I think I am in a bit of trouble...
I was developing an online store for the past month; when I finished, I changed the hosting to a new company. Transferred files and database...
Today I go to System->Permissions->Users and besides me I see one unknown account.
I check this account and it's also an administrator! So I think someone hacked into my website.
During development I didn't remove install folder from my server so maybe he got there by this... Is there any other way someone could do it?
And most importantly, do you reckon my password that I use to log in to the Magento back end was compromised?
I will greatly appreciate all of the answers and tips on how to make my website secure. Thank you.
If you find an unknown user account in users list, click to open the account. Then, click the Delete User button.
After that you need to install all new security patches like
SUPEE-1533
SUPEE-5344
SUPEE-5994
SUPEE-6285
To install the security patches you need to download these security patches from the Magento store
https://www.magentocommerce.com/download
and after that you need to upload these patches from the Magento root directory and run a command via terminal like
sh SUPEE-1533 (name of this downloaded patch)
Repeat this for all patches
and after successfully installing these patches enter your site URL here
https://shoplift.byte.nl/
and then what happens
and also you can see a list of file names in your file app/etc/applied.patches.list
Hope it will help
Thanks
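One way to check app/etc/applied.patches.list for the four patches named in the answer above, as an added example that is not part of the original post. The function names are hypothetical, the sample lines are constructed, and the "|"-separated line layout and the REVERTED marker are assumptions about the file format:

```shell
#!/bin/sh
# Added example: list the SUPEE patches that are NOT recorded as applied
# in app/etc/applied.patches.list.
# Assumptions: each line contains the patch ID as a separate word, and a
# later line carrying "REVERTED" means that patch was rolled back again.

# write_sample_list FILE: writes a constructed sample list for the demo
write_sample_list() {
    cat > "$1" <<'EOF'
2015-07-08 10:00:01 UTC | SUPEE-1533 | CE_1.9.0.1 | v1 | constructed
2015-07-08 10:00:05 UTC | SUPEE-5344 | CE_1.9.0.1 | v1 | constructed
2015-07-08 10:00:09 UTC | SUPEE-5994 | CE_1.9.0.1 | v1 | constructed
2015-07-09 09:12:00 UTC | SUPEE-5994 | CE_1.9.0.1 | v1 | constructed | REVERTED
EOF
}

# missing_patches FILE ID...: prints every ID that is absent from FILE,
# or whose most recent entry in FILE is a revert
missing_patches() {
    list_file=$1
    shift
    for id in "$@"; do
        last=""
        if [ -r "$list_file" ]; then
            # -w: SUPEE-153 must not match SUPEE-1533; -F: literal match
            last=$(grep -wF -- "$id" "$list_file" | tail -n 1) || true
        fi
        case $last in
            ""|*REVERTED*) printf '%s\n' "$id" ;;
        esac
    done
}

# Demo on the constructed sample; on a real store, pass
# app/etc/applied.patches.list from the Magento root instead.
sample=$(mktemp)
write_sample_list "$sample"
echo "Patches still to install:"
missing_patches "$sample" SUPEE-1533 SUPEE-5344 SUPEE-5994 SUPEE-6285
rm -f "$sample"
```

An unreadable or missing list file reports every patch as missing, which is the safe default on a store that was never patched.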
Magento recently made some security upgrade issue.
Use this link to check if the patch is applied on your store.
If not, I recommend you make the upgrade.
If you find an unknown user account in users list, click to open the account. Then, click the Delete User button.
Important: Install latest security patches.
To learn how to install a patch check this link out:
https://info2.magento.com/rs/magentoenterprise/images/Installing-a-Patch-for-Magento-Community-Edition.pdf
To check your store security use the following link:
http://magento.com/security-patch
As you can probably tell, I am new to Magento2 and I am trying to figure out some of the basics. I'm a full-stack developer that is used to developing (frontend and backend) myself, then using Docker and finally hosting it on AWS: S3/EC2 or AWS: Elastic Beanstalk. With that said, Magento seems like a completely different beast to conquer.
I have a family member who is wanting me to do some basic frontend stuff for their website (such as changing Navbar design and a potential home page overhaul later on), naturally wanting to help them out I agreed to have a look and see what I can do. I have access to their Magento 2 dashboard area and have been looking around with no sure luck thus far. I have researched online that Magento 2 allows for a "Page Builder" or a "WYSIWYG" type functionality. But I am unable to use these types of tools because my family member had the website built by a Magento 2 developer firm awhile back and everything is coded manually and could cause problems if using one of the above mentioned tools. Due to this I am trying to get access to their site directory so that I can go in and make the necessary changes and upload the files. But I am really struggling on how to access the codebase.
I have read that an admin needs to send me the code??? Or grant me access to the code or something along those lines? I do have the host, port, root, username, password, etc. for the live server but still having trouble.
Any help would be greatly appreciated.
You need to use ssh to access the server
ssh user@host -p port
After you get into the server, you should set up a git repository in the project root and push the code from the server to the repository, then clone the repo to your local environment.
From there on, it's the normal development flow. You can use a clean database with sample data or you can dump the db from the live env and use it on your local env, but this will require some changes in the db after the import.
Detailing all the steps required to do this task would take forever and would cover a lot of different issues/steps.
"I have read that an admin needs to send me the code???"
Not sure what you mean by this, but a Magento admin is just a user on the backend side of the website. He does not have access to any code.
A git repository admin (probably the previous dev) could grant you access to the code repository, but this doesn't seem like an option.
My Magento site was down yesterday; I don't know the reason. But after searching I found that manually clearing the files in the cache /var/cache/ and session /var/session/ directories solves the problem.
My problem is, the site is down again today, and again clearing these directories solved the issue.
I need a permanent solution for this, please help.
Contact the server provider and check if the server space is enough to run a Magento website (Magento creates session and cache files inside the file system).
Check that file/folder permissions are correct (http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html).
If you need to clear the cache directory automatically, ask the server provider to set up a cron job to clear the cache directory in a specific time period (https://magento.stackexchange.com/questions/84186/automatically-refresh-cache).
Note: this issue is not related to Magento installation, this is something related to the server. Also ask Magento related question here: https://magento.stackexchange.com/
I hope this helps.
I am really new to Drupal and playing around with this existing Drupal site.
I did a FTP transfer of all the files to my local computer directory. I currently got it on a Vagrant box and I can access the site via http://192.168.56.101/html.
I can do http://192.168.56.101/html/anything-but-user and it brings me to the proper area on the site. However I can't do localhost/html/user, because it redirects me to the website URL rather than the local URL.
I tried clearing the cache (with Drush). I scanned all files in the system and changed the web url to the local URL [not sure if I need to do any other command], and I can't seem to find anything in the .htaccess files that would lead me to this.
The href="/user I would greatly appreciate any advice or help in figuring out this solution.
--UPDATED
There was a module called "Secure Pages" that was causing the user and registration links to be locked and static to prevent redirects to phishing sites. I had to disable this module using "drush pm-disable securepages" in the terminal.
Some typical items you may want to check:
Check if you get the same problem using another browser. If with another browser it works, then it is pretty sure a cookie problem. To solve that, delete the cookie in the browser where you have the problem.
Make sure "clean urls" is enabled. Refer to "https://drupal.stackexchange.com/questions/165029/clean-url-leads-to-duplicate-url-after-migration-to-another-hosting/165044?s=1%7C3.9647#165044" for more details on that.
Make sure the value of "base_url" is set correctly (in your settings.php).
If the module Secure Pages is enabled, then try to (at least temporarily) disable that module to see if it helps.
Apparently, there was a mod called "SecurePages" that was causing the URLs to be static to prevent someone from changing them and redirecting users to a phishing site.
I have set up a simple WordPress site with an order form but I'm struggling to get the site to recognise Sage Pay.
I've been following the initial instructions in the PHP integration kit - http://www.sagepay.co.uk/support/find-an-integration-document/direct-integration-documents:
Create a database and add the necessary tables.
Edit the /lib/config.php and the /demo/config.php to include my Sagepay Account and database details
In the test server for Sage Pay I also added the IP address of my site as an exception.
Every time I run the https://mywebsite.com/demo it returns the error:
Ooops!!!
An unexpected error seems to have occurred.
Try to refresh the page or you can contact us if the problem persist.
This is pretty early on in the but I seem to be doing something wrong. Is there something else that needs edited as the instructions are frustratingly vague.
Would I be better just using a Sagepay Direct plug in with Wordpress e-commerce solutions?
Thanks.
I am also a currently frustrated Sagepay learner. To answer your question, I had this problem too. My problem was that I had the database details incorrect. I had my local host details on my test environment, and I had not changed the details correctly in demo/config.php before FTPing the file to my web server. Once I did this, I got over the oops screen. The next problem was that I got a blank screen when running index.php from demo. I was told by Sagepay that Apache needs restarting as a service every time somethingortheother happens. So on my local environment I restarted all services in WAMP and it worked. I can now see the demo (not that I know what to do now, as there are no instructions and the PHP is hidden in a complex class structure with the HTML content in some tpl files which I have never seen before - of course there are no instructions in the integration kit at all). Anyway, back to the answer. So locally I can run the demo, but I still have a white screen on my web server, because I can't restart the Apache service there, so that is the next problem. I will keep trying and add anything useful later.
I also had this problem, I had not given the database user account the necessary permissions to access the database.
I have a WordPress website which provides a download link to a Word document. When a user clicks on the download link in IE-9, a Windows security pop-up is shown to the user. It works fine in all the other browsers.
I have done some search and found that it is due to some security settings in IE-9.
Is there any way I can overcome this setting because all the users will mostly have this security setting?
UPDATE This problem comes only if user selects open. If user selects save or save as option from the Save dialog it works fine.
This is the security pop up
This answer provides a server side fix, if you are running IIS. The issue is that the security popup appears when a user tries to open a Word document through IE9, rather than straight download it.
...We have the setup on IIS7 and elected to disable 'WebDAV' (All updates are done by uploading the files anyway). To do this open IIS7, select either the server or the site and click the "Request Filtering". Action - Deny Verb... and enter PROPFIND. Create another for OPTIONS. I found that the server did not need a reboot and it was fixed straight away. Hope that is useful to someone. -Stuart
Credit goes to Stuart from the Moodle forums: https://moodle.org/mod/forum/discuss.php?d=143111
Resolved this. Internet Explorer does not handle Word files properly, so I implemented a PHP script for explicitly downloading the files and it worked.