Magento Security

A Complete Guide On Magento Security – Step By Step Guide For Magento 1 & Magento 2

Updated on: July 26, 2020

A Complete Guide On Magento Security – Step By Step Guide For Magento 1 & Magento 2

How can you secure your Magento Store

Today all websites face serious risks. But, it is the e-commerce industry that faces the most risks online. And, as it turns out, Magento is the leader of the e-commerce space, thus a coveted target.

However, you can reduce these risks systematically by following a set of Magento security best practices. In this comprehensive and extensive guide, I have listed primitive actionable measures to strengthen Magento.

If you read this guide throughout and followed it with utmost priority, you can be sure of your website’s reduced susceptibilities.

Go through the below URLs if you are looking for

The Magento CMS, currently, powers 25% of all e-commerce websites all over the world. Clearly, it is one of the most admired CMSes for eCommerce. To add to that, it also stores a sea of personal & financial data, which makes it even more lustrous in the eyes of hackers. The following hacking statistics on Magento backs this.

Magento Hacking Statistics

  • Magento powers 1.2% of the internet.
  • And, 12% of all eCommerce sites.
  • In pure numbers, 250,00 active sites use Magento.
  • However, only 11,000 of those sites run on Magento 2, which is around 44% of all Magento websites.

Magento is also, the most hacked CMS after WordPress. The CVE details of Magento CMS show that XSS is the biggest threat to Magento. Other threats to Magento include Code Execution, SQL Injection, Directory Traversal, Magento store redirecting, CSRF, etc. The following graph makes it better to understand.

Moreover, Magento card skimming and Credit card hacks are some examples of how data compromisation on Magento take place. Further, the Magecart attacks make for the most persistent attack on Magento as of now. As a result of these attacks, customers encounter identity theft, data theft, fake transactions, and so on. Here are more extensive data on hacking for your reading.

Top 16 Steps To Securing Magento 1 & Magento 2 Stores

Securing & maintaining your website is crucial in this era of increased cybercrimes, more so when it is e-commerce. The aftereffects of an attack on Magento or any e-commerce for that matter reverberates to a larger number of people. In cases like these, it is the common people and their data that are at stake. Bill Gates, aptly conveys the apprehension for e-commerce websites as,

Oh, I think there are a lot of people who would be buying and selling online today that go up there and they get the information, but then when it comes time to type in their credit card they think twice because they’re not sure about how that might get out and what that might mean for them.

It all comes down to one thing – securing your website for people to feel confident enough to swipe their cards right in and not being faced with consequences. As for the owners of websites, there are cold & harsh penalties for condoning Magento security.

However, you can avoid being at the face of the storm just by following the below security measures depicted in this guide. Honestly, if you implemented these measures carefully, you will reduce the risks by the maximum.

Get the ultimate Magento security checklist with 300+ test parameters

Related Guide – Ecommerce Security

1. PCI-DSS (Payment Card Industry – Data Security Standard)

Since e-commerce websites deal in sensitive payment data of customers, it requires vigilant monitoring. Therefore, the PCI (Payment Card Industry), an association of top credit card companies, invigilates Magento store security of these sites.

As a web business owner, it is of utmost importance that customers get a guaranteed safe checkout. Hence, the PCI-DSS requires all Magento websites to use standard & secure credit card handling. In case of non-compliance, hefty fines and severe penalties can be charged.

Is your website security up to date? Find out in 15 seconds.

What PCI compliance include?

The security requirements under the PCI compliance include policies and procedures, software design, and network architecture. In laymen’s language

  • Build and Maintain a Secure Network and Systems
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
    Requirement 6: Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need to know
    Requirement 8: Identify and authenticate access to system components
    Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security for all personnel

Not adhering to the set guidelines by PCI-SSC can open doors for credit card hacks in your store.

Magento credit card hack, Stealing credit card from Magento store

2. Change Admin Username for Magento Store

After you have ensured the PCI compliance of your site, change the default admin username. Always refrain from using the obvious as your username. For instance, the word ‘admin’, your own name, your website’s name are too easy a guess for a hacker and thus dangerous. A newly installed Magento website has the project owner’s email as the username. Change the default hard code email address of the project owner as follows:

  1. Log into your Magento admin panel
  2. Go to system >> My account
  3. Type in the new and unique username in the ‘Username’ field’.
  4. Click “Save Account.”

3. Change Admin URL in Magento

Almost all websites have /admin as the default URL for their admin pages. Not changing this default admin URL in Magento makes for a serious vulnerability. On the other hand, changing the default URL would hide your website’s admin page thus improve Magento security. Further, we recommend you choose a value other than `admin` or `backend` or another term that isn’t easy to guess.

You can change the default admin URL by following a few steps as below:

  1. On the Admin Panel, select System > Configuration.
  2. Select Admin in the left-most column.
  3. Navigate to the Admin Base URL section, and do the following:
    a) Set Use Custom Admin URL to “Yes.” Then, enter the Custom Admin URL in a format like this:
    http://yourdomain.com/magento/
    b) Set Custom Admin Path to “Yes.” Then, enter the name of the Custom Admin Path. Choose something that is not easily guessable by attackers.
  4. At last, hit the Save Config button, and log in with the newly created URL.

4. Use Two-Step Verification for Magento Login

The two-step verification considerably reduces the security risks related to your Magento passwords. Even if a hacker has access to stolen credentials, he just can’t log into your admin panel due to an added security. Additionally, two-factor authentication also checks brute-forcing. You can install TFA for your login page too for authentic access to user accounts.

There are loads of extensions that provide the utility of two-step verification, choose the best based on the ratings.

5. Use IP Whitelisting and .htaccess in Magento

Next up is the IP whitelisting and .htaccess. Whitelisting only select IPs to reach Magento’s admin panel is a smart way you can secure your site. Thus, use IP whitelisting and .htaccess password protection to block access to any development, staging, or testing systems. Since these are highly sensitive systems and any compromisation to these would lead to an ugly data leak or brutal attack.

Here is how you can modify your .htaccess file to protect certain URLs from lurking attackers

For a single-store view Magento installation

#####Secure admin RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC,OR] RewriteCond %{REQUEST_URI} ^/downloader/ [NC] RewriteCond %{REMOTE_ADDR} !^my.ip.add.ress RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

For a Store View in a Subdirectory

If you have Magneto installed in a sub-directory or a store view as a virtual sub-directory of the main domain name,
Eg. https://www.getastra.com/features/
Eg. https://www.getastra.com/en/
Eg. https://www.getastra.fr/

#####Secure admin RewriteCond %{REQUEST_URI} ^/(downloader shop/ en fr/)?(index.php/)?admin/ [NC,OR] RewriteCond %{REQUEST_URI} ^/downloader/ [NC] RewriteCond %{REMOTE_ADDR} !^my.ip.add.ress RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

6. Use Strong Passwords

If you are still using a password that is easy to guess kindly reconsider. Using a strong password helps you to:

  • Keep your personal information safe
  • Protect your emails, files, and other content
  • Prevent someone from breaking into your account

A strong password stands in a crisis like a brute-force attack. Now, what qualifies as a strong password and what doesn’t? Combination of letters, numbers & symbols as passwords makes for a strong password. Since, passwords are case sensitive, using both uppercase and lowercase letters make it even stronger. The ideal password length is between 8-14 characters. On the other hand, a weak password is that which uses easy to guess words, phrases & combinations. For example, password, 12345678, 9874561, etc. categorizes as weak passwords.

You can create passwords either on your own or use an online password generator for the purpose. If you are planning on creating passwords yourself, we suggest you take a look at this guide on – “How to create safe and secure passwords.”

Here is an example of how you can convert a simple password to a strong password:

Replace letters with numbers & symbols
Example-“Spooky Halloween” becomes “sPo0kyH@ll0w3En”

7. Limit Login Attempts for Magento Admin

Another secure way to lock your admin panel from attackers is to limit the number of failed login attempts. You can also go on and limit the maximum number of password reset requests. This will protect your website from unauthenticated login attempts.

To configure your website, you can follow the below steps:

For Magento 1.x:

  1. Log into your admin panel.
  2. Navigate to System.
  3. Next, go to Configuration.
  4. Click on Advanced > Admin.
  5. Click to expand the Security option there. And change respective settings

For Magento 2.x:

  1. Log into your admin panel.
  2. Navigate to Stores >Settings
  3. Next, go to Configuration.
  4. Click on Advanced > Admin.
  5. Click to expand the Security option there. And change respective settings

Related Blog – Magento Login Protection

8. Enable Captcha in Magento Login & Forms

CAPTCHA is an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart. It is rather self-explanatory. So, CAPTCHA is the best bet to discourage bot attacks on your Magento’s admin panel. You can enable CAPTCHA on your site by following these simple steps:

For Magento 1.x:

  1. Navigate to System
  2. Click on Configuration
  3. Go to Advanced>> Admin in the left-most panel
  4. Expand the CAPTCHA section; Select ‘Yes’ to enable CAPTCHA.
How to change Admin URL in Magento 1.x
How to change Admin URL in Magento 1.x

For Magento 2.x:

Navigate to Stores > Settings>Configuration > Advanced > Admin > CAPTCHA

  1. Navigate to Stores>>Settings
  2. Click on Configuration 
  3. Go to Advanced>> Admin in the left-most panel
  4. Expand the CAPTCHA section; Select ‘Yes’ to enable CAPTCHA.
Changing admin URL in Magento
How to change admin URL in Magento 2 (Source: Amasty)

9. Set Recommended File & Directory Permissions in Magento Store

To suit Magento for your specific business needs, you may need to customize the platform. Files and folders and their respective permissions play an important part in this. However, it is also complex.

As a security person, I recommend having the permission of 755 for directories and 644 for files. That being said, there are files in your Magento website that might require different permission than what we just mentioned. Listing all those files and their correct permissions will make this guide unnecessarily lengthy, but, we do have a guide on “How to set correct Magento file permissions” that shall help.

Also read: PHP web shell

Set Folder permissions as:

  1. Access your website through FTP.
  2. Navigate to your Magento installation folder. Ex: (/path/to/your/Magento/install/)
  3. Right-click on the folder and select the File Permissions option
  4. Once you click on the option, a new window will open. Insert “700” in the Numeric value field.
  5. Then enable the “Recurse into subdirectories” option. In the list seen below, select the checkbox titled “Apply to directories only”.
  6. Hit the OK button.
  7. The process may take several minutes for a large number of files.

Set File permissions as:

  1. Access your website through FTP.
  2. Navigate to the where Magento is installed. Ex: (/path/to/your/Magento/install/)
  3. Right-click on the file and select the File Permissions option
  4. Once you click on the option, a new window will open. In the Numeric value field input the value “600”.
  5. Then enable the “Recurse into subdirectories” option. In the list seen below, select the checkbox titled “Apply to files only”.
  6. Hit the OK button.
  7. The process may take several minutes for a large number of files.
Magento File & Directory Permissions
Recommended file & directory permissions as per official Magento documents

10. Set Recommended User Roles and Permissions in Magento Store

Defining correct user roles helps in segregating duties. It also enhances store security since every user does not enjoy all the permissions. There are different levels of permissions. You can assign a user a role based on their duty and your preference.

Here are the steps to set correct user permissions:

  1. Log into your website and  navigate to ‘System’
  2. Click on ‘Permissions’, you will see two options ‘Users’ & ‘Roles’
  3. ‘Roles’ is the section where you can define roles, whereas ‘Users’ is where you assign them.

11. Backup Your Data Regularly

In the case of an unexpected attack, a backup can save your site. A good backup helps restore your hacked website in minutes. It is the best disaster management you’ve got. But, to make backups functional you need to take care of a few things, like-

  • the files to include
  • the frequency of the backup
  • the functionality of the backup

Before you start backing up your site, understand the necessities correctly. A backup should include all the files necessary for your website’s configuration, look, and workings. A Magneto website allows you to take four kinds of backups such as:

  1. System Backup (includes source code+database+media),
  2. Database Backup (exclusively for the database),
  3. Database with media backup, and
  4. System without media Backup.

Note:

  • Put your website on maintenance mode before taking a backup. The website automatically comes out of the Maintenance mode after the backup.
  • Make sure that your server and database are backed up to an external location other than your server.

A system backup is the most functional backup as it includes both the source code and the database. However, you can shuffle the types according to your needs.

Coming to the frequency of the backups. Well, it can vary depending on how often you update the content of your website. You can opt for either daily, weekly, or monthly backups.

Now the methods of backup, you can opt either for a manual backup or automate the process.

The purpose of a backup is to restore your website back to its original & healthy position. Thus, always check backup rolls back to your website completely. In case of a large site, the restoration of a backup becomes too tedious & time-consuming. In such situations, it would be better to work with your hosting provider in order to deploy a professional database backup solution.

12. Update Missing Magento 2.0 Security Patches

Running websites on outdated and vulnerable versions remain the biggest cause of hacks in CMS. Always run your store on the latest version of Magento. This ensures that your installation doesn’t contain any vulnerability. Every update includes the latest security enhancements.
Check for security updates here – https://magento.com/security

If for any reason you cannot upgrade to the latest version, make sure to install all security patches as recommended by Magento. Although Magento releases security patches to fix major issues, new product releases also include additional improvements to help secure the site.

13. Install Extensions from a Trusted Source

Unupdated and vulnerable third-party extensions are again the root cause of many hacks. Make a point to install extensions only from trusted sources. Never use paid extensions that are published on torrent or other sites. Check for the support an extension provides. It is the second most important thing after checking if the extension is updated & maintained often. Always review the extensions for security issues before installing them.

Do not click on suspicious links, or open suspicious emails.
Do not disclose the password to your server or to the Magento Admin.
Check periodically for unauthorized Admin access.
Work with your hosting provider to review server logs for suspicious activity, and to implement an Intrusion Detection System (IDS) on your network.

14. Secure Magento Store with a Web Application Firewall

E-commerce stores are a prime target of Hackers. Using a Web Application Firewall like Astra can help analyze the traffic and discover suspicious patterns. A firewall can block malicious traffic and IPs attempting hacks on your website. It safeguards your store from XSS, LFI, RFI, SQL injection and 100+ security threats.

Don’t take our words for it. See it for yourself!

Peek inside Astra

Having a firewall on top of your website is like having a security shield. A firewall is the best way to deploy a real-time website monitoring mechanism. Here is how the Astra firewall protects your website:

Firewall working
How Astra Web Application Firewall protects your WordPress website

15. Hardening Your Server

Securing your server is another pillar in the store security structure. Before you host your website, weigh the hosting provider well for its offerings, such as –

  • Security
  • Support
  • Customization
  • Loading time

If you can, ask the hosting provider what security measures it undertakes. Also, review the support it provides. A hosting without proper support can become really frustrating in case anything goes south with your website. A managed hosting solves this problem quite acutely. With managed hosting, you get a dedicated host, who looks after your website and is there to solve 911 emergencies with the site.

Other than managed hosting, hosting on a cloud is quite a rage at present. Cloud hosting reduces the loading time of your site as the information is coming from the closest cluster. Several companies like Amazon, Serverguy, etc. offer cloud hosting at reliable prices.

16. Magento Security Audit

Maintaining a website also includes auditing it regularly. A security audit helps you identify loopholes, backdoors, broken security structure before a hacker does. Now, thorough scanning such as an audit might not be feasible for a business owner. Still, you can opt for a professional security audit by Astra.

Astra security experts will do an in-depth security audit and pentesting for you, while you do business. This security audit will uncover each and every vulnerability, loophole & backdoor your site might contain. Our security engineers will also help you with the fixation steps and promises to be there till the time your developers fix it.

Magento security audit

Magento Security: In The End…

I know, building a dashing web store requires enormous effort, maintaining it more so. But it is not impossible. To be honest, it is quite the contrary. And, I hope I made a successful attempt at putting across the essential Magento store security measures. Follow the mentioned fundamental practices and improve your online security ten-fold.

If you believe we missed some, just comment below. I will be happy to hear from you!

Was this post helpful?

Tags: , , , , ,

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France).At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

21 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Gabriel
Gabriel
8 months ago

Thanks for such an informative guide on Magento security. I was looking for an all in one guide to secure few of my Magento stores.

What is the pricing for your Magento firewall?

Naman Rastogi
Admin
8 months ago
Reply to  Gabriel

Thanks, Grbriel. You can check our pricing here – https://www.getastra.com/pricing

Gabriel
Gabriel
8 months ago

Thanks for such an informative guide on Magento security. I was looking for an all in one guide to secure few of my Magento stores.

What is the pricing for your Magento firewall?

Maximilian
Maximilian
7 months ago

Magento security is getting frequently targeted by hackers to steal card information. Your guide on Magento security is indeed helpful with all proper steps. Do you have any guide on Magento hack removal & what features you offer for Magento store on security front?

Naman Rastogi
Admin
7 months ago
Reply to  Maximilian

Thanks, Maximilian. We always try to make the things simpler so that even non tech people can follow them. You can check our Magento Hack removal guide here – https://www.getastra.com/blog/911/magento-hacked-fixing-magento-vulnerabilities/

& you can check our Magento security suite features here – https://www.getastra.com/features

Sean
Sean
7 months ago

One of the top class guide on Magento security. I was looking for resources to secure my store from brute force & landed on your Magento security guide.

Awesome work.

Naman Rastogi
Admin
7 months ago
Reply to  Sean

Thank you, Sean for your kind words

Derrick
Derrick
6 months ago

Hi, when will a website will be marked as dangerous by chrome? I am using magento as tech stack. If it happens how can I resolve this?

Sai Krishna
Editor
6 months ago
Reply to  Derrick

Thanks for responding to our article. In this case, you need to find malware, malicious links to reference to malicious links that could be causing this. Basically, a code review for malicious content is required in such cases. Followed by submitting to Google for a review. Ideally, a security firewall is recommended as the website will be on the radar of hackers. This article talks about various malware and fixes, please feel free to review them: https://www.getastra.com/blog/911/magento-hacked/

Lillie F. Kleiman
Lillie F. Kleiman
6 months ago

Hi there, I have a website using Magento CMS. How safe and secure is magento?

Sai Krishna
Editor
6 months ago

Thanks for responding to our post. It’s not Magento that makes your site safe and secure. Instead it’s how your programmer sets up your site with proper security features and does not compromise the code quality while setting it up. Magento being a Zend based CMS is pretty robust and secure in itself and does not encounter common security threats as often encountered with wordpress. In this case, we request you to use a security plugin and that is what we exactly offer.For more information: https://www.getastra.com/magento-firewall and You can follow our magento hack removal guide: https://www.getastra.com/blog/911/magento-hacked

Brandy
Brandy
6 months ago

Hello, for my website I can see a lot of Japanese gibberish URLs. Do you have any guide on how to remove this?

Sai Krishna
Editor
6 months ago
Reply to  Brandy

Thanks for responding to our post and sorry to hear about the japanese SEO spam. You can follow this article to remove the hack: https://www.getastra.com/blog/911/black-hat-seo-spam-magento-opencart-prestashop/. We recommend you to use a security plugin and that is what we offer where our experts will help you in securing your website. For pricing and details you can visit: https://www.getastra.com/pricing

Paul
Paul
6 months ago

Magento SQL injection is spreading all over and businesses are getting ruined and I don’t want to take the risk. Is there any guide on how to protect from this?

Sai Krishna
Editor
6 months ago
Reply to  Paul

Yes, you are correct. SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. It will cause many harmful things to your Magento Store, and your database. You can refer our article on how to protect: https://www.getastra.com/blog/cms/magento-security/magento-sql-injection/

Smith
Smith
6 months ago

This is really a great article. How can I avoid a Malware injection for my website? I am using Magento.

Sai Krishna
Editor
6 months ago
Reply to  Smith

Thanks for responding to our post. Yes, Magento has witnessed a steep rise in malware attacks. E-commerce platforms are a goldmine for malicious actors to harvest lucrative credit card and personal information from online transactions. You can refer our guide to protect against it: https://www.getastra.com/blog/cms/magento-security/how-to-prevent-magento-code-injection/

John E. Drees
John E. Drees
6 months ago

So, I own a website and haven’t been using a security plugin or a firewall. How important is it to use a WAF?

Sai Krishna
Editor
6 months ago
Reply to  John E. Drees

Thanks for responding to our post. Precisely, a WAF (Web Application Firewall) is like a gatekeeper that filters all traffic coming to your portal. It protects you from hackers, bots, malware etc. A business can set up online rules for users by having a Web Application Firewall. For more info on the significance of WAF kindly refer this article: https://www.getastra.com/blog/astra-product/ecommerce-security-web-application-firewall/

Adam G. Brown
Adam G. Brown
6 months ago

Hi, I would like to secure my Magento 2 admin panel from hackers. Is there any way I can protect against the attacks?

Sai Krishna
Editor
6 months ago
Reply to  Adam G. Brown

Thanks for responding to our post. Magento is considered as the best e-commerce platform available today and it has numerous features, plugins, regular updates and a huge community of developers. As the technology and security measures improve, so do the capabilities of the hackers. Hackers usually target e-commerce websites to gain credit card information or just for some kicks. You can refer this article to guard your magento admin panel: https://www.getastra.com/blog/cms/magento-security/steps-secure-magento-admin-panel-hackers-bruteforcing-magento-1-magento-2/

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany