Magento 1.x Knowledge Base

Magento has built-in Maintenance mode which is ready to use with simple minimalistic approach. For advanced features, like switching maintenance mode on per-store-view basis from Magento Backend, please skip to the next section. Magento maintenance mode is controlled by maintenance.flag file under Magento’s root and coded in Magento’s index.php file: To turn maintenance mode ON this file (with any content) needs to be placed in Magento root, i.e.:   To turn Mageno maintenance mode OFF…

Sometimes you may need to temporarily disable or turn off some Magento extension/module completely due to misbehave or other reasons, so it can not affect Magento installation and site can function just let the module never existed. Warning Some users spreading the false idea of disabling extension in Magento Backend by disabling its output at System > Configuration > Advanced > Disable Module Output. Do not do this, it would not disable the extension, would…

Your Magento store shows “Service Temporarily Unavailable” page when it is switched into Maintenance mode. It can happen after extension installation via Magento Connect, scheduling a backup or performing any update/upgrade actions:Related PostsHow to turn Magento Maintenance ON or OFFHow to edit Magento Maintenance page

Magento maintenance page design can be changed just like any other Magento error page. By default, it looks like the following: It is shown when your store is in Maintenance mode, you can read how to turn it on or off in How to turn Magento Maintenance ON or OFF article. To change it to match your site’s look and feel use the following steps: under Magento root on filesystem copy errors/default/ folder into errors/your_skin/,…

Recently released announce regarding Magento vulnerability disclosed by CheckPoint urges Magento patches SUPEE-1533 and SUPEE-5344 installation. The patches are available for download at MagentoCommerce site: https://www.magentocommerce.com/products/downloads/magento/ To test if your store is vulnerable use our Scan your store button in sidebar. The only problem with these patches is SSH requirement, which some hosts do not provide. If you have SSH access, you can install patches as shown in How to apply SUPEE-5344 and SUPEE-1533 via…

When you are working on several Magento installations you may need to determine version of every Magento site without going to Backend (it is shown at bottom of every page in Backend) or looking down through contents of app/Mage.php (it is in content of getVersionInfo function). I use this simple shell command line to check Magento version (when under Magento root directory): As you can see in the example above it is Magento 1.9.1.0. Another…

Recently released announce regarding Magento vulnerability which is about to be disclosed by CheckPoint mentions necessity of installing Magento patches SUPEE-1533 and SUPEE-5344 available for download at MagentoCommerce site: https://www.magentocommerce.com/products/downloads/magento/ To apply these patches you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. To apply patches without SSH access please refer to this article. Update: Make sure also to apply the latest SUPEE-5994 released…

Due to recent changes in Magento release policies, as they are continue to release updates in a patch form, it is getting more vital to keep a track on which patches were installed and which core files were modified in this patches. All patches that were installed successfully are logged into app/etc/applied.patches.list file. You can just open this file in your favourite text editor to find out all installed patches and changed files: Also you…

Default Magento backend URL is set to /admin/ (i.e. http://www.example.com/admin/), it knows everyone, including bots and crackers, who brute-forcing it for weeks according to my logs. Recent Shoplift vulnerability (known by its SUPEE-5344 patch widely announced to public) indicated that Magento Backend should not be accessible / known for anyone except store staff. Lucky us, changing default /admin/ path to any other random string is easy task for anyone who can edit text in XML…

UPDATE: July 7, 2015: New Magento Security Patch (SUPEE-6285). Make sure to apply it after SUPEE-5994 installation. For details refer to How to install SUPEE-6285. According to announce sent on May 15, 2015 to all Magento installations new security patch SUPEE-5994 should be installed in addition to two recent shoplift patches (SUPEE-5344 and SUPEE-1533). Important: New Magento Security Patch – Install it Now It is important for you to download and install a new security…

UPDATE: July 7, 2015: New Magento Security Patch (SUPEE-6285), save time on installing both SUPEE-5994 and SUPEE-6285 at once as shown in SUPEE-6285 & SUPEE-5994 installation without SSH. According to announce sent on May 15, 2015 to all Magento installations new security patch SUPEE-5994 should be installed in addition to two recent shoplift patches (SUPEE-5344 and SUPEE-1533). Important: New Magento Security Patch – Install it Now It is important for you to download and install…

If your Magento store was not yet patched, highly likely it was already compromised / hacked by automatic exploit that gone wild on April 22, 2015. To the date, almost every not yet patched store I see have all signs of intrusion: lib/Varien/Db/Adapter/Pdo/Mysql.php file modified, so patch can not be applied seamlessly: app/code/core/Mage/Cms/controllers/IndexController.php file have a hijacking cookie key installed Magpleasure/Filesystem extension is installed for easy access to filesystem (file upload/PHP code modification) from Backend…

According to announce sent on July 7, 2015 to all Magento installations new security patch SUPEE-6285 should be installed in addition to the previous Magento security patch (SUPEE-5994). July 7, 2015: New Magento Security Patch (SUPEE-6285) – Install Immediately Today we are providing a new security patch (SUPEE-6285) that addresses critical security vulnerabilities. The patch is available for Community Edition 1.4.1 to 1.9.1.1 and is part of the core code of our latest release, Community…

According to announce sent on July 7, 2015 to all Magento installations new security patch SUPEE-6285 should be installed in addition to three recent patches (SUPEE-5994, SUPEE-5344 and SUPEE-1533). July 7, 2015: New Magento Security Patch (SUPEE-6285) – Install Immediately Today we are providing a new security patch (SUPEE-6285) that addresses critical security vulnerabilities. The patch is available for Community Edition 1.4.1 to 1.9.1.1 and is part of the core code of our latest release,…

According to announce sent on August 4, 2015 new security patch SUPEE-6482 is available for installation to cover several potential threats, one of which is critical: August 4, 2015: New Magento Security Patch (SUPEE-6482) – Install Immediately Today we are providing a new security patch (SUPEE-6482) that addresses 4 security issues; two issues related to APIs and two cross-site scripting risks. The patch is available for Community Edition 1.4 and later releases and is part…

According to announce sent on August 4, 2015 new security patch SUPEE-6482 is available for installation to cover several potential threats, one of which is critical: August 4, 2015: New Magento Security Patch (SUPEE-6482) – Install Immediately Today we are providing a new security patch (SUPEE-6482) that addresses 4 security issues; two issues related to APIs and two cross-site scripting risks. The patch is available for Community Edition 1.4 and later releases and is part…

August 31, 2015: We are receiving notices about attacks to Magento stores via /index.php/api/v2_soap/index/ URL exploiting issue in Zend Framework used in 1.9.0.0 and 1.9.0.1 versions. Attacks are coming from 178.62.128.0/17 network block (Digitalocean) and user-agent logged as [email protected]. If you run Magento 1.9.0.0 or 1.9.0.1 version it is strongly recommended to apply SUPEE-3762 patch or upgrade to the latest Magento version. If you wish to save time and have us to install these patches…

October 17, 2015: We are receiving reports about massively infected Magento sites with GuruIncsite Javascript malware function LCWEHH(XHFER1)….. On October 20, 2015 Magento sent announce to all Magento installations via news feed in backend: New Malware Issue. Make Sure You Have Implemented All Security Patches We have received reports that some Magento sites are being targeted by Guruincsite malware (Neutrino exploit kit). We have NOT identified a new attack vector at this time. Nearly all…

October 27, 2015: New Magento Security Patch (SUPEE-6788) – Install Immediately Today, we are releasing a new patch (SUPEE-6788) and Community Edition 1.9.2.2 to address 10+ security issues, including remote code execution and information leak vulnerabilities. This patch is unrelated to the Guruincsite malware issue. Be sure to test the patch in a development environment first, as it can affect extensions and customizations. Download the patch from the Community Edition Download page and learn more…

October 27, 2015: New Magento Security Patch (SUPEE-6788) – Install Immediately Today, we are releasing a new patch (SUPEE-6788) and Community Edition 1.9.2.2 to address 10+ security issues, including remote code execution and information leak vulnerabilities. This patch is unrelated to the Guruincsite malware issue. Be sure to test the patch in a development environment first, as it can affect extensions and customizations. Download the patch from the Community Edition Download page and learn more…

January 20, 2016: New Magento Security Patch (SUPEE-7405) – Install Immediately If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento 1.9.2.3 version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7405). If Magento upgrade is not possible in the moment due to some reason you still…

January 20, 2016: New Magento Security Patch (SUPEE-7405) – Install Immediately New SUPEE-7405 patch can be downloaded as usual from Downloads page: https://www.magentocommerce.com/products/downloads/magento/ or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.2.3 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.2.3. To apply the patch you need SSH access (shell access actually, SSH is just most used way to get…

SUPEE-8788 resolve multiple security issues, including critical vulnerabilities with certain payment methods and Zend Framework libraries, support for HTML5 image upload (no flash). SUPEE-8788v2 patch (shell version) can be downloaded from Downloads section. To apply the patch you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. If you have no SSH access, you can refer to How to apply SUPEE-8788 via FTP/Filemanager/cPanel or any…

SUPEE-8788 resolve multiple security issues, including critical vulnerabilities with certain payment methods and Zend Framework libraries, support for HTML5 image upload (no flash). If you have SSH access, it would be more safe to apply the patch via SSH or upgrade to Magento 1.9.4.5 or OpenMage. If upgrade is not an option due to some reason you still can apply the patch via FTP/sFTP upload as shown in this article. Before applying this patch, make…

February 8, 2017: A fix for the recently discovered Zend Framework 1 security vulnerability New SUPEE-9652 patch can be downloaded as usual from Downloads page: https://magento.com/tech-resources/download#download1972 or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.3.2 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.3.2. To apply the patch you need SSH access (shell access actually, SSH is just most used…

February 8, 2017: A fix for the recently discovered Zend Framework 1 security vulnerability If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento 1.9.3.2 version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7405, SUPEE-8788, SUPEE-9652). If Magento upgrade is not possible in the moment due…

May 31, 2017: Community Edition 1.9.3.3 and SUPEE-9767 Security Enhancements – 5/31/2017. New SUPEE-9767 patch can be downloaded as usual from Downloads page: https://magento.com/tech-resources/download#download2014 or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.3.3 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.3.3. To apply the patch you need SSH access (shell access actually, SSH is just most used way to…

July 12, 2017: Community Edition 1.9.3.4 and SUPEE-9767 version 2 patch address customer registration and other issues encountered by some merchants when using the original release or patch. If you have SSH access, please refer to how to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade to the latest Magento 1 version or OpenMage LTS with all the latest security patches up to date…

SUPEE-8167: New Patch for PayPal Instant Payment Notification (IPN) Changes. Upgrade to 1.9.3.3 or SUPEE-8167 by June 30, 2017 to Avoid Service Disruptions – 6/13/2017 As of June 30, 2017, PayPal Instant Payment Notifications will no longer allow you to use HTTP to post messages back to PayPal for verification. To comply with these changes, all merchants using PayPal must upgrade to Community Edition 1.9.3.3 or apply the SUPEE-8167 patch. Updates must be in place…

Your current version of cURL php5 module is 7.xx.x, which can prevent services that require TLS v1.2 from working correctly. It is recommended to update your cURL php5 module to version 7.34.0 or higher Such message is shown on payment settings page in Magento Backend and informs about upcoming changes by June 30, 2017: PayPal IPN Url change covered by SUPEE-8167 switching to TLS1.2 version of SSL protocol, all previous versions will be rejected PayPal…

July 10, 2017: We are receiving reports about massively infected Magento sites with Javascript redirect malware to one of the following sites: http://mon.setsu.xyz https://tiphainemollard.us/index/? https://melissatgmt.us/redirect_base/redirect.js https://ribinski.us/redirect_base/redirect.js To this time, it seems like caused by old unpatched vulnerabilities, same as Guruincsite malware, so mitigation is very similar. Mitigation navigate in Backend to System > Configuration > Design > Footer > Miscellaneous HTML and System > Configuration > General > Design > HTML Head > Miscellaneous Script…

September 15, 2017: Community Edition 1.9.3.6 and SUPEE-10266 Security Enhancements – 9/15/2017. New SUPEE-10266 patch can be downloaded as usual from Downloads page: https://magento.com/tech-resources/download#download2073 or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.3.6 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.3.6. To apply the patch you need SSH access (shell access actually, SSH is just most used way to…

September 15, 2017: Community Edition 1.9.3.6 and SUPEE-10266 Security Enhancements – 9/15/2017. If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento 1.9.3.6 version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7405, SUPEE-8788, SUPEE-9652, SUPEE-9667, SUPEE-10266, SUPEE-10336). If Magento upgrade is not possible in the moment…

Magento CE 1.9.3.7 and SUPEE-10415 Security Enhancements – 11/29/2017 SUPEE-10415 patch can be downloaded from Downloads section or installed as a regular Magento 1.x upgrade or upgrade to OpenMage LTS with all the latest security patches up to date (it is about ~30 patches up to 2021). To apply the patch you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. If you have no…

November 29, 2017: Community Edition 1.9.3.7 and SUPEE-10415 Security Enhancements – 11/29/2017. If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch, you can simply upgrade your installation to Magento 1.9.3.7 version which includes all the latest security patches (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7405, SUPEE-8788, SUPEE-9652, SUPEE-9667, SUPEE-10266, SUPEE-10336 and SUPEE-10415). If Magento upgrade is not possible in…

March 28, 2018: SUPEE-10570v2 version released fixing inability of customers to complete checkout when trying to register during checkout after SUPEE-10570v1 February 27, 2018: Community Edition 1.9.3.8 and SUPEE-10570 Security Enhancements – 02/27/2018. If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch you still can apply the patch via FTP/sFTP upload as shown in this article. If you…

February 27, 2018: Community Edition 1.9.3.8 and SUPEE-10570 Security Enhancements – 02/27/2018. New SUPEE-10570 patch can be downloaded as usual from Downloads page: https://magento.com/tech-resources/download#download2164 or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.3.8 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.3.8. To apply the patch you need SSH access (shell access actually, SSH is just most used way to…

June 27, 2018: SUPEE-10752 version released with fixes that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities. If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch you still can apply the patch via FTP/sFTP upload as shown in this article. If you wish to save time and have us to…

June 27, 2018: Community Edition 1.9.3.9 and SUPEE-10752 Security Enhancements – 06/27/2018. New SUPEE-10752 patch can be downloaded as usual from Downloads page: https://magento.com/tech-resources/download#download2222 or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.3.9 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.3.9. To apply the patch you need SSH access (shell access actually, SSH is just most used way to…

September 18, 2018: Community Edition 1.9.3.10 and SUPEE-10888 Security Enhancements – 09/18/2018. New SUPEE-10888 patch can be downloaded as usual from Downloads page: https://magento.com/tech-resources/download#download2243 or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.3.10 version). You can install it in the same way as previous patches or by upgrading to Magento 1.9.3.10. To apply the patch you need SSH access (shell access actually, SSH is just most used way to…

The following error is reported on SUPEE-10888 installation (PATCH_SUPEE-10888_CE_v1.9.3.9_v1-2018-09-18-02-41-27.sh): File skin/adminhtml/default/enterprise/images/placeholder/thumbnail.jpg: git binary diffs are not supported. Cause The last chunk of the patch file (PATCH_SUPEE-10888_CE_v1.9.3.9_v1-2018-09-18-02-41-27.sh) contains a new file skin/adminhtml/default/enterprise/images/placeholder/thumbnail.jpg provided in a git diff format:Solution Update: updated patch files available (with v1-2018-09-19 in filenames), re-download the patch from Downloads page: https://magento.com/tech-resources/download#download2243 Regular patch command used in the script can not apply git diffs by default, such diff should be applied by git apply…

September 18, 2018: SUPEE-10888 version released with fixes that help close cross-site request forgery (CSRF) and other vulnerabilities. If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch you still can apply the patch via FTP/sFTP upload as shown in this article. If you wish to save time and have us to install these patches for you, simply click…

After installing SUPEE-9767 patch Magento security report show the following Failed scan: SUPEE-9767 Failed. Outdated jQuery library found (APPSEC-1622) response body contains unexpected ‘jquery 1.10.2.min.js’Cause There is a theme override in your app/design/frontend/themepackage/themevarian/layout/page.xml.Solution Edit the theme layout replacing jquery-1.10.2.min.js with jquery-1.12.1.min.js, just like in default rwd theme: If you have any difficulties with solving this problem or got a similar one, please let us know in comments below, so we can find the solution together.…

PHP 7.2 support patch for Magento provides compatibility with PHP 7.2 for core Magento. The patch was released in October 2018 and can be downloaded from https://magento.com/tech-resources/download#download2240. Note, that the patch is in unified diff? format and should be applied with patch command: Alternatively, you can upgrade Magento to 1.9.4.0 version which have announced PHP 7.2 support. Note: Now there is an option to upgrade your M1 store to the latest version of OpenMage LTS…

SUPEE-10975 patch can be downloaded from the table below or installed as a regular Magento upgrade via Downloader (it is included in Magento 1.9.4.0 version).Download SUPEE-10975 You can install it in the same way as previous patches or by upgrading to Magento 1.9.4.0. To apply the patch you need SSH access (shell access actually, SSH is just most used way to get shell access) to the server. If you have no SSH access, you can…

November 28, 2018: SUPEE-10975 version released with fixes that help close cross-site request forgery (CSRF) and other vulnerabilities. If you have SSH access, it would be more simple to apply the patch via SSH. If you have no SSH access to apply the patch you still can apply the patch via FTP/sFTP upload as shown in this article. If you wish to save time and have us to install these patches for you, simply click…

Mage_Backup core module is disabled after SUPEE-10975 patch or after upgrade to 1.9.4.0. It is not possible to create Magento database backup as corresponding screen in backend is missing. Also it is not possible to use any third-party extensions that rely on Mage_Backup. Cause The backup module is disabled intentionally by patch/upgrade process. Solution If you wish to use Mage_Backup core module you can enable it with completing the following steps: change <active> tag to…

‘undefined’ alert pop-up is shown after click on Place Order button at Magento checkout page after Magento upgrade: Cause Most likely cause is missing form_key attribute in the order form. Solution Check app/design/frontend/yourpackage/yourtheme/template/checkout/onepage/review.phtml and app/design/frontend/yourpackage/yourtheme/template/checkout/onepage/review/info.phtml files and replace the following code: with Do not forget to Flush Magento cache after the changes. If the issue persist, or form_keys are in place already, to troubleshoot the problem further edit skin/design/frontend/package/theme/js/opcheckout.js in your theme, search for alert(msg);…

During Magento upgrade via Magento Connect Manager or from ./mage upgrade-all CLI command there is the following or similar message reported in console: upgrade-all: Package community/Lib_IDNA2 1.9.4.0 conflicts with: community/Mage_Core_Modules Cause Most likely cause of this dependency issue is the following:upgrade-all: Failed to delete files: ./pkginfo/Mage_All_Latest.txt Check permissions The actual error message is just masked in long output from ./mage upgrade-all Solution The solution is to locate actual error message and correct it, i.e. delete…

If you noticed that your Magento store every day sends new account spam from registration form and user accounts are created in your store sending spam mails to random email addresses, mostly in qq.com, 168.cn, mail.ru, inbox.ru, list.ru or bk.ru domains, that means your registration form is unprotected from automatic submission. You may receive messages from your Mail Delivery System like this: Mail delivery failed: returning message to sender A message that you sent could…

Problem description After Magento upgrade to 1.9.3 or installation of SUPEE-8788 patch image upload is broken at Catalog > Manage Products > Product details > Images tab. It is not possible to upload new images, or Upload button is missing. Cause and solution See SyntaxError: expected expression, got ‘,’ for details. If you have any difficulties with solving this problem or got a similar one, please let us know in comments below, so we can…

This list include all Magento 1 patches (SUPEEs), including security patches, compatibility patches, USPS changes, etc. along with corresponding Magento version, where this patch was added to core Magento code. Results can be filtered with a Search field below. Related PostsKnown issues after Magento 1.x patch installation or upgrades

After Magento upgrade up to 1.9.2.1 or newer version you may notice Middle Name field is shown on Checkout, Customer Registration and other Frontend forms despite its configuration setting in Backend, at System > Configuration > Customers > Customer Configuration > Name and Address Options > Show Middle Name (Initial) option. Yet the option is set to “No“, Middle Name initial is still shown in every form on Frontend. Cause In newer Magento version (1.9.2.1…

After upgrade to Magento 1.9.4.1 or SUPEE-11086 Magento logging not working if log file does not exist. Cause In 1.9.4.1 (and SUPEE-11086) Magento added log validation function to validate extensions and it throws error on is_readable() function in case log file does not exist yet. Solution Use MPERF-10565 patch below to correct this issue. Note: This patch will be included in the next official SUPEE-release and should be reverted priot to next SUPEE-patch installation. If…

According to the following email notification from USPS Magento and OpenMage users should update USPS Endpoint to use HTTPS schema: This message explains some security improvements planned for the USPS Web Tools services. Effective June 24th, 2021, Web Tools will remove support for all unsecure HTTP endpoints. After this change, all requests to an unsecure HTTP endpoint will fail when attempting to access the Web Tools APIs and integrators may see an error message. To…

The following exception logged on attempt to process PayPal Payflowpro payments in Magento 1.7.0.2: ERR (3): Zend_Http_Exception: Invalid HTTP response version: 2 in lib/Zend/Http/Response.php:182 Stack trace: #0 lib/Zend/Http/Response.php(665): Zend_Http_Response->__construct(200, Array, ‘RESULT=0&PNREF=…’, ‘2’, false) #1 lib/Zend/Http/Client.php(1007): Zend_Http_Response::fromString(‘HTTP/2 200 \r\nco…’) Cause Response from PayPal server is now returned with HTTP/2 version, while old Zend Framework and Magento code is capable in parsing only HTTP/1.0 and HTTP/1.1 responses. Solution It can be fixed with adjusting regular expressions matching…

As of 2021 Adobe has ended support for the Flash Player plugin and it is removed in browsers (refer to Saying goodbye to Flash in Chrome for details). Magento 1 Image Uploader depended on Flash. With flash plugin removed product image upload on Catalog > Products is now broken in Chrome and Firefox. There is official patch from Magento to overcome this issue in Magento 1.9.x and all older versions, SUPEE-8788. It comes along with…