Magento is one of the largest open-source e-commerce platforms in the world, which also makes it an attractive target for attackers. Regardless of the amount of work dedicated to securing the platform, attackers will keep looking for new ways to evade its security measures.
Although Magento ships with its own security features (and they are among the best), you still need to be proactive and take preventive action, such as security audits and tests, to find vulnerabilities before an attacker does.
Regular monitoring and timely updates are the best way to minimise the chances of your Magento store being hacked.
As Magento experts, we receive many requests from Magento store owners who want to protect their stores from attacks that would jeopardise their customers' data.
Security concerns are never going away, which is why we want to share a set of audits and important steps you can take to protect your online store from hacking.
This article lists ways in which store owners, marketing managers, e-commerce managers and others can implement essential Magento security measures.
CHOOSE A SECURE HOSTING INFRASTRUCTURE
When choosing a hosting provider, make sure they follow a secure software development lifecycle and work according to industry standards (for example, the OWASP security best practices).
If you are building a new website, launch it over HTTPS from the start. TLS encrypts the traffic between your customers' browsers and your server, so logins, session cookies and payment details cannot be read or altered in transit, and it also helps your Google rankings. For an existing website, migrate the entire site to HTTPS (not only the checkout) and redirect all HTTP requests to the HTTPS version.
Keep all software up to date (operating system, web server, PHP, database and Magento itself) and apply ALL recommended security patches. Magento regularly releases fixes in the form of patches, so check that every current patch is installed on your system.
Disable FTP and use only encrypted channels (SSH/SFTP/HTTPS) to manage files. Plain FTP transmits everything in cleartext, including usernames and passwords, so anyone able to observe the network can capture them and log in as you.
If you use a web server other than Apache, remember that the .htaccess rules Magento ships to protect its files are ignored by other servers, so you must recreate equivalent restrictions in that server's own configuration and verify that system files and directories (application code, configuration and the var directory) are not reachable over the web.
Allow only whitelisted IP addresses to access the admin panel, and enforce the restriction at the web server or firewall rather than relying on the application alone. If the store sits behind a reverse proxy, load balancer or CDN, make sure the web server is configured to see the real client address; otherwise every request appears to come from the proxy and the restriction blocks either everyone or no one.
Implement two-factor authentication for admin logins. This adds a second check at login, a one-time code generated by an authenticator app on your phone, so a stolen or guessed password alone is not enough to get in.
Keep antivirus and malware scanners up to date on every computer used to reach the Magento Admin Dashboard; a keylogger or session-stealing malware on an administrator's workstation bypasses all of the server-side controls above.
Harden the server operating system as well: remove or disable any software and services the store does not need, since every unused service is additional attack surface and one more thing to patch.
To reduce exposure to scripts that probe for the default admin URL, use a unique admin path that cannot be easily guessed. Treat this as a speed bump, not a barrier: the path can leak through links, logs or browser history, so it complements IP restrictions, strong passwords and two-factor authentication rather than replacing them.
Use a strong password for the Magento administrator account. NEVER use simple passwords for the Magento admin (dates of birth, names, surnames and the like), and change your passwords about once a month. Do not share your password with third parties: if developers need access, create a separate user for each of them and delete it after the work has been completed.
Check the admin users regularly to make sure only the right people have access to the store admin panel, and use the review to remove old or unused accounts.
Just as important, check the permission level of every admin role so that each group of users is granted only the access it actually needs (least privilege); this stops a compromised low-privilege account from reaching the whole store.
Adhere to Magento's security-related configuration settings for Admin Security, Password Options and CAPTCHA: limit the admin session lifetime, lock accounts after repeated failed logins, enforce password expiry, and enable CAPTCHA on the admin login form.
Use the latest version of Magento to benefit from the most recent security enhancements. If you cannot upgrade, install every security patch Magento recommends for your version.
Finally, review your installed extensions. Some are no longer needed, and some are no longer maintained by their creators and will never receive fixes for the vulnerabilities found in them. Check that each one is up to date, and remove abandoned or unused extensions entirely rather than leaving them installed.
MONITOR FOR SIGNS OR SYMPTOMS OF A HACKED MAGENTO SITE
Web store unavailability: if your store is constantly unavailable, or blocked by the hosting service, you might be the victim of a denial-of-service attack. This type of attack disrupts your online presence rather than your data, but it is sometimes used to distract from another intrusion, so check the other indicators below as well.
Administration panel and content issues: if you find a new user with admin rights that you did not create, notice changes to your store content, or cannot even log in, you may be facing a critically dangerous attack on your website and business (an admin panel break-in).
Poor performance and unexpected redirects: a hacked-redirect attack hijacks your store's traffic and exposes your customers to malware, phishing or advertising spam. If your store no longer appears in search results, is flagged as dangerous, or sends visitors to pages you did not set up, act immediately, because you have probably been hacked.
Reported data theft: if customers report suspicious activity on their accounts or fraudulent charges on cards they used in your store, assume their data has been stolen, either from the store itself (for example through malicious code injected into the checkout pages) or through phishing emails sent in your store's name. The intent of such attacks is data access and identity theft.
It goes without saying how badly any of these can hurt an ecommerce business, so build the following checks into a regular routine:
- Periodically review server logs (web server access and error logs, and Magento's own system and exception logs) for suspicious activity, such as repeated requests to the admin URL from unknown addresses or bursts of failed logins.
- Check whether any unauthorised admin users have been created. You can monitor the Admin Actions Log.
- Check the integrity of the files on the server against a known-good baseline taken right after deployment; unexpected new or modified PHP and JavaScript files are a common sign of malware.
- Monitor all system logins (FTP, SFTP, SSH) for unexpected activity, uploads or commands.
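As an added example (it is not part of the original article and not Magento's own tooling), the following Python script implements two of the checks above over constructed access-log lines: it flags admin-URL requests from addresses outside the whitelist recommended in the hosting section, and counts login POSTs per source address to spot brute-force attempts. The admin path "/secretadmin", the allowed networks (TEST-NET ranges) and the sample log lines are placeholders chosen for illustration.

```python
"""Review web-server access logs for suspicious admin-panel activity.

Constructed example for this article (not Magento's own code). Assumptions:
  * log lines are in the common/combined format Apache and nginx write by default;
  * the store's admin URL (front name) is "/secretadmin", a placeholder;
  * the allowed admin networks are placeholder TEST-NET ranges.
"""
import ipaddress
import re
from collections import Counter

ADMIN_PATH = "/secretadmin"  # placeholder: the custom admin URL chosen for the store
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]  # placeholders
BRUTE_FORCE_THRESHOLD = 5  # POSTs to the admin area from one IP before it is flagged

# Common log format: client ip, ident, user, [time], "METHOD path protocol", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def is_allowed(ip_text):
    """True if ip_text is a valid address inside one of ALLOWED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage in the ip field is never "allowed"
    return any(ip in net for net in ALLOWED_NETS)


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_request(path):
    """Match the admin front name exactly or as a path prefix, ignoring the query string."""
    path = path.split("?", 1)[0]
    return path == ADMIN_PATH or path.startswith(ADMIN_PATH + "/")


def analyse(lines):
    """Report admin requests from unlisted IPs and likely brute-force sources."""
    unlisted = set()
    post_counts = Counter()
    parsed = 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        parsed += 1
        if not is_admin_request(rec["path"]):
            continue
        if not is_allowed(rec["ip"]):
            unlisted.add(rec["ip"])
        if rec["method"] == "POST":
            post_counts[rec["ip"]] += 1
    return {
        "parsed": parsed,
        "admin_from_unlisted_ip": sorted(unlisted),
        "possible_brute_force": {ip: n for ip, n in post_counts.items() if n >= BRUTE_FORCE_THRESHOLD},
    }


# Constructed sample log: one legitimate admin session, five login POSTs from an
# unlisted address, an unrelated catalogue hit, and one malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /secretadmin/ HTTP/1.1" 200 5120
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /secretadmin/admin/index/index/ HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "POST /secretadmin/admin/index/index/ HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "POST /secretadmin/admin/index/index/ HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:56:03 +0000] "POST /secretadmin/admin/index/index/ HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:56:04 +0000] "POST /secretadmin/admin/index/index/ HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:56:05 +0000] "POST /secretadmin/admin/index/index/ HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:56:30 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 9000
198.51.100.7 - - [10/Oct/2023:14:00:00 +0000] "GET /secretadmin/?key=abc HTTP/1.1" 200 5120
this line is not an access-log record
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for finding, detail in analyse(lines).items():
        print(f"{finding}: {detail}")
```

Run it with the path to your access log, or without arguments to see it work on the constructed sample. Two caveats apply: the threshold is a starting point, not a tuned value, and if the store sits behind a CDN or reverse proxy the logged address is the proxy's unless the web server is configured to record the real client IP, in which case both checks will be meaningless.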
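The file-integrity check is the simplest of these to script yourself. The following is an added example (not Magento's own tooling and not code from the original article): it hashes every file under the web root into a baseline, skips the directories that legitimately change at runtime, and later reports added, removed and modified files. The excluded directory names and the small demo tree it builds are assumptions for illustration; adjust the exclusions to whatever changes at runtime on your install, and keep the baseline somewhere the web server account cannot write.

```python
"""Baseline-and-compare integrity check for a Magento document root.

Constructed example for this article (not Magento's own tooling). Assumptions:
  * the root passed in is the deployed Magento directory;
  * DEFAULT_EXCLUDES holds placeholder names for runtime-writable directories;
  * the baseline JSON is stored where the web server account cannot write.
"""
import hashlib
import json
import os
import tempfile

DEFAULT_EXCLUDES = ("var/cache", "var/page_cache", "var/session", "var/log", "pub/media")


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Return {relative path: sha256} for every regular file under root, skipping excludes."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune excluded subtrees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if (f"{rel_dir}/{d}" if rel_dir else d) not in excludes]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real files only; a symlink target may live outside root
            rel = f"{rel_dir}/{name}" if rel_dir else name
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between two baselines as added, removed or modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo_on_temp_tree():
    """Build a tiny constructed web root, take a baseline, tamper with it, and diff."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app", "code"))
    os.makedirs(os.path.join(root, "var", "cache"))
    files = {
        "index.php": "<?php // front controller\n",
        "app/code/Module.php": "<?php // a module\n",
        "var/cache/page.bin": "cached output\n",  # excluded: runtime noise
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "w") as f:
            f.write(content)
    baseline = build_baseline(root)

    # Simulate an intrusion: modify a core file, drop a new PHP file, delete a module
    # file, and let the cache churn (which must NOT appear in the report).
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("/* injected */\n")
    with open(os.path.join(root, "upload.php"), "w") as f:
        f.write("<?php // unexpected new file\n")
    os.remove(os.path.join(root, "app", "code", "Module.php"))
    with open(os.path.join(root, "var", "cache", "page.bin"), "w") as f:
        f.write("different cached output\n")

    return sorted(baseline), compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_baseline(build_baseline(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(compare(load_baseline(sys.argv[3]), build_baseline(sys.argv[2])), indent=1))
    else:
        print(demo_on_temp_tree())
```

Take the baseline immediately after a clean deployment (`baseline ROOT OUT.json`), re-run `check ROOT OUT.json` from cron, and treat any entry in "added" or "modified" that is not explained by a deployment as an incident. Expect some noise from legitimate admin-side uploads until the exclusion list matches your store's writable paths.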
DEVELOP A RECOVERY PLAN
Even if you have applied strict security measures, create a recovery/business continuity plan for the worst case. It is essential to have your entire web store data backed up, so that the store can be restored after data loss or a compromise.
Make sure there are backups of both the database and the server files in an external location, off the web server, and that the web server's own account cannot delete or overwrite them, so an attacker who compromises the store cannot destroy your backups as well. Verify that the backups are taken correctly and test restoring them regularly; a backup that has never been restored is not a backup.
In case of an attack, no matter how small, reset all credentials: database passwords, file-access accounts (FTP, SFTP and SSH keys and passwords), payment gateway and encryption keys, web service and API tokens, and every Magento admin login. Do this only after the hole the attacker came through has been closed; otherwise they will simply collect the new credentials.