If you have never heard of Magento Commerce (now known as Adobe Commerce), it is “an eCommerce platform built on open source technology…a flexible shopping cart system, as well as control over the look, content, and functionality of their online store” that is utilized as a solution for the eCommerce industry for small-to-medium businesses. This became an important solution as eCommerce rose 110% early in 2020. As part of the cloud, it is very secure, but no system is perfect. Experts say that almost 60 percent of website attacks are done by programmed bots.
Read on for a list of 30 Magento Store Protection security tips and tricks for automated security improvements for your website from us here at Jamerson.
As a cloud-based website, Magento Commerce, or Adobe Commerce, offers complete data protection for a business, but all systems are somewhat vulnerable to hackers. Take proactive steps to fortify your website by adopting Magento security strategies. The cost savings by using a set of tools for protection is far more than what you would spend to recover from an unprotected attack.
As one of the most widely-used platforms on the world wide web, Magento Commerce sees its fair share of intrusions and attacks to steal information. Here is a bit of hacking statistics: 50% of those attempts in 2019 came from Cross-Site Scripting (XSS) attacks, which inject malicious script into regular sites to steal information from online customers.
Ensure that you are frequently downloading the latest version, Magento Commerce 2.4.4., which has the most up-to-date security features and prevents Zero-day Exploits. It also gives more access to automated security functions.
Make sure your hosting provider has anti-hacking features and is the most secure. One way to do this is to find and use a hardened server that is managed by a cloud hosting provider, which could be more secure.
Never run a website or access one that does not use an encrypted URL connection, such as SSL or HTTPS that is attached to Magento online stores. It can be enabled in the settings. IT professionals say that HTTPS is becoming the gold standard for network traffic.
Using the default Admin URL (typically the website name/URL) is a serious risk given its known security vulnerabilities to lucky guesses and brute force hacking. Change the default URL in the settings by changing the Custom Admin Path to “Yes.” Then, enter the name of your new Custom Admin Path.
Hackers love it when you have a generic admin username because then they can start trying to crack your password. Simply changing your admin username gives hackers more work, which makes a breach less likely. Here’s a link from Adobe to show you how to change your Magento admin username and password.
2FA (or Two Factor Authentication) is more than a modern buzzword. It is an essential tool that adds a guardian to your account and makes it harder for unauthorized access. The confirmation popup can be sent to a secure app such as Google Authenticator or Duo Mobile.
Activate a forced password policy change in your access settings by lowering the amount of time between mandatory password updates, and doing so regularly. Frequent password changes prevent others from learning the current one.
Experts recommend using a unique password for every site. This is especially true for a platform like your Magento storefront, given its popularity for hackers. Do not save it in a file on your computer either.
Protecting your Magento Store with .htaccess (a type of hidden file) is a great idea if you are changing the account or want to fortify it. There are step-by-step guides available online to walk you through it.
Disabling admin account sharing in the Magento Commerce settings allows for only one set of admin logins to be used at once. If someone else tries to access it, the user will be logged out, demonstrating that someone else is trying to log in. This can be found in your settings.
Similar to the above tip, adding a Security Key to your admin panel controls who you share the Admin root access with and adds an extra layer to your account to shield against unauthorized access.
By enabling Captcha challenge fields as an embedded piece or as a pop-up and their special characters requirements fields on your Magento forms, you can help weed out bot access attempts.
IP whitelisting is done by adding an extension like GeoIP Ultimate Lock that allows or blocks ranges of IP addresses to avoid malicious network traffic. By focusing on specific countries, you can only allow whitelisted addresses to access your site.
Just like the above step, blocking specific regions by using IP Whitelisting and through Firewalls can invalidate access to your site to entire countries.
Having a limit to the login attempts for Magento Admin helps protect root access and shuts down the access when too many guesses are made. This is useful for avoiding brute force attacks from hackers. This is also managed through your settings.
It almost goes without saying, but always use a strong password, not hackable weak admin password ones like Magentostore123. If it helps you, passwords can be saved on browsers like Google Chrome or through apps like RoboForm and prevent you from adopting identical passwords. The industry standard is at least a 10-12 character alphanumeric password.
An active login of an admin session can be set to expire/terminate after a set period. If you leave your computer for a period, an automatic logoff avoids unauthorized access. This is done also through the settings.
Similar to the tip about the session timer, disabling directory indexing in the settings helps control the running of the site. A site’s indexing displays the pathways and links which control the consumer side of your website, so you will want to protect it.
A firewall can be directly compared to a shield around your website. Your Magento storefront can be secured with a Web Application Firewall as a security solution.
IT experts recommend adding background files and directory permissions to your website. This is a way to specifically avoid XSS attacks by setting a numerical file guideline.
Another way to control access to your site is to avoid sharing the root admin logins with as few people as possible, and by setting up recommended roles in the settings. By putting this in place you can detect suspicious activity from unauthorized users. Also, avoid sharing your security checklist too broadly.
MySQL injections are a type of code-based malware and are done by bad actors against your website. They can be prevented by ensuring you have firewalls and the latest Magento updates.
Email loopholes occur when a hacker gets access to your email and can set up a password reset to take over admin duties. These can be eliminated by using a private email address for it and ensuring 2FA is added to your admin login.
Data backups are a vital piece in running a website, and not just for security reasons. Using an offsite cloud-based active backup plan which saves your website information daily (or even hourly) avoids too much downtime and allows for recovery if hit with a ransomware event. Magento Commerce also allows you to manually start a backup.
Magento 2.0 is the latest version of the platform, so you will want to upgrade as soon as possible, and make sure you are proactively downloading the new Security Patch. And keep an eye on the list of notes for the patches to stay on top of vulnerabilities.
When adding third-party add-ons and security extensions to your eCommerce platform, always double-check the source and make sure you trust your vetting process. Some extensions create the ability to set automated security so be sure to download those.
Forget using FTP in your background website protocols; they are a relic of the old internet days. You should prefer using the newer SFTP systems or HTTPS as a shield against intrusions.
Magento’s Admin Activity Module is a first-party plugin that can be activated through the platform, and helps monitor the security of the site by showing all admin-based activities. This is a feature that is more hands-on than some of the other tips here.
Payment Card Industry Data Security Standard (PCI DSS) is an industry-level requirement. Magento already comes PCI compliant through its payment gateways so a customer’s credit card info is protected. This is more for consumer confidence than security, but still a good tool to have in your box.
A Security Audit, a thorough review of your platform’s strengths and weaknesses, can be done through the Magento Commerce platform itself, and should be done regularly. If that is not practical for a small-to-medium business and project owner, a trusted third-party professional can be contracted for it.
There are thousands of hack attempts every day, so chances are, you may become a victim of one. How to respond depends on the attack, whether it is ransomware or XSS. Do not be devastated by worrying too much about it. These 30 tips can reduce your security risk. If it has happened and you can’t solve it by yourself, consult with a Magento specialist. Or you can reach out to us at Jamersan for eCommerce support.
Security Scan Tools are another tool in your arsenal to defend against hackers. Here are seven of them that can be integrated with your Magento storefront to protect your customer accounts and your reputation as a business owner.
MageReport is an online service that can be deployed to scan and audit your Magento Commerce store. MageReport has a free version available, and it also analyzes popular third-party extensions.
This one focuses on malware and intrusions. Sucuri SiteCheck works through cloud-based instruments including execution improvements using a content delivery network (CDN). It is as easy as going to their website and entering your own URL.
The Foregenix Website Security Scan works by passively scanning for security weaknesses and delivers a total danger score to you, grading you on potential vulnerabilities to known hacks. Like Sucuri, it is available on its own website.
Qutterra is another cloud-based website scanner. It scans for hidden malware and specializes in code that otherwise appears normal. Qutterra is available on its own or as a plugin.
MageScan is an executable program to discover site and software vulnerabilities and offer suggestions for fixes. You can get it through its website to find hidden files on your platform.
By running your URL through Google Safe Browsing, you can discover if your site’s security certificate is out of date or if it has been corrupted with malware or other compromises.
Astra Magento Malware Scanner is another free website scanner where you enter your URL. After running through its machine learning program, it gives a report showing 60 known blacklists and over 140 security tests to see if your site was compromised.
The Magento 1.0 site version has reached its End Of Life (EOL) stage, or in other words, is “feature complete” as of June 2020. This means that although it is still used to run Magento storefronts, it is receiving no further support or a new security patch. This matters because sites running 1.0 are growing increasingly vulnerable and make attractive targets as hackers attack known issues, and official updates are no longer available to keep pace. We definitely recommend updating to version 2.0 as soon as possible.
What is Magento Commerce, now known as Adobe Commerce? It is the premium suite and generally offers more bang for the buck for an established business. It has built-in security and more features such as PCI Compliance. This means it is far more secure than using the Magento Open Source platform and has more frequent upgrades to stay ahead of problems and prevent credit card hacks.
Doing a Magento Commerce Security Assessment and features audit using a paid third-party application or an expert team can be more expensive than some of the scanner options listed here, but it is worth it for the peace of mind. Consider making the investment to ensure your site is fully protected.
Are you a business owner who still has a Magento Security Question or needs advice on which tools to use for your storefront? Request a FREE Consultation now!