Although the security of all websites is important, the security of an eCommerce website is particularly
important because these sites keep records of users’ data and order-related financial
information. Any breach of that data can cause a huge loss to your store. Although
Magento is considered the safest and most secure eCommerce CMS, there are
still some additional steps you can take to harden it further. In
this article I’ve explored some easy-to-implement steps to make your
Magento store even more secure and robust.
1. Making the Admin Name & Password Secure
One of the first steps towards securing your Magento site is
using a secure username and password. The rule of thumb for creating a secure
password is to avoid anything easily guessable, such as strings like ‘123’ or ‘abc’,
your phone number, or your date of birth. It is best practice to use a password longer
than eight characters that combines letters (a, b, c, etc.), numbers (1, 2, 3, etc.) and
special characters (@, &, #, etc.).
Besides having a secure password, it is also very important
to create a username which is not easily predictable. Many attacks
succeed because the attacker only has to guess the password: the username is
usually left at an easy-to-guess default such as ‘admin’ or ‘administrator’.
Therefore I strongly advise you to create non-generic usernames like your nickname, last name, company name, etc. There is an option to create a username at the
time of installing Magento, but even after installation, you can change your Magento
username and password by going to System > My Account.
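As an added example (not code from the article or from Magento), here is a small policy check that encodes the two rules above: a non-generic username, and a password longer than eight characters that mixes letters, digits and symbols and avoids guessable fragments. The list of generic usernames and guessable fragments is constructed for illustration.

```python
"""Added example (not from the article): policy check for Magento admin credentials."""
import re
from typing import List

# Constructed list of usernames the article warns against, plus common variants.
GENERIC_USERNAMES = {"admin", "administrator", "root", "user", "test", "magento"}
# Trivially guessable fragments named in the article, plus a couple of similar ones.
GUESSABLE_FRAGMENTS = ("123", "abc", "password", "qwerty")


def check_admin_credentials(username: str, password: str) -> List[str]:
    """Return a list of findings; an empty list means both values pass the policy."""
    findings = []
    if username.strip().lower() in GENERIC_USERNAMES:
        findings.append("username is generic; an attacker only needs to guess the password")
    if len(password) <= 8:
        findings.append("password must be longer than eight characters")
    if not re.search(r"[A-Za-z]", password):
        findings.append("password has no letters")
    if not re.search(r"[0-9]", password):
        findings.append("password has no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("password has no special characters")
    lowered = password.lower()
    for fragment in GUESSABLE_FRAGMENTS:
        if fragment in lowered:
            findings.append(f"password contains guessable fragment '{fragment}'")
    # A phone number or date of birth shows up as a long run of digits.
    if re.search(r"\d{6,}", password):
        findings.append("password contains a long digit run (phone number or date?)")
    if len(username) >= 3 and username.lower() in lowered:
        findings.append("password contains the username")
    return findings


if __name__ == "__main__":
    for user, pw in [("admin", "abc123"), ("jsmith_ltd", "Tr0ub&dor-2k19")]:
        print(user, check_admin_credentials(user, pw) or "OK")
```

Run it against the values you intend to set before saving them in System > My Account; every finding is one of the weaknesses the article describes.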
2. Creating a Custom Path for the Admin Panel
By default the admin panel path for Magento looks like this:
http://myexamplestore.com/admin. Because this path is well known to everyone, it attracts
many attacks. If we change the admin path to a unique and unpredictable one like
http://myexamplestore.com/secureadmin, we can nip most hacking attempts in the bud. This
small step can heavily contribute to making your Magento installation much more
secure, and can be the best defense against Broken Authentication and Session
Management attacks.
To change the admin path in Magento, open the app/etc/local.xml
file, find the line containing <![CDATA[admin]]>, and replace
the string admin with the name you want. For instance, if you want to
change the admin panel URL to http://myexamplestore.com/securedadmin, change the CDATA code
to <![CDATA[securedadmin]]>.
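As an added example (not the article's or Magento's own code), the script below reads the admin front name from a local.xml, reports whether it is still the well-known default, and rewrites it. It assumes the stock Magento 1 layout, where the value sits at config/admin/routers/adminhtml/args/frontName; the XML shown is a constructed excerpt. Magento 1 caches its configuration, so after editing the real file you still need to clear var/cache (or flush the cache from the admin panel) before the new path takes effect.

```python
"""Added example (not from the article): audit and change the admin front name in local.xml."""
import xml.etree.ElementTree as ET

# Location of the admin front name in a stock Magento 1 local.xml (assumed layout).
FRONTNAME_PATH = "admin/routers/adminhtml/args/frontName"

# Constructed sample of the relevant part of local.xml, still at the default value.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install><date><![CDATA[Sat, 01 Jan 2011 00:00:00 +0000]]></date></install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""


def get_admin_frontname(xml_text: str) -> str:
    """Return the configured admin front name, or '' if the node is missing."""
    node = ET.fromstring(xml_text).find(FRONTNAME_PATH)
    return (node.text or "").strip() if node is not None else ""


def frontname_is_default(xml_text: str) -> bool:
    """True when the admin panel still answers at the well-known /admin path."""
    return get_admin_frontname(xml_text).lower() in ("", "admin")


def set_admin_frontname(xml_text: str, new_name: str) -> str:
    """Return a copy of the XML with the admin front name replaced.
    ElementTree drops the CDATA wrapper; plain text and CDATA parse to the same value."""
    if not new_name.isalnum():
        raise ValueError("front name should be a plain alphanumeric path segment")
    root = ET.fromstring(xml_text)
    node = root.find(FRONTNAME_PATH)
    if node is None:
        raise ValueError("frontName node not found in local.xml")
    node.text = new_name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("default path in use:", frontname_is_default(SAMPLE_LOCAL_XML))
    changed = set_admin_frontname(SAMPLE_LOCAL_XML, "securedadmin")
    print("new front name:", get_admin_frontname(changed))
```

The check is worth running across every store you maintain: a front name of admin (or a missing node, which Magento treats the same way) is the finding.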
3. Adding Two-Factor Authentication for Admin
A common technique for increasing any system's security is to add another layer to it using two-factor authentication, where the system demands two separate proofs of identity before granting access.
A simple example of this is ATM card authentication. You not only have to
insert your card, as one factor of the authentication, but also enter your PIN code, which is
another factor, hence two-factor authentication.
There are some excellent extensions available which
enable two-factor authentication in Magento, and make it much more secure.
One such Magento extension is Rubon. It
allows you to add trusted smartphone devices, through which you can access the Magento
admin panel. Another is Extendware,
which adds two-factor authentication to your system through Google
Authenticator. Both of them are very good extensions, and worth a try.
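The codes that Google Authenticator produces are ordinary TOTP values (RFC 6238), so it is worth seeing the second factor end to end. This is an added example, not code from the article or from either extension: the HOTP core, the time-step wrapper, and a verifier that tolerates one step of clock drift between phone and server. The base32 secret in the demo is a constructed value; a real deployment generates random bytes per admin user.

```python
"""Added example (not from the article): TOTP as used by Google Authenticator."""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code, the Authenticator default
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: last nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 time-based code: HOTP over the number of elapsed time steps."""
    return hotp(key, at // step, digits)


def verify_totp(code: str, key: bytes, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    which tolerates clock drift. The comparison is constant-time so a wrong
    guess leaks nothing through timing."""
    counter = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(key, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (case-insensitive, often unpadded)."""
    cleaned = secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    key = secret_from_base32("JBSWY3DPEHPK3PXP")  # constructed demo secret
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "valid:", verify_totp(code, key, now))
```

Two design points matter for the admin login: the server must also reject a code that has already been used within its window (replay), and the window should stay small, since every extra step multiplies the number of codes an attacker could guess.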
4. Using an Encrypted (SSL/HTTPS) Connection
Another quite easy-to-implement Magento security step is to enable HTTPS/SSL secure URLs.
Whenever data is communicated between you and
your server, there is a risk of that data being intercepted by third parties. As that data can contain vital information like login details,
database information, etc., that data falling into the wrong hands can cause
significant trouble.
It is therefore always a good idea to use a secure, encrypted
connection for transmitting data. Making your site HTTPS/SSL encrypted
will also make it PCI-compliant, and more trustworthy in the eyes of your
customers.
You can do that in Magento by simply going to
System > Configuration > General > Web. In Base URL, change 'http' to 'https', and enable Use secure URLs in Frontend and Use secure URLs in Admin.
5. Using Secure FTP for File Upload
While it is important to encrypt and secure the data
transfer between your browser and your server, it is also pertinent to secure
the data communication to your server via FTP. One of the common ways of
hacking internet sites is by intercepting FTP passwords, which plain FTP sends unencrypted. This
problem can be effectively checked by using SFTP (SSH File Transfer Protocol). This
protocol encrypts the whole session, including user credentials, and can additionally
authenticate with a private key file instead of a password. You should also ensure that your file permissions
are not set to 777, as this makes them writable by anyone on the server, and is a security risk.
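As an added example (not from the article), here is an audit that walks a Magento document root and lists every file or directory that is world-writable, which is what 777 grants, together with a helper that clears the other-write bit. The directory it scans is constructed in a temporary folder so the script runs anywhere; point find_world_writable at the real root to audit a store.

```python
"""Added example (not from the article): find and fix world-writable paths under a web root."""
import os
import stat
import tempfile
from typing import List


def find_world_writable(root: str) -> List[str]:
    """Return paths under `root` whose mode grants write access to 'other'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if stat.S_ISLNK(mode):
                continue  # symlink modes are not meaningful on most systems
            if mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def fix_world_writable(root: str) -> List[str]:
    """Clear the other-write bit on every hit and return the paths changed.
    Only that one bit is touched, so directories stay traversable."""
    fixed = []
    for rel in find_world_writable(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        fixed.append(rel)
    return fixed


def build_demo_tree() -> str:
    """Constructed mini document root: one 644 file, one 777 file, one 777 directory."""
    root = tempfile.mkdtemp(prefix="magento_demo_")
    upload_dir = os.path.join(root, "media", "upload")
    os.makedirs(upload_dir)
    os.chmod(upload_dir, 0o777)
    for rel, mode in (("index.php", 0o644), (os.path.join("media", "upload", "x.jpg"), 0o777)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("demo")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("world-writable:", find_world_writable(demo_root))
    print("fixed:", fix_world_writable(demo_root))
    print("remaining:", find_world_writable(demo_root))
```

Run the audit before the fix and review the list: a writable media/ directory owned by the web server user is normal, but a world-writable PHP file means anyone with a shell on the host can change what your store executes.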
6. Restricting Admin Access to Only Pre-Approved IP Addresses
There is an option in Magento by which we can pre-define IP
addresses which can access the Magento admin panel. This step can add a great
security layer to your Magento store. You can create a list of IP addresses of
your and your coworkers’ computers and add them to the list of IP addresses which can access your Magento site’s admin panel. Users coming from any other IP address
will not be able to access your Magento admin panel.
To enable this IP address restriction, first of all you need to edit your .htaccess file
to enter the IP addresses you want to allow. For that, enter the following code
in the .htaccess file:
Here the IP address ‘192.168.112.11’ is allowed, and so is
every IP address starting with ‘168.121’. You can allow as many IP addresses as you want, following this format. All other IP addresses not listed there will be
denied access.
The next step is to create a new folder ‘admin’ in your Magento
root directory. Copy Magento's index.php file into that folder, and change the
relative paths to the config.php and Mage.php files by changing these two lines:
Notice that we have only added ../ to these file paths.
Now we have to direct the users coming to our admin paths to this
directory. To do that, enter these lines into your .htaccess file:
Here {admin_path} indicates the new admin path we manually changed
in step 2. For instance it can be securedadmin, as we defined in the step 2 example.
Please note that you should only implement this security
step if your ISP provides you with a static IP address. Some ISPs assign a different dynamic IP
address to users each time they connect to the internet. In such cases, as your
IP address keeps changing, you shouldn't implement this security step.
7. Disabling Malicious PHP Functions
Some PHP functions are frequently abused by injected malicious code and
are therefore security risks. It is best to disable these functions in the
first place. If your code relies on any such function, the best way is to switch to a
more secure alternative with similar functionality. To disable such
functions, open your php.ini file and add the following code to it:
If your php.ini file already has a disable_functions line,
simply append the functions given in the above code to it. If any of the above-mentioned functions is really needed by your theme/module files, and you are unable to find an alternative, you can omit it from the list.
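Appending to an existing disable_functions line by hand is easy to get wrong (a dropped entry silently re-enables a function). As an added example (not from the article), the script below merges a list into the directive without losing what is already there, and scans PHP source for calls to the functions about to be disabled so you know what would break. The php.ini excerpt, the PHP snippet and the function list are all constructed; the article's own list is not reproduced here.

```python
"""Added example (not from the article): merge php.ini disable_functions and find affected calls."""
import re
from typing import List, Set

# Constructed list used for illustration: the shell-execution helpers a web shell
# typically relies on. Tailor it to what your store actually needs.
FUNCTIONS_TO_DISABLE = ["exec", "shell_exec", "system", "passthru", "proc_open", "popen"]

# Constructed php.ini excerpt with a pre-existing disable_functions line.
SAMPLE_PHP_INI = """; constructed php.ini excerpt
memory_limit = 256M
disable_functions = pcntl_fork,pcntl_exec
expose_php = Off
"""

# Constructed snippet from a hypothetical custom module.
SAMPLE_MODULE_PHP = """<?php
$rev = shell_exec('git rev-parse HEAD');   // global call: breaks once disabled
$cache->system('flush');                   // method call, not the global function
$result = my_exec($rev);                   // different function, same suffix
echo strlen($rev);
"""

LINE_RE = re.compile(r"^[ \t]*disable_functions[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_disabled(ini_text: str) -> List[str]:
    """Return the functions currently listed in disable_functions (empty if none)."""
    m = LINE_RE.search(ini_text)
    if not m:
        return []
    value = m.group(1).split(";", 1)[0].strip().strip('"')  # drop comment and quotes
    return [f.strip() for f in value.split(",") if f.strip()]


def merge_disable_functions(ini_text: str, extra: List[str]) -> str:
    """Return php.ini text whose disable_functions holds the old entries plus `extra`."""
    merged = parse_disabled(ini_text)
    for fn in extra:
        if fn not in merged:
            merged.append(fn)
    new_line = "disable_functions = " + ",".join(merged)
    if LINE_RE.search(ini_text):
        return LINE_RE.sub(new_line, ini_text, count=1)
    return ini_text.rstrip("\n") + "\n" + new_line + "\n"


def find_calls(php_source: str, functions: List[str]) -> Set[str]:
    """Names from `functions` called as global functions in the source. These
    need an alternative before disabling, or must stay off the list."""
    found = set()
    for fn in functions:
        # Exclude $var(, ->method(, ::static( and longer names sharing the suffix.
        pattern = r"(?<![\w$>:])" + re.escape(fn) + r"\s*\("
        if re.search(pattern, php_source, re.IGNORECASE):
            found.add(fn)
    return found


if __name__ == "__main__":
    print(merge_disable_functions(SAMPLE_PHP_INI, FUNCTIONS_TO_DISABLE))
    print("still called:", find_calls(SAMPLE_MODULE_PHP, FUNCTIONS_TO_DISABLE))
```

Run find_calls over app/code and your theme before changing php.ini; anything it reports is either rewritten first or, as the article says, left out of the list.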
8. Disabling Directory Indexing
Directory listing is another loophole in many servers.
Through directory listing, anyone can enter your website’s URL and see the
directory structure and file locations of your whole website (like the screenshot
below). This can make your website very vulnerable to attacks.
[Screenshot: a server's directory listing page. Image Credit: Red Leopard]
This loophole can be effectively plugged by disabling
directory indexing. For this, add the following line of code in your .htaccess
file:
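The two .htaccess changes above (restricting the admin entry point to approved IP addresses in step 6, and disabling directory listing here) are easy to get subtly wrong, in particular the partial-address form of an Allow rule. As an added example (not from the article), the script below parses Apache 2.2-style Order/Deny/Allow directives and an Options line from a constructed .htaccess, evaluates which client addresses get through, and reports whether Indexes is off. The two IP values are the ones named in the article. Note that this is the Apache 2.2 syntax; Apache 2.4 expresses the same rules with Require ip and only honours Order/Allow/Deny when mod_access_compat is loaded.

```python
"""Added example (not from the article): evaluate Apache 2.2 access rules and Options -Indexes."""
from typing import List, Tuple

# Constructed .htaccess combining the article's step 6 and step 8 settings.
SAMPLE_HTACCESS = """
# lock the admin entry point to approved addresses
Order Deny,Allow
Deny from all
Allow from 192.168.112.11
Allow from 168.121

# never show directory listings
Options -Indexes
"""


def parse_access_rules(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (order, allow_list, deny_list) from Order/Allow/Deny directives."""
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif keyword in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if keyword == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def host_matches(ip: str, pattern: str) -> bool:
    """'all' matches everything; a partial address such as '168.121' matches on
    whole octets only, so '168.12' must NOT match '168.121.x.x'."""
    if pattern.lower() == "all":
        return True
    ip_octets = ip.split(".")
    pat_octets = pattern.split(".")
    return len(pat_octets) <= len(ip_octets) and ip_octets[: len(pat_octets)] == pat_octets


def is_allowed(ip: str, text: str) -> bool:
    """Apache Order semantics: Deny,Allow defaults to allow and an Allow match
    overrides a Deny match; Allow,Deny defaults to deny and a Deny match wins."""
    order, allow, deny = parse_access_rules(text)
    allowed = any(host_matches(ip, p) for p in allow)
    denied = any(host_matches(ip, p) for p in deny)
    if order == "allow,deny":
        return allowed and not denied
    return allowed or not denied


def indexing_disabled(text: str) -> bool:
    """True if an Options line leaves Indexes off: either '-Indexes' in a +/-
    list, or an absolute list that does not include Indexes or All."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0].lower() == "options":
            opts = [p.lower() for p in parts[1:]]
            if all(o[0] in "+-" for o in opts):
                return "-indexes" in opts and "+indexes" not in opts
            return "indexes" not in opts and "all" not in opts
    return False  # nothing said here; the server-level default decides


if __name__ == "__main__":
    for client in ("192.168.112.11", "168.121.5.5", "168.12.5.5", "10.0.0.1"):
        print(client, "allowed" if is_allowed(client, SAMPLE_HTACCESS) else "denied")
    print("directory listing disabled:", indexing_disabled(SAMPLE_HTACCESS))
```

The case worth noticing is 168.12.5.5: a prefix rule is matched octet by octet, so ‘168.121’ covers 168.121.0.0/16 and nothing else. A home-grown check written with a plain string prefix would get this wrong in the opposite direction and let 168.121.x.x through on a rule meant for 168.12.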
9. Lowering the Risk of MySQL Injections
Like any other eCommerce system, Magento websites have many
form fields where users can enter data, like order fields, profile fields, customer
review fields, etc. Sometimes attackers use these fields to inject a MySQL statement,
which can disclose back-end technology information, or can enable access to restricted areas of the website. Although Magento does a good job of defending against
any such attacks, it is still advisable to use a web application firewall to
ensure that your website remains safe from them.
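Magento's own database layer binds form values as parameters rather than pasting them into SQL, and that difference is the whole reason the attack fails. As an added example (not code from the article or from Magento), the script below shows both styles side by side on an in-memory SQLite table standing in for a customer-review search. All data is constructed; the input ‘O'Brien’ is an ordinary name, and the single quote in it is enough to change the structure of the concatenated statement.

```python
"""Added example (not from the article): string-built SQL versus a bound parameter."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed review table with one nickname that contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE review (id INTEGER PRIMARY KEY, nickname TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO review (nickname, body) VALUES (?, ?)",
        [("O'Brien", "Great kettle"), ("dana", "Arrived late")],
    )
    return conn


def find_reviews_unsafe(conn: sqlite3.Connection, nickname: str) -> List[str]:
    """String concatenation: the field value becomes part of the SQL grammar, so
    whatever the user typed is parsed as SQL, not compared as data."""
    sql = "SELECT body FROM review WHERE nickname = '" + nickname + "'"
    return [row[0] for row in conn.execute(sql)]


def find_reviews_safe(conn: sqlite3.Connection, nickname: str) -> List[str]:
    """Bound parameter: the driver passes the value separately from the
    statement, so it is compared as data and can never alter the query."""
    sql = "SELECT body FROM review WHERE nickname = ?"
    return [row[0] for row in conn.execute(sql, (nickname,))]


def unsafe_query_breaks(conn: sqlite3.Connection, nickname: str) -> bool:
    """True if the concatenated query fails to parse for this input."""
    try:
        find_reviews_unsafe(conn, nickname)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("safe:", find_reviews_safe(db, "O'Brien"))
    print("unsafe breaks on a quote:", unsafe_query_breaks(db, "O'Brien"))
```

The same rule applies to any custom module or theme code you add to the store: if a value from a form ever reaches the database through string concatenation, the web application firewall the article recommends is the only thing between that field and your data.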
There are many more ways to make
your Magento installation even more secure, but I’m sure that if you implement
all the above steps, you’ll have a very robust and secure Magento
site, which will be able to sustain most hacking attempts.
Besides the above-mentioned steps, one obvious way to make your Magento site more secure is by
always keeping your Magento installation updated. The Magento team does an
excellent job of fixing possible security vulnerabilities, so the latest
Magento version is usually better and more secure. You should also keep the
email address associated with your Magento account secure, because anyone who can access that
email address can access your Magento store.
Do mention in the comments your
thoughts and feedback about this article, and don’t forget to share it with
your friends if you like it.