Because Magento is the most popular eCommerce software there is, it comes under the greatest number of attacks from hackers who would love to get inside your store to spam your customers, conduct phishing campaigns and steal your customers information and credit card details.
While Magento already comes with a good number of built-in security features, there is always more that can be done to protect your store from hackers and security breaches.
Over the last four years, I’ve identified 22 security improvements that I recommend for anyone looking to protect their store and keep hackers at bay.
1. Create A Custom Admin Path
An unchanged admin path makes it incredibly easy for hackers to navigate to your admin page and use Brute Force Attacks to start guessing your username and password. With software out now that can guess username and password combinations 8 million times a second, it’s only a matter of time before your Magento site gets hacked.
As an example, instead of always having your admin login page at yoursite.com/store/admin, you can change it to anything you want, such as yoursite.com/store/Jdk25X.
When changing your admin path, DO NOT change the “Admin Base URL” setting in the admin section of the system configuration as this will break Magento by preventing you from accessing the admin panel.
Instead, locate “<![CDATA[admin]]>” in your local.xml file at /app/etc/local.xml and change the “admin” word to the path you would like to use, such as an almost impossible to guess “Jdk25x”.
From here on, you’ll now be able to access your admin panel via the almost impossible to guess location of yoursite.com/store/Jdk25X.
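The local.xml edit above can be scripted, but a blind search-and-replace of `<![CDATA[admin]]>` would also hit any other value that happens to be "admin" (a database username, for example). This added example, which is not the article's own code, targets only the admin router's frontName and assumes the standard Magento 1 local.xml layout; the sample file and its values are constructed:

```shell
#!/bin/sh
# Added example, not the article's code: change only the admin router's
# frontName in a Magento 1 local.xml. Other CDATA[admin] values (e.g. a
# database username that happens to be "admin") are left untouched.

# Constructed sample local.xml with the standard Magento 1 layout.
write_sample_local_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0"?>
<config>
  <global>
    <resources>
      <default_setup>
        <connection>
          <username><![CDATA[admin]]></username>
          <password><![CDATA[constructed-secret]]></password>
        </connection>
      </default_setup>
    </resources>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
EOF
}

# get_admin_front_name FILE: prints the current frontName.
get_admin_front_name() {
  sed -n 's|.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*|\1|p' "$1"
}

# set_admin_front_name FILE NAME: rewrites only the frontName element.
# Names are limited to [A-Za-z0-9_-] so they need no URL or XML escaping.
set_admin_front_name() {
  case "$2" in
    ""|*[!A-Za-z0-9_-]*) echo "invalid frontName: $2" >&2; return 1 ;;
  esac
  sed "s|<frontName><!\[CDATA\[[^]]*]]></frontName>|<frontName><![CDATA[$2]]></frontName>|" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}
```

After running it, confirm with get_admin_front_name that only the router entry changed and that the database credentials in the same file are intact.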
2. Choose A Long & Complex Admin Username and Password
Because there is still a chance that a hacker will find your unique admin login page, be sure to use an almost impossible to crack username and password. It should be at least 15 characters long, mixes upper and lower case, punctuation and numbers.
Here are a couple of good examples:
b&q:H:-cD&’4?F>
?.~9cU=f[p[VBq4
RpaYKj*F{RM99hR
3. Never Use Your Magento Admin Password For Anything Else
Your Magento Admin password should be 100% unique and solely dedicated just for this one login. You should never use the same password you do with other sites. All too often, a hacker will get access to your usual password (that you use for almost everything online) and use it to hack your Magento site. Don’t let this happen to you.
I speak from 1st hand experience on this issue as a Chinese hacker stole $25,000 from me by using this technique! Luckily, it wasn’t by hacking my Magento site, but instead by hacking my account at the largest affiliate network online.
4. Don’t Save Your Password On Your Computer
As an added level of security, never allow your browser or password manager software to save your password to your computer. Some of these services are cloud based so that you can access all your passwords from any computer you want, but it also means that your most sensitive data is out there in the cloud just waiting for the right hacker to find it. Even keeping the password on your laptop (such as in an excel sheet) is a risk in case your laptop gets hacked or stolen.
5. Use Two-Factor Authentication
Two-factor authentication extensions ensure that only trusted devices can access your Magento backend. This extra layer of security works by requiring you to not only know your unique username and password, but also enter a security code that is randomly generated every 30 seconds on a smartphone app you can purchase from the Magento Connect Marketplace.
This makes it nearly impossible for hackers to log in to your Magento backend, because not only would they need to know your unique admin login page and your secure username and password (which you never saved on your phone or laptop), but they would also need to have your smartphone in their possession.
6. Restrict Admin Access To Only Approved IP Addresses
If the above precautions weren’t enough for you (perhaps due to PCI compliance requirements), then you can always restrict admin access to only the IP addresses you have whitelisted.
This can be achieved via .htaccess, but I prefer to use the Apache directive LocationMatch:
<code>
<LocationMatch "admin">
Order Deny,Allow
Deny from All
Allow from 10.10.10.0/24
</LocationMatch>
</code>
In the above example, be sure to change “admin” to your new unique admin login page. In this article I used “Jdk25x” as the unique admin login page, so I would switch “admin” to “Jdk25x”.
You should also change the 10.10.10.0/24 subnet mentioned above to your own subnet or your specific IP address.
The only downside of this extra level of security is that if you need to make a quick update after hours from home or while traveling, you’re going to have to update the Apache directive above with your new IP address first.
7. Always Use the Latest Version of Magento
New versions of Magento often come out to patch recently discovered security risks in the software, which is why you should always update your store to the latest stable version as soon as possible.
8. Keep Your Anti-Virus Software Up To Date
This should go without saying, but I’ve known other Magento store owners that update their anti-virus software once a quarter! To ensure a hacker doesn’t put a key-logger on your laptop, be sure to use commercial-grade anti-virus software that you update daily.
9. Require HTTPS/SSL For All Your Login Pages
Without an encrypted connection, every time you use your username and password, you run the risk of it being intercepted by a hacker. Eliminate that possibility by requiring HTTPS/SSL in Magento.
You can do that by clicking on the “System” tab in the main toolbar and choosing “Configuration” from the drop down menu. Next, click on the “Web” tab in the left hand navigation and then choose “Secure” in the main window. From here you should change the Base URL of your store from http://… to https://… Next, choose “yes” for both “Use Secure URLs in Frontend" and "Use Secure URLs in Admin”. Then, click the “Save Config” button at the top of the page and you’re good to go.
10. Always Use A Private and Secure Email Address
Sophisticated hackers often use social engineering to determine who runs the eCommerce site they want to hack. This can easily be done on LinkedIn by searching for “eCommerce” and the company’s name. Many people list their email address in their profile or have a standard email format at the company, such as firstname.lastname@company.com. From there, they will work on hacking into that company email address. Once in, they’ll go to your Magento admin panel and ask for the password to be reset. When the reset email arrives, they click on it and instantly change the email address and password associated with the admin. They are now in full control of your Magento site!
To ensure this doesn't happen to you, never use your day-to-day firstname.lastname@company.com email address for your admin login. Instead, you should always use a private email address that is never used or shared outside the company. Here’s a good example: h7d4k3@company.com. And just like with your admin password, be sure to use a highly complex password to access this private email account as an extra safeguard.
11. Always Use Secure FTP
One of the easiest ways to hack a Magento eCommerce store is to guess or intercept an FTP password. To ensure this doesn’t happen, always use secure FTP passwords and SFTP (SSH File Transfer Protocol) or FTP-SSL (Explicit AUTH TLS). For an even higher level of security, I recommend you use SFTP and a Public Key Authentication.
12. Update Your Passwords Before & After Working With Outside Developers
From time to time you’ll need outside developers to help improve your Magento store. Before allowing them access, be sure to change your admin and FTP password and then change it again after the work is complete. Even though you might be able to keep your Magento and FTP passwords safe, it doesn’t mean the companies you outsource to are as guarded as you are.
13. Limit Unsecured FTP Access To Prevent Nasty Scripts From Wreaking Havoc
At many companies, the eCommerce manager is not the person that is uploading new graphics or photos to the website. That is usually handled by the graphic designer. In cases like this, where unsecured FTP is being used, you should limit the access they have to a narrow set of directories, such as the “images” folder.
You can do that by using .htaccess and httpd.conf files to prevent any unwanted scripts from running in these directories that can change other files and directories on the server that should not be accessible through that specific FTP account.
As an example, if you gave your graphic designer unsecured FTP access to the “images” folder, you would want to add the following to your httpd.conf file to prevent any scripts from running in it:
<Directory "/path/to/your/store/images">
    # Directory takes a filesystem path; "/path/to/your/store" is a placeholder for your document root.
    # Route every script extension to the CGI handler, then forbid CGI execution,
    # so nothing uploaded into this tree can be executed by the web server.
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
</Directory>
If for some reason you don’t have access to the httpd.conf file, you can also achieve the same results by adding the following code to the .htaccess file in the directory you want to restrict:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Remember to place the .htaccess file with the above code in the directory you’re trying to protect. In the above example, you would place it in the “images” folder. Once it’s in the folder, be sure to change the permissions to 444 (read-only) to prevent it from being modified. This .htaccess file will now protect the images folder and any sub-folders.
For an even higher level of security, you can also chown the file so that the permissions cannot be changed by anyone else but you. It’s not 100% fool-proof, but it’s a great start.
14. Change Your File Permissions
Ensure your files and folders are not writable by anyone else except you by changing your file permissions to 644 and folders to 755. If you see any that are 777 or 666, fix them immediately. The quickest way to do this is by using the following snippet in SSH:
# directories 755, files 644; media and var stay group-writable (775)
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
find media var -type d -exec chmod 775 {} \;
The only caveat to this is the media and var folders which should remain 775.
Please keep in mind that this process can be a little tricky, as file permissions are dependent upon your hosting environment and Magento version.
15. Secure Your Local.xml File
Your local.xml file contains your database connection details to your store and the encryption key used to secure your data. It’s located in your /app/etc/ folder and if compromised, a hacker would have access to much of your customer data. They could also use it to cause caching problems with your server resulting in store downtime.
And while all new installations have the local.xml file locked down via the .htaccess file located in the app folder, a large number of older installs make the local.xml file publicly viewable!
Even new installs can have the local.xml file publicly viewable if your Apache server doesn’t have AllowOverride enabled for the /app/etc/ directory, since without it the .htaccess file there is ignored.
In addition, I also recommend setting the local.xml file permissions to 600 (-rw-------), which limits read and write access to the file’s owner (the user your web server runs as), while all others would be forbidden.
16. Lockdown Your Magento Connect Manager
Magento’s Connect Manager is a great way to quickly install programs, but it’s also a security risk as it’s a well known entry point for brute force attacks. Like your admin path, I recommend you change the /downloader/ path to make it harder for hackers to crack your store. For added security, you can also restrict the new downloader path by IP address.
17. Disable Any Dangerous PHP Functions
To avoid exploitation of the PHP functions that can be potentially dangerous, be sure to add the following rule to your php.ini file: disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen
18. Disable Directory Indexing
Preventing a potential hacker from viewing all the files in a folder on your website prevents him or her from knowing what files you have in a certain folder, which makes it much harder for them to find the vulnerabilities in your site.
To prevent a potential hacker from seeing all the files located in a folder on your web server, all you need to do is add the following to your .htaccess file: Options -Indexes
Be sure to hit the return key to ensure that the file ends with a blank line.
19. Only Use Trusted Magento Extensions
While the Magento core code has the advantage of an active community of developers and the “many eyes” rule of security, the same can not be said of all of the extensions that have been created for it.
Because your Magento store is only as secure as your weakest link, it only takes one vulnerability in one extension to provide a hacker complete access and control over your website.
For that reason, I recommend you only use well tested and used extensions that have a track record of dependability. And just like your Magento store, be sure to update your extensions when new versions come out, as the new version is typically to plug a newly discovered security hole.
20. Invest in VPS or Dedicated Hosting
When you’re just starting your Magento store, it’s tempting to go for the cheapest shared hosting you can to keep costs down, but even the most locked down Magento store can be compromised by malicious attacks on the other sites on your shared server (depending on the security of the server and web host).
I’ve personally spent hours on the phone and online chat support trying to get my non-eCommerce websites that are on shared hosting plans back up after a site on the shared server gets attacked. Take my advice, it’s no way to spend your weekend!
For better security and control over your server’s resources, I highly recommend Virtual Private Server (VPS) hosting, Dedicated Server hosting or Cloud Hosting for your Magento eCommerce site.
A good web hosting company will also provide a web application firewall to help prevent SQL injection. Web application firewalls, such as NAXSI, inspect incoming HTTP requests, check them against known malicious pattern rules and block the matches so they never reach the application running behind the web server.
21. Backup Your Store Regularly
As part of your disaster recovery plan, be sure to back up your Magento files and database on a regular basis in order to decrease the amount of damage that an attack can cause. Please remember to always back up to a different server than the one where your Magento store is hosted.
I highly recommend Amazon’s S3 online storage service for its high level of security and the ease in which Magento syncs with it.
Making regular backups is a great first step, but don’t forget to verify that it is indeed backing up correctly by testing your backups on a regular basis.
For redundancy, I also recommend having multiple backups that are kept in different locations, such as in the cloud (a cloud storage service like Amazon’s S3) and in secure storage in your office.
22. Get a Professional Security Review Done Regularly
Web developers are a talented bunch, but they are not trained security experts that ONLY handle Magento security day in and day out. That’s why it pays to have a security expert analyze your site once a quarter to find any possible security flaws and vulnerabilities. They’ll perform a web application security test to uncover any possible flaws in the application code, including testing for SQL injections, cross-site scripting, file path traversal and many other kinds of vulnerabilities.
While no eCommerce site is 100% unhackable, by implementing the above 22 security improvements, you will seriously decrease the amount of vulnerabilities that can be exploited and will bring your Magento site one step closer to being bulletproof.
About Brendan Monahan
Brendan Monahan is a digital media professional with 15+ years of experience in dramatically increasing online sales for startups and Fortune 500 companies via eCommerce, SEO, SEM, PPC, email marketing and affiliate marketing. Learn more about him at http://www.linkedin.com/in/brendanmonahan/
___________________________________________
more reading : http://addoa.com/blog/ten-tips-keeping-your-magento-store-secure