
Someone went into my settings and put their PayPal email


I had customers messaging me that they weren't able to buy anything off of my site. When I go and check the backend, someone went into the PayPal credentials part and put their own in. How can I make my admin panel more secure? The password was impossible to find out and I never click on any strange emails. Please help, I already changed the email on the account and created another *impossible* password.

Re: Someone went into my settings and put their PayPal email

First of all ... what version of Magento are you using, and did you apply all the security patches released so far?

Tanel Raja

Re: Someone went into my settings and put their PayPal email

Honestly, I haven't updated anything for Magento since I had the site made 2 years ago. I'm not a developer, so some, if not most, of the updates I've seen require me to go do some technical stuff. I don't have my laptop with me right now, but the version I have currently was 1.9.something.

Re: Someone went into my settings and put their PayPal email

Hi @Worldwidestangs

First of all, hire a developer who can apply all the security patches to your site, if those are not applied.

And always revoke or change all the user credentials for the third-party users once the work is finished.

If you use a static IP to connect to your site, you can IP-restrict your site's admin URL.

You may also use two-factor authentication extensions to make your admin login more secure.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Someone went into my settings and put their PayPal email

Half of those steps to secure my site after it's done I don't know how to do.

Where can I find a trusted web developer?

Re: Someone went into my settings and put their PayPal email

You can find a trusted Magento developer at the URL below:

https://magento.com/partners/portal/directory/?partner_type=1

Apart from this, I would suggest taking care of the things below while working with your developers:

1. Change the URL of the admin panel to something more secure and personalized that no one can guess.
2. Apply patches. You can check the required patches at this URL (https://www.magereport.com/).
3. Check if you have any unwanted user accounts in your users list and delete them if they exist.
4. Perform a full scan of your hosting (file system) to ensure you don't have any malicious scripts on your server.
5. Double-check your API users and their access levels with your developer that you selected in point 1.
6. Add a free SSL and firewall to your system if required/suggested by your developer.
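Added example, not part of the thread or of Magento's own code: a sketch of the database side of steps 3 and 5, plus a check for the PayPal change reported in the first post. It assumes Magento 1's default table names without a prefix (`admin_user`, `api_user`, `core_config_data`) and the `paypal/general/business_account` config path; SQLite stands in for the shop's MySQL database, and all rows are constructed.

```python
import sqlite3

# Assumed Magento 1 default schema (no table prefix); only the columns used here.
SCHEMA = """
CREATE TABLE admin_user (user_id INTEGER, username TEXT, email TEXT, created TEXT, is_active INTEGER);
CREATE TABLE api_user (user_id INTEGER, username TEXT, email TEXT, is_active INTEGER);
CREATE TABLE core_config_data (scope TEXT, scope_id INTEGER, path TEXT, value TEXT);
"""

def audit(conn, known_admins, known_api_users, expected_paypal):
    """Return a list of (kind, detail) findings for the shop owner to review."""
    findings = []
    # Step 3: active admin accounts the owner does not recognise.
    for username, email, created in conn.execute(
            "SELECT username, email, created FROM admin_user WHERE is_active = 1"):
        if username not in known_admins:
            findings.append(("unknown_admin", f"{username} <{email}> created {created}"))
    # Step 5: active API users that nobody asked for.
    for username, email in conn.execute(
            "SELECT username, email FROM api_user WHERE is_active = 1"):
        if username not in known_api_users:
            findings.append(("unknown_api_user", f"{username} <{email}>"))
    # The reported incident: the PayPal account can be overridden at any config scope.
    for scope, scope_id, value in conn.execute(
            "SELECT scope, scope_id, value FROM core_config_data "
            "WHERE path = 'paypal/general/business_account'"):
        if (value or "").strip().lower() != expected_paypal.lower():
            findings.append(("paypal_mismatch", f"{scope}/{scope_id}: {value}"))
    return findings

def sample_db():
    """Constructed sample data, not taken from any real shop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO admin_user VALUES (?,?,?,?,?)", [
        (1, "owner", "owner@shop.example", "2014-03-01 10:00:00", 1),
        (2, "support1", "x@mail.example", "2016-05-20 02:14:00", 1),
        (3, "old_dev", "dev@agency.example", "2014-03-02 09:00:00", 0),
    ])
    conn.execute("INSERT INTO api_user VALUES (1, 'erp_sync', 'erp@shop.example', 1)")
    conn.executemany("INSERT INTO core_config_data VALUES (?,?,?,?)", [
        ("default", 0, "paypal/general/business_account", "owner@shop.example"),
        ("websites", 1, "paypal/general/business_account", "someone-else@mail.example"),
    ])
    return conn

if __name__ == "__main__":
    for kind, detail in audit(sample_db(), {"owner"}, {"erp_sync"}, "owner@shop.example"):
        print(kind, detail)
```

In the sample data the default-scope PayPal address is correct while a website-scope row still overrides it, which is why the check reads every scope rather than only the value shown in the default view of the admin panel.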


Re: Someone went into my settings and put their PayPal email

There was a nasty security hole in Magento, discovered about two years ago and since then patched in newer versions. There's also a patch available to fix older ones.

Check out this site:

https://www.magereport.com

Pay attention to this test: Security patch 5344 (Shoplift): if it's not green, you're in big trouble. Other tests should be either green or grey as well (this is a passive test; occasionally it's unable to determine without an active intrusion attempt whether or not your system is safe, thus the grey status), but Shoplift MUST be green.

Tanel Raja

Re: Someone went into my settings and put their PayPal email

My issue is, I don't know anything in regards to updating or managing the internal parts of my site. All I ever did was use the site and access the admin panel for basic needs.

Where can I locate a trusted and good developer for this issue? Do you know how much it would cost me?

Re: Someone went into my settings and put their PayPal email

You don't have to know anything about the source code of Magento, that's why you should hire a developer / solution partner. You can find a list of official Magento partners here: https://magento.com/partners/portal/directory/?partner_type=1.

Which partner suits you best is up to you. You should be able to filter to only see the ones in your area. Prices are hard to say, this depends on the partner you're working with. Be aware that if someone is really cheap, it might also be of low quality. And in the end, if you have a hacked Magento webshop, which is what this looks like, you'll end up losing a lot more money than you need to spend on security of your webshop.

Good luck finding a suitable Magento partner and hopefully your webshop will be patched and up-to-date again soon.

If this response was helpful to you, consider giving kudos to this post.
If this response solved your problem, click accept as solution to help others solve this

Re: Someone went into my settings and put their PayPal email

Hi @Worldwidestangs

As @Pronto pointed out, it's important that all security issues are addressed and fixed ASAP.

It's also worth starting to think about migrating to Magento V2.0, as Magento will only support Magento v1 until November 2018 and after that your website will become more vulnerable.

One other way to find a reliable developer is the Magento certification directory: https://u.magento.com/certification/directory/. This is where all of the Magento certified developers are listed. I suggest that you consider migrating to M2 sooner rather than later to avoid the hacking issues.

Magento Certified Solution Specialist | Lead Magento developer
If this response was helpful to you, consider giving kudos to this post