Frequently asked questions

• Who are you?
• How does it work?
• Is it safe to run this test?
• Aren't you helping hackers?
• How do you maintain it?
• Can I control what sites are scanned?
• Do you store the scan results?
• Why are some checks RED while I surely have installed the patch?
• Some checks are grey. Can I make them green?
• Do you provide an API?
• Do you store my backend url when provided?
• Can I scan my locked Magento shop?

Who are you?

This free service gives you a quick insight in the security status of your Magento shop(s) and how to fix possible vulnerabilities. MageReport.com is made by the Magento hosting specialists of Dutch provider Hypernode. With a dedicated team of 40 skilled colleagues, we protect performance and security of several thousand Magento shops.

By sharing our tools with the rest of the Magento community, we hope to increase the overall security of Magento worldwide.

How does it work?

It is not possible to see from the outside of a Magento shop which files exist on the server. So we use behavior-based identification patterns. This is possible because each Magento patch introduces subtle changes in behavior.

Apart from that, it is possible to request a few static files and derive the Magento version from that. Our work is shared on Github.

Is it safe to run this test?

Yes. This site exclusively uses passive checks, ie they run in read-only mode and do not, in any way, modify your shop.

Aren't you helping hackers?

We are positive that MageReport contributes to Magento safety worldwide. The MageReport tool only tells you what is wrong, not how to exploit it. Ultimately, we believe that by sharing our findings with the community, we actually increase security awareness and thus increase Magento security globally.

How do you maintain it?

We do this already for our own customers, as we closely follow Magento releases and security trends in the community so that we can act swiftly when it is required. Because of our high volume of professional Magento shops, we are generally one of the first to notice new threats and attack patterns.

Can I control what sites are scanned?

Yes, if you want to exclude certain sites from the scan, you can block the "magereport" user agent, as we will always use that.

How do I add MageReport to my firewall?

The production IPs of MageReport probe servers are automatically published here. Those IPs change frequently (per major release), so if you want to update your firewall (to either allow or block them) you should probably automate it. You can also use this JSON file, to help automate the whitelisting process.

Do you store the scan results?

For your convenience, we save results so that when you come back, you don't have to enter your shops again. If you want, you can purge the results from our system by clicking the litter bin icon on the left.

Why are some checks RED while I surely have installed the patch?

Unfortunately, in some cases patches appear to be installed (on disk) but are not effective (in the running shop). Possible reasons:

• You need to flush your cache, restart webserver, php processes or other intermediary system (80% of cases). In case of doubt, ask your hosting provider.
• You have custom code in place (possibly overwriting core files) that effectively overrules the patch. It is recommended to find a certified Magento developer to remedy the situation.

Some checks are grey. Can I make them green?

MageReport checks from the outside, because it cannot see your code. Sometimes checks will give an "unknown" result. This is notably the case for a fully patched shop, because once patch 5994 is installed, it is not possible to determine the existence of patch 5344. However, as patches must be applied in order, this is seldom a problem.

Do you provide an API?

No. Magereport was developed as part of the service we offer to customers of the Magento hostingplatform Hypernode. Our interface is an integral part of the Magereport service. It's where we communicate and launch new features. We welcome everybody to use Magereport, but please use the whole tool.

Do you store my backend url when provided?

No. MageReport will not store your backend url. We're just asking for it, so we can run better validation on some of the checks that require a backend url.

Can I scan my locked Magento shop?

Is your Magento shop locked behind a Basic Authentication username/password combination? It might be possible to still scan your shop by adding these to the URL, e.g. : http://username:password123@dev.magereport.com

Disclaimer

It's our first priority to make our security checks accurate. While we thoroughly test and constantly tweak our security checks, we cannot guarantee that the results are always 100% accurate. Every Magento store is different, and in some scenarios, the configuration of your store or server may lead to false positives or negatives. Therefore, we advise you to use MageReport as a guide. If you are unsure about the validity of a check, please consult your developer or find one on the support page.