As is stands Magento is one of the biggest open source eCommerce platforms in the world; with large amounts of people helping develop, solve common issues and create unique extensions for the platform which provides abundant benefits to the people using them. However, as Magento grows, so does the opportunity for it to be hacked. Sadly, it is the enormity and success of Magento that has made it an ideal target for online hackers so recently.
Magento is one of the biggest open source eCommerce platforms in the world; with large amounts of people helping develop, solve common issues and create unique extensions for the platform which provides abundant benefits to the people using them.Tweet this now
If you are someone who stays up to date with Magento news, you will have seen that in the last month Magento sites running Mirasvit Helpdesk, a popular help desk extension that enables site owners to add a “Chat with us” widget to their storefronts, have been hot picks for cyber-criminals. How may you ask? Somehow the attackers have found a way to upload files to underlying Magento servers and insert an invisible malicious code to the store’s footer section. Once this code is viewed, it begins stealing customers payment card data – scary stuff!
After these recent attacks, we feel it is important to inform our fellow Magento users of the best ways to stop your store from being next on the hackers hit list. We’ve devised a list of our top tips and tricks which hopefully you already know about, but if you don’t, then it is particularly important that you read this article!
Use A Secure Connection For Your Checkout Process
Using an SSL (Secure Socket Layer) not only makes your checkout process a lot more secure but it also helps to make your store look more trustworthy to any new visitors. It’s never an easy task to convince people to have faith in your online store, especially when web-based attacks are increasing year on year. SSL can be used for most transactions and credit card validations working to reassure the user that their sensitive data inputted at the checkout is safe from harm.
Check The Web Root Folder For Any Suspicious Files
Webroot folders is a common place for hackers to drop exploited files, so it’s very important these are checked frequently for anything suspicious looking lurking in there. If something peculiar does crop up, then our first recommendation is to internet search the issue and see if these provide an instant answer. If not, suspicious files are usually just the tip of the iceberg and actually often lead to a much larger problem the further you dig. Best thing to do here is delete the irregular file immediately.
Check Your Admin User Permission Regularly
In order for people to gain access to your Magento admin panel, an admin user must be created. Checking your admin user permission area frequently allows you to keep a close eye on who exactly has access to your information. If you spot an account in there that you do not recognise, there is a very high chance that your Magento admin panel has been breached and this user should be investigated as soon as possible. Get in touch with the rest of your team and, if necessary, delete the account. In this instance, it is also important you contact the developer, provided you did not develop the site yourself, as soon as you can since the user could very well be a hacker.
Adding Extra Layers Of Security
One of the best ways to keep your business safe from cybercriminal acts is to add layers of security. A good place to start is with a firewall system. Firewall systems are easy to install and work exceptionally well at protecting your software and sensitive data from any unwanted prying eyes.
Following this, it’s probably a good idea to start adding extra layers of security. Things like login boxes, contact forms and search queries are all precautions that can be taken to ensure your eCommerce store is protected from application-level attacks such as SQL injections and XSS.
Do Not Use Simple Text As Your Password
Always bear in mind that there are now lots of tools out there to crack passwords. As you know, a simple password like “password123” will be far easier to crack than a more complex password like “85hghdue29” so get creative. Additionally, using the same password for different accounts puts you more at risk because it only takes hackers to crack one password and to their amazement, they’ll have access to everything!
Now, you might be sat thinking it will take far too much time to create and remember a dozen of encrypted passwords, but don’t worry, we’ve got you covered! With cyber-security such a rising concern, there are now lots of secure and trusted password storing tools such as KeePass or Last Pass.
Update Your Password
It’s so important to regularly change your passwords. We recommend a change occurs once every quarter. Additionally, the fewer people who know your admin passwords, the better. If you have no choice but to work with someone externally to fix a problem on your site, don’t forget to change the password as soon as the job is done. If you can’t think of any that you think are suitable enough on your own, can use password generators to help you create the strongest passwords.
Consider Using A Two Factor Authentication System
While a strong and unique password increases the safety of your online store, however, we wouldn’t recommend relying on this solely. An easy way to make your login that bit more secure is to install a two-factor authentication system. This refers to an extra security code being inputted after the initial username and password login. You’ll often see these on online banking sites since these sites contain some of the most sensitive data.
Don’t Forget To Install Security Patches
A lot of people think that installing security patches is a waste of both time and money. But actually, those people couldn’t be more wrong. In fact, it could be some of the best investments you will make. The true value of Magento security patches can be seen based on just how much damage there could be if someone gained access to your store without permission.
Give Your Staff Official Security Training
This one is pretty straightforward but still just as important. Make sure you have trained up your staff in cybersecurity and that they are aware exactly what data they can and can’t share. For example, staff should not share sensitive data in chatbots.
Staff also need to be properly trained in the company policies and what is legal in terms of sharing data. With the introduction of the new GDPR laws coming into play in May 2018, this is a hot topic for any eCommerce owner.
Audit Magento Core Files
A decent Magento developer knows that there is no need to do any modifications to core framework files in order to edit a function or add in a new feature. In fact, you should not install any core modifications at all. In a few previous cases, a hacker has modified the Magento core files to get access and steal customers information from a database. Make sure this isn’t you by checking your Magento core files every so often.
Whitelist All Known IP Addresses
This is probably up there with one of the best ways to protect your Magento site. However, it requires being worked on by trained professionals as well as contacting your hosting partner. Whitelisting all known and familiar IP addresses means you will only grant access to the sites admin panel to users with those exact IP addresses.
The only issue here is, if you are trying to access your admin panel from a different place than you usually would such as a local cafe where the IP is not registered, you will not be able to get access. However, how often is that the case? We think it’s worth the protection!
Always Monitor Your Site And Ensure Whoever Is Hosting Your Site Does This As Well
It is vital to have real-time analytic tools running 24/7 on your site, you may think it a little over the top but it’s just the same as having CCTV in a physical store. Observing how visitors navigate around your site and interact with it in real time allows you to detect any suspicious behaviour and act upon it right away. A lot of nifty tools can now connect your real-time view to your smartphone and even alert you if it detects any unsavoury activity going on.
It is also recommended you ask your website hosts to regularly monitor the server for viruses, malware and any other harmful software.
Check Your CronTab Regularly
Cron is a task that runs on an ongoing basis on your server. It can be used for various things such as updating or clearing caches, cleaning or rotating log files, batching sent emails and so much more.
However, it can also be used by the attacker for various harmful activities too. The hackers may use your Cron to post-harvested information onto their own server which makes it so that their attack remains in place even after you removed it.
Create Backup Data On A Regular Basis
The last measurement we recommend is: always create backups!
If you have taken all the necessary precautions to protect your online store from hackers and still get attacked, by creating backups you can rest assured knowing all damaged or lost data can be restored.
So there we have it, the best tips and tricks around to make sure you keep your online store as safe as possible. Hopefully, you read this and realised you already knew everything we suggested but has done the job of jogging your memory to go and check everything again and perhaps again!