
How to Apply Magento Patches

17/01/2017

To understand how to apply Magento patches, it helps to understand why you need them in the first place.

A Magento patch is a shell script, named after its SUPEE advisory number (for example SUPEE-7405), that applies a diff to specific core files in order to close security holes found after the version you are running was released. Each script is built for one Magento edition and version, so the same fix is shipped as several downloads.

If you have the very latest release of Magento installed, the patches published before that release are already included in it, and you will only need any patches released afterwards.

If you are running an older version without patches, the chances are that security issues and vulnerabilities have been discovered since its release, and attackers scan for exactly those.

Installing a patch on Magento

Before you begin any work involving patches, always take a backup of your current website (files and database), just in case things don’t go as planned.

Once that is done, you can move on to installing your patch:

1)   Find out which patches need applying. Do this by entering the website URL at https://www.magereport.com/scan/ which lists the SUPEE patches your store is missing.

2)   Download the patches from https://magento.com/tech-resources/download. Pick the file for your exact edition and version (for example CE 1.9.2.3); a patch built for a different version will usually refuse to apply.

3)   Make a fresh copy of your website in a development area. If you are using cPanel, the in-built ‘Transfer Tool’ makes this quicker.

4)   Set the development copy to ‘No Index/No Follow’ and remove any external scripts (analytics, live chat and similar) from the head.phtml template, so the test copy is neither indexed nor reports traffic as if it were the live store.

5)   Install the patches by running each shell script from the Magento root (public_html) of the hosting account, in release order. Make notes of the exact order and commands you use, as you will repeat them on the live site.

6)   Now it’s time to test any 3rd party extensions. Open System > Configuration > Advanced > Advanced to see which extensions are enabled. Then, in a different tab, go through the admin settings as well as the front-end functionality of each extension listed; extensions that override patched core files are the usual cause of post-patch breakage.

7)   Once you are happy with the patch process, we recommend that you take another fresh copy of the site and run through it again, making sure that the process you wrote down in step 5 is correct.

Applying patch on LIVE site

Step One:

  • Suspend the development account used in the steps above, so nothing keeps running against the test copy.
  • Make a full backup of the database. Before taking it, run the following SQL to empty Magento’s visitor log, report and dataflow tables, which dramatically reduces the size of the dump. These tables hold only disposable data (note that adminnotification_inbox holds the admin notification messages, and aw_core_logger belongs to the aheadWorks extensions, so it only exists if they are installed). TRUNCATE cannot be rolled back, so do not add tables to this list unless you know what they contain.
SET foreign_key_checks = 0;
TRUNCATE adminnotification_inbox;
TRUNCATE aw_core_logger;
TRUNCATE dataflow_batch_export;
TRUNCATE dataflow_batch_import;
TRUNCATE log_customer;
TRUNCATE log_quote;
TRUNCATE log_summary;
TRUNCATE log_summary_type;
TRUNCATE log_url;
TRUNCATE log_url_info;
TRUNCATE log_visitor;
TRUNCATE log_visitor_info;
TRUNCATE log_visitor_online;
TRUNCATE index_event;
TRUNCATE report_event;
TRUNCATE report_viewed_product_index;
TRUNCATE report_compared_product_index;
TRUNCATE catalog_compare_item;
SET foreign_key_checks = 1;

Step Two:

  • Enable Magento’s logging (System > Configuration > Advanced > Developer > Log Settings), so that anything the patch breaks shows up in var/log/system.log and var/log/exception.log.
  • If the website is behind Cloudflare, enable Development Mode so that cached copies of the old files are bypassed while you work.
  • Put the store into maintenance mode by creating an empty file called “maintenance.flag” in the root (public_html). While that file exists Magento shows its 503 maintenance page to visitors; delete it again once the patched site has been checked.

Step Three:

  • Create a backup of the public_html folder. SSH into the hosting account and run:
cp -R public_html/ public_html_backup/
  • Set the correct owner/group on every file and folder in the backup (cp -R run as root leaves the copy owned by root), so that it can be swapped back in quickly if the patch goes wrong. Replace acc_name with the hosting account’s user:
chown -R acc_name:acc_name public_html_backup/
  • Run the patches, following the order and commands you noted down on the development copy.
  • Reset the owner/group on the live folder, since patch scripts run as a different user can leave files behind that the account cannot modify:
chown -R acc_name:acc_name public_html
  • Set the correct permissions on files and folders. 644/755 assumes PHP runs as the account user, as it does under cPanel; var/ and media/ must remain writable by that user.
find public_html/ -type f -exec chmod 644 {} +
find public_html/ -type d -exec chmod 755 {} +

Step Four:

  • Block access to the /downloader/ folder (the Magento Connect manager, a frequent brute-force and upload target) and allow only your own IP, by adding the following to the .htaccess in /downloader/ (create it if absent). Replace 1.1.1.1 with your own public IP address. This is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise use the equivalent Require all denied / Require ip directives.
order deny,allow
deny from all
allow from 1.1.1.1

Step Five:

  • To fix the ‘Cacheleak’ vulnerability (the /var/ directory, which holds Magento’s cache, logs and exports, being readable over the web and so leaking configuration data), make sure /var/.htaccess exists and contains the following. Magento ships this file, but it is easily lost when a site is copied or the folder is recreated. The same Apache 2.4 note as in Step Four applies.
Order deny,allow
Deny from all

Step Six:

  • Stop the /rss/ URLs from being brute-forced. Magento’s RSS feeds prompt for admin or customer credentials over HTTP basic authentication, which makes them a convenient place to guess passwords. Either disable Magento’s RSS module, or add the following to the root .htaccess, which redirects every rss/ request to the homepage unless it comes from your own IP. Replace 212.56.98.71 with your own address; the dots are escaped and the address anchored so the rule does not also match a longer address that begins with the same digits:
RewriteCond %{REQUEST_URI} ^/(index\.php/?)?rss/ [NC]
RewriteCond %{REMOTE_ADDR} !^212\.56\.98\.71$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

Step Seven:

Finding Patches You Have Already Installed

If you’re not sure which patches have already been applied, check the file app/etc/applied.patches.list. Each patch script appends one line when it runs, recording the date, the SUPEE number and the Magento version it was built for; a patch removed with -R appends a further line for that patch marked REVERTED, so read the most recent line for each SUPEE number.

How to Revert a Magento Patch

If, for whatever reason, you need to revert a patch, you can do so by adding “-R” to the end of the shell command that installed it. For example:

sh patch-file-name.sh -R

Revert in the reverse of the order you applied, since later patches may touch the same files.
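To tie the steps above together (the notes from step 5, the applied.patches.list check, the -R revert and the Step Three permission reset), here is a small POSIX sh wrapper. It is an added example written for this page, not a Magento script and not part of the original post. It assumes it is run from the Magento root, that the patch files keep their downloaded names (PATCH_SUPEE-<number>_...sh), and that applied.patches.list has one ‘| SUPEE-<number> |’ field per line with the word REVERTED on lines written by a -R run; check that last point against your own file before trusting the status it reports.

```sh
#!/bin/sh
# Added example, not from the original post or from Magento: a POSIX sh wrapper
# around the SUPEE patch scripts that (a) reports whether a patch is already
# recorded in app/etc/applied.patches.list, (b) applies scripts in the order
# given, skipping ones already applied and noting every action in a notes file,
# (c) reverts a patch with -R, and (d) resets file/folder modes to 644/755.
#
# Assumptions (not taken from the post): run from the Magento root; scripts are
# named PATCH_SUPEE-<id>_....sh as downloaded; applied.patches.list has one
# "| SUPEE-<id> |" field per line and a -R run writes a line containing REVERTED.
set -eu

LIST_FILE="app/etc/applied.patches.list"
NOTES_FILE="patch-notes.txt"

# Write one timestamped line to the notes file (the "make notes" step).
note() {
    printf '%s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$NOTES_FILE"
}

# SUPEE id from a script filename: PATCH_SUPEE-7405_CE_1.9.2.3_v1.1-....sh -> SUPEE-7405
patch_name() {
    basename "$1" | sed 's/^PATCH_\(SUPEE-[0-9][0-9]*\).*/\1/'
}

# Prints applied, reverted or unknown for a SUPEE id. The last line mentioning
# the patch wins, so an apply followed by a revert reads as reverted.
patch_status() {
    [ -f "$LIST_FILE" ] || { echo unknown; return; }
    last=$(grep -F -e "| $1 |" "$LIST_FILE" | tail -n 1)
    case $last in
        '')         echo unknown ;;
        *REVERTED*) echo reverted ;;
        *)          echo applied ;;
    esac
}

# Apply scripts in the order given, skipping any already applied. set -e stops
# the run at the first script that exits non-zero; a script that exits 0 but
# did not record itself is treated as a failure too.
apply_in_order() {
    for script in "$@"; do
        name=$(patch_name "$script")
        case $(patch_status "$name") in
            applied) note "skip $name (already in $LIST_FILE)" ;;
            *)
                note "apply $name: sh $script"
                sh "$script"
                [ "$(patch_status "$name")" = applied ] || { note "FAILED $name"; return 1; }
                ;;
        esac
    done
}

# Revert one patch with -R and record it.
revert_patch() {
    name=$(patch_name "$1")
    note "revert $name: sh $1 -R"
    sh "$1" -R
}

# Files 644, directories 755 under the given root (Step Three). Assumes PHP runs
# as the account user, as under cPanel; var/ and media/ stay writable for it.
fix_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Usage: sh apply-patches.sh PATCH_SUPEE-7405_*_v1.sh PATCH_SUPEE-7405_*_v1.1.sh
# Prints each patch's status, applies the missing ones in order, resets modes.
if [ $# -gt 0 ]; then
    for script in "$@"; do
        printf '%s: %s\n' "$(patch_name "$script")" "$(patch_status "$(patch_name "$script")")"
    done
    apply_in_order "$@"
    fix_permissions .
fi
```

Save it as apply-patches.sh in the Magento root and run it with the patch scripts in the order you want them applied. Nothing is applied twice, so rerunning it after a failure picks up where it stopped, and patch-notes.txt gives you the written record that step 5 asks for.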

Troubleshooting

If you get an error when you run a patch, check the following:

  • Did you download the patch for the exact edition and version you are running?
  • Did you install the patches in the correct order? SUPEE-7405 has two versions (v1.0 and the v1.1 follow-up) and both need to be installed, v1.1 on top of v1.0.
  • Do the patch script, and the files it touches, have the correct file and group/owner permissions? A script run as the wrong user cannot write to the core files.
  • If the live site is broken, revert to the public_html_backup folder created in Step Three: rename public_html to public_htmlold and rename public_html_backup to public_html, then investigate on the development copy.
  • If problems persist, please don’t hesitate to drop us a line.