20 Aug 2020
Magento security practices to adopt in 2020
Ankit Pahuja

Did you know that there are more than 2 billion ecommerce websites? Magento alone holds over 7% of the e-commerce platform market. According to Astra Security's own statistics, more than 62% of Magento stores have at least one vulnerability.

The Internet Crime Complaint Center (IC3) reports that victims of cybercrime lost more than $3 billion in 2019, and the figure is only going up in 2020. With the number of cyberattacks and data breaches going through the roof, Magento security is crucial.

[Image: bar graph of the most attacked CMS platforms]

The bar graph above shows that Magento is the second most attacked CMS out there (source: ZDNet).

Hence, in this article we discuss the Magento security practices you should include in your security checklist to protect your store.

Magento Security Practices: Protect Your Store From Hackers


1. Choose the correct hosting company

The right infrastructure boosts both your website's reputation and its security, so choose a reputable hosting company that keeps downtime to a minimum. Here are some tips to help you pick the right web hosting infrastructure for your store:

  • Reviews and reputation: Read web hosting reviews on review platforms and on social media channels.
  • Know your requirements: If you expect heavy traffic, choose a company that specializes in handling high-traffic sites. If you also need the host to back up your store, check that it offers backups. Know what you need and pick the solution that matches most of your criteria.
  • Test the cybersecurity measures: Check what built-in security measures the company provides.
  • Customer support: Check whether the company provides active human support. You do not want to be stranded in your hour of need.
  • Price: For a budding e-commerce store, price is a significant factor, and finding a solution that fits the budget is a task in itself. That said, picking the cheapest company is not the best criterion; a cheap host can cost you far more later, when your website is under attack.

2. Secure environment

  • Ensure hardware safety: Keep the devices you use to administer the store up to date and secure.
  • Strong passwords: Cybersecurity Ventures, a cybercrime magazine, estimates that by the end of 2020, 300 billion passwords will need protection. Make sure yours are not the weak ones on that list. Instead of using your name and phone number as the password, use auto-generated passwords, which are impractical to guess by brute force. To manage and remember these strings, use a password manager such as Dashlane, 1Password, or Passbolt.
  • Regularly update your website: Keep Magento and every installed extension up to date with the latest security patches.
  • Use secure connections: Use encrypted protocols such as HTTPS, SSH, and SFTP, and disable plain FTP.
  • cron.php access: Restrict access to cron.php to the specific system user that runs the scheduler, so that nobody else can trigger it.

3. Two-Factor Authentication

Two-factor authentication adds an extra layer of security on top of your password: besides the password, the user must present a second proof, such as an additional security question, a one-time password (OTP), or an email verification. Note that a security question is another knowledge factor, so it adds much less than an OTP generated on a device only the user holds.

The following factors are worth considering when choosing the right 2FA for your store:

  • The knowledge factor is something only the user knows, such as a PIN or a pet's name.
  • The possession factor is something only the user has, such as an ID card or the mobile phone that receives the OTP.
  • The inherence factor is something unique to the user, such as a fingerprint.
  • The location factor uses, for example, the GPS position of the device the user is carrying.
  • The time factor restricts authentication to a certain period; an OTP, for example, is usually valid for only a couple of minutes, and the same holds for other 2FA verifications.
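To make the possession and time factors concrete, here is an added example (written for this edit, not code from the original article or from Magento, whose own 2FA module is PHP) of the TOTP algorithm from RFC 6238 that authenticator apps implement. The secret is generated on the fly; the store name "example-store" and the account "admin@example.com" in the demo are assumptions. The RFC 6238 test key quoted in the comment is the one published in the RFC's Appendix B.

```python
"""RFC 6238 TOTP generation and verification, showing the possession and time factors."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random seed, base32-encoded as authenticator apps expect it in the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = number of `step`-second periods since the epoch.
    With the RFC 6238 test key b"12345678901234567890" and timestamp 59 the 8-digit
    code is 94287082 (the RFC's own test vector)."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept `code` only for the current period or `window` periods either side of it.
    The small window tolerates clock skew between phone and server; anything older is
    rejected, which is the time factor in practice."""
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False
    counter = timestamp // step
    for drift in range(-window, window + 1):
        # constant-time comparison so a mismatch does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return True
    return False


def enrollment_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that an authenticator app imports from a QR code."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Assumed names for the demo: store "example-store", admin account "admin@example.com".
    secret_b32 = generate_secret()
    secret = base64.b32decode(secret_b32)
    now = int(time.time())
    code = totp(secret, now)
    print(enrollment_uri(secret_b32, "admin@example.com", "example-store"))
    print("code now:", code, "accepted now:", verify_totp(secret, code, now))
    print("same code two minutes later:", verify_totp(secret, code, now + 120))
```

The `window` parameter is the practical trade-off: one step either side (90 seconds in total) absorbs clock drift, while a larger window gives an attacker who captured a code more time to replay it. Store the secret server-side encrypted, and rate-limit verification attempts, since a six-digit code has only a million possibilities.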

4. Back up your website regularly

Backing up a website is among the most commonly recommended Magento security practices, because when nothing else works, a good backup lets you start afresh. Magento provides backup facilities for different parts of the site: the database, the file system, and media files.

The steps to create a backup on a Magento store are as follows:

  • From the admin sidebar, select System > Tools > Backups.
  • From the backup drop-down, select the type of backup you want to create.
  • Select the checkbox to put the store into maintenance mode; it is turned off automatically when the backup completes.
  • If you want to include the media folder in the system backup, tick that checkbox, then confirm the action.

5. Change Admin URL

The default admin URL is usually of the form http://www.websitename.com/admin. Because it is widely known, it is easy for an attacker to locate your login page and attack it by brute force. The best way to avoid this is to change your admin URL. Keep in mind that a custom path only hides the login page; it is no substitute for strong passwords, 2FA, and rate limiting on login attempts.

Follow these steps to change the default admin URL of your store:

  • From the Magento admin panel, select Stores > Configuration > Advanced > Admin > Admin Base URL.
  • Set Use Custom Admin Path to Yes.
  • Enter the Custom Admin Path and, if needed, the Custom Admin URL, then save the configuration.

6. Use HTTPS/SSL for login pages

SSL/TLS encrypts the connection between the customer and the store. Once a valid certificate is installed on the web server, perform the following steps to make sure your website is served over HTTPS:

  • From System, select Configuration > Web > Secure.
  • Change the base URL from http:// to https://.
  • Set Use Secure URLs in Frontend and Use Secure URLs in Admin to Yes.
  • Save the configuration.

7. Set correct permissions

Always limit access permissions on server processes, files, and folders. Follow Magento's permission guidelines so that everyone (from subscribers to admins) has only the permissions they actually need on the store, and make sure no file or directory under the document root is writable by every local user.
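As an added example (written for this edit, not code from the article or from Magento), the following Python script audits a document root for the mistakes that most often violate those guidelines and applies a least-privilege fix. It assumes the Magento 2 layout in which app/etc/env.php holds the database credentials and crypt key; the demo tree it builds is constructed in a temporary directory and is not a real store.

```python
"""Audit a Magento document root for permissive file modes and fix the common ones."""
import os
import stat
import tempfile
from pathlib import Path

# Editor's assumption about the Magento 2 layout: app/etc/env.php holds the database
# credentials and crypt key, so it must never be readable or writable by "other".
SECRET_FILES = {"app/etc/env.php"}


def audit_permissions(root: str) -> list:
    """Walk `root` and return sorted (relative path, problem) pairs, one per finding."""
    findings = []
    base = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(base).as_posix()
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged when the walk reaches it
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, f"world-writable ({oct(mode)})"))
            # setgid on directories is fine (shared-group setups rely on g+s);
            # on regular files setuid/setgid is a privilege-escalation hazard
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, f"setuid/setgid file ({oct(mode)})"))
            if rel in SECRET_FILES and mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((rel, f"secrets readable by others ({oct(mode)})"))
    return sorted(findings)


def harden_permissions(root: str) -> int:
    """Least-privilege fix-up: strip 'other' write everywhere, drop setuid/setgid on
    files, and lock secret files to owner and group. Returns the number of entries changed."""
    changed = 0
    base = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            new_mode = mode & ~stat.S_IWOTH
            if stat.S_ISREG(st.st_mode):
                new_mode &= ~(stat.S_ISUID | stat.S_ISGID)
            if path.relative_to(base).as_posix() in SECRET_FILES:
                new_mode &= ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)
            if new_mode != mode:
                path.chmod(new_mode)
                changed += 1
    return changed


def build_demo_tree() -> str:
    """Constructed sample tree (not a real store) with three deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="magento-demo-")
    layout = {
        "index.php": 0o644,                # fine
        "bin/magento": 0o755,              # fine: the CLI entry point must be executable
        "app/etc/env.php": 0o644,          # mistake: DB password readable by any local user
        "pub/media/catalog/x.jpg": 0o666,  # mistake: world-writable upload
    }
    for rel, mode in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed placeholder\n")
        path.chmod(mode)
    Path(root, "var/cache").mkdir(parents=True)
    for dirpath, dirnames, _ in os.walk(root):  # normalise dirs regardless of umask
        for d in dirnames:
            Path(dirpath, d).chmod(0o755)
    Path(root, "var/cache").chmod(0o777)  # mistake: world-writable cache directory
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, problem in audit_permissions(demo):
        print(f"{rel}: {problem}")
    print("fixed:", harden_permissions(demo), "remaining:", len(audit_permissions(demo)))
```

Run the audit before and after a deployment and after any "chmod -R 777" a tutorial talked someone into; the hardening step is deliberately conservative (it never adds permissions), so the web server's group write access that Magento needs on var, generated, and pub is left untouched.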

8. Monitor for suspicious activities

Regularly monitor web server logs for suspicious activity. You can also deploy an intrusion detection system (IDS) to add an extra layer of security.

Also check the admin action log for newly created admin users. To catch unexpected logins, monitor all system logins (FTP, SSH, SFTP) as well.
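Here is an added example (written for this edit, not code from the article) of the kind of check worth running over the web server logs: it flags source addresses that hammer the admin login with POST requests, and addresses that reached the admin path without being on an allowlist. The log lines are constructed (documentation IP ranges, not real traffic), the store is assumed to use the custom admin path "/securebackend" as recommended above, and the allowlist is an assumed office address.

```python
"""Scan access logs for admin login brute force and admin access from unknown addresses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic). 203.0.113.7 scripts five login attempts in
# a few seconds, 198.51.100.5 is the legitimate admin, 192.0.2.44 is an unknown visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2020:10:00:01 +0000] "GET /securebackend/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2020:10:00:05 +0000] "POST /securebackend/ HTTP/1.1" 302 0 "-" "python-requests/2.24"
203.0.113.7 - - [20/Aug/2020:10:00:06 +0000] "POST /securebackend/ HTTP/1.1" 302 0 "-" "python-requests/2.24"
203.0.113.7 - - [20/Aug/2020:10:00:07 +0000] "POST /securebackend/ HTTP/1.1" 302 0 "-" "python-requests/2.24"
203.0.113.7 - - [20/Aug/2020:10:00:08 +0000] "POST /securebackend/ HTTP/1.1" 302 0 "-" "python-requests/2.24"
203.0.113.7 - - [20/Aug/2020:10:00:09 +0000] "POST /securebackend/ HTTP/1.1" 302 0 "-" "python-requests/2.24"
198.51.100.5 - - [20/Aug/2020:10:01:00 +0000] "POST /securebackend/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Aug/2020:10:01:02 +0000] "GET /securebackend/admin/dashboard/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Aug/2020:11:15:30 +0000] "GET /securebackend/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [20/Aug/2020:12:30:00 +0000] "POST /securebackend/ HTTP/1.1" 302 0 "-" "python-requests/2.24"
"""


def parse_line(line: str):
    """Return a dict with ip, ts, method, path, status; None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_admin_path(path: str, admin_path: str) -> bool:
    """True if `path` is the admin base path or anything beneath it."""
    admin_path = "/" + admin_path.strip("/")
    return path == admin_path or path.startswith(admin_path + "/")


def max_hits_in_window(times: list, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_admin_bruteforce(lines, admin_path: str, threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> dict:
    """Source IPs that POSTed to the admin login at least `threshold` times within `window`,
    mapped to the peak count. Burst detection, not a total, so a slow drip over hours is
    not counted; tune threshold and window to the store's real admin traffic."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and is_admin_path(rec["path"], admin_path):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        peak = max_hits_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def admin_access_outside_allowlist(lines, admin_path: str, allowlist: set) -> set:
    """IPs that touched the admin path at all and are not in the (assumed) office/VPN allowlist."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec and is_admin_path(rec["path"], admin_path) and rec["ip"] not in allowlist:
            seen.add(rec["ip"])
    return seen


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", detect_admin_bruteforce(lines, "/securebackend"))
    print("unknown admin visitors:", admin_access_outside_allowlist(lines, "/securebackend", {"198.51.100.5"}))
```

Feed the real access log (or a tail of it from cron) into the same functions; a hit from the brute-force check is a good trigger for a temporary firewall block, and an address in the second set that you do not recognise is a reason to go and read the admin action log for new users.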

9. Security Audit from a trusted source

The best way to protect a website from a possible hack is to have your store audited by security professionals. Astra Security provides a thorough, in-depth security audit that uncovers security defects, vulnerabilities, loopholes, and other flaws in your security setup and protocols. It runs over 1250 tests, including code analysis, network configuration tests, business logic testing, payment security checks, and more.

A quick video to understand how hackers hack your Magento store: https://youtu.be/-1XuLrF5bL

VAPT plans come in three packages: Basic, Expert, and Elite. This is what the VAPT process at Astra looks like:

[Image: Astra VAPT process]

Final Note

If you know your store inside out and have decent technical experience, you can also run security audit tools yourself. For the detailed process of a Magento security audit, follow this guide.