How to improve the security of your Magento store

How to improve the security of your Magento store

The article presents various methods of hardening your Magento store’s security, though many of these can apply to any content management system (CMS).

While maintaining your eCommerce store’s security will uphold your reputation and avoid downtime, you are required to abide by Payment Card Industry Data Security Standards (PCI DSS) in order to process customer credit card data.

Monitor patch releases and apply them immediately

Like all eCommerce software, you must use the latest version to maintain a secure environment. These upgrades provide feature upgrades, bug fixes, and critical security updates designed to address the latest exploits and attacks. If you ignore or postpone these patches, you compromise your security and endanger your customers’ data.

To stay current, we urge all clients to sign up for security alerts at the Magento website. In addition, watch for alerts posted within the Administrative area of your specific Magento installation or installations.

Use two-factor authentication

Do not rely solely on passwords. Two-factor authentication serves as the new gold standard for security and will mitigate most password-related Magento security risks. Though you can find many options, we recommend Sentry, our free and open source plug-in designed specifically for Magento.

For more information about Sentry Two-Factor Authentication, visit our website.

Configure a custom path for the administrator panel

If someone can easily locate your administrator login page, then you are more vulnerable to brute force attacks. Many, but not all, brute force attacks use scripts specifically designed to check the /admin path for your login page. Therefore, obscuring the path to the Magento Administrator Panel can help prevent intrusions. Although this will not make your store immune to brute force attacks, it will deflect the attacks relying on those scripts.

Encrypted connections (SSL/HTTPS)

Data sent over unencrypted connections is exceptionally vulnerable to interception by third parties. A properly implemented SSL certificate will help secure sensitive information such as credit card data, customer details, and login credentials, among other types. You can purchase an SSL certificate from any verified Certificate Authority and install it through SiteWorx. Once you have the SSL certificate, configure your Magento installation to require the secure resources on certain pages, forcing the pages to be loaded over HTTPS.

Manage access points

There are many methods for accessing your site files and database. Depending on your intended task, you can access your site through SSH, FTP, or SiteWorx. Use a unique, strong password for each method, and use connection methods like SSHSFTP, or SCP for additional security.

Secure your local.xml file and other sensitive files

The local.xml file holds your most critical database information, including your username, password, and table prefixes. Furthermore, attackers could alter the code dictating your caching methods, resulting in downtime for your store. As a means of prevention, restrict this file’s permissions to 600, or -rw-------. These permissions restrict read-and-write access to your user alone.

For added security, also restrict permissions on any other files containing sensitive information, such as login credentials.

Deploy changes responsibly

If deployed without care, extensions and themes can give attackers a path to your store’s most critical areas or simply break your site. To minimize these dangers, enlist a developer to audit the code of these extensions and themes, and test new applications in development environment before deploying them to your live store. Before going live, create backups of your site files and databases as a failsafe against data corruption or security breaches.

Restrict administrator access

In addition to two-factor authentication, you can restrict the Magento administrator login page to a specific IP address by configuring rules within your site’s .htaccess file.

Implement your own password policy

A password policy outlines your password requirements. The best practices for a password policy include:

  • Use only unique passwords.

  • Establish complexity requirements.

  • Change your password regularly.

  • Do not reuse passwords.

For assistance generating a secure password, use our Secure Password Generator. For instructions on how to use it, refer to How to use the Nexcess Secure Password Generator.

For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.

Article Rating (No Votes)
Rate this article
  • Icon PDFExport to PDF
  • Icon MS-WordExport to MS Word
Attachments Attachments
There are no attachments for this article.
Related Articles RSS Feed
How to use the Nexcess Secure Password Generator
Added on Tue, Jan 15, 2019
How to activate two-factor authentication in SiteWorx
Added on Fri, Dec 14, 2018
How to reset your SSH password and add SSH keys in SiteWorx
Added on Mon, Dec 17, 2018
What is Varnish?
Added on Thu, Aug 28, 2014
How to optimize Magento performance
Added on Wed, Jan 30, 2019
What is Turpentine?
Added on Thu, Aug 28, 2014
What is Magento?
Added on Tue, Jan 29, 2019
What are the advantages of using SSH keys to control access for multiple users?
Added on Wed, Dec 26, 2018
How to set the return path email in Magento 1.x
Added on Thu, Oct 30, 2014
How to add admin users in Magento 1.x
Added on Tue, Jan 29, 2019