how to install magento security patch

How to Install Magento Security Patches

As most Magento merchants are aware by now, Magento has released a number of security patches in the past several months in order to address weaknesses in the codebase. I recently went through the process of applying three Magento patches (SUPEE-1533, SUPEE-5344, and SUPEE-5994) to a new installation of Magento CE version, and what follows is a brief synopsis of my experience both for my own reference and for anyone else who may find it helpful. Keep in mind that it’s always best practice to make a backup of your production site and apply the patches there to confirm everything goes smoothly. If so, then you can follow the same procedures to apply the patches on your production file system.

1. Download Magento Patches

Obviously in order to install the patches, we need to get them from Magento first. This part is easy; simply visit the Magento Community Edition download page, and scroll down until you reach the Magento Community Edition Patches section. Find the patch you need to apply, select the version of Magento you’re using, and download the patch.

Look for the drop-down menu where you define the version of Magento to which you're applying the patch.

2. Temporarily Relax File Permissions

This step as well as most of what follows requires that you have SSH access to your server (and the ability to use an SSH client). In order to run the patch files, you first have to make sure that your file system has the appropriate permissions to allow the patch to execute and copy or overwrite files as needed. You can use the following shell commands to set the permissions appropriately:

find . -type d -exec chmod 777 {} \;
find . -type f -exec chmod 600 {} \;

In effect, you are setting all directories to 777 and all files to 600. This leaves your file system broadly exposed, so it’s crucial to remember to restore the appropriate permissions when you’re done. Don’t worry, we’ll get to that.

3. Upload the Patch Files

Using an FTP or SFTP client of your choice, upload the patch files into the root directory of your Magento installation. You may wish to use binary mode to minimize the risk of any file corruption in transmission.

4. Execute the Patch Files

Once your patch files have been uploaded to the root directory of your Magento installation, you can log in with your SSH client and execute the scripts. Patches may come from Magento in one of two different file types: .sh or .patch.

For .sh file types, the command to execute the patch is:


For .patch files, the command to execute the patch is:

patch –p0 < patch_file_name.patch

In both of the above examples, you should swap out patch_file_name for the actual file name of your patch. If the patch has been successfully applied, your server will return the message ‘Patch was applied/reverted successfully.’ In the event that a particular patch was already applied, you’ll see an error message. This means you do not need to install the patch again.

5. Restore Proper File Permissions

Once your patch is applied, you need to restore your Magento file system to the proper permissions for normal operation. Directions for this step, like those above, are included in the “Installing a Patch” guide from Magento, however I found that the suggested commands did not properly restore file permissions and used the following alternate commands instead:

find ./ -type f | xargs chmod 644
find ./ -type d | xargs chmod 755
chmod -Rf 777 var
chmod -Rf 777 media

H/T Stack Exchange.

The above commands will set file permissions at 644 and directory permissions at 755. Then the permissions for the var and media directories are set to 777. You may wish to research the issue for yourself and choose the permissions you find most appropriate, but this did the trick for me.

6. Clean Up, Refresh, Restart

Once you’ve reset your file permissions, it’s time to wrap up. Start by deleting the patch files from your server, and then hop into your Magento admin and flush the cache by visiting System > Cache Management and then clicking the ‘Flush Cache Storage’ button.

Lastly, you’ll want to gracefully restart your server to make sure that any and all remaining caches are flushed. Depending on your server configuration, you may be able to do this through cPanel or through the command line. Here are a couple commands for the most common configurations:

For CentOS/Fedora/RedHat:

apachectl -k graceful

For Debian/Ubuntu:

apache2ctl graceful

And that’s it! If you’re specifically looking for confirmation that the Magento Shoplift Bug has been successfully patched, head on over to to run your URL through the bug checker.

Published by

Brian Lyman

Brian is the founder of Vale Studios, which is really just a stage name for what has been a great experience in freelancing. Brian is currently working under a dedicated contract for a terrific e-commerce retailer, but he uses this space to continue publishing ideas and reflections related to e-commerce, marketing, and Magento.

Leave a Reply

Your email address will not be published. Required fields are marked *