September 24, 2019

Magento tips for security - 7 you just can't ignore

Magento is a hugely popular platform, and with that level of success comes downsides. One of those downsides is that the platform attracts unwanted attention from those with malicious intent. Magento can (and does) store customer information and merchant payment details, so the impact of a breach on your business can be huge. I have therefore put together some tips towards hardening your site's security, drawing on my long-standing experience as a Magento Solution Specialist and Magento partner.

1: Set up the Magento security scanning tool

The Magento Security Scan Tool is a one-line script that can be added to your website, enabling you to receive a regular report of security issues such as malware and unauthorised access attempts. The tool is available in both the Commerce and Open Source versions. There are occasional false positives, but it’s a useful reassurance to have. We’ve written about this tool in more detail here.

2: Set up Roles and Permissions

You’ll need different people to access your site, and the bigger your team is, the more people will need access. Unfortunately, it’s really common for us to see all users given admin privileges. This means that every one of those users can, for example, access and export customer details, and even edit payment details and prices. The list goes on, and it is simply an unnecessary amount of access for everyone on your team to have. We recommend that you restrict access based on who needs it, applying the principle of “least privilege”. It makes sense and is just good IT housekeeping.

3: Had multiple developers or agencies working on your site?

Then you really need to check who is being sent your site information. Magento can send out a number of alerts controlled from the admin panel, including error reports from shopping feeds, failed payment notifications and even BCC copies of sales emails. We often find old developers' or agencies' contact details hidden away in these settings, and we’ve seen cases where customer details were still being sent to those people long after the merchant had left the agency. Be sure to check what is being sent and to whom.

4: Consider 2FA (2 Factor Authentication) and ReCaptcha to avoid spam submission

2FA (2 Factor Authentication) and reCAPTCHA are built into Magento as of 2.3 and are well established ways of restricting admin access and stopping automated form abuse. There are a number of excellent authentication methods, but we often use Google Authenticator, which gives you a code on your mobile to enter into Magento. We’ve written more on the subject here, including solutions for Magento 1.

5: Ensure the admin URL isn’t the default one to avoid brute force attacks

A brute force attack is a trial-and-error method, usually carried out with automated software, to obtain information such as a user password. These kinds of attacks should be picked up by your managed hosting provider, but one of the ways you can better protect yourself and your site is to ensure your admin URL isn’t the stock one provided by Magento. This helps prevent brute force attacks, as attackers won't know where the login form is to target.

6: Configure Magento's Content Security Policy (CSP)

Magento 2.3.5 and Adobe Commerce can help keep your eCommerce website secure with a Content Security Policy (CSP). In report mode, a CSP lets site owners review which URLs and content each webpage loads. Trusted URLs can then be whitelisted, while unwanted links are blocked once the CSP is switched to restrict mode. It's important to work through this with an experienced developer to enable that extra layer of security, preventing harmful content such as malware from loading.

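As an added example (not code from the original post or from Magento itself), the two module files that implement the report-then-restrict approach described above. The module name Vendor_Module and the hosts cdn.example.com and api.example.com are placeholders; switch `report_only` to 0 only after running in report mode long enough to have whitelisted every legitimate source your pages load.

```xml
<!-- File 1: app/code/Vendor/Module/etc/config.xml (hypothetical module)
     Magento ships with report_only = 1: violations are reported but nothing
     is blocked. Setting it to 0 turns on restrict mode for each area. -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <!-- weak (default): <report_only>1</report_only> -->
                    <report_only>0</report_only>
                </storefront>
                <admin>
                    <report_only>0</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>

<!-- File 2: app/code/Vendor/Module/etc/csp_whitelist.xml
     Hosts listed here are added to Magento's default sources for the named
     directive. Anything not whitelisted is blocked once restrict mode is on.
     Whitelist only hosts you have seen in report-mode violations and trust. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <!-- placeholder CDN that serves your own scripts -->
                <value id="example-cdn" type="host">https://cdn.example.com</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <!-- placeholder API endpoint called from the storefront -->
                <value id="example-api" type="host">https://api.example.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Clear the configuration cache after deploying, then confirm in the browser's developer tools that the storefront's Content-Security-Policy header (rather than Content-Security-Policy-Report-Only) is being sent.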

7: Maximise Magento security by making sure it's up to date

Do ensure that your Magento eCommerce site is patched and up to date: you’ll get bug fixes, features and security patches periodically. You can check this by comparing the version shown in the footer of your admin panel against Magento’s releases (1.9.1 onwards). Alternatively, you can install the Magento Security Scan Tool, which will alert you to missing security patches. The releases are provided for a reason and shouldn’t be ignored.

Taking Your Security Seriously

At magic42, we take care of these kinds of security concerns for all our clients as standard. Speak to us for any concerns or to find out how an agency should be proactively helping you manage your Magento site's security.

magic42 is unique in that it evolved from Mobile Fun, an award-winning online retailer with 20 years of experience, 27 international websites and a global distribution network managed from the heart of Birmingham.
Company No. 11572347 VAT No. 310 2436 61
© Copyright 2023 magic42 Limited - All Rights Reserved