So you are considering, or have already chosen, Magento, the world's most popular ecommerce platform, as the go-to platform for your online store. Great! But as with any major platform, security is always a concern, because new vulnerabilities are constantly being discovered.
Frankly speaking, wherever there are shops there are thieves, and an e-commerce webstore is a wide open place for cybercriminals to look for any weakness in the code, or any loophole left by the user, through which they can hijack the website.
Even though Magento is patched for security on a regular basis, there are best practices that website administrators should follow to keep their online store safe. I am jotting down a few tips which can ensure that your Magento based website is more secure than before:
#1 Scan your Magento website
MageReport.com is a great online tool with which you can scan an existing Magento site. Users can scan both Magento 1 and Magento 2 based websites with this tool. It gives you quick details about the security status of your Magento install and advice on how to fix the vulnerabilities.
The report is organised into sections, such as which patches are installed and which are pending, and whether a credit card hijack has been attempted and, if so, what the likely cause was. It also provides solutions and steps to fix each issue.
While installing these patches, also take the opportunity to check for anything suspicious.
#2 Upgrade to the latest version of Magento
In order to give your customers a 100% secure shopping experience, you must upgrade to the latest version of Magento. Magento is constantly introducing more security features in its latest versions, which makes each release more secure than the last. You can check your Magento version with the MageReport.com website: it reports the version of the current installation and flags whether that version is outdated. Though you will learn about the latest version of Magento from Magento's website, it is imperative to check with an experienced service partner like Sigma on the best strategy to proceed.
#3 Protect the Magento Admin panel and Magento Connect Manager
It is normal practice to keep the admin panel URL as yourwebsite.com/admin. For a hacker it is very easy to reach the admin panel through this well-known, unsecured URL.
To avoid this, you must set a custom admin panel URL. It keeps attackers from finding the admin panel at its default address.
You can easily do this in app/etc/local.xml.
You need to provide a custom name in place of admin in the admin router's frontName element, which reads <![CDATA[admin]]> by default.
Restrict the downloader folder by setting appropriate permissions and adding access restrictions to the .htaccess file inside the downloader folder.
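One way to verify that the change above actually took effect, as an added example that is not code from the original post or from Magento itself: a shell script that reads the admin router's frontName out of app/etc/local.xml and reports whether it is still the default. It assumes the standard Magento 1 element path (admin > routers > adminhtml > args > frontName); the sample local.xml it writes is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): check the Magento 1 admin
# router frontName in app/etc/local.xml. Assumes the standard element path
# <admin><routers><adminhtml><args><frontName>; the sample file is constructed.

# Print the frontName value (CDATA or plain text) from the given local.xml.
admin_front_name() {
    local_xml="$1"
    # Join the file onto one line so the element may span lines, then extract the value.
    { tr -d '\n' < "$local_xml"; echo; } \
        | sed -n 's/.*<frontName>\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*/\2/p'
}

# Succeed only when a frontName is set and it is not the default "admin".
admin_front_name_is_custom() {
    name="$(admin_front_name "$1")"
    [ -n "$name" ] && [ "$name" != "admin" ]
}

# Write a constructed local.xml to $1 with frontName $2 (for a self-contained run).
make_sample_local_xml() {
    cat > "$1" <<EOF
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[$2]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}

# Report on a real install: ./check-admin-url.sh /var/www/magento/app/etc/local.xml
if [ -n "${1:-}" ]; then
    if admin_front_name_is_custom "$1"; then
        echo "admin front name is custom: $(admin_front_name "$1")"
    else
        echo "WARNING: admin front name is still the default or missing"
    fi
fi
```

Run it against the live local.xml after editing; a non-custom result means the admin panel is still reachable at /admin.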
#4 Allow only selected IP addresses to access the admin panel
Normally, admin URL access is open to everyone, and few store owners put in the extra effort to secure the Magento website by whitelisting IP addresses.
You should make it a practice to whitelist the IP addresses that need admin access.
There are two ways to do it.
1) Make the necessary changes in .htaccess
2) Update the Apache server configuration for the admin path with the directives below (Apache 2.2 syntax; note there is no space after the comma in Order Deny,Allow)
Order Deny,Allow
Deny from all
Allow from 220.127.116.11
If you want to log in from another system, you will need to add its IP address. This is sometimes tedious, but it will block attacks on your admin panel.
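As an added example, not code from the original post: a shell script that generates the admin allowlist from a list of IPv4 addresses, in both the Apache 2.2 Order/Deny/Allow form used above and the Apache 2.4 Require ip form, and refuses malformed addresses so a typo cannot silently widen access. The front name argument, the script name and the addresses other than the post's own 220.127.116.11 are assumptions for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): generate the Apache allowlist
# for the admin front name from a list of IPv4 addresses. Emits the 2.2
# Order/Deny/Allow form used in the post and the 2.4 "Require ip" form, and
# refuses malformed addresses so a typo cannot silently widen access.

# Succeed when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Apache 2.2 syntax (mod_authz_host): the comma in "Order Deny,Allow" has no space.
allowlist_apache22() {
    front="$1"; shift
    printf '<Location /%s>\n' "$front"
    printf '    Order Deny,Allow\n    Deny from all\n'
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "rejected malformed address: $ip" >&2; return 1; }
        printf '    Allow from %s\n' "$ip"
    done
    printf '</Location>\n'
}

# Apache 2.4 syntax (mod_authz_core): anything not matched by a Require is denied.
allowlist_apache24() {
    front="$1"; shift
    printf '<Location /%s>\n' "$front"
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "rejected malformed address: $ip" >&2; return 1; }
        printf '    Require ip %s\n' "$ip"
    done
    printf '</Location>\n'
}

# Usage: ./admin-allowlist.sh 24 admin 220.127.116.11 203.0.113.7 > admin-allow.conf
if [ $# -ge 2 ]; then
    version="$1"; shift
    if [ "$version" = "22" ]; then allowlist_apache22 "$@"; else allowlist_apache24 "$@"; fi
fi
```

Use the front name you configured in local.xml as the Location path, and run the generator again whenever an address is added instead of hand-editing the live configuration.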
#5 Choose your Admin Panel password carefully
A password is the main key to your Magento website. Nowadays there are many ways to crack a password, and popular cracking tools are freely available on the internet. Simple passwords like "admin123" are cracked very easily.
To avoid this, make it a practice to use a long password with special characters, at least one uppercase letter and numbers.
It may seem time consuming to create a strong password, but it really isn't.
Apart from this, you should not reuse the Magento password in any other application. It is best practice to have different passwords for different websites and applications.
Just like two locks can't have the same key, keep your Magento password different from the rest of your passwords.
#6 Effective backup plan
Although it is great that you take preventive steps for Magento application security, it is equally important to have a proper backup plan. There should be a daily backup and an offsite backup plan in place.
With proper backups, even if a hacker succeeds in compromising your site, you can restore the website from backup with minimal or no data loss.
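As an added example that is not part of the original post: the file-archive and retention half of a daily backup job, written so it can be dropped into cron. The database dump and the offsite copy are left as marked placeholders because they depend on your mysqldump credentials and offsite target; the paths and the script name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): a dated file backup with local
# retention. The database dump and the offsite copy are deliberately left to you
# (they depend on mysqldump credentials and your offsite target); this part shows
# only the file archive and pruning that any daily job needs.

# Archive directory $1 into $2/magento-<stamp>.tar.gz and print the archive path.
# $3 is an optional timestamp (defaults to now); passing it makes runs reproducible.
backup_files() {
    src="$1"; dest="$2"; stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$dest" || return 1
    archive="$dest/magento-$stamp.tar.gz"
    tar -czf "$archive" -C "$src" . || return 1
    printf '%s\n' "$archive"
}

# Keep only the newest $2 archives in $1; the names sort chronologically by design.
prune_backups() {
    dest="$1"; keep="$2"
    ls -1 "$dest"/magento-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" \
        | while IFS= read -r old; do rm -f "$old"; done
}

# Daily job, e.g. from cron: ./backup.sh /var/www/magento /backups/magento 14
if [ $# -eq 3 ]; then
    archive="$(backup_files "$1" "$2")" || exit 1
    # Placeholders: dump the database into "$2" with mysqldump here, then copy
    # "$2" to a host outside the web server (rsync/scp) so the offsite copy
    # survives a compromise of the store itself.
    prune_backups "$2" "$3"
    echo "backup written: $archive"
fi
```

Keep the retention count high enough that a compromise discovered days later still has a clean archive to restore from, and test a restore occasionally rather than trusting the archives blindly.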
#7 Audit admin users and their permissions frequently
To log in to the Magento admin there must be an admin user with an appropriate user role assigned.
You should audit admin users frequently. If you find something unusual with any account, immediately delete that user account and inform the user concerned.
You can check these details under System > Permissions > Users and Roles.
#8 CMS frontend scripts: the injection points
Check System > Configuration > Design > HTML Head > Miscellaneous Scripts frequently.
If you find code in this section that you did not add yourself, remove it immediately.
#9 Audit Magento's core files frequently
As a developer you should audit the Magento core files frequently, even though an effective developer never modifies them. Hackers sometimes modify core files like app/Mage.php, index.php and the core JS to grab sensitive customer information such as credit card data.
To avoid this kind of situation, audit the core files frequently.
There is a free plugin, https://www.magentocommerce.com/magento-connect/code-audit-1.html, available as a Magento audit tool to help speed up this process: it instantly finds core files that have been modified. This is helpful in identifying potential breaches as well as poorly implemented customizations.
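As an added example, not the plugin above and not code from the original post: a baseline-and-compare integrity check in shell. Record SHA-256 hashes of a known-good install once (ideally right after deployment, with the baseline stored off the web server), then compare later runs against that file to list modified, added and removed files. The paths and script name are assumptions; the sample tree in the usage is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): a baseline-and-compare
# integrity check for the Magento tree. Record SHA-256 hashes of a known-good
# install once, then compare later runs against that file to list modified,
# added and removed files. var/ and media/ are skipped because they change
# during normal operation.

# Write "hash  ./relative/path" lines for every file under $1 into file $2.
integrity_baseline() {
    root="$1"; out="$2"
    ( cd "$root" && find . -type f ! -path './var/*' ! -path './media/*' -print0 \
        | sort -z | xargs -0 sha256sum ) > "$out"
}

# Compare the tree under $1 with baseline $2. Prints one line per difference
# (MODIFIED / ADDED / REMOVED) and returns 1 if anything differs, else 0.
integrity_check() {
    root="$1"; baseline="$2"
    current="$(mktemp)"
    integrity_baseline "$root" "$current"
    diffs="$(awk -v base="$baseline" '
        BEGIN { while ((getline l < base) > 0) { split(l, f, "  "); old[f[2]] = f[1] } }
        {
            split($0, f, "  ")
            if (!(f[2] in old))         print "ADDED    " f[2]
            else if (old[f[2]] != f[1]) print "MODIFIED " f[2]
            seen[f[2]] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$current")"
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage: ./integrity.sh baseline /var/www/magento core.sha256
#        ./integrity.sh check    /var/www/magento core.sha256
case "${1:-}" in
    baseline) integrity_baseline "$2" "$3" ;;
    check)    integrity_check "$2" "$3" ;;
esac
```

Run the check from cron and alert on a non-zero exit; a MODIFIED line for app/Mage.php, index.php or a core JS file that nobody deployed is exactly the situation described above and should be treated as a suspected breach, not a glitch.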
#10 File permissions
Correct file permissions play an important role in Magento security. To protect your Magento shop from hacking, you must make sure the correct file permissions are in use.
Magento requires different permissions for different directories and files. If your permissions are wrong, there is a good chance of a compromise: poorly set permissions make a site very easy to attack.
Magento has good documentation on setting privileges and ownership after you install Magento. You can refer to this link for more detail: http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html
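As an added example that is not part of the original post or of Magento's documentation: a shell audit that compares a Magento tree against a simple baseline (files 0644, directories 0755, with var/ and media/ excluded because the web server must write there) and lists every deviation instead of blindly chmod-ing. That baseline is an assumption for illustration; take the exact values for your hosting model from the devdocs page linked above. The script name and paths are assumptions too.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): audit a Magento tree against a
# simple baseline (files 0644, directories 0755, with var/ and media/ excluded
# because the web server must write there) and report every deviation rather
# than blindly chmod-ing. The exact values for your hosting model come from the
# devdocs page linked in the post; this baseline is an assumption for illustration.

# Print "mode path" for each file or directory outside var/ and media/ that
# deviates from 0644 (files) or 0755 (directories). Empty output means clean.
permission_audit() {
    ( cd "$1" && find . -mindepth 1 \( -path ./var -o -path ./media \) -prune -o \
        \( \( -type f ! -perm 0644 \) -o \( -type d ! -perm 0755 \) \) -printf '%m %p\n' )
}

# Print "mode path" for anything world-writable anywhere in the tree, var/ and
# media/ included: world-writable entries let any local user alter the store.
world_writable() {
    ( cd "$1" && find . -mindepth 1 -perm -0002 -printf '%m %p\n' )
}

# Usage: ./perm-audit.sh /var/www/magento  (non-zero exit when something deviates)
if [ -n "${1:-}" ]; then
    bad="$(permission_audit "$1")"
    ww="$(world_writable "$1")"
    [ -n "$bad" ] && printf 'Deviates from baseline:\n%s\n' "$bad"
    [ -n "$ww" ]  && printf 'World-writable:\n%s\n' "$ww"
    [ -z "$bad" ] && [ -z "$ww" ]
fi
```

Run it after every deployment and after any hosting change; a sudden 777 on app/etc or a 666 on index.php is worth investigating before it is "fixed", because it may be the trace of how someone got in.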
A safe and secure Magento store is one of the key factors that helps a merchant build and retain trust with shoppers and ensures that they come back. Continuing on this theme of a more secure Magento store, I will be back with additional tips in next week's blog. Any additional tips or feedback on these tips? Don't forget to write them in the comments section below.
Author: Neeraj Gupta
Neeraj leads the ecommerce practice at Sigma. With 20+ years of work experience at companies like L&T, Infosys, Motorola, Agilent and Dell R&D, he has in-depth knowledge of software services, program management and product development. He is passionate about emerging technologies within the ecommerce space and loves sharing his views around them.