Check if your Magento site is safe from CosmicSting (CVE-2024-34102)

I’ve been sitting on this post and POC for CosmicSting (CVE-2024-34102) for a little while, giving stores time to patch the vulnerability. Chances are, if you still have not applied the patch, your store will have been probed and compromised by now, since there are a handful of POCs out in the wild. So I highly encourage you to make sure the patch is applied (it’s simple, a single file diff), and to download and run a malware scanner such as Ecomscan by Sansec (it’s free, although it won’t tell you the location of the infections). Since this vulnerability allowed attackers to exfiltrate any file on the server that the user running PHP had permission to read, it is highly advised that you rotate your application key in app/etc/env.php, as a leaked key will allow attackers to create new API tokens even after the patch is applied. ...

July 7, 2024 · 2 min · 333 words · Me

Flushing Magento 2 Varnish Like a Pro

Flushing the Magento 2 cache is simple, right? Just click the orange “Cache Clear” button in the Admin, or run php bin/magento cache:clean from the command line. From speaking to other developers and merchants, this seems to be the way everyone deals with refreshing cached content, even if it only affects a single page or product. It does not take a genius to realise that flushing the entire Magento cache means a significantly lower cache hit rate in the short term. The key impacts of this will be: ...

June 4, 2024 · 2 min · 383 words · Me

How to delete spam customer accounts in Magento2

Summary
Over the last few years, we’ve noticed an increase in the complexity of spam bots signing up to Magento 2 stores. They used to just spam customer accounts using the same email or email domain, likely ending in .qq.com, .ru, etc., so it used to be easy to bulk delete based on the TLD, especially for sites that do not ship to China, Russia, etc. Over the last few years, however, I’m observing them using standard mail providers such as gmail.com or outlook.com along with name fakers for the account names. This, coupled with a slower registration rate and realistic fake data in the other fields, makes it much harder to batch delete customers. ...

May 24, 2024 · 3 min · 598 words · Me

How to install & configure PHP SPX in Warden for Magento 2

PHP-SPX is a free and open source profiling alternative to Blackfire, Tideways, etc. The main benefits, in my opinion, are that it’s free to use and how simple it is to set up (under 60 seconds). There is an open discussion within Warden to install the PHP-SPX profiler into Warden core: https://github.com/orgs/wardenenv/discussions/719 In the meantime, while we wait for the PR to merge, I’ve created the following shell script to bootstrap the PHP-SPX installation and configuration for the current Warden project. ...

May 23, 2024 · 3 min · 505 words · Me

Anonymizing Magento 2 Databases with Warden

You might find yourself needing to anonymize a database in Warden to either pass it off to another developer, or move it forward into ephemeral / staging environments. This is fairly easy to achieve with Smile-SA GDPR Dump. First, let’s download the resources we need; we will store them in the dev folder, as we can exclude this in our deployment pipelines.
wget https://github.com/Smile-SA/gdpr-dump/releases/latest/download/gdpr-dump.phar -O dev/gdpr-dump
wget https://raw.githubusercontent.com/Smile-SA/gdpr-dump/main/app/config/example.yaml -O dev/gdpr-dump.yaml
chmod +x dev/gdpr-dump
Next we can edit the yaml to set our correct Magento version and catch any non-core tables we might have, followed by running the anonymizer script. ...

May 21, 2024 · 1 min · 126 words · Me

Analyzing a real Magento 2 Stripe CC Scraper Malware Sample

Overview
Recently I came across a Magento 2.3.4 store with a Stripe-specific credit card scraper embedded into the checkout page. The malware had been injected into the core_config_data table and was being saved against the shipping/shipping_policy/shipping_policy_content key. The updated_at time of the entry was 2024-04-10 13:27:32, although it’s worth noting that, while this may be the time of the initial infection, since the original entry point has not been patched an attacker could simply have changed the payload on that date. ...

May 20, 2024 · 2 min · 421 words · Me

Magento 2 Malware Scanning with Sansec Ecomscan - CLI, Automation & Bulk Scans

Running regular malware scans is critical for any Magento 2 store to prevent compromised code or database infections, yet many stores skip this step. The gold standard is Ecomscan by Sansec.io, which supports single-site, scheduled, and bulk scans via CLI or Ansible. This guide shows how to run scans, interpret results, and integrate notifications via Slack or email.
TL;DR
- One-off malware scan: curl "https://ecomscan.com" | sh
- Schedule recurring scans via CRON
- Bulk scan multiple Magento 2 sites using Ansible: GitHub repo
- Get alerts via Slack or email
- Free trial available; paid licenses €45–200/month depending on scale
One-Off CLI Malware Scan with Sansec Ecomscan
You can trigger one-off scans from the server CLI by running the following command and following the prompts. It even gives you the option to configure it via CRON for regular future runs. ...

May 18, 2024 · 3 min · 472 words · Me

Magento 2 Malware Analysis

Recently I onboarded a new client who was looking for a new development partner. The site was running 2.3.4, so I was expecting we would need to perform a few updates and that there would be some security holes to patch. I ran Ecomscan, as always, during my initial audit of the site, and that highlighted 4 samples of malware on the store! Much to the surprise of the client, who had no idea the site was infected. So into firefighting mode we went. ...

May 13, 2024 · 5 min · 1046 words · Me

Adobe Commerce - Improved Magento Vars Store Code Configuration

The default magento-vars.php file that is referenced throughout the Adobe Commerce documentation leaves a lot to be desired and can become a pain when managing stores with many websites and store views. Luckily we can simplify this configuration using the match expression available in PHP 8. This version of the script allows us to configure new store fronts by adding a single case to the match statement.
<?php
$host = $_SERVER['HTTP_HOST'] ?? '';
// For ephemeral hosts of the form <scope>.<a>.<b>.<c>.<tld>, return the leading scope label; otherwise null.
$ephemeralHostScope = fn(string $host): ?string => substr_count($host, '.') === 4 ? strtok($host, '.') : null;
$_SERVER["MAGE_RUN_TYPE"] = 'store';
$_SERVER["MAGE_RUN_CODE"] = match(true) {
    $ephemeralHostScope($host) === 'us' || str_contains($host, 'example.com') => 'us',
    $ephemeralHostScope($host) === 'gb' || str_contains($host, 'example.co.uk') => 'gb',
    $ephemeralHostScope($host) === 'cn' || str_contains($host, 'example.cn') => 'cn',
    default => 'base'
};
We are targeting two URL formats within this upgrade script. ...

April 29, 2024 · 1 min · 150 words · Me

Magento 2 - Elasticsearch 8 Fixing _id disallowed indices in Warden

This post explains how to set custom Elasticsearch configuration within Warden to fix the "Fielddata access on the _id field is disallowed" error with Elasticsearch 8. This is a follow-on from an earlier post explaining common ES8 configuration issues with Magento. The error we are going to fix relates to ES8 changing the default value for _id fielddata:
Fielddata access on the _id field is disallowed, you can re-enable it by updating the dynamic cluster setting: indices.id_field_data.enabled
The Solution
Within your project root, create a file at .warden/warden-env.yml with the following content ...

April 24, 2024 · 1 min · 130 words · Me
