Just a moment...

13 life-or-death tactics for stopping Magento hacks


Everyone who runs a Magento store knows that following security best practices is important.  But too often, proper security is like flossing – everyone knows it’s a good idea, but some of us convince ourselves that an occasional Listerine rinse is good enough.  Even if it feels like a chore, failing to follow best practices can put you and your customers at severe risk.  We’ve collected 13 of the most important things you can do to keep your Magento site safe.

1. Implement 2-Factor Authentication (2FA)

Multi-Factor Authentication (often called 2FA or MFA)  refers to any log-in system that relies on two or more pieces of information to verify your identity.  Typically, the information is a password and a second code that is sent to your phone or provided in advance.  SecurID key fobs are another implementation of 2FA that you might have seen before.

2FA prevents attacks because it’s hard for a hacker to get access to your username, password, and a third thing like a randomized token. If your store is PCI compliant (and you want to keep it that way), you’ll need to implement multi-factor authentication and other PCI DSS 3.2 requirements by February 2018.

How to do it

2. Use Strong Passwords

Most people want a password that’s easy to type, easy to remember, and hard to guess. Sadly, most passwords created this way are shockingly easy to crack with modern technologies.  And if you reuse your password for other accounts, it means hackers can break into all those accounts for the price of one.

Password managers to the rescue!  Software like Keepass, Lastpass, and others provide an encrypted “locker” that stores a unique, extra-strong password for each account.  You only need to remember one password to unlock the database, and individual passwords will never be a weak point for security again.  Especially for a mission-critical account like your Magento admin, It’s essential to use a long, complex, and unique password.

How to do it

3. Use good Antivirus Software

The strongest password in the world is worthless if your PC itself is compromised.  A malware infection on your computer can hand hackers the keys to your Magento castle by spying on your connection or logging your keystrokes. To prevent intrusions, you’ll need a robust and up-to-date anti-virus solution on any computer you use to work on your Magento store.

How to do it

4. Run Quarterly PCI Compliance Scans

Whether or not you store PII or card information on your server, a PCI scan is a good way to proactively identify software and configuration vulnerabilities.  If your firewall, anti-virus, or password policies are misconfigured or out of date, the scan can help you find these vulnerabilities before hackers do.

How to do it

5. Change Magento Admin URL

By default, the log-in page for your Magento admin area is yourshop.com/store/admin. If you use the default address for the admin page, it’s easy for hackers to find that page. If they can’t find it, they can’t break in.  Changing the URL to something difficult to guess, like yourshop.com/store/Dk4u99x2i for example, will cut off that avenue of attack. This is only ‘security through obscurity’, but it still ramps up the difficulty for attackers.

How to do it

6. Keep all software patched and up-to-date

It’s critical to keep your server software, Magento, and all extensions up to date.  Magento has released 5 security updates so far in 2016.  Hackers are up to date on security holes, make sure you are too.

Beyond official Magento patches, plugins are frequent targets for hacking.  If you are using a plugin that seems buggy or hasn’t been updated in a long time, consider whether it is worth the risk to your site. Check for patches on plugins regularly.

Aside from Magento-related updates, it’s equally important to make sure your LAMP stack is up-to-date.

How to do it

7. Implement version control

Version control is the practice of centralizing, tracking and comparing all changes to files in a project over time.  It’s a fundamentally important tool for any software project, Magento stores included. We recommend using Github, one of the most popular systems.

Even though it doesn’t actively stop attacks, version control is critical for defending your store. It tracks all changes and who made them – making it much easier to find and fix any malicious changes to your code.

How to do it

8. Keep & Review logs

Activity and error logs are like security camera footage for your website. They don’t prevent attacks on their own, but they make it much easier to stop them in the future. Review your server logs regularly for any suspicious activity. Keeping logs of Magento exceptions or errors can also expose problems with your store configuration or code, a key way to plug holes and prevent hacks.

How to do itLogs for nginxlogs for Apache

9. Use a CDN like CloudFlare

We encourage our customers to use services like CloudFlare with their sites.  It’s a Content Delivery Network (CDN) service that can block a wide variety of attacks (everything from DDoS to e-mail scraping) by filtering all traffic to your site. It’s a simple way to make your website more resilient with an extra layer of security, and can help achieve PCI compliance. As an added bonus, running a site through a CDN can make your site significantly faster, especially when users are geographically distant from your server – even overseas.

How to do it

10. White-list IPs for Admin access

If you change the admin path, it makes it harder for attackers to find.  Lock it down further by keeping out everyone except pre-approved users, by creating what’s known as an IP Whitelist on the server. Any IP not on the list is sent packing – including hackers.

How to do it

11. Lock down file and folder permissions

Linux operating systems control who can read, write to, and execute files.  These permissions are set using a 0-7 numbering system, with each number corresponding to a set of access privileges.  It’s a lot more detailed than that, but the upshot is you need to lower many of the permission levels on your server after setting up Magento. Set correctly, file permissions are a serious roadblock for an attacker trying to compromise your store.

How to do it

12. Never use unsecured Protocols

Using an unencrypted FTP or HTTP connection to edit/upload files as opposed to SFTP or HTTPS can easily expose your information to attackers.  Make sure you are using SFTP or SSH for any changes to your Magento store.  Use a graphical FTP client, or do it from the command line, but make sure it’s SFTP.

How to do it

13. Create a backup and recovery plan

If your site is compromised, you’ll need to restore a previous version. Unless you want to re-build from scratch, a consistent backup policy is the best insurance you can have.  We handle backups for our customers, but we advise all store owners and administrators to maintain backups and actively test them, regardless of where they host.

How to do it

There are more tactics that can help keep your Magento site secure, and they are worth a look.  Good security is not something you get, it’s something you do – a set of habits.  Maintaining a fully secure Magento site might seem a bit involved –  because it is.  It’s a good idea to get help.  eBoundHost encourages and helps all of our Magento customers to follow these best practices.  Make sure that your developer, hosting provider, and all admins share a good security mindset, and your store will be a hard target.

Read This Next:

Just a moment...
Just a moment...