Magento-Security


  • Create a complex password

This is one of the cardinal rules to follow while running an ecommerce store. As a Magento store owner you have access to sensitive information, so set a strong admin password that is hard for attackers to crack. While creating a password, make sure that:

    • Your password contains a minimum of 10 characters.
    • It comprises numerals and special characters.
    • It mixes upper-case and lower-case letters.
    • It has not been reused.
    • Your name or your company’s name is not used as the password.

Remember these instructions while creating a password, and in the end make sure the password you create is still easy for you to remember.
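As an added example (not part of the original article), the five rules above turned into a small policy checker. The previous-password hashes and the owner/store names are constructed sample data; a real system would compare against salted password hashes rather than plain SHA-256, which is used here only to keep the reuse check short.

```python
import hashlib
import string
from typing import Iterable, List, Set

MIN_LENGTH = 10  # the article's minimum of 10 characters

# Constructed sample data: hashes of passwords this account used before, and the
# personal/company terms that must not appear in a new password. Real systems store
# salted password hashes; plain SHA-256 is used here only to keep the example short.
PREVIOUS_PASSWORD_HASHES: Set[str] = {
    hashlib.sha256(b"OldPassw0rd!").hexdigest(),
}
PERSONAL_TERMS = ["Priya", "Acme"]  # constructed owner name and store name


def check_password(password: str,
                   previous_hashes: Set[str],
                   personal_terms: Iterable[str]) -> List[str]:
    """Return the list of policy rules the password violates (empty list means it passes)."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_special")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("no_mixed_case")

    # Reuse check: compare against the stored hashes of earlier passwords.
    if hashlib.sha256(password.encode("utf-8")).hexdigest() in previous_hashes:
        problems.append("reused")

    # Name / company-name check: case-insensitive substring match.
    lowered = password.lower()
    if any(term.lower() in lowered for term in personal_terms):
        problems.append("contains_personal_term")

    return problems


if __name__ == "__main__":
    for candidate in ["acme2019!", "OldPassw0rd!", "Tr4in-bottle#Lamp"]:
        result = check_password(candidate, PREVIOUS_PASSWORD_HASHES, PERSONAL_TERMS)
        print(candidate, "->", result or "OK")
```

Run it as-is to see one password rejected for being short, lower-case only and containing the store name, one rejected purely for reuse, and one that satisfies every rule.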

  • Modify the admin path

Using the default admin path simplifies a hacker’s job of cracking the admin username and password: once they reach the login page they can attempt the admin’s credentials by brute force. So it is highly recommended to change the admin path. There are two ways of doing it.

From the admin backend:

Go to System → Config → Admin → Admin Base URL → Use Custom Admin Path → Click ‘Yes’.

The other way is to edit your local.xml configuration file, which you will find at the path below:
app/etc/local.xml
You will find the code below in the local.xml configuration file.

    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>

Now replace admin inside the CDATA section of frontName with your new admin path.
After making the change, save the configuration file and refresh your cache.
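An added example, not from the original article: a check that parses the admin router block of local.xml and reports whether the store still answers on the default admin path. The two XML samples are constructed (the custom frontName value is made up), and the file path used by read_local_xml is the one the article gives.

```python
import xml.etree.ElementTree as ET
from typing import Optional

DEFAULT_FRONT_NAME = "admin"

# Constructed sample of the relevant part of app/etc/local.xml, still on the default path.
LOCAL_XML_DEFAULT = """<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""

# The same file after the frontName has been changed (the new path is a constructed value).
LOCAL_XML_CUSTOM = LOCAL_XML_DEFAULT.replace("[admin]]", "[backoffice-7r3q]]")


def admin_front_name(local_xml: str) -> Optional[str]:
    """Return the admin frontName configured in local.xml, or None if the element is absent."""
    root = ET.fromstring(local_xml)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    if node is None or node.text is None:
        return None
    # ElementTree hands back the CDATA content as plain text.
    return node.text.strip()


def uses_default_admin_path(local_xml: str) -> bool:
    """True when the store still answers on the default /admin path (or no path is configured)."""
    name = admin_front_name(local_xml)
    return name is None or name.lower() == DEFAULT_FRONT_NAME


def read_local_xml(path: str = "app/etc/local.xml") -> str:
    """Read the real configuration file from the Magento root (path from the article)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for label, xml_text in [("default", LOCAL_XML_DEFAULT), ("custom", LOCAL_XML_CUSTOM)]:
        print(label, "->", admin_front_name(xml_text),
              "| still on default path:", uses_default_admin_path(xml_text))
```

Pointed at a live store it becomes a one-line sanity check after the edit: uses_default_admin_path(read_local_xml()) should be False once the cache has been refreshed.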


  • Use the latest Magento version or install the security patch

It is always advisable to use the latest version of Magento. The Magento developers constantly scrutinize their product for security vulnerabilities. Whenever they find one they resolve it in the next release. If the issue is grave they develop a security patch and instruct their customers to install it immediately. Never neglect such messages.

  • Two-factor authentication

This is one of the best methods to ward off potential security attacks, as it prevents unreliable sources from gaining access to your Magento backend. Two-factor authentication adds an additional layer of security to your Magento site. With this technique, apart from entering the username and password, you also need to enter a security code that is regenerated every 30 seconds. So even if a hacker has your credentials he cannot log in to the site, as he will not have access to the security code that is sent to your mobile phone.
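To show what the "code that changes every 30 seconds" actually is, here is an added example (not code from the article or from Magento) of the time-based one-time password scheme that authenticator apps implement, RFC 6238 TOTP built on RFC 4226 HOTP. The secret is the 20-byte ASCII key from those RFCs' published test vectors, used here as a constructed demo value; the verifier accepts one neighbouring 30-second window on either side to tolerate clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # code lifetime, as stated in the article
DIGITS = 6

# Constructed demo secret: the 20-byte ASCII key from the RFC 4226 / RFC 6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second window."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the code for the current window plus `window` neighbouring windows (clock drift)."""
    counter = timestamp // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it (missing padding tolerated)."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now),
          "| valid for", STEP_SECONDS - now % STEP_SECONDS, "more seconds")
```

The point for the store owner: a stolen password alone fails verify_totp, because the code depends on a per-account secret the attacker never sees and on the current time window, so a captured code is useless a minute later.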

  • Encrypt pages where credentials are being entered

When vital credentials are sent over an unencrypted connection you run a huge risk of exposing them to unauthorized parties. To avoid customer credentials landing in unsafe hands, use a secure URL. Deploying secure URLs is mandatory, especially while processing a financial transaction. Magento gives you the option of using SSL for your site.

Go to System → Configuration → Web → Secure.

Under the ‘Secure’ tab you will come across ‘Use Secure URLs in Frontend’ and ‘Use Secure URLs in Admin’. Select ‘Yes’ for both.

  • Change password before & after working with third party developers

Some situations might demand the assistance of third-party Magento developers. For instance, when you require a new feature you will have to share your login credentials with them. Before granting them access, change your credentials, and don’t fail to change them again after the work is completed. The Magento developers you hire may be trustworthy, but you just cannot afford to take a chance.

  • Use genuine Magento extensions

No doubt, Magento extensions simplify our job at little or sometimes no cost. But some spurious Magento extensions act as a gateway for hackers to penetrate your site. So do extensive research (analyze the developer’s background, go through customer reviews and ratings, etc.) before integrating a third-party Magento extension into your site.

  • Take a backup of your store data frequently

To mitigate the impact of damage caused by security attacks, take a backup of your database and Magento files on a regular basis. Keep in mind to store the backups on a different server from the one hosting your Magento store. Cloud-based storage such as Amazon S3 is widely recommended, as it is very secure and synchronizes well with your Magento store.
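An added example, not part of the article: a file-backup routine that archives the Magento directory, records a SHA-256 manifest beside the archive, and verifies the archive against that manifest before it is trusted. The demo() run uses a constructed temporary directory and a dummy local.xml; the database dump (mysqldump) and the copy to off-site storage such as S3 are assumed to happen around this script and are not shown.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, dest_dir: Path, label: str = "magento-files") -> Path:
    """Archive source_dir into dest_dir and write a .sha256 manifest next to the archive."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"{label}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=label)
    manifest = archive.with_name(archive.name + ".sha256")
    manifest.write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """Re-hash the archive, compare with the manifest, and confirm the tar index still reads."""
    manifest = archive.with_name(archive.name + ".sha256")
    if not manifest.exists():
        return False
    expected = manifest.read_text().split()[0]
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except tarfile.TarError:
        return False
    return True


def demo() -> bool:
    """Constructed end-to-end run in a temp dir: back up, verify, corrupt the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "htdocs"
        (src / "app" / "etc").mkdir(parents=True)
        (src / "app" / "etc" / "local.xml").write_text("<config/>")  # constructed placeholder file
        dest = Path(tmp) / "backups"
        dest.mkdir()
        archive = create_backup(src, dest)
        ok_before = verify_backup(archive)
        with open(archive, "ab") as fh:  # simulate corruption of the copy in transit
            fh.write(b"\x00")
        ok_after = verify_backup(archive)
        return ok_before and not ok_after


if __name__ == "__main__":
    print("backup created, verified, and corruption detected:", demo())
```

Run verify_backup against the copy that lands on the other server, not only the local one; a backup that has never been verified on the remote side is the one that fails on the day it is needed.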

  • Strictly use superior quality anti-virus software

Using free antivirus software, or one that comes for a paltry sum, might work well for home PCs. But at the enterprise level you need superior-quality antivirus software that can plug security leaks and protect sensitive information from pilferage. Also, never forget to update your antivirus software regularly.

  • Get your Magento site reviewed by a security expert

Although your Magento developers might have the ability to layer up your Magento store’s security, it is still advisable to seek the services of a security expert. They will be fully aware of current security trends and adept at spotting the security loopholes in your Magento store. They will carry out a security test to unravel flawed application code and detect SQL injection, cross-site scripting and many other such security vulnerabilities.

In the end, no site can be 100% secure. You need to be wary of the security threats around you and equip your Magento site accordingly. Implement the precautionary measures mentioned above and you can successfully shield your site from security attacks.