Magento patches – why and how you need to install them

This article will cover the following topics

  • What are patches? What types can we distinguish?
  • Why are patches important?
  • Magento patches and their significance
  • Patches or version updates?
  • How to install patches under Magento 1 and Magento 2?
  • Checking patches
  • To install or not to install?
  • Conclusion


What are patches?

Service packs: While developing a software application, it often happens that the developers have to make modifications that were not planned originally. After the application is launched, the software developers fix errors, missing data issues, security vulnerabilities (i.e. bugs), occurring later on, by way of software updates.


These service packs include the whole set of the fixed files, while in the case of open source software solutions, patches are used including only those files that hold modified data. Magento officially releases patches for bug fixes.


Magento patches logo


The advantage of patches is that with modifying only the necessary code lines, they can be compatible with earlier software versions at the same time. Their drawback, on the other hand, is that some expertise and experience is needed to apply them.

So it can happen that service packs can be even larger than the overall file size of the original application, while a patch comprises only the modifications, and these modifications include such executable files that automatically modify the files of the application.

It is a basic condition that both patches and service packs are to be used only for a given version of an application. This is usually included in the name and description of the pack.


Magento patch illustration

Why are patches important?


tips HINT: Generally, we fix flaws, data missing errors or security vulnerabilities of applications with patches and service packs. Therefore it is of utmost importance to follow the releases of service packs via newsletters, RSS web feed, social networking sites or the notification board within the application (e.g. admin page). The patches and service packs can be of unofficial, security and hot types.


[bctt tweet=”Keeping in mind dealing with Magento Patches is crucial for your e-store performance.” username=”aionhill”]



Magento patches security center


The most significant ones are the security fixes because these help to protect your application effectively handling security vulnerabilities. When a security fix is released for your software, then it should be installed as soon as possible. Please note that these security fixes should be installed only from a reliable (official) source, as other sources may provide harmful patches.

Hot (dynamic software development) type fixes can be installed even when your application is running, as they do not cause system errors, restart or system crash.

Fixes from unofficial sources are not commercial fixes of a commercial application. These are such fixes that a third party released with the consent of the original developer company.


Magento patches and their significance

Magento, and basically all major ecommerce software developer companies with a large user base, notify their users if a new update or version is launched. You get these notifications in their newsletters (if you have a registered account) or you can see them when logging in to the admin panel.


Magento patches message box magento1

Notifications in Magento 1 admin panel


Magento Patches system message magento2

Displaying notifications in Magento 2 admin panel


The Community Edition patches can be downloaded from Magento’s official site by going through the following steps:

  1. Log in to your account at
  2. Click on My Account in the upper right section. If you don’t have an account, create one by registration – this is totally free of charge.
  3. Select the patch you want to install under Magento Community Edition Patches.
  4. Select your own CE version from the list seen next to the given patch.
  5. Click on Download.
  6. When downloading is finished, installation can start.


The Enterprise Edition patches can also be downloaded from Magento’s official site. Please follow these steps:

  1. Log in to your account at Click on My Account in the upper right section.
  2. Select Downloads on the left panel.
  3. In the right side section, click on Magento Enterprise Edition.
  4. Select Support Patches.
  5. Find the patch you need.
  6. Click on the appropriate version number (that you use).
  7. When downloading is finished, installation can start.



Magento Patches downloads section my account

Magento EE patches downloads section


Patches or version updates?

Magento indicates on its downloads site what kind of patches the different software versions include. Therefore we can have two options for implementing the fixes:

  • Patch integration
  • Upgrading the whole software version


You also need to know that new versions, apart from fixes, contain other new and modified functions that – especially when upgrading to significantly higher versions – may “break” your presently functioning online store. When creating security fixes, Magento’s developers always aim to modify the code to the least extent necessary, so after implementing patches, there’s a big chance that your ecommerce store will function just the same. If the patch includes some error of incompatibility with earlier versions, the patch developer informs users about it with the given patch or during version upgrade.


How to install patches under Magento 1?

It is possible to download the latest version of Magento as a single set, which includes previous patches as well, and overwrite your existing Magento version with it, no matter which version you have at the moment. As we assume that your Magento developers used proper modular extensions and left the extended Core files untouched, no problem should arise in this respect.

But here’s a little problem, let’s take a look at the installation of Magento (2016-02-23): 109.4 MB, 14,310 files, compressing of the ZIP file of 33.5 MB takes nearly 1 minute! If you want to upload these files to your server, depending on connection speed, it can take even half an hour and if you want to make comparisons in the meantime, uploading may take hours. This is far from ideal.

The patch sizes are small (from a few kB to several hundred kB), which change only the necessary code lines in the files. These sequential files perform the tasks step by step and complete “patching”.

If you choose this solution, take special care of checking which version of Magento you use at the moment and run the patch files that correspond to it.


# 9. Track patch applying result
echo "Patch was applied/reverted successfully."

exit 0

SUPEE-6482 | CE_1.9.2.0 | v1 | | Tue Jul 14 14:17:04 2015 +0300 |

diff --git app/code/core/Mage/Api/Model/Server/Adapter/Soap.php app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
index 0f9a3fa..1ac0d57 100644
--- app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
+++ app/code/core/Mage/Api/Model/Server/Adapter/Soap.php
@@ -233,9 +233,9 @@ class Mage_Api_Model_Server_Adapter_Soap
 : $urlModel->getUrl('*/*/*');
 if ( $withAuth ) {
- $phpAuthUser = $this->getController()->getRequest()->getServer('PHP_AUTH_USER', false);
- $phpAuthPw = $this->getController()->getRequest()->getServer('PHP_AUTH_PW', false);
- $scheme = $this->getController()->getRequest()->getScheme();
+ $phpAuthUser = rawurlencode($this->getController()->getRequest()->getServer('PHP_AUTH_USER', false));
+ $phpAuthPw = rawurlencode($this->getController()->getRequest()->getServer('PHP_AUTH_PW', false));
+ $scheme = rawurlencode($this->getController()->getRequest()->getScheme());
 if ($phpAuthUser && $phpAuthPw) {
 $wsdlUrl = sprintf("%s://%s:%s@%s", $scheme, $phpAuthUser, $phpAuthPw,
diff --git app/code/core/Mage/Catalog/Model/Product/Api/V2.php app/code/core/Mage/Catalog/Model/Product/Api/V2.php
index ff71ec5..46fc492 100644
--- app/code/core/Mage/Catalog/Model/Product/Api/V2.php
+++ app/code/core/Mage/Catalog/Model/Product/Api/V2.php

Example: SUPEE-6482_CE_1.9.2.0_v1 sh file


Step by step installation of a .sh patch file

You can install a patch of .sh extension following the steps described below. If the file has a .patch extension, please first ask for assistance from Magento Support.


1) Copy the .sh file to the Magento install root directory.



2) Give the following command under a user who can (authorized to) write Magento files:

If the patch has been installed successfully, you’ll get a message like this:

Patch was applied/reverted successfully.


3) After installation you need to regain authority over the modified files:

A) Find the user of the webserver:

ps -o "user group command" -C httpd, apache2

The value at the USER column indicates the webserver user.

B) Give the following command as a root user in the Magento install root directory:

chown -R web-server-user-name .


Follow every further instruction that Magento Support has given you.


Cancelling a patch

If patching has been unsuccessful, follow the steps below and contact Magento Support:

  1. Go to the Magento install root directory.
  2. Give the following command under a user who can (authorized to) write Magento files:
sh -R


How to install patches under Magento 2?

Installation of Magento 2.0.4 (2016-03-31): 224 MB, 41,458 files, compressing of the ZIP file of 69.4 MB takes 2-3 minutes! If you want to upload these files to your server, depending on connection speed, it can take even an hour and if you want to make comparisons in the meantime, uploading may take several hours. This, as we have seen at version, is far from ideal.

With Magento 2, you can download updates with the help of the Composer or from GIT repository and install from the command line. telepíthetjük parancssorból. During the installation process, you can update your system step by step using a guide.


How can you check if the patches have been installed?

After the installation of patches and service packs have been finished it is important to check whether it has been done properly. We recommend two methods:


  1. Enter the URL of your Magento store at You will get a detailed analysis indicating what kind of service packs and patches are installed and what types of further fixes you may need.
  2. By identifying the code sections in the .sh file, you can check if updating of the code base has been executed or not.


Why is it risky not to install patches?

The Magento community works hard to make online stores around the world fully functional meeting all customer and user requirements and to eliminate every kind of security issue. We know that even though there is a lot of testing, some problems arise only when you use the live system.

Patches can solve these problems quickly, and, additionally, later versions will include these fixes so that users can install more stable and safer versions all the time. This whole fixing process can take some time because as there are more and more users with a growing number of needs, more flaws and deficiencies, which were not an issue before, may now come to the surface.


Let’s see an example for a Magento security patch:



This patch was released on 19 February 2015, reported by Netanel Rubin. You can read its detailed description by clicking the link above. It affects all versions of Magento CE prior to and Magento EE prior to

It is a security patch which prevents creating admin users or installing malware by using an extra parameter in the redirection system of the administrative page. The “Severity” value of the patch is 9.1 (Critical), which means that without it your e-store is in danger because someone who knows about this vulnerability, can have total control over the store!

If you think about what tremendous amount of information can be obtained through the admin panel, you easily realize how important it is to install such a patch.



Your Magento ecommerce store is a software application which has a life cycle, a development path and can often have flaws, bugs or security problems. These are addressed quickly by the large community behind Magento so Magento release patches or service packs as soon as they can, which are recommended to be installed. More recent versions already feature these fixes, therefore you get a more reliable system by using the latest version.

It is still important to keep an eye on new releases of patches and versions and to install them as soon as you can because otherwise malevolent hackers may get access to the data of your store or ruin it completely. It is recommended to be up to date with these issues and spend the time and money necessary to patch these security holes.



3 replies

Trackbacks & Pingbacks

  1. […] Magento, security patches are issued on a continuous basis which need to be installed as soon as possible to give your […]

  2. […] managed service usually includes updating and patching of server(s), software and […]

  3. […] way that no exploitable back doors or vulnerabilities remain (or in case they find such things, the patch arrives immediately). On the other hand, security depends also on how you operate your own online […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.