MAY 03 2020

Re-enable use of Admin SID in Magento after SUPEE-11314

After SUPEE-11314 or an upgrade to Magento 1.9.4.5, use of Admin SIDs is disabled by default, which may break certain modules (e.g. Sage Pay Suite MOTO payments). To re-enable Admin SIDs we can add the corresponding section to the backend configuration: After that, flush the Magento cache, navigate to System > Configuration > Web > Session Validation Settings and set the Use SID on Admin Backend option to Yes. Please do not forget to flush Magento… Read the rest
OCT 23 2015

Securing Magento Cacheleak, Backupleak and Sessionleak


4 comments

Magento Cacheleak is an implementation vulnerability: the result of a misconfigured web server in front of the Magento platform. With such a configuration the web server ignores all or some of the .htaccess files shipped with the Magento distribution (or some of the directives in them), and therefore all private directories, including var/, var/backups/, var/cache/, var/session/ and so on, are exposed to the public. Anyone can then list and download backups or session files, extract data values from cache files… Read the rest
OCT 18 2015

Securing MAGMI Data Import Tool

MAGMI (Magento Mass Importer), a popular Magento data import tool, is often used without any protection at its default location (/magmi/web/magmi.php). An unsecured deployment of this tool can be abused to gain full access to a Magento installation, especially given the CVE-2014-8770 vulnerability and the public exploits available for it. What can be done to secure this useful tool? There are several ways of restricting access to /magmi/. You can select whichever suits your needs and… Read the rest
JUL 26 2015

Solving Magento SSL errors (yellow padlock or exclamation mark)


1 comment

Your connection is encrypted with 128-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page. If you see this warning message along with a yellow SSL padlock in Chrome for your Magento store (usually on the frontend or on checkout pages), it means that the page contains some resources (i.e…. Read the rest
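The practical first step is to find exactly which sub-resources on the affected page are still loaded over plain http://. The scanner below is an added example (not code from the original post): it parses the page the way a browser classifies mixed content, looking only at attributes that fetch a resource (img, script, link, iframe, srcset, inline CSS url()) and ignoring plain `<a href>` navigation links, which do not trigger the warning. The sample page, the hostnames and the checkout URL in it are constructed for the demonstration.

```python
"""Added example: list the insecure (http://) sub-resources of an https page.

Usage: python mixed_content.py https://www.example.com/checkout/onepage/
Without an argument it scans SAMPLE_PAGE, a constructed Magento-like page.
"""
import re
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource. <a href> is deliberately
# absent: a link to an http:// page is navigation, not mixed content.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}
# url(...) references inside <style> blocks and style="" attributes
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)

# Constructed sample: one secure relative image, one scheme-relative script
# (resolves to https, so it is fine), and four genuinely insecure resources.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/skin/frontend/base/default/css/styles.css">
<script src="//www.example.com/js/prototype/prototype.js"></script>
<style>.logo { background: url(http://www.example.com/skin/logo.png) }</style>
</head><body>
<img src="/media/catalog/product/cache/1/image/shirt.jpg">
<img src="http://cdn.example.com/banner.jpg" srcset="http://cdn.example.com/banner@2x.jpg 2x">
<a href="http://www.example.com/about">About us</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_style = False
        self.insecure = []  # (tag, attribute, absolute URL)

    def _check(self, tag, attr, value):
        # srcset holds "url descriptor, url descriptor"; plain attrs hold one URL.
        for part in value.split(","):
            tokens = part.strip().split()
            if not tokens:
                continue
            absolute = urljoin(self.page_url, tokens[0])
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, attr, absolute))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for attr, value in attrs:
            if value is None:
                continue
            if attr in RESOURCE_ATTRS.get(tag, ()):
                self._check(tag, attr, value)
            elif attr == "style":
                for url in CSS_URL.findall(value):
                    self._check(tag, "style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            for url in CSS_URL.findall(data):
                self._check("style", "url()", url)


def find_mixed_content(html, page_url):
    """Return the insecure sub-resources of an https page as (tag, attr, url) tuples."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


if __name__ == "__main__":
    if len(sys.argv) > 1:
        page_url = sys.argv[1]
        page_html = urllib.request.urlopen(page_url).read().decode("utf-8", "replace")
    else:
        page_url, page_html = "https://www.example.com/checkout/onepage/", SAMPLE_PAGE
    for tag, attr, resource in find_mixed_content(page_html, page_url):
        print(f"<{tag} {attr}> {resource}")
```

Run it against the checkout page URL while logged out and again with a product in the cart, since Magento renders different blocks in each state. Anything it reports comes either from a hard-coded http:// URL in a CMS block, skin or third-party extension, or from an Unsecure Base URL being used where the Secure one should be; the fix is to correct that source, not to suppress the browser warning.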
SEP 21 2019

Restrict access to Magento /downloader/


2 comments

We are noticing a rapid increase in robots/crawlers brute-forcing Magento's /downloader/ location, trying the default admin user with various (mostly dictionary-based) passwords and other popular logins. We have seen the bots trying continuously (in some cases for several months or years already).
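The three exposures above (private directories served when .htaccess is ignored, an open /magmi/, and a brute-forced /downloader/) share one root cause: the web server serving paths that Magento's shipped .htaccess files were meant to deny. nginx never reads .htaccess at all, so the following server fragment restates those denials explicitly. It is an added example, not configuration from any of the original posts, and assumes a document root of /var/www/magento, a PHP-FPM socket at /run/php/php-fpm.sock, an office/VPN range of 203.0.113.0/24 and a basic-auth file at /etc/nginx/magmi.htpasswd.

```nginx
# Added example: Magento 1 on nginx with the .htaccess protections restated.
# Assumed values: root, fastcgi_pass socket, allowed IP range, htpasswd path.
server {
    listen 443 ssl;
    server_name www.example.com;
    root /var/www/magento;
    index index.php;

    # Cacheleak / Backupleak / Sessionleak. Magento ships .htaccess files that
    # deny these directories; var/ alone holds cache, sessions, backups and
    # logs. Regex locations are matched in order, so this block must come
    # before the "\.php$" block below, otherwise /var/cache/*.php would be
    # executed instead of denied.
    location ~* ^/(app|includes|lib|media/downloadable|pkginfo|report/config\.xml|var)(/|$) {
        deny all;
    }

    # .htaccess, .git, .svn, .env and similar must never be readable.
    location ~ /\. {
        deny all;
    }

    # MAGMI sits outside Magento's routing and ships with its own login.
    # Restrict it to trusted source addresses and add HTTP basic auth on top;
    # the nested PHP location still lets the tool run for requests that pass
    # both checks. "^~" makes this prefix win over the regex locations.
    location ^~ /magmi/ {
        allow 203.0.113.0/24;                            # assumed office range
        deny all;
        auth_basic "MAGMI";
        auth_basic_user_file /etc/nginx/magmi.htpasswd;  # assumed path
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Magento Connect Manager: the login the bots hammer. Keep it closed and
    # open it (with the allow/deny pattern above) only while you are actually
    # installing an extension through it.
    location ^~ /downloader/ {
        deny all;
    }

    # Everything else, including the renamed admin path, goes through index.php.
    location / {
        try_files $uri $uri/ @handler;
    }
    location @handler {
        rewrite / /index.php;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After `nginx -t` and a reload, verify from outside the allowed range: `curl -I https://www.example.com/var/backups/`, `.../var/session/`, `.../magmi/web/magmi.php` and `.../downloader/` must all return 403, while a product page and the renamed admin path still return 200. The same exposure appears on Apache when a vhost sets AllowOverride None; there, the fix is to move the contents of Magento's .htaccess files into the vhost's Directory blocks rather than to re-enable overrides.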
NOV 23 2018

Securing Magento /admin/ by admin path change


6 comments

The default Magento backend URL is /admin/ (e.g. http://www.example.com/admin/); everyone knows it, including bots and crackers, who have been brute-forcing it for weeks according to my logs. The recent Shoplift vulnerability (known by its widely announced SUPEE-5344 patch) showed that the Magento backend should not be accessible to, or even known by, anyone except store staff. Luckily, changing the default /admin/ path to any other random string is an easy task for anyone who can edit text in XML… Read the rest
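The admin front name lives in app/etc/local.xml, which Magento reads before the database configuration. The fragment below is an added example, not the original post's own; the value mgt-7f3a9c is an assumed random string, and the surrounding config/global elements of your real local.xml are left untouched.

```xml
<?xml version="1.0"?>
<!-- app/etc/local.xml fragment (added example). Only the <admin> element is
     shown; keep the rest of your file as it is. "mgt-7f3a9c" is an assumed
     random value: generate your own, e.g. from /dev/urandom, and never reuse
     the word "admin" or the shop name in it. -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[mgt-7f3a9c]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

Flush the Magento cache afterwards; the backend is then reached at /mgt-7f3a9c/ and the old /admin/ URL falls through to the frontend router and returns a 404. A renamed path only removes the target from bots working off default lists; it does not replace strong, unique admin passwords, removing unused admin accounts, keeping SUPEE patches current, and restricting the new path by source IP at the web server where the store's staff work from fixed addresses.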
SEP 25 2019

How to edit Magento Maintenance page

The Magento maintenance page design can be changed just like any other Magento error page. By default, it looks like the following: It is shown when your store is in Maintenance mode; you can read how to turn it on or off in the How to turn Magento Maintenance ON or OFF article. To change it to match your site's look and feel, use the following steps: under the Magento root on the filesystem, copy the errors/default/ folder to errors/your_skin/,… Read the rest
MAY 21 2015

[solution] Magento :: Changes not applied

When you are stuck wondering why your configuration changes have no effect in Magento, try the following steps: make sure that you have applied the changes for the correct Configuration Scope / store / store view and that there are no overrides at a lower level (see how); flush the Magento cache at System > Cache Management; rebuild indexes at System > Index Management; disable the Magento compiler and clear the compiled cache (details); flush the PHP opcode cache (APC/XCache/eAccelerator); clear your browser caches forcibly… Read the rest
JAN 12 2015

How to change favicon in Magento

The Magento favicon is changed at System > Configuration > Web > Design > HTML Head > Favicon Icon. Click the Browse button and select the favicon icon from your hard drive to upload it.