This Magento security guide will help you protect your Magento store from hackers and shows how to fix a hacked store website.
The Ultimate Magento Security Practices and Malware Removal Guide
Magento Security Guide- Why do you need it?
If you run an online store, there is a fair chance it is powered by Magento. According to some reports, about 50,000 websites currently use Magento. Magento is an open-source e-commerce platform used by retailers of every size, and it lets them grow their business using the platform's many features. As with every popular platform on the internet, it is a constant target for attacks and security concerns. If your website is built on Magento, you should expect hacking attempts against it and be prepared for them. This Magento Security Guide collects the information and measures you can use to protect your website. The menu paths and file locations below refer to Magento 1.x.
Basic Security Steps
The basic steps are the ones we tend to ignore, yet taking care of them makes your website noticeably safer. Some of these are:
Use strong passwords & change default admin username
Using strong passwords may sound like redundant advice, but not everyone follows it. The longer the password, the harder it is to crack, and a passphrase made of several uncommon words resists dictionary attacks far better than a single word with a few substitutions. A password manager makes it practical to give every account a unique, random password. Along with the password, change the default admin username: keeping the default halves the attacker's work, since they only need to guess the password. Set a non-default username when creating the account in Magento, or change it later by going to "System" and then clicking "My Account".
Use two factor authentication
Two-factor authentication (2FA) is becoming common nowadays, and for good reason: logging in with only a username and a password may not be enough. 2FA is an additional layer of protection on top of the password, so a leaked or guessed password alone no longer gives access. Most implementations send a one-time password (OTP) to a registered mobile number or generate one in an authenticator app. Magento 1 has no built-in 2FA for the admin panel, so it is added through an extension; Magento 2.4 and later ship it for the admin panel.
Have a backup plan
However strong your website's security is, keeping a backup of all your data (files and database) is a good idea. Staying prepared for every circumstance is part of keeping the website safe. In an emergency you can restore the backup files and get your website back online quickly. Store backups somewhere other than the web server, since an attacker who compromises the server can delete or tamper with backups kept alongside the site, and test a restore periodically so you know the backup actually works.
Keep Magento and extensions updated
Attack techniques improve every day, and keeping up with them is a pressing necessity. Magento has a very active community of developers that releases newer versions with improved security, so you must run the latest version of Magento and apply its security patches. If you use any plugins or extensions, update them regularly, and avoid any extension that does not receive periodic security updates. Updates fix previously disclosed vulnerabilities before attackers get to exploit them. In Magento 1 you can check by going to "System" and then clicking "Magento Connect"; log in again to confirm and scan the account, which lists all the extensions that require an update. Note that Magento 1 reached end of life in June 2020 and no longer receives official security patches, so stores still running it need a migration plan or a third-party patch source.
Recommended Security Steps
The following steps will help you secure your website against most basic threats. These are the areas that need the owner's attention: most of these settings are left at their defaults, and attackers count on that. Thus, the following steps are an important part of this Magento Security Guide:
Custom path for admin panel
Most users leave the admin panel at its default path (/admin), which tells attackers exactly where to point credential brute-forcing and automated exploit scanners. Changing the path does not replace strong passwords and 2FA, but it keeps the login page out of bulk automated attacks. To change the default admin path in Magento 1, follow the steps below:
- Locate the local.xml file in app/etc
- Find the <frontName> element under <admin><routers><adminhtml><args>; its default value is "admin"
- Replace "admin" with a name of your choice, then flush the configuration cache (System > Cache Management) so the new path takes effect
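The relevant part of app/etc/local.xml after the change, shown as an added example rather than a snippet from the page; only the admin router element is shown, and the front name backoffice7f3a is an assumed value:

```xml
<!-- app/etc/local.xml (Magento 1.x), admin router section only -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <!-- default is <![CDATA[admin]]>; "backoffice7f3a" is an assumed example name -->
                    <frontName><![CDATA[backoffice7f3a]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

After flushing the cache the admin panel answers at /index.php/backoffice7f3a (or /backoffice7f3a when URL rewrites are on) and the old /admin path returns a 404. Pick a name that is not guessable from your brand, and remember to update any IP allowlist rules that match the old path.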
Hiding directory indexing
By default, a web server may list the contents of any directory that has no index file, so anyone can browse your directory tree just by typing its URL. A listing does not hand over PHP source, but it reveals file names, installed extensions and their versions, and any leftover backup, dump or config files, all of which help an attacker plan an attack. On Apache you disable directory listing by adding the Options directive below to the .htaccess file (nginx does not list directories unless autoindex is enabled):
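The directive this step refers to did not survive on the page; the standard Apache directive, shown as an added example and not the page's own lines, is:

```apache
# .htaccess in the Magento document root (added example, not the page's original lines)
# Disable directory listing for this directory and every subdirectory without an index file
Options -Indexes
```

This only works if the server configuration allows it (AllowOverride Options or AllowOverride All for the document root); otherwise Apache returns a 500 error for the whole site, so test on staging first. To verify, request a directory that has no index file (for example `curl -s -o /dev/null -w '%{http_code}\n' https://your-store/skin/`) and expect 403 rather than 200.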
File permissions
File permissions are the most ignored area of website security and so need to be covered in this Magento Security Guide. Appropriate permissions protect important files and folders from being read or altered by other users on the server, and limit what an attacker can do with a foothold in the web application. Do not make the permissions stricter than the site can tolerate, or parts of the website will stop working. The values below assume the web server user owns the files (Magento's own documentation defaults are 755 for directories and 644 for files, with var/ and media/ writable); test any tighter scheme on staging before applying it in production. Below are some suggested file permissions for Magento:
- Directories: 500 for all directories. This gives the owner (the web server user) permission to read and traverse them, and nothing to anyone else.
- Files: 400 for files. This makes the code read-only even for the owner, which protects against attacks that overwrite or append to existing files.
- The var/ and media/ directories: 700, which gives complete permissions to the owner and none to anyone else. These directories must stay writable because Magento writes cache, sessions, logs and uploaded media there.
- The var/ and media/ files: 600, which allows the web server user to read and write the file contents and keeps them private from other users.
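An added example (not a script from the page) that applies the scheme above to a Magento 1 tree. It assumes the web server user owns the files and that you run it as that user or as root after a chown; the path argument is whatever your document root is. Code directories and files are locked down first, then var/ and media/ are reopened for writing:

```sh
#!/bin/sh
# Added example: apply the permission scheme from this section to a Magento 1 install.
# Assumes the web server user owns the tree (run as that user, or as root after chown).
set -u

# harden_magento_perms <magento_root>
harden_magento_perms() {
    root=$1
    # Code tree: directories read+traverse, files read-only, owner only.
    find "$root" -type d -exec chmod 500 {} +
    find "$root" -type f -exec chmod 400 {} +
    # Writable areas: var/ (cache, sessions, logs) and media/ (uploads).
    for d in "$root/var" "$root/media"; do
        [ -d "$d" ] || continue
        find "$d" -type d -exec chmod 700 {} +
        find "$d" -type f -exec chmod 600 {} +
    done
}

# perm_of <path>: print the octal mode, used to verify the result
# (GNU/busybox stat; on BSD or macOS use "stat -f %Lp" instead).
perm_of() {
    stat -c '%a' "$1"
}

# Stand-alone usage: sh harden.sh /var/www/magento
if [ "${1:-}" ]; then
    harden_magento_perms "$1"
fi
```

If PHP runs as a different user from the one that owns the files (a common setup with php-fpm pools), 500/400 will make the site unreadable to PHP; in that case use 750/640 with the web server user in the owning group instead, or fall back to the documented 755/644.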
Water Tight/Ultimate Security Tips
Apart from the usual security steps, there are a few smaller changes that matter. They can be the difference between a hacked website and a secure one, which makes them an integral part of this Magento Security Guide.
Restrict access to admin according to IP
The admin panel only needs to be reachable from the places your staff actually work. Restricting it to known IP addresses prevents everyone else from even reaching the login page, so stolen credentials or a login vulnerability cannot be used from an arbitrary network; you can likewise block individual addresses that you see attacking the site. On Apache you add rules like the ones below to your .htaccess file:
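The .htaccess rules this step refers to did not survive on the page; the following mod_rewrite rules are an added example, not the page's own lines. The address 203.0.113.10 (a documentation range) and the path /admin are placeholders for your office or VPN address and your actual admin path:

```apache
# .htaccess in the Magento document root (added example, not the page's original lines)
# Allow the admin router only from one trusted address; everyone else gets 403.
RewriteEngine On
# Match the admin path both with and without index.php in the URL
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(/|$) [NC]
# 203.0.113.10 is a placeholder for your static office or VPN egress address
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [F]
```

Two caveats a practitioner will want: if the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, so you need mod_remoteip (or the equivalent) configured with the proxy's trusted address range before this check means anything; an X-Forwarded-For header that has not been set by a trusted proxy can be forged by the client. And if you changed the admin path in the earlier step, match that path here instead of admin.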
Remember that many ISPs assign dynamic IP addresses, so an allowlist can lock out legitimate administrators whose address changes. Use this approach where administrators connect from static addresses (an office or a VPN), test it from a second session before logging out, and keep another way in (such as SSH access to edit the .htaccess file) in case you lock yourself out.
Using encrypted connections
Whenever data travels between a visitor's browser and your server over plain HTTP, it is transmitted in clear text, so anyone on the network path can read or modify it. The intercepted data can include admin logins, customer details and payment information that attackers can use to cause real damage. Serving the whole site over HTTPS (TLS) protects this traffic; it is required by PCI DSS for any page that transmits cardholder data, and browsers and users treat an HTTPS site as more trustworthy. Once a certificate is installed on the server, enable it in Magento 1 as follows:
- Go to System > Configuration > General > Web
- In the "Secure" group, change the Base URL of your website from "http://" to "https://"
- Set "Use Secure URLs in Frontend" and "Use Secure URLs in Admin" to Yes
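An added verification step, not from the original page: after switching Magento to secure URLs, confirm from outside that plain-HTTP requests redirect to https and that the secure response carries an HSTS header so browsers stop trying HTTP at all. The checking functions read a raw response header block on stdin so they can be tested offline; check_site wraps them with curl for a live host name of your choosing (hostname and timeouts are assumptions):

```sh
#!/bin/sh
# Added example: verify the HTTPS switch-over from the outside.

# check_redirect_headers: expect a redirect status whose Location is https://
check_redirect_headers() {
    hdr=$(tr -d '\r')
    status=$(printf '%s\n' "$hdr" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdr" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|307|308) ;;
        *) echo "no redirect (status ${status:-none})"; return 1 ;;
    esac
    case "$location" in
        https://*) echo "redirects to $location"; return 0 ;;
        *) echo "redirect target is not https: $location"; return 1 ;;
    esac
}

# check_hsts_headers: expect Strict-Transport-Security with a max-age value
check_hsts_headers() {
    hdr=$(tr -d '\r')
    if printf '%s\n' "$hdr" | grep -qi '^strict-transport-security:.*max-age='; then
        echo "HSTS present"; return 0
    fi
    echo "HSTS header missing"; return 1
}

# check_site <hostname>: live check (needs network; the hostname is yours to supply)
check_site() {
    curl -sI --max-time 10 "http://$1/" | check_redirect_headers || return 1
    curl -sI --max-time 10 "https://$1/" | check_hsts_headers
}

# Stand-alone usage: sh check_https.sh shop.example
if [ "${1:-}" ]; then
    check_site "$1"
fi
```

Magento's "Use Secure URLs" settings only change the links it generates; the HTTP-to-HTTPS redirect and the HSTS header are set in the web server configuration, which is why an external check is worth running rather than trusting the admin setting alone.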
Lowering the risk of SQL Injection
Magento's database adapter escapes and binds query parameters, which protects the core against SQL injection as long as extensions and custom code use bound parameters too rather than concatenating user input into query strings. Review third-party extensions for hand-built SQL. A web application firewall or a security service such as Astra adds a further layer; Astra's features such as File Injection Protection are intended to shield your website from these external threats.
Malware Removal Steps
Malware is sneaky and you can never be too careful about it. If you find malware on your website, the following steps will help you remove it. Malware removal procedures form an integral part of any Magento Security Guide, since you need to know how to get rid of an infection, not only how to prevent one.
Manually removing the malware from the files
When malware infects a site, it usually changes files in ways that can be spotted by comparing against a known-good copy: new files appear, existing files gain code that does not belong, or timestamps change unexpectedly. By analysing those changes you can detect the infection; once found, you need to remove it. Follow these guidelines:
- Have a clean backup ready, and take a copy of the infected site before you change anything, so evidence for the investigation is not lost.
- Search all files for known malware signatures or malicious payloads (obfuscated PHP built around eval, base64_decode or gzinflate is the usual tell), and list files that were modified recently.
- If there are recent changes, confirm that each one is legitimate (a deployment or an extension update) before trusting it.
- Run a core file integrity check: compare the install against a clean copy of the same Magento version with the diff command and review every file the comparison flags.
- Replace any infected file with a clean copy from the backup or from the official release, and delete files that have no legitimate counterpart.
- Run tests to check that the website works correctly.
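An added triage script (not from the original page) that does the three file-side checks above: list PHP files changed recently, grep the tree for constructs that PHP backdoors and skimmers use far more often than shop code, and diff the live tree against a known-clean copy of the same release. The pattern list and the paths are assumptions; treat every hit as something to review by hand, because legitimate code (including parts of Magento itself) can match some of the patterns:

```sh
#!/bin/sh
# Added example: file-side triage for a suspected Magento compromise.

# Constructs common in PHP malware (assumed list; extend it as you learn the campaign).
SUSPICIOUS_RE='eval *\(|base64_decode *\(|gzinflate *\(|gzuncompress *\(|str_rot13 *\(|preg_replace *\(.*/e|assert *\(|create_function *\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*] *\('

# recent_php <root> <days>: PHP files modified in the last <days> days.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print
}

# suspicious_php <root>: PHP and template files containing any pattern above.
# var/ is skipped: cache and session files are noisy and are regenerated anyway.
suspicious_php() {
    find "$1" -path "$1/var" -prune -o -type f \( -name '*.php' -o -name '*.phtml' \) -print \
        | xargs grep -lE "$SUSPICIOUS_RE" 2>/dev/null
}

# integrity_diff <clean_root> <live_root>: files added, removed or changed relative
# to a clean copy of the same Magento version. var/ and media/ hold runtime data
# and uploads, so they are compared separately, not here.
integrity_diff() {
    diff -rq -x var -x media "$1" "$2" 2>&1
}

# Stand-alone usage: sh triage.sh /srv/magento-clean /var/www/magento
if [ "${2:-}" ]; then
    echo "== PHP files changed in the last 7 days"; recent_php "$2" 7
    echo "== files with suspicious constructs";    suspicious_php "$2"
    echo "== differences from clean copy";         integrity_diff "$1" "$2"
fi
```

Run it on the copy you took for evidence rather than on the live server, and keep the output: the list of changed files is also your starting point for working out how the attacker got in, which matters more than the cleanup if you want to avoid being reinfected.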
Cleaning hacked database tables
This segment offers steps to clean your database, since it is as important a part of the website as the files and is where many skimmers and spam injections actually live.
- Have a clean backup of your database handy, and dump the current (compromised) database too before editing it, so you keep evidence.
- Look for suspicious content such as spam keywords and links, and for injected <script> or <iframe> tags. Pay particular attention to the core_config_data table (the design/head/includes and footer settings are rendered on every page and are a favourite place for card skimmers) and to CMS blocks and pages.
- Manually delete all such content.
- If needed, replace the affected parts of the database tables with a clean copy.
- Test the website to check that it works correctly.
You can also search the database for known malicious PHP functions and JavaScript constructs. Before removing anything, verify that the content is not legitimate, for example an analytics snippet you added yourself or markup that ships with Magento.
Malware often installs backdoors that let the attacker back in whenever they want, so cleaning only the visible payload is not enough. Attackers usually hide backdoors in new files whose names look like genuine Magento files, or in places that render on every page, such as the footer configuration.
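An added example, not from the original page, for the database side of the cleanup described above: it scans a mysqldump file offline for injected script and PHP constructs and lists every core_config_data row under the design/head and design/footer paths, which render on every page and are where footer and head-section skimmers are stored. The pattern list and the sample dump in the test are constructed for illustration; dump with `mysqldump --skip-extended-insert` so each row lands on its own line:

```sh
#!/bin/sh
# Added example: scan a Magento database dump for injected content.

# Constructs that should not appear in shop configuration or CMS content
# (assumed list; bracket expressions are used so no backslashes reach awk).
DB_SUSPICIOUS_RE='<script|<iframe|javascript:|fromCharCode|atob[(]|eval[(]|base64_decode|document[.]write'

# suspicious_dump_rows <dump.sql>: print each INSERT row matching the patterns,
# prefixed with its table name and truncated so long blobs stay readable.
suspicious_dump_rows() {
    awk -v re="$DB_SUSPICIOUS_RE" '
        /^INSERT INTO `/ {
            split($0, parts, "`"); table = parts[2]
            if ($0 ~ re) print table ": " substr($0, 1, 160)
        }' "$1"
}

# design_config_rows <dump.sql>: every core_config_data row under design/head/*
# or design/footer/*. Review these by hand even when no pattern matched, since
# skimmers are frequently obfuscated beyond what a keyword list catches.
design_config_rows() {
    grep -E "^INSERT INTO \`core_config_data\`.*'design/(head|footer)/" "$1"
}

# Stand-alone usage: sh scan_dump.sh magento.sql
if [ "${1:-}" ]; then
    echo "== rows with suspicious constructs"; suspicious_dump_rows "$1"
    echo "== design head/footer configuration"; design_config_rows "$1"
fi
```

Clean matching rows through the admin panel (System > Configuration > Design, and CMS > Blocks / Pages) or with targeted UPDATE statements on the identified rows, then re-dump and re-scan to confirm nothing was missed.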
After removing all malware, change every credential the attacker may have captured: admin usernames and passwords, the database password in local.xml, FTP/SSH accounts and any API keys, and check the admin_user table for accounts you did not create. To be completely sure of the safety of the website you can enlist a website security service such as Astra. They run scans on the entire website and sniff out skilfully hidden malware and backdoors. With security features such as a Website Firewall and Malware Cleanups, they can remove all traces of the threat from the website. Using Astra to secure your website is a smart move.