How to apply Magento patches
Table of contents
- 1 Different Magento patches
- 2 Six steps to apply the patch and increase your Magento security
- 3 FAQ
- 3.1 I keep getting a Hunk failed error. What should I do?
- 3.2 How long will downloading and applying the patch take?
- 3.3 I’ve patched my shop, but I keep getting an notification in the back-end of Magento
- 3.4 Can I check if a patch is installed?
- 3.5 I have a Magento 2 shop, can I still check if a patch is installed?
- 4 Magereport keeps saying the security patch isn’t installed
- 5 Need help?
Different Magento patches
Every once in a while Magento issues a new patch for Magento Community and Magento Enterprise to increase the security of their software. These patches are basically security releases, and new Magento versions mostly contain all prior patches. Whenever a new patch comes out, download and install it as soon as possible. A complete overview of Magento patches can be found on Magento.com.
Six steps to apply the patch and increase your Magento security
You need SSH (shell) access to download and apply the patch. You need only three commands, CD, WGET and BASH, to navigate, download and apply the patch.
Step 1: Make a backup
There’s a chance that certain plugins or elements in your webshop aren’t compatible with the Magento patch. That’s why we always recommend you to make a backup first, in case something goes wrong.
Step 2: Log on to SSH (shell)
Log on to the shell server. If you don’t how to log on, contact your hosting provider or technical contact. Byte customers follow the steps in the article Inloggen op SSH (shell) (written in Dutch).
Step 3: Download the patch
To download the correct patch for your webshop you need to know what version of Magento your using. Don’t know what version you use? Find out with this tutorial or get the version by simply using Magereport.
Download the patch(es) you need via the Magento downloads page.
Step 4: Apply the patch
The command BASH will apply the patch you just downloaded:
Let’s assume here that the patch name is: patch_supee-5994.sh . Your actual command would look like this:
Step 5: Clear your cache
It’s important to flush the Magento cache after applying the patch. Flushing your caches can be done in the back-end of your Magento shop under Cache management. More info about flushing your cache in the back-end of Magento can be found in the Magentocommerce Knowledgebase. Don’t forget to flush your OPcode or APC cache as well!
Step 6: Check your shop
Don’t forget to check your shop for vulnerabilities after patching and flushing your caches. Magento’s Security Patch Page provides a list of signs to look out for to determine whether your site is comprised or not.
I keep getting a Hunk failed error. What should I do?
When you get the Hunk failed error it means you downloaded the patch for the wrong version. Please check what version of Magento you’re running and download the correct patch. If you still receive this error, please check the Magento forum for more information on these patches or discuss your problem on one of their boards.
How long will downloading and applying the patch take?
Downloading and applying the patch doesn’t take much time. We do however recommend that you check your shop thoroughly after applying the patch, which can take up quite some time.
I’ve patched my shop, but I keep getting an notification in the back-end of Magento
Magento doesn’t check whether you’ve applied the patch or not, so that notification will always be visible, patched or not. If you already applied the patch, you can ignore the notification or indicate you’ve read the message.
Can I check if a patch is installed?
Yes you can. You can scan your site with magereport.com to see if a patch is installed or not. If a check comes up grey it’s possible the files that are needed for the check are relocated. Therefore it can’t see whether your shop is patched or not. No worries. Simply use SSH to check if your shop is patched.
Every check that’s been installed can easily be found in the content of your shop. More specifically it’s logged in app/etc/applied.patches.list . So you use the command ‘grep’ to access the list:
grep '|' app/etc/applied.patches.list
The output will look like this:
-e 2015-04-14 08:34:22 UTC | SUPEE-5344 | EE_184.108.40.206 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v220.127.116.11..HEAD
In this example only SUPEE-5344 has been applied. When you uninstalled a patch, you’ll see this:
-e 2015-04-14 15:21:48 UTC | SUPEE-5344 | EE_18.104.22.168 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v22.214.171.124..HEAD | REVERTED
I have a Magento 2 shop, can I still check if a patch is installed?
If you have a Magento 2 shop on Hypernode, most security checks will come out as ‘safe’, except for SUPEE-5344 Shoplift (the check in MageReport comes out as ‘unknown’). This makes sense, since the patches are made for Magento 1.x versions security leaks. If a security leak also effects Magento 2, the Magento team will release a separate patch or version (like they did with the Magento 2.0.1 Security update).
Hosting elsewhere? Some security patch checks may report unknown if your hosting provider has taken measures to protect your shop against these vulnerabilities.
Magereport keeps saying the security patch isn’t installed
We found out that there are several reasons why patches can come out as uninstalled on Magereport.com, so we recommend you to check the following:
- When compilation is enabled in the backend of your Magento, the Magento patch doesn’t work properly. Disable compilation (navigate to System > Tools > Compilation page and click on Disable button) to make sure the patch works. After disabling compilation, check your site with magereport.com again. If the check still comes out as not installed, try re-compiling.
- Check if the patch is installed in the correct directory;
- Reload your opcode cache, webserver, php-fpm process and possible other caches. The old code might be still be active;
- Check your shops’ .htaccess. If you’ve made any adjustements in your .htaccess, it’s possible the patch is only partially installed;
- [SUPEE-6482-only] Using a Magento version older them Magento 126.96.36.199? Update to a more recent version. When patching Magento versions older then Magento 188.8.131.52, certain redirects aren’t added.
We hope one of the causes mentioned above can fix your problem. If not, we recommend you to hire a Magento specialist. Unfortunately we can’t help fixing these problems. We’re a hosting company that specializes in Magento hosting. Magento development however is a completely different specialty. A list of Magento developers per country can be found on Magereport.com.
Magento is no easy open source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re no Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.