The “Magento Connect Manager” which is integrated into the Magento admin area is a quick and easy method to test and install new modules. You don’t need any technical knowledge for that, modules can be installed without technical support.
We recommend to not use the Magento Connect Manager. Preferably, it should be disabled. That’s because of the following reasons:
- Every module which is used in a live shop should have gone through a code review. Otherwise, there is the danger to install modules with security issues, spyware and/or performance problems.
- If you are using the Connect Manager, integration with version control (Git, SVN, …) is much harder. Every professional shop should use version control.
- No module should be installed untested on a live system. Deinstallation of a module isn’t as easy as the Connect Manager might make you believe in many cases. Often, database changes have to be done after the uninstallation of a module
- The technical support of a shop should have and keep an overview over all installed modules in order to quickly identify possible problems. As long as the Magento Connect Manager is available, this can never be guaranteed.
- It may lead you to use too many modules. With a higher count of modules, the risk of conflicts between modules increases as well as the risk that a Magento update doesn’t pass through without problems.
- The Magento Connect Manager is a security problem. While you can adjust the URL of the admin area, the Connect Manager is always available at “/downloader/”. If the password gets hacked, i.e. during a brute force attack, the attacker gets to the admin area with a direct link.
Every module should be installed on a development or test system first. In the best case, you are using Composer or a similar tool for that.
If that’s not possible, you can still download the installation package (either from GitHub directly – for MagentoConnect modules you can use a tool like the “magento connect 2.0 extension downloader“). The downloaded module should go through a code review then. After that the module files can be copied to the development or test system and be added to the version control. You can test it there then.
Using the version control you can easily remove the module again so it doesn’t reach the live server at all.
Blocking the Magento Connect Manager
Due to the abovementioned reasons we recommend blocking access to the Connect Manager completely. You can do that with the following means:
- Deletion of the “downloader” directory in Magento. This is the most secure method, but its disadvantage is that this directory is contained again in every update. So you’ll have to delete that directory again after every Magento update.
- Deactivate access to the Magento Connect Manager using the permissions in Magento. This is the easiest method, but it doesn’t fix the security issue mentioned above.
- Blocking access in the .htaccess file of Magento if you are using Apache. You can do that by adding the following line to the top of the file .htaccess in the Magento root directory:
1RewriteRule ^downloader.* index.php [L]
Author: Andreas von Studnitz
Andreas von Studnitz is a Magento developer and one of the Managing Directors at integer_net. His main areas of interest are backend development, Magento consulting and giving developer trainings. He is a Magento Certified Developer since 2011 and a Magento Certified Solution Specialist since 2014 (Magento 1) respective 2017 (Magento 2).