Time to Lock Up: Security Tips for Your Magento Store

Published May 8th, 2014 by Michael Farin

Watch out for thieves! Brick-and-mortar store owners make sure they have adequate security – locks, cameras, alarms and sometimes a night watchman. Online stores aren’t that different. It’s easy for cyber-criminals to break in and phish, spam or steal your data – so you should make sure you have good security measures in place to keep out the bad guys.

Here are a few tips to help you beef up security for your Magento store. It’s like we’re giving your alarm system a free upgrade – how about that?

#1: Make sure you’re using the latest version of Magento.

It’s easy to skip or put off upgrades because “they’re not that important.” Bad idea – they are important. Magento gets updated regularly for a reason: later versions include security features the earlier ones don’t have. As soon as a stable release is launched, test and implement it right away. Minor headache now, but great protection later.

#2: Use two-factor authentication for all your passwords.

Having a “secure” password isn’t enough – you’ve got to double up. (Think double locks on your store’s front doors.) Use a two-factor authentication extension like Rublon or Extendware so that a guessed or stolen password alone isn’t enough to get a hacker in.

#3: Change your path for the Magento admin panel.

It’s easy to get to your admin panel via my-site.com/admin, isn’t it? Hackers think so too. And it’s simple for them to access your login page and start guessing passwords. Make it tougher for them by replacing /admin with a customized path: /magicportal or /stairwaytoheaven, for instance. Now, even if they figure out your password, they first have to find your login page. Just follow these steps:

  • Go to /app/etc/local.xml
  • Find the line <frontName><![CDATA[admin]]></frontName>
  • Replace “admin” with whatever you picked instead.

Easy for you. Hard for them.

#4: Send data via an encrypted connection.

An unencrypted connection can give hackers a sneak peek at your data, so make sure you use a secure SSL/HTTPS connection. It’s easy to encrypt your connections in Magento – just go to the system configuration menu and check the “Use Secure URLs” settings. Bonus: This will help make your Magento store compliant with the PCI data security standard.

#5: Use secure file transfer protocol.

Hackers often try to compromise e-commerce stores by guessing FTP passwords, so make sure that you’ve enabled SFTP (SSH File Transfer Protocol), which encrypts the session and authenticates users with private key files. Here’s how to set up SFTP for Magento. Increased FTP password security coming right up.

#6: Make sure your site is backed up.

Let’s say you’ve done everything right, and you’ve still gotten hacked. (Sadly, it does happen sometimes.) If you’ve backed up your site regularly, you’ll be able to recover after a crash or site compromise with very little data loss. Check with your hosting provider to see if they offer automatic backups – some do, some don’t, some charge extra. (At EndLayer, we back up all our client data 4x daily as part of our standard service agreement – but that’s just us.)

#7: Disable the directory indexing in your store.

Another good way to confuse hackers: hide the pathways that lead to your domain files. Here’s how to disable directory indexing. (Keep in mind, though, that while this prevents the bad guys from accessing your core files, they can still wiggle through if they already know the full path of your files.)
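Want to check tips #3, #4 and #7 on a store without clicking through the admin panel? Here’s a small read-only audit script we’re adding as an example – it’s not something Magento ships. It reads the admin front name from local.xml, queries the web/secure/* rows the way you’d query core_config_data on a real store, and looks for “Options -Indexes” in .htaccess. The XML fragment, the config rows and the .htaccess excerpts below are constructed samples (with the weak values left in on purpose); the local.xml layout and the web/secure/* config paths are Magento 1’s own.

```python
"""Read-only audit of three Magento 1 hardening points: the admin
front name in app/etc/local.xml, the secure-URL settings stored in
core_config_data, and directory indexing in .htaccess. All inputs
below are constructed samples, not files from a real store."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed local.xml fragment mirroring the Magento 1 template layout.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <install><date><![CDATA[Thu, 08 May 2014 12:00:00 +0000]]></date></install>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""

# Constructed rows shaped like Magento 1's core_config_data table
# (scope, scope_id, path, value); the weak values are deliberate.
SAMPLE_CONFIG_ROWS = [
    ("default", 0, "web/unsecure/base_url", "http://shop.example/"),
    ("default", 0, "web/secure/base_url", "http://shop.example/"),
    ("default", 0, "web/secure/use_in_frontend", "0"),
    ("default", 0, "web/secure/use_in_adminhtml", "1"),
]

# Constructed .htaccess excerpts: one still allows directory listings.
HTACCESS_LISTING_ON = "Options +FollowSymLinks\nRewriteEngine on\n"
HTACCESS_LISTING_OFF = "Options -Indexes +FollowSymLinks\nRewriteEngine on\n"


def admin_front_name(local_xml: str) -> str:
    """Return the admin router front name (the '/admin' part of the URL)."""
    root = ET.fromstring(local_xml)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    return (node.text or "").strip() if node is not None else "admin"


def secure_url_findings(rows) -> list:
    """Load the rows into an in-memory table and query it the same way
    you would query core_config_data on the live store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE core_config_data "
               "(scope TEXT, scope_id INT, path TEXT, value TEXT)")
    db.executemany("INSERT INTO core_config_data VALUES (?, ?, ?, ?)", rows)
    cfg = dict(db.execute(
        "SELECT path, value FROM core_config_data WHERE path LIKE 'web/secure/%'"))
    findings = []
    if not cfg.get("web/secure/base_url", "").startswith("https://"):
        findings.append("web/secure/base_url is not an https:// URL")
    for path in ("web/secure/use_in_frontend", "web/secure/use_in_adminhtml"):
        if cfg.get(path) != "1":
            findings.append(f"{path} is not enabled")
    return findings


def directory_listing_disabled(htaccess: str) -> bool:
    """True when an Options directive turns indexing off (-Indexes)."""
    for line in htaccess.splitlines():
        if re.match(r"\s*Options\b", line) and re.search(r"(?<!\w)-Indexes\b", line):
            return True
    return False


def audit(local_xml, rows, htaccess) -> list:
    """Collect every finding from the three checks into one list."""
    findings = []
    if admin_front_name(local_xml) == "admin":
        findings.append("admin panel still served at the default /admin path")
    findings += secure_url_findings(rows)
    if not directory_listing_disabled(htaccess):
        findings.append(".htaccess does not set Options -Indexes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCAL_XML, SAMPLE_CONFIG_ROWS, HTACCESS_LISTING_ON):
        print("FINDING:", finding)
```

Run against the samples it reports four findings; point it at your own local.xml, a dump of the web/secure/* rows and your .htaccess and it should come back empty once the three tips are done.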

#8: Be password-smart.

Make sure you’ve chosen a strong password – one that’s easy to remember, yet hard to guess. Use a mix of letters, numbers and symbols, and don’t use dates or dictionary words. And don’t forget to keep your Magento passwords separate from all your other passwords – no recycling! You can read our full list of password tips here.
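If you’d rather have a script enforce those rules than trust your memory, here’s an added example (ours, not a Magento feature) that checks a candidate password against them: length, a mix of letters, numbers and symbols, no dates, no dictionary words (even with the usual @, 0 and $ substitutions), and no reuse. The word list and the “already used” set are constructed stand-ins; swap in a real wordlist and your own records.

```python
"""Offline check of the password rules from tip #8. This is an added
example, not part of Magento; DICTIONARY and ALREADY_USED are
constructed stand-ins for a real wordlist and your own records."""
import re
import string

# Constructed stand-in for a real dictionary; use a full wordlist in practice.
DICTIONARY = {"password", "magento", "store", "admin", "welcome", "summer"}

# Constructed stand-in for passwords already in use on other accounts.
ALREADY_USED = {"Summer2014!"}

MIN_LENGTH = 12

# Common letter-for-symbol/digit swaps, undone before the dictionary check.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "7": "t"})

DATE_PATTERNS = (
    r"(19|20)\d{2}",                           # a four-digit year
    r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b",    # 05/08/2014 style
)


def password_problems(pw: str, used=ALREADY_USED) -> list:
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"\d", pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    if any(re.search(p, pw) for p in DATE_PATTERNS):
        problems.append("contains a date")
    # Undo leetspeak, then compare each alphabetic run to the dictionary.
    for word in re.findall(r"[A-Za-z]{4,}", pw.translate(LEET_MAP)):
        if word.lower() in DICTIONARY:
            problems.append(f"contains dictionary word '{word.lower()}'")
    if pw in used:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2014!", "P@ssw0rd!2014x", "xq7#Lm!vR2pz$"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

Note that the reuse check compares plaintext only because the sample set is constructed; in a real deployment you would compare against stored hashes, never a list of plaintext passwords.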

#9: Keep your Magento email a secret.

Magento provides a password recovery service through your pre-configured Magento address – but what if that email gets hacked? Don’t make your Magento email address public. Enough said.

#10: Add firewalls to prevent MySQL injection.

The newer versions of Magento provide lots of patches and resources to thwart SQL injection against your MySQL database, but sometimes a clever hacker can slip through the fence. Use an additional web application firewall like NAXSI to keep the bad guys out.

For more tips on security and ecommerce, read our articles here.
