How Secure is Magento? | 2016 Global Security Report

How secure is Magento? Not much, says Trustwave.

One of the leading information security companies, Trustwave, released the 2016 Global Security Report, which reveals the top cybercrime, data breach and security threat trends from 2015. Even though the report only confirmed what we have been suspecting over the last year, some of the data, especially the figures concerning ecommerce, were somewhat shocking. We would like to share some interesting facts from the report, especially those concerning compromised ecommerce websites, and, as the Trustwave report shows, “compromised ecommerce” largely means Magento.

Ecommerce is still a lucrative target for hackers.

There has been a shift in compromised environments, with compromises affecting corporate and internal networks increasing from 18% to 40% in 2015. Ecommerce is still affected by a large portion of attacks, as 38% of investigations were of ecommerce breaches. For ecommerce environments, SQL injection was the biggest factor at 26% of intrusions, followed by malicious file uploads (22%), code injection (17%) and malicious insiders (13%).

Magento is NOT the most secure ecommerce platform.

At least not when it is left as-is.

According to Trustwave, Magento was the ecommerce target of choice for hackers, with Magento installations accounting for 85% of compromised ecommerce systems. Considering that at least five critical Magento vulnerabilities were identified in 2015, this is not surprising. Most of the affected systems were not fully up to date with security patches, with some being behind by more than 12 months.

[Image: unpatched Magento websites]

Most of the affected Magento websites were out of date and not fully patched, which leads to the conclusion that Magento store owners couldn’t care less about web security. But why is that?

Unfortunately, many Magento store owners are still reluctant to invest in the security of their website. It comes down to a few main reasons why users don’t patch:

  • Installing security patches is complex and requires technical knowledge; regular users are simply not able to do it by themselves, so they have to hire a developer.
  • Installing security patches can be overwhelming: users have to establish which patch they need, log into their Magento account, download the patch, transfer the files, run a series of commands, test that everything still works, and repeat this for all shops and all patches.
  • People would rather accept a hypothetical large risk (and a HYPOTHETICAL large cost) than the small but certain price of hiring someone to install patches. The fact that Magento started releasing security patches almost every other month further discourages online retailers.


It’s really the cheapskate’s attitude: deciding not to pay now and taking the risk of regretting it later. There is no “better safe than sorry” when it involves your hard-earned cash. But when it comes to security of your business, sooner is better. And NOW is the best!

Your website could have been hacked and exploited for 9 weeks without you realizing it. In fact, you could be hacked right now!

To understand how long it takes businesses to detect a breach and how long affected data records are exposed, Trustwave recorded the dates of three milestones in a security compromise:

  • Intrusion – the day the attacker gained unauthorized access to the victim’s systems.
  • Detection – the day the victim or another party identified that a breach had taken place.
  • Containment – the day the compromise was cleaned up and the system was no longer exposed.


According to Trustwave’s investigators it takes 80.5 days on average from initial intrusion to a security breach being detected, with values ranging greatly, from zero days to over 2000 days (more than five years!).

In some cases, the containment of a security breach can occur before its detection, when an attack is stopped by a software upgrade before being discovered, or when investigators determine that the attacker had left before evidence of the breach was found. Even though the median total duration between intrusion and containment decreased from 111 days in 2014 to 63 days in 2015, it still leaves hackers 9 weeks on average to exploit your system without you being aware.

[Image: undetected security breach; image courtesy of Trustwave]

Cybercrime is a profitable business.

Cybercrime is big business, and that is generally known. But it still seems difficult to comprehend just how big. In last year’s report Trustwave showed how attackers launching a malware campaign could expect to earn a breathtaking $84,100 in profit from an initial investment of just $5,900, in 30 days. In parts of the world where many attacks originate, that could mean going from rags to riches in just one month! And it’s your unsecured business paying for that.

In case of online security, what you don’t know CAN harm you!

The majority of victims, 59%, did not detect breaches themselves. The number of victims that detected breaches on their own has increased since 2014, and it is very important that this number keeps going up. Victims who were capable of detecting compromises internally, either on their own or in partnership with their security services provider, detected breaches sooner and contained them more quickly than victims who were not.

If only there was a security solution that could help me protect my website…

Well, there is! Faced with an increasing number of clients who came to us with problems that turned out to be the result of a security breach, the ExtensionsMall team developed an extension that helps even non-tech-savvy users implement security best practices with ease and gives them insight into their website’s security. Here are just a few of the Magento security issues MageFence addresses:

Security Checklist for Magento

  • Undetected malware infection – MageFence scans your system for malware and checks whether your website has already been hacked. Make sure your website is free from critical issues such as Credit Card Hijack, Guruincsite malware, Ransomware or any other kind of malicious code.
  • Vulnerabilities – the Checklist feature lets you easily find out if your website has been hacked or if there are any vulnerabilities that need to be fixed.
  • Malicious file uploads – MageFence scans your installation on a regular basis and reports ALL changed files, so you can confirm the changes you made yourself and pinpoint the files that were modified as a result of a possible attack.
  • Brute-force attacks – change the Admin Panel URL and Magento Connect URL easily and safely, and block IP addresses after too many failed login attempts.
  • Unauthorized access – MageFence scans the database and detects users with admin privileges that were created without authorization.
  • Compromised password – to make sure that bad guys can’t access your Admin Panel even if they somehow get hold of your credentials, we have included the Two-Step Verification module in the MageFence Security package.
  • Outdated protection – this module gives you the list of all Magento security patches you have installed, as well as the ones you are missing, and because the extension connects to our server, you will always be notified of the latest security trends and updates.


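The “Malicious file uploads” check above is a file-integrity scan: hash every code file, keep the hashes as a baseline, and on the next run report what was added, removed or modified so the owner can confirm their own edits and investigate the rest. The following Python is an added example of that technique, not MageFence’s or Magento’s own code; the store tree it builds in a temporary directory (the Acme module path and media/extra.php) is constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, exts=(".php", ".phtml", ".js", ".xml")) -> dict:
    """Map each code file (path relative to the store root) to its SHA-256."""
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in exts:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline

def diff_baseline(old: dict, new: dict) -> dict:
    """Classify every difference between two scans; an unexpected 'added' .php
    file in a writable upload directory is the case the checklist item targets."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo() -> dict:
    """Constructed mini store: take a baseline, simulate changes, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app/code/local/Acme/Model").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'app/Mage.php';\n")
        (root / "app/code/local/Acme/Model/Observer.php").write_text("<?php class Acme_Model_Observer {}\n")
        before = build_baseline(root)
        # Simulated changes since the last scan (constructed): one edit by the
        # owner, one module removed, and a new PHP file nobody deployed.
        (root / "index.php").write_text("<?php require 'app/Mage.php'; // edited\n")
        (root / "app/code/local/Acme/Model/Observer.php").unlink()
        (root / "media").mkdir()
        (root / "media/extra.php").write_text("<?php // not present in the baseline\n")
        return diff_baseline(before, build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In a real deployment the baseline would be stored outside the web root and refreshed only after the owner confirms each reported change.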
You can download the MageFence Security module here and secure your Magento store right now. A copy of the full 2016 Trustwave Global Security Report can be found at:

2 thoughts on “How secure is Magento? Not much, says Trustwave.”

  1. So, you blame Magento in the headline, but it seems it’s really the users that are at fault. Why the misleading headline? Why the lies? Writer must be a Liberal! Oh, and since you like to deceive, I’ll take my business elsewhere.
