Securing Magento 101: The Basics

Securing Magento

“It takes 20 years to build a reputation and five minutes to ruin it.”

— Warren Buffett

In the age of e-commerce, those five minutes could be considerably shorter. Your e-commerce business hinges on your customers trusting your site completely.

With an install base of nearly 100,000 live websites and a market share that has surpassed 13%, Magento sites around the globe represent a huge target for malicious actors looking to compromise sites for profit.

Just last week, a “massive website hacking campaign that has infected 7,339 Magento stores” was announced. Would you want to be one of those site owners? Would you want to explain to your customers that their credit card information was stolen?

Nope.

That’s why securing Magento is an absolutely critical step for your e-commerce business.

Typically, the way attackers compromise a Magento site is a cyclical process. It looks something like this:

The four stages of an e-commerce attack; you need to understand this process in order to secure Magento effectively.

  1. Identify a specific vulnerability in the e-commerce platform (Magento).
  2. Target an e-commerce store with this vulnerability.
  3. Attack the store with this vulnerability.
  4. Exploit the vulnerability until it’s found and patched; then repeat.

So our goal is simple: prevent the cycle shown above from ever starting. Here are some simple, basic rules that every Magento site operator should follow.


Ten Tips for Securing Magento

1. Regularly Apply Patches

Security patches close known holes, and Magento releases them regularly. Apply them promptly: the attack cycle above starts with a known vulnerability, and mass campaigns typically target stores that are still running a version for which a fix has already been published. A store that is always current is a moving target those campaigns miss. Test each patch on a staging copy first, then roll it out to production, and subscribe to Magento’s security announcements so you hear about new patches as soon as they are released.

2. Use Modules/Extensions from Authentic Sources

One of the reasons you probably chose Magento was its extensibility and the large number of modules and extensions available for the platform. Make sure you only install modules and extensions from Magento Marketplace. You should also investigate the background of a module’s developer, and thoroughly read the module’s reviews, before installing it on your store. Keep extensions patched just as you do Magento itself, and remove any you no longer use: a third-party module runs with the same privileges as the rest of your store, so a vulnerable one compromises the store just as surely as a flaw in Magento core would.

3. Change Passwords Before and After you Seek Any External Assistance

Any time you ask a developer to work on your store (even us) you will need to share credentials with them. Always provide the minimal set of credentials the work requires, which usually means a Magento admin account. The proper way to do this is to create a new administrator account for the developer, assigned a role that grants only the permissions the job needs and protected by a long random password, rather than handing over your own login. Once the work is finished, disable that account and/or change its password. In some circumstances they will need SSH access, and the same principle holds: give them their own SSH user, preferably authenticated with an SSH key instead of a password, and disable that account (or remove the key) when the engagement ends. A separate account per person also leaves you an audit trail of who did what.

Bonus tip: restrict SSH so that only specific IP addresses can connect to your store, and disable password-based SSH logins in favour of keys. Moving SSH to a non-standard TCP port cuts down on automated scanning noise in your logs, but it is not a security control on its own and must not be relied on instead of the restrictions above. Your hosting provider can assist you with configuring this.
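The following script is an added example for this tip, not code from the original article or from BCS Engineering. It audits an sshd_config for the three settings the tip depends on (no password logins, no direct root login, an explicit allow list of users and source addresses) and shows a weak and a hardened configuration side by side. The two configurations are constructed samples written to temporary files so the script runs offline; the account names and the 203.0.113.x addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article or BCS Engineering): audit an
# sshd_config for the restrictions discussed above.  Two constructed sample
# configurations are written to temp files so the script runs offline; on a
# real host, point audit_sshd_config at /etc/ssh/sshd_config instead.  The
# user names and 203.0.113.x addresses below are placeholders.

# sshd_setting FILE KEYWORD -> prints the effective value, or "unset".
# sshd honours the FIRST occurrence of a keyword, so we stop at the first
# match, and we stop entirely at the first Match block because settings below
# it only apply conditionally.
sshd_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match"      { exit }          # conditional section begins
        tolower($1) == key {                          # first occurrence wins
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE -> prints one finding per line (nothing if clean).
audit_sshd_config() {
    v=$(sshd_setting "$1" PasswordAuthentication)
    # "unset" is a finding too: OpenSSH's compiled-in default is "yes".
    [ "$v" = "no" ] || echo "PasswordAuthentication is '$v': set it to 'no' and use keys"

    v=$(sshd_setting "$1" PermitRootLogin)
    # Anything but an explicit "no" is flagged, including the OpenSSH default
    # "prohibit-password": developers should log in as named users and use sudo.
    [ "$v" = "no" ] || echo "PermitRootLogin is '$v': set it to 'no'"

    v=$(sshd_setting "$1" AllowUsers)
    [ "$v" != "unset" ] || echo "AllowUsers is unset: list who may log in, and from where (user@address)"
}

# audit_sshd_config_count FILE -> number of findings, for scripting.
audit_sshd_config_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

weak_conf=$(mktemp)
hardened_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$hardened_conf"' EXIT

# Constructed: a distribution default left untouched.  The commented-out line
# is how distributions document defaults; it does not set anything.
cat > "$weak_conf" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF

# Constructed: the same host after applying the tip.  Logins are limited to
# two named accounts, each from a specific source address or range, and
# passwords are off.  The non-standard port is optional noise reduction only;
# it is not what makes this configuration safe.
cat > "$hardened_conf" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers storeadmin@203.0.113.10 contractor@203.0.113.0/24
EOF

for conf in "$weak_conf" "$hardened_conf"; do
    echo "== $conf"
    audit_sshd_config "$conf"
    echo "findings: $(audit_sshd_config_count "$conf")"
done
```

On a live server, run `audit_sshd_config /etc/ssh/sshd_config`. The `user@address` form of AllowUsers does the IP restriction inside sshd itself; your hosting provider may prefer to do it at the host firewall instead, and either is fine. After editing sshd_config, check it with `sshd -t` before restarting, and keep your existing session open until a fresh login succeeds, so a typo does not lock you out of your own store.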

4. Schedule a Recurring Security Review

We highly recommend not becoming complacent about securing Magento; just because you are safe today does not mean you are safe tomorrow. You are probably not a security expert, either, so it makes sense to have an independent review of your store regularly to ensure that everything is working smoothly and, most importantly, securely.

Schedule a recurring security review of the Magento e-commerce store with a certified Magento developer to ensure that your store is always as safe as it can be.

5. Use SSL/HTTPS

HTTPS encrypts all data that passes between browsers and your server using TLS (the successor to SSL, whose name has stuck); this ensures that a third party on the network cannot read or tamper with the data as it travels between the user and the server. It is absolutely essential to securing your store and a strict requirement for PCI DSS compliance. Serve the whole store over HTTPS, not just the checkout: redirect plain HTTP requests to HTTPS, enable Magento’s “Use Secure URLs” settings for both the storefront and the admin area, and keep your certificate current, because an expired certificate trains your customers to click through browser warnings.

6. Use SFTP

SFTP (file transfer over SSH) encrypts both the files and the credentials you use to upload them to your Magento store. Plain FTP sends your username and password in cleartext, where anyone on the network path can capture them. Like HTTPS, SFTP prevents third parties from intercepting or manipulating the data you upload, so disable plain FTP on the server entirely rather than merely preferring SFTP.

7. Change the Administrative URL, Username and Password

One of the most commonly exploited weaknesses across the web is leaving administrative URLs and credentials at their defaults. You are in a hurry to get your store up and running, you do not have a good way to store a password, so you leave things set to the default, and the automated scanners that try /admin with the username “admin” find you. Making just a few small changes, setting the admin URL to a path that only you know, choosing a non-obvious admin username, and using a long random password kept in a password manager, turns your store from a soft target into a hard target. Treat the custom admin path as protection against automated guessing, not as a secret that replaces strong credentials, and make sure the admin area is only ever served over HTTPS.
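As an added example for this tip (not code from the original article or from BCS Engineering), the script below reads the configured admin path out of a store’s configuration, flags the guessable defaults, and generates a random replacement path and password. The Magento 2 `app/etc/env.php` and Magento 1 `app/etc/local.xml` layouts it parses are the real ones, but the files themselves are constructed samples written to a temporary directory so the script runs offline; the list of “default-like” paths is illustrative.

```shell
#!/bin/sh
# Added example (not from the original article or BCS Engineering): find out
# which path your admin panel answers on, flag the guessable defaults, and
# generate replacements.  Constructed config fragments stand in for a real
# store so this runs offline: the Magento 2 env.php and Magento 1 local.xml
# layouts are real, the values in them are made up.

# admin_front_name FILE -> prints the configured admin path.
# Magento 2 keeps it in app/etc/env.php ('backend' => ['frontName' => ...]);
# Magento 1 keeps it in app/etc/local.xml (<adminhtml><args><frontName>).
admin_front_name() {
    case $1 in
        *.php) sed -n "s/.*'frontName'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1 ;;
        *.xml) sed -n '/<frontName>/{s/.*<frontName>//;s/<\/frontName>.*//;s/^<!\[CDATA\[//;s/]]>$//;p;}' "$1" | head -n 1 ;;
    esac
}

# is_default_admin_path PATH -> succeeds if the path is one an attacker would
# try first.  Illustrative list; extend it with anything guessable.
is_default_admin_path() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        ''|admin|administrator|backend|manage|magento) return 0 ;;
        *) return 1 ;;
    esac
}

# check_admin_path FILE -> prints a verdict for one config file.
check_admin_path() {
    path=$(admin_front_name "$1")
    if is_default_admin_path "$path"; then
        echo "$(basename "$1"): admin path '${path:-<none>}' is guessable, change it"
    else
        echo "$(basename "$1"): admin path '$path' is not a common default"
    fi
}

# random_token LENGTH -> lowercase letters and digits, safe in a URL path.
random_token() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "$1"
}

# random_password LENGTH -> alphanumeric password guaranteed to contain both
# letters and digits, which Magento's admin password rules require.  A purely
# random draw can miss one class, so draw again until both are present.
random_password() {
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1")
        case $pw in *[0-9]*) case $pw in *[A-Za-z]*) echo "$pw"; return 0 ;; esac ;; esac
    done
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed Magento 2 app/etc/env.php with the default admin path.
env_php="$work/env.php"
cat > "$env_php" <<'EOF'
<?php
return [
    'backend' => [
        'frontName' => 'admin'
    ],
    'crypt' => [
        'key' => 'REDACTED'
    ]
];
EOF

# Constructed Magento 1 app/etc/local.xml with the same default.
local_xml="$work/local.xml"
cat > "$local_xml" <<'EOF'
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF

# Constructed: the Magento 2 file after the path was changed to a random value.
hardened_env_php="$work/env-hardened.php"
sed "s/'frontName' => 'admin'/'frontName' => 'bo-9k2x7q4m'/" "$env_php" > "$hardened_env_php"

for f in "$env_php" "$local_xml" "$hardened_env_php"; do
    check_admin_path "$f"
done
echo "suggested new admin path: bo-$(random_token 12)"
echo "suggested new admin password: $(random_password 24)"
```

In Magento 2 the path is changed with `bin/magento setup:config:set --backend-frontname=<path>`; in Magento 1 you edit the `frontName` in `app/etc/local.xml` and flush the cache. Store the generated password in a password manager, not in a file on the server, and remember that the custom path only defeats automated guessing: the password is what actually protects the account.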

8. Consider Using a WAF for Added Security

A Web Application Firewall (WAF) works differently from a traditional firewall. A “regular” firewall typically looks only at network traffic at a low level: for example, allow TCP port 80 (web traffic) or deny TCP port 22 (SSH traffic).

A WAF works at the application layer, the one closest to the user. It inspects the actual HTTP requests and can block SQL injection attempts, Cross-Site Scripting (XSS) and other application-level attacks that a traditional firewall, which sees only ports and addresses, would never detect.

WAFs therefore assist in securing Magento by adding a layer of protection to your threat reduction model and could very easily save your business someday. They complement patching rather than replace it: WAF rules can be bypassed, they need tuning so that they do not block legitimate customers, and they cannot fix a vulnerability that still exists in the code behind them.

10. Have a Disaster Recovery and Backup Plan in Place

An often unrecognized aspect of securing Magento is knowing what to do when something goes wrong. Think about how you would recover from a hack before it happens and have a plan in place; you will react faster when you discover a problem and will not have to worry about what to do: just follow the plan and solve the problem. A good backup strategy means regular copies of both the database and the files (media, themes and the app/etc configuration), stored somewhere other than the web server itself, and a restore procedure you have actually tested. The plan should also cover taking a copy of the logs before anything is rebuilt, so you can learn how the attacker got in, and rotating every password and API key afterwards, because a store restored with the old credentials is simply exposed again. Having that strategy, talking through with a developer what to do if you discover a problem, and staying calm because you have a plan can mean the difference between your site being down for a few hours and a few days.

Time spent preparing now will be far less expensive in the long run than the revenue lost during an extended downtime event.
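The script below is an added example of the backup half of such a plan; it is not code from the original article or from BCS Engineering. It takes a consistent database dump (credentials read from a MySQL option file rather than the command line), archives the store files, verifies every archive can be read back, and prunes old copies so the backups do not fill the disk. The `MAGENTO_DB_NAME` and `MAGENTO_DB_CREDS` variables, the option-file path and the sample store directory are assumptions; the demonstration at the bottom builds a tiny constructed store in a temporary directory so the whole thing runs offline without MySQL or Magento installed.

```shell
#!/bin/sh
# Added example (not from the original article or BCS Engineering): the
# backup half of a recovery plan as a runnable routine.  It takes a consistent
# database dump, archives the store files, verifies every archive, and prunes
# old copies.  The MAGENTO_DB_* variables, the option-file path and the sample
# store directory are assumptions; the demonstration at the bottom builds a
# tiny constructed store so it runs offline without MySQL or Magento.
set -eu

# dump_database OUTFILE -> gzip'd mysqldump, skipped when no database is configured.
# Credentials come from a MySQL option file (chmod 600), never the command
# line, where they would be visible in `ps` output and shell history.
dump_database() {
    if [ -z "${MAGENTO_DB_NAME:-}" ]; then
        echo "MAGENTO_DB_NAME not set, skipping database dump" >&2
        return 0
    fi
    mysqldump --defaults-extra-file="${MAGENTO_DB_CREDS:-$HOME/.my-backup.cnf}" \
        --single-transaction --quick --routines --triggers \
        "$MAGENTO_DB_NAME" | gzip > "$1"
}

# backup_store SRC_DIR DEST_DIR -> prints the path of the new archive.
backup_store() {
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/magento-$stamp.tar.gz"
    dump_database "$2/db-$stamp.sql.gz"
    # -C makes the archive hold relative paths, so it restores anywhere.
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    echo "$archive"
}

# verify_backup ARCHIVE -> prints the entry count; fails if the archive is corrupt.
# A backup you have never listed or restored is a hope, not a plan.
verify_backup() {
    gzip -t "$1" && tar -tzf "$1" | wc -l | tr -d ' '
}

# count_backups DEST_DIR -> how many archives are on disk.
count_backups() {
    ls -1 "$1"/magento-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# prune_backups DEST_DIR KEEP -> delete everything but the newest KEEP sets.
# The timestamp in the name sorts chronologically, so newest-first is sort -r.
prune_backups() {
    for pattern in 'magento-*.tar.gz' 'db-*.sql.gz'; do
        ls -1 "$1"/$pattern 2>/dev/null | sort -r | awk -v keep="$2" 'NR > keep' |
            while read -r old; do rm -f "$old"; done
    done
}

# ---- demonstration on a constructed sample store ----
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
store="$work/htdocs"
dest="$work/backups"
mkdir -p "$store/app/etc" "$store/pub/media" "$dest"
printf '%s\n' "<?php return ['backend' => ['frontName' => 'admin']];" > "$store/app/etc/env.php"
printf 'sample media bytes\n' > "$store/pub/media/logo.png"

# Four older (empty) archives so pruning has something to remove.  Constructed.
for old in 20240101-020000 20240102-020000 20240103-020000 20240104-020000; do
    tar -czf "$dest/magento-$old.tar.gz" -T /dev/null
done

latest=$(backup_store "$store" "$dest")
echo "created $latest containing $(verify_backup "$latest") entries"
prune_backups "$dest" 3
echo "archives kept after pruning to 3: $(count_backups "$dest")"
```

Run something like this from cron, with the destination on a separate volume that is then copied off the host, because a backup that dies with the server it was taken on is no backup at all. Encrypt the archives before they leave the machine: `app/etc/env.php` contains the database credentials and the store’s encryption key. And rehearse the restore, not just the backup; the `verify_backup` listing is the minimum, an actual restore to a staging copy is the real test.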


Conclusion

Because Magento is a robust platform, it has many safeguards to keep your e-Commerce store safe, but no piece of software is ever 100% invulnerable. The best thing that you can do is to implement a security-first mindset, follow expert advice on securing Magento, and never hesitate to ask questions about what’s best for your e-Commerce environment.

If you’d like to discuss your Magento store’s security, contact BCS Engineering: our professional, Magento-certified staff can assist you with improving your site’s speed and security today!