How to Keep Magento Secure
The biggest vulnerability on any CMS-based site is an outdated plugin (extension) or an outdated version of the CMS itself: most mass compromises exploit bugs for which a fix was already available. Install extension updates and Magento's own security patches as soon as they are released, add security extensions where they fill a gap, and take regular backups of both the files and the database. Note that Magento 1 reached end of life in June 2020 and receives no further patches, so a shop still running it should plan a migration rather than rely on hardening alone.
How to Update Plugins (Extensions) in Magento
- Log into your Magento admin area
- Go to System > Magento Connect > Magento Connect Manager and open the “Manage Existing Extensions” tab
- Click “Check for Upgrades”
- For each extension with a newer version, choose it from the dropdown next to the extension and click “Commit Changes”
- Test the shop afterwards (ideally on a staging copy first): upgrades can change behaviour and, as noted in the permissions section below, reset file permissions
Security Extensions
Useful security extensions for Magento 1 include:
- ET IP Security: restricts access to the website (or just the admin) by IP address or IP mask.
- MageSecure: scans for vulnerabilities.
- Spam Killer: integration with Akismet to filter form spam.
- Mage Firewall: blocks web attacks, blacklists offenders, uses NinjaFirewall's rules.
Two-factor authentication protects the backend even when a password has been guessed, phished or reused. Rublon is an excellent two-factor authentication extension: it only allows trusted devices to access the Magento backend, confirmed through its smartphone app, which is available for all popular mobile platforms.
Two-Factor Authentication by Extendware is another good option and also limits failed login attempts, which blunts brute-force attacks. Extensions like these protect the admin login form; the Magento Connect Manager at /downloader has its own login page, so restrict it by IP or remove it from production separately.
Hide the Login
By default, the Magento backend lives at domain.com/admin. Moving it to a non-default path makes the login page harder to find and turns away the bulk of automated bots, which only probe the default location. It is obscurity, not access control: anyone who learns the path can still attack the login, so pair this with two-factor authentication or IP restriction and strong admin passwords.
You can change your Magento admin path by following these steps:
- Open app/etc/local.xml
- Under <admin><routers><adminhtml><args>, find <frontName><![CDATA[admin]]></frontName>
- Replace “admin” with your chosen path segment (letters, digits, hyphens or underscores; avoid guessable words such as “backend”)
- Flush the Magento cache (System > Cache Management, or empty var/cache/), because the router configuration is cached and the old path stays active until you do
The same setting is also exposed in the admin under System > Configuration > Advanced > Admin > Admin Base URL (“Use Custom Admin Path”).
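The following shell script is an added example, not code from the original article or from Magento itself. It reads the admin front name from a local.xml, rewrites it safely (rejecting anything that is not a plain URL-safe word) and reports whether the default is still in use, so the check can be run from a deployment pipeline. The sample local.xml it writes is a constructed fixture containing only the relevant admin router section; the script assumes the <frontName> element sits on a single line, as the Magento installer writes it.

```shell
#!/bin/sh
# Added example, not code from the original article or from Magento itself:
# read, change and verify the admin front name in app/etc/local.xml.
# Assumes the <frontName> element is on one line, as the Magento installer writes it.

# Print the admin front name found in a local.xml file (empty if none).
# Handles both <frontName><![CDATA[x]]></frontName> and <frontName>x</frontName>.
admin_frontname() {
  sed -n 's/.*<frontName>[[:space:]]*\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*/\2/p' "$1" | head -n 1
}

# Return 0 if the path was changed from the default, 1 if it is still "admin" (or missing).
check_admin_frontname() {
  name=$(admin_frontname "$1")
  case "$name" in
    ''|admin) echo "WARNING: $1 still uses the default admin path" >&2; return 1 ;;
    *)        echo "OK: admin path is /$name"; return 0 ;;
  esac
}

# Rewrite the front name. Only letters, digits, '-' and '_' are accepted, so the
# value can sit inside the XML and be used in a URL without any escaping.
set_admin_frontname() {
  file=$1; new=$2
  case "$new" in
    ''|*[!A-Za-z0-9_-]*) echo "refusing unsafe front name: '$new'" >&2; return 1 ;;
  esac
  tmp="$file.tmp.$$"
  sed "s|<frontName>.*</frontName>|<frontName><![CDATA[$new]]></frontName>|" "$file" > "$tmp" \
    && mv "$tmp" "$file"
}

# Constructed fixture: only the part of app/etc/local.xml that matters here.
write_sample_local_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}

# Demo run: ./adminpath.sh demo
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  write_sample_local_xml "$f"
  check_admin_frontname "$f" || echo "(expected: the fixture still has the default)"
  set_admin_frontname "$f" backoffice-7f3a
  check_admin_frontname "$f"
  rm -f "$f"
fi
```

After changing the real file, flush the Magento cache as described above; the check reports the file contents, not what the running shop currently routes.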
Use An Encrypted Connection (SSL/HTTPS)
In Magento, HTTPS is enabled under System > Configuration > General > Web > Secure: set Base URL to your https:// address and switch both “Use Secure URLs in Frontend” and “Use Secure URLs in Admin” to Yes. A valid certificate must already be installed on the web server before you save, otherwise browsers will refuse the admin with certificate errors. Serving the whole shop over HTTPS, not only checkout and admin, also protects session cookies and customer data in transit.
The next step is (of course!) strong passwords. Unfortunately, many people still use “password” or “123456”, and dictionary attacks try exactly those first. Use long, unique passwords (a generated passphrase from a password manager is ideal) for every admin, database and FTP/SSH account, and never reuse a shop password elsewhere. Some extensions can also enforce a password policy or periodic changes; if you use them, keep the new passwords in a password manager rather than writing them down.
Back up your site regularly, and before and after major changes to content or the backend, so that after an attack or data loss you can roll back to the last known-good state without losing much. A Magento backup has two parts that must be taken together: the database (mysqldump) and the file system (at least app/ and media/; var/cache and var/session can be regenerated).
When storing backups, follow the 3-2-1 rule: keep 3 copies, on 2 different media, with 1 copy at another physical location. Test a restore from time to time; a backup that has never been restored is not proven to work.
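The script below is an added example, not code from the original article or from Magento itself. It produces the local copy of a Magento 1 backup: a compressed mysqldump using the credentials read from app/etc/local.xml (passed through a 0600 option file so the password never appears in the process list), a tar archive of the tree with the regenerable var/ subdirectories excluded, and a retention function that keeps only the newest N archives. Copying the archives to a second medium and an off-site location, the other two parts of 3-2-1, is left to your sync tool. It assumes mysqldump and tar are installed and that the caller sets MAGENTO_ROOT and BACKUP_DIR (both names are this example's own).

```shell
#!/bin/sh
# Added example, not code from the original article or from Magento itself:
# a local Magento 1 backup (database dump + file archive) with simple retention.
# Assumes mysqldump and tar are installed and that MAGENTO_ROOT and BACKUP_DIR
# (names chosen for this example) are set by the caller.

# Read a single value (host, username, password, dbname, ...) from app/etc/local.xml.
# Handles <tag><![CDATA[value]]></tag> and <tag>value</tag>, one element per line.
local_xml_value() {
  sed -n "s/.*<$2>[[:space:]]*\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*/\2/p" "$1" | head -n 1
}

# Dump the database and archive the code and media into $2, named by timestamp.
magento_backup() {
  root=$1; dest=$2; stamp=$(date +%Y%m%d-%H%M%S); cfg="$root/app/etc/local.xml"
  mkdir -p "$dest"
  # Pass credentials through a 0600 option file so the password never shows in `ps`.
  # --defaults-extra-file must be the first mysqldump argument.
  creds=$(mktemp); chmod 600 "$creds"
  printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
    "$(local_xml_value "$cfg" host)" "$(local_xml_value "$cfg" username)" \
    "$(local_xml_value "$cfg" password)" > "$creds"
  mysqldump --defaults-extra-file="$creds" --single-transaction --routines \
    "$(local_xml_value "$cfg" dbname)" | gzip > "$dest/db-$stamp.sql.gz"
  rm -f "$creds"
  # var/cache, var/session and var/locks are regenerated by Magento; skip them.
  tar -czf "$dest/files-$stamp.tar.gz" -C "$root" \
    --exclude=./var/cache --exclude=./var/session --exclude=./var/locks .
  echo "wrote $dest/db-$stamp.sql.gz and $dest/files-$stamp.tar.gz"
}

# Keep only the newest $2 archives of each kind (db-*, files-*) in $1.
prune_backups() {
  dest=$1; keep=$2
  for kind in db files; do
    ls -1t "$dest/$kind"-* 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r old; do
      rm -f "$old"
    done
  done
}

# Number of archives of kind $2 currently stored in $1.
count_backups() { ls -1 "$1/$2"-* 2>/dev/null | wc -l | tr -d ' '; }

# Usage: MAGENTO_ROOT=/var/www/shop BACKUP_DIR=/backup KEEP=7 ./backup.sh run
case "${1:-}" in
  run) magento_backup "${MAGENTO_ROOT:?set MAGENTO_ROOT}" "${BACKUP_DIR:?set BACKUP_DIR}"
       prune_backups "$BACKUP_DIR" "${KEEP:-7}" ;;
esac
```

Run it from cron on the shop host, then let a separate job (rsync, rclone or your hosting provider's snapshot tool) carry the archives off the machine; the backup directory itself should be writable only by the account that runs the script.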
Insecure Hosting and Clients
Unfortunately, you only have limited control over this, but it is crucial to mention, since many sites are compromised because attackers take over the entire server with every file on it; on shared hosting, one vulnerable neighbouring site can be the way in. Choose a hosting company that is well established and look for independent reviews; the cheapest option may not offer the isolation, patching and support you need. Keep your own computer patched and protected with antivirus software, because a stolen admin or FTP password from an infected workstation bypasses every server-side control.
Prevent SQL Injection
Magento's own database layer (Zend_Db) uses bound parameters, so SQL injection almost always arrives through a poorly written third-party extension or an unpatched core bug; keep those patched first. As a second layer we suggest NAXSI, a web application firewall module for nginx that blocks requests carrying typical SQL injection and XSS patterns. Run it in learning mode against real traffic before enforcing, or it will block legitimate requests (Magento's admin and checkout send many unusual parameters), and remember that a WAF is a backstop, not a substitute for fixing the vulnerable code.
File Permissions
Some extensions change file permissions on the server when they are installed or updated, so re-check them afterwards. The scheme below assumes the files are owned by the same account PHP runs as, which is the usual shared-hosting setup; if the web server runs as a separate user such as www-data, the owner-only modes would lock it out and you need to grant access through a shared group instead.
500 permissions for directories (dr-x------) give the web server user read and execute privileges, preventing accidental deletion or modification of files in the directory. Other users have no access to Magento directories.
400 permissions for files (-r--------) prevent any user (even the web server user) from overwriting files. This blocks attacks that depend on overwriting existing files with malicious content.
700 permissions (drwx------) for the media/ and var/ directories give full control (read/write/execute) to the owner and no permissions to anyone else; Magento has to write uploads, cache, sessions and logs there.
600 permissions (-rw-------) for files in the media/ and var/ directories let the web server user write to them and overwrite them.
The file app/etc/local.xml holds your database credentials and the encryption key, so it is not a file you want anyone else reading. Restrict it to 600 (-rw-------), which limits read and write access to the owner; once installation has finished 400 is enough, since nothing needs to write it at runtime. Also make sure the web server never serves app/etc/ directly: Magento's shipped .htaccess denies it for Apache, but on nginx you must add an explicit deny rule.
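The script below is an added example, not code from the original article or from Magento itself. It applies the scheme above to a Magento 1 tree (500/400 outside media/ and var/, 700/600 inside them, 600 for app/etc/local.xml) and, more usefully, verifies it, so the check can be re-run after every extension update. It relies on the same assumption as the scheme: the files are owned by the account PHP runs as. The demo tree it builds is a constructed fixture with deliberately loose modes.

```shell
#!/bin/sh
# Added example, not code from the original article or from Magento itself:
# apply the permission scheme above to a Magento 1 tree and verify it.
# Assumes the files are owned by the account PHP runs as, which is what the
# owner-only modes (500/400/700/600) rely on.

# Outside media/ and var/: files 400, directories 500.
# Inside media/ and var/: files 600, directories 700 (Magento must write there).
# app/etc/local.xml: 600 (400 is enough once installation has finished).
harden_magento_perms() {
  root=$1
  find "$root" \( -path "$root/media" -o -path "$root/var" \) -prune -o -type f -exec chmod 400 {} +
  for d in "$root/media" "$root/var"; do
    [ -d "$d" ] || continue
    find "$d" -type f -exec chmod 600 {} +
    find "$d" -type d -exec chmod 700 {} +
  done
  if [ -f "$root/app/etc/local.xml" ]; then chmod 600 "$root/app/etc/local.xml"; fi
  find "$root" \( -path "$root/media" -o -path "$root/var" \) -prune -o -type d -exec chmod 500 {} +
}

# List every entry whose mode deviates from the scheme (no output = compliant).
# local.xml is accepted at 600 or 400, per the text above.
list_bad_perms() {
  root=$1
  find "$root" \( -path "$root/media" -o -path "$root/var" \) -prune -o \
       ! -path "$root/app/etc/local.xml" \( -type d ! -perm 500 -o -type f ! -perm 400 \) -print
  for d in "$root/media" "$root/var"; do
    [ -d "$d" ] && find "$d" \( -type d ! -perm 700 -o -type f ! -perm 600 \) -print
  done
  if [ -f "$root/app/etc/local.xml" ]; then
    find "$root/app/etc/local.xml" ! -perm 600 ! -perm 400 -print
  fi
}

# Return 0 if the tree complies, 1 (with the offending paths on stderr) otherwise.
check_magento_perms() {
  bad=$(list_bad_perms "$1")
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" >&2
    return 1
  fi
  echo "OK: $1 matches the permission scheme"
}

# Constructed fixture: a tiny Magento-shaped tree with loose 777/666 modes.
make_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/app/etc" "$t/app/code/local/Acme/Shop" "$t/media/catalog" "$t/var/cache" "$t/var/log"
  for f in index.php app/etc/local.xml app/code/local/Acme/Shop/Helper.php \
           media/catalog/image.jpg var/log/system.log; do
    : > "$t/$f"
  done
  find "$t" -type d -exec chmod 777 {} +
  find "$t" -type f -exec chmod 666 {} +
  echo "$t"
}

# A hardened tree is read-only for its owner, so restore write access before deleting it.
remove_demo_tree() { chmod -R u+rwx "$1" && rm -rf "$1"; }

# Demo run: ./perms.sh demo
if [ "${1:-}" = "demo" ]; then
  t=$(make_demo_tree)
  check_magento_perms "$t" || echo "(expected: the loose fixture is reported above)"
  harden_magento_perms "$t"
  check_magento_perms "$t"
  remove_demo_tree "$t"
fi
```

On a real shop run harden_magento_perms once against the Magento root as the file owner, then schedule check_magento_perms (for example from cron, mailing its stderr) so that an extension upgrade or a rogue script that loosens the modes is noticed rather than discovered after a compromise.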
Disable File Editing
This advice is often copied from WordPress guides: placing define('DISALLOW_FILE_EDIT', true); in wp-config.php switches off WordPress's built-in theme and plugin editor. Magento has no wp-config.php and no PHP file editor in its backend, so that line does nothing for a Magento shop. The equivalent hardening in Magento is to keep the code read-only for the web server user, as described in the permissions section, so that a compromised admin session or extension cannot write PHP files, and to restrict admin roles (System > Permissions > Roles) so that only the accounts that genuinely need it can edit design, CMS content and email templates.
We highly recommend MageReport.com. This free scanner checks a Magento shop from the outside and advises on how to fix the following issues:
- Credit Card Hijack
- Cacheleak Vulnerability
- Unprotected development files, Magmi & version control
- Default/admin location
- Outdated server software
- Security patch SUPEE-5994 (admin disclosure)
- Security patch SUPEE-5344 (Shoplift)
- Security patch SUPEE-6285 (XSS, RSS)
- Security patch SUPEE-6482 (XSS)
- Security patch SUPEE-6788 (secrets leak)
- Security patch SUPEE-7405 (admin takeover)
- SSL Certificate check