Being one of the world's leading eCommerce platforms makes Magento an attractive target for hackers looking to disrupt your operations, leak financial data and expose your customer information. As security breaches remain a constant threat, it's important for Magento users to understand how to protect their websites effectively. Follow these 6 Magento security tips to keep your eCommerce business safe.
Keeping up to date is one of the key factors in protecting your business online. Magento continuously improves its security processes to help protect your eCommerce site. As new threats emerge, the software is enhanced to guard you against them. If you aren't running their latest release, unfortunately, you compromise your own safety.
Magento periodically publishes patches for general maintenance and bug fixes, along with fixes for newly discovered security issues. It's important that you apply these patches to keep your site secure.
With every new patch, Magento releases accompanying notes that publicly describe the fixes that have been made. Although this gives you a good understanding of the changes, it also points hackers all over the web straight at the problem areas. Essentially, they get a first-class ticket to exploit your outdated website. In effect, you would be pretty daft to risk not updating to the latest version of Magento.
If you do the above, amazing: we love that you're proactively taking preventive security measures, but you shouldn't stop there. Although incorporating the latest updates into your website helps you stay safe online, backups are necessary too.
If for any reason your website is hacked, regardless of how secure you thought it was with Magento, an off-site or downloadable backup can ensure the continuity of your eCommerce services. The same applies when your website crashes.
Off-site backups help prevent data loss by storing your web files elsewhere, which should mean minimal, or zero, data loss. So, if your Magento security is breached you have an additional layer of safety to keep your business stable.
Don't let your passwords become part of someone's guessing game. Learn how to create a proper password that doesn't let anyone with malicious intent get the better of you.
A password that combines lower-case and upper-case letters, numbers and special characters is going to be pretty strong and hard for hackers to figure out.
Make your password completely random. We strongly advise that it contains no information relevant to you, such as pet names, favourite places or special dates. All of these are a blessing to those wanting to break into your account.
Be unique, with each and every password you create. Having the exact same password (or even slight variations of it) for multiple logins can have critical consequences. Although you may think it's a great way to remember them all, using identical passwords in lots of places on the web means the chance of one being discovered is extremely high.
What's worse, because the hacker now has access to one of your accounts – yeah, you guessed it – they effectively have access to all of your accounts. It's an online nightmare!
Making regular changes to your login details can be rather boring. But, to keep password predators at bay, these frequent changes can up the ante on your eCommerce store security.
Even if hackers were able to win the guessing game this time, with regular changes the old password will soon stop working and lock out any infiltrators.
It may seem a great pain to retype your login details each time you need to access an account. But the threat hackers pose to your business could, for some, wipe out your brand credibility and leave you in a far worse state.
With a whole range of malware roaming the internet, it's possible that one or more of them could infect your computer. Your stored passwords can then be easily found, making them susceptible to prying eyes that are ready to abuse them. To keep your eCommerce store safe, it's best to spend those few moments retyping rather than take risks.
> Check out this Password Guide for more advice.
Particularly in big organisations, completing all of the steps above doesn't fully deter hackers. Many companies have a huge problem with password thieves, hence the creation of two-factor authentication.
So, what is it? Two-factor authentication is an extra layer of security that requires not only a username and password to log in, but also something that only that user has to hand before access is granted. In many cases this is a one-time piece of information such as a number sequence or letter combination.
Magento have two-factor authentication extensions available for download in their marketplace and as smartphone apps.
Rublon is an excellent two-factor authentication extension that adds an extra layer of protection. It only allows trusted devices to access the Magento backend, verified through a smartphone app. The app is available for all popular mobile platforms.
Another useful extension is the two-factor authentication module by Magento Hackathon. It allows you to implement stronger authentication mechanisms, including limiting login attempts.
“This ensures that critical resources in the admin have an extra protection layer that cannot be accessed by third parties without a one-time security code. This includes cases when someone's laptop is stolen or accessed by third parties.” – GitHub
Unencrypted connections bring huge risks to a business, particularly when they are used to send data such as login details. Interception is easy, giving attackers a sneak preview of your credentials. It's important that you eliminate this risk by using a secure connection, in the form of an SSL-encrypted HTTPS URL.
With Magento, enabling a secure HTTPS/SSL URL is pretty simple. The “Use Secure URLs” options in the system configuration menu show you whether your connection is secure or not.
Having a secure site is important for ensuring your eCommerce store complies with the PCI data security standard and helps protect all online transactions. If you'd like to swot up, here's a post we wrote recently about making the switch from HTTP to HTTPS.
To configure Magento to work with your SSL certificate, first log in to your admin area. Then navigate to System > Configuration.
Next, click on the Web link found under the General tab in your left menu.
On this Web page you will have a range of options that you can configure. You should focus only on the Secure tab. This tab gives you the option to configure Use Secure URLs in Frontend and Use Secure URLs in Admin.
Setting these options makes your Magento application work with SSL for the stated parts of your site. And that's it! Your Magento store is now set to work with SSL.
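The same change can be made from the command line, which is handy when you manage several stores or want to script the check. The script below is an added example, not code from the original post or from Magento; it assumes a Magento 1.x installation (the version whose admin layout the steps above describe), that it is run from the Magento root directory, and that https://www.example.com/ is a placeholder for your own HTTPS hostname.

```php
<?php
// Added example (not from the original post or from Magento): sets the
// "Use Secure URLs" options described in the admin steps above, using the
// Magento 1.x configuration API. Assumes Magento 1.x, run from the store's
// root directory; https://www.example.com/ is a placeholder hostname.
require_once 'app/Mage.php';
Mage::app('admin');

$config = Mage::getConfig();

// The secure base URL must use the hostname your SSL certificate covers,
// otherwise secure pages will trigger certificate warnings in browsers.
$config->saveConfig('web/secure/base_url', 'https://www.example.com/');

// These two flags are "Use Secure URLs in Frontend" and "Use Secure URLs in
// Admin" on the System > Configuration > Web > Secure tab.
$config->saveConfig('web/secure/use_in_frontend', 1);
$config->saveConfig('web/secure/use_in_adminhtml', 1);

// Configuration is cached: flush it and reload so the change takes effect
// immediately, both for this script and for the live store.
Mage::app()->cleanCache();
$config->reinit();

// Re-read the values to confirm the store now serves secure URLs.
$frontend = Mage::getStoreConfigFlag('web/secure/use_in_frontend');
$admin    = Mage::getStoreConfigFlag('web/secure/use_in_adminhtml');
$secure   = Mage::getBaseUrl(Mage_Core_Model_Store::URL_TYPE_WEB, true);

printf("Secure frontend: %s\nSecure admin:    %s\nSecure base URL: %s\n",
    $frontend ? 'yes' : 'no', $admin ? 'yes' : 'no', $secure);
```

Run it once with `php` from the store root and check the three printed lines; if the secure base URL still shows `http://`, the certificate's hostname has not been set and the secure flags alone will not protect the login form.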
In simple terms, SQL injection is a technique in which hackers submit crafted database commands through a site's inputs so that the backend executes them as part of its own queries. This lets hackers access a site and its sensitive data, and then tamper with or destroy it.
SQL injection attempts are common attacks against many eCommerce stores. So, while Magento does take steps to prevent SQL injection, we advise that you better protect your business by implementing a web application firewall to defend your site against such attacks.
Obviously, the most important benefit of a firewall is that it blocks SQL injection attempts. Whether you are a computer whizz or not, the key point is that your website may be prone to getting hacked and the added protection of a firewall helps to prevent this.
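A firewall is the outer layer; the inner layer is writing database queries so that user input can never become part of the SQL text. The script below is an added example, not code from the original post or from Magento, that shows the difference on a constructed in-memory SQLite table: the vulnerable function pastes input into the query, the hardened one binds it as a parameter. It assumes PHP with the pdo_sqlite extension; the `customer` table and its columns are made up for the example.

```php
<?php
// Added example (not from the original post or from Magento): why string
// concatenation lets an injected value change a query, and how a prepared
// statement with bound parameters prevents it. Uses an in-memory SQLite
// database with a constructed "customer" table so it runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (email TEXT, password_hash TEXT)');
$db->exec("INSERT INTO customer VALUES ('alice@example.com', 'hash-a'),
                                       ('bob@example.com',   'hash-b')");

// Vulnerable: the user-supplied value is pasted straight into the SQL text,
// so a quote character in the input ends the string literal and whatever
// follows is parsed as SQL.
function findCustomerUnsafe(PDO $db, string $email): array
{
    $sql = "SELECT email FROM customer WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the query text is fixed and the value travels separately as a
// bound parameter, so the input is only ever compared as a literal string.
// Magento's own database layer (Zend_Db) supports the same "?" placeholders.
function findCustomerSafe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT email FROM customer WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal   = 'alice@example.com';
$injected = "' OR '1'='1";   // textbook test string: makes the WHERE clause always true

printf("unsafe, normal input:   %d row(s)\n", count(findCustomerUnsafe($db, $normal)));
printf("unsafe, injected input: %d row(s)\n", count(findCustomerUnsafe($db, $injected)));
printf("safe, normal input:     %d row(s)\n", count(findCustomerSafe($db, $normal)));
printf("safe, injected input:   %d row(s)\n", count(findCustomerSafe($db, $injected)));
```

With the injected input the unsafe function returns every customer row, because the query it builds is `SELECT email FROM customer WHERE email = '' OR '1'='1'`; the safe function returns nothing, because no customer has that literal string as an e-mail address. This is the check to run against any custom module or extension that builds its own queries.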
Changing your admin panel URL can be a key factor in protecting your website. Once hackers can reach your Magento admin page, brute-force attacks to figure out your login details become a lot (lot, lot, lot) easier, even if you did follow our tips for a secure password.
By default, the standard URL of your store’s admin panel on Magento is yourdomain.com/admin. For those who shouldn’t be able to access it, finding it is as simple as one single search.
In the interest of safety, preventing them from getting that far in the first place is vital. So, what should you do next?
We advise that you change the /admin part of your website's URL to a unique term to make finding your panel a lot harder. For those who require assistance, Magento have created a simple guide. Creating a custom path to your store's admin URL has never been easier!
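In Magento 1.x the admin path is the `frontName` value under `admin/routers/adminhtml/args` in `app/etc/local.xml`, so a quick way to confirm the change took is to read that file back. The script below is an added example, not code from the original post or from Magento; it checks a constructed sample of that file and flags the default `admin` path, and assumes Magento 1.x and PHP's SimpleXML extension.

```php
<?php
// Added example (not from the original post or from Magento): reads the admin
// path from a Magento 1.x app/etc/local.xml and reports whether it is still
// the default "admin". Assumes Magento 1.x, where the value lives at
// config/admin/routers/adminhtml/args/frontName. The XML below is a
// constructed sample, not a real store's file.

function adminFrontNameFromXml(string $xml): string
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        throw new RuntimeException('local.xml could not be parsed');
    }
    $nodes = $doc->xpath('/config/admin/routers/adminhtml/args/frontName');
    // Magento falls back to "admin" when the node is absent or empty.
    $name = $nodes ? trim((string) $nodes[0]) : '';
    return $name === '' ? 'admin' : $name;
}

function auditAdminPath(string $xml): string
{
    $frontName = adminFrontNameFromXml($xml);
    if ($frontName === 'admin') {
        return 'WARNING: admin panel is at the default /admin path; change frontName to a unique term';
    }
    return "OK: admin panel is at /$frontName";
}

// Constructed sample of the relevant part of local.xml.
$sample = <<<XML
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
XML;

echo auditAdminPath($sample), "\n";
// For a real store, run from the Magento root:
// echo auditAdminPath(file_get_contents('app/etc/local.xml')), "\n";
```

After editing `local.xml`, flush the Magento cache, log in at the new path, and then run the check above against the real file; it should print the OK line with your custom term, and the old `/admin` URL should return a 404.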
Follow these six tips to help secure your Magento store and you’ll sleep much easier at night!
If you have any concerns about the security of your website, drop us a line and we’d be happy to help. Always better to be safe than sorry!