An estimated 240,000 ecommerce stores use Magento for their online operations, which accounts for nearly 30% of the ecommerce platform market.
Unfortunately, this not only makes clear that Magento is a worthwhile program, it makes clear something else: It’s a focus area for cyber criminals across the globe. Add to this the fact that it’s an ecommerce platform, and it’s clear how critical security for any Magento e-store would be.
Magento keeps on releasing security patches to keep client websites Secure; however, the responsibility of doing everything possible to secure your Magento store also rests with you, the customer.
There are several customizations, security settings, and additional best practices that you need to be aware of in order to make your Magento based e-store secure. This piece will run through 10 tips that can help you make your ecommerce store more secure than before.
From very technical suggestions to secure your admin access, to general security practices that will keep your store secure, below covers it all.
The obvious: Make sure you have a strong password policy in place
The biggest sin that most Magento e-store administrators and owners are guilty of is having a routine, weak, and easy to crack password. It’s expected, though, considering your entire focus is on getting things off the ground when you set Magento up initially. However, in the absence of any automated password policies via Magento, you need to implement your own. Below are best practices to remember:
- Your password must be 10 or more characters long
- The password must include at least one symbol, one number, and one capital alphabet
- Don’t include your company name, or any dictionary word in your password
- Change the password every 90 days, or sooner
This can also be improved with secure two-step authentication. This helps you cover your bases if you ever give your password to another employee who may need administrator privileges at one point in time.
The not-so obvious: Modify the admin path
Chances are you have never bothered with the admin/default path. However the default path, unfortunately, makes it a lot easier for cyber criminals to crack your login credentials using brute force techniques. By changing the default admin path, you add another layer of protection to keep your store’s login credential secure. Here are ways you can change the default admin path.
1. Go to admin backend. Here, go to System, and then Config. In the options, click on Admin, and then Admin Base URL. Select the option to ‘Use Custom Admin Path’, and click on Yes.
2. The other method involves manipulating some code in your Magento store’s local.xml file. You can access the local.xml file by going to the following path: app/etc/local.xml.
Open the file, and look for the following code.
Here, you need to replace [admin] with the new path. Once done, save the file, and refresh the cache and you’re done!
Keep a strong watch and control on admin users
For all admin users who have admin privilege roles assigned to their IDs, you need to devise a mechanism to view their activity logs, and must remove their privileges if you detect anything unusual. This can be done within Magento from this path:
System > Permission > User and Roles
Make sure that you only provide admin privileges to a user only when absolutely necessary, and only for a necessary period of time.
Encrypt critical pages
You just can’t afford to send any sensitive information, such as your credentials, over unencrypted connections considering how common it has become for hackers to steal information over unsecure connections. The solution to this grave problem – secure URLs. Magento provides you a setting to help here.
Go to System, then Configuration, and Web. Here, select the Secure tab, and specify a Yes for the options to ‘Use Secure URLs in Frontend’ and ‘Use Secure URLs in Admin’.
Finally, remember that it’s mandatory to have secure URLs for processing financial transactions. Magento lets you add SSL for your web store, so make sure you make use of it.
Ask yourself: Am I using the most secure, upgraded, and patched Magento version?
Remember, it’s your responsibility as well as requirement to deliver 100% secure shopping experiences on your e-store. The kind of brand tarnishing that a customer data leakage brings can break your business’ back. To make sure you don’t leave any security gaps, it’s important that you always upgrade to the latest Magento version whenever such upgrades are rolled out. In addition, between version upgrades, Magento keeps on pushing out security patches when needed. It’s critical that you install these security upgrades as soon as they’re available because they’re precisely offered to combat the latest security threats.
Path: System -> Magento Connect -> Magento Connect Manager
Of course, you will get notifications when there is a critical security patch on offer, or when there’s a version upgrade. You can also check on Magento’s website for word on any planned upgrades and security patches.
Ensuring security of server environment
Secure server environment is critical for the wholesome security of your Magento website. However, it’s one of the often ignored aspects of security for Magento websites. For starters, talk to your web hosting provider and understand the kind of security protocols in place. No unnecessary software should be running on the server. Then, make sure that only secure protocols are in use for communications (protocols such as HTTPS, SFTP, and SSH).
The ports in the server must not be opened all at once because of the high attack surface it creates. Magento comes with .htaccess files that help in system file protection when Apache web server is in use. However, if you’re using a web server such as Nginx, ensure that directories and files are protected.
Here’s an experiment – try to access this address: https://www.yourMagentowebsite/app/atc/local.xml.
If it’s accessible, your site is at risk and you need to change the server settings. Access to cron.php file should be very restricted; remember to use the system cron scheduler to execute the command, always.
Use a reliable mechanism of running scans for your Magento website
Imagine a situation where a 3rd party plugin causes a security risk in your Magento website, and the server scanner is not even able to detect it! To avoid such problems, it’s important to run routine scans on your Magento website. Online scanning services such as MageReport and ForeGenix scan your Magento website completely and send a list of the potential issues, apart from the scan report, to your email id. Below is a screenshot of how a typical MageReport scan report looks like:
Use reliable security extensions for Magento
There are just too many security risks for all kinds of websites, let along Magento e-stores. Thankfully, Magento offers some time tested and proven effective extensions that can take care of all kind of security issues. Explore the most highly rated extensions for functions such as blocking security threats, scanning for vulnerabilities, blocking malicious codes, log activities, enforce strong password policies, and implement firewalls. Some of the reliable Magento security extensions worth checking are:
- ET IP Security: Offers IP based access limitations for website access.
- MegaSecure: Scans your Magento store for vulnerabilities
- Spam Killer: Integrated with Akismet to deliver world class spam comment removal
- Mega Firewall: Blacklist security violators, implement NinjaFirewall’s security rules, and block all kind of web attacks.
Note: Always run every extension through antivirus checks. Magento extensions could easily infect malware into your website, especially if you’re not sure of the source or the reliability of the developers. To avoid such as mess, make sure that you run each extension through your operating system antivirus before installing it.
More importantly, always choose an extension after reading its reviews, and making a smart judgment based on the reputation and previous record of the developing agency. Make sure you choose extensions made by developers who seem committed to their work, because a few years down the line, you wouldn’t want to be stuck with an important extension that is not supported or upgraded anymore.
To make sure that your website remains up even when a security breach happens, take regular backups and store them on the cloud, as well as in the form of an offline copy, so that you can quickly take your website back to a known good state from the very recent past whenever needed. You can easily find reliable Magento extensions for this.
Your Magento store deserves all your attention, not only from a business development and management perspective, but also a security perspective. In the highly volatile and uncertain cyber security environment of today, the responsibility of your Magento website’s security rests completely on your shoulders. Trust these 10 practices discussed above to secure the most critical aspects of your e-store.
Is there anything you would add to the list? Have you had a personal experience with your Magento store? Let us know your thoughts and your story in the comment section below.
Amanda DiSilvestro is a writer for NoRiskSEO, a full service SEO agency, and a contributor to SEW. You can connect with Amanda on Twitter and LinkedIn, or check out her services at amandadisilvestro.com.