“For e-commerce, the most important thing is trust.” – Jack Ma
While this seems like a very simple statement from Jack Ma, the statement conveys the ultimate truth of the e-commerce world. Everything in e-commerce, from UI design, product information, promotions, to ratings and reviews is to build that trust with your customers.
Your customers extend a leap of faith in your brand when they purchase online. And, the fastest way to break that trust or have your customers lose confidence in your brand is by compromising on the security of your site. According to Statista, 17% customers abandon cart because they were concerned about the security of the e-commerce store.
Magento e-commerce stores are no different. Magento, over the last few months, has had its challenges with a number of security vulnerabilities identified. Magento was quick to address these vulnerabilities. However, merchants do not have to always rely on Magento or their security partner to secure their e-commerce store. Merchants can do (or adopt) a number of things to improve the security of their Magento e-commerce store; which is what we will discuss at length in this blog.
But, before we get there, let us begin by understanding how hackers (who are always ready to take advantage of these security loopholes) function:
- Step 1 – Single out a specific vulnerability in the e-commerce store (Magento in this case)
- Step 2 – Identify an e-commerce store with this vulnerability
- Step 3 – Exploit the loophole to their advantage
- Step 4 – Leverage the newly infected store/ system to infect other systems/ users
- Repeat step 3 and 4
Magento Related Guidelines
1) Regularly Apply Patches, and if required Upgrade Magento
The first and most basic rule, regularly apply patches and if required even consider upgrading your Magento. Remember, patches and upgrades are the two most important reasons why businesses often pay an ongoing license fee of any product.
Not applying patches is an invitation to hackers to exploit these vulnerabilities and can put your e-commerce at risk to threats like credit card hijack, ransomware, SQL injection, spamming, and others.
2) Use Modules/Extensions from Authentic Sources and keep them Updated
One of the biggest advantages of Magento is the availability of a wide variety of extensions. Merchants use a number of modules (free and paid) to extend the functionality of Magento to effectively run their e-commerce operations. Now, these extensions can very easily be made available from Magento Connect with just a few clicks by anybody.
It is very difficult to measure or assess if these extensions are properly tested for security vulnerabilities or know for sure if the developer will be around to fix them when the vulnerability is found. Magento has tried to address this partially by mandating quality checks (including code review) of the extension before it is approved for listing in the Magento 2 marketplace. However, merchants should check reviews and developer profile before installing an extension.
3) Lockdown your Magento Connect Manager
Magento’s Connect Manager is a great way to quickly install programs, but it is also a security risk as it is a well-known entry point for brute force attacks. We recommend you change the /downloader/ path (the default path) to make it harder for hackers to compromise your e-commerce store. As an added security measure, you can even restrict the new path by IP address.
4) Secure Deployment Configuration Files in Magento
Env.php file in Magento 2, (local.xml in Magento 1.x) holds critical information like database username, password, and table prefixes. Such codes can be easily altered resulting in unnecessary downtime. This can be easily avoided by restricting the file permissions to 600.
For enhanced security, you should restrict the file permissions of other similar files that contain sensitive information. You do not have to limit this to the configuration files, you can extend this to other files (with 644 permission) and folders (with 755 permission); with the exception of media files which should remain at 775.
Note – This process can get a little tricky depending on your Magento version and hosting environment.
5) Disable any Unnecessary or Potentially Dangerous PHP Functions
To avoid exploitation of the PHP functions that can be dangerous, ensure that you add the following rule to your php.ini file.
Disable functions = proc_open, phpinfo, show_source, system, shell_exec, passthru, exec, open
6) Change Passwords Before and After you Seek Any External Assistance
If you seek assistance from external resources that requires you to share login credentials (with limited or full access) with them, then it is always advisable to change your passwords both before and after you engage them. While you may trust them, it is best to err on the side of caution. Remember, there is no guarantee that the companies you work with necessarily have a security policy and mechanism in place to safeguard your information (in this case the credentials).
7) Schedule a Recurring Security Review
While Magento (including partners and independent developers) has over 70,000 developers worldwide, a handful actually understand the intricacies of Magento site security system. And with ongoing development happening on your e-commerce store, it is highly recommended that you schedule a recurring (the frequency of which can be decided based on the complexity of your business and e-commerce store) security review of the Magento e-commerce store.
Server/Infrastructure Related Guidelines
8) Use Encrypted Connection (SSL/HTTPS)
The main function of SSL is to encrypt all communications between browsers/servers; thus ensuring that the data flows through a secure (HTTPS) connection. Data sent over unencrypted connections are vulnerable to interception by third parties. This is very critical for an e-commerce store where sensitive information like customer details and payment information like credit card details are communicated between systems.
You can purchase an SSL certificate from any verified Certificate Authority and install it through SiteWorx. Once you have the SSL certificate, configure your Magento e-commerce store to us this on certain pages, forcing the pages to be loaded over HTTPS. This helps you protect your online transactions on the site’s server – a necessity for e-commerce stores to be PCI Compliant.
9) Use a Secure FTP
SFTP or SSH File Transfer Protocol/Secure File Transfer Protocol is a separate protocol which when bundled with SSH enables you to leverage a secure connection to transfer and traverse the file system on both local and remote systems. The SSH File Transfer Protocol also enables secure file transfer capabilities between networked hosts.
This is very important as far as Magento is concerned. With e-commerce development outsourced, most partners often deploy Magento files to the hosting server via FTP.
10) Limit Unsecured FTP Access
Beyond using a secure FTP channel, it is best to limit access to a narrower set of directories, such as the “images” folder. This can help you prevent the execution of unwanted scripts in these directories that can change files/directories on the server that should not be accessible through that specific FTP account. This can be done using .htaccess and httpd.conf files.
11) Avoid using Default Admin URL, Username and Password
One of the most basic and commonly exploited vulnerabilities across web – using default admin URL and credentials. Businesses often in a hurry to go live, or because of lack of understanding of the security implications, use the default admin URL, username, and password. While common for WordPress websites, this is true for Magento e-commerce customers as well. Always avoid using the default (or commonly used) values for admin URL, and login credentials.
You are better placed choosing a complex (and uncommon) username and password that is difficult to crack.
12) Restrict Admin Login from External IP Addresses
To further secure your Magento e-commerce store, you can limit admin login to a selected few IP addresses (or restrict admin login from external IP addresses). When you work with agencies/ partners outside your organization you can add their IP to the exception list, get the work done, and then remove them after the work is completed.
13) Prevent MSSQL Injection
Although Magento provides great support, by default, against MySQL injection attacks with its newer versions and patches, it is recommended that you add web application firewalls such as NAXSI in order to keep your site secure and your customers safe.
14) Work with a Regular Back-up Plan
This might not help you secure your Magento e-commerce store but can be a big savior when your store is compromised (and in other situations like server crash, database crash, etc.). Frequent site backups can help you get up and running quickly without losing much time and money.
Other General Guidelines
15) Use the Right Hosting Type and a Reliable Hosting Provider
Shared hosting services can help you cut down costs. But, shared hosting is a lot more susceptible to online attacks. From a security standpoint, Virtual Private Server (VPS) hosting and dedicated hosting work better for an e-commerce store. While they are more expensive than shared hosting, they also improve the performance of your e-commerce store.
It does not end with that. Work with a reliable hosting provider (like Nexcess) who not only provides you the right infrastructure but also proactively takes care of the security and provides excellent support.
16) Backup and Review Logs Regularly
Similar to database and application backup, log backups might not help you secure your Magento e-commerce store but will help you identify the source of the issue and its impact. Reviewing logs regularly can help you identify potential anomalies and even evade a potential attack.
Remember, never store the log backups (or application and database backups) on the same server as your e-commerce store. This is to avoid losing them when the server’s security is compromised.
17) Never Save Credentials on Your Computer
Viruses like trojan, spyware, malware, adware, etc. are designed to steal information from the infected system. The information can then be used to gain access to other systems. Hence you must avoid saving your login credentials (for FTP, Magento admin, etc.) on your computer. If required, use a good password protection tool to save passwords.
18) Use the Best Antivirus on Your System
You have selected the best hosting provider and you assume that your e-commerce server is secure. You are right and wrong. Right for obvious reasons and wrong because your e-commerce server can also be compromised through your system (the system you use to access Magento admin). Because viruses can steal information from your system, you must use a good and licensed antivirus software on your system also.
19) Disable Directory Indexing
Disabling directory indexing helps you to hide the common pathways where your files are stored, thus preventing cyber crooks from accessing your Magento e-commerce store’s core files. Moreover, to prevent a hacker from viewing all files located in a folder on your server add this to your .htaccess file:
Remember to hit the return key to ensure that the file ends with a blank line.
Security in the virtual world is a very serious concern. While Magento is a very robust platform, with a very active community working to identify and fix any security threats, it certainly does not hurt to be careful and put some best practices in place. This will give your customers the confidence to buy from you.
As Zig Ziglar once said, If people like you, they’ll listen to you. But if the trust you, they’ll do business with you.