Best Practices for Magento Website Security
Magento is the most popular e-commerce application and has attracted a lot of attacks as well. Protecting your Magento website matters not just for the security of the site itself but also for a pleasant user experience, which in turn affects your reputation and search engine ranking.
Although these recommendations have been made with the security of a Magento website in mind, most of them apply to many other content management systems. Website protection principles are broadly applicable across platforms and are application-specific only in a few cases.
Magento is the most widely used e-commerce application, and that naturally makes it a target for cyber-criminals. Sometimes attackers attempt to steal personal customer data, misuse credit cards or commit identity theft. Other times they simply want to deface a site by breaking into it, or to take it down with a Distributed Denial of Service (DDoS) attack.
Although Magento is a relatively secure system and is frequently patched, it is critical that you (or your Magento site administrator) invest time and effort to ensure that your Magento security is as tight as possible.
The following list of security recommendations and practices will help protect your Magento websites against attacks.
1. Maintain up-to-date software
Frequent software updates can be annoying to users, but it is important to stay on the latest version of any software you use, because updates carry patches for newly discovered vulnerabilities. To ensure that attackers cannot use known vulnerabilities against your site, always run the latest version.
2. Keep regular backups
Backups provide some security for the worst-case scenario: you can return to an earlier state in which the site worked properly. Always maintain a healthy backup and, if possible, download a copy of it to your own system.
Magento's Admin Panel makes this easy with its built-in functionality to create backups and to restore the system to previous versions, when necessary. You can find these features in System >> Tools >> Backups. Note that there are three types of backups: System Backup, Database and Media Backup, and Database Backup.
3. Use updated antivirus software
Trojans, traditional email- or network-borne viruses and other types of malware are used by hackers and data thieves. These programs can steal your data and transmit it to attackers, send spam to your customer list, capture your screen and keystrokes (gaining access to your passwords and accounts), inject dangerous or spammy links into your site, and erase data from your site or database.
Your best defense against these threats is to keep reliable anti-virus software constantly up to date.
4. Implement a strong password
Without a strong password, attackers can gain access to your website using brute-force and dictionary-based password-cracking software. On the other hand, it is easy to defeat these tools by making sure that your passwords are too complex to be cracked with the computing power available to attackers today.
We suggest immediately going to Admin Panel > System > My Account to implement a strong password policy like this:
Passwords must be at least 10 characters in length.
Passwords must contain at least two alphabetical characters.
Passwords must contain both lower-case and upper-case letters.
Passwords must contain at least two numerical digits.
Passwords must contain at least two special characters (such as & ^ % * $).
Passwords may not contain any words in the dictionary or any commonly-used IT login names (e.g., admin, administrator).
Passwords may not contain any personal information (such as names or birthdates).
Other important password-related best practices include:
Passwords may not be used for more than one account.
Passwords may not be stored anywhere on your computer or in the cloud.
Passwords must be changed immediately after outside developers, writers and designers have completed their work.
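The policy above can be turned into a check that runs before a new admin password is accepted. The following is an added example, not code from the original article or from Magento; the word lists are constructed stand-ins for a real dictionary and for your organisation's list of common login names, and the personal_info parameter is an assumed way of passing names and birthdates to the check.

```python
# Constructed sample word lists; a real deployment would load a full dictionary
# and the organisation's own list of common login names.
COMMON_WORDS = {"password", "welcome", "magento", "store", "summer", "letmein"}
COMMON_LOGINS = {"admin", "administrator", "root", "user", "guest"}
SPECIAL_CHARS = set("&^%*$!@#()-_=+[]{};:,.<>?/\\|~`'\"")


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    The rules mirror the policy listed above: at least 10 characters, at least two
    letters including both cases, at least two digits, at least two special
    characters, no dictionary words or common login names, no personal information.
    Word and personal-info checks are case-insensitive substring matches, so a
    password that merely embeds a forbidden word is rejected as well.
    """
    problems = []
    lowered = password.lower()
    letters = [c for c in password if c.isalpha()]
    digits = [c for c in password if c.isdigit()]
    specials = [c for c in password if c in SPECIAL_CHARS]

    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if len(letters) < 2:
        problems.append("fewer than two letters")
    if not any(c.islower() for c in letters) or not any(c.isupper() for c in letters):
        problems.append("missing lower-case or upper-case letters")
    if len(digits) < 2:
        problems.append("fewer than two digits")
    if len(specials) < 2:
        problems.append("fewer than two special characters")
    for word in sorted(COMMON_WORDS | COMMON_LOGINS):
        if word in lowered:
            problems.append("contains dictionary word or login name: " + word)
    for item in personal_info:
        item = str(item).lower()
        if item and item in lowered:
            problems.append("contains personal information: " + item)
    return problems


if __name__ == "__main__":
    for candidate in ("Admin2020!!", "Xq7#mT9$vLp2!r"):
        print(candidate, "->", check_password(candidate, personal_info=["Smith", "1985"]) or "OK")
```

A password such as Admin2020!! satisfies every length and character-class rule and still fails, because it embeds the login name admin; that is exactly the case a length-only check would miss.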
5. Lock down the admin password reset email address
Because Magento allows users to recover a forgotten administrator password by sending an email to the address associated with the account, it is important to keep the admin email address hidden from the public. This is a potential weakness in Magento's security, because anyone who gains access to that email account can initiate a password reset and take over your entire Magento store.
6. Create a custom path for the Admin Panel
By default, the URL for a Magento store's Admin Panel is http://store.com/admin. It is a good security measure to change this to something like http://store.com/somethingelse.
To make this change, open the /app/etc/local.xml file (in your Magento installation directory) in a text editor and find this line:
Change admin to something complex and non-guessable, using only numbers and letters, such as 5566.
(Note that you never want to change the Admin Base URL parameter in the Admin section of your configuration, as this will actually make your Admin Panel inaccessible.)
After making this change, refresh the Magento cache.
Using the above example, you will now be able to access your Admin Panel at http://store.com/5566
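The edit described in steps 6 above can be scripted so that the new path is validated before it is written. This is an added example, not code from the article or from Magento. The article does not show the line to edit; in Magento 1.x it is the frontName element under admin/routers/adminhtml/args, which is stated here from knowledge of Magento 1 rather than from the page. The sample local.xml below is constructed, with placeholder credentials and key.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1 app/etc/local.xml; the key and the database
# credentials are placeholders, not real values.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <crypt>
            <key><![CDATA[PLACEHOLDER_ENCRYPTION_KEY]]></key>
        </crypt>
        <resources>
            <default_setup>
                <connection>
                    <host><![CDATA[localhost]]></host>
                    <username><![CDATA[PLACEHOLDER_DB_USER]]></username>
                    <password><![CDATA[PLACEHOLDER_DB_PASSWORD]]></password>
                    <dbname><![CDATA[magento]]></dbname>
                </connection>
            </default_setup>
        </resources>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Element path of the admin route name in Magento 1.x local.xml (from Magento 1
# knowledge, not from the article).
FRONT_NAME_PATH = "admin/routers/adminhtml/args/frontName"


def is_valid_front_name(name):
    """Only letters and digits, as the article recommends, and never the default."""
    return bool(re.fullmatch(r"[A-Za-z0-9]+", name)) and name.lower() != "admin"


def get_admin_front_name(xml_text):
    """Return the current admin path, or None if the element is absent."""
    node = ET.fromstring(xml_text).find(FRONT_NAME_PATH)
    return None if node is None else (node.text or "").strip()


def set_admin_front_name(xml_text, new_name):
    """Return local.xml text with the admin path replaced by new_name."""
    if not is_valid_front_name(new_name):
        raise ValueError("admin path must be letters and digits only, and not 'admin'")
    root = ET.fromstring(xml_text)
    node = root.find(FRONT_NAME_PATH)
    if node is None:
        raise ValueError("no %s element found" % FRONT_NAME_PATH)
    node.text = new_name
    # ElementTree drops the CDATA wrapper and any XML comments when it serialises;
    # the plain text value is equivalent for Magento's config loader.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    updated = set_admin_front_name(SAMPLE_LOCAL_XML, "5566")
    print("admin path is now:", get_admin_front_name(updated))
```

After writing the result back to /app/etc/local.xml, refresh the cache as the steps above describe; until then the old path remains active.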
7. Use encrypted connections (SSL)
Enabling SSL encrypts all transmitted data, which protects your passwords and logins from being stolen. Implementing this important security mechanism for your Magento store is simple. In the Admin Panel, go to System > Configuration > General > Web > Secure. In that section, make the following three changes:
Change the Base URL setting from http to https
Set Use secure URLs in Frontend to Yes
Set Use secure URLs in Admin to Yes
8. Use only secure FTP (SFTP)
Similar to the previous point, it is important to require encrypted connections to your site's FTP server, known as Secure FTP (SFTP). A common way of breaking into a Magento store is to intercept unencrypted (plain-text) FTP credentials and use them to log in to the server.
10. Implement two-factor authentication
Because two-factor authentication is not built into Magento, you will have to install a Magento extension that provides this functionality. There are two types currently available: one ensures that only trusted devices (such as your team's laptops and smartphones) are allowed to connect; the other is based on a random code generated anew every 30 seconds (an app on your smartphone provides the code you need to log in each time).
11. Disable directory indexing
On most web servers, directory indexing is turned on by default. This means that anyone can enter the URL of a directory on your site and see a list of the files it contains (unless the directory has a default document). Giving an attacker a list of your files only makes their job easier.
To configure your web server to respond with an error instead of the file list, add the line Options -Indexes to your server's .htaccess file. Alternatively, ensure that every directory contains a default document.
12. Strengthen your file permissions
To do this, set file permissions to 644 and directory permissions to 775. Any files or directories with permissions of 777 or 666 are problematic and should be changed.
13. Secure the local.xml file
local.xml is a sensitive configuration file that stores key information Magento uses to access your database: the database connection details for your store and the encryption key used to protect your data. It is located in your /app/etc/ folder and, if compromised, gives attackers access to much of your customer data. They could also use it to cause caching problems on your server, resulting in store downtime.
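Items 12 and 13 together amount to one audit: every file should be 644, every directory 775, and nothing, least of all app/etc/local.xml, should be world-writable. The following is an added example, not code from the article or from Magento. It builds a constructed miniature Magento layout in a temporary directory with two deliberately wrong modes, audits it, and fixes it; the file and directory names are only a stand-in for a real installation.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644            # recommended mode for files
DIR_MODE = 0o775             # recommended mode for directories
DANGEROUS_MODES = {0o777, 0o666}   # world-writable modes the article singles out


def audit_permissions(root):
    """Return (path, actual_mode, expected_mode) for every entry below root whose
    mode differs from the recommendation, sorted by path. The root itself and
    symbolic links are skipped. S_IMODE keeps setuid/setgid/sticky bits, so an
    entry carrying one of those is reported too.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name, expected in [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode != expected:
                findings.append((path, mode, expected))
    return sorted(findings)


def relative_findings(root):
    """Same as audit_permissions, as (relative path, actual mode) pairs."""
    return [(os.path.relpath(p, root), m) for p, m, _ in audit_permissions(root)]


def world_writable(findings):
    """Paths from an audit whose mode is 777 or 666."""
    return [path for path, mode, _ in findings if mode in DANGEROUS_MODES]


def fix_permissions(root):
    """Apply the recommended modes and return the number of entries changed."""
    changed = 0
    for path, _, expected in audit_permissions(root):
        os.chmod(path, expected)
        changed += 1
    return changed


def build_demo_tree():
    """Constructed miniature Magento layout; media/ and app/etc/local.xml get bad modes."""
    root = tempfile.mkdtemp(prefix="magento-demo-")
    os.makedirs(os.path.join(root, "app", "etc"))
    os.mkdir(os.path.join(root, "media"))
    for d in ("app", os.path.join("app", "etc")):
        os.chmod(os.path.join(root, d), DIR_MODE)
    os.chmod(os.path.join(root, "media"), 0o777)           # wrong: world-writable directory
    index_php = os.path.join(root, "index.php")
    with open(index_php, "w") as f:
        f.write("<?php\n")
    os.chmod(index_php, FILE_MODE)
    local_xml = os.path.join(root, "app", "etc", "local.xml")
    with open(local_xml, "w") as f:
        f.write("<config/>\n")                             # placeholder content
    os.chmod(local_xml, 0o666)                             # wrong: secrets readable and writable by all
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, mode in relative_findings(demo):
        print("%s has %o" % (rel, mode))
    print("fixed", fix_permissions(demo), "entries; remaining:", relative_findings(demo))
```

Run the audit first and read the report before calling fix_permissions on a live store: some hosting setups need the web server's group to own var/ and media/, and a blanket chmod does not change ownership.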
14. Disable dangerous PHP commands
Unsecured PHP functions are another important security hole you need to address. Disable the following functions in your PHP configuration file, php.ini. The syntax is:
disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen
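A server often already has a disable_functions line, and simply pasting the one above over it would silently re-enable anything the previous administrator had disabled. The following is an added example, not code from the article: it parses a php.ini excerpt, reports which of the eight functions above are still enabled, and builds a merged directive that keeps the existing entries. The php.ini excerpt is constructed.

```python
# The eight functions the article recommends disabling, in its order.
RECOMMENDED = ["proc_open", "phpinfo", "show_source", "system",
               "shell_exec", "passthru", "exec", "popen"]

# Constructed php.ini excerpt: a commented-out directive, an unrelated setting,
# and a live directive that only covers two of the eight functions.
SAMPLE_INI = """; constructed sample, not a real server configuration
;disable_functions =
max_execution_time = 30
disable_functions = "exec, system"
"""


def parse_disable_functions(ini_text):
    """Return the set of functions named by the last live disable_functions line.

    ';' starts a comment in php.ini, the value may be quoted, and entries are
    comma-separated with optional whitespace. When the directive appears more
    than once PHP keeps the last occurrence, so this parser does too.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "disable_functions":
            continue
        value = value.strip().strip('"\'')
        disabled = {name.strip() for name in value.split(",") if name.strip()}
    return disabled


def missing_functions(ini_text, recommended=RECOMMENDED):
    """List the recommended functions that are still enabled, in the article's order."""
    disabled = parse_disable_functions(ini_text)
    return [name for name in recommended if name not in disabled]


def merged_directive(ini_text, recommended=RECOMMENDED):
    """Build a replacement line that keeps whatever was already disabled and adds
    the recommended functions, so existing hardening is not lost."""
    names = sorted(parse_disable_functions(ini_text) | set(recommended))
    return "disable_functions = " + ",".join(names)


if __name__ == "__main__":
    print("still enabled:", missing_functions(SAMPLE_INI))
    print("replacement line:", merged_directive(SAMPLE_INI))
```

After editing php.ini, restart PHP (or the web server) and exercise the store's admin and checkout flows, since any extension that relies on one of these functions will fail only at runtime.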
15. Lock down Your Magento Connect Manager
Magento Connect Manager simplifies the installation of third-party extensions, but it is also used by attackers as an entry point for brute-force attacks. If you look at your log file, you may be shocked to discover how many page views are recorded for www.yoursite.com/downloader.
There are three ways to mitigate this risk:
Change the default Connect Manager path from /downloader to something that only you know.
Restrict access to the Connect Manager path by modifying .htaccess to allow only your team's IP addresses to reach this path.
Completely disallow access to the path (e.g., using a Deny from all directive in .htaccess). When you want to use Magento Connect Manager, temporarily remove the directive.
16. Only use trusted Magento extensions
17. Deploy an SQL injection firewall
18. Invest in VPS, dedicated or cloud hosting
19. Regularly review activity logs
20. Get a professional security review