Everyone who runs a Magento store knows that following security best practices is important. But too often, proper security is like flossing – everyone knows it’s a good idea, but some of us convince ourselves that an occasional Listerine rinse is good enough. Even if it feels like a chore, failing to follow best practices can put you and your customers at severe risk. We’ve collected 13 of the most important things you can do to keep your Magento site safe.
Multi-Factor Authentication (often called 2FA or MFA) refers to any log-in system that relies on two or more pieces of information to verify your identity. Typically, the information is a password and a second code that is sent to your phone or provided in advance. SecurID key fobs are another implementation of 2FA that you might have seen before.
2FA prevents attacks because it’s hard for a hacker to get access to your username, password, and a third thing like a randomized token. If your store is PCI compliant (and you want to keep it that way), you’ll need to implement multi-factor authentication and other PCI DSS 3.2 requirements by February 2018.
Most people want a password that’s easy to type, easy to remember, and hard to guess. Sadly, most passwords created this way are shockingly easy to crack with modern technologies. And if you reuse your password for other accounts, it means hackers can break into all those accounts for the price of one.
Password managers to the rescue! Software like KeePass, LastPass, and others provide an encrypted “locker” that stores a unique, extra-strong password for each account. You only need to remember one password to unlock the database, and individual passwords will never be a weak point for security again. Especially for a mission-critical account like your Magento admin, it’s essential to use a long, complex, and unique password.
The strongest password in the world is worthless if your PC itself is compromised. A malware infection on your computer can hand hackers the keys to your Magento castle by spying on your connection or logging your keystrokes. To prevent intrusions, you’ll need a robust and up-to-date anti-virus solution on any computer you use to work on your Magento store.
Whether or not you store PII or card information on your server, a PCI scan is a good way to proactively identify software and configuration vulnerabilities. If your firewall, anti-virus, or password policies are misconfigured or out of date, the scan can help you find these vulnerabilities before hackers do.
By default, the log-in page for your Magento admin area is yourshop.com/store/admin. If you use the default address for the admin page, it’s easy for hackers to find that page. If they can’t find it, they can’t break in. Changing the URL to something difficult to guess, like yourshop.com/store/Dk4u99x2i for example, will cut off that avenue of attack. This is only ‘security through obscurity’, but it still ramps up the difficulty for attackers.
It’s critical to keep your server software, Magento, and all extensions up to date. Magento has released 5 security updates so far in 2016. Hackers are up to date on security holes; make sure you are too.
Beyond official Magento patches, plugins are frequent targets for hacking. If you are using a plugin that seems buggy or hasn’t been updated in a long time, consider whether it is worth the risk to your site. Check for patches on plugins regularly.
Aside from Magento-related updates, it’s equally important to make sure your LAMP stack is up-to-date.
Version control is the practice of centralizing, tracking and comparing all changes to files in a project over time. It’s a fundamentally important tool for any software project, Magento stores included. We recommend using Git, hosted on GitHub, one of the most popular systems.
Even though it doesn’t actively stop attacks, version control is critical for defending your store. It tracks all changes and who made them – making it much easier to find and fix any malicious changes to your code.
Activity and error logs are like security camera footage for your website. They don’t prevent attacks on their own, but they make it much easier to stop them in the future. Review your server logs regularly for any suspicious activity. Keeping logs of Magento exceptions or errors can also expose problems with your store configuration or code, a key way to plug holes and prevent hacks.
We encourage our customers to use services like CloudFlare with their sites. It’s a Content Delivery Network (CDN) service that can block a wide variety of attacks (everything from DDoS to e-mail scraping) by filtering all traffic to your site. It’s a simple way to make your website more resilient with an extra layer of security, and can help achieve PCI compliance. As an added bonus, running a site through a CDN can make your site significantly faster, especially when users are geographically distant from your server – even overseas.
Changing the admin path makes it harder for attackers to find. Lock it down further by creating what’s known as an IP whitelist on the server, so that only pre-approved addresses can reach it. Any IP not on the list is sent packing – including hackers.
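The log review advised above and the IP whitelist go together: the whitelist tells you which addresses are allowed to reach the renamed admin path, and the server’s access log tells you who actually tried. As an added example, not code from the original post or from eBoundHost, the script below reads Apache combined-format access log lines and flags three things a store administrator would want to see: admin-path requests from addresses outside the whitelist, repeated POSTs to the admin login within a short window, and probes of the old default `/store/admin` path after it has been renamed. The log lines, the renamed path `/store/Dk4u99x2i`, the whitelist range and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict (ip, ts, method, path, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def under(path, prefix):
    """True if `path` is `prefix` itself or a path below it (query string ignored)."""
    path = path.split("?", 1)[0].rstrip("/")
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def review_admin_access(lines, admin_path, allow_list, old_admin_path="/store/admin",
                        max_posts=5, window=timedelta(minutes=10)):
    """Scan access-log lines and return sorted lists of offending source IPs."""
    nets = [ip_network(n) for n in allow_list]
    findings = {"outside_allow_list": set(), "brute_force": set(), "old_path_probe": set()}
    recent_posts = defaultdict(list)          # ip -> timestamps of admin POSTs in window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                          # unparseable line: skip, never crash the review
        src = ip_address(rec["ip"])
        if under(rec["path"], old_admin_path):
            findings["old_path_probe"].add(rec["ip"])   # someone guessing the default URL
        if not under(rec["path"], admin_path):
            continue
        if not any(src in net for net in nets):
            findings["outside_allow_list"].add(rec["ip"])
        if rec["method"] == "POST":
            times = recent_posts[rec["ip"]]
            times.append(rec["ts"])
            while times and rec["ts"] - times[0] > window:
                times.pop(0)                  # slide the window forward
            if len(times) > max_posts:
                findings["brute_force"].add(rec["ip"])
    return {key: sorted(ips) for key, ips in findings.items()}


# Constructed sample: one legitimate admin from the whitelisted office range, and
# one scripted client that first tries the default path, then hammers the login.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /store/Dk4u99x2i/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2016:13:55:40 +0000] "POST /store/Dk4u99x2i/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2016:14:01:02 +0000] "GET /store/admin/ HTTP/1.1" 404 210 "-" "python-requests/2.11"',
    '198.51.100.23 - - [10/Oct/2016:14:01:05 +0000] "GET /store/Dk4u99x2i/ HTTP/1.1" 200 5120 "-" "python-requests/2.11"',
    "this line is not in combined format and is skipped",
] + [
    '198.51.100.23 - - [10/Oct/2016:14:02:%02d +0000] "POST /store/Dk4u99x2i/ HTTP/1.1" 302 0 "-" "python-requests/2.11"' % sec
    for sec in range(0, 60, 10)               # six login POSTs inside one minute
]

if __name__ == "__main__":
    for key, ips in review_admin_access(SAMPLE_LOG, "/store/Dk4u99x2i", ["203.0.113.0/24"]).items():
        print(key, ips)
```

In practice the whitelist is enforced by the web server (Apache `Require ip` or nginx `allow`/`deny` on the admin location), so “outside_allow_list” hits should be rare and each one is worth a look: either a rule is missing, or someone has reached the path through a route the rule does not cover.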
Linux operating systems control who can read, write to, and execute files. These permissions are set using a 0-7 numbering system: each digit encodes read, write and execute rights, and the three digits apply to the file’s owner, its group, and everyone else. It’s a lot more detailed than that, but the upshot is you need to lower many of the permission levels on your server after setting up Magento. Set correctly, file permissions are a serious roadblock for an attacker trying to compromise your store.
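As an added example, not code from the original post or from eBoundHost, here is a small audit-and-fix script for the permission clean-up described above. The policy it encodes is an assumption for the example rather than Magento’s or eBoundHost’s official one: directories 755 and files 644 throughout, only the `var/` and `media/` trees group-writable for the PHP process, and `app/etc/local.xml` (which in Magento 1 holds the database credentials) not readable by “others”. The sample store tree it builds in a temporary directory is constructed, with the typical post-install mistakes planted in it.

```python
import os
import stat
import tempfile

# Policy assumptions for this example (not an official Magento or eBoundHost
# recommendation): only these top-level trees are written by the web server,
# and this file holds secrets that "others" must not be able to read.
WRITABLE_DIRS = ("var", "media")
SECRET_FILES = ("app/etc/local.xml",)


def target_mode(rel, is_dir):
    """Mode an entry should have, keyed on where it sits in the document root."""
    if rel in SECRET_FILES:
        return 0o640                          # owner rw, group (web server) r, others nothing
    if rel.split(os.sep)[0] in WRITABLE_DIRS:
        return 0o775 if is_dir else 0o664     # group-writable so PHP can write caches/uploads
    return 0o755 if is_dir else 0o644         # code and assets: nobody but the owner writes


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def walk_entries(root):
    """Yield (absolute path, path relative to root, is_dir) for everything below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                      # a symlink's own mode is meaningless; audit its target
            yield full, os.path.relpath(full, root), os.path.isdir(full)


def audit_permissions(root):
    """Return (relative path, reason, actual mode) for every entry off the policy."""
    findings = []
    for full, rel, is_dir in walk_entries(root):
        mode = mode_of(full)
        if mode == target_mode(rel, is_dir):
            continue
        if mode & stat.S_IWOTH:
            reason = "world-writable"         # any account on the box could plant code here
        elif rel in SECRET_FILES and mode & stat.S_IROTH:
            reason = "secrets readable by others"
        elif not is_dir and mode & 0o111:
            reason = "executable file"        # PHP/CSS/JS never need the execute bit under Apache
        else:
            reason = "unexpected mode"
        findings.append((rel, reason, oct(mode)))
    return findings


def harden_permissions(root):
    """Apply the policy; returns the number of entries that had to be changed."""
    changed = 0
    for full, rel, is_dir in walk_entries(root):
        want = target_mode(rel, is_dir)
        if mode_of(full) != want:
            os.chmod(full, want)
            changed += 1
    return changed


def build_sample_store():
    """Constructed Magento-like tree with typical post-install mistakes planted."""
    root = tempfile.mkdtemp(prefix="magento-perms-")
    for rel, mode in [("index.php", 0o777),              # left world-writable
                      ("app/etc/local.xml", 0o644),      # credentials readable by anyone
                      ("media/catalog/a.jpg", 0o664),    # already correct
                      ("skin/frontend/x.css", 0o755)]:   # needless execute bit
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    os.makedirs(os.path.join(root, "var", "cache"))
    os.chmod(os.path.join(root, "var", "cache"), 0o777)  # the classic "chmod -R 777 var"
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for finding in audit_permissions(store):
        print("before:", finding)
    print("changed:", harden_permissions(store), "remaining:", audit_permissions(store))
```

Run the audit first and read the list before applying `harden_permissions`: the two modes that are easy to get wrong are the `var/` and `media/` trees (too tight and the store stops working, too loose and any local account can drop files the web server will serve) and the owner/group of the files, which this script does not change and which must match the account PHP runs as for the 640/664 modes to work.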
Using an unencrypted FTP or HTTP connection to edit/upload files as opposed to SFTP or HTTPS can easily expose your information to attackers. Make sure you are using SFTP or SSH for any changes to your Magento store. Use a graphical FTP client, or do it from the command line, but make sure it’s SFTP.
If your site is compromised, you’ll need to restore a previous version. Unless you want to re-build from scratch, a consistent backup policy is the best insurance you can have. We handle backups for our customers, but we advise all store owners and administrators to maintain backups and actively test them, regardless of where they host.
There are more tactics that can help keep your Magento site secure, and they are worth a look. Good security is not something you get, it’s something you do – a set of habits. Maintaining a fully secure Magento site might seem a bit involved – because it is. It’s a good idea to get help. eBoundHost encourages and helps all of our Magento customers to follow these best practices. Make sure that your developer, hosting provider, and all admins share a good security mindset, and your store will be a hard target.