Securing MAGMI Data Import Tool

Last updated Dec 7, 2020

MAGMI (Magento Mass Importer), the popular Magento Data Import Tool, is often used without any protection in its default location (/magmi/web/magmi.php). Unsecure implementation of Magmi can give full access to a Magento installation, especially taking into account CVE-2014-8770 vulnerability and public exploits available.

What can be done to secure a useful MAGMI tool?
 

Restrict access by IP-address

For Apache:

Add the following lines on top of /magmi/.htaccess and /magmi/web/.htaccess files:

Order deny,allow
Deny from all
Allow from <Your_IP>

 

For nginx:

Ask your hosting support or server admin to allow access to /magmi/ location for your IP address only. Sample code to apply in nginx configuration file:

location /magmi/ {
  allow <your_ip>;
  deny all;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}

 

Restrict access by additional password protection

Create password protection file under var/ directory, i.e. var/.htpwd. Use htpasswd command on your server.

For Apache:

Add the following lines on top of /magmi/.htaccess file:

AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/your/magento/var/.htpwd
Require valid-user

 

For Nginx:

Ask your hosting support or server admin to allow access to /magmi/ location by password protection. Sample code to apply in nginx configuration file:

location /magmi/ {
  auth_basic           "Restricted";
  auth_basic_user_file /path/to/your/magento/var/.htpwd;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}

 

Webscoot’s Managed Magento Platform disables the default installations of Magmi due to the extremely severe security risks it poses. If you wish to utilize Magmi, it must be installed and secured properly before use. See our fully managed Magento hosting plans here or Contact Us for more details.

  •  
  •  
  •  
  •  
  •  
  •  

3 Comments

  1. Roze

    Everything is very open with a really clear description of the issues. It was really informative. Your website is very useful. Thanks for sharing.

    Reply
  2. Nanine

    I really like your writing style, superb information, thanks for putting up.

    Reply
  3. Anonymous

    Hello. This article was really motivating, particularly because I was browsing for thoughts on this matter the last couple of days.

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *