Checklist for securing your Magento Store

Andy Holland

The main reason to protect your store is to protect your clients’ data. Hackers may want your own information, but your priority should be to protect your clients. If you do not, it can affect your credibility and reputation, and you could end up breaking the law when it comes to PCI compliance. To avoid letting your information – or your clients’ – fall into the hands of criminals, follow these Magento security guidelines.


Software updates don’t just give you new features; they also correct errors in old ones and remove vulnerabilities. It is therefore key to run the latest software versions available.


You can never be 100% secure from hackers, but by regularly saving backups you give yourself more security and can protect yourself from lots of problems. Never store them on the same server as the original website, and regularly restore your copies on a sandbox to make sure they work.

Strong passwords

The admin password is the last line of defense for your store, so it needs to be strong! Use more than ten characters, with upper and lower case letters, punctuation marks and numbers.

Unique passwords

As with anything you use a password for, it is a good idea to use unique ones – this doesn’t just make sense for Magento, but for everything you do online! If you use identical passwords for multiple logins you run the risk of losing all of your accounts at once.

Don’t store passwords on your computer

A major function of Trojan software is to steal saved passwords. Be particularly careful with FTP clients and browsers, as passwords are stolen through these applications most often. Never let this software save passwords unless it encrypts the stored access details with a master password.

Change passwords

Change your passwords at least every six months. Your passwords may already have leaked without your knowledge, simply because the hacker hasn’t used them yet. Regular changeovers make leaked data useless. Ensure passwords are changed for everyone who uses the website.

Two-factor authorization

The strongest password in the world is redundant if stolen. To raise the level of security for your site you should use a second authorization factor, like an IP address. To limit backend access, add the following lines to the VirtualHost section of the Apache web server configuration:

Order Deny,Allow
Deny from All
Allow from

NB: be careful – if you add these exact lines to your .htaccess file it will cause an error – use your IP address (ensure it’s static too).


Even though Magento has lots of code specifically set up to guard you from SQL injections, you should still set up a firewall to deny public access to everything other than the web server. If you have no permanent IP address to give access through the firewall, use a VPN or Port Knocking.

You could also consider installing a web app firewall.


When using a public hotspot like a cafe you risk a man-in-the-middle (MitM) attack. Using encrypted connections for authorization helps prevent that: simply generate a self-signed certificate and make it trusted in your browser.

Look for suspicious activity in logs

Regularly check your logs for login attempts from unusual countries and unsuccessful attempts: these can be signs of breach attempts. Also think about blocking countries you don’t ship to.

Forget FTP

The FTP protocol is simply outdated. Use the SFTP protocol instead.

Set baseline minimum access permissions

Set minimum access permissions for server activities. In Magento, write access is needed only in app/etc, media, var and includes/.

For security, the best combination is for the website source code to be owned by one user (for example, admin) while the web server runs the code as a second user (e.g. apache).
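As an added check (not from the original article), the script below audits a Magento tree for write permissions outside the directories listed above, reporting world-writable entries and group-writable entries that the web server user should not be able to modify; the directory list is the article’s, and the sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Directories the article says the web server must write to; everything else stays read-only for it.
WRITABLE_DIRS = ("app/etc", "media", "var", "includes")

def is_allowed_writable(rel_path):
    """True if rel_path is one of WRITABLE_DIRS or lies beneath one."""
    rel = rel_path.replace(os.sep, "/")
    return any(rel == d or rel.startswith(d + "/") for d in WRITABLE_DIRS)

def audit(root):
    """Return sorted (relative path, octal mode, reason) for every suspicious entry under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif mode & stat.S_IWGRP and not is_allowed_writable(rel):
                findings.append((rel, oct(mode), "group-writable outside allowed dirs"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample store (not a real install) with two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="magento-audit-")
    files = {
        "app/etc/local.xml": 0o660,                      # fine: web server writes config here
        "var/cache/entry": 0o660,                        # fine: cache lives in var/
        "app/code/core/Mage/Core/Model/App.php": 0o640,  # fine: code is read-only for apache
        "app/code/local/Foo/Bar.php": 0o660,             # mistake: web server could alter code
        "index.php": 0o666,                              # mistake: world-writable
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)  # chmod is not subject to umask, unlike open()/makedirs()
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            os.chmod(full, 0o770 if is_allowed_writable(os.path.relpath(full, root)) else 0o750)
    return root

def audit_sample():
    return audit(build_sample_tree())
```

Run audit() against the document root of a real store; audit_sample() only demonstrates the logic on the constructed tree, where the two deliberate mistakes are the only findings.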

Antivirus software

Use trusted antivirus software and keep it regularly updated. Daily updates add information about newly discovered malware to its database, which strengthens the protection of your data while keeping you safe from infection.