23 Magento Security Tips To Avoid Getting Website Hacked
If you've been running a Magento store and are worried about brute-force attacks, this post should come as a relief. Here I've put together a round-up of 23 simple tips that will help you protect your Magento store against brute-force attacks and other common hacks, whatever their level of sophistication. So, let's get to know these tips.
Secure Your Magento Store's Local.xml File
local.xml is a critical file that contains several kinds of sensitive data, including the encryption key and the database credentials. Leaving local.xml exposed to the public is therefore a serious problem for your Magento store. To check whether the file is visible, simply visit http://domain.com/app/etc/local.xml in a browser.
If the file is visible to the public, either block web access to the entire app directory or change the permissions on local.xml to 600 (-rw-------), which limits read access to the file's owner.
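The check and the permission fix from this tip, as an added shell example (not code from the original post). MAGENTO_ROOT and STORE_URL are assumed placeholders; the exposure test does exactly what the text describes, fetching /app/etc/local.xml over HTTP and looking for Magento's <config> XML in the response.

```shell
#!/bin/sh
# Added example: audit app/etc/local.xml for web exposure and loose permissions.
# MAGENTO_ROOT and STORE_URL are placeholders, not values from the article.
set -eu

MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"
STORE_URL="${STORE_URL:-https://example.com}"

# Print the octal mode of a file ("600", "644", ...) on GNU or BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if local.xml is readable and writable by its owner only (mode 600).
local_xml_is_private() {
    [ "$(file_mode "$1")" = "600" ]
}

# Restrict local.xml to owner read/write, then re-check the mode.
lock_down_local_xml() {
    chmod 600 "$1"
    local_xml_is_private "$1"
}

# Exit 0 if the file is served over HTTP: the article's own check, fetching
# /app/etc/local.xml and seeing Magento's <config> document come back.
local_xml_is_exposed() {
    body=$(curl -s -m 10 "$1/app/etc/local.xml" 2>/dev/null || true)
    printf '%s' "$body" | grep -q '<config>'
}

main() {
    f="$MAGENTO_ROOT/app/etc/local.xml"
    if local_xml_is_exposed "$STORE_URL"; then
        echo "EXPOSED: $STORE_URL/app/etc/local.xml is served to anyone; block web access to app/"
    else
        echo "ok: local.xml is not served over HTTP"
    fi
    if local_xml_is_private "$f"; then
        echo "ok: $f is mode 600"
    else
        echo "fixing: $f is mode $(file_mode "$f"), setting 600"
        lock_down_local_xml "$f"
    fi
}

# Run the audit only when invoked as "sh audit-local-xml.sh audit", so the
# functions can also be sourced from other scripts.
if [ "${1:-}" = "audit" ]; then
    main
fi
```

Run it once after deployment and again after any hosting change; a web server that suddenly serves app/ (for example after an .htaccess was lost in a migration) is exactly the case the HTTP check catches.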
Opt For A Strong Password
One of the best ways to protect your Magento store against hacks is to use a strong password: one that has at least 15 characters, mixes uppercase and lowercase letters, and does not contain your name, a friend's name, and so on. A password manager application is an excellent way to create a strong password for your Magento store.
It is also recommended to change your password(s) frequently, so that an old password that has ended up in a commonly shared password list is of no use to an attacker.
Change The Traditional Admin Path To Custom One
Hackers are well aware that a Magento store's backend can be reached simply by navigating to domain.com/admin in the browser. It is therefore recommended to change the admin path to something that is hard to guess. Here are the three steps:
- Open the /app/etc/local.xml configuration file.
- Within this file, find <![CDATA[admin]]> and replace "admin" with the path you would like to use. For instance, if you change it to customadmin, the admin path becomes domain.com/customadmin.
- After changing the URL, refresh your Magento caches.
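The three steps above as one added shell script (not code from the original post). It backs up local.xml before editing, refuses a path containing anything other than letters, digits, "_" or "-" so the XML stays valid, and flushes the on-disk cache directories under var/ as the refresh step; MAGENTO_ROOT is an assumed placeholder.

```shell
#!/bin/sh
# Added example: change the admin frontName in app/etc/local.xml and flush caches.
set -eu

# Print the admin frontName currently configured in local.xml.
current_admin_path() {
    sed -n 's|.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*|\1|p' "$1" | head -n 1
}

# Replace <![CDATA[admin]]> with the new path. Only plain letters, digits,
# "_" and "-" are accepted, so nothing can break the XML or the sed expression.
set_admin_path() {
    file="$1"; new="$2"
    case "$new" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid admin path: '$new'" >&2; return 1 ;;
    esac
    grep -q '<!\[CDATA\[admin]]>' "$file" || {
        echo "no <![CDATA[admin]]> frontName found in $file" >&2; return 1; }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    sed -i.tmp "s|<!\[CDATA\[admin]]>|<![CDATA[$new]]>|" "$file" && rm -f "$file.tmp"
}

# Magento 1 keeps its caches on disk under var/cache and var/full_page_cache;
# emptying them is the "refresh your caches" step of the procedure.
flush_magento_cache() {
    root="$1"
    rm -rf "$root/var/cache/"* "$root/var/full_page_cache/"* 2>/dev/null || true
}

main() {
    root="${MAGENTO_ROOT:-/var/www/magento}"   # assumed placeholder
    set_admin_path "$root/app/etc/local.xml" "$1"
    flush_magento_cache "$root"
    echo "admin path is now: $(current_admin_path "$root/app/etc/local.xml")"
}

# Usage: MAGENTO_ROOT=/path/to/magento sh change-admin-path.sh customadmin
if [ $# -eq 1 ]; then
    main "$1"
fi
```

Keep the generated local.xml.bak.* file outside the document root once you have confirmed the new path works, for the same reason local.xml itself must not be web-readable.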
Use SSL/HTTPS For All Login Pages
Without an encrypted connection, your username and password travel in clear text every time you log in, and anyone on the network path can capture them. You can eliminate this risk by requiring SSL/HTTPS for every page that asks the user to log in.
To do this, click the 'System' tab in the main toolbar and choose 'Configuration' from the drop-down menu. Then click the "Web" tab in the left-hand navigation and open the "Secure" section in the main window. From there, change the store's secure base URL from http://... to https://...
Once that is done, select "Yes" for both "Use Secure URLs in Frontend" and "Use Secure URLs in Admin". Finally, click the "Save Config" button to save the changes.
Opt For A Secure FTP
One of the easiest ways to hack a Magento e-commerce store is simply to guess an FTP password. To protect yourself from this, I recommend using strong FTP passwords together with SFTP (SSH File Transfer Protocol) or FTP-SSL (explicit AUTH TLS).
For an additional level of security, I would advise using public key authentication with SFTP.
Upgrade Your Magento To Latest Stable Version
By updating Magento to the latest version, you receive all the latest security features introduced for the platform. Running your store on the latest Magento version closes the loopholes that would otherwise give hackers a convenient way into vital areas of your store.
Upgrade Your Current Operating System To The Most Recent Version
Software upgrades not only bring new features, but also remove security vulnerabilities and fix many bugs. It is therefore essential to run the latest version of your operating system, making sure it works properly with both Magento and the server software.
Install Magento Security Patches On Priority
Magento Support provides patches for Magento CE and EE on its website www.magentocommerce.com. Simply create an account there, go to the Patches section for your Community or Enterprise Edition, locate the patch you need and click the "Download" button.
If you're a Magento EE user, it is highly recommended to examine your web server document root for any unfamiliar files. If you find an unknown file, download the SUPEE-5344 patch from the Magento Support Portal immediately.
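"Examine the document root for unfamiliar files" is only reliable when you know what was there before. The following added shell example (not Magento's tooling and not from the original post) records a SHA-256 manifest of the document root right after a clean deployment or patch, and later reports files that are new, changed or missing. DOCROOT and MANIFEST are assumed placeholders; var/ is skipped because caches and sessions churn constantly, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: baseline the document root and detect files that appeared later.
set -eu

# Write "sha256  ./path" for every regular file under $1 (except var/) into $2.
build_manifest() {
    ( cd "$1" && find . -type f ! -path './var/*' -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Compare the tree under $1 with the saved manifest $2. Prints one line per
# difference (NEW / CHANGED / MISSING <path>) and exits 1; exits 0 when the
# tree matches the baseline exactly. NEW is the case the article warns about.
verify_manifest() {
    root="$1"; baseline="$2"; current=$(mktemp)
    build_manifest "$root" "$current"
    report=$(awk '
        NR == FNR { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in cur)  if (!(p in base))                 print "NEW " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED " p
            for (p in base) if (!(p in cur))                  print "MISSING " p
        }' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage:  sh docroot-manifest.sh baseline   (after a clean deploy or patch)
#         sh docroot-manifest.sh verify     (from cron, e.g. daily)
DOCROOT="${DOCROOT:-/var/www/magento}"                  # assumed placeholder
MANIFEST="${MANIFEST:-/var/lib/magento-manifest.txt}"   # keep outside the docroot
case "${1:-}" in
    baseline) build_manifest "$DOCROOT" "$MANIFEST"; echo "baseline written to $MANIFEST" ;;
    verify)   verify_manifest "$DOCROOT" "$MANIFEST" && echo "document root matches baseline" ;;
esac
```

Store the manifest outside the document root and preferably on another host; an attacker who can write to the docroot could otherwise update the baseline along with the file they dropped.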
Prevent SQL Injection Attacks
SQL injection is a common attack on applications built with PHP and MySQL. Although the Magento platform itself does not have known vulnerabilities that expose you to these attacks, a poorly written extension may. SQL injection is a severe attack and needs to be handled as a priority; the OWASP SQL Injection Prevention Cheat Sheet gives guidelines on preventing it.
Choose A Good Hosting Provider
It's important to choose a secure hosting service. Do not pick a hosting provider based on price alone.
Make sure the provider is trusted and secure, and do enough research about the provider and any previous security incidents it has suffered. Many hosting providers are not well prepared for hacking attacks, so make sure you use enough tools of your own to keep your website safe.
Keep Your Admin Email Address Secret
You must not share your admin email address publicly. Any email communication with the public should go through a separate email address.
For example, you can use firstname.lastname@example.org for administering the Magento store, while creating email@example.com for external communication and sharing only that address publicly.
Never Use Your Magento Admin Password For Anything Else
If you have multiple online accounts, never reuse your Magento admin password on any other site.
This is important because many hackers start with a weaker website and then try to get into other sites with the same username and password.
This is a common technique used to compromise multiple email accounts at popular providers like Gmail, Yahoo and Outlook.
Most online users keep the same email password across several providers. This is not secure, and hackers exploit it frequently.
Don’t Save Your Password On Your Computer Or Browser
You should never store your password on a computer in plain text. If you need to store it, prefer a password manager application instead.
Password managers save passwords in encrypted form, which is not easy to decrypt; the stored passwords are unlocked with a master password.
On a Mac, you can store your passwords in the Keychain.
Disable Directory Indexing
A poorly configured Magento server shows directory listings, which can hand sensitive information to a hacker.
Disable directory listing on the Magento web server to protect against this. In general, restrict access to all unnecessary directories and files.
Also add a default index file to each directory, so that you control what is shown for the directory instead of a listing of its files.
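Both steps of this tip in one added shell example (not from the original post), written for Apache: it checks a configuration or .htaccess file for an "Options -Indexes" (or "Options None") line, appends the directive to the document root's .htaccess when it is missing, and drops an empty index.html into every directory that has neither index.html nor index.php. DOCROOT is an assumed placeholder, and "Options" in .htaccess only takes effect if AllowOverride permits it.

```shell
#!/bin/sh
# Added example: turn off Apache directory listings and add default index files.
set -eu

# Exit 0 if the file turns listings off with "Options -Indexes" or "Options None"
# on an uncommented line, 1 otherwise.
listing_disabled_in() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*(-Indexes|None)' "$1"
}

# Append "Options -Indexes" to the document root's .htaccess unless it is
# already disabled there.
disable_listing() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && listing_disabled_in "$htaccess"; then
        return 0
    fi
    printf '\nOptions -Indexes\n' >> "$htaccess"
}

# Create an empty index.html in each directory below $1 (var/ excluded) that has
# no index.html or index.php, so a directory request returns a blank page rather
# than a listing even if the server configuration is later weakened. Prints each
# directory it touched, relative to $1.
add_default_index() {
    root="$1"
    ( cd "$root" && find . -type d ! -path './var/*' ) | while IFS= read -r d; do
        if [ ! -e "$root/$d/index.html" ] && [ ! -e "$root/$d/index.php" ]; then
            : > "$root/$d/index.html"
            echo "$d"
        fi
    done
}

# Usage: DOCROOT=/var/www/magento sh disable-listing.sh apply
if [ "${1:-}" = "apply" ]; then
    docroot="${DOCROOT:-/var/www/magento}"   # assumed placeholder
    disable_listing "$docroot"
    echo "added index.html in $(add_default_index "$docroot" | wc -l | tr -d ' ') directories"
fi
```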
Keep Site Backup
Always keep a backup of your website so that you do not lose all your data in the worst case. This is good practice against hardware failures, but it is also invaluable if your site gets hacked and the attackers corrupt your data.
If the data was backed up, you can easily restore an older copy. Prefer automated periodic backups, and take a manual backup whenever major changes are made to the site.
Things to back up:
- MySQL database data
- Server redirect rules
- Magento installation directory
- Any digital assets including PDF and other documents.
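A backup script covering the four items listed above, as an added shell example (not from the original post). The database is dumped with mysqldump in a single transaction so the store keeps running, the Magento directory, the redirect rules file and the documents directory go into one compressed tar, and archives older than 30 days are pruned. Every path, the database name and user, and the backup destination are assumed placeholders; the MySQL password is expected in ~/.my.cnf or MYSQL_PWD rather than on the command line.

```shell
#!/bin/sh
# Added example: periodic backup of database, Magento files, redirect rules and documents.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/backups/magento}"                      # assumed placeholder
MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"                      # assumed placeholder
DB_NAME="${DB_NAME:-magento}"                                         # assumed placeholder
DB_USER="${DB_USER:-magento}"                                         # assumed placeholder
REDIRECT_RULES="${REDIRECT_RULES:-/etc/nginx/conf.d/magento-redirects.conf}"  # assumed
DOCS_DIR="${DOCS_DIR:-/var/www/documents}"                            # assumed placeholder

timestamp() { date +%Y%m%d-%H%M%S; }

# Dump the database. --single-transaction gives a consistent InnoDB snapshot
# without locking tables; --routines/--triggers include stored code.
backup_database() {
    mysqldump --single-transaction --routines --triggers -u "$DB_USER" "$DB_NAME" \
        | gzip > "$1/db-$DB_NAME-$(timestamp).sql.gz"
}

# Archive the given paths into the compressed tar named by $1. Paths that do
# not exist are skipped (e.g. no separate redirect file); if nothing exists,
# nothing is written and the function fails. Prints the archive path on success.
backup_paths() {
    out="$1"; shift
    list=$(mktemp)
    for p in "$@"; do
        [ -e "$p" ] && echo "$p" >> "$list"
    done
    [ -s "$list" ] || { rm -f "$list"; echo "nothing to back up" >&2; return 1; }
    tar -czf "$out" -T "$list"
    rm -f "$list"
    echo "$out"
}

# Exit 0 if the archive can be read and lists at least one entry.
archive_has_entries() {
    [ "$(tar -tzf "$1" | wc -l | tr -d ' ')" -gt 0 ]
}

# Delete archives in $1 older than $2 days so the backup volume does not fill up.
prune_old_backups() {
    find "$1" -type f -name '*.gz' -mtime +"$2" -delete
}

main() {
    mkdir -p "$BACKUP_DIR"
    backup_database "$BACKUP_DIR"
    archive=$(backup_paths "$BACKUP_DIR/files-$(timestamp).tar.gz" \
        "$MAGENTO_ROOT" "$REDIRECT_RULES" "$DOCS_DIR")
    archive_has_entries "$archive"
    prune_old_backups "$BACKUP_DIR" 30
}

# Usage (from cron):  sh magento-backup.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Copy the archives to a second machine or object storage; a backup that sits on the same server as the store disappears together with it when the server is compromised or fails.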
Use Two Factor Authentication
Two-factor authentication is a highly effective way to protect an online account. We recommend enabling it on all Magento admin accounts; it stops an admin account from being taken over by a brute-force attack on the password alone.
Magento does not support two-factor authentication out of the box, but there are a few Magento extensions that you can easily install and enable.
Restrict Admin Access To Only Approved IP Addresses
Do not allow admin access from every internet address. Allow only your own IP addresses to reach the admin area; this keeps unwanted visitors from even attempting to log in to your admin account.
Magento does not support this out of the box, but there are a few Magento extensions that you can easily install and enable for IP restriction.
Keep Your Anti-Virus Software Up To Date
This sounds obvious, but many people ignore it and do not keep their anti-virus software up to date. Preferably enable automatic updates, or otherwise update it manually and frequently.
Update Your Passwords Before & After Working With Outside Developers
Many online and e-commerce business owners work with freelance developers to get things done faster and with good quality. This may require sharing the admin account details with several developers. Reset the password before the work starts and again after it is completed. This limits the damage a malicious developer, or a leaked credential, can do later.
Change Your File Permissions
This is a common mistake on Unix systems. Give files and documents only the permissions they actually need: no more, no less.
Documents that are only meant to be downloaded should have read permission only, with no write permission. This prevents accidental corruption, because the operating system ensures that no program can modify a document it has no write permission for.
This is trickier on Windows-based systems, where the permission model is not as strong as on Unix, but try to limit permissions as much as possible there too.
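The "read-only documents" rule from this tip as an added shell example (not from the original post): one function strips every write bit from the files under a documents directory, and a second lists any file that is still writable so the check can run from cron and alert on drift. DOCS_DIR is an assumed placeholder; directories keep their mode so the web server can still traverse them.

```shell
#!/bin/sh
# Added example: make downloadable documents read-only and detect writable ones.
set -eu

# Print the octal mode of a file on GNU or BSD stat.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Remove the write bit for owner, group and others from every regular file
# under $1. Directories are left alone.
make_documents_read_only() {
    find "$1" -type f -exec chmod a-w {} +
}

# Print each regular file under $1 that still has any write bit set
# (owner 200, group 020, others 002). Exit 0 if none, 1 if any were found.
writable_files() {
    found=$(find "$1" -type f \( -perm -200 -o -perm -020 -o -perm -002 \))
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage:  DOCS_DIR=/var/www/documents sh lock-documents.sh fix
#         DOCS_DIR=/var/www/documents sh lock-documents.sh check   (e.g. from cron)
docs="${DOCS_DIR:-/var/www/documents}"   # assumed placeholder
case "${1:-}" in
    fix)   make_documents_read_only "$docs"; echo "write bits removed under $docs" ;;
    check) writable_files "$docs" && echo "ok: nothing writable under $docs" ;;
esac
```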
Lockdown Your Magento Connect Manager
Magento Connect Manager is the way to add extensions to your Magento store. It is a powerful tool for setting up an e-commerce store, and many powerful and useful add-ons can be installed through it.
However, once setup is complete you should disable the Connect Manager to prevent any further changes to the store. Every extension installation should be a deliberate decision, tested first on a non-live site. Once an extension has been tried and tested, enable the Connect Manager to install it, and then disable it again as soon as the installation is done.
Disable Any Dangerous PHP Functions
PHP supports some dangerous functions that Magento does not need for its standard functionality. To prevent hacks and exploits that rely on these functions, we can easily disable them in PHP.
Add the following line to your php.ini file to disable some common sensitive functions that are used in exploits:
disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen
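A small checker for that setting, as an added shell example (not from the original post). It reads the effective disable_functions value from a php.ini (last uncommented setting wins, as PHP itself does), reports which of the eight functions listed above are still enabled, and can print a merged value that keeps whatever the file already disables. PHP_INI is an assumed placeholder; remember that PHP-FPM and mod_php may read different ini files, and that the setting only takes effect after PHP is restarted.

```shell
#!/bin/sh
# Added example: verify that php.ini disables the functions listed in the article.
set -eu

REQUIRED_DISABLED="proc_open phpinfo show_source system shell_exec passthru exec popen"

# Print the functions named in disable_functions, one per line (spaces and
# quotes stripped). Only the last uncommented setting counts.
disabled_functions_in() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' '\n' | tr -d ' \t"'
}

# Print every required function the ini does not disable; exit 0 when the
# list is complete, 1 otherwise.
missing_disabled_functions() {
    have=$(disabled_functions_in "$1")
    missing=""
    for fn in $REQUIRED_DISABLED; do
        printf '%s\n' "$have" | grep -qx "$fn" || missing="$missing $fn"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' $missing
    return 1
}

# Print a comma-separated value combining what the ini already disables with
# the required list, for pasting into disable_functions.
merged_disable_functions() {
    { disabled_functions_in "$1"; for fn in $REQUIRED_DISABLED; do echo "$fn"; done; } \
        | grep -v '^$' | sort -u | paste -sd, -
}

# Usage: PHP_INI=/etc/php/7.4/fpm/php.ini sh check-disable-functions.sh
if [ "${1:-}" = "check" ]; then
    ini="${PHP_INI:-/etc/php.ini}"   # assumed placeholder
    if missing_disabled_functions "$ini" >/dev/null; then
        echo "ok: all required functions are disabled in $ini"
    else
        echo "still enabled in $ini: $(missing_disabled_functions "$ini" | paste -sd' ' -)"
        echo "suggested line: disable_functions = $(merged_disable_functions "$ini")"
    fi
fi
```

A complementary runtime check is to call the affected functions from a throwaway PHP script on the server and confirm they raise a warning; the ini check alone cannot tell whether the web server is actually loading that file.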
Only Use Trusted Magento Extensions
Many developers create Magento extensions, but not all of them can be trusted. Prefer extensions from trusted developers and from marketplaces that are used by thousands of Magento users.
MagentoConnect is a trusted website to get any extensions.
Although no e-commerce website is 100% unhackable, seriously implementing the tips above will considerably decrease the chances of your Magento store getting hacked.