Making Magento Website Security Unbreachable

A chink in the armor of Magento website security is unthinkable, unacceptable and undesirable for ecommerce stores and their customers.

That does not mean penetrating Magento security is impossible; it means a security compromise is not acceptable for a Magento ecommerce store.

Of course, security sits at the core of every ecommerce store, because stores hold customers' financial data, and keeping that data safe is imperative.

No ecommerce store wants to welcome the unwanted software that creates a breach, as the end result would be disastrous in terms of traffic, conversion and revenue.

According to Bain and company, “Customers are 4 times more likely to go to your competitor if your problem is service related. But, if there is a security breach, you could lose the customer forever.”

The statement is an eye opener.

That's why Magento frequently releases fixes for security flaws and incorporates new security policies to safeguard ecommerce stores.

So what’s next?

Still, ecommerce stores get hacked and customer data is stolen.

In a nutshell, Magento ensures security with each new release, but a few loopholes let hackers punch a hole in the website.

Here is the security checklist that should be worked through to strengthen data security and keep nefarious elements from invading your store:

1) Customize The Admin URL

A unique combination of username and password alone cannot secure the admin page. Brute force attacks and plenty of intelligent tools can generate millions of username and password combinations, and the admin page could still be hacked.

So what to do now?

How about if hackers are not able to reach the admin page at all? It sounds strange, but it's possible.

If the conventional admin path like website.com/store/admin is used, hackers can easily guess it, reach the admin page and start trying to crack the password. If the admin path is instead changed to something like website.com/store/sdfgtr, they will no longer be able to find the page by guessing.

NOTE: Don't change the admin base URL, or Magento will lock you out of the admin panel. In the local.xml file, the word 'admin' can be changed to something else that cannot be guessed.
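As an added example (not code from the original article), the following shell script reads the admin front name from a Magento 1 `app/etc/local.xml`, reports whether it is still the guessable default, and rewrites it. It assumes the Magento 1 `<admin><routers><adminhtml><args><frontName>` layout; the sample local.xml contents, the new name `sdfgtr` and the demo directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: detect and replace the default Magento 1 admin front name.
# The local.xml written below is constructed for this demo; on a real install
# point the functions at app/etc/local.xml and clear the cache afterwards.

# Print the admin frontName configured in the given local.xml (empty if unset).
admin_front_name() {
    # Collapse newlines so the CDATA value may sit on its own line in real files.
    tr -d '\n' < "$1" | sed -n 's/.*<frontName>[[:space:]]*\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*/\2/p'
}

# Return 0 if the front name is unset or the guessable default "admin".
admin_path_is_default() {
    name=$(admin_front_name "$1")
    [ -z "$name" ] || [ "$name" = "admin" ]
}

# Rewrite the frontName to $2, keeping a .bak copy of the original file.
# Assumes the <frontName> element sits on a single line, as Magento ships it.
set_admin_front_name() {
    cp "$1" "$1.bak"
    sed "s|<frontName>.*</frontName>|<frontName><![CDATA[$2]]></frontName>|" "$1.bak" > "$1"
}

# --- demo on a constructed local.xml -------------------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/local.xml" <<'EOF'
<?xml version="1.0"?>
<config>
    <global>
        <crypt><key><![CDATA[CONSTRUCTED-PLACEHOLDER-KEY]]></key></crypt>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF

if admin_path_is_default "$demo_dir/local.xml"; then
    echo "admin path is the default /admin: changing it"
    set_admin_front_name "$demo_dir/local.xml" "sdfgtr"
fi
echo "admin path is now: /$(admin_front_name "$demo_dir/local.xml")"
```

Run the check against the real file before and after the change; the rewrite keeps a `.bak` copy so a mistake is easy to undo.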

2) Review Activity Logs

When a development team is brought in to change the Magento store, access to the admin panel is shared between the admin user and the team making the changes.

A number of users end up using the admin credentials for their work. Meanwhile, there is a chance that the administrative areas are attacked, which may lead to huge losses.

That's why you need to keep an eye on the logs, check for suspicious activity and act on anything you find.

You can also install a Magento extension that regularly notifies you about unusual events such as connection attempts from the IPs of blocked countries, failed admin login attempts, unconventional website access patterns and more.

3) Nip the Magento Connect Manager in the bud

Magento Connect Manager enables quick and easy installation of Magento modules and third-party extensions without any technical expertise.

That simplified installation process is an added advantage for hackers looking to exploit the system.

To keep hackers out of the admin area, the following can help:

• Akin to the admin path customization, changing the default Connect Manager path may also mitigate the risk. The default path is generally website.com/downloader; replace the word 'downloader' with something else.
• Restrict access to the Connect Manager to only a couple of IP addresses by editing .htaccess.
• Temporarily disable access to the Magento Connect Manager altogether by denying access to the path with an .htaccess "Deny from all" directive ("Require all denied" on Apache 2.4).

4) Permit Only A Few IP Addresses To Access The Admin Panel

To add an extra level of security to the admin page, you can allow only a few IP addresses to reach it, either through the .htaccess file or through an Apache LocationMatch directive.

This way only a pool of IP addresses is permitted to log in to the admin page and make changes.
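The following shell script is an added example, not code from the original article, covering both the allowlist in this section and the log review in section 2. It emits an Apache 2.4 `<LocationMatch>` block using `Require ip` for the customized admin path, and then runs the same allowlist over sample access-log lines so you can see which admin requests it would have blocked before deploying it. The admin path, the allowed IP ranges (RFC 5737 documentation addresses) and the log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example: build an Apache admin-path allowlist and audit access logs
# against it. ADMIN_PATH, ALLOWED_IPS and SAMPLE_LOG are constructed values.

ADMIN_PATH="/store/sdfgtr"                    # the customized admin front name
ALLOWED_IPS="203.0.113.10 198.51.100.0/24"    # office addresses (constructed)

# Emit the Apache 2.4 allowlist (pre-2.4 servers use Order/Deny/Allow instead).
admin_allowlist_config() {
    printf '<LocationMatch "^%s">\n' "$ADMIN_PATH"
    printf '    Require ip %s\n' "$ALLOWED_IPS"
    printf '</LocationMatch>\n'
}

# Convert a dotted IPv4 address to an integer.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( a * 16777216 + b * 65536 + c * 256 + d )); }
}

# Return 0 if $1 (dotted IPv4) lies inside $2 (an address or a CIDR block).
in_cidr() {
    case "$2" in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    mask=$(( 4294967295 - (1 << (32 - bits)) + 1 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 if the address matches any entry of ALLOWED_IPS.
ip_is_allowed() {
    for cidr in $ALLOWED_IPS; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# Read Apache combined-format log lines on stdin and print one FLAG line per
# admin request from an address outside the allowlist; return 0 if none.
audit_admin_requests() {
    flagged=0
    while read -r ip _ _ ts _ method path _; do
        case "$path" in
            "$ADMIN_PATH"*) ;;
            *) continue ;;
        esac
        if ! ip_is_allowed "$ip"; then
            echo "FLAG $ip ${method#\"} $path ${ts#[}"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Constructed access-log sample: two office requests, one outsider hitting the
# admin login, and one outsider browsing the public catalog (not flagged).
SAMPLE_LOG='203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /store/sdfgtr/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "POST /store/sdfgtr/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:03:59 +0000] "POST /store/sdfgtr/index/index/ HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:04:02 +0000] "GET /store/catalog/product/view/id/12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'

echo "== config to place in .htaccess or the vhost =="
admin_allowlist_config
echo "== admin requests the allowlist would have blocked =="
printf '%s\n' "$SAMPLE_LOG" | audit_admin_requests || echo "review the flagged requests above"
```

Feed a real log with `audit_admin_requests < /var/log/apache2/access.log` once the path and addresses are yours; a flagged line after the allowlist is live means the configuration is not being applied where you think it is.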

5) Incorporate Two-Factor Authentication

Are you looking for methods that make unauthorized access to the admin page impossible?

Of course the answer is yes, since a unique combination of username and password is no longer secure against smart technology and intelligent hackers.

Magento has gone a step further by offering two-factor authentication through an extension. Here is what this two-layer authentication offers:

• Only trusted devices or IPs can access the Magento back-end.
• Every time a user logs in, a secret code must be entered alongside the username and password. The randomly generated code is sent only to the user's mobile app.

6) Deploy A Firewall

Safeguarding the website from unapproved access is a hard nut to crack in the technology era.

A firewall on the server disables public access to the web server, so that only a defined set of IPs can reach it.

The reason this matters is that the well-known database breach method called SQL injection introduces malicious SQL queries that help hackers obtain confidential data.

Third-party applications such as a firewall defend the database against such attacks by inspecting the structure of every query and preventing suspicious queries from reaching the database.

7) Use HTTPS: The Best Practice!

Attention please! A hacker may eavesdrop on your login credentials when you log in.

It's bewildering, isn't it?

When you log in to the admin page, information is exchanged between your browser and the website. During that exchange there is a chance that someone else intercepts the information, just the way intelligence agencies can intercept telephone calls.

That happens when your website is not encrypted. A URL beginning with http:// is not encrypted, while one beginning with https:// is.

What's this?

Secure Sockets Layer (SSL, succeeded today by TLS) provides encrypted connections, and websites that implement it are less prone to hacking because the data cannot be intercepted in transit.

Moreover, the PCI Data Security Standard already makes the use of HTTPS mandatory for all online stores.

You can switch from HTTP to HTTPS easily with a few changes in the settings through the admin panel.

8) Don't Forget SFTP

Files exchanged over the internet through an FTP server are no longer safe, as they can easily be intercepted. Even the FTP credentials travel unencrypted and can be captured, giving hackers a road into your Magento admin area.

SFTP, the secure alternative to FTP, provides an additional level of security by encrypting the login credentials and the file transfer itself.

9) Block The Countries Where You Don't Sell

Not all Magento ecommerce stores sell their products worldwide. Is yours one of them? If so, reading further is worth your time.

If your customers come from only one or two countries and you ship products only to those nations, it's better to block the IP addresses of the remaining countries.

Many surveys have even reported the same fact: "The hackers who make an attempt to inject vulnerability into the Ecommerce stores generally operate from those countries where the store is not selling or shipping."

There are tools that look up the user's IP address and, based on it, allow, block or redirect the user.

10) It's A Must: Disable The Unsafe PHP Functions

Now, the next possible security hole: PHP commands.

They can be stopped out of the gate by adding a rule to the php.ini file.
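As an added example (not the article's own snippet), here is a shell check built around PHP's `disable_functions` directive in php.ini. It reads the directive, reports which command-execution functions are still enabled, and produces the hardened line. The function list `RISKY_FUNCTIONS` and the sample php.ini fragment are constructed for the demo; which functions a given store can do without is a local decision, so test extensions after applying the change.

```shell
#!/bin/sh
# Added example: audit php.ini for disable_functions coverage.
# RISKY_FUNCTIONS and the sample php.ini below are constructed for this demo.

# PHP functions that spawn processes; a web store rarely needs any of them.
RISKY_FUNCTIONS="exec passthru shell_exec system proc_open popen pcntl_exec"

# Print the value of disable_functions from the php.ini at $1, with spaces and
# quotes stripped. The last uncommented occurrence wins; empty if unset.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr -d ' "'
}

# Print the risky functions that are NOT disabled; return 0 only if none remain.
still_enabled() {
    disabled=",$(disabled_functions "$1"),"
    missing=""
    for fn in $RISKY_FUNCTIONS; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    return 0
}

# Produce the php.ini line that disables every function in RISKY_FUNCTIONS.
hardened_line() {
    echo "disable_functions = $(echo "$RISKY_FUNCTIONS" | tr ' ' ',')"
}

# --- demo on a constructed php.ini fragment -----------------------------
demo=$(mktemp -d)
cat > "$demo/php.ini" <<'EOF'
; constructed php.ini fragment: a common but partial setting
expose_php = Off
;disable_functions =
disable_functions = exec,passthru,shell_exec
EOF

echo "== before =="
still_enabled "$demo/php.ini" || echo "^ still enabled; add the line below and restart PHP-FPM or Apache"
hardened_line >> "$demo/php.ini"
echo "== after =="
still_enabled "$demo/php.ini" && echo "all listed functions are disabled"
```

Point `still_enabled` at the php.ini the web server actually loads (`php --ini` shows the path for the CLI, which can differ from the FPM or mod_php one), and confirm with `php -i | grep disable_functions` after the restart.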

11) Strong Login Credentials Are Of Utmost Importance

How important the admin username and password are needs no explanation. Plenty of software can crack passwords and let hackers log in to the admin panel.

That doesn't mean your password can always be cracked. Follow a few tactics and you can defeat the hackers:

• Use a mix of upper-case and lower-case letters
• Make sure the password contains numbers, special characters and letters
• Don't base passwords on names or birth dates
• Avoid technical terms or IT names

12) Enabled Admin Routing Compatibility Mode: The New Danger!

After updating the Magento store and applying the patch, the admin routing compatibility mode for extensions is set to 'Enabled' by default.

The patches are meant to protect the admin URLs against automated attacks, but that protection is limited while the admin routing compatibility mode is 'Enabled'.

When the admin routing compatibility mode is 'Disabled', the risk of automated attacks against admin functionality is mitigated.

So what to do now?

The better option is to keep the admin routing compatibility mode 'Disabled' for better security and restrict access to the admin back-end.

13) Upgrade The Magento Store And Extensions As Well

Updating the store or its extensions is treated as an activity for when you have leisure time and spare dimes.

This is the scene almost everywhere.

Remember! Upgrading the store to the latest version not only adds new features; it also fixes many bugs that would otherwise have left the store vulnerable. The same applies to extensions, where a minor loophole gives hackers a golden opportunity to ruin your years of hard work.

14) Prefer Reputable Extensions Only

When shopping around for Magento extensions, you will find an array of extension providers. Sometimes you end up buying the extension from whichever seller offers the lowest price.

Right? Obviously, no one prefers to pay through the nose.

However, you are overlooking one thing: quick and dirty doesn't always work.

The cheap extension you are about to install may be vulnerable. So make sure to buy trusted extensions, and check each extension's reviews, ratings and popularity score on Magento Connect.

15) Deny Public Access To The Cron Script

Cron jobs are widely used to create scheduled tasks that run on the server at set intervals.

However, running the cron job through a web URL like http://website.com/cron.php for your Magento store exposes that page to everyone, which can make back-end access insecure.

So it's better to stop using http://website.com/cron.php and run the cron script from the server's own crontab instead.

16) Don't Let Antivirus Become A VIRUS

An arsenal of antivirus vendors may be trying to convince you to bank on their product. I think you are smart enough to prefer paying more for better service rather than suffering data leaks.

Some antivirus software introduces the very trojans or viruses you are trying to protect your website from.

Create a line of defense against these threats by using commercial-grade antivirus that is kept up to date. Using antivirus is really bread and butter.

For instance, an online store that runs trusted antivirus and shows its seal at the bottom left of the page lifts customer trust as well.

17) Ensure That Your File Permissions Are Set Correctly

It's often suggested to keep files on the web server in 'read only' mode. The reason is that if anyone other than the administrator gets the rights to edit or write sensitive files, website security is put at stake.

You can make sure the files on the server are readable by everyone but writable only by the owner by setting file permissions to 644 and directory permissions to 775.

Changing file permissions is hassle-free. However, the right permissions depend somewhat on the Magento version and hosting environment, so do it thoughtfully.

A short find and chmod snippet can apply these modes across the whole install.

18) local.xml File Security Matters A Ton

The local.xml file contains significant data that Magento uses to access your database. That means your local.xml file holds the database connection details for your store and also the encryption key used to secure your data.

The local.xml file is located in your /app/etc/ folder.

If this file is publicly accessible, just imagine what hackers could do with that sensitive data:

• The customer data would be in the hands of hackers
• Caching problems could be created on the server, causing store downtime

To prevent this, set the local.xml file permission to 600 so that only the owner has read and write access.
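The following shell script is an added example (not the article's own snippet) covering both this section and section 17. It audits a Magento root for the modes the article recommends (directories 775, files 644, app/etc/local.xml 600), lists every path that deviates, and applies the fix. It runs against a throwaway tree constructed in a temporary directory; point `fix_modes` at a real install only after confirming your host's expected owner and group, since, as the article notes, the right modes vary by Magento version and hosting setup.

```shell
#!/bin/sh
# Added example: audit and repair Magento file modes.
# The demo tree below is constructed; the crypt key in it is a placeholder.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "have want path" for every path under $1 whose mode is not the
# recommended one. Prints nothing when the tree is clean.
find_wrong_modes() {
    root=$1
    local_xml="$root/app/etc/local.xml"
    find "$root" -type d -o -type f | while IFS= read -r p; do
        if [ "$p" = "$local_xml" ]; then
            want=600      # database credentials and encryption key: owner only
        elif [ -d "$p" ]; then
            want=775
        else
            want=644
        fi
        have=$(mode_of "$p")
        [ "$have" = "$want" ] || echo "$have $want $p"
    done
}

# Apply the recommended modes under $1.
fix_modes() {
    root=$1
    find "$root" -type d -exec chmod 775 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/app/etc/local.xml"
}

# --- demo on a constructed tree ------------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/app/etc" "$demo/media/catalog" "$demo/var"
printf '<config><global><crypt><key><![CDATA[CONSTRUCTED-PLACEHOLDER-KEY]]></key></crypt></global></config>\n' \
    > "$demo/app/etc/local.xml"
printf '<?php // constructed index.php\n' > "$demo/index.php"
: > "$demo/media/catalog/product.jpg"
chmod 777 "$demo/media/catalog"        # world-writable upload directory
chmod 666 "$demo/app/etc/local.xml"    # world-writable secrets
chmod 755 "$demo/index.php"            # executable bit on a PHP file

echo "== before (have want path) =="
find_wrong_modes "$demo"
fix_modes "$demo"
echo "== after (no output means the tree is clean) =="
find_wrong_modes "$demo"
```

Run `find_wrong_modes` on its own first; on a real host a long list usually means the web server user and the deploy user differ, which is an ownership question to settle before changing modes.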

19) Professional Security Review: Don't Put It Out Of Mind

A Magento developer is not a one-man army who can perform every function.

Well, your Magento team might have the best knowledge and expertise on various aspects of development.

But just as a coder cannot do the work of QA, you cannot count on Magento developers alone to ensure the Magento website's security.

You should have trained security experts who can analyze the website from the inside out.

These security experts are worth paying to check for viable security flaws or vulnerabilities in your website at regular intervals, such as testing for SQL injection, file path traversal and cross-site scripting.

It's advisable to conduct such tests quarterly to discover any attack vectors.

20) Back Up The Store Regularly!

From our desktops to our mobile phones, we never forget to take backups to keep our data safe.

So taking backups of the Magento files, database, media and system is completely unquestionable and must not be forgotten, as you never know when a hacker will introduce malicious software into the store and the data is out the door.

It's better to take regular backups of your store on an alternate server to reduce the extent of the damage these attacks may cause.

You can also keep multiple backups in cloud storage services so the data is stored in distinct places.

Epilogue

Do you care about your Magento ecommerce security? Even if the answer is yes, there is no easy fix for these problems.

Stunned? Because it doesn't match what was said above.

But the reality is that no ecommerce store on the planet is one hundred percent unhackable.

Security is the consequence of how you handle your Magento store's processes, standard practices and fundamental policies.

So follow the best practices and remember the tactics above to lessen the chances of a security breach and win customers' trust for good.

Whether your Magento ecommerce development is under way or you already have an existing store, these tactics will let you fuel business growth instead of getting stuck in security issues.