Patching Shoplift bug vulnerability


I recently was forwarded the following email regarding vulnerabilities to the Shoplift bug from DigitalOcean support:

I am emailing in regards to this vulnerability notice my supervisor received and forwarded to me (see below):

Hey there,

We have been notified by an external security researcher that your Droplet may be hosting a Magento installation that is vulnerable to the “Shoplift” bug. This bug allows a hacker to take full control of your shop, and we want to provide instructions on how to patch this bug.

You can verify if your site is affected using this site:

If your site is vulnerable, it is critical for you to download and install 2 previously-released security patches. Here are the names of the patches:

SUPEE-5344 - Addresses a potential remote code execution exploit (Added Feb 9, 2015)

SUPEE-1533 - Addresses two potential remote code execution exploits (Added Oct 3, 2014)

Magento Enterprise Edition customers can download the required patches by navigating to the Downloads Tab and then by expanding “Magento Enterprise Edition > Support Patches” in the Magento Support Portal.

If you are using the Open Source Community Edition, you can download the required patches by navigating to The patches can be applied by running the downloaded scripts in the root directory of your Magento installation.

New Droplets based on the DigitalOcean Magento One-Click image have the latest patches installed. You can confirm if your One-Click Droplet already has the patches by checking for the existence of the file /var/www/html/magento/app/etc/applied.patches.list

More information about the issue can be found here:

If you have any questions about how to patch your site please let us know and we’ll do our best to help guide you.

Thanks, DigitalOcean Support

I ran through the suggested checks, and received a determination that our site has this vulnerability. I’ve downloaded the patches in question, but am concerned about how long this process might take, as I am a novice in website administration, especially on DigitalOcean. I don’t want to take our site down if possible. If that isn’t possible, I want to keep the downtime to an absolute minimum. Can someone please provide further guidance on this issue?

Thanks in advance, Michael


Thanks for your response, ryanpq. That’s reassuring to know. Nothing in the documentation indicated anything about restarting the Droplet afterward. However, should I do it anyway?

Installing the patch should cause little if any downtime as it simply needs to update the affected files.
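The email's own test (look for app/etc/applied.patches.list under the Magento root) written out as an added POSIX shell check, not code from the DigitalOcean email or from any answer here. It assumes a Magento 1 directory layout and that the patch scripts record each patch name in that file; the sample trees it builds are constructed data, not a real shop.

```shell
#!/bin/sh
# Added example, not part of the DigitalOcean email or any answer on this page.
# It checks a Magento root for the two Shoplift patches named in the email by
# looking them up in app/etc/applied.patches.list, the file the email says the
# patch scripts write to. The record layout of that file is not assumed beyond
# each line containing the patch name.

REQUIRED_PATCHES="SUPEE-5344 SUPEE-1533"   # names quoted in the email

# check_shoplift_patches <magento_root>
# Exit status: 0 = both patches listed, 1 = at least one missing,
#              2 = no applied.patches.list at all (nothing ever recorded).
check_shoplift_patches() {
    list="$1/app/etc/applied.patches.list"
    if [ ! -f "$list" ]; then
        echo "no patch list at $list; treat the site as unpatched" >&2
        return 2
    fi
    missing=0
    for p in $REQUIRED_PATCHES; do
        if grep -q -- "$p" "$list"; then
            echo "applied:     $p"
        else
            echo "NOT applied: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# make_sample_root <dir> [patch ...]: builds a constructed, minimal Magento-like
# tree whose patch list names the given patches (sample data, not a real shop).
make_sample_root() {
    dir="$1"; shift
    mkdir -p "$dir/app/etc"
    : > "$dir/app/etc/applied.patches.list"
    for p in "$@"; do
        echo "2015-01-01 00:00:00 UTC | $p | CE_1.9.1.0 | v1 | constructed-sample" \
            >> "$dir/app/etc/applied.patches.list"
    done
}

# Demo on constructed trees; on a real Droplet run
# check_shoplift_patches /var/www/html/magento instead.
demo_root=$(mktemp -d)
make_sample_root "$demo_root/patched" SUPEE-5344 SUPEE-1533
make_sample_root "$demo_root/partial" SUPEE-1533
check_shoplift_patches "$demo_root/patched"
check_shoplift_patches "$demo_root/partial" || echo "partial tree still needs SUPEE-5344"
rm -rf "$demo_root"
```

A presence check like this only confirms that the patch scripts recorded the patch; it does not replace the external verification site the email links to.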