How to secure Magmi on Magento


Magmi is a Magento mass importer: an alternative product importer that offers better performance than the default Magento importer. It has no authentication of its own, which makes it a dangerous tool, because anyone who can reach it effectively has full write access to your Magento webshop database. This article helps you secure your Magmi installation against attackers.

On our Hypernode platform Magmi is blocked by default. Hypernode users can follow the steps explained in Unblocking and accessing magmi for Hypernode to use Magmi.

What is Magmi for Magento?

Magmi, the Magento mass importer, is an alternative product importer offering better performance than the default Magento importer. It ships without any authentication of its own, which makes it a very powerful but also dangerous tool: whoever can reach its web interface effectively has full access to your Magento webshop database.

We have noticed that a number of our customers have installed Magmi without securing it, leaving their webshop open to exploitation by malicious actors.

Do you have a Hypernode for your Magento webshop? Please read the Unblocking and accessing Magmi for Hypernode article to see how you can use Magmi securely in a few steps.

What is the security problem and what are the consequences?

If Magmi is reachable without any access restriction, you are effectively granting everyone on the internet access to your Magento database. Your shop can then easily be abused by malicious people: they could, for example, add admin users, change products and prices, and upload malicious files.

A recent well-known Magmi Magento hack was the credit card collection hack that forwarded all payment details of paying customers to the hacker. You can read the full story on Sucuri’s blog.

How do I secure Magmi on my Magento webshop?

Securing Magmi on your Magento webshop is done via SSH.

  1. Log on to your SSH server with your credentials. Byte customers can find their credentials in their Service Panel.
  2. To protect your Magmi installation with HTTP basic authentication, add the following location block to your nginx configuration:
    location ~* /magmi($|/) {
        auth_basic "Magmi login required";
        auth_basic_user_file /data/web/nginx/magmi.htpasswd;
    
        location ~ \.php$ {
            echo_exec @phpfpm;
        }
    }
    

    If you choose this option, you also have to create the auth_basic_user_file, for example using:

    htpasswd -c /data/web/nginx/magmi.htpasswd exampleuser

    Note that -c creates the file and overwrites it if it already exists, so use -c only for the first user and omit it when adding further users. Keep the password file outside the document root (as in the path above) so it can never be served by the web server.
  3. To protect your Magmi installation with an IP whitelist, add the following location block to your nginx configuration:
    location ~* /magmi($|/) {
        allow a.b.c.d;
        deny all;
    
        location ~ \.php$ {
            echo_exec @phpfpm;
        }
    }
    

    Be sure to replace a.b.c.d with the IP address you wish to whitelist. You can add as many allow directives as you like, and deny all must remain the last rule. Be aware that if your shop sits behind a CDN, load balancer or other reverse proxy, nginx sees the proxy's address rather than the visitor's unless the real IP is configured (the ngx_http_realip_module), so verify that the whitelist actually blocks requests from a non-whitelisted address. The two options are not mutually exclusive: combining them means an attacker needs both a whitelisted address and the password.
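The following POSIX shell script is an added example, not part of the original article and not Magmi's or Hypernode's own code. It combines the two options above into one nginx location block that requires both a whitelisted source IP and valid basic-auth credentials (nginx's `satisfy all` behaviour, written out explicitly), and it includes a small check that the generated snippet really contains both restrictions before you run `nginx -t` and reload. The file names, the htpasswd path and the example IP addresses are assumptions; where nginx includes the snippet from depends on your hosting setup.

```shell
#!/bin/sh
# Added example: generate and sanity-check an nginx snippet that protects /magmi
# with BOTH an IP whitelist and HTTP basic auth. Not Magmi's or Hypernode's own
# code; the paths below are assumptions for your own setup.

HTPASSWD="/data/web/nginx/magmi.htpasswd"   # assumed location of the htpasswd file

# write_magmi_conf FILE IP [IP...]
# Writes a location block to FILE. "satisfy all" (nginx's default, stated
# explicitly here) means a request must pass the allow/deny check AND present
# valid credentials; with "satisfy any" either one alone would be enough.
write_magmi_conf() {
    conf="$1"; shift
    [ $# -gt 0 ] || echo "warning: no IPs given, every client will be denied" >&2
    {
        printf '%s\n' 'location ~* /magmi($|/) {'
        printf '%s\n' '    satisfy all;'
        for ip in "$@"; do
            printf '    allow %s;\n' "$ip"
        done
        printf '%s\n' '    deny all;'
        printf '%s\n' '    auth_basic "Magmi login required";'
        printf '    auth_basic_user_file %s;\n' "$HTPASSWD"
        printf '%s\n' ''
        printf '%s\n' '    location ~ \.php$ {'
        printf '%s\n' '        echo_exec @phpfpm;'
        printf '%s\n' '    }'
        printf '%s\n' '}'
    } > "$conf"
}

# check_magmi_protected FILE
# Returns 0 only if FILE restricts source IPs and demands a password; prints
# what is missing otherwise. Run it before "nginx -t" and a reload.
check_magmi_protected() {
    f="$1"; ok=0
    grep -q '^ *allow ' "$f"               || { echo "missing: allow <ip>";          ok=1; }
    grep -q '^ *deny all;' "$f"            || { echo "missing: deny all";            ok=1; }
    grep -q '^ *auth_basic_user_file' "$f" || { echo "missing: auth_basic_user_file"; ok=1; }
    return $ok
}

# Example usage on the server (paths and IP are assumptions):
#   write_magmi_conf /data/web/nginx/magmi.conf 203.0.113.10
#   htpasswd -c /data/web/nginx/magmi.htpasswd exampleuser   # -c only for the first user
#   check_magmi_protected /data/web/nginx/magmi.conf && nginx -t
```

After reloading nginx, verify from a non-whitelisted address that a request for /magmi/ returns 403 (and 401 from a whitelisted address without credentials) rather than the Magmi interface; if you are behind a reverse proxy, the 403 will not appear until the real client IP is passed through to nginx.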

In short: adjust the web server configuration so that the Magmi directory cannot be reached by visitors who should not have access to it, either by whitelisting IP addresses or by password-protecting the directory, or preferably both.


To fix this problem you need access to, and knowledge of, SSH. If you don't know how to use SSH, please ask your technical contact to help you secure Magmi.

Need help?

Magento is not an easy open source CMS. Although we are very skilled in hosting Magento shops, making them fast and keeping conversion high, we are not Magento developers. Luckily, we know a lot of agencies that do know how Magento works. If you need help, don't hesitate to contact one of these agencies.
