Unprotected Magento version control systems
Lots of developers use version control systems for developing a Magento webshop. These version control systems such as Git and Subversion store their metadata in hidden folders. When left open via the web, they could reveal sensitive information such as passwords.
If .svn or .git directories are available/can be approached from the web, one can download (parts of) the full repository and, therefore, view all code and configurations of a shop, or retrieve passwords and other credentials stored in version control. This holds true even when “directory listing” is disabled.
What are the consequences for my webshop?
If the database passwords are also present in this repository, this may lead to hackers using the user name and password combination to add admin users to your Magento webshop. This way, they can take over the shop and cause great damage.
How do I secure my Magento?
At Byte, this is already prevented from happening through a modification in the web server configuration, which means that these files are not available. On other servers, a modification in the web server configuration by the hoster or in the .htaccess file is required.
If you host your webshop somewhere else, we recommend contacting your webhoster and asking them to block access to directories and files that start with a full stop (also known as a dot or period: “.”) .
Examples for non-Hypernode users
Non-Hypernode and/or non-Byte users, can use these snippets to block your version control directory:
Magento is no easy open source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re no Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.