Today all websites face serious risks. But, it is the e-commerce industry that faces the most risks online. And, as it turns out, Magento is the leader of the e-commerce space, thus a coveted target. However, you can reduce these risks systematically by following a set of Magento Security best practices. In this comprehensive and extensive guide, I have listed primitive actionable measures to strengthen Magento Security. If you read this guide throughout and followed it with utmost priority, you can be sure of your website’s reduced susceptibilities.

Go through the below URLs if you are looking for

The Magento CMS, currently, powers 25% of all e-commerce websites all over the world. Clearly, it is one of the most admired CMSes for eCommerce. To add to that, it also stores a sea of personal & financial data, which makes it even more lustrous in the eyes of hackers. The following hacking statistics on Magento backs this.

Magento Hacking Statistics

  • Magento powers 1.2% of the internet.
  • And, 12% of all eCommerce sites.
  • In pure numbers, 250,00 active sites use Magento.
  • However, only 11,000 of those sites run on Magento 2, which is around 44% of all Magento websites.

Magento is also, the most hacked CMS after WordPress. The CVE details of Magento CMS show that XSS is the biggest threat to Magento. Other threats to Magento include Code Execution, SQL Injection, Directory Traversal, CSRF, etc. The following graph makes it better to understand.

Moreover, Magento card skimming and Credit card hacks are some examples of how data compromisation on Magento take place. Further, the Magecart attacks make for the most persistent attack on Magento as of now. As a result of these attacks, customers encounter identity theft, data theft, fake transactions, and so on. Here are more extensive data on hacking for your reading.

Top 16 Magento Store Security Measures

Securing & maintaining your website is crucial in this era of increased cybercrimes, more so when it is e-commerce. The aftereffects of an attack on Magento or any e-commerce for that matter reverberates to a larger number of people. In cases like these, it is the common people and their data that are at stake. Bill Gates, aptly conveys the apprehension for e-commerce websites as,

Oh, I think there are a lot of people who would be buying and selling online today that go up there and they get the information, but then when it comes time to type in their credit card they think twice because they’re not sure about how that might get out and what that might mean for them.

It all comes down to one thing – securing your website for people to feel confident enough to swipe their cards right in and not being faced with consequences. As for the owners of websites, there are cold & harsh penalties for condoning Magento security. However, you can avoid being at the face of the storm just by following Magento security measures depicted in this guide. Honestly, if you implemented these measures carefully, you will reduce the risks by the maximum.

1. PCI-DSS (Payment Card Industry – Data Security Standard)

Since e-commerce websites deal in sensitive payment data of customers, it requires vigilant monitoring. Therefore, the PCI (Payment Card Industry), an association of top credit card companies, invigilates Magento security of these sites. As a web business owner, it is of utmost importance that customers get a guaranteed safe checkout. Hence, the PCI-DSS requires all Magento websites to use standard & secure credit card handling. In case of non-compliance, hefty fines and severe penalties can be charged.

What PCI compliance include?

The security requirements under the PCI compliance include policies and procedures, software design, and network architecture. In laymen’s language

  • Build and Maintain a Secure Network and Systems
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
    Requirement 6: Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need to know
    Requirement 8: Identify and authenticate access to system components
    Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security for all personnel

Magento credit card hack, Stealing credit card from Magento store

2. Change Admin Username for Magento Store

After you have ensured the PCI compliance of your site, change the default admin username. Always refrain from using the obvious as your username. For instance, the word ‘admin’, your own name, your website’s name are too easy a guess for a hacker and thus dangerous. A newly installed Magento website has the project owner’s email as the username. Change the default hard code email address of the project owner as follows:

  1. Log into your Magento admin panel
  2. Go to system >> My account
  3. Type in the new and unique username in the ‘Username’ field.
  4. Click “Save Account.”

3. Change Admin URL in Magento

Almost all websites have /admin as the default URL for their admin pages. Not changing this default admin URL in Magento makes for a serious vulnerability. On the other hand, changing the default URL would hide your website’s admin page thus improve Magento security. Further, we recommend you choose a value other than `admin` or `backend` or another term that isn’t easy to guess.

You can change the default admin URL by following a few steps as below:

  1. On the Admin Panel, select System > Configuration.
  2. Select Admin in the left-most column.
  3. Navigate to the Admin Base URL section, and do the following:
    a) Set Use Custom Admin URL to “Yes.” Then, enter the Custom Admin URL in a format like this:
    http://yourdomain.com/magento/
    b) Set Custom Admin Path to “Yes.” Then, enter the name of the Custom Admin Path. Choose something that is not easily guessable by attackers.
  4. At last, hit the Save Config button, and log in with the newly created URL.

4. Use Two-Step Verification for Magento Login

The two-step verification considerably reduces the security risks related to your Magento passwords. Even if a hacker has access to stolen credentials, he just can’t log into your admin panel due to an added security. Additionally, two-factor authentication also checks brute-forcing. You can install TFA for your login page too for authentic access to user accounts.

There are loads of extensions that provide the utility of two-step verification, choose the best based on the ratings.

 

5. Use IP Whitelisting and .htaccess in Magento

Next up is the IP whitelisting and .htaccess. Whitelisting only select IPs to reach Magento’s admin panel is a smart way you can secure your site. Thus, use IP whitelisting and .htaccess password protection to block access to any development, staging, or testing systems. Since these are highly sensitive systems and any compromisation to these would lead to an ugly data leak or brutal attack.

Here is how you can modify your .htaccess file to protect certain URLs from lurking attackers

For a single-store view Magento installation

#####Secure admin RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC,OR] RewriteCond %{REQUEST_URI} ^/downloader/ [NC] RewriteCond %{REMOTE_ADDR} !^my.ip.add.ress RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

For a Store View in a Subdirectory

If you have Magneto installed in a sub-directory or a store view as a virtual sub-directory of the main domain name,
Eg. https://www.getastra.com/features/
Eg. https://www.getastra.com/en/
Eg. https://www.getastra.fr/

#####Secure admin RewriteCond %{REQUEST_URI} ^/(downloader shop/ en fr/)?(index.php/)?admin/ [NC,OR] RewriteCond %{REQUEST_URI} ^/downloader/ [NC] RewriteCond %{REMOTE_ADDR} !^my.ip.add.ress RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

6. Use Strong Passwords

If you are still using a password that is easy to guess kindly reconsider. Using a strong password helps you to:

  • Keep your personal information safe
  • Protect your emails, files, and other content
  • Prevent someone from breaking into your account

Strong password stands in a crisis like a brute-force attack. Now, what qualifies as a strong password and what doesn’t? Combination of letters, numbers & symbols as passwords makes for a strong password. Since, passwords are case sensitive, using both uppercase and lowercase letters make it even stronger. The ideal password length is between 8-14 characters. On the other hand, a weak password is that which uses easy to guess words, phrases & combinations. For example, password, 12345678, 9874561, etc. categorizes as weak passwords.

You can create passwords either on your own or use an online password generator for the purpose. However, if you are creating a password on your own, here is an example of how you can convert that to a strong password.

Replace letters with numbers & symbols
Example-“Spooky Halloween” becomes “sPo0kyH@ll0w3En”

7. Limit Login Attempts for Magento Admin

Another secure way to lock your admin panel from attackers is to limit the number of failed login attempts. You can also go on and limit the maximum number of password reset requests. This will protect your website from unauthenticated login attempts.

To configure your website, you can follow the below steps:

For Magento 1.x:

  1. Log into your admin panel.
  2. Navigate to System.
  3. Next, go to Configuration.
  4. Click on Advanced > Admin.
  5. Click to expand the Security option there. And change respective settings

For Magento 2.x:

  1. Log into your admin panel.
  2. Navigate to Stores >Settings
  3. Next, go to Configuration.
  4. Click on Advanced > Admin.
  5. Click to expand the Security option there. And change respective settings

8. Enable Captcha in Magento Login & Forms

CAPTCHA is an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart. It is rather self-explanatory. So, CAPTCHA is the best bet to discourage bot attacks on your Magento’s admin panel. You can enable CAPTCHA on your site by following these simple steps:

For Magento 1.x:

  1. Navigate to System
  2. Click on Configuration
  3. Go to Advanced>> Admin in the left-most panel
  4. Expand the CAPTCHA section; Select ‘Yes’ to enable CAPTCHA.
How to change Admin URL in Magento 1.x
How to change Admin URL in Magento 1.x

For Magento 2.x:

Navigate to Stores > Settings>Configuration > Advanced > Admin > CAPTCHA

  1. Navigate to Stores>>Settings
  2. Click on Configuration 
  3. Go to Advanced>> Admin in the left-most panel
  4. Expand the CAPTCHA section; Select ‘Yes’ to enable CAPTCHA.
Changing admin URL in Magento
How to change admin URL in Magento 2 (Source: Amasty)

9. Set Recommended File & Directory Permissions in Magento

To suit Magento for your specific business needs, you may need to customize the platform. Files and folders and their respective permissions play an important part in this. However, it is also complex.

As a security person, I recommend having the permission of 755 for directories and 644 for files.

Here is how you can set correct file permissions:

Set Folder permissions as:

  1. Access your website through FTP.
  2. Navigate to your Magento installation folder. Ex: (/path/to/your/Magento/install/)
  3. Right-click on the folder and select the File Permissions option
  4. Once you click on the option, a new window will open. Insert “700” in the Numeric value field.
  5. Then enable the “Recurse into subdirectories” option. In the list seen below, select the checkbox titled “Apply to directories only”.
  6. Hit the OK button.
  7. The process may take several minutes for a large number of files.

Set File permissions as:

  1. Access your website through FTP.
  2. Navigate to the where Magento is installed. Ex: (/path/to/your/Magento/install/)
  3. Right-click on the file and select the File Permissions option
  4. Once you click on the option, a new window will open. In the Numeric value field input the value “600”.
  5. Then enable the “Recurse into subdirectories” option. In the list seen below, select the checkbox titled “Apply to files only”.
  6. Hit the OK button.
  7. The process may take several minutes for a large number of files.
Magento File & Directory Permissions
Recommended file & directory permissions as per official Magento documents

10. Set Recommended User Roles and Permissions in Magento Store

Defining correct user roles helps in segregating duties. It also enhances Magento security since every user does not enjoy all the permissions. There are different levels of permissions. You can assign a user a role based on their duty and your preference.

Here are the steps to set correct user permissions:

  1. Log into your website and  navigate to ‘System’
  2. Click on ‘Permissions’, you will see two options ‘Users’ & ‘Roles’
  3. ‘Roles’ is the section where you can define roles, whereas ‘Users’ is where you assign them.

11. Backup Your Data Regularly

In the case of an unexpected attack, a backup can save your site. A good backup helps restore your hacked website in minutes. It is the best disaster management you’ve got. But, to make backups functional you need to take care of a few things, like-

  • the files to include
  • the frequency of the backup
  • the functionality of the backup

Before you start backing up your site, understand the necessities correctly. A backup should include all the files necessary for your website’s configuration, look, and workings. A Magneto website allows you to take four kinds of backups such as:

  1. System Backup (includes source code+database+media),
  2. Database Backup (exclusively for the database),
  3. Database with media backup, and
  4. System without media Backup.

Note:

  • Put your website on maintenance mode before taking a backup. The website automatically comes out of the Maintenance mode after the backup.
  • Make sure that your server and database are backed up to an external location other than your server.

A system backup is the most functional backup as it includes both the source code and the database. However, you can shuffle the types according to your needs.

Coming to the frequency of the backups. Well, it can vary depending on how often you update the content of your website. You can opt for either daily, weekly, or monthly backups.

Now the methods of backup, you can opt either for a manual backup or automate the process.

The purpose of a backup is to restore your website back to its original & healthy position. Thus, always check backup rolls back to your website completely. In case of a large site, the restoration of a backup becomes too tedious & time-consuming. In such situations, it would be better to work with your hosting provider in order to deploy a professional database backup solution.

12. Update Missing Magento Security Patches

Running websites on outdated and vulnerable versions remain the biggest cause of hacks in CMS. Always run your store on the latest version of Magento. This ensures that your installation doesn’t contain any vulnerability. Every update includes the latest security enhancements.
Check for security updates here – https://magento.com/security

If for any reason you cannot upgrade to the latest version, make sure to install all security patches as recommended by Magento. Although Magento releases security patches to fix major issues, new product releases also include additional improvements to help secure the site.

Check for security patches here – https://magento.com/security/best-practices

13. Install Extensions from a Trusted Source

Unupdated and vulnerable third-party extensions are again the root cause of many hacks. Make a point to install extensions only from trusted sources. Never use paid extensions that are published on torrent or other sites. Check for the support an extension provides. It is the second most important thing after checking if the extension is updated & maintained often. Always review the extensions for security issues before installing them.

Do not click on suspicious links, or open suspicious email.
Do not disclose the password to your server or to the Magento Admin.
Check periodically for unauthorized Admin access.
Work with your hosting provider to review server logs for suspicious activity, and to implement an Intrusion Detection System (IDS) on your network.

14. Secure Magento Store with a Web Application Firewall

E-commerce stores are a prime target of Hackers. Using a Web Application Firewall like Astra can help analyze the traffic and discover suspicious patterns. A firewall can block malicious traffic and IPs attempting hacks on your website. It safeguards your store from XSS, LFI, RFI, SQL injection and 100+ security threats.

Having a firewall on top of your website is like having a security shield. A firewall is the best way to deploy a real-time website monitoring mechanism. Here is how the Astra firewall protects your website:

Firewall working
How Astra Web Application Firewall protects your WordPress website

15. Secure Your Magento Store Server

Securing your server is another pillar in the Magento security structure. Before you host your website, weigh the hosting provider well for its offerings, such as –

  • Security
  • Support
  • Customization
  • Loading time

If you can, ask the hosting provider what security measures it undertakes. Also, review the support it provides. A hosting without proper support can become really frustrating in case anything goes south with your website. A managed hosting solves this problem quite acutely. With a managed hosting, you get a dedicated host, who looks after your website and is there to solve 911 emergencies with the site.

Other than managed hosting, hosting on a cloud is quite a rage at present. Cloud hosting reduces the loading time of your site as the information is coming from the closest cluster. Several companies like Amazon, Kinsta, Serverguy, etc. offer cloud hosting at reliable prices.

16. Magento Security Audit

Maintaining a website also includes auditing it regularly. A security audit helps you identify loopholes, backdoors, broken security structure before a hacker does. Now, thorough scanning such as an audit might not be feasible for a business owner. Still, you can opt for a professional security audit by Astra.

Astra security experts will do an in-depth security audit and pentesting for you, while you do business. This security audit will uncover each and every vulnerability, loophole & backdoor your site might contain. Our security engineers will also help you with the fixation steps and promises to be there till the time your developers fix it.

Magento Security: In The End…

I know, building a dashing web store requires enormous effort, maintaining it more so. But it is not impossible. To be honest, it is quite the contrary. And, I hope I made a successful attempt at putting across the essential Magento security measures. Follow the mentioned fundamental practices and improve your Magento security ten-fold.

If you believe I missed some, just comment below. I will be happy to hear from you!

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close