Improving the security of your Magento
July 18th, 2015
Magento has become a force to be reckoned with in the e-commerce industry because of its regularly updated features.The security of an eCommerce website is particularly important because these sites keep records of users’ data and order-related financial information. Securing both your data and your customer’s data should be one of your top priorities while managing a store. Taking the appropriate measures to secure your store can help you maintain a good reputation with your customers and avoid unnecessary downtime. Magento already comes with a good number of built-in security features, there is always more that can be done to protect your store from hackers and security breaches.
Maintaining the security of your store is not just a suggestion, but a requirement enforced by Payment Card Industry Data Security Standards (PCI DSS) in order to process customer credit card data.
Because Magento is the most popular eCommerce software there is, it comes under the greatest number of attacks from hackers who would love to get inside your store to spam your customers, conduct phishing campaigns and steal your customers information and credit card details. Hacking of such data can cause a huge loss to your store. Magento is considered the safest and most secure eCommerce CMS, but there are still some additional security steps advised to make its security foolproof.
While no eCommerce site is 100% un-hackable, by implementing the these security improvements, you will be able to decrease the amount of vulnerabilities that can be exploited and will bring your Magento site one step closer to being bulletproof. We have explored some simple steps to make for website administrators so they can make Magento store even more secure and robust.
1. Always use the latest Magento version
New versions of Magento often come out to patch recently discovered security risks in the software. Which is why you should always try to update your store with the latest stable version as soon as possible. There are many reasons to update your site’s version of Magento. Upgrading any software or application typically follows the best practices for security, but upgrading Magento also provides you with new features, bug fixes, and other important upgrades. Upgrading could save you from wasting time looking into an issue that was corrected in a recent upgrade.
2. Use two-factor authentication
Two-factor authentication adds an extra layer of security to your Administrator Panel login. This implementation this type of authentication can aleve any worries you have about password-related Magento security risks.
Two-factor authentication extensions ensure that only trusted devices can access your Magento backend. This extra layer of security works by requiring you to not only know your unique username and password, but also enter a security code that is randomly generated every 30 seconds on a smartphone app you can purchase from the Magento Connect Marketplace.
3. Encrypted connections (SSL/HTTPS)
Whenever data is communicated between you and your server, there is a risk of that data being intercepted by third parties. As that data can contain vital information like login details, database information, etc., that data falling into the wrong hands can cause significant trouble.
You can purchase an SSL certificate from any verified Certificate Authority and install it through Nexcess control panel, SiteWorx. Once you have the SSL, configure your Magento installation to require the secure resources on certain pages, enforcing the pages to be loaded over https.
4. Manage access points
Typically there are many methods for accessing your site files and database. Depending on what you are trying to do, you can access your site through SSH, FTP, or the SiteWorx control panel. Each of these protocols should have different passwords and should follow your password policy. It would be best to use secure methods of accessing your site and moving or modifying the content of the site. Using connection methods like ssh-access-with-nexcess.html”>SSH, ftp-sftp-to-transfer-files.html”>SFTP, or winscp.html”>SCP is another buffer of security that can be easily utilized.
5. Secure your local.xml
The local.xml is one of the most crucial files to secure. This file holds all of your database information from the username to password and even the table prefix you may or may not be using. There can also be additional code to implement different caching methods that if changed could result in downtime for your store. Our recommendation is to restrict this file’s permissions to 600 or -rw——- as a listing of a directory would show. These permissions limit read and write access to just your user while all others would be forbidden.
6. Deploy changes responsibly
A possible entry point in to your Magento store can happen through the installation of extensions, themes, and other applications. The best way to avoid or at least minimize this threat would be to implement all new changes first in a development environment. This would be an exact copy of your live site that you could make changes to without effecting your live site. Another life-saver in the event of a security breach or data corruption would be to backup both the site files and database before making any changes.
7. Restricting Admin Access to Only your IP Addresses
There is an option in Magento by which we can pre-define IP addresses which can access the Magento admin panel. This step can add a great security layer to your Magento store.
The following are some examples of configuring rules within your site’s .htaccess file to restrict access to the administrator login by IP address; limiting the Magneto users configured to only have access to certain portions of the Administrator Panel.
8. Limit file permissions
Limiting the file permissions can improve the security of Magento. However, this process can be tricky as file permissions depend on your hosting environment and version of Magento. Generally you want to restrict access to all other users besides the owner, which would be your user on the server.
9. Lockdown Your Magento Connect Manager
Magento’s Connect Manager is a great way to quickly install programs, but it’s also a security risk as it’s a well known entry point for brute force attacks. Like your admin path, I recommend you change the /downloader/ path to make it harder for hackers to crack your store. For added security, you can also restrict the new downloader path by IP address.
10. Configure a custom path for the administrator panel
Obscuring the path to the Magento Administrator Panel can help prevent intrusions. If a someone can easily stumble on to your Administrator Panel login page, it is much more likely to be subjected to brute force attempts to gain access. Changing the Magento administrator URL essentially hides the login page to thwart unwanted access attempts.
To change the admin path in Magento, go to the app/etc/local.xml file, find the line with this code: <!CDATA[admin]]>, and change the string admin to the required admin string. For instance, if you want to change the admin panel URL to http://vivacityinfotech.com/securedadmin, change the CDATA code to <!CDATA[securedadmin]]>
There are many more ways to make your Magento installation even more secure, but if you implement all these steps, you’ll have a very robust and secure Magento site, which will be able to sustain most hacking attempts.
Besides the above-mentioned steps, one obvious way to make your Magento site more secure is
- The Magento team does an excellent job of fixing possible security vulnerabilities, so the latest Magento version is usually better and more secure.
- You should also keep your Magento associated email address secure, because anyone who can access that email address can access your Magento store.
- Use a password that is not easily guessed or decoded.
- Change your password on a regular basis.
- Do not reuse the same passwords.