Over 12% of all e-commerce websites are built on Magento. Magento is a PHP-based open-source content management system that attracts online merchants with its wide spectrum of features. At the time of writing, Magento has 170,282 active customers across the world. Astra, in collaboration with Magecloud, hosted a webinar on securing your Magento store.
Although Magento developers are quite hands-on with the platform’s security, hackers have still found ways to breach it.
Soon enough, attacks picked up and vulnerabilities piled up, and Magento store owners have experienced some brutal breaches and hacks over the past few years. What is really threatening is that attacks keep increasing with every passing day.
Why Did Your Magento Website Get Hacked?
The numbers are alarming, and they make us question Magento’s security. But on closer inspection, we found that the problem lies less with the Magento core than with insecure extensions and poor maintenance by merchants.
If you don’t believe it, here are some shocking revelations:
- 90% of Magento websites run an outdated PHP version.
- Only 6.4% of all Magento websites run Magento 2.
Doesn’t it speak for itself?
Someone hacked your store because it was vulnerable! It’s as simple as that.
What is even more vexing is that most Magento store owners are clueless about how to secure their websites until they are hacked.
As the well-known cybersecurity expert Stephane Nappo put it,
One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks.
Refusing to accept that you are at risk, and therefore doing nothing about it, is the chief reason anyone gets hacked. Stephane Nappo also talks about fixing the basics and having an incident response plan ready:
Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.
How Do I Know I Am Hacked?
Not knowing when your store has been hacked is another common problem we see with Magento merchants and website owners in general. Hackers are smart and have sophisticated ways to get into a website. Some of these hacks are so well disguised that it can take months to realize you have been hacked.
But most hackers are not as sophisticated and leave a trail behind. Identifying these hack signs sooner can help you minimize damage to your store immensely.
Hack signs you should look for:
- Customers complaining about credit card abuse
- Fake payment form or checkout option added
- Unfamiliar admins and users added to the database
- A redirecting website
- Malicious pop-ups
- Data breaches
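Two of the signs above, a fake payment form and unfamiliar admin accounts, can be checked for mechanically. The following is an added example, not code from the original post or from Astra: it scans a checkout page for forms that post (or scripts that load) from a host other than the store's own, and compares the admin user list against a maintained allowlist. The store hostname, the checkout HTML and the admin rows are constructed for illustration; the row shape follows Magento's `admin_user` table (`username` column).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the store's own hostname; forms posting or scripts loading from elsewhere are suspect.
STORE_HOST = "shop.example.com"

class OffsiteTargetFinder(HTMLParser):
    """Collect <form action> and <script src> targets that point to another host."""
    def __init__(self):
        super().__init__()
        self.offsite = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        target = a.get("action") if tag == "form" else a.get("src") if tag == "script" else None
        if not target:
            return
        host = urlparse(target).hostname  # None for relative URLs, i.e. same-site
        if host and host != STORE_HOST:
            self.offsite.append((tag, target))

def find_offsite_targets(html):
    """Return (tag, url) pairs for forms/scripts that send to or load from another domain."""
    finder = OffsiteTargetFinder()
    finder.feed(html)
    return finder.offsite

def unfamiliar_admins(admin_rows, known_usernames):
    """Return admin usernames absent from the merchant's maintained allowlist."""
    return [row["username"] for row in admin_rows if row["username"] not in known_usernames]

# Constructed checkout page: a legitimate form and script, then a skimmer-style form
# posting card fields off-site and an unexpected third-party script.
CHECKOUT_HTML = """
<form action="/checkout/onepage/savePayment" method="post"><input name="cc_number"></form>
<script src="https://shop.example.com/static/js/checkout.js"></script>
<form action="https://checkout-verify.example.net/collect" method="post">
  <input name="cc_number"><input name="cc_cvv"></form>
<script src="https://cdn.example.org/js/stats.js"></script>
"""

# Constructed rows shaped like Magento's admin_user table (username column), plus the allowlist.
ADMIN_ROWS = [
    {"username": "owner", "email": "owner@shop.example.com"},
    {"username": "devops", "email": "ops@shop.example.com"},
    {"username": "support_tmp", "email": "x@mail.example"},
]
KNOWN_ADMINS = {"owner", "devops"}
```

Run the checks on a scheduled basis against the live checkout page and a fresh export of the admin table; any non-empty result is worth investigating before customers start reporting card abuse.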
Here’s how Astra’s malware scanner flags malware in a Magento website:
Besides malware and vulnerability scanning, regular security audits help uncover loopholes in your web store.
How Do Hackers Hack Into Your Magento store?
XSS, CSRF, SQL injection, bad bots, session hijacking, brute force, information gain, and remote code execution are some of the common attacks used to steal data and compromise your store.
Take a quick look at these numbers.
- 40.8% of all attacks on Magento are XSS
- 23.9% are code execution
- 9.9% each are CSRF, information gain, and bypass
- 2% are SQLi and directory traversal
Best Security Practices For A Magento Store
While a security extension does reduce most cyber risks, there are some Magento security best practices and maintenance habits that you need to follow on your own. These are:
- Update! Update! Update!
- Install security patches
- Configure your security settings
- Regularly back up
- Install a firewall
- Do regular malware checks
- Get your website, code, and extensions audited.
Having said that, the need for automated monitoring and protection tools cannot be overlooked. A strong firewall that filters traffic and protects against a complete suite of attacks is therefore a must. Attackers can exploit any security gap present in your system, including open ports, unsecured connections, missing configurations, weak permissions, and several others.
Astra’s firewall monitors your website and protects you from all types of attacks. Astra also helps you manage your Magento store’s security better with its intuitive dashboard and additional security features.