Keeping your Magento eCommerce website secure is an important part of owning and operating an online store. Regardless of the size of your site (and business), ensuring that your site is as secure as possible helps you build trust with your customers as well as preventing headaches for you down the line.
Magento 2 is a comprehensive, robust eCommerce platform with an enormous active support community. As with any eCommerce platform, Magento sees security vulnerabilities and attacks from time to time.
“Magento 2 is a comprehensive, robust eCommerce platform with an enormous active support community.”
While Magento and the Magento community are quick to address these vulnerabilities with frequent patches, there are a number of additional steps you can take to keep your Magento 2 site secure and prevent attacks.
Recent Magento 2 Security Patches
Version Upgrades and Security Patches
The first (and most basic) way to keep your site secure is to routinely check for new security patches that can be applied to your site. Patches and version upgrades are regularly released to address vulnerabilities found in the platform.
Upgrading your Magento store to the most recent version, along with applying all security patches, will help keep your site secure from reported vulnerabilities and those looking to exploit them.
For example, a recent security patch, SUPEE-9767, addresses security breaches such as remote code execution in the Admin panel and uploading images with malicious code if configuration settings are set to allow symlinks.
Updating Extensions and Modules
Magento 2 has an array of extensions that can be installed to further expand the functionality of your site. However, it can be difficult to know if these extension companies develop modules in a way that will address security vulnerabilities. Magento now requires quality reviews and code checks of an extension before releasing it on the Magento 2 Marketplace.
However, it is best to always read the reviews and the developer profile on the module you’re interested in before installing it on your site. Look for the number of reviews left on the extension and how positive of a rating it has. Also, look at how long the company has been in business – do they have other extensions in the Marketplace? How are the ratings for these extensions?
Reputable extension companies will stay on top of releasing version upgrades for their modules that address security vulnerabilities and bug fixes. Keeping the most recent version of an extension on your site, just like having the most recent version of Magento running, helps close additional security gaps.
Site Backups
While a site backup may not address security vulnerabilities, it can be a lifesaver should your site be compromised – hackers adding malicious files to your site, brute force attacks, and Malware are all examples of how your site can be negatively affected, potentially causing it to be unusable by your customers or bringing it down entirely. This can also be a helpful “Plan B” if there are other issues that occur, such as a server crash or database crash. Running routine site backups keeps a copy of your site in a safe place, just in case you need to quickly restore it at any point.
This can also be a helpful “Plan B” if there are other issues that occur, such as a server crash or database crash. Running routine site backups keeps a copy of your site in a safe place, just in case you need to quickly restore it at any point.
Encrypted Connections (SSL/HTTPS)
The primary function of an SSL Certificate is to encrypt the information that is communicated between servers and web browsers. Encryption is the process of changing the data into a code to prevent unauthorized use or access. This protects the data going between the two through a secure connection (HTTPS). Sites that do not use a secure connection are susceptible to this data being intercepted by third parties.
For eCommerce system such as Magento 2, this data includes personal customer information as well as credit card details. Ensuring that this information stays protected while being communicated between servers and browsers is of the utmost importance.
As of October 2017, Google will begin penalizing sites that are not using HTTPS, by providing customers on non-secure sites with clear warnings in the URL bar.
Switching to the safer HTTPS protocol is becoming a necessity for Google rankings starting October 2017
Use Secure FTP
SFTP (Secure File Transfer Protocol) is a protocol which gives you a secure connection to access to your site’s file system. It is best to use this protocol – as well as creating a complex, randomly generated password for this – when you or your Magento development company are accessing your store’s file system.
Create a Custom Path for your Admin Panel
The standard URL path to access your Magento 2 admin panel is mysite.com/admin. Because the /admin path is common knowledge amongst hackers, setting this to a custom path is another way to prevent people from attempting to access the backend administrative dashboard of your Magento site. This path can be set by your web developer to anything you’d like.
For example: mysite.com/shirts_and_pants_admin or mysite.com/treeservicesadmin
For additional security, you can block all external IP addresses (aside from your own and that of your web developer) from being able to hit your admin panel URL. Your hosting company and/or web developer can assist with this option.
You can block all external IP addresses from being able to reach your admin panel login URL
Create a Unique Admin Password
When creating a password for your Magento 2 admin, it is best to use a mix of upper and lower case letters, numbers, and special characters such as %, ^, #, etc. You want to avoid using real words in your password. It is also recommended to not use your Magento 2 password anywhere else, to keep it from becoming compromised.
“Use unique usernames and passwords that you don’t repeat anywhere else to prevent your logins from being compromised.”
Along with this, it is best practice to create a unique username, instead of using “admin” or other commonly found usernames.
Secure your Magento Connect Manager
Magento’s Connect Manager is an easy way to install extensions on your site. However, it is a known entry point for brute force attacks. To circumvent this, you can have your Magento developer change the default file path (/downloader/) for this to something unique and more difficult for hackers to access.
Restrict File Permissions
In Magento 2, the env.php file (local.xml file in Magento 1) houses vital information, including database usernames and passwords. Ensuring that proper permissions are set for this file is extremely important to prevent any unwanted changes being made. File permissions can be restricted for other directories and files that are within your site for additional security. To understand more about file permissions, and to discuss what is best for your site, contact one of our Magento strategists today.
Use a Reliable Hosting Provider
While a shared hosting plan can cut back on costs with inexpensive options, these types of hosting plans can be more susceptible to attacks and security breaches. A dedicated hosting plan for your eCommerce site is the most secure solution. Additionally, using a reputable hosting company with proactive security measures and excellent customer service will provide the reliability and security your Magento 2 site requires. Need help finding the hosting provider that is right for your business? Talk with one of our Magento strategists today!
Schedule Security Reviews
While there are a large number of Magento developers, few are intimately familiar with the intricacies of the Magento 2 system as of yet. Having a Magento expert perform a code audit/security check of your site will uncover any security loopholes, vulnerabilities, and areas that can be improved for better performance and expanded security. Learn more about our Magento Code Audit!
In Closing
Website security will always be a concern for site owners. Magento 2 is a solid platform with a massive support community who actively work on addressing security vulnerabilities and fixes. However, taking proactive steps to increase your website’s security will maintain the health and longevity of your site, along with giving your customers the reassurance that your store is trustworthy and their private data is secure when making a purchase.
Not sure what your Magento security options are? Connect with our team of Certified Magento experts, today and let us help you reach your eCommerce goals!