Magento Security – The Best Practices for your Store
As Magento is commonly used for building e-commerce websites, it often becomes a soft target for hackers to steal customer credentials by phishing, spamming, and breaching the server/database of your website. Certain attacks can cause irreversible damage to your business and you may lose out badly.
Attackers use all kinds of ingenious tricks to break into your admin panel and control your website. In order to prevent different types of attacks on your store, it is crucial to walk some extra miles to harden your site security. Check out these best practices to protect your Magento Storefront:
1. Use SSL encrypted connection
The information exchanged between a web browser and a website can easily be intercepted by hackers if it is done over an unencrypted connection. The situation is vulnerable when you or your customers enter login credentials over unencrypted connections. Therefore, it is always recommended to use a secure connection using Secure Sockets Layer (SSL) for encrypted connection.
Steps to create a secure connection:
- In Admin Panel, go to System > Configuration > General > Web > Secure
- Change base URL setting from “http” to “https”
- In Frontend and Admin, agree to the option of “Use secure URL”
Https enabled connections with symbolic green padlocks are sturdy and tough to breach. Moreover, to be PCI compliant, it is mandatory for you to enable HTTPS/SSL encryption.
2. Use secure FTP
Hackers often breach a website by intercepting FTP password on unencrypted connections. To avoid that, always use complex password and enable SFTP (Secured File Transfer Protocol) that uses a private key file for authentication. To enable SFTP, go to FTP Settings and select SFTP.
3. Backup your website regularly
Backups enable you to restore your website to previous versions in case of any malfunction or data loss. Possible malfunction scenarios may include website hacking and deletion of data by hackers, accidental deletion of files, website crashes, site errors due to wrong configuration or new extension. In order to get back to normalcy as soon as possible, you must have a backup plan.
Magento’s in-built functionality allows you to create active backups like System Backup, Database and Media Backup, and Database Backup. Depending on what your requirements are, you can create hourly offsite backups, and downloadable backups. Do not forget to Include cloud storage and hard disk backup in your backup plan.
4. Disable directory indexing
Directory indexing is turned on by default on most web servers. Disable it to hide different pathways through which your domain files are stored. In on-mode, anyone can access lists of files contained in your directory thereby making your store vulnerable to attacks.
5. Set a complex password
Setting a complex password is the easiest thing you can do to protect your Magento website. A complex password must contain a combination of upper-case & lower-case alphabets, at least two special characters, and numbers. Never use dictionary words, date of births or any other easy to guess words.
It is further advisable not to use this password anywhere else. Change your password frequently. Apart from that, use complex username instead of admin or administrator to make it difficult for hackers to guess it. This way you hide both your key and the lock to be more secure.
6. Use a unique email address for Magento
Email addresses are often used during password reset wherein Magento sends a code to registered email address to reset password. Anyone who gains access to this email address can request a password reset and gain control over your Magento store. To avoid such a scenario, create a unique email address for Magento store not known publicly or listed anywhere.
7. Appropriate hosting plan
What cloud hosting plan you choose for your Magento store matters a lot from security point of view. Shared hosting is cheap but isn’t the best option. There are high chances of your data being comprised. Even dedicated hosting has its limitations owing to its inability to meet sudden rise in traffic. On the other hand, managed hosting plans offer best security with frequent patches at server level.
8. Update to the latest version
Magento constantly releases new versions to fix bugs and patch security loopholes. Keep a tab on when a new version is out and immediately install it. Contrary to what many people think that new versions are not always better, the large open-source community of Magento ensures that the update is worthwhile and superior to the last version. The new version always mentions what new features were added and what security loopholes were fixed. If there is still any doubt, you can always contact Magento community.
9. Prevent MySQL injection
Hackers often use SQL injection to extract sensitive information out of databases. They do so by entering malicious SQL queries into forms on web pages. Magento offers strong support to prevent such attacks, however, it is not always reliable.
Supplement your security by using third-party application firewalls such as NAXSI to prevent data leakage. Such applications filter all traffic being directed into and out of the database and prevent malicious SQL queries from hitting the database.
10. Use two-factor authentication
Unfortunately, a set of username and complex password is not enough to secure your Magento site. Hackers use all sorts of malicious techniques like phishing and brute-force password guessing attack to gain access to your website. Two-factor authentication adds another layer of security to your store.
Common authentication types include giving access to only trusted devices using an app called Rublon; second is new code generation at every log-in attempt where code is sent to your mobile device. And then there is another app called two-factor authentication by Extendware that uses complex authentication mechanisms like limiting log-in attempts.
11. Access admin panel via custom path
Standard URL to access Admin Panel of Magento store is http://store.com/admin. However, standard URLs make it easier for hackers to reach your admin panel and get on to password guessing stage. Therefore, it is advisable to create a custom path to reach the admin panel. Custom path is known only to you and hackers will find it tough to guess it.
Steps to create a custom path:
- To create a custom path, open /app/etc/local.xml in your Magento installation directory and find this line <![CDATA [admin]]>
- Change “admin” to create your desired code using only numbers and letters for example- “jwfprxvn837”
- The next step is to refresh, login and run the following command: rm –rf var/cache/*
- You will now be able to access your Admin Panel at http://store.com/ jwfprxvn837
12. Seek guidance from Magento community
The best part about open-source platforms like Magento is that they have a strong community of developers and tech support. They are always there to help you. You can raise a query / concern regarding security issues or features; soon you’ll get a response to resolve it. Also, look for security reports released by members for different versions of Magento.
13. Access to selected IP address only
If you or your team members access Magento Admin Panel only from specific networks, it is advisable that you configure your server to prevent access to any other IP address. You have the option of using an IP-access Magento extension or list the IP addresses which you want to permit in .htaccessfile of your server.
You can also limit access to your website only via specific countries where your customer base is and block IP addresses from all other countries. This ensures that hackers who attack from different countries are unable to do so. However, work out your options carefully because you may want to explore customers from other countries as well.
14. Get an expert to review Magento security
Irrespective of the steps taken by you to harden website security, you must consult a Magento security expert to get your site reviewed. The security experts have superior experience in testing loopholes and coding errors that may subject your site to attacks.
Expert guidance will help you to take necessary steps to boost your security and make your site attack-proof as far as possible. Security reviews are recommended once / twice a year to ensure better risk protection because hackers find new means of attacks every now and then.
What more you can do to protect your Magento store?
- Make sure that sensitive files are only writable by site administrators to avoid unauthorized server access
- Keep your anti-virus on automatic update to avoid virus, malware or spam
- Make sure that local.xml file is not publicly accessible to avoid database breach
- Disable unsecured PHP commands to unlawful server access
- Check out the extension’s review, rating and popularity score on Magento Connect before installing it
- Frequently check web server logs for suspicious activity
Diligent effort to secure your website pays well
Magento is a robust platform to sell your products. It offers regular security updates and patches. Nonetheless, it is important to follow the best practices in industry to make your website as robust as possible. Most importantly, seeking an expert’s help to review website security gives you a realistic picture of your site’s security and vulnerability. Accordingly, you can take steps to mitigate risks.
You may also like:
Magento Commerce Digital Cloud – All You Need To Know!
Magento 2.0 vs Magento 2.1 – What are the Major Updates
Top 10 Magento Themes for your Ecommerce Business
4 Magento Partners Share Their Take on Magento 2