If you login to your Magento admin today, you are welcomed with message box that says:

CSRF Attack Prevention Read details !

Yesterday Magento team acknowledged CSRF vulnerability and provided solution in a form of tutorial to change admin path (frontName) of your Magento shop.

I find this approach strange and funny at the same time. Is hiding vulnerability new way of fixing it? Especially since some users of French Magento forums found similar problem in downloader (Magento connect manager). I can confirm this couse i tested it myself. The most funny part was that Magento cached my get request so i couldn’t get rid of my test alert box 

Few fast tips for Magento admins:

1. Follow official Magento news, forums, updates.

2. Don’t click suspicious links. These kind of attacks are usually done through malformed links that admin clicks through mail, comment, or any other source.

3.  Clear “saved passwords” from browsers. Since most web browsers offer to remember passwords, and then autocomplete them,  these kind of attack could easily stole your password.

As mentioned on Magento forums the easiest way to achieve this is with overriding adminhtml config with your local custom one and activate it as module.

This is just a small example of different approach with Admin Theme config option in admin panel, to show you how things can be done in different ways in Magento.

Since this is one of those “code talks, talk walks” examples, here it is: admintheme_example.rar.

It’s great example of small Magento module with simple event hooking and adding configuration fields through system.xml.

Follow directory structure, copy files to their place and you will notice new “Admin Theme” option in System->Configuration->General->Design (Default Config scope). Your theme goes in app/design/adminhtml/default/yourthemename folder. It doesn’t need to be whole theme of course, just the files you’re changing.

If like many of the Magento store owners you find that some of the built-in features are not useful to you or to your customers you can always disable them via the admin interface buy disabling their respective modules.

Wishlist is not one of them.

To remove all of the traces of the wishlist functionality you need to do the following:

1. Go to the Admin interface (select the appropriate scope) and under System -> Configuration -> Customers -> Whishlist select “No” under the “Enabled” in the General options.

This will remove all of the whishlist links in the magento blocks as well as the whishlist itself.

2. Just to make things perfect you should check the (yourskinname)/template/catalog/product/view/addto.phtml and remove the “pipe” character from that file so that it doesn’t disturb the looks of your site

Since transactional emails are very important for the process of online shopping you need to have them set up just the you want them and the default templates just don’t cut it. You need your own logo, email data and custom verbiage to be consistent with the image of your company.

Here how it’s done :

1. Creating custom transactional e-mails via Admin

a) In the admin panel of your magento installation go to:  System->Transactional Emails

You’ll be presented with a list of default emails.  You’ll need to create a custom email so the only way to avoid writing our custom templates from scratch is to use the existing code of the template.
Hint: If you want to see the template before copying, first click on the “Preview” button on the right.