The above bar graph shows that Magento is the second most attacked CMS out there. Source: ZDNet
Hence, in this article, we will discuss some of the best Magento security practices you must include in your security checklist to protect your store.
Magento Security Practices: Protect Your Store From Hackers
1. Choose the correct hosting company
The right infrastructure will give a boost to your website’s reputation and security. Hence, you should choose a reputed hosting company that keeps downtime to a minimum. Here are some tips that will help you choose the right web hosting infrastructure for your website:
- Reviews and reputation: Check web hosting reviews. You can read more about the hosting on various review platforms or even on social media channels.
- Know your requirements: If your website is going to receive heavy traffic, choose a company that specializes in handling high-traffic sites. Similarly, if you need the host to back up your store, check that it offers backups. Know what you need and get a solution that matches most of your criteria.
- Test the cybersecurity measures: Check what kind of in-built security measures the company provides.
- Customer Support: Check whether the company provides active human support. You do not want to be stranded in the hour of need, do you?
- Price: For a budding e-commerce store, price is a significant factor, and choosing an optimum solution that also fits the budget is a task in itself. That said, picking a company simply because it is the cheapest is not a good criterion; the savings can cost you later, when your website is under attack.
2. Secure environment
- Secure your hardware: Make sure the devices you use to administer the store are up to date and secure.
- Strong passwords: Cybersecurity Ventures, a cybercrime magazine, estimates that by the end of the year 2020, 300 billion passwords will need protection. Make sure your passwords do not land on this list. Instead of using your name and phone number as the password, use randomly generated passwords that are hard to guess by brute force. To manage and remember these strings, you can use a password manager such as Dashlane, 1Password or Passbolt.
- Regularly update your website: Keep your Magento website and all complementary extensions up to date with the latest security patches.
- Use secure connections: Use secure communication protocols such as HTTPS, SSH and SFTP, and disable plain FTP access.
- cron.php access: Restrict access to the cron.php file to the specific users that need it.
3. Two-Factor Authentication
Two-factor authentication adds an extra layer of security on top of your password. Requiring an additional security question, an OTP, or an email verification along with the password works as two-factor authentication. Consider the following factors when choosing the right 2FA for your store:
- The knowledge factor is something that only the user knows, such as a pet’s name.
- The possession factor is something that only the user possesses, such as their ID or the mobile phone that receives the OTP.
- The inherence factor is something unique to the user, such as a fingerprint.
- The location factor uses, for example, the GPS position of the device the user is carrying.
- The time factor restricts authentication to a certain period; for example, an OTP is generally valid for only a couple of minutes. The same applies to other 2FA verifications.
4. Backup your website from time to time
Backing up a website is one of the most commonly recommended Magento security practices, because when nothing else works, a good backup lets you start afresh. Magento can back up different parts of the website separately: the database, the file system, and media files.
The steps to create a backup on a Magento store are as follows:
- From the admin sidebar, select System > Tools > Backup.
- From the Backup drop-down, select the type of backup you want to create.
- Select the checkbox to put the store into maintenance mode; it is turned off automatically once the backup completes.
- If you want to include the media folder in the system backup, tick the checkbox, then confirm the action.
5. Change Admin URL
The default admin URL usually has the form http://www.websitename.com/admin. Because it is widely known, it makes it easy to locate your admin login page and attack it by brute force. The best way to avoid this fate is to change your admin URL.
Follow these steps to change the default URL of your store:
- From the Magento Admin panel, select Stores > Configuration > Advanced > Admin > Admin Base URL.
- Set Custom Admin Path to ‘Yes’.
- Enter the custom Admin Path and then change the custom Admin URL.
6. Use HTTPS/SSL for login pages
SSL/TLS encrypts the connection between the customer and the store. To make sure your website uses SSL, perform the following steps:
- From System, select Configuration > Web > Secure.
- Change the base URL from http:// to https://.
- Select ‘Yes’ for Use Secure URLs in Frontend and for Use Secure URLs in Admin.
- Save the configuration.
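The two admin-panel procedures above (custom admin path and HTTPS) can also be applied from the command line, which is handy when you are locked out of the panel or automating a deployment. The script below is an added example and is not code from the article; it assumes a Magento 2 installation and is run from the Magento root, where `bin/magento` lives. The validation rule for the admin path (letters, digits and underscores only, and not the default `admin`) is an assumption made here to reject obviously bad input before the command runs.

```shell
#!/bin/sh
# Added example (not from the article): CLI equivalents of the admin-panel
# steps for a Magento 2 store, with input checks so that a typo cannot silently
# leave the store on plain HTTP or set a malformed admin path.
# Assumes it is run from the Magento root, where bin/magento lives.

# Accept only https:// URLs that end in a slash (Magento expects the trailing slash).
validate_secure_url() {
  case "$1" in
    https://*/) return 0 ;;
    *) return 1 ;;
  esac
}

# Assumed rule (not from the article): an admin front name made only of
# letters, digits and underscores, and not the well-known default "admin".
validate_admin_path() {
  [ -n "$1" ] || return 1
  [ "$1" != "admin" ] || return 1
  case "$1" in
    *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 6 of the article: force HTTPS on both the storefront and the admin panel.
enable_https() {
  url="$1"
  validate_secure_url "$url" || { echo "refusing non-HTTPS base URL: $url" >&2; return 1; }
  bin/magento config:set web/secure/base_url "$url"
  bin/magento config:set web/secure/use_in_frontend 1
  bin/magento config:set web/secure/use_in_adminhtml 1
  bin/magento cache:flush
}

# Step 5 of the article: move the admin panel off the default /admin path.
set_admin_path() {
  path="$1"
  validate_admin_path "$path" || { echo "invalid admin path: $path" >&2; return 1; }
  bin/magento setup:config:set --backend-frontname="$path"
  bin/magento cache:flush
}

# Usage from the Magento root (values are placeholders):
#   enable_https "https://shop.example.com/"
#   set_admin_path "ops_console_7h2k"
```

After `set_admin_path` the panel answers at `https://<base-url>/<path>/`; keep the new path somewhere safe, because it is stored in `app/etc/env.php` rather than in the database.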
7. Set correct permissions
Always limit access permissions to server activities, files, and folders. Follow Magento’s permission guidelines to ensure that everyone (from subscribers to admins) has only the permissions they need on the store.
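Magento’s own documentation describes a two-user scheme for production: files are owned by a non-web user, and only the directories Magento must write to (`var`, `generated`, `vendor`, `pub/static`, `pub/media`, `app/etc`) are group-writable for the web server’s group. The script below is an added example and is not the article’s or the Magento project’s code; it applies that scheme, additionally strips world-write permission (an addition to the documented commands), and then audits for the two conditions the guidelines are meant to prevent. The demo tree it builds is constructed so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the article or the Magento project): apply the
# Magento 2 ownership/permission scheme from Magento's docs, with the extra
# step of removing world-write, then audit the result.
# Assumptions: $1 is the Magento root, $2 the web server's group (e.g. www-data;
# pass "" to skip the chown step when running without that group).

WRITABLE_DIRS="var generated vendor pub/static pub/media app/etc"

harden_permissions() (
  cd "$1" || return 1
  group="$2"
  for d in $WRITABLE_DIRS; do
    [ -d "$d" ] || continue
    find "$d" -type f -exec chmod g+w,o-w {} +    # docs: g+w; o-w added here
    find "$d" -type d -exec chmod g+ws,o-w {} +   # setgid keeps new files in the group
  done
  if [ -f bin/magento ]; then chmod u+x bin/magento; fi
  if [ -n "$group" ]; then chown -R ":$group" .; fi
)

# List every file or directory under the root that any local user can write to.
audit_world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# Magento's own pub/media/.htaccess blocks PHP execution in the media tree and
# the application never stores code there, so any .php file found is worth a look.
audit_php_in_media() {
  [ -d "$1/pub/media" ] || return 0
  find "$1/pub/media" -type f -name '*.php' -print | sort
}

# Constructed demo tree: one world-writable log file and one stray PHP file
# under pub/media, both deliberate so the audits have something to report.
make_demo_tree() {
  umask 022
  t=$(mktemp -d)
  mkdir -p "$t/var/log" "$t/pub/media/catalog" "$t/app/etc" "$t/bin"
  : > "$t/var/log/system.log"
  : > "$t/app/etc/env.php"
  : > "$t/bin/magento"
  printf '<?php\n' > "$t/pub/media/catalog/stray.php"   # constructed finding
  chmod 0777 "$t/var/log/system.log"                   # constructed misconfiguration
  echo "$t"
}

# Usage against a real store (placeholders): run as the file system owner.
#   harden_permissions /var/www/magento www-data
#   audit_world_writable /var/www/magento
#   audit_php_in_media /var/www/magento
```

Run the two audit functions from cron and alert on any non-empty output; an empty result after `harden_permissions` is the expected steady state.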
8. Monitor for suspicious activities
Regularly monitor web server logs for any kind of suspicious activity. You can also deploy an intrusion detection system (IDS) to add an extra layer of security.
Check the Admin Actions Log for newly created admin users as well. To catch unexpected logins, monitor all system logins (FTP, SSH, SFTP) too.
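The two checks above (a client hammering the admin login and an admin account that appeared without anyone expecting it) are easy to script. The block below is an added example, not code from the article; it runs against a constructed access-log sample and constructed user lists so that it works offline. It assumes the web server writes the common/combined log format, that the admin panel is under `/admin/` (change this after moving the admin path), and that more than five login POSTs from one client in a log sample is the alert threshold; the `admin_user` query in the comment is an assumption about where a real baseline would come from.

```shell
#!/bin/sh
# Added example (not from the article): two small monitoring checks over
# constructed sample data. Assumptions: combined log format, admin panel at
# /admin/, alert threshold of more than 5 POSTs per client per sample.

# Constructed sample access log: 203.0.113.7 repeatedly POSTs to the admin
# login form, 198.51.100.4 browses the catalog and logs in once.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:04 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:04 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.4 - - [10/Mar/2021:10:01:00 +0000] "GET /catalog/category/view/id/3/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:01:05 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read log lines on stdin and print "<count> <ip>" for every client that
# POSTed to the path in $1 more than $2 times. Field 6 is the quoted method,
# field 7 the request path in the combined log format.
admin_post_bursts() {
  awk -v path="$1" -v max="$2" '
    $6 == "\"POST" && index($7, path) == 1 { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > max) print hits[ip], ip }
  ' | sort -rn
}

# Print admin usernames present in the current list ($2) but not in the saved
# baseline ($1), one per line. On a real store the current list would come from
# the admin_user table, for example (assumed query, not from the article):
#   mysql -N -e 'SELECT username FROM admin_user ORDER BY username' magento
new_admin_users() {
  tmp="${TMPDIR:-/tmp}/admin_baseline.$$"
  printf '%s\n' "$1" | sort > "$tmp"
  printf '%s\n' "$2" | sort | comm -13 "$tmp" -
  rm -f "$tmp"
}

# Usage (the first call prints "7 203.0.113.7", the second "backup_svc"):
#   printf '%s\n' "$SAMPLE_LOG" | admin_post_bursts /admin/ 5
#   new_admin_users "$(printf 'admin\njane')" "$(printf 'admin\njane\nbackup_svc')"
```

Piping the real access log through `admin_post_bursts` once a minute and feeding the output to your alerting is enough to notice a brute-force attempt early; keep the baseline user list in version control or a read-only location so an attacker who gains admin cannot silently update it.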
9. Security Audit from a trusted source
The best way to protect a website from a possible hack is to get your store audited by security professionals. Astra Security, a well-known security service company, provides a thorough and in-depth security audit that uncovers security defects, vulnerabilities, loopholes, and other flaws in your security system and protocols. It runs over 1250 tests, including code analysis, network configuration tests, business logic error testing, payment security, and more.
A quick video to understand how hackers hack your Magento store: https://youtu.be/-1XuLrF5bL
This is what the VAPT process at Astra looks like:
VAPT plans come in three different packages called: Basic, Expert & Elite.
If you know your store inside out and have decent experience with the technology, you can use the following security audit tools to your benefit. For the detailed process of a Magento security audit, follow this guide.
About the Author: Ankit Pahuja is a software engineer turned security evangelist and growth hacker. He secures businesses for food because he believes hungry security researchers are the best. Since his educational years, he has actively participated in bug-bounty programs, several of which won him awards and large bounties, and professionally he has secured over 500 businesses to date.