Being one of the world’s leading eCommerce platforms makes Magento an attractive prospect to hackers looking to disrupt your operations, leak financial data and expose your customer information. As security breaches remain a constant threat, it’s important for Magento users to understand how to effectively protect their websites. Follow these 6 Magento security tips to keep your eCommerce business safe.

#1 Stay Ahead of Hackers

Keeping up to date is one of the key factors in protecting your business online. Magento is continuously improving its security processes to help protect your eCommerce site. As new threats emerge, the software is enhanced to guard you against these attackers. If you aren’t on board with the latest version, unfortunately, you compromise your own safety.

Update To The Latest Version

Magento periodically publishes patches for general maintenance and bug fixes, along with fixes for newly discovered security issues. It’s important that you apply these patches promptly to keep your site secure.

With every patch, Magento releases accompanying notes that publicly point out the fixes that have been made. Although this gives you a great understanding of the changes, it also highlights the problem areas to hackers all over the web. Essentially, they get a first-class ticket to exploit your outdated website. In short, you would be pretty daft to risk not updating to the latest version of Magento.

Backup Your Website Frequently

If you do the above, amazing: we love that you’re proactively taking preventive security measures, but you shouldn’t stop there. Although incorporating the latest updates to your website helps you stay safe online, backups are necessary too.

If for any reason your website is hacked, regardless of how secure you thought it was with Magento, an off-site or downloadable backup can ensure the continuity of your eCommerce services. The same applies when your website crashes.

Off-site backups help prevent data loss by storing your web files elsewhere, which should mean minimal, or zero, data loss. So, if your Magento security is breached, you have an additional layer of safety to keep your business stable.

#2 Be Clever With Your Passwords

Don’t let your passwords be part of someone’s guessing game. Learn how to create a proper password that doesn’t let anyone with malicious intent get the better of you.

Make Your Password Complex

A password that combines lower-case and upper-case letters, numbers and special characters is going to be pretty strong and hard for hackers to figure out.

Make your password completely random. We strongly advise that it contains no information relevant to yourself, such as pet names, favourite places or special dates. All of these are a blessing to those wanting to break into your account.

Be Unique With Every Password

Be unique with each and every password you create. Using the exact same password (or even slightly different variations of it) for multiple logins can have critical consequences. Although you may think it’s a great way to remember them all, using identical passwords in lots of places on the web means the chance of one being discovered is extremely high.

What’s worse, because the hacker now has access to one of your accounts – yeah, you guessed it – they actually have access to all of your accounts. It’s an online nightmare!

Make Periodic Changes to Passwords

Making regular changes to your login details can be rather boring. But to keep password predators at bay, these frequent adjustments can up the ante on your eCommerce store security.

Even if hackers were able to win the guessing game this time, with consistent changes, the old password will soon enough lock out any infiltrators.

Say “Never” To Saving Passwords On Your Computer

It may seem a great pain to retype your login details each time you need to access an account. But the threat hackers pose to your business could, for some, wipe out your brand credibility and leave you in a far worse state.

With a whole range of malware roaming the internet, it’s possible that one or more of them could infect your computer. Your stored passwords can then be easily found, making them susceptible to prying eyes ready to abuse them. To keep your eCommerce store safe, it’s better to spend those few moments retyping than to take the risk.

> Check out this Password Guide for more advice.
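The advice above (mix character classes, make it random, keep it free of personal details, and don’t reuse a password or a slight variation of one) can be turned into a small checker. The following is an added example, not code from the original article or from Magento: it draws passwords from the operating system’s CSPRNG via Python’s `secrets` module, and uses an edit-distance check to reject a “new” password that is only a couple of characters away from an old one. The sample facts and passwords are constructed for illustration.

```python
import secrets
import string

# The four character classes the article recommends combining.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL


def has_all_classes(pw: str) -> bool:
    """True when the password contains at least one character from every class."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SPECIAL for c in pw))


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), retried until every class is present.

    secrets.choice is unbiased, unlike random.choice, which is seeded predictably."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b (classic DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_near_variant(new_pw: str, old_pw: str, max_edits: int = 3) -> bool:
    """Reject a new password that is only a small alteration of an old one
    (e.g. bumping a year); the comparison is case-insensitive."""
    return levenshtein(new_pw.lower(), old_pw.lower()) <= max_edits


def contains_personal_info(pw: str, facts) -> bool:
    """Flag a password that embeds a pet name, place, date or similar known fact."""
    low = pw.lower()
    return any(f.lower() in low for f in facts if len(f) >= 3)


if __name__ == "__main__":
    # Constructed sample: facts an attacker could learn from a public profile.
    known_facts = ["Rex", "Paris", "2012"]
    print("generated:", generate_password())
    print("near variant:", is_near_variant("Summer2020!", "Summer2019!"))   # True
    print("personal info:", contains_personal_info("Rex2012!x", known_facts))  # True
```

The edit-distance check is what catches the “slightly different alterations” the article warns about; a plain equality test would pass them.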

#3 Two-Factor Authentication

Particularly with big organisations, completing all of the steps above doesn’t quite deter hackers fully. Many companies have a huge problem with password thieves, hence the creation of two-factor authentication.

So, what is it? Two-Factor Authentication is an extra layer of security that requires not only a password and username to log in but also something that only that user has to hand to grant them access. For example, in many cases this is a piece of information such as a number sequence or letter combination.

Magento have two-factor authentication extensions available for download in their marketplace and as smartphone apps.

Example 1: Rublon

Rublon is an excellent two-factor authentication extension which provides an extra layer of protection. It only allows trusted devices to access the Magento backend, by using a smartphone app. The app is available for all popular mobile OS platforms.

Example 2: Magento Hackathon

Another useful extension is the two-factor authentication by Magento Hackathon. The extension allows you to implement complex authentication mechanisms which include limiting login attempts.

“This ensures that critical resources in the admin have an extra protection layer that cannot be accessed by third parties without a one-time security code. It includes cases when someone’s laptop is stolen or accessed by third parties.” – GitHub

#4 Use Encrypted SSL or HTTPS Protection

Unencrypted connections bring huge risks to a business, particularly when they are used to send data such as login details. Interceptions can easily be made, giving assailants a sneak preview of your credentials. It’s important that you eliminate this risk by using a secure connection, in the form of an encrypted SSL or HTTPS URL.

With Magento, getting a secure HTTPS/SSL URL is pretty simple. By looking at the “Use Secure URLs” options in the system configuration menu, you are able to see whether your connection is set to be secure or not.

Having a secure site is important for ensuring your eCommerce store complies with the PCI data standard and helps protect all online transactions. If you’d like to swot up, here’s a guide we wrote recently about making the switch from HTTP to HTTPS.

How To Configure Magento With SSL

To configure Magento to work with your SSL certificate, firstly you must log in to your admin area. Then navigate to System > Configuration.


Next, click on the Web link that’s found under the General tab in your left menu.


On this Web page, you will have a range of options that you can configure. You should focus only on the Secure tab. This tab will give you the choice to configure your settings to Use Secure URLs in Frontend and Use Secure URLs in Admin.


By setting these options it will make your Magento application work with SSL for the stated parts of your site. And that’s it! Your Magento store will now be set to work with SSL.

#5 Prevent SQL Injection With a Firewall

In simple terms, SQL injection is a technique in which hackers supply crafted input that gets executed as part of a database query, changing what the backend of the site does. This lets them read the site’s sensitive data and then tamper with or destroy it.

SQL injection attempts are common attacks made against many eCommerce stores. So, while Magento does take steps to prevent SQL injection, it is advised to better protect your business by implementing a firewall application to defend your site against such attacks.

Key Benefits of a Firewall

  • Detects SQL statements that do not match the approved ones and alerts administrators
  • Monitors out-of-policy SQL statements in real time
  • Blocks SQL injection attempts before they complete
  • Logs SQL activity for the tracking and analysis of incoming threats
  • Lets you select statements for approval to minimise false positives
  • Builds whitelists of SQL statements on a per-user basis for user-level flexibility
  • Instance-based firewalls are easy to use, as they do not require additional products for configuration or administration

Obviously, the most important benefit of a firewall is that it blocks SQL injection attacks. Whether you are a computer whizz or not, the key point is that your website may be prone to getting hacked, and the added protection of a firewall helps to prevent this.
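To make the two halves of this section concrete (what injection actually is, and what a statement-whitelisting firewall does about it), here is an added example that is not part of the original article and is not Magento code or any vendor’s firewall. It uses SQLite as a stand-in for the store database: a query built by string concatenation sits beside its parameterised form, and a small firewall class learns the approved statement “shapes” per application user, blocks anything else, and keeps an audit log, mirroring the benefit list above. The table, rows and user name are constructed.

```python
import logging
import re
import sqlite3

log = logging.getLogger("sqlfw")


# --- Vulnerable vs. hardened query construction -----------------------------
def find_customer_vulnerable(conn, email: str):
    # DON'T: the input is pasted into the SQL text, so it can change the query itself.
    sql = f"SELECT id, email FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, email: str):
    # DO: the value travels separately as a parameter; it can never alter the query's shape.
    return conn.execute("SELECT id, email FROM customer WHERE email = ?", (email,)).fetchall()


# --- Statement-whitelisting firewall ---------------------------------------
# String literals ('...', with '' escapes) and bare numbers are replaced by '?'.
_LITERALS = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', whitespace and case are normalised.
    A legitimately parameterised query and its approved template fingerprint identically."""
    return " ".join(_LITERALS.sub("?", sql).split()).lower()


class StatementFirewall:
    def __init__(self):
        self.allowed = {}   # app user -> set of approved fingerprints (per-user whitelist)
        self.blocked = []   # audit log of (user, fingerprint, raw sql)

    def approve(self, user: str, sql: str) -> None:
        """Learning phase: record a statement shape as in-policy for this user."""
        self.allowed.setdefault(user, set()).add(fingerprint(sql))

    def execute(self, conn, user: str, sql: str, params=()):
        """Run the statement only if its shape is whitelisted; otherwise block, log and alert."""
        fp = fingerprint(sql)
        if fp not in self.allowed.get(user, set()):
            self.blocked.append((user, fp, sql))
            log.warning("blocked out-of-policy SQL for %s: %s", user, fp)
            raise PermissionError(f"statement not approved for {user}: {fp}")
        return conn.execute(sql, params).fetchall()


def demo():
    """Constructed scenario; returns (rows leaked by the vulnerable query,
    rows returned by the safe query, whether the firewall blocked, audit-log size, rows via firewall)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO customer (email) VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",)])

    fw = StatementFirewall()
    fw.approve("storefront", "SELECT id, email FROM customer WHERE email = 'x'")

    hostile = "' OR '1'='1"          # classic tautology: turns the WHERE clause always-true
    leaked = len(find_customer_vulnerable(conn, hostile))   # whole table comes back
    safe = len(find_customer_safe(conn, hostile))           # no customer has that literal email

    try:
        fw.execute(conn, "storefront", f"SELECT id, email FROM customer WHERE email = '{hostile}'")
        fw_blocked = False
    except PermissionError:
        fw_blocked = True

    via_fw = fw.execute(conn, "storefront",
                        "SELECT id, email FROM customer WHERE email = ?", ("alice@example.com",))
    return leaked, safe, fw_blocked, len(fw.blocked), len(via_fw)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

The tautology input makes the concatenated query return every customer, while the parameterised query returns none and the firewall refuses the injected statement because its shape (`... email = ? or ?=?`) was never approved. Parameterised queries remain the primary fix; the firewall is the extra layer the article recommends.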

#6 Change Admin Panel URL

Changing your admin panel URL can be a key factor in protecting your website. Once hackers can reach your Magento admin login page, making brute force attacks to figure out your login details is a lot (lot, lot, lot) easier, even if you did follow our tips for a secure password.

How Does This Affect Magento Security?

By default, the standard URL of your store’s admin panel on Magento is yourdomain.com/admin. For those who shouldn’t be able to access it, finding it is as simple as one single search.

In the interest of safety, preventing them from getting that far in the first place is vital. So, what should you do next?

Setting Up A Custom Path

We advise that you change the /admin in your website’s URL to a unique term to make finding your panel a lot harder. For those who require assistance, Magento have created a simple guide. Creating a custom path to your store’s admin URL has never been easier!
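Renaming the path does not stop the brute-force attempts the section describes, it just hides the door; you still want to see them in your web-server logs. The block below is an added example, not from the original article or Magento, that runs over a few constructed lines in the common “combined” access-log format: it flags any IP that POSTs to the admin login more than a set number of times inside a sliding window, and separately lists IPs still probing the retired default /admin path. Assumptions: the admin front name has been changed to the constructed value `backoffice-k7x2`, the login form POSTs to that path, and a 302 after a POST is treated as a successful login redirect rather than a failed attempt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: the store's admin front name was changed from "admin" to this constructed value.
ADMIN_PATH = "/backoffice-k7x2/"

# Constructed sample log lines (not real traffic): one IP hammering the login,
# one legitimate admin, one scanner still looking for the default path.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:00:01 +0000] "POST /backoffice-k7x2/ HTTP/1.1" 200 5120 "-" "python-requests/2.21"
203.0.113.7 - - [12/Mar/2019:10:00:03 +0000] "POST /backoffice-k7x2/ HTTP/1.1" 200 5120 "-" "python-requests/2.21"
203.0.113.7 - - [12/Mar/2019:10:00:05 +0000] "POST /backoffice-k7x2/ HTTP/1.1" 200 5120 "-" "python-requests/2.21"
203.0.113.7 - - [12/Mar/2019:10:00:07 +0000] "POST /backoffice-k7x2/ HTTP/1.1" 200 5120 "-" "python-requests/2.21"
203.0.113.7 - - [12/Mar/2019:10:00:09 +0000] "POST /backoffice-k7x2/ HTTP/1.1" 200 5120 "-" "python-requests/2.21"
203.0.113.7 - - [12/Mar/2019:10:00:11 +0000] "POST /backoffice-k7x2/ HTTP/1.1" 200 5120 "-" "python-requests/2.21"
198.51.100.4 - - [12/Mar/2019:10:00:10 +0000] "POST /backoffice-k7x2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2019:10:00:12 +0000] "GET /backoffice-k7x2/dashboard/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2019:10:03:00 +0000] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2019:10:03:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_log(lines):
    """Yield dicts for lines that match the format; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield entry


def detect_bruteforce(lines, admin_path=ADMIN_PATH, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for IPs with >= threshold failed login POSTs
    to the admin path inside any sliding window of window_seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    flagged = {}
    for e in parse_log(lines):
        if e["method"] != "POST" or not e["path"].startswith(admin_path):
            continue
        if e["status"] == "302":
            continue   # assumption: redirect after POST = successful login, not a failure
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()   # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def default_path_probes(lines, retired_path="/admin"):
    """IPs requesting the retired default admin path: after the rename, nobody legitimate does."""
    return {e["ip"] for e in parse_log(lines)
            if e["path"] == retired_path or e["path"].startswith(retired_path + "/")}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", detect_bruteforce(lines))      # {'203.0.113.7': 6}
    print("probing /admin:", default_path_probes(lines))  # {'192.0.2.9'}
```

The legitimate admin (one POST answered with a 302, then a dashboard GET) is not flagged, the scripted client is, and the scanner asking for /admin shows up as a separate signal worth feeding to your firewall or alerting.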

Follow these six tips to help secure your Magento store and you’ll sleep much easier at night!

If you have any concerns about the security of your website, drop us a line and we’d be happy to help. Always better to be safe than sorry!