Whilst it is not clear how these exploits are being executed, it is strongly thought that unauthorised access to the admin area was gained.
To protect your admin area from unauthorised access, the following suggestions are a good place to start:
- Use secure usernames and passwords – combining a strong password with a strong (i.e. unusual) username stops brute force attacks from succeeding, because an attacker has to guess both halves of the login.
- Review dormant accounts – don’t leave old admin accounts active. Accounts may have been set up for staff who have left the business, or as third-party access for module developers to assist with work. If they are no longer needed, remove them.
- Review access permissions – when setting up a new user, don’t just give them full administrator access; restrict their permissions to the areas of the admin they actually require. This limits the damage possible if a third party obtains access to that account.
- Rename the admin path – automated scanners will be hunting for the /admin address. Renaming the admin path stops them finding it as easily. Renaming /admin isn’t 100% perfect, as there are other ways to detect the admin location, but it will at least stop a percentage of attempts.
- Lock down access to the admin via IP restriction – if you work out of a fixed location that has a static IP address, you can restrict admin access to that IP address alone.
- Implement 2FA – using a two-factor authentication module in conjunction with the /admin login will further protect your store from unauthorised access. If a username / password combination were compromised by a third party, they would still be unable to access the admin, because this extra layer of authentication is required.
- Ban persistent offenders – automatically ban people who may be trying to log into your admin with a guessed password. (If you’re an iWeb customer, this is already done for you)
- Ensure your Magento installation is fully patched, including third-party modules – in conjunction with the advice above, one of the basic ways to stay safe from malware is to keep your Magento installation fully patched with all core patches and any security-related third-party module patches. You can check the status of your patching via www.magereport.com.
- Sign up for the Magento Security mailing list (www.magento.com/security) – you will then be among the first to know about patches and updates required to keep your Magento installation secure.
- Scan your website for malware using third-party services such as McAfee Secure – these services scan your website for known malware and alert you if any is detected.
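As an added example (not code from the original post or from iWeb), the script below applies three of the points above to web server access logs: it skips a static-office IP allowlist, flags IPs with repeated failed logins against a renamed admin path as ban candidates, and lists IPs still probing the default /admin path. The path /backend-7f3a/, the sample log lines, and the assumption that a failed Magento admin login re-renders the form with HTTP 200 while a successful one redirects with 302 are all constructed or assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic). The path
# /backend-7f3a/ stands for an assumed renamed admin URL, not Magento's default.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:09:00:01 +0000] "POST /backend-7f3a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:03 +0000] "POST /backend-7f3a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:04 +0000] "POST /backend-7f3a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:06 +0000] "POST /backend-7f3a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:07 +0000] "POST /backend-7f3a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2016:09:01:00 +0000] "POST /backend-7f3a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2016:09:01:20 +0000] "POST /backend-7f3a/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2016:09:02:00 +0000] "GET /admin/ HTTP/1.1" 404 200 "-" "python-requests/2.9"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def failed_login_offenders(log_text, admin_path, threshold=5,
                           window=timedelta(minutes=10), allowlist=()):
    """IP -> total failed admin logins, for IPs with >= threshold failures inside one window.
    Assumed: failed login POST answers 200 (form re-rendered), success redirects 302."""
    failures = defaultdict(list)
    for ip, when, method, path, status in parse(log_text):
        if ip in allowlist or method != "POST" or not path.startswith(admin_path):
            continue
        if status == 200:  # form re-rendered: count as a failed attempt
            failures[ip].append(when)
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored on each failure
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

def default_path_probes(log_text, default_path="/admin"):
    """IPs still requesting the default admin path after a rename: typically scanners."""
    return sorted({ip for ip, _, _, path, _ in parse(log_text) if path.startswith(default_path)})
```

The offender list can feed whatever banning mechanism the host provides; the allowlist keeps a legitimate static office address from ever being banned after a few typos.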
If you follow the steps above you will greatly reduce your chances of becoming a victim of malware.