How to make Magento Secure

Magento is one of the best ecommerce CMSs, if not the best. Reliable studies confirm that 26%-29% of ecommerce sites run on Magento. As with so many popular web applications, Magento is a prime target for attacks, and cyber criminals are already looking to devour any ecommerce site with exploitable weaknesses. The good thing about Magento is that it is regularly updated. Even so, a large share of users do not invest as heavily in security as they do in their online store.

Attention to security tends to fade once a functional ecommerce site is up and running. The danger of a breach on an ecommerce site lies in the private information it holds, such as credit card details; this is what makes it such a lucrative target for cyber criminals.

Let’s look at some of the ways you can make Magento secure.

Create a custom admin path

In most cases users never change the admin path on their sites, which increases the security risk. Attackers can simply head to the exposed admin path and start guessing your email and password; with automated tools it is only a matter of time before they get it right.

The idea is to come up with an admin path that is hard to guess, made up of a combination of letters and numbers. Here is an example:

Instead of www.example.com/store/admin you can have www.example.com/store/secure-path

Note that when you change the admin path you should not change the admin base URL setting in the admin section of the system configuration; if you do, Magento will deny you access to the admin panel. The change is made in the line

<![CDATA[admin]]>

which is located in the .xml file at app/etc/local.xml.

From there you can change the word admin to a more secure path such as the example above, “secure-path”. Make sure that the path is not easily identifiable. From then on you will have to use the new path to reach the admin panel.

Create a strong admin name and an equally strong password (make them long and complex)

The rule of thumb for login passwords is simply to make them long and complex. Passwords need to be at least 8 characters long, and the username should also be hard for attackers to guess. Users tend to leave the admin username bare, such as “administrator” or “admin”. The ideal admin username should take a different path, such as a made-up name that is easy to remember, your nickname, etc.

When you set a password you should ensure it contains letters, numbers and special characters. During the initial creation of the Magento site there is a provision for username and password creation; however, you can change them later under System > My Account.

A word of caution: never use the admin password to access any other site. The reality is that most people use a single password for various accounts online, which makes compromising all of them a walk in the park. The password on your Magento site should be unique so that a breach elsewhere does not hand attackers your store.

Another caution is that you should never store your password on your personal computer. Typically browsers and password manager software store your passwords on your computer. In some instances these services are cloud based, meaning that you can retrieve your data anytime you want; but it also means your data lies exposed out there where hackers can capture and use it to harm you. Storing passwords in spreadsheet documents isn’t an option either, since it proves riskier if your laptop is hacked or stolen.

Use two factor authentication

For the uninitiated, two factor authentication is the process of using two tiers of security checks to gain access to a system. A good example is using an ATM card: the machine requires you to insert the card into the slot and then enter your PIN code before it releases your money, so you pass two identification steps. Magento provides the same kind of two factor authentication, whereby in addition to entering your username and password you also have to enter a security code that is generated every 30 seconds. The security code comes from a smartphone app, which can be purchased on Magento Connect.

With these measures in place it becomes practically impossible for an attacker to log into the ecommerce backend: they would have to identify your custom admin path, know your unique username and password, and obtain a security code that changes every 30 seconds.

Disallow access from unauthorized IP addresses

Magento can be set up so that the admin panel accepts requests only from a predefined set of IP addresses. This can be achieved either through .htaccess or through the Apache LocationMatch directive. Either way you build a list of the IP addresses of yourself and anyone else who deserves access; only those addresses can reach the Magento admin panel, and all others are refused.

Through .htaccess you edit the file to enter the IP addresses that should be allowed.

Enter this code in your .htaccess:

# Apache 2.2 access control: deny everyone, then allow the listed addresses.
# Do not wrap these in <Limit GET POST>: that would leave every other HTTP method open.
# On Apache 2.4 the equivalent is: Require ip 154.122.79.218 168.121
Order deny,allow
Deny from all
Allow from 154.122.79.218
Allow from 168.121

In the above example “154.122.79.218” will be allowed, plus all IP addresses starting with “168.121”. Any unspecified IP address will be denied access. Next, create an admin folder in the ecommerce site’s root directory. Copy index.php into it and change the relative paths to config.php and Mage.php by editing the following two lines:

$compilerConfig = '../includes/config.php';
$mageFilename = '../app/Mage.php';

Then go back to the .htaccess in the site root and redirect users arriving at the admin path to the new directory by adding the following to that .htaccess.

# "Redirect 301" is the same directive written with the status code instead of the keyword
Redirect permanent /index.php/{admin_path} /admin/index.php/{admin_path}

In the above, {admin_path} stands for the new admin path created in the custom admin path step. If your store uses URL rewrites so that the admin URL has no index.php in it, add a matching redirect for that form as well. Note that this approach is only practical if your internet provider gives you a static IP address.

With the Apache LocationMatch directive you use the following code:

<LocationMatch "admin">
    # Apache 2.2 syntax; on Apache 2.4 use: Require ip 154.122.79.218
    Order Deny,Allow
    Deny from All
    Allow from 154.122.79.218
</LocationMatch>

If you have created a custom admin path, replace admin in the above code with it. Keep in mind that LocationMatch takes a regular expression, so "admin" matches any URL that contains that string; use your exact custom path. The downside of both methods is that whenever you need to reach your admin panel while travelling or otherwise away from the specified IP addresses, you have to keep updating the list you have just written.

Use secure FTP for file uploads

There are two transfers that need to be encrypted: the data exchanged between your browser and the server, and the files moved to your server through FTP. The latter in particular must be secured, since plain FTP sends credentials in clear text and attackers routinely intercept FTP passwords. It can be secured with SFTP (the SSH file transfer protocol), which encrypts the whole session and lets you replace passwords with private key authentication. You should also make sure that your file permissions are not set to 777, because in that state anyone can write to them and cause irrevocable damage.

Use the latest version of Magento

You often hear the phrase that the latest is not necessarily the best, especially when it comes to software, but this is not the case with Magento. Each new version ships with security updates that counter the risks identified in earlier versions. In short, you are better off using the latest version of Magento to ensure maximum security.

Use HTTPS/SSL (encrypted) for login pages

The problem with an insecure connection is the risk of your username and password being intercepted by cybercriminals. This is fixed by enabling HTTPS/SSL secure URLs. Open the System tab in the main toolbar, choose Configuration from the drop-down menu, then go to Web and open the Secure section. There, change the base URL from http://… to https://…; after changing the base URL, set “Use Secure URLs in Frontend” and “Use Secure URLs in Admin” to Yes. Lastly, click “Save Config” to save the new settings.

Use a unique and secure email address

With the amount of information exposed on social media it is quite easy for a sophisticated attacker to identify the admin of a site. The most likely scenario is a company using a standard email format, or people listing their emails on social media sites such as LinkedIn. The attacker first tries to break into the email account they suspect manages the Magento site, which in turn gives them access to the backend of the ecommerce site.

As a precaution, you should never use your ordinary email to access the admin login. The email used should be private and secure enough to keep attackers at bay when they try to infiltrate your site. Remember to make this email as complex and secure as the username and password described in the previous paragraphs.

Secure your local .xml file

The local.xml file holds the database connection details for your ecommerce store plus the encryption key used to secure the data. You will find it in the /app/etc/ folder, and it is a high-value target: anyone who reads it can reach all of your customers’ information, and we don’t want that, do we? The details can also be used to cause caching issues on the server and bring the store down with it.

Under normal circumstances a new installation has local.xml tightly locked down through .htaccess, but older installations can leave the local.xml file readable by the public. Even later installs can expose the file if the Apache server does not have AllowOverride enabled for that directory, because the .htaccess is then ignored.
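Added here as an example, not code from the article or from Magento: a small shell audit covering the custom admin path step above and this section. It assumes the Magento 1 layout, with app/etc/local.xml under the store root passed as the first argument; the sample local.xml fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the article or from Magento): checks on app/etc/local.xml
# for the custom admin path step and for the "secure your local .xml" step.
# Assumes the Magento 1 layout: $1 is the store root containing app/etc/local.xml.

# Constructed local.xml fragment (admin front name already renamed) for testing.
SAMPLE_LOCAL_XML='<config>
  <admin><routers><adminhtml><args>
    <frontName><![CDATA[secure-path]]></frontName>
  </args></adminhtml></routers></admin>
</config>'

# Print the admin front name: the text inside <frontName><![CDATA[...]]></frontName>.
admin_front_name() {
    sed -n 's/.*<frontName><!\[CDATA\[\([^]]*\)]]><\/frontName>.*/\1/p' "$1/app/etc/local.xml"
}

# Succeeds only if the front name is set and is no longer the default "admin".
check_admin_path() {
    name=$(admin_front_name "$1")
    [ -n "$name" ] && [ "$name" != "admin" ]
}

# Succeeds if app/etc/.htaccess exists and blocks web access (2.2 or 2.4 syntax).
check_app_etc_protected() {
    f="$1/app/etc/.htaccess"
    [ -f "$f" ] && grep -Eiq 'deny from all|require all denied' "$f"
}

# Write an app/etc/.htaccess that works on both Apache 2.2 and 2.4; it only
# takes effect where the vhost has AllowOverride enabled for this directory.
protect_app_etc() {
    cat > "$1/app/etc/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Usage: sh local-xml-check.sh /path/to/magento
if [ -d "${1:-}" ]; then
    check_admin_path "$1" && echo "admin front name: changed from default" \
        || echo "admin front name: still 'admin' or missing"
    check_app_etc_protected "$1" && echo "app/etc/.htaccess: denies web access" \
        || echo "app/etc/.htaccess: missing or permissive (run protect_app_etc)"
fi
```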

Disable malicious PHP functions

Some PHP functions are, by their nature, commonly abused in attacks, so it is worth disabling them. Of course, your site might depend on some of these functions; in that case look for alternatives that offer closely related functionality. The simplest way to disable them is to add this rule to your php.ini file:

disable_functions=proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen

Disable directory indexing

When directory indexing is enabled, the web server lists the contents of any folder that has no index file, so the folders and what they contain are exposed to search engines and, consequently, to attackers. With indexing disabled it becomes harder for attackers to learn what is in a folder and to spot weaknesses in your site.

The simplest way to stop visitors from browsing the files in folders on your web server is to add the following line to the .htaccess of your ecommerce site:

Options -Indexes

Lock down your Magento Connect Manager

Magento Connect Manager makes installing third party extensions much easier. However, it is also a tempting route for attackers into your backend. To increase security you can change the downloader path so that it is harder to find. You can go further by restricting the downloader path to specific IP addresses.

Change your file permissions

For added security, it is important to ensure that your folders and files are not writable by anyone other than you. This is achieved by changing folder permissions to 755 and file permissions to 644. Anything set to 777 or 666 should be changed immediately. The simplest method is to run the following commands over SSH:

# Directories: owner may write, everyone else may only list and enter (755)
find . -type d -exec chmod 755 {} \;
# Files: owner may write, everyone else may only read (644)
find . -type f -exec chmod 644 {} \;

The var and media folders can be excluded and thus retain 775, since the web server needs to write to them. The exact settings depend on a number of factors, such as the Magento version and the hosting environment.
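The following shell script is an added example (not from the article): it audits a Magento tree for anything writable by other users and repairs it with the 755/644 scheme above, keeping 775/664 in var and media as the text allows. It assumes the Magento 1 directory layout and a GNU or BSD find.

```shell
#!/bin/sh
# Added example (not from the article): audit and repair Magento file permissions.
# Assumes the Magento 1 layout; var/ and media/ keep group write (775/664) because
# the web server writes caches, sessions and uploads there. Everything else gets
# 755 for directories and 644 for files, so nothing is writable by "others".

# Print every path writable by "others" (777/666 and similar). Exit 0 when clean, 1 otherwise.
list_world_writable() {
    root="${1%/}"
    hits=$(find "$root" -perm -002 -print)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Number of paths writable by "others"; handy for a one-line health check.
count_world_writable() {
    find "${1%/}" -perm -002 | wc -l | tr -d ' '
}

# Apply 755/644 outside var/ and media/, and 775/664 inside them.
fix_permissions() {
    root="${1%/}"
    # -prune keeps find out of var/ and media/; the -o branch runs for everything else
    find "$root" \( -path "$root/var" -o -path "$root/media" \) -prune \
         -o -type d -exec chmod 755 {} +
    find "$root" \( -path "$root/var" -o -path "$root/media" \) -prune \
         -o -type f -exec chmod 644 {} +
    for d in "$root/var" "$root/media"; do
        [ -d "$d" ] || continue
        find "$d" -type d -exec chmod 775 {} +
        find "$d" -type f -exec chmod 664 {} +
    done
}

# Usage: sh magento-perms.sh audit|fix /path/to/magento
case "${1:-}" in
    audit) list_world_writable "${2:-.}" ;;
    fix)   fix_permissions "${2:-.}" && list_world_writable "${2:-.}" ;;
esac
```

Run the audit first; a non-empty listing is exactly the set of paths the article tells you to fix immediately.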

Use only trusted Magento extensions

The downside of third party extensions is that they bring additional vulnerabilities with them, which translate into opportunities for attackers, who can breach the site through the installed extensions. Therefore it is vital to install Magento extensions only from trusted sources. This applies even to older extensions that have been available for a while.

Magento Connect offers various signals you can use to judge whether an extension is trustworthy, such as ratings, reviews and popularity scores. As an added precaution, update your extensions every time a new release appears; extension updates often bring security improvements with them.

Deploy an SQL injection firewall

According to the statistics, SQL injection attacks on ecommerce sites are twice as common as on regular websites. Basically, SQL injection is a database breach technique that is very common among cybercriminals: the attacker submits crafted SQL fragments through web forms to extract the information they then use to breach the Magento site. The Magento framework comes with built-in defenses against SQL injection, but third party applications and proxy servers dedicated to this kind of defense are considerably better.

Sign up for a security monitoring service like Sucuri

These third party applications scrutinize any traffic making its way to the database, ensuring that no malicious SQL injection reaches the system. They compare the traffic against a collection of known attack scripts in order to filter out bad requests, so in the end the firewall prevents dangerous injections from infiltrating the database. See sucuri.net for more information.

Spend money on a dedicated or VPS hosting

If you are a first-time Magento user there is always a temptation to cut costs by opting for the cheapest kind of hosting (shared hosting). You may have invested in a good security setup for your Magento site and still fall victim to circumstances outside your control, such as attacks on other sites on the same shared server. Of course, how likely that is depends on the hosting company.

Instead of shared hosting, you can use cloud hosting, a virtual private server (VPS) or a dedicated server for your Magento ecommerce site. When you choose a reputable hosting company you will also get a solid web application firewall to prevent SQL injection. For example, some firewalls check every incoming HTTP request against a collection of malicious scripts in order to block it before it reaches the web server.

Keep the activity logs in check regularly

On a regular basis, you need to check your web server logs for any untoward activity. You need to be certain that attackers are not repeatedly trying to access particular pages or system areas of your Magento site. Once you discover an issue you can take a number of corrective actions; which ones depends on what you find during these frequent checks.

You can change the default paths of your admin panel, block the IP addresses that are attacking you, hire a professional cyber security expert, or inform your hosting company. It is also prudent to install a Magento extension that notifies you of suspicious activity such as multiple failed login attempts on the admin panel, or any other sign of an attacker trying to penetrate the site.
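As an added example (not part of the original article), this shell script picks out two of the patterns the section says to look for in Apache access logs: a client hammering the admin login, and clients still requesting the default admin front name after it has been renamed. It assumes the combined log format and that the admin front name was changed to "secure-path"; the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article): two admin-panel checks over Apache access logs.
# Assumes the combined log format and an admin front name renamed to "secure-path".
ADMIN_PATH="${ADMIN_PATH:-secure-path}"

# Constructed sample log, one request per line.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /index.php/secure-path/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /index.php/secure-path/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /index.php/secure-path/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /index.php/secure-path/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /index.php/secure-path/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /index.php/secure-path/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php/secure-path/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:01:09 +0000] "POST /index.php/secure-path/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:01:10 +0000] "GET /index.php/secure-path/dashboard/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:15:20:00 +0000] "GET /index.php/admin/ HTTP/1.1" 404 312 "-" "curl/8.1"
198.51.100.9 - - [10/Oct/2023:15:20:01 +0000] "GET /admin/index.php/admin HTTP/1.1" 403 312 "-" "curl/8.1"
198.51.100.9 - - [10/Oct/2023:15:20:02 +0000] "GET /index.php/admin HTTP/1.1" 404 312 "-" "curl/8.1"'

# Clients that POSTed to the admin front name ($1) at least $2 times: repeated login
# attempts. Reads log lines on stdin and prints "ip count" for each offender.
# Field 6 is the quoted method ("POST), field 7 the request path.
admin_login_bursts() {
    awk -v base="/index.php/$1" -v limit="$2" '
        $6 == "\"POST" && ($7 == base || index($7, base "/") == 1) { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }' | sort
}

# Clients still requesting the default "admin" front name, which no longer exists
# after the rename: every hit is a scanner or a stale bookmark worth a look.
default_admin_probes() {
    awk '$7 ~ /\/index\.php\/admin$/ || $7 ~ /\/index\.php\/admin\// { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# Usage: sh admin-log-check.sh /var/log/apache2/access.log [admin_front_name] [limit]
if [ -f "${1:-}" ]; then
    echo "clients with at least ${3:-5} login POSTs to the admin front name:"
    admin_login_bursts "${2:-$ADMIN_PATH}" "${3:-5}" < "$1"
    echo "clients probing the default admin front name:"
    default_admin_probes < "$1"
fi
```

An IP that shows up in either list is a candidate for the blocking or path changes described above.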

Limit unsecured FTP access

Several people in a company usually have access to an ecommerce site. Various professionals, such as a graphic designer, may be in charge of uploading visuals through FTP, and most likely they upload these files through an unsecured FTP account. To boost security you can limit such an account to specific folders, for example the “images” folder that the visuals are uploaded to.

Technically, this is achieved through the .htaccess and httpd.conf files. They prevent any unwanted scripts uploaded through that FTP account from being executed, so nothing placed in these restricted directories can change anything else on the site.

The following code needs to be added to httpd.conf to prevent any scripts from running in that folder:

# Directory takes a filesystem path; replace the placeholder with your store's real images path
<Directory "/path/to/store/images">
    # Treat script extensions as CGI, then forbid CGI execution, so Apache refuses to run them
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
</Directory>

The above example stops anything uploaded into the images folder by the unsecured FTP account from being executed. You can issue the same instructions through .htaccess instead; in that case, insert the code below.

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

It is important to place the .htaccess carrying the above code in the directory you need to protect; in our example it goes in the images folder. You should also set its permissions to read only (444) so that nobody can modify it.

Have a solid backup for your online store

Remember to back up your online data regularly in order to limit the damage an attack can cause. It is critical that you back up these files to a different server from the one where the Magento site is actually hosted.

In addition to taking regular backups, verify that the files are actually being backed up by testing restores frequently. Backups can be kept on physical storage or in a cloud service for redundancy.

Get a professional security review

Web developers may have limitations where security is concerned. You can therefore save a lot of time and effort by hiring a security expert who is conversant with Magento installations. The expert conducts a diagnostic of your site’s security to highlight any issues, running a range of checks related to the common and advanced brute force attacks seen against Magento sites.


In a nutshell, attackers improve their skills every day as technology advances. This means that no site, ecommerce or otherwise, is 100% foolproof, but if you follow the above tips you can save yourself a lot of time and resources on site security.
