Magento Security Tips

Alex Rhodes

Because it is so widely deployed, Magento is a constant target for automated attacks.

It ships with a good set of security features out of the box, but the following steps will make an e-commerce site considerably harder to compromise.

  • Create a Custom Admin Path

Automated tools try username and password combinations against login forms at a very high rate. If your admin panel still sits at the default path (/admin), attackers know exactly where to point them, and a weak password will eventually be found.

Don’t make this change through the “Admin Base URL” settings in System > Configuration > Advanced > Admin: a wrong value there can lock you out of the admin panel. Instead, open app/etc/local.xml, locate the “<![CDATA[admin]]>” entry (the frontName under admin > routers > adminhtml), change “admin” to the path you want to use, then flush the configuration cache. Pick something that cannot be guessed, and keep to letters, digits and hyphens so the path is unambiguous in a URL.
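As an added example (not code from the article or from Magento itself), the script below rewrites the admin front name in a local.xml and refuses names that would leave the panel guessable or unreachable. It assumes the stock Magento 1 layout, with the value wrapped in CDATA exactly as the article describes; the sample file, the character rule and the list of obvious names are constructed for the example.

```python
"""Rename the Magento 1 admin front name in app/etc/local.xml.

Added example, not code from the article or from Magento. Assumes the
stock file layout: config/admin/routers/adminhtml/args/frontName holding
a CDATA-wrapped value, as in the article.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the part of local.xml that matters here (the
# real file also carries database credentials and the crypt key).
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install><date><![CDATA[Sat, 01 Jan 2000 00:00:00 +0000]]></date></install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

FRONT_NAME_PATH = "./admin/routers/adminhtml/args/frontName"
# Matches <frontName><![CDATA[...]]></frontName> and keeps the wrapper intact.
FRONT_NAME_RE = re.compile(r"(<frontName>\s*<!\[CDATA\[)([^\]]*)(\]\]>\s*</frontName>)")
# Character rule chosen for this example (not a Magento rule): a plain URL
# path segment, 6 to 64 characters, starting with a letter or digit.
VALID_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{5,63}$")
# Names an attacker would try first; constructed list for the example.
OBVIOUS_NAMES = {"admin", "administrator", "backend", "manage", "login", "panel"}


def current_front_name(xml_text: str) -> str:
    """Parse the file and return the admin front name currently in force."""
    node = ET.fromstring(xml_text).find(FRONT_NAME_PATH)
    if node is None or not node.text:
        raise ValueError("frontName not found in local.xml")
    return node.text.strip()


def is_acceptable_name(name: str) -> bool:
    """True if the name is URL-safe and not one of the obvious guesses."""
    return bool(VALID_NAME.match(name)) and name.lower() not in OBVIOUS_NAMES


def set_front_name(xml_text: str, new_name: str) -> str:
    """Return the file text with the front name replaced, byte-for-byte
    otherwise, and verify the result parses back to the new name."""
    if not is_acceptable_name(new_name):
        raise ValueError(f"refusing front name {new_name!r}: guessable or not URL-safe")
    updated, count = FRONT_NAME_RE.subn(lambda m: m.group(1) + new_name + m.group(3), xml_text)
    if count != 1:
        raise ValueError(f"expected exactly one CDATA frontName entry, found {count}")
    # Re-parse to make sure the edit did not break the XML or miss the node.
    if current_front_name(updated) != new_name:
        raise RuntimeError("front name did not change as expected")
    return updated


if __name__ == "__main__":
    print("before:", current_front_name(SAMPLE_LOCAL_XML))
    print("after: ", current_front_name(set_front_name(SAMPLE_LOCAL_XML, "shop-office-7k2q")))
```

Run it against a copy of your own local.xml, keep the original until you have confirmed the new path loads, and flush the cache afterwards; the old /admin path simply stops routing to the panel.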

  • Choose a Strong and Unique Login and Change it Regularly

Changing the admin URL is worth doing, but it is little more than security by obscurity: it hides the login page, it does not protect it. Assume an attacker can still find the page, so make the password strong and never reuse it on another site. Change it periodically, and always after outside parties (a contractor or agency, for example) have had access. A good minimum is 15 characters mixing upper and lower case, digits and punctuation; a long passphrase meets that easily and is simpler to remember.

  • Don’t Save Passwords on Your Hardware

Don’t let a browser remember the admin password, especially on a shared or unencrypted device: if the device is stolen or compromised, every saved credential goes with it. If you rely on a password manager, choose a reputable one, protect it with a strong master passphrase, and keep full-disk encryption and a screen lock on every device that holds the vault; a cloud-synced vault is only as safe as the passphrase protecting it.

  • Two-Factor Authentication

Two-factor authentication asks for a second proof in addition to the password: a short code from an authenticator app on your phone that changes every 30 seconds. The code is not random; it is computed from a secret shared with the server and the current time (the TOTP scheme), so a stolen password alone is no longer enough. The phone app itself is free; what you add to Magento is an extension from Magento Connect that prompts for the code and verifies it at admin login.

  • Stay Up-To-Date

Magento publishes security patches periodically. Apply them as soon as the notification appears in your admin panel: attackers start scanning for unpatched stores shortly after a patch is public. Keep the rest of the stack current too (PHP, the web server, the operating system, anti-virus software), since new versions fix newly discovered vulnerabilities.

  • Use HTTPS/SSL For Your Login Pages

Every login sends your credentials across the network; without encryption, anyone on the path can read them. Require an encrypted connection.

Check first that https://… already works for your domain with a valid certificate, otherwise the next step can lock you out of the admin. Then go to the “System” tab in the toolbar, select “Configuration”, click “Web” and expand “Secure”. Change the Base URL of your store from http://… to https://…, set both “Use Secure URLs in Frontend” and “Use Secure URLs in Admin” to “Yes”, and click “Save Config”.

  • Use a Private and Secure Email Address

If the email address tied to your admin account is public (on social media, on your site’s contact page), it becomes a target. An attacker who gets into that mailbox can go to the Magento admin login, request a password reset and take control of the store. Use a dedicated address that is not published anywhere, and protect that mailbox as carefully as the store itself.

  • Use Secure FTP

Plain FTP sends the username and password unencrypted, so anyone able to sniff the connection can capture them and upload whatever they like to the store. Use SFTP (file transfer over SSH) or FTPS (FTP over TLS) with a strong password instead. Better still, use SFTP with public-key authentication and disable password logins altogether.

  • Use Only Trusted Extensions

Check the reviews, maintenance history and developer reputation of any extension before installing it, remove extensions you no longer use, and keep the rest up to date.

  • Regularly Back Everything Up

Common sense, but often neglected. Back up the database and the filesystem regularly, keep copies off the web server, and test that you can actually restore from them; backups are what let you recover from anything from a bad upgrade to a full compromise.

These tips may seem obvious, but it is surprising how often one, or several, get overlooked. A regular professional security review is also worthwhile.
