According to Magento's announcement, the new security patch SUPEE-5994 should be installed on all Magento installations in addition to the two recent Shoplift patches (SUPEE-5344 and SUPEE-1533).

Important: New Magento Security Patch – Install it Now
It is important for you to download and install a new security patch (SUPEE-5994) from the Magento Community Edition download page (https://www.magentocommerce.com/products/downloads/magento/). Please apply this critical update immediately to help protect your site from exposure to multiple security vulnerabilities impacting all versions of the Magento Community Edition software. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344).

The only problem with these patches is that they require SSH access, which some hosts do not provide. If you have SSH access, you can install the patches as shown in How to install SUPEE-5994.

It is still possible to apply the patch without SSH, via FTP/sFTP or by direct execution via PHP, as shown below in this article.

If you wish to save time and have us install all these patches for you, simply click here.

Before patching, make sure to disable the Magento Compiler. Disabling the compiler is an operation that should be performed before every code change, such as installing Magento Connect extensions, upgrading Magento, or making manual changes to code files.

Magento Compiler is a plain PHP class used to combine PHP class definitions into files under the includes/src/ directory. Nowadays, in most cases, it is made obsolete by native PHP opcode caches such as APC, XCache, eAccelerator, Zend OPcache, ionCube Accelerator and so on. So, if you have an opcode cache loaded, do not use Magento Compiler: it is useless and will just cause trouble on every code modification.

To disable Magento Compiler in the backend, navigate to System > Tools > Compilation:

Applying Magento patches via FTP/sFTP or FileManager / File Upload

To apply patches this way we simply replace the changed files. This method cannot be used blindly if you or your developers have changed any core Magento files (which is a big no-no, by the way): such changes must be re-applied to the patched files, or you will lose them.

Patch SUPEE-5994 (Magento 1.6.x.x-1.9.1.1) changes the following files:

  • app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
  • app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
  • app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
  • app/code/core/Mage/Customer/Model/Customer.php
  • app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
  • app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
  • app/code/core/Mage/Install/Controller/Router/Install.php
  • app/code/core/Mage/Install/etc/config.xml
  • app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
  • downloader/Maged/Model/Connect.php
  • downloader/Maged/View.php
  • downloader/template/connect/packages_prepare.phtml
  • downloader/template/messages.phtml
  • get.php
  • lib/PEAR/PEAR/PEAR.php
  • lib/PEAR/PEAR/PEAR5.php
  • lib/Varien/Io/File.php

Patched versions of these files for Magento 1.9.1.0-1.9.1.1 are packed into a single ZIP archive: SUPEE-5994-1.9.1. Simply unpack it and replace the files on your store by uploading all folders and the get.php file into your Magento root directory.

Patch for other versions

Older versions are patched in the same way. I am adding downloads for other versions to a single table on demand, when I need to patch a certain version:

Magento version           SUPEE-5994 download
Magento 1.9.1.0-1.9.1.1   SUPEE-5994-1.9.1
Magento 1.9.0.1           SUPEE-5994-1.9.0.1
Magento 1.8.1.0           SUPEE-5994-1.8.1
Magento 1.7.0.2           SUPEE-5994-1.7.0.2
Magento 1.6.1.0-1.6.2.0   SUPEE-5994-1.6
Magento 1.5.1.0           SUPEE-5994-1.5.1
Magento 1.4.2.0           SUPEE-5994-1.4.2
Magento 1.4.1.0-1.4.1.1   SUPEE-5994-1.4.1

Verification

Verify patch status at our patch tester page.
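To confirm locally that the FTP upload actually replaced every file, here is an added example (not part of the original article) that compares the files listed above in the store root against the copies in the unpacked archive; the two directory arguments are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: compare the SUPEE-5994 files
# listed above in the store root with the copies in the unpacked ZIP archive,
# so an incomplete FTP upload or a stale core file stands out.
# Arguments (assumed placeholders): unpacked patch directory, Magento root.

SUPEE_5994_FILES="
app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
app/code/core/Mage/Customer/Model/Customer.php
app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
app/code/core/Mage/Install/Controller/Router/Install.php
app/code/core/Mage/Install/etc/config.xml
app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
downloader/Maged/Model/Connect.php
downloader/Maged/View.php
downloader/template/connect/packages_prepare.phtml
downloader/template/messages.phtml
get.php
lib/PEAR/PEAR/PEAR.php
lib/PEAR/PEAR/PEAR5.php
lib/Varien/Io/File.php
"

# Prints one line per file (OK, MISMATCH, MISSING or SKIP) and returns 1 if any
# file shipped in the archive is missing from the store or differs from it.
check_patched_files() {
  patch_dir=$1
  root=$2
  rc=0
  for f in $SUPEE_5994_FILES; do
    if [ ! -f "$patch_dir/$f" ]; then
      # Archives for older versions may not ship every listed file.
      printf 'SKIP     %s (not in archive)\n' "$f"
    elif [ ! -f "$root/$f" ]; then
      printf 'MISSING  %s\n' "$f"; rc=1
    elif cmp -s "$patch_dir/$f" "$root/$f"; then
      printf 'OK       %s\n' "$f"
    else
      printf 'MISMATCH %s\n' "$f"; rc=1
    fi
  done
  return $rc
}

# Usage: check_patched_files /path/to/unpacked/SUPEE-5994-1.9.1 /path/to/magento
```

Core files you deliberately changed and re-applied will show as MISMATCH (the case the warning above refers to); everything else should read OK before you flush the opcode cache.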

If you use a PHP opcode cache (APC/XCache/eAccelerator), make sure to flush it after patching; otherwise the old code will continue to run from the cache.

Additionally, if your store is still using the default /admin/ path, you may consider securing your Magento admin by changing the admin path and restricting access to the downloader.

Done.