5 Things You May Not Know Are Publicly Visible On Your Magento Site



Security Patches

The most important item, and the first thing hackers will check on your Magento site, is which security patches are installed. Even more useful to them are the patches that are missing. From that information they can infer which of the following weaknesses your site is exposed to:

  • Admin Path Disclosure
  • Customer Data Leaks
  • SSRF API Vulnerability
  • Admin Routing
  • Ability for Remote Code Execution
  • XSS

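Knowing your own patch status before anyone else does is the defender's side of this point. The script below is an added example, not code from the post or from Magento: it reads the record of applied patches that Magento 1 keeps in app/etc/applied.patches.list (the pipe-separated layout with the patch name in the second field is an assumption of this example; compare it with the file on your own server), then reports which patches from an expected list are absent. The sample file contents are constructed, and apart from SUPEE-5344, the Shoplift fix the post mentions, the expected names are only illustrative; take the real list for your version from Magento's published security patches.

```python
import re
from pathlib import Path

# Constructed sample in the layout of Magento 1's app/etc/applied.patches.list:
# one pipe-separated record per applied patch, with the patch name in the
# second field. That layout is an assumption of this example; compare it
# against the file on your own server. Timestamps and hashes are made up.
SAMPLE_APPLIED_PATCHES = """\
2015-02-09 18:41:02 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 0123456789abcdef | Mon Feb 9 2015 | patching file app/code/core/Mage/Core/Controller/Request/Http.php
2015-06-25 21:02:06 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | fedcba9876543210 | Thu Jun 25 2015 | patching file app/code/core/Mage/Admin/Model/Session.php
"""

# Patches you expect to see applied. SUPEE-5344 is the Shoplift fix the post
# refers to; the other names are illustrative values for this example, so
# build the real list for your version from Magento's published patches.
EXPECTED_PATCHES = ["SUPEE-5344", "SUPEE-5994", "SUPEE-6285", "SUPEE-6482"]

PATCH_NAME = re.compile(r"^SUPEE-\d+$")


def parse_applied_patches(text):
    """Return the set of SUPEE patch names recorded in applied.patches.list text."""
    applied = set()
    for line in text.splitlines():
        fields = [field.strip() for field in line.split("|")]
        if len(fields) >= 2 and PATCH_NAME.match(fields[1]):
            applied.add(fields[1])
    return applied


def load_applied_patches(magento_root):
    """Read app/etc/applied.patches.list; an absent file means nothing is recorded."""
    path = Path(magento_root) / "app" / "etc" / "applied.patches.list"
    if not path.is_file():
        return set()
    return parse_applied_patches(path.read_text())


def missing_patches(applied, expected):
    """Expected patches that are not in the applied set, sorted for reporting."""
    return sorted(set(expected) - set(applied))


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_applied_patches("/path/to/magento")
    # to check a real installation.
    applied = parse_applied_patches(SAMPLE_APPLIED_PATCHES)
    print("applied:", ", ".join(sorted(applied)))
    print("missing:", ", ".join(missing_patches(applied, EXPECTED_PATCHES)) or "none")
```

Run it from cron or a deployment hook so a missing patch is noticed by you first; the attacker's fingerprinting described above only works for as long as the gap exists.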

Admin Panel

A publicly reachable admin login is vulnerable to exploits (like Shoplift) and brute-force attacks. Magento owners should rename the admin path to something unguessable, restrict it by IP, and/or use two-factor authentication. The default /admin path is an easy guess for hackers looking for your admin login screen, and from there they can launch their brute-force attacks. As mentioned in the previous section, if you are missing patches they can also use exploits to reveal your admin panel URL.


Log Files

Log files can contain information about your server, your passwords, and your customers' information. They should not be public on the internet. Many developers and Magento website owners forget to protect the default log folders from being reachable via public URLs; the var/report folder in particular is often exposed and unprotected.


Version Control

An exposed version control system contains the source code to your application, and that sensitive information should not be available to the public. If you're using Git to maintain your code base, it's also possible that you or your developer did not remove .git folders or .gitignore files from your public document root. This is a risk to your site because a hacker who can view your source code may also be able to see critical login credentials for your site. You don't want a hacker logging into your database, accessing all your customers' data and wreaking havoc.


Development Files

Development files may contain sensitive information or let attackers modify data in unexpected ways, and they do not belong on a production environment. There is a default Magento path, /shell, which contains script files that run on your web server. Many Magento owners forget, or don't check, to make sure this path is not publicly visible. That one mistake exposes a whole list of shell files that may be core to your Magento instance or scripts left behind by developers. You don't want a hacker coming to your site and running a script file along the lines of www.yourmagentosite.com/shell/clear-all-products.php.
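The last four sections (the default admin path, var/log and var/report, .git and .gitignore, and /shell) can all be checked from the server side before anyone else looks. The script below is an added example, not code from the post or from Magento: it audits a Magento 1 document root, treats a directory as protected only when it or a parent directory below the root carries an .htaccess that denies all access (an Apache assumption; nginx rules live in the server config and are not inspected), and reads the admin frontName from app/etc/local.xml, where Magento 1 keeps it. To run offline it builds a constructed sample tree in a temporary directory; every file in that tree is made up.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths under a Magento 1 document root that should never be reachable over
# HTTP: the log and report folders, Git metadata and the shell scripts named
# in the post, plus .gitignore, which usually sits next to .git.
SENSITIVE_PATHS = ["var/log", "var/report", ".git", ".gitignore", "shell"]

# Apache directives that block direct access (Magento 1 ships an .htaccess
# like this in var/). The check assumes Apache with .htaccess enabled; nginx
# rules live in the server config and are not inspected here.
DENY_DIRECTIVE = re.compile(r"^\s*(deny from all|require all denied)\s*$", re.I | re.M)

# Constructed app/etc/local.xml fragment carrying the default admin frontName.
LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""


def htaccess_denies(directory):
    """True if directory/.htaccess contains an all-denying directive."""
    htaccess = directory / ".htaccess"
    return htaccess.is_file() and DENY_DIRECTIVE.search(htaccess.read_text()) is not None


def is_denied(path, docroot):
    """True if path, or a parent directory below the document root, carries a
    denying .htaccess. A file sitting directly in the document root (such as
    .gitignore) has no such directory, so it is never treated as denied."""
    current = path if path.is_dir() else path.parent
    while current != docroot and docroot in current.parents:
        if htaccess_denies(current):
            return True
        current = current.parent
    return False


def admin_front_name(docroot):
    """Admin frontName from app/etc/local.xml (Magento 1 layout), or None."""
    local_xml = Path(docroot) / "app" / "etc" / "local.xml"
    if not local_xml.is_file():
        return None
    node = ET.parse(local_xml).getroot().find("./admin/routers/adminhtml/args/frontName")
    return node.text.strip() if node is not None and node.text else None


def audit_docroot(docroot):
    """Return (item, message) pairs for everything found publicly exposed."""
    docroot = Path(docroot).resolve()
    findings = []
    for rel in SENSITIVE_PATHS:
        target = docroot / rel
        if target.exists() and not is_denied(target, docroot):
            fix = "deny it in the web server config or remove it" if target.is_dir() else "remove it from the document root"
            findings.append((rel, f"publicly reachable; {fix}"))
    if admin_front_name(docroot) == "admin":
        findings.append(("app/etc/local.xml", "admin frontName is the default 'admin'; rename it"))
    return findings


def build_sample_docroot():
    """Constructed Magento-like tree in a temporary directory (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="magento-audit-"))
    files = {
        "var/log/.htaccess": "Require all denied\n",        # var/log is protected
        "var/log/system.log": "2017-10-13T00:00:00+00:00 DEBUG (7): sample entry\n",
        "var/report/1234567890": "a:1:{i:0;s:13:\"sample report\";}\n",  # no .htaccess anywhere above
        ".git/HEAD": "ref: refs/heads/master\n",
        ".gitignore": "var/\nmedia/\n",
        "shell/indexer.php": "<?php // placeholder standing in for a Magento shell script\n",
        "app/etc/local.xml": LOCAL_XML,
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    # Point audit_docroot at your real document root (e.g. "/var/www/magento") instead.
    for item, message in audit_docroot(build_sample_docroot()):
        print(f"{item}: {message}")
```

On the sample tree the audit reports var/report, .git, .gitignore, shell and the default admin frontName, and stays silent on var/log because of its denying .htaccess. The filesystem view is only half the picture: after fixing the server config, confirm from outside that the same URLs now return 403 or 404, since a rewrite rule or an AllowOverride setting can leave an .htaccess file in place but ignored.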
