

The Fix

The most important first step is to ensure that the entire Magmi directory is not publicly accessible: only the web directory inside the Magmi directory should be exposed, and the remaining files (configuration, includes, plugins and so on) should be inaccessible from the web. Using a symlink is the easiest way to achieve this.

Just move the Magmi directory out of the document root, then create a symlink (with an obscure name, e.g. some-obscure-name) back to the web directory. The web server must be allowed to follow that symlink (Nginx does so by default; an Apache directory needs Options FollowSymLinks or SymLinksIfOwnerMatch). The obscure name only hides the path; the access controls below are what actually protect it.

# run from the document root; the path is the page's example hosting layout
cd /microcloud/domains/example/domains/example.com/http/
mv magmi ../___magmi                     # magmi now lives outside the document root
ln -s ../___magmi/web some-obscure-name  # expose only web/, under an obscure name
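The relocation above, as an added example that is not part of the original page or of Magmi: the three commands are wrapped in a function, applied to a constructed directory tree (a simplified Magmi layout with made-up file contents), and followed by a check that walks everything reachable through the document root, following symlinks the way a web server would, and fails if any of it resolves outside ___magmi/web. The hosting path, file names and the some-obscure-name link name are assumptions taken from the text.

```shell
#!/bin/sh
# Added example (not from the original page or from Magmi): apply the
# move-and-symlink fix to a constructed tree and verify that only magmi/web
# is reachable through the document root. The layout below is constructed
# and simplified; the real Magmi tree contains more files than this.
set -eu

# make_demo_tree BASE: build BASE/example.com/http/magmi/{web,conf,inc,plugins}
# with placeholder files and print the document root (constructed data).
make_demo_tree() {
  base=$1
  docroot=$base/example.com/http
  mkdir -p "$docroot/magmi/web" "$docroot/magmi/conf" \
           "$docroot/magmi/inc" "$docroot/magmi/plugins/base"
  echo '<?php // importer UI' > "$docroot/magmi/web/magmi.php"
  echo '[DATABASE]'            > "$docroot/magmi/conf/magmi.ini"
  echo '<?php // internals'    > "$docroot/magmi/inc/magmi_engine.php"
  echo '<?php // plugin'       > "$docroot/magmi/plugins/base/plugin.php"
  printf '%s\n' "$docroot"
}

# relocate_magmi DOCROOT LINKNAME: the page's three commands, parameterised.
# DOCROOT/magmi moves to DOCROOT/../___magmi and DOCROOT/LINKNAME becomes a
# symlink to ../___magmi/web, so only web/ stays under the document root.
relocate_magmi() {
  docroot=$1; linkname=$2
  [ -d "$docroot/magmi/web" ] || { echo "no magmi/web under $docroot" >&2; return 1; }
  mv "$docroot/magmi" "$docroot/../___magmi"
  ln -s "../___magmi/web" "$docroot/$linkname"
}

# physical_path PATH: follow file-level symlinks, then canonicalise the
# directory part with cd -P so ".." is resolved as the kernel resolves it
# (through the link target), not as a logical cd would.
physical_path() {
  p=$1; hops=0
  while [ -L "$p" ] && [ "$hops" -lt 8 ]; do
    t=$(readlink "$p")
    case "$t" in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
    hops=$((hops + 1))
  done
  printf '%s/%s\n' "$(cd -P "$(dirname "$p")" && pwd -P)" "$(basename "$p")"
}

# check_exposure DOCROOT LINKNAME: succeed only if the old /magmi path is
# gone, LINKNAME resolves to ___magmi/web, and every file reachable through
# DOCROOT (following symlinks) lives in web/. A stray symlink inside web/
# pointing back at conf/ or inc/ is therefore reported as exposed.
check_exposure() {
  docroot=$1; linkname=$2; rc=0
  [ ! -e "$docroot/magmi" ] || { echo "magmi is still under the document root" >&2; return 1; }
  [ -d "$docroot/$linkname" ] || { echo "$linkname does not resolve to a directory" >&2; return 1; }
  web=$(cd -P "$docroot/$linkname" && pwd -P)
  expected=$(cd -P "$docroot/../___magmi/web" && pwd -P)
  [ "$web" = "$expected" ] || { echo "$linkname points at $web" >&2; return 1; }
  list=$(mktemp)
  find -L "$docroot" -type f > "$list"
  while IFS= read -r f; do
    real=$(physical_path "$f")
    case "$real" in
      */___magmi/web/*) ;;                                    # inside the exposed web/
      */___magmi/*) echo "exposed: $f -> $real" >&2; rc=1 ;;  # conf/, inc/, plugins/ ...
    esac
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# Stand-alone demo: the check fails before the fix and passes after it.
demo() {
  base=$(mktemp -d)
  docroot=$(make_demo_tree "$base")
  check_exposure "$docroot" some-obscure-name 2>/dev/null || echo "before fix: magmi exposed (expected)"
  relocate_magmi "$docroot" some-obscure-name
  check_exposure "$docroot" some-obscure-name && echo "after fix: only web/ is reachable"
  rm -rf "$base"
}
demo
```

The check deliberately resolves paths physically (cd -P and readlink) rather than trusting the path spelling under the document root: a symlink dropped inside web/ that points at ../conf/magmi.ini still looks like it lives under some-obscure-name/ but resolves outside web/, which is exactly the case the symlink approach has to guard against.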

Nginx

Add the following location block to your Nginx server configuration to protect the path by client IP or by HTTP basic authentication (satisfy any lets either one through). Replace my.ip.add.ress and /path/to/magmi/.htpasswd as necessary, keeping the .htpasswd file outside the exposed web directory, then reload Nginx (nginx -s reload) for the changes to take effect. Basic authentication only base64-encodes the password, so serve this path over HTTPS.

location ~* ^/some-obscure-name {
  # either a whitelisted client IP or valid basic-auth credentials is enough
  satisfy any;
  allow my.ip.add.ress;
  auth_basic "Restricted Access";
  auth_basic_user_file /path/to/magmi/.htpasswd;
  deny all;
  location ~* \.(php) {
    include fastcgi_params;
    # add the same fastcgi_pass (and SCRIPT_FILENAME) settings your existing
    # PHP location uses; without a handler Nginx serves the .php source as a
    # static file
  }
  # assumes a named location @bootstrap already exists in your server block
  try_files $uri $uri/ @bootstrap;
}

To populate the contents of your .htpasswd file, you can use the following command (replace user and password as necessary). openssl passwd -1 produces an MD5-crypt hash; -apr1 produces the Apache MD5 variant, which both Nginx and Apache accept. Note that a password given on the command line ends up in your shell history; leave it out and openssl will prompt for it instead.

printf "user:$(openssl passwd -1 password)\n" >> .htpasswd

Apache

Add the following directives to a .htaccess file in the exposed web directory (the symlink target, ___magmi/web in the example above) to protect it by client IP or by HTTP basic authentication. Replace my.ip.add.ress and /path/to/magmi/.htpasswd as necessary, keeping the .htpasswd file outside the web directory. No reload is needed, since .htaccess is read on every request, but the enclosing Directory must have AllowOverride set to permit AuthConfig and Limit. The directives below are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, otherwise use Require ip and Require valid-user inside a RequireAny block instead of Satisfy, Deny and Allow.

# Apache 2.2 access syntax (mod_access_compat on 2.4): a whitelisted IP or
# valid credentials satisfies the check
AuthUserFile /path/to/magmi/.htpasswd
AuthName "Restricted Access"
AuthType Basic
Require valid-user
Satisfy Any
# Deny,Allow is the default order; stated explicitly so Allow wins for the IP
Order Deny,Allow
Deny from all
Allow from my.ip.add.ress

To populate the contents of your .htpasswd file, you can use the following command (htpasswd prompts for the password; use -c only when creating the file, since it truncates an existing one, and add -B for bcrypt instead of the default MD5 hash):

htpasswd -c .htpasswd user   # first user: create the file
htpasswd .htpasswd user      # further users: append