Everyone who runs a Magento store knows that following security best practices is important. But too often, proper security is like flossing – everyone knows it’s a good idea, but some of us convince ourselves that an occasional Listerine rinse is good enough. Even if it feels like a chore, failing to follow best practices can put you and your customers at severe risk. We’ve collected 13 of the most important things you can do to keep your Magento site safe.
Multi-Factor Authentication (usually shortened to 2FA or MFA) is any log-in system that requires two or more independent proofs of identity. Typically that means a password plus a one-time code generated by an authenticator app, by a hardware token, or sent to your phone. The SecurID key fobs you may have seen in corporate environments are one such hardware token.
2FA blunts the most common attack on an admin account, because a stolen or guessed password is no longer enough on its own: the attacker also needs the current one-time code, which changes with every use. Magento 1 does not ship with 2FA for the admin login, so you will need an extension for it. If your store is PCI compliant (and you want to keep it that way), note that PCI DSS 3.2 requires multi-factor authentication for all non-console administrative access to the cardholder data environment; that control, along with the other new 3.2 requirements, becomes mandatory on February 1, 2018.
Most people want a password that’s easy to type, easy to remember, and hard to guess. Sadly, most passwords created this way are shockingly easy to crack with modern technologies. And if you reuse your password for other accounts, it means hackers can break into all those accounts for the price of one.
Password managers to the rescue! Software like KeePass, LastPass, and others provides an encrypted “locker” that stores a unique, randomly generated password for each account. You only need to remember one strong password to unlock the database, so no individual password ever has to be memorable, and therefore none of them has to be weak. Especially for a mission-critical account like your Magento admin, it’s essential to use a long, complex, and unique password that is used nowhere else.
The strongest password in the world is worthless if the PC you type it on is compromised. A malware infection on your computer can hand hackers the keys to your Magento castle by logging your keystrokes or stealing your browser session. Keep a robust and up-to-date anti-virus solution on any computer you use to work on your Magento store, keep that computer’s operating system and browser patched, and don’t use it for casual browsing with the admin session open.
Whether or not you store PII or card information on your server, a PCI scan (an external vulnerability scan by an Approved Scanning Vendor) is a good way to proactively identify software and configuration weaknesses that are visible from the Internet. If your web server, TLS configuration, firewall rules, or exposed services are misconfigured or out of date, the scan can help you find these vulnerabilities before hackers do. It does not see inside the server, so it complements, rather than replaces, the other items on this list.
By default, the log-in page for your Magento admin area is yourshop.com/store/admin. Automated scanners try that path on every Magento site they find, so a store using the default is on every password-guessing list. Changing the URL to something that cannot be guessed, like yourshop.com/store/Dk4u99x2i for example, takes your store out of that dragnet. In Magento 1 the path is the frontName under admin/routers/adminhtml in app/etc/local.xml; in Magento 2 it is the backend frontName in app/etc/env.php (set with bin/magento setup:config:set --backend-frontname=…). This is only ‘security through obscurity’: it does not stop an attacker who learns the path, but it removes the bulk of opportunistic attempts and costs nothing.
It’s critical to keep your server software, Magento, and all extensions up to date. As of this writing, Magento has released 5 security updates so far in 2016. Hackers are up to date on the security holes those patches fix; make sure you are too.
Beyond official Magento patches, third-party extensions are frequent targets for hacking. If you are using an extension that seems buggy or hasn’t been updated in a long time, consider whether it is worth the risk to your site, and remove the ones you no longer use. Check for extension updates regularly.
Aside from Magento-related updates, it’s equally important to keep your LAMP stack (Linux, Apache or nginx, MySQL, PHP) up to date. A PHP version that has reached end of life receives no security fixes at all, no matter how current Magento itself is.
Version control is the practice of centralizing, tracking and comparing all changes to files in a project over time. It’s a fundamentally important tool for any software project, Magento stores included. We recommend Git, hosted on a service such as GitHub. Keep credentials out of the repository: app/etc/local.xml (Magento 1) or app/etc/env.php (Magento 2) holds your database password and belongs in .gitignore.
Even though it doesn’t actively stop attacks, version control is critical for defending your store. It records every change and who made it, so a malicious edit to your code stands out as a diff. That only helps if you look: a periodic git status and git diff against the deployed tree on the server will show files an attacker added or altered outside the normal deployment process.
Activity and error logs are like security camera footage for your website. They don’t prevent attacks on their own, but they make it much easier to spot an attack in progress and to reconstruct one afterwards. Review your web server access logs regularly for suspicious activity such as repeated POSTs to the admin login from one address, and watch Magento’s own var/log/system.log and var/log/exception.log, which can expose problems with your store configuration or code. Ship logs to another machine, or at least copy them off the server regularly, so an attacker who gains access cannot simply delete the evidence.
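The kind of review described above, as an added example that is not part of the original article or of Magento: a small POSIX shell script that reads Apache “combined” access-log lines and flags addresses that repeatedly POST to the admin path. The log lines embedded in it are constructed for the demo, and the admin path /admin/ and the threshold of 5 are assumptions; a renamed admin path goes in the first argument.

```shell
#!/bin/sh
# Added example (not from the article or Magento): find source addresses that
# hammer the admin login. Magento re-renders the login form with a 200 on a bad
# password, so counting POSTs to the admin path is more useful than looking
# for 401/403 status codes.

# Constructed Apache "combined" log lines for the demo; not real traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2016:02:14:01 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:02:14:02 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:02:14:02 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:02:14:03 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:02:14:03 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"
203.0.113.7 - - [10/Mar/2016:02:14:04 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"
198.51.100.4 - - [10/Mar/2016:08:01:10 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:08:01:25 +0000] "POST /admin/ HTTP/1.1" 302 0 "https://shop.example/admin/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:08:01:26 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 21000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2016:09:15:00 +0000] "POST /checkout/cart/add/ HTTP/1.1" 302 0 "https://shop.example/" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2016:09:15:01 +0000] "GET /admin HTTP/1.1" 301 0 "-" "Mozilla/5.0"'

# admin_posts_by_ip <admin-path-prefix>   (log on stdin)
# Prints "ip count" for every address that POSTed under the admin path,
# most active first. In combined format $1 is the client, $6 is "POST
# (with the opening quote), $7 is the request path.
admin_posts_by_ip() {
    awk -v p="$1" '
        $6 == "\"POST" && index($7, p) == 1 { n[$1]++ }
        END { for (ip in n) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# admin_post_bursts <admin-path-prefix>   (log on stdin)
# Same count bucketed per minute ("ip minute count"), busiest minute first.
# A long log hides slow guessing; a per-minute rate shows bursts.
admin_post_bursts() {
    awk -v p="$1" '
        $6 == "\"POST" && index($7, p) == 1 { n[$1 " " substr($4, 2, 17)]++ }
        END { for (k in n) print k, n[k] }
    ' | sort -k3,3nr -k1,1
}

# flag_bruteforce <admin-path-prefix> <threshold>   (log on stdin)
# Prints only the addresses at or above the threshold and exits 1 when there
# is at least one, so a cron job can alert on the exit status.
flag_bruteforce() {
    admin_posts_by_ip "$1" | awk -v t="$2" '
        $2 >= t { print $1; hit = 1 }
        END { exit hit ? 1 : 0 }
    '
}

# Demo run over the constructed sample; on a real host replace it with
#   flag_bruteforce /Dk4u99x2i/ 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | admin_post_bursts /admin/
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce /admin/ 5 || echo "brute force suspected"
```

Feed it yesterday’s log from cron and act on the exit status; the flagged addresses are candidates for a firewall block, and a burst of POSTs that is followed by a 302 to the dashboard from the same address is the case to investigate first.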
We encourage our customers to use services like CloudFlare with their sites. It’s a Content Delivery Network (CDN) that sits in front of your server and filters all traffic to your site, which lets it block a wide variety of attacks (everything from DDoS to e-mail scraping). It’s a simple way to make your website more resilient with an extra layer of security, and its web application firewall can help with parts of PCI compliance. One caveat: the protection only applies to traffic that actually goes through the CDN, so restrict your origin server to accept web traffic from the CDN’s address ranges, or attackers who discover the origin IP will simply bypass it. As an added bonus, running a site through a CDN can make it significantly faster, especially for users who are geographically distant from your server.
If you change the admin path, it makes the login page harder for attackers to find. Lock it down further by keeping out everyone except pre-approved users, by creating what’s known as an IP Whitelist on the server. Any IP not on the list is sent packing, including hackers. Two practical points: administrators who work from changing addresses need a VPN or a fixed address to be whitelisted, and if the site sits behind CloudFlare or another proxy, the address the web server sees is the proxy’s, so the rule must be applied to the real client address (for example via Apache’s mod_remoteip) or it will allow or block the wrong people.
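The renamed admin path and the IP whitelist combined, as an added example that is not eBoundHost’s or Magento’s code: a POSIX shell script that generates the Apache mod_rewrite rules returning 403 for any request under the admin path from an address that is not on the allow list. The path Dk4u99x2i and the addresses are placeholders; the script refuses malformed input so a typo cannot silently produce a rule that locks out everyone (or no one).

```shell
#!/bin/sh
# Added example (not eBoundHost's or Magento's code): emit Apache mod_rewrite
# rules that forbid the admin path for every client except the listed IPv4
# addresses. Paste the output into the .htaccess in the Magento root (or a
# <Directory> block) above Magento's own rewrite rules. The admin path and the
# addresses below are hypothetical placeholders.

# Escape the dots in an IPv4 address so the regex matches it literally.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Accept only a dotted quad. CIDR ranges are deliberately not accepted here:
# mod_rewrite matches REMOTE_ADDR as a string, so a range needs Require ip /
# mod_authz_host instead.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The admin frontName must be plain, or it would need escaping in the regex.
valid_path() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# admin_allowlist_rules <admin-path> <ip> [<ip> ...]
# Prints the rules; returns 2 without printing anything on bad input.
# All RewriteConds are ANDed: request is under the admin path AND the client
# is not ip1 AND not ip2 ... -> 403.
admin_allowlist_rules() {
    path=$1; shift
    valid_path "$path" || { echo "bad admin path: $path" >&2; return 2; }
    [ $# -gt 0 ] || { echo "need at least one allowed IP" >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    done
    printf '<IfModule mod_rewrite.c>\n'
    printf 'RewriteEngine On\n'
    printf '# Admin path %s: deny unless the client is on the allow list\n' "$path"
    printf 'RewriteCond %%{REQUEST_URI} ^/%s(/|$)\n' "$path"
    for ip in "$@"; do
        printf 'RewriteCond %%{REMOTE_ADDR} !^%s$\n' "$(escape_ip "$ip")"
    done
    printf 'RewriteRule .* - [F,L]\n'
    printf '</IfModule>\n'
}

# Demo with placeholder values (office address and one remote admin).
admin_allowlist_rules Dk4u99x2i 203.0.113.10 198.51.100.25
```

Behind CloudFlare, REMOTE_ADDR is the CDN’s address unless mod_remoteip (Apache 2.4) has restored the client address from the CDN’s header, so enable that first or the rule will compare against the wrong value. Test the result from a non-whitelisted address before logging out of the admin session you are using.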
Linux operating systems control who can read, write to, and execute each file, separately for the file’s owner, its group, and everyone else. These permissions are written as octal digits from 0 to 7, each a sum of read (4), write (2), and execute (1). The upshot for Magento is that after installation you need to tighten the permissions on your server: no file should be writable by “everyone else”, configuration files holding database credentials should be readable only by the accounts that need them, and the web server should be able to write only where Magento actually needs it (the var and media directories). Set correctly, file permissions are a serious roadblock for an attacker who has found a way to upload or modify one file and is trying to turn that into control of the whole store.
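An audit-and-fix script for those permissions, as an added example that is not eBoundHost’s or Magento’s own tooling. It assumes the usual layout in which files are owned by a non-root deploy user and group-owned by the web server’s group (for instance chown -R deploy:www-data /var/www/magento beforehand; both names and the path are placeholders), so the web server reads code through the group bits and can write only under var and media. It also builds a throwaway tree with the classic chmod 777 mistake so you can see the audit fail and then pass.

```shell
#!/bin/sh
# Added example (not eBoundHost's or Magento's script): audit a Magento root
# for world-writable files and apply a conservative permission scheme.
# Assumed ownership: deploy user owns the files, web server group is the group.

# audit_world_writable <root>: prints offending paths; exit 1 if any exist.
audit_world_writable() {
    found=$(find "$1" ! -type l -perm -002)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# harden_magento_perms <root>
# Code and config: owner rw, group r, nobody else (0750 dirs / 0640 files).
# Runtime dirs (cache, sessions, logs, uploads): group write added.
harden_magento_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +
    for d in var media; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 0770 {} +
        find "$root/$d" -type f -exec chmod 0660 {} +
    done
    # Entry points that must stay executable (Magento 1 cron.sh, Magento 2 bin/magento).
    for f in cron.sh bin/magento; do
        [ -f "$root/$f" ] && chmod 0750 "$root/$f"
    done
    return 0
}

# make_demo_tree: build a scratch tree showing the mistake this fixes.
# Prints the path; caller removes it.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/app/etc" "$t/var/cache" "$t/media/catalog" "$t/skin"
    printf '<config/>' > "$t/app/etc/local.xml"   # holds the DB password
    printf '<?php' > "$t/index.php"
    printf '#!/bin/sh' > "$t/cron.sh"
    printf 'x' > "$t/var/cache/mage-1"
    printf 'x' > "$t/media/catalog/p.jpg"
    chmod -R 0777 "$t"   # the "just make it work" mistake
    printf '%s\n' "$t"
}

# Demo: audit fails, harden, audit passes.
demo=$(make_demo_tree)
audit_world_writable "$demo" >/dev/null && echo "unexpected: tree already clean"
harden_magento_perms "$demo"
audit_world_writable "$demo" && echo "clean: no world-writable files under $demo"
rm -rf "$demo"
```

Run audit_world_writable from cron against the real document root; a non-zero exit after the tree was clean means something (a deploy, an extension installer, or an attacker) loosened permissions since the last check.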
Plain FTP and HTTP send your credentials and your files across the network in the clear, where anyone on the path can read or alter them. Use SFTP or SSH for any file changes to your Magento store, whether from a graphical client or the command line, and serve the admin area over HTTPS only (Magento has a setting to use secure URLs in the admin) so the admin password and session cookie are never sent unencrypted either.
If your site is compromised, you’ll need to restore a known-good version. Unless you want to re-build from scratch, a consistent backup policy is the best insurance you can have. We handle backups for our customers, but we advise all store owners and administrators to maintain their own backups and actively test them, regardless of where they host. Three rules make a backup worth having: it must cover both the files and the database, it must be stored somewhere an attacker on the web server cannot reach (a local copy on the same box disappears with the box), and you must keep enough history to reach a copy that predates the compromise, since a backup taken after the break-in contains the attacker’s backdoor too.
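A minimal file backup with a restore test, as an added example that is not eBoundHost’s backup tooling: it archives a Magento root, records a SHA-256 checksum beside the archive, and then proves the archive restores by extracting it into a scratch directory and diffing against the source. The paths are placeholders. The matching database dump (mysqldump of the Magento schema) belongs in the same job but is left out so the script runs without a MySQL server.

```shell
#!/bin/sh
# Added example (not eBoundHost's backup tooling): archive, checksum, and
# restore-test a Magento document root. Paths here are placeholders.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS fallback
    fi
}

# backup_files <magento-root> <dest-dir>: prints the archive path.
# Cache and session data are rebuilt by Magento, so they are excluded.
# On a real host <dest-dir> should then be copied off the server.
backup_files() {
    root=$1; dest=$2
    mkdir -p "$dest"
    archive="$dest/files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -C "$root" --exclude=./var/cache --exclude=./var/session -czf "$archive" .
    sha256_of "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup <archive>: 0 only if the checksum still matches and tar can
# list the archive; catches a truncated copy or a tampered file.
verify_backup() {
    [ -f "$1" ] && [ -f "$1.sha256" ] || return 1
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ] || return 1
    tar -tzf "$1" >/dev/null 2>&1
}

# test_restore <archive> <magento-root>: extract into a scratch directory and
# diff against the live tree, ignoring the excluded runtime directories.
test_restore() {
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$1" || { rm -rf "$scratch"; return 1; }
    diff -r -x cache -x session "$2" "$scratch" >/dev/null
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Demo on a constructed tree (placeholder content, not a real store).
src=$(mktemp -d); dst=$(mktemp -d)
mkdir -p "$src/app/etc" "$src/var/cache" "$src/media"
printf '<config/>' > "$src/app/etc/local.xml"
printf 'cached' > "$src/var/cache/tmp"
printf 'img' > "$src/media/p.jpg"
a=$(backup_files "$src" "$dst")
verify_backup "$a" && test_restore "$a" "$src" && echo "backup $a verified and restore tested"
rm -rf "$src" "$dst"
```

Schedule verify_backup on the copy that lives off the server, not on the one just written, since the off-site copy is the one you will actually restore from; and run test_restore on a regular cadence, because a backup that has never been restored is a hope rather than a plan.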
There are more tactics that can help keep your Magento site secure, and they are worth a look. Good security is not something you get, it’s something you do – a set of habits. Maintaining a fully secure Magento site might seem a bit involved – because it is. It’s a good idea to get help. eBoundHost encourages and helps all of our Magento customers to follow these best practices. Make sure that your developer, hosting provider, and all admins share a good security mindset, and your store will be a hard target.