Magento is a widely used open source eCommerce software. A Magento store is also prone to be a target of malicious activities by malware and hackers! When transacting online, using credit cards or other modes of payment, security is of utmost importance.
Even though Magento gets patched for security reasons on a regular basis, below is the detailed list of best practices which can be applied on Magento to mitigate the vulnerabilities.
TIP# 1: Always use the latest Magento and upgrade Magento on a regular basis.
Keep your Magento updated as latest version comes with bugs and security patches for recent security risks.
TIP# 2: Secure directories and files
Harden files/folders permission, a complete lockdown of code except for Var and Media folder. This will help mitigate the risk of Write & Execute access to the malicious script.
TIP# 3: Secure/different admin URL
A hacker can easily access unchanged admin URL and can use Brute Force attack to guess the username and password.
TIP# 4: Restricted access to admin panel by IP
This can be one of the requirements for PCI compliance. Restricting admin access to only approved IP addresses will prevent unwanted people attempting to log in to the admin account.
TIP# 5: Two-factor authentication for Admin access
Two-factor authentication ensures that only trusted users can access the Magento backend. This extra layer of security requires the user to enter a randomly generated security code that is delivered to your smartphone, via an installed app specific to your unique username and password.
TIP# 6: Disable/Delete ‘admin’ username
Using ‘admin’ as a user is not an advisable practice. This typically is one of the first usernames a hacker will attempt to crack the password for.
TIP# 7: Disable/Delete the user accounts which are not in use.
TIP# 8: Use private and secure email addresses for admin users.
Do not use your regular email address for admin users. Anyone can easily find your regular email address from social media, visiting card, etc. which can be compromised and allow hackers to access Magento admin.
TIP# 9: Always use secure FTP
One of the most common ways a hacker is able to get into a site is by guessing or intercepting the FTP password. In order to prevent this, it is important to use secure passwords and SFTP (Secured File Transfer Protocol) which uses a private key file for decryption or authenticating a user.
TIP# 10: Lockdown ‘/downloader/’ directory.
Like admin URL ‘downloader’ directory should also be blocked, doing so can mitigate Brute Force attack.
TIP# 11: Apply security patches as soon as released by Magento
Magento Support timely provides security patches for Magento CE and EE which must be implemented as soon as possible.
TIP# 12: WAF (Web Application Firewall)
WAF firewall helps mitigate various security vulnerabilities. It can also help in blocking traffic based on IP or country.
TIP# 13: Stringent password policy (difficult password, change every X months)
One of the best ways to protect a Magento store against hacks is using a strong password. Using a password manager application is an excellent way to create a strong password for your Magento store.
Also, it is recommended to change your password(s) frequently to prevent previous password(s) from being available on a common directory list that is easily accessed by smart hackers.
TIP# 14: Quarterly scan of the site
Scan for Malware or any malicious code on the website.
TIP# 15: All site pages and content over HTTPS/SSL
HTTPS connection helps in encryption of data and eliminating interception by hackers to steal user information.
TIP# 16: Use secure Cookies
Secure cookies store data in encrypted form to help lessen the security risk.
TIP# 17: Block traffic based on source IP
TIP# 18: Disable TLS1.0
TLS 1.0 is an old encryption protocol. This need to be disabled to be PCI compliant.
TIP# 19: Separate domain/subdomain for WP blog
If using WordPress for blog purposes, the blog needs to be on separate Domain/Subdomain. WordPress database should remain separate from that of Magento. Always maintain separate and different usernames and passwords than Magento.
TIP# 20: Use iFrame payment methods
iFrame payment methods serve the Credit Card information form from their servers; therefore, even if your website is hacked, the hacker is unable to intercept the credit card form.
Although no e-commerce website is 100% unhackable, a serious implementation of the above Magento security tips will certainly keep your data safe and sound.
Do you have any Magento security issues or questions?