01202 237370
Magento is not only interesting for retailers – hackers like to target those widely used platforms and the fact that online stores handle all kinds of sensitive data including payment information. If your Magento store is kept up to date, and your server is secure, the Magento platform will offer you exceptional endurance and security in return.
Thanks to Magento being open-source, it has interested somewhat of a flourishing community of independent developers, consultants and security experts who devote their time and energy into mastering both the ins and outs of the software. This dramatically increases the chances of both minor and major security flaws being flagged up and resolved before they can then be exploited. Magento carries out a lot of security work in-house, regularly releasing patches and further updates which are specifically intended to address any specific vulnerabilities.
The platform benefits from any further hands-on Magento support and a suite of built-in diagnostics that make it very easy for developers to spot any potential dangers down the line.
With all that being said, Magento is one of the biggest eCommerce platforms on the market, and that on its own can cause some security problems.
Approximately 28% of all eCommerce stores in the world are now powered by Magento which makes its codebase a rather attractive target for potential hackers looking to steal credit card and personal data or do extensive damage to a variety of businesses.
Approximately 28% of all eCommerce stores in the world are now powered by Magento which makes its codebase a rather attractive target for potential hackers looking to steal credit card and personal data or do extensive damage to a variety of businesses.
Tweet this now
Although these types of hacks and attacks are rare, they do certainly happen. Back in 2007, a vulnerability with certain editions of Magento Community enabled hackers to execute code remotely, further prompting worries about potential vulnerabilities. As a result, a patch was then rolled out and the issue was fixed in a matter of weeks – however, there was a small window within which unsecured sites might have been wide open to an attack of some kind.
It should be said that security concerns shouldn’t be enough of an issue to factor into any decisions about whether or not to even build on Magento. Any platform can be exploited and there is always going to be a risk when running an eCommerce store.
There is still a huge benefit to knowing how a Magento site can be secured, even if you tend to leave it to your Magento Support team. It’s especially necessary if you want to safeguard against any potential exploits yourself. Even making the smallest of modifications such as the implementation of better password policies can make a tremendous amount of difference, and good practices will also help to mitigate the risk of damage or data loss as hackers just seem to become ever-more superior.
Below is a guide to help you secure your Magento store using the best current practices. Carry on reading for a series of actionable steps that you can discuss with your development agency.
Ensure The Latest Patches And Security Updates Are Installed
Ensuring that you are up to date with all the latest security patches and updates should always be a top priority. When Magento is made aware of the potential vulnerability, they will pull together an update that seeks to prevent an exploit in the most efficient way possible.
Ensuring that you are up to date with all the latest security patches and updates should always be a top priority.
Tweet this now
If you fail to install the latest patch, it means that you’ll be defenseless to whichever exploit is currently under scrutiny. As soon as a new patch is announced, the risk increases too; the supporting documentation does often outline the vulnerability which the patch is designed to address and attackers are still able to use this knowledge to go out and start attacks which are targeted on sites which have not yet installed the relevant updates.
In order to constantly try and stay ahead of the game when it comes to the latest patches, you can always check Magento’s patch resource which features a chronological list of the very latest patches.
When it actually comes down to installing the latest patch, your agency (or whoever you’re working with) should always be willing to help you get the updates installed as soon as they possibly can.
The timings of how long it actually takes to install a patch can vary hugely, depending on the way that your site is structured and built, the extensions you’re using and specific bits of code that the patch changes, but it’s always worth making installation the main priority. Failure here can leave you open to attack and invalidate a lot of the advantage gained by working through the rest of the steps which are outlined below.
Scan For Any Type Of Vulnerabilities And Weaknesses
In order to be sure that you haven’t neglected a potential flaw, you can also run your domain through Magento’s own site security scan tool. This powerful application automatically scans for a variety of common problems and also provides you with a complete step-by-step analysis of the types of attacks your site may be unprotected against.
Your development or Magento support team should be more than happy to talk through the results of this test with you, as nine times out of ten, just by simply implementing Magento’s recommendations will quickly correct the vulnerability. However, where there is more work required, Magento does also publish a lot of their own research and documentation around the various safeguarding measures that you can then implement.
Magento’s site security scan tool is still fairly new, but the information it provides is clear, precise and accurate. Signing up for it is relatively straightforward but you do have to create an account and verify ownership of your site before you can then begin – once you are registered, you can simply drop your site URL into the field provided and let it go to work.
The search tool isn’t completely foolproof – as it stands, it can only identify issues that Magento are already aware of. On the other hand, it does at least allow you to ensure that a good foundation is in place for any further security work.
Mike Barnett
Magento Server & Security Specialist
Media Lounge
Often security firewalls will come with certain settings disabled. These settings can make a huge difference to the performance of your site as well as save you bandwidth from serving aggressive bots, but one setting you might want to consider turning on is the aggressive bot filter. It’s worth noting this won’t block major bots such as Google and Bing – only menacing bots. Another one is to block countries such as China, Turkey, and Russia if you don’t do business with them. The vast majority of malicious bots come from these countries, so don’t waste your precious bandwidth on them which can be very expensive!
Lock Down Access To Your Admin Panel
The majority of data breaches occur when people gain unauthorised access to your admin panel. As with all eCommerce platforms, Magento’s admin panel acts as a gateway to a wealth of knowledge which is very sensitive, including order details and personalised data around business trends. This makes ensuring people aren’t able to ‘phish’ or ‘brute force’ your password an absolute priority.
There are two ways you can do this. The first one is that you can look at locking down the admin panel so that it can only be accessed via a specific IP address. This is done at the server level and ensures that unknown third parties are blocked from even entering login details which makes it a very safe choice. There is a downside to this though – you have to manually whitelist every single IP address that you want to have access which is fine if everyone is working from the same place, but this can quickly become a headache if you are split across multiple locations.
Your other option is to set up some sort of two-factor authentication on the admin page. This involves installing an extension or purchasing a cloud-based solution that will push a randomised code to a preselected phone or tablet when you try to log in. You will then need to add this code alongside your regular password in order to gain access to your site, stopping attackers who don’t have access to the selected device from ‘brute forcing’ their way in. This is probably a more costly solution, but it’s somewhat slightly more flexible and allows you to avoid making repeat whitelisting requests to your hosting company.
Introduce A Robust Password Policy
Beyond locking down the admin and installing patches, it’s also worth considering the simpler things that can be done to make hacking into your site a bit more difficult.
Introducing a company-wide password policy where you specify minimum length, ask people to include a capital letter, or force people to change their password every 3 months can really help cut down on the chances of an unwanted user gaining access to your store.
Also asking people not to give out their password and reminding them that it’s essential not to write it down or save it on the computer they are using to access your site can also really help.
When it comes to securing your site, it’s always nice to have a second opinion. Here is what Jake Moore, Cyber Security Specialist from ESET had to say on the matter.
“Magento seems to have its customers security at heart. Surprisingly, many applications still don’t implement security from the outset and by design, is simply flawed from the beginning so it’s quite refreshing to see the extent to which Magento is going to for the protection of its customers.
However, even with the layers of protection, it features, cybersecurity is a two-way street. Patches forced down from the server, updates, 2FA and password policies can be implemented or even forced into the user but hackers are crafty little souls and use moving towards using psychological manipulation techniques in the form of beautifully crafted social engineering more and more currently.
For example, when you next receive an email with an attachment from someone you recognise, how much scrutiny would you place on the email going to the extreme to check its authenticity? Would you verify the sender with a phone call? A text? Even if it’s from your work BFF? Most of us are impulsive when it comes to emails because we are busy and have little time for that validation process so we look for anything which can speed it up.
Hackers take advantage of this and take on the persona of colleagues, friends or your gym membership – and do so very convincingly! Over the last few years I have been given the approval to send simulated phishing attacks and even when the target is fully expecting to be scammed, they have fallen for a test phishing email sent from me every single time.
So even with applications upping their game to help protect your data and systems, we need to constantly be on the lookout for scams, phishing emails, and rogue attachments. It goes without saying that you need an awesome robust anti-virus but sadly there is no silver bullet button that protects us from every cyber attack. It is an interesting time in the world of cybersecurity but working together with the tech industry, we will one day reduce the dark world of cyber criminality so it’s hardly worth the time the hackers to target us.”
Jake Moore
Cyber Security Specialist
ESET
With the layers of protection it features, cyber security is a two way street. Patches forced down from the server, updates, 2FA and password policies can be implemented or even forced into the user but hackers are crafty little souls and use psychological manipulation techniques in the form of beautifully-crafted social engineering more and more currently.
Ensuring That You’re Using HTTPS
Switching from HTTP to HTTPS is another crucial step. Doing so encrypts all of the data that flows between you, your site and your users.
This ensures that sensitive information can’t be logged by malware and used to attack your site later on down the line. Switching to HTTPS also prevents credit card information from being skimmed while it’s in transit and there is evidence out there to suggest that this change can provide a small boost to your organic search rankings.
Unfortunately switching to HTTPS will involve a reasonable amount of work – every single HTTP link will need to be redirected to prevent 404 errors and you’ll also need to obtain a valid SSL certificate from a licensed vendor.
Ultimately, investing in secure end-to-end encryption ensures that your customers are safe and guarantees that your site actually can be trusted. A lot of savvy online shoppers refuse to engage with sites that lack the universal green padlock icon which appears to the left of site URLs on the address bar.
Switching from HTTP to HTTPS is a crucial step. Doing so encrypts all of the data that flows between you, your site and your users.
Tweet this now
Audit Any And All New Code
Each time your developers push new code onto your live site, there will always be a risk that they’ll accidentally introduce a new vulnerability or break something that stops a security feature from working properly. As your site ages and the volume of new code piles up, the chances of this happening rise and you start to see a lot of rather unexpected results.
This is one of the few instances in which Magento’s complexity can act as both an asset and a weakness, and the unfortunate truth is that it’s often very difficult to anticipate the way that a piece of code will act on your site unless someone takes the time to explore any unforeseen interaction of potential pitfalls.
This is why we would always recommend testing and auditing new code on a demo site before pushing it to the live site irrespective of the size of the change that you’re making. The time that it takes in the short-term will be offset by the amount of time, money and energy that you’ll save in the long run, even if there’s only a bug 1% of the time.
Conclusion
Magento is a fantastic platform for building a thriving website. Its Magento support team are consistently working on its maintenance and security updates in order to keep its users safe. But even with the network of support, website owners have to remain vigilant in their efforts to keep their online businesses operating safely and smoothly.
Help fend off those who would do you harm and remember to stay current on the best security practices for your website as they arise, as remember it’s always better to be safe than sorry.