For merchants, a safe and secure online portal is a critical first step in building trust with their customers. An insecure website undermines that trust no matter how beautiful and user friendly your online store is, or how many "best offers" it carries. Although Magento is the world's most popular e-commerce platform, it isn't immune to security threats. In this two-part series I list Magento security best practices and key tips that make a Magento based store more secure for our clients. You can read part 1 here.
#1 Install Virus and malware scanner
Keep your antivirus software up to date and use a malware scanner. Do not install unknown programs or click suspicious links. Set up a cron job to scan the application at regular intervals.
#2 Prevent your website from MySQL injection attack
MySQL injection is one of the easiest entry points for attackers: a single injectable query can let them read data straight out of the database.
Although newer Magento versions and patches defend well against MySQL injection, relying on them alone is not a good approach. I strongly suggest that you also add a web application firewall to keep your site and your customers safe.
#3 Get in touch with the Magento Community
Magento has a great community of techies who are always there to help you in a time of need. Become a member of the Magento community portal and subscribe to the newsletter. Community members also release security reports on various versions of Magento, so look out for those as well.
#4 Never ignore critical notifications on the Magento Admin panel
As admin users, we are used to dismissing notifications in the Magento admin panel without reading the message in detail. Sometimes Magento sends an important security update notification this way. Make it a practice to read Magento notifications in full and take the necessary action.
#5 Have the best server environment
A hardened server environment is one of the key requirements for running a Magento shop securely.
You need to make sure that the server operating system is secure. Check with your hosting provider to ensure that no unnecessary software is running on the server.
Use only secure communication protocols such as SSH/SFTP/HTTPS to manage files, and disable FTP. Don't open every port on the server for application access; doing so makes the website far easier to attack.
Magento includes .htaccess files to protect system files when using the Apache webserver. If you use a different web server such as Nginx, make sure that all system files and directories are protected.
For .htaccess protection to work correctly, your web server must honour .htaccess files, which requires the AllowOverride All directive in its configuration.
If you can retrieve the contents of the local.xml file through the browser, your site is at risk and you must change the web server settings.
Limit access to the cron.php file to only the users who need it, for example by restricting it by IP address. If possible, block web access completely and run the command from the system cron scheduler instead.
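An Nginx equivalent of the protection described above, added here as an example and not taken from the original post or from Magento. The document root, hostname, PHP-FPM socket and the allowed cron address 203.0.113.10 are assumptions; adjust them to your host.

```nginx
# Added example, not part of the original post. Paths, socket and the
# allowed cron address are assumptions; adjust to your environment.
server {
    listen 80;
    server_name store.example.com;     # assumed hostname
    root /var/www/magento;             # assumed Magento document root
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # What Magento's bundled .htaccess files do under Apache: these paths hold
    # configuration (app/etc/local.xml), logs, sessions and paid downloads.
    # Prefix (^~) locations take precedence over the .php regex below, so PHP
    # files inside these directories are refused rather than executed.
    location ^~ /app/                { deny all; }
    location ^~ /includes/           { deny all; }
    location ^~ /lib/                { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    location ^~ /pkginfo/            { deny all; }
    location ^~ /report/config.xml   { deny all; }
    location ^~ /var/                { deny all; }

    # Dotfiles such as .htaccess and .git or .svn directories
    location ~ /\. { return 404; }

    # cron.php reachable only from the listed address. If the system cron
    # scheduler runs cron.sh instead, remove the allow line and keep deny all.
    location = /cron.php {
        allow 203.0.113.10;
        deny  all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket
    }

    location ~ \.php$ {
        try_files $uri =404;               # never hand a missing script to PHP
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

With this in place, requesting /app/etc/local.xml or /var/log/system.log from a browser should return 403 rather than the file contents, which is the check described above.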
#6 Have an encrypted connection (SSL/HTTPS) in your Magento shop
Whenever you send data such as your login details across an unencrypted connection, that data can be intercepted, giving an attacker a golden chance to read your credentials. To avoid this, it is essential that you use a secure connection.
In Magento, you can switch to HTTPS/SSL URLs simply by enabling "Use Secure URLs" in the system configuration menu. This is also one of the key elements in making your Magento website compliant with the PCI data security standard and in securing your online transactions.
#7 Scan applications online
You can scan your website at https://www.foregenix.com/ . After registering on the site you can scan your Magento website, and a detailed scan report is shared with you by email. Sometimes a server-side scanner fails to detect malware; this website performs a complete malware scan together with a credit card hijack security check.
#8 Magento Security Extensions
There are a lot of great Magento security extensions that lock down your site and help protect you from attacks. These extensions allow you to rate limit or block security threats, block malicious networks, scan for vulnerabilities, enforce strong passwords, see which files have changed, implement a firewall against common attacks, and much more. We recommend downloading extensions only from Magento Connect or trusted third-party sites. Here are some popular Magento security extensions:
ET IP Security: Restricts access to the website for visitors by IP address or IP mask.
MageFence: A complete security solution for Magento that keeps your website safe and secure at all times.
MageSecure: Protects your Magento store from hackers by running a list of tests and vulnerability checks.
Spam Killer: Integration with Akismet.
Mage Firewall: Blocks web attacks, blacklists offenders and uses NinjaFirewall's rules.
#9 Double check third party modules before installation
Before installing any third-party module, double-check its code. Scan the files with antivirus software and make sure the module contains no infected files.
There are many ways to make Magento secure, and a few great extensions to help you do so: keeping Magento and its extensions up to date, using a custom admin path, setting correct file permissions, using an SSL certificate, being smart with usernames and passwords, using security extensions, and more. Many of these recommendations can be implemented within a matter of minutes, and you can rest assured that your Magento site is more secure than ever against hackers.
Do you have any other Magento security tips that you think we have missed? If so, please let us know in the comments section below!