eCommerce is growing dramatically, thousands of individual servers work day and night, and private information (including, of course, financial data) is a significant temptation for hackers. eCommerce sites are desirable targets to attackers because of the personal and payment data that is needed to make a sale. Magento power thousands of sites in the e-Commerce platform, and the latest finding by Astra reveals that 62% of a store has at least one vulnerability.
In this article, I will consider the most important and well-timed security advice for Magneto. Ordinarily, attacker cracks e-commerce websites:
to utilize it for electronic spam; to use it for phishing (the attempt to receive sensitive information such as passwords or credit cards details); to deface or harm your website: to steal information that they can utilize to their advantage.
In the first place, you have to defend your Magento shop because you should protect the client’s information. It goes without saying that hackers may want to obtain your information for some reason (for instance, in the framework of industrial espionage), but the first thing is that you shouldn’t give them customers’ private information, including credit card details. If this data is stolen in consequence of the hacker attack, it can severely injure your reputation as well as damage your clients. Welcome to apply these Magento security rules to your shop.
Two-Factor Authorization
Even the most secure password is worthless if it can be stolen. To increase the level of security for your store, it is highly recommended to utilize any second authorization factor, such as allow the backend only from a particular IP, implementing two-faction authentication. To limit backend access, add these lines to the VirtualHost section of Apache webserver configuration (please be careful – if you add the following lines to .htaccess file it will cause an error): Feel free to check the Amasty extension if you’re looking for a Magento two-factor authentication solution.
Change Backend URL
This approach is more about security by obscurity, but it can be useful as an additional method of fighting against bots and brute force attacks. To change backend URL, you can edit app/etc/local.xml (admin / routers / adminhtml section). We don’t advise you to change the default admin URL using the native interface of the Magento admin panel. You have to make sure that the new URL address ‘s hard enough to guess. Moreover, you might want to clear a cache after this. Then you should check your new URL and make sure the old URL returns the 404 error page.
Update Software in Time
Software updates give you not only new features but also error fixes and the removal of vulnerable points. That’s why it is crucial to utilize the latest software versions available at this time. To upgrade your system, apply the following laconic commands: RHEL / CentOS Debian / Ubuntu If you are still using Magento 1 which is the end of life, you should consider leveraging service like Nexcess Safe Harbor who look after security to ensure your shop is safe.
Backup Regularly
No one can be secured from hackers’ attacks, but there’s some way to feel safer: periodic backups can save you from many problems that may become critical for your business. You should save regularly backup copies, don’t try to keep them on the original website’s server, and from time to time, restore your backup on a sandbox to check if they’re working correctly. Keeping your backup on the server with your website is dangerous not only for the reason that your copy should be safe in case if your server breaks down, but also because if a hacker gets to your server, he’ll also get access to the backup copies, which is, of course, very unwanted.
Use Complex Password
According to SplashData, 123456 was one of the most common passwords in 2013 (and, of course, one of the most insecure). The admin password is the keystone of your Magento shop security. And it should be strong enough! Easy paroles can be easily cracked, so apply more than ten characters, with lower and upper case, and also special characters like ^$#%*, in this way, your password won’t be forced since even with the newest programs, it will take years to crack. You can use the LastPass password generator.
Use Firewall
There are two types of firewalls you can use to protect your Magento store. WAF (Web Application Firewall) – protect your online store from web security vulnerabilities like SQLi, XSS, Brute-force attacks, Bot, spam, malware, DD0S, etc. You can think of implementing a cloud-based firewall such as Sucuri or Astra. System/Network Firewall – ban public access to everything except your web server. If you don’t possess a permanent IP address to access it through the firewall, apply VPN or Port Knocking technology. In RHEL/CentOS you can find the firewall settings in /etc/sysconfig/iptables; when it comes to Debian/Ubuntu, apply iptables-persistent (/etc/iptables-persistent/rules.v4).
Don’t Re-use Password on Other Site.
This Magento security issue works with all password-protected information that you own. As reported by passwordresearch.com, more than 15% of users apply the same password for many services. Not many people know that applying identical passwords for several logins, indeed, contains the risk of losing all of your accounts right away. One more time: all passwords must be unique, no other way. Be careful; set aside this article for a while and change them if they aren’t. Otherwise, you risk getting injured because of your imprudence.
Change Password Periodically
Your passwords shouldn’t be constant. We highly recommend changing passwords leastways every six months. Even if a password has been stolen (and even if the hacker hasn’t applied it), constant changeovers will make the earlier leaked information worthless. Make sure also that passwords are changed for all the clients that are using the website.
Don’t Store Password On Your PC
A big part of the Trojan software steals your saved passwords. You should be cautious with browsers and FTP clients since passwords are stolen through these applications more often. You should never save passwords applying this software without using the master password (a password that enciphers the rest of the passwords while keeping access details). Neglecting this advice can easily lead to data leaks. You may try a password manager.
Pay Attention to Error or Suspicious Activity
Do a security review regularly to check for signs of attack, and also when contacted by clients with security concerns. You may want to apply the Admin Actions Log Magento extension for this aim, and it has been updated with the next features critical for web security:
You can set up an announcement for a successful login attempt from an unusual country compared to previous logins. You can set up an announcement for many unsuccessful login attempts over the past hour, which can indicate a break-in attempt. “403 Forbidden” status returned by failed login page in the backend, that facilitates the integration with server security tools.
Moreover, you can use a web security scanner to analyze your eCommerce website for vulnerability automatically and periodically.
Use HTTPS/SSL
If you use a public hotspot (for example, in a mall) to access the backend, you’re risking getting injured from the MitM attack. Having an online store accessible over HTTPS provide security to the shopper as all the transaction data is encrypted from the user to your server over SSL/TLS protocol.
You can either use a FREE SSL certificate or buy one.
Forget FTP
FTP protocol was introduced when the Internet was an infant, and security wasn’t the problem at times. FTP protocol usage is very unwanted since authorization is performed with plain text and can be intercepted without difficulties. Utilize SFTP protocol, as it will also relieve you from problems with IP streaming (NAT), for not everyone has a public IP for Internet usage. Follow this guide to configure SFTP for Magento.
Set Minimum Access Permissions
You should always limit access permissions for web server activities. You need records in Magento in app/etc., media and var only, plus includes/if you use compilation. Extended rights may be required only for Magento Connect usage. The best combination for the security will be as follows: you let the website source code belong to the first user (for example, admin), and the webserver will run the code with the second user (for example, Apache). Let’s see an example of access settings for this combination:
Only if compilation is used
Block All Unwanted Countries
If you don’t ship worldwide, block other countries. For example, if you send your goods to the USA only, in this way you can protect yourself from any attacks – as is known, a great deal of malicious traffic comes from China, and by blocking it, you avoid any break-in attempts from this country. There are many ways to do this, and the procedure depends on WAF hosting you use. You should speak to your hosting or security provider company about this to set things in the right way.
Conclusion
I am sure you can add additional security to your Magento store by following the above tips. For SMBs, you should also explore cloud-based VAPT solutions.
