How to Clean Hacked Magento Stores in 2021? A Complete Guide

How to Clean Hacked Magento Stores in 2021 A Complete Guide

The security of your Magento store is an utmost priority while running an online business. If your Magento store has been attacked by hackers or contains malware then you are reading the right article to know how to clean hacked Magento stores. The e-commerce merchants lose their trust as well as money when their store gets hacked. Customers also don’t visit or buy from a website that has been hacked or has malware. In an e-commerce store, where credit card/ debit card payments are being accepted, customers will not be inclined to share this data in the fear of theft or cyber fraud by hackers.  If the data is stolen and misused, customers can file demands that they may have to face. Standard payment card industry data security (PCI DSS) standard.

But with Magento, many of your problems got resolved by the platform itself. The platform comes with many security enhancements to protect your store from any cyber attack. The latest version also has 2-factor authentication make it more difficult for hackers to breach the security. To keep the tight security, you should always upgrade your store to the latest version. Also, the obsolete or faulty plugins can create security problems, thus either removing them or upgrading them. After doing this, review the below-mentioned symptoms:

Symptoms of a hacked Magento store are:

  • The home page of your store has been destroyed. It can be due to a hate attack or just for fun.
  • The host of your website suspends your website because of the malicious activity      
  • Top browsers such as Google or Bing blacklist your website
  • Unauthorized Admin Accounts
  • Customers share queries of misuse of credit card information
  • Payment page is showing anomalous behaviour
  • Website is running very slow
  • Unauthorized code on your website

Find the Attacks Location:

config.php and .php:

config.php and env.php are among the important files in the Magento installation process. These files consist of shared, system-specific configurations installed by Magento and are part of the Magento 2 deployment configuration.

The Magento 2 configuration has been divided into app/etc/config.php and app/etc/env.php. These documents help in connecting the file system and the database. env.php file contains the credentials of database connection and can also be used for:

  • To define security key
  • To specify the prefix of the database
  • Setting Admin Panel default language

The app/etc/config.php stores the list of installed themes, modules, language packs and shared configurations. Since it is generated automatically, it doesn’t exist in Magento 2 repo/release.


Attackers mostly use this file for various attacks like vandalizing stores. In some cases, ransomware could encrypt the entire contents of the file and just leave index.php.

If you are upgrading your platform, then rename the index file to index.php.old. The files contain essential information that a hacker can later discover by utilizing an automatic scanner.


The role of .htaccess files is to allow configuration changes in your Magento store. The users can modify the settings defined in httpd.conf/apache.conf.

Instructions mentioned in the htaccess file apply to folders and directories. Also, the .htaccess file lets you modify how users access the site. Along with this, .htaccess is available for:

  • Restrict the access of specified folders stored by Magento
  • Create store redirection
  • Force https.
  • Allow some hyphen injection attacks in the store
  • Block username by enumerating bots
  • Lock image hotlink
  • Force automatic files download from storage

When an attacker broke this powerful file, he can send spam on your website. The hackers can inject malicious codes with .htaccess files to redirect users. The common malicious code signatures are:

RewriteEngine On

RewriteOptions inherit

RewriteCond %{HTTP_REFERER} .**$ [NC,OR]

RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]

RewriteCond %{HTTP_REFERER} .**$ [NC]

RewriteRule .* https://PhishingDomain.tld/phish.php?t=3 [R,L]

Users will be redirected to https://phishingdomain.tld. This script is similar to the original login panel. The unsuspicious users can pass their login credentials to the attacker which can lead to a huge Magento attack.

Common Types of Attacks on a Magento Store:

Although Magento leaves no stone unturned in protection from cyber attacks and hackers. It is wise to know the common types of attacks.

Magento Authentication Brute Force:

In the Brute Force attacks, the attacker tries multiple passwords until the correct password is found. It may seem impossible to find the correct password by hit & trial but using algorithms and bots it has become quite possible. One such vulnerability, named PRODSECBUG-1589, was found. This affects Magento open source before and Magento commerce before

Some of these nodes require Admin authentication, and an attacker can guess the Admin password.

Remote execution of Magento Code:

Before Magento 2.3 the previous version was really vulnerable to RCE errors. But the latest version has improved a lot in response to the RCE errors. The attacker used to perform a PHP objection injection attack. Arbitrary PHP code with carefully compiled serialized data from the shopping cart.

In Magento old versions i.e. Magento 1.9 and previous versions, an RCE defect known as PRODSECBUG-2159 was found. But now you have cvss3, apart from this, the SUPEE-10975 security update contains several RCE related security updates.

Cross-Site Scripting:

XSS vulnerability is also a very common issue that Magento store faces. The common XSS error is ODSECBUG-2053 which affects Magento open-source fore 1.9.4, and Magento 2.1 before, Magento 2.2 before 2.1.16.

By an XSS attack, the attacker can induce an admin to filter login credentials via JS phishing, resulting in a Magento management hack.

Cross-Site Request Forgery:

The CSRF attacks induce users to execute spam requests on their portal. But the notable thing is that the attacker can only execute the request but can’t see the answer so the data theft doesn’t exist. Multiple CSRF bugs have been uncovered in Magento dubbed as PRODSECBUG-2125, PRODSECBUG-2088, and PRODSECBUG-2140. It can delete all blocks at once, customer groups by updating permissions and mapping the website. 

The best way to identify a hacker file is by comparing the site’s current state with a new installation file or a clean backup. If there is a difference between the two versions, you will know what the hacker has modified.

You may also require access to the webserver and database. If you don’t want to edit PHP or manipulate the database table, we at Ceymox Technologies can help you.

How to clean a hacked Magento store?

If you find anything suspicious or a malware upload after performing the above steps, it is time to clean your Magento store. Comparing infected files with good files (known files) let you know and eliminate malicious changes.

Remove Hacked Website Files:

If you compare a file with its good copy, make sure to use the same version of the file and core Magento extension, including patches for any application. Perform these steps to manually remove malware infections from Magento files:

  • Login to your server using SFTP or SSH
  • Take the backup of the site before making any changes
  • Search the file to reference a malicious domain or a log load
  • Identify the recently modified files and confirm whether they are genuine
  • View the files marked by the diff command during the integrity checks of the main file
  • Compare the files with clean backups
  • Remove any suspicious code from the file to verify that the site can still run after the change 

If you don’t find any malicious content in the file, keep on searching for any spam, payloads, or malicious domain names you witness in step one. You should also reinstall the Magento extensions after hacking to make sure they work properly and there is no malware residual. If there are disabled themes, plugins, modules on components, which are no longer in use, we recommend removing them from the server. It will also improve the speed.

Remove hacked database tables:

Log in to your Magento Admin Panel and open CMS or content sections for editing static blocks, posts, pages on your site. You can also modify certain sections of your database from this interface and is usually valid. Tools like PHPMyAdmin search for replacement databases and administrators.

You can also remove malware infections from your Magento store database by following these steps:

  • Login to the Database Management panel.
  • Take the backup before making any changes
  • Search for any suspicious content (e.g. spam, keywords, links)
  • If any table contains suspicious content, open it.
  • Delete the suspicious content manually to verify that the still can run properly after the change
  • Delete the database access tools that you uploaded

For the suspicious content, you can manually search for common malicious functions like eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Along with that, the most common location of malware is core_config_data Table.

However, manually removing the malicious code from your website is extremely dangerous for your site. We recommend hiring a Magento development company like us for these tasks.

Remove hidden rear doors:

Hackers are almost always left if the original vulnerability has been patched. Generally, we found multiple rear doors at the hacker’s Magento sites.

This back door is mostly located in new files which ostensibly looks like the official Magento main file. Hackers can also inject backdoors and malware into major Magento locations like footers.

To check this vulnerability in the footer of your Magento store, follow these steps:

  • Login to the Admin Panel of your Magento store
  • Click CMS or Content in the menu item
  • Select a static block or block from the list
  • Open the footer link block
  • View malware content
Compare Magento files to remove the back door:
  • Confirm the Magento version in the bottom right corner of the board
  • Download the same version file from the Magento official community
  • Login to the server through SFTP or SSH
  • Take a backup before making any changes
  • Compare the website with a known-good download
  • Check if there is any file while doesn’t match a well known file
  • Check if the size of any file is anomalous
  • Delete any suspicious content or replace the file with a good file
  • Login to the Magento Admin Panel
  • Update the Magento Cache from Cache Management in the Tools section from the System tab in Menu
  • Test any changes
Reset User Password:

Make sure that all your user passwords get replaced with a strong password for preventing re-infection. Also, if your Magento version is not patched, the first patch your site. If the patch is out of date, an attacker can steal the credentials of your Magento store from the backend.

Also, the users with admin roles should be limited. This will extend to your FTP account and website system.

Steps to Prevent Attacks to Happen In Future:

Update and Reset Configuration Settings:

The main cause of infection is unpatched and obsolete software and it is important to remove any vulnerable extensions. You should also reset the password to make sure that even if the hacker got your credentials, it doesn’t become infected again. Update all Magento software, files, components, templates, modules, and plugins.

How to Apply Magento patches and updates:
  • Take the backup of the site
  • From the official Magento site, download a specific patch of your Magento version
  • Upload or .patch file to your Magento root
  • If the Magento store is compiled, disable the compiler in System > Tools > Compile.
  • Connect the site via SSH and run this command to apply for the patch file extension:


patch –p0 example_patch_name_12345.patch

unzip -o

tar -zxf

tar.bz2 tar -jxf

After performing this, clean the cache from your site.

Configure Backups:

A good backup is the heart of a good security posture. Here are some tips to help you back up your website:

· Location:

Store the backup in an offsite location. Do not store the backups on your server as it can be hacked and used to damage the real website.

· Automatic:

Ideally, the backup should be taken automatically after a regular time interval.

· Redundancy:

The ev certificate needs certification authority documentation to validate the organization. Visitors will see the company name in the address bar.

· Evidence:

Test the recovery process to confirm that your website is working.

· File type:

Some backup solutions exclude certain types of files, such as video and archiving.

Wrapping Up:

In this article, we have gone through an extensive guide on How to clean a hacked Magento store. Hacking is the worst thing that can happen in your e-commerce business. The best solution to prevent any attack on your store is by hiring a dedicated team who will maintain all the mentioned aspects of your e-commerce store. At Ceymox Technologies, the best Magento development company in India, we are having expertise in maintaining the Magento store, improving security, fixing security loopholes, and much more. Let us know your requirements.

Leave a Reply

Your email address will not be published. Required fields are marked *

Have a project to discuss?

Let’s make something
amazing together