Welcome to the Magento security article. In this article we will discuss ways to keep your Magento-based website secure and how to minimize the possibility of your website being breached.
Because Magento is a very popular web application, attackers are constantly looking for weaknesses in its code that would give them access to the core administrator features. When a Magento site is breached, it is usually for one of the following reasons:
- To Create a Public/Hidden Phishing Site
- To be used as an Email Spam Source
- To Deface your Site
- To steal Member Details (emails, encrypted passwords, etc.)
Now on to the good part: how you can help prevent security breaches.
- Magento releases updates all the time, and a large majority of them contain security fixes in addition to the standard feature upgrades. It is VERY important that you update your Magento installation as soon as possible after a new version is released, so always be on the lookout for available updates.
- Make sure you use strong, hard to crack or guess passwords on all of your sites. Avoid using dictionary words as passwords; a password should be a mix of character types and no less than 10 characters long. It is also HIGHLY recommended that you do not reuse the same password for different parts of your site. For example, do not use the same password for your administrator login as for your MySQL user. Use different passwords wherever possible! This helps isolate a breach (if one happens) to one or two services rather than your entire site or hosting account.
- For more information about secure passwords, please see our dedicated article on the topic here.
- Make sure you have an active backup plan. If your site is breached, it is possible that your data could be lost. You can protect against this by backing up your site often and storing the backups off site, either at home or with an online backup provider.
- Magento has a very active community that can be helpful in times of need. Use the community site to search for any problems you may be having with a Magento feature, and keep an eye out for community members reporting security issues in the version of Magento you are using.
- Secondary Password
- Some hosts (including us) allow you to use server-based authentication to reduce the chance of your administrator password being cracked. This works by having two login prompts: the first is an htaccess (HTTP Basic) login handled by the web server, the second is the standard Magento administrator login. You must enter your htaccess credentials before you even see the Magento login form. For information on how to password protect your administrator directory, please see one of the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-how-to-password-protect-directories/
- cPanel: /control/cpanel/cpanel-password-protect-a-directory/
- Directory Index
- A good way to help protect your files is to disable directory indexing, so that when someone requests a folder rather than a file, they do not see a listing of the files inside it. Keep in mind that the files can still be accessed by anyone who knows the full file path. For information on how to disable indexing, please see one of the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-index-manager/
- cPanel: /control/cpanel/cpanel-default-index-page/
- Use SSL/HTTPS
- If your Magento site is an active site with lots of customers, it is a good idea to get an SSL certificate and require all users to use HTTPS. This provides added security when placing orders, logging in, or registering new accounts, and it gives your customers more confidence because the site uses SSL.
- Custom Admin Path
- Normally you would access the admin panel by going to your-domain.com/admin. Because this default path is well known, it makes it easier for attackers to find your admin login page. In addition to the secondary password mentioned above, we recommend changing the default path of the admin section to make things even more difficult for would-be attackers.
- For information on how to change your admin directory, please click here.
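The server-side measures from the secondary password, directory index, SSL/HTTPS and custom admin path sections above, written out as Apache .htaccess configuration. This is an added example, not part of this article or of Magento itself; the file paths, the user name and the credentials file location are placeholders, and it assumes your host allows these directives in .htaccess and that your custom admin path is a real directory on disk.

```apache
# --- .htaccess in the Magento document root (placeholder: /home/example/public_html) ---

# Disable directory indexing: a request for a bare folder returns 403
# instead of a listing of the files inside it.
Options -Indexes

# Force every request onto HTTPS (needs mod_rewrite; %{HTTPS} is set by mod_ssl).
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- .htaccess inside the renamed admin directory (placeholder: public_html/store-backend) ---

# Second login prompt (HTTP Basic auth) shown before the Magento admin form.
# Create the credentials file OUTSIDE the web root first, e.g.:
#   htpasswd -c /home/example/.htpasswd-admin storeadmin
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile /home/example/.htpasswd-admin
Require valid-user
```

Keep the .htpasswd file outside the document root so it can never be served to visitors, and test the HTTPS redirect from a private browser window before relying on it.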
- Use sFTP
- When possible, use sFTP rather than standard FTP. sFTP is far more secure because it runs over SSH (the SSH File Transfer Protocol), so all traffic, including your login credentials, is encrypted; plain FTP sends your password in clear text.
- For information on how to use sFTP, please click here.