Applying a Magento Security Patch without SSH Access

By 27th April 2015 Magento No Comments
UPDATE – This post was written when the Shoplift Bug was reported early in 2015, however, this step by step guide should also work for the other Magento security patches that have been released more recently.
The testing links in this post will only test site vulnerability against the shoplift bug.
The Notification

Many business owners have logged into their admin panels recently and have been confronted by this notification;

Magento security patch warning

This notification alone has sent many business owners and operators into quite a panic, and rightly so it would seem.  Back in January, a security company called Check Point found a high critical security flaw in all Magento sites. The “Magento Shoplift Bug” allows an attacker to take complete command of a Magento store and its server.  So just to reiterate, this is pretty critical.

Check to see if your site is vulnerable

Luckily, there is a site you can visit to check whether or not your site is vulnerable to the “shoplift” threat or not.  Just visit and enter your domain name.  If you are vulnerable, the image returned will look like this…

Shoplift vulnerable
What can I do?

Well, as the message within your admin panel states, you need to go to the Magento downloads page and download the security patches that relate to your version of Magento (you can see this by logging in and looking at the bottom of the admin panel).

For your convenience, this is the link to the page (Magento will require you to log in to download the patches:

So far so good, you have grabbed the Magento security patch (or patches) you require and now you have to install them, and this is where it all seems to get a little bit complicated, as Magento instruct you that you should use SSH to install these files.
Whilst this information is correct, and in an ideal world we would all have SSH access and all have PuTTY installed on our computers to link into our servers and run these patches in this manner, the reality is we don’t all have that luxury and most people only have FTP access to their server.

So lets now jump straight into how you can install those security patches to fix the Magento Shoplift Bug threat using ftp access only.

I’m going to assume by now that you have downloaded the necessary patch files as stated above and that you have knowledge of FTP.  Lets get cracking…

  • SO, first things first..  BACK UP EVERYTHING, DIRECTORIES, DATABASE, EVERYTHING.  As you can tell, I really cant stress this enough.
  • Now, open your ftp program and connect to your server, navigating to your root directory (where your Magento installation is located), and upload the patch files.
  • Next, we are going to create a new file.  Lets call it applypatch.php
  • Within that file, we are going to place the following code;
Magento security patch code

You will notice in the above code the section in which you need to place the entire file name including the .sh extension on the end.  It is imperative that this is correct otherwise no patch can be implemented.

  • Once you have saved your applypatch.php file, upload this to your root directory
  • Open a new tab and navigate to your website, adding the applypatch.php file on the end, for example

Once the script executes, you should see this response (or similar);

Magento security patch applied successfully

Once you have completed this for the first patch. you can then amend the applypatch.php file and change the filename to any other patch filename you have uploaded, save the file and re-upload to your server using ftp (overwriting the original copy), and run the file again.  Personally, I did this for each individual patch just in case one particular file caused any issues.

Check again

Once you have completed this for each patch, then jump back too and run the test again.  If everything has gone to plan, you should now see a screen that says you’re looking safe 🙂

Shoplift safe

That’s it, hope it helps you to install your Magento security patch using FTP.

Would you like us to do this for you?

You can book Digital Crate to handle this for you if you wish.  Simply fill in the details below and we will contact you to gain the details we require to install the security patches.
Our charge for this service would be from £50 per site.

Your Name (required)

Your Email (required)


Your Message