E-commerce and financial websites stand first in the list of possible victims of cyber crime, as these websites deal with the monetary transactions. Being one of the most popular ecommerce platforms, Magento is also under threat of hacking attacks and unauthorized logins. Magento comes with various built-in security features, still there is always more that can be done in order to protect your online store from the smart hackers. With rich expertise in enhancing Magento security, I want to share with you some tips that will help you to protect your online store and keep hackers at bay.
1.Customize the admin path
First step you should do to enhance security of your e-store is to customize the admin path because unchanged path makes it quite easy for hackers to navigate to admin page and use ‘Brute Force Attacks’ to start guessing your password and username. Hacking software can guess username and password combinations 8 million times a second. Therefore, it is always a good idea to change your admin path as soon as possible. For example, instead of having your admin login page at “yoursite.com/store/admin”, try to change it to anything you want, such as “yoursite.com/store/Jdk25X”
While changing the admin path, you should not change the “Admin Base URL” setting in the admin section of the system configuration because it will break Magento by preventing you from accessing the admin panel.
2.Choose strong admin username and password
If your password is easy to guess or not unique, then hackers can crack it in no-time. Make sure to use a password which is almost impossible to crack. Ideal password should be at least 15 characters long, and it should be the combination of upper and lower case, punctuation and numbers. In this way, your password will not be hacked as even with latest hacking software because it will take years to find a match.
3.Do not use Magento password anywhere else
According to passwordresearch.com, over 15% users choose identical passwords for more than one service. Using identical passwords for several services or logins brings the risk of losing all of your accounts at once. Try to make a unique password for your Magento store.
4.Using Two-factor Authentication is a good idea
Read more: Cyber crime in financial institutions
A strong and unique password is not enough unless you do not use two or multiple layers of authentication in order to mitigate the risk of online security attacks. The extra security layer works by requiring you to not only know your unique password and username, but also enter a unique security code that is randomly generated in every 30 seconds.
Magento offers its users a wide array of extensions. There are various extensions, such as Rublon, available in Magento Connect Market that helps you to employ two-level or multiple level of authentication so that you do not have to feel nervous about the password related threats.
5.Forget FTP
The protocol FTP was created at the early stage of Internet, when security was not the issue. Now these days, FTP usage is unwanted because in this authorization is performed with the plain text which can be intercepted easily. Instead, you should use SFTP protocol because it will also relieve you from the issues related with IP streaming (NAT). In order to configure SFTP for your Magento e-store, you can follow this guide. This protocol calls for a private file submission and it also uses a special key for the authentication of user.
6.Update Magento on regular basis
You should use the latest version of Magento because it often comes out to patch recently discovered security risks in the software. If you update your Magento with the latest stable version, you can easily mitigate the problems of old security threats.
7.Create Backups regularly
In addition to robust preventive measure against the online security threats, you should have an active backup plan for your Magento e-store. If your site is being hacked by the hackers, then your backup plan ensures continuity of your website.
8.Restrict Admin Access
In case above mentioned precautions were not enough for you (perhaps due to PCI compliance requirements), you can restrict the access of admin to only the selected IP addresses. It can be achieved via .htaccess, but it is recommended to use the Apache directive LocationMatch:
Read more: How SSL encryption gives a false sense of security
In this example, make sure to change “admin” to your new unique admin login page. In addition, you should change above mentioned 10.10.10.0/24 subnet to your own subnet or your specific IP address. The only problem in this extra level of security is that if you want to make a quick update from home, you are going to have to update the Apache directive above with the new IP address that you are using at that time.9.Use HTTPS/SSL for all login pages
Encrypted connection saves your site from the hacker. Without encrypted connection, there is always risk of being intercepted by the hackers. You can eliminate this possibility by requiring HTTPS/SSL for all your login pages. It can be done by following way:
- Click on the “System” tab in the main toolbar
- Choose “Configuration” from the drop down menu
- Click on the “Web” tab in the left hand navigation
- Then choose “Secure” in the main window
- Now you should change the Base URL of your store from http://… to https://…
- Choose “yes” for both “Use Secure URLs in Frontend" and "Use Secure URLs in Admin”.
- Now, click the “Save Config” button at the top of the page
10.Use latest and paid antivirus software
You should use trusted and paid antivirus software and regularly update it to the new version, as they add fresh information about new malware and phishing attacks to their databases. Paid version of antivirus comprises more features and it will keep you safe from the malware that steals information and sends it to the cyber criminals.
Conclusion
Security is one of the major concerns of every online store. If you want to guard your online business, you should follow the above mentioned ten security tips so that you can protect your online store from the possible malicious activities.