Magento is a hugely popular platform, and with that level of success comes downsides. One of those downsides is that the platform attracts unwanted attention from those with malicious intent. Magento typically stores customer information and merchant payment details, so the impact of a breach on your business can be huge. Here are some tips that will help you take positive steps towards hardening your Magento site security. This advice is based on my long-standing experience with Magento as well as being a qualified Magento Solution Specialist.
Set up the Magento security scanning tool
The Magento Security Scan Tool is a one-line script added to your website that enables you to regularly receive a report of security issues such as malware and unauthorised access attempts. The tool is available in both the Commerce and Open Source versions. There are occasional false positives, but it’s a useful reassurance to have. We’ve written on this tool in more detail here.
Set up Roles And Permissions
You’ll need different people to access your site, and the bigger your team is, the more people will need access. Unfortunately, it’s really common for us to see all users given admin privileges. This means, for example, that every one of these users can access and export customer details, and even edit payment details and prices. The list goes on, and it is simply an unnecessary amount of access for everyone on your team to have. We recommend that you restrict access based on who needs it, applying the principle of “least privilege”. It makes sense and is just good IT housekeeping.
Had multiple developers or agencies working on your site?
Then you really need to check who is being sent your site information. There are a number of alerts that can be sent out from Magento, controlled from the admin panel, including error reports from shopping feeds, failed payment notifications and even being bcc’d on sales emails. We often find old developers’ or agencies’ contact details hidden away in these settings, and we’ve seen cases where customer details were still being sent to those people long after the merchant had left the agency. Be sure to check what is being sent and to whom.
Consider 2FA (2 Factor Authentication) and ReCaptcha to avoid spam submission
2FA (2 Factor Authentication) and ReCaptcha are now built into Magento as of 2.3 and are well established ways of restricting access and stopping automated abuse. There are a number of excellent authentication methods, but we often use Google Authenticator, which gives you a code on your mobile to input into Magento. We’ve written more on the subject here, including solutions for Magento 1.
Ensure the admin URL isn’t the default one to avoid brute force attacks
A brute force attack is a trial-and-error method, usually carried out with automated software, to obtain information such as a user password. These kinds of attacks should be picked up by your managed hosting provider, but one of the ways you can better protect yourself and your site is to ensure your admin URL isn’t the stock one provided by Magento. This helps prevent brute force attacks, as attackers won’t know where the login form they need to target is.
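As an added example, not part of the original post, here is a small read-only audit script that checks a Magento 2 app/etc/env.php for the two settings discussed in the last two sections: a stock “admin” backend URL and no enforced 2FA provider. It assumes the env.php layout written by bin/magento setup:config:set --backend-frontname and by bin/magento config:set --lock-env twofactorauth/general/force_providers; the sample env.php contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read-only audit of a Magento 2 env.php for a default admin
# front name and a missing forced 2FA provider. Assumes the env.php layout
# produced by setup:config:set and config:set --lock-env (not a Magento tool).

# Print the value of 'frontName' => '...' found in an env.php file.
backend_frontname() {
    sed -n "s/.*'frontName'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print the locked twofactorauth force_providers value, or nothing if absent.
forced_2fa_providers() {
    sed -n "s/.*'force_providers'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 when both checks pass, 1 otherwise, printing each finding.
audit_env() {
    status=0
    fn=$(backend_frontname "$1")
    if [ -z "$fn" ] || [ "$fn" = "admin" ]; then
        echo "FINDING: backend frontName is the stock 'admin' (or unset)"
        status=1
    fi
    p=$(forced_2fa_providers "$1")
    if [ -z "$p" ]; then
        echo "FINDING: no 2FA provider is forced via env.php"
        status=1
    fi
    return $status
}

# Constructed sample env.php files: one weak, one hardened.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
<?php
return [
    'backend' => ['frontName' => 'admin'],
];
EOF
cat > "$HARD" <<'EOF'
<?php
return [
    'backend' => ['frontName' => 'x7k2-control'],
    'system' => ['default' => ['twofactorauth' => ['general' => [
        'force_providers' => 'google'
    ]]]],
];
EOF
audit_env "$HARD" && echo "hardened sample: no findings"
audit_env "$WEAK" || echo "weak sample: see findings above"
```

Run it against a real site by replacing the sample paths with app/etc/env.php; settings stored only in the database rather than locked into env.php will not be seen by this check.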
Ensure Magento Is patched and up to date
Do ensure that your Magento eCommerce site is up to date – you’ll get bug fixes, features and security patches periodically. You can check this by comparing the version shown in the footer of your admin panel against Magento’s releases (1.9.1 onwards). Alternatively, you can install the Magento Security Scan Tool – this will alert you to missing security patches. Magento’s releases are provided for a reason and shouldn’t be ignored.
Taking Your Security Seriously
At magic42, we take care of these kinds of security concerns for all our clients as standard. Speak to us for any concerns or to find out how an agency should be proactively helping you manage your Magento site’s security.