Website security is crucial not just for Magento but also for every other website and every platform. Getting to see one's website being used for phishing, spamming or some other unwholesome activity is one thing so unpleasant a website owner wouldn't want to see. Website security must be taken very seriously.
This post puts you through the details of how you need to secure your Magento website and this involves taking some simple steps.
- Change the default username and simple password
- Customize the path to your admin panel
- Use two-factor authentication
- Make a use of secure FTP
- Use Trusted Magento Extensions Only
- Backup Your Magento Store Regularly
- Update your web store on a regular basis
- Use Encrypted Connection (SSL/HTTPS)
- Create a whitelist of selected IP addresses
- Prevent MySQL injection
Keep in mind that Magento is the most popular e-commerce platform on the internet today and so attacks on Magento is also very high. You need to take serious measures because for an ecommerce store, there are issues to deal with including the availability of customer information, payment details, business data and other highly sensitive data that can create a serious problem if they get into the hands of hackers.
Magento as mentioned above is the largest eCommerce platform in the world and remains the highest target of hackers and spammers. The implication is that the securit of your store needs to be strengthened and you put much effort to find out the ways to strengthen the security of your web store.
1. Change the default username and simple password
This applies to the backend of your Magento store. By default, the username of your Magento backend is "admin". You need to change this to something more personalized, a customized name. If you are using the default username and common password, then immediately change it. Most of the hackers gain access to the backend of your store because it uses the default username and also uses a simple password. Here are a few tips that will help you create a new and more secure username and password of your Magento store:
Change your default username to something unique and uncommon.
Create difficult-to-crack passwords.
Your password should be at least 15 characters long.
Use the combination of alphabets, special characters, and numbers to create a strong password for your e-store. The cPanel password generator remains our recommended auto password generator in terms of strength, complexity and length.
Change your password every few months. Making changes to your password within few months allows you to improve on the quality of the passwords especially in terms of improving the strength of the password.
Use Password Manager Application to secure your password. Like mentioned above the cPanel auto password generator is a good one for this purpose.
Never use the same Magento login details anywhere else. Keep it unique and do not use the same password you are using on your Magento store on any other website especially where you are not the one having access to the store.
These steps should help improve the security of your Magento username and password. When hackers find that you have taken these steps to harden the security of our store, you will also have some peace of mind.
2. Customize the path to your admin panel
By default, your store admin path should be mywebstore.com/store/admin. You can customize this, changing admin to something like your store name. By doing this, you succeed in tightening the security of your web store and reducing points of vulnerability. Hackers tend to hack the admin area of the site using “Brute Force Attacks”.
A brute-force attack occur when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. If it is larger, it will take more time, but there is better probability of success. The idea is that the longer and more complex you set your passwords, the more difficult it becomes for the software to crack down your password. The most common and easiest form of brute force attacks you will understand is the dictionary attack to crack the password. In which case, an attacker uses a password dictionary that contains millions of words that can be used as a password. The attacker tries these passwords one after the other for authentication. If this dictionary contains the correct password, then the attacker will succeed.
Hackers use software applications that helps hackers to guess the different combinations of login details until they gain access to the site. That underscores the need to use very complex combinations and change default login URL for your store..A custom admin path can protect your store from being hacked. For that, you just need to tweak the path of your Magento admin login page. For instance, tweak “mywebstore.com/store/admin” with something more customized lie “mywebstore/store/todhostadmin”. That ind of URL will go a long way to protect your site from brute force attacks.
3. Use two-factor authentication
Just following the options discussed above, using the two-factor authentication delivers added security. This means even if you are able to gain access to the right username and password, you still need additional authentication like entering a code sent to your mobile phone before you are successfully allowed to access the backend of the Mgento store.
There are a few extensions that deliver two-factor authentication in Magento. The first is Rublon. This is an excellent two-factor authentication extension which provides a layer of stealth. It only allows trusted devices to access Magento backend by using a smartphone app. The app is available for all popular mobile OS platforms.
The other extension which is Two-Factor Authentication by Extendware. The extension allows you to implement complex authentication mechanisms which include limiting log-in attempts.
4. Make a use of secure FTP
Hackers can sometimes intercept FTP password to gain access to the site. Most website managers still upload their sites using FTP clients. At one time or the other, you will find the need to use an FTP client to upload or overwrite a file. This threat requires that you need to use secure passwords and SFTP (Secured File Transfer Protocol) to ensure the high-security of a Magento store. You can also use Public Key Authentication along with SFTP to secure your site.
4.1 Some Free FTP Programs / Secure FTP (SFTP) Clients
WinSCP is free SFTP, SCP, WebDAV and FTP client for Windows. Apart from the usual capacity to allow file transfer, it also has an integrated text editor, directory synchronization and support for scripting.
Core FTP Lite
Core FTP Lite is a Windows FTP client that supports uploading/downloading/deletion of directories (folders) and files, browser integration, SFTP (or secure FTP), SSL/TLS, handling of file permissions, transfer bandwidth control, etc.
FileZilla Open Source FTP / SFTP Client
FileZilla is free, a very popular open source FTP client for Windows, Linux and Mac OS X distributed under the GNU General Public License. You can do the usual stuff, upload and download files, as well as resume uploads or downloads, works with firewalls, supports SFTP (Secure FTP) and SSL secured connections, handle queues of files to be uploaded/downloaded, etc.
Curl is a command line tool that allows you to transfer files via FTP, SFTP, TFTP, FTPS, Telnet, DICT, FILE and LDAP, etc. You can also use the HTTP and HTTPS GET and PUT methods to download and upload files.
Cyberduck is an open source FTP and SFTP browser for Mac OS X and Windows. It supports drag and drop, resuming of uploads and downloads, synchronization of files on a local computer with a server, uploading and downloading of folders, etc.
WS FTP Pro provides a secured solution with encryption, is easy to use and customize, and reduces administrative burden. You can use this software to:
Publish and update web sites, blogs, and pictures
Perfect for secure business and advanced file transfers
Built-in automatic end-to-end file non-repudiation
compression between WS_FTP Professional, MOVEit™ DMZ and MOVEit™ Cloud Servers
File integrity checking by SHA256 and SHA512 file verification
5. Use Trusted Magento Extensions Only
It takes just a single vulnerability for your Magento website to be exploited. These vulnerability are usually found in extensions and themes. We recommend that you use well-tested extensions that have a track record of dependability. Extensions have to be updated like your Magento store itself when newer versions are available.
6. Backup Your Magento Store Regularly
Maintaining a healthy backup had been our best way to cope with the most difficult situations. When a problem occur and all efforts to fix it has been unsuccessful, the best thing to do is to revert to a backup. You must always keep a healthy backup at all times. It is the sure way to keep up your store when things really go bad. Always back your store and save the backkup on a different server than where your Magento store is hosted. Ideally,. It is also a great option to keep a copy on your local computer and also on a separate USB external hard-drive.
7. Update your web store on a regular basis
From time to time, developers will launch an upgrade to their software. This is usually in keeping with advances in the internet, PHP versions, bug fixes and security updates. You will need to keep your store in line with these updates by keeping our own store updated. That had been the best way to stay safe with your Magento store. So, make sure you use the most recent version of Magento store. Keeping up with updates also allow you to be in tune with major security enhancements such as PayPal and Braintree implementations which provide safe and secure online payment processing to your potential web customers.
8. Use Encrypted Connection (SSL/HTTPS)
Whenever you send data, like your login details, there are risks of that data being intercepted. This interception can give assailants a peep into your credentials. You are able to deal with with a secure connection.
In Magento, you can enable secure HTTPS/SSL URL simply by checking the tab “Use Secure URLs” in the system configuration menu. It is also one of the key elements in making your Magento website compliant with the PCI data security standard and in securing your online transactions.
Remember that you to purchase an SSL certificate from a trusted authority to start using an encrypted connection. You can get SSL from Todhost by buying it as an addon or directly from shopping cart.
9. Create a whitelist of selected IP addresses
This has turned out to be one of the strongest security measures for a Magento website and any other website. By creating a whitelist of IP addresses that can access the Magento backend, you are actually able to block some users who do have the permission to access your Magento backend.
Because in Magento, stores of online merchants, retailers or manufacturers are managed by specific users, you need to put extra efforts to secure your Magento admin site. By creating a whitelist of selected group of IP addresses you can easily restrict foreign access to your e-store. There are two ways of creating a whitelist of specific IP addresses:
Use .htaccess to change the settings
Use Apache Directive Location Match technique
By simply populating the code below with the IP addresses you want to deny access to, you can keep some people away from accessing your store backend and even the frontend.
Just lace the code below in your .htaccess file:
Order Deny, Allow
Deny from All
Allow from 12.09.34.9/33
You can use the code above to allow access to your admin folder only to 12.09.34.9/33 while all other IP is blacklisted by creating a .htacess in the admin folder and pasting the above code in the .htaccess file.
One of the downsides of this setting is that you will have to tweak the IP address every time you change the Magento store admin or if you want to login from another system. But, still, it is a great way to stop unreliable users from gaining access to your admin panel.
10. Prevent MySQL injection
This problem has been significantly mitigated in newer versions of Magento. Basically injections let attackers modify a back-end statement of command through unsanitized user input. This kind of exploit is easy enough to accomplish that even inexperienced hackers can accomplish mischief. However, in the hands of the very skilled hacker, a web code weakness can reveal root level access of web servers and from there attacks on other networked servers can be accomplished.
To deal with this problem, we suggest that you add web application firewalls such as NAXSI to keep your site and your customers safe. The most commonly used SQL injection defense is made up of two components. First there is routine updating and patching of all servers,
These are the several easy yet compelling ways that can help you secure your Magento store from hackers and other security threats. The tips listed here are not exhaustive and you should endeavor to them carefully implemented on your store. These tips will help you stay safe and secure and make your users' shopping experience a good one, which in turn, will boosts your conversions and sales.