click Scan Website.
  4. If the site is infected, a warning message will display.
  5. Note any payloads and locations (if available).
  6. Note any blocklist warnings.
  7. Scan all other websites being hosted on the same server.
  8. We recommend scanning all websites on the server because cross-site contamination is one of the leading causes of reinfection. We also encourage every website owner to isolate their hosting, SFTP/FTP, and SSH accounts.

Scan Results Example

Note

A remote security scanner browses your site, but does not have access to the server. Some issues cannot be detected in a browser (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes both remote and server-side scanners. Learn more about how remote scanners work.

1.3 - Check Core File Integrity

Any new or recently modified files on your server may be part of the hack. Your Magento file system should also be checked thoroughly for malware injections.

You can find all Magento 1.x and Magento 2.x versions on GitHub. Using an SSH terminal, you can download Magento locally. The following commands use Magento version 2.1.3 as an example of the clean files and public_html as an example of where your Magento installation is located on the server.

To check core file integrity with SSH commands:
				
					$ mkdir magento-2.1.3
$ cd magento-2.1.3
$ wget https://github.com/magento/magento2/archive/2.1.3.tar.gz
$ tar -zxvf 2.1.3.tar.gz
				
			

The final diff command will compare the clean Magento files with your installation. The output will also report additional modules you have added, and these can be compared with known good files in a similar manner. Remember to remove the known good files from your server after testing.

You can also use a free tool developed by Amasty to check Magento core file integrity, though be careful not to remove patches or modules flagged as a false positive. This tool only checks the most vital folders, so be sure to continue with other steps in this guide.

To manually check recently modified files:

  • Log into your Magento web server.
  • If using SSH, you can list all files modified in the last 15 days using this command:
				
					$ find ./ -type f -mtime -15
				
			
  • If using SFTP, review last modified date column for all files on the server.
  • Note any files that have been recently modified.


Unfamiliar modifications in the last 7-30 days may be suspicious and require further investigation.

Note

Some malware infections hide by changing the file modification date. You can also try using other online scanners and Magento extensions to look for indicators of compromise, malicious payloads, and security issues.

1.4 - Audit User Logs

Hackers often create malicious user accounts on compromised Magento sites. Verify all of your Magento user accounts, especially administrators.

To check for malicious users in Magento:

  1. Log into your Magento admin panel.
  2. Click System on the menu item and under Permissions select Users or All Users.
  3. Review the list, especially ones with an abnormal or recent ID number.
  4. Delete any unfamiliar users that may have been created by hackers.

Hacked Admin

Hacked Admin

If you are comfortable parsing your server logs, you can search for requests to the administrator area. User accounts that have logged in from suspicious time zones or geographic areas may be compromised. You can also use the Amasty Admin-Actions Log plugin (free trial) which logs all admin actions across your Magento installation (especially useful for large stores with many admin users).

1.5 - Check for Reports

If your website was blocklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your Magento site.

To check your Google Transparency Report:

  1. Visit the Safe Browsing Site Status website.
  2. Enter your site URL and click the icon to search.
  3. On this page you can check:
    • Site Safety Details: information about malicious redirects, spam and downloads.
    • Testing Details: most recent Google scan date with malware detected.

Google Transparency Report

You should also check if any customers have reported fraudulent purchases shortly after ordering something from your site. This can give you an indication of whether or not your site has been infected with a credit card swiper.

Additional Resouces

Free webmaster tools can be used to check security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up:

2

Fix Hack

In the previous step, you collected information about potentially compromised customer data, user accounts, malware locations, and payloads. In this step, you will remove the Magento hack and restore your ecommerce website to a clean state.

Pro Tip:

The best way to identify hacked files is by comparing the current state of the site with fresh installation files or a clean backup. Any differences between the two versions can help you identify what has been modified by hackers.

Note

Some of these steps require webserver and database access. If you are not comfortable with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member to completely remove Magento malware.

2.1 - Clean Hacked Website Files

If any scans or diagnostic pages above revealed malicious domains or payloads, you can start by looking for those files on your Magento web server. Comparing infected files with known good files (from official sources or reliably clean backups) can help you identify and remove malicious changes.

When comparing your files with a good copy, be sure to use the same version of your Magento core files and extensions, including any applied patches.

To manually remove a malware infection from your Magento files:

  1. Log into your server via SFTP or SSH.
  2. Create a backup of the site files before making changes.
  3. Search your files for reference to malicious domains or payloads noted.
  4. Identify recently changed files and confirm whether they are legitimate.
  5. Review files flagged by the diff command during the core file integrity check.
  6. Restore or compare suspicious files with clean backups or official sources.
  7. Remove any suspicious or unfamiliar code from your custom files.
  8. Test to verify the site is still operational after changes.

Caution

Be careful not to overwrite the database configuration file local.xml in Magento 1.x, or app/etc/env.php in Magento 2.x because this will break your site!

If you can’t find the malicious content, try searching the web for any spam, payloads, or malicious domain names that you found in the first step. Chances are that another Magento user has already figured out how those pieces are involved in the hack you are attempting to clean.

It is advisable to reinstall all extensions after a hack to ensure they are functional and free of residual malware. If you have deactivated themes, components, modules, or plugins, we recommend you remove them from your web server.

  • fwrite
  • file_put_contents
  • FILE_APPEND
  • mail(
  • file_get_contents
  • curl
  • script (including an external file)
  • http.open
  • http.send
  • this[“eval”]li>

Diff Tools to Compare Files

2.2 - Clean Hacked Database Tables

To remove a malware infection from your Magento database, you can log into the admin area and open the CMS or Content section in order to edit static blocks, posts, and pages on your site. This interface offers some access to modify the content of the database and is usually effective. You can also open a low-level database admin panel such as PHPMyAdmin, or tools like Search-Replace-DB and Adminer.

Caution

Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

To manually remove a malware infection from Magento database tables:

  1. Log into your database admin panel.
  2. Make a backup of the database before making changes.
  3. Search for suspicious content (i.e., spammy keywords, links).
  4. Open the table that contains suspicious content.
  5. Manually remove any suspicious content.
  6. Test to verify the site is still operational after changes.
  7. Remove any database access tools you may have uploaded.

You can manually search your Magento database for common, malicious PHP functions such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Additionally, the most common location for Magento malware is the core_config_data table. Within this table, they specifically target the site’s footer and header area (i.e. design/head/includes and design/footer/absolute_footer).

Database Scan Example

Caution

Note that these functions are also used by Magento extensions for legitimate reasons, so be sure to back up, test, or seek assistance so you do not accidentally break your ecommerce site.

2.3 - Remove Hidden Backdoors

Hackers almost always leave a way to get back into your site if the original vulnerability is patched. More often than not, we find more than one backdoor on hacked Magento sites.

Backdoors are often located in new files named to look like official Magento core files. Attackers can also inject backdoors and malware into core Magento locations like the footer area.

To check for injections in the Magento footer:

  • Log into your Magento admin panel.
  • Click CMS or Content on the menu item.
  • Select Static Blocks or Blocks from the list.
  • Click to open the Footer Links block.
  • Review the content for malware.

Hacked Admin

Hacked Admin

Caution

  • These functions can also be used legitimately by Magento extensions, so be sure to test any changes because you could break your site by removing benign functions. Always remember to compare files using the same Magento version and applied patches.
  • Always remember to compare files using the same Magento version.

To remove backdoors by comparing Magento files:

  1. Confirm your Magento version in the bottom righthand corner of your dashboard.
  2. Download the same version of known good core files from the official Magento Community.
  3. Log into your server via SFTP or SSH.
  4. Create a backup of the site files before making changes.
  5. In your FTP client, compare your site with the known good download.
  6. Investigate any new files on your server that do not match the known good files.
  7. Investigate any files that are not the same size as the known good files.
  8. Remove any suspicious content or replace the file with a known good copy.
  9. Log into the Magento admin panel.
  10. Click System on the menu item and under Tools select Cache Management.
  11. Click Flush Magento Cache (and Flush Cache Storage on Magento 1.x).
  12. Test any changes.

Backdoor Example

Backdoor Example

The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official Magento repository.

It is critical that all backdoors are closed to successfully clean a Magento hack, otherwise your site will be reinfected quickly.

2.4 - Reset User Passwords

You should reset all user passwords with unique, strong passwords to avoid reinfection. If your Magento version is unpatched, you may want to patch your site first. Attackers can steal your Magento user credentials from the backend if your patches are not up to date.

To remove user passwords in Magento:

  1. Log into your Magento Administrator area.
  2. Click System on the menu item and under Permissions select Users or All Users.
  3. Click on any user in the list.
  4. Enter a new password for the user in the New Password and Password Confirmation fields.
  5. Enter your password in the Your Password field (if using Magento 2.x).
  6. Click Save User.


You should reduce the number of user accounts with an administrator role for Magento. This extends to your FTP accounts and website systems. Only give users the access they need for as long as they need it. This is known as the concept of least privileged access.

Magento: Change User Password

Magento: Change User Password

You might also consider adding an extension to Magento to enable two-factor authentication (2FA).

Note

All accounts should use strong passwords. A good password is built around three components – complexity, length, and uniqueness. Some say it’s too difficult to remember multiple passwords. This is true. That’s why password managers were created!

2.5 - Fix Malware Settings

If you were blocklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed. Google is now limiting repeat offenders who knowingly host/spread malware on their site to one review request every 30 days. Be sure your site is clean before requesting a review!

Blocklist Warning

To remove malware warnings on your site:

  1. Call your hosting company and ask them to remove the suspension.
    • You may need to provide details about how you removed the malware.
  2. Fill in a review request form for each blocklisting authority.
    • ie. Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
    • The review process can take several days.

Note

You should have only one antivirus actively protecting your system to avoid conflicts.


If your Magento admin user’s computers are not clean, your site can get reinfected easily.

Security Recommendation

Not using that Magento module or extension? Remove it from your installation.

Get help removing malware and Magecart infections.

Worried about malware on your Magento website? Our pros are here to help.

3

Post Hack

In this final step, you will secure Magento to prevent future hacks. You will also perform essential steps to enhance the security of your Magento store and ecommerce data.

3.1 - Update & Reset Configuration Settings

Unpatched and outdated software is one of the leading causes of infection, and it is important to remove any known vulnerable extensions. Passwords should also be reset to ensure you are not reinfected if hackers gained access to your credentials.

You should update all Magento software including core files, components, templates, modules, and plugins. You can also check your extensions for known vulnerabilities by using the free Mage Report tool.

To apply Magento patches and updates:

  • Make sure you have a recent backup of your site.
  • Download the patches specific to your Magento version from the Magento Downloads page.
  • Upload the .sh or .patch files to your Magento root directory.
  • If your Magento store is compiled, disable the compiler under System > Tools > Compilation.
  • Connect to your site via SSH and run the matching command below for the patch file extension:
				
					sh example_patch_name_12345.sh
				
			
				
					patch --p0 example_patch_name_12345.patch
				
			
				
					unzip -o example_patch_name_12345.zip
				
			
				
					tar -zxf example_patch_name_12345.zip

				
			
				
					tar.bz2 tar -jxf example_patch_name_12345.zip

				
			

Caution

Some Magento patches are more complicated to install than others. Be sure to consult the official documentation for the patches you require. We recommend testing in a separate development environment first.

  • Test the Magento store to confirm functionality.
  • Run the compiler if you disabled it in step 4.


Magento has a built-in caching system which should be reset once the website is clean.

To reset the cached version of your Magento website:

  1. Make sure you have a recent backup of your site.
  2. Log into your Magento admin panel.
  3. Click System on the menu item and under Tools select Cache Management.
  4. Click Flush Magento Cache (and Flush Cache Storage on Magento 1.x).

Magento: Change User Password

Magento: Change User Password

Magento 2.x is the current and most stable version of Magento. Users on Magento 1.x should strongly consider upgrading their Magento store.

If in the first step SiteCheck identified other outdated software on your server (i.e., Apache, cPanel, PHP), you should update those to ensure you have any available security patches.

3.2 - Set Backups

Strong passwords will help prevent brute force attacks and ensure the integrity of your Magent

Backups function as a safety net. Now that your Magento site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.

Here are some tips to help you with website backups:

Location

Store Magento backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.

Automatic

Ideally, your backup solution should run automatically at a frequency that suits the needs of your website.

Redundancy

EV certificates require even more documentation for the Certificate Authority to validate the organization. Visitors will see the name of the business inside the address bar (in addition to clicking the lock icon).

Testing

Try the restore process to confirm your website functions correctly.

File Types

Some backup solutions exclude certain file types such as videos and archives.

Did you know?

Sucuri offers its customers an affordable system for secure website backups.

3.3 - Scan Your Computer

Have all Magento users run a scan with a reputable antivirus program on their operating systems.

Magento can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.

Here are some antivirus programs we recommend:

Paid

BitDefender, Kaspersky, Sophos, F-Secure.


Free

MalwarebytesAvastMicrosoft Security EssentialsAvira.

Note

You should have only one antivirus actively protecting your system to avoid conflicts.


If your Magento admin user’s computers are not clean, your site can get reinfected easily.

Did you know?

Sucuri offers its customers an affordable system for secure website backups. Easily restore your site at any time.

3.4 - Website Firewall

You can harden your Magento site by restricting file permissions and using custom .htaccess rules. You can also disable the downloader and change the admin backend URL, and take steps to prevent cacheleak and other implementation vulnerabilities. We recommend that you review the official Magento Security Best Practices for more information.

All ecommerce sites must use the HTTPS protocol. This can be accomplished by using an SSL certificate to verify your business and encrypt all transmitted data from the customer, including login pages and checkout pages. This also makes it easier to detect scripts and iframe injections that use the HTTP protocol, as this will cause mixed content warnings on your site. We give free SSL certificates to all Sucuri customers and can also work with any existing certificate.

Magento is becoming a bigger target for hackers as it gains more users and becomes a more mature open-source CMS option for web stores. Even if your payments are processed off-site, you should strongly consider a website firewall. This will protect your Magento website from vulnerabilities and restrict access to admin areas for unauthorized users.
The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your website.

Benefits to using a website firewall:

  • Prevent a Future Hack

By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.

  • Virtual Security Update

Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch your holes in your website software even if you haven’t applied security updates.

  • Block Brute Force Attack

A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.

  • Mitigate DDoS Attack

Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.

  • Performance Optimization

Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

We offer all of these features with the Sucuri Firewall.

3.5 - PCI Compliance

For any ecommerce website, PCI compliance needs to be taken seriously. Unfortunately, most Magento sites that process payments themselves are not PCI compliant. This is often linked to a common misunderstanding that leveraging SSL in the checkout process is enough to prevent a breach. In fact, the encryption of transmitted credit card data is only one of the twelve requirements.

The requirements were created by major credit card companies like Visa, MasterCard, and American Express. Designed to protect online shoppers from credit card theft, any ecommerce website may be audited. If the website is found to be noncompliant, there can be serious consequences including fines, fees, and remediation costs.

The PCI compliance requirements are:

  1. Install and maintain a firewall.
  2. Do not use vendor-supplied defaults for system passwords or other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across public networks.
  5. Protect all systems against malware and regularly update antivirus programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain an information security policy.


Magento offers integrated payment gateways that allow merchants to securely transmit credit card data. These solutions integrate with Magento checkout pages and use an API or payment form hosted by an external payment processor. These options allow information to be sent directly to the payment gateway without sensitive data being stored on the Magento application server. Learn more about the official Magento Approach to PCI Compliance.

You can also read our series of posts explaining PCI compliance:

Ready to protect your Magento website?

Sucuri Resource Library

Say on top emerging website security threats with our helpful guides, email, courses, and blog content.

Webinar

Learn how to identify issues if you suspect your WordPress site has been hacked.

Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.

Report

Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.