What We’ve Learned From Our Large-Scale Magento Security Analysis

Like no other hosting provider, we know about Magento security. We've now used our expertise to gain insight into the security of Magento installations on the world's most popular domains.

Gaining insight in security

From experience, we know that the quality and safety of Magento webshops varies greatly. When a webshop is insufficiently protected or patched, there can be many different reasons: for example, merchants or solution partners underestimate the risks, or do not consider the costs a security failure imposes on customers and visitors.

To gain more insight into merchants’ security decisions and into the extent to which they take into account the burden a security failure places on customers and society in general, we decided to investigate the state of cybersecurity in the Magento community more systematically. For this, already provided us with all the technology needed.

Since conservative estimates say at least 250,000 Magento webshops exist worldwide, we decided to focus on Magento installations from the US and EU that rank within Alexa’s top 1 million list of most popular domains. Webshops of this popularity should have decent processes in place and should therefore be able to build sound and secure webshops.

The state of Europe’s Magento security

Next, we scanned over 9,000 webshops using all MageReport checks. To compare the security of webshops in different countries, each webshop was assigned a security score based on the CVSS scores of Magento security patches.

Furthermore, we were curious whether merchants base their webshop's security on the number of visitors their domain attracts, so we compared security scores with Alexa ranking. This matters because a hacked webshop can, in theory, inflict more damage the more visitors, consumer data and transactions it handles.

The results of this analysis are quite remarkable and perhaps worrying. Webshops do not seem to take the number of visitors or the societal costs into account. Moreover, our analysis shows that webshops become even less secure as they attract more visitors. In addition, higher-ranked webshops have a greater chance of containing one or more critical vulnerabilities.

We also found significant differences between webshops depending on their country of origin. With US webshops, which make up almost half of the webshops in our dataset, taken as the reference category, our research shows that Magento shops from the UK, the Netherlands and Germany are significantly more secure, while shops from France, Spain, Italy, Poland and Romania are significantly less secure. The security of webshops in other countries varies, but does not differ significantly from the reference category.

Where these differences stem from is unclear, but they do provide insight into the state of Europe’s Magento communities.

Very popular, very insecure?

Another remarkable finding of our study is that Magento installations on the 300,000 most popular domains worldwide, which attract a great number of visitors, are substantially less secure than lower-ranked webshops.

Although surprising at first sight, this might have to do with the type of webshops that use Magento. For extremely large webshops with a great number of visitors, tailor-made solutions are sometimes preferred. We suspect this is because large retailers have very complicated setups for their webshops, which make the quick development and deployment of patches much more difficult than on ‘standard’ Magento webshops.

Moreover, when such an extremely popular domain still contains a Magento installation, it may also be that the webshop is not the site's primary purpose or source of income. In these cases, other or tailor-made content management systems would be more suitable. An example would be a very large multinational whose website's main goal is to inform people about its services, and which runs a Magento installation ‘on the side’.

We find that these types of Magento installations in particular are substantially less secure. In fact, the data shows that the webshops of some of Europe’s leading newspapers, whose primary business is not e-commerce, had not installed one or more critical security patches. In some cases, even patches released in January 2016 were not installed.

Security as a starting point

In general, this analysis confirms what we already knew from experience: firms and merchants often, and unjustifiably, do not treat security as a top priority when running a webshop. We believe security should be the starting point of every webshop.