E-commerce websites are frequent targets because they handle payments and customer data. If someone outside your organisation can track your customers' data or payment transactions, your brand reputation and ultimately your business are at serious risk. So it is necessary to secure your e-commerce website and protect it from different kinds of attacks.
Magento is the third most popular e-commerce platform in the world. It offers effective security features such as two-factor authentication, role-based access, firewalls, regular patch updates, and more. But many site owners don't make use of them, which in the present world is very risky, because cyber attacks are at their peak!
This Magento security guide covers every aspect of how to secure a Magento site. Go through the six steps described in detail below and implement them right away! After the steps, we also give a few tips on protecting your site in case of a sudden malware attack.
Here we go!
Enable Two Factor Authentication
Magento's Admin Panel lets you secure access to your online store's dashboards with two-factor authentication (2FA). This feature gives your platform an additional layer of protection in cases where your password has leaked.
To log in with 2FA, you use the Google Authenticator app, which generates a code. Users enter this code along with their password.
For online stores running on Adobe Commerce cloud infrastructure, you can add an extra security feature: SSH certificates.
SSH certificates are short-lived keys that grant access for an hour and are automatically refreshed while the user is working on the platform.
Setup a Custom Admin URL
Using the default URL with /admin for the login page exposes your store to attackers: it is easy to guess, which weakens the security of your online store. Using a login URL that differs from the default adds a layer of protection to your login process.
There are three ways to create a custom admin URL in Magento.
- First method – Change the admin URL from the Magento directory over the SSH command line. Find the current URL with
php bin/magento info:adminuri
and change it with
php bin/magento setup:config:set --backend-frontname='secureAdmin123'
where secureAdmin123 is your new admin path.
- Second method – Edit the app/etc/env.php file. Open it in a text editor and change 'frontName' => 'admin', to your desired URL name. Then flush the cache to see the change take effect.
- Third method – Enable "Custom URL" in the configuration of the admin panel. Once enabled, enter your desired URL.
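As an added example (it is not from the original post and not part of Magento itself), the POSIX shell helper below reads the admin front name out of an env.php file and reports whether the store still uses the predictable default. The env.php fragment is constructed for the demonstration and stands in for app/etc/env.php; the character rule used to validate a proposed new name (letters, digits, underscore, hyphen) is an assumption of this helper, and secureAdmin123 is the example name used above.

```shell
#!/bin/sh
# Added audit helper (assumption: not part of Magento or the original post).
# Reads the admin front name from a Magento env.php and checks whether the
# store still uses the predictable default "/admin" path.

# Constructed sample env.php, standing in for app/etc/env.php
SAMPLE_ENV="$(mktemp)"
cat > "$SAMPLE_ENV" <<'EOF'
<?php
return [
    'backend' => [
        'frontName' => 'admin'
    ],
    'crypt' => [
        'key' => 'PLACEHOLDER_CRYPT_KEY'
    ]
];
EOF

# Print the value of 'frontName' => '...' from the given env.php (first match only).
magento_admin_frontname() {
    sed -n "s/.*'frontName'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 (true) when the front name is empty or the default "admin".
is_default_admin_path() {
    case "$1" in
        ''|admin) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a proposed front name contains only letters, digits, "_" or "-"
# (assumed rule: avoids characters that would break the URL or the env.php quoting).
valid_frontname() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Audit one env.php: print a finding and return 1 if the default path is in use.
audit_admin_path() {
    name="$(magento_admin_frontname "$1")"
    if is_default_admin_path "$name"; then
        echo "FINDING: admin front name is '${name:-<unset>}' (default); change it, e.g."
        echo "  php bin/magento setup:config:set --backend-frontname='secureAdmin123'"
        return 1
    fi
    echo "OK: custom admin front name '$name' in use"
    return 0
}

# Demonstration run against the constructed file
audit_admin_path "$SAMPLE_ENV" || true
valid_frontname 'secureAdmin123' && echo "secureAdmin123 is an acceptable front name"
```

Point the functions at your real app/etc/env.php to run the check on a live store; the helper only reads the file and prints the command to run, it does not change the configuration itself.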
Audit & Update Your Core Files
Magento consistently releases security patches and updates to help you keep your site safe from external attacks. Many e-commerce site owners go for third-party patches instead, either because they are not aware of the latest official security patches or because they want to save some money. This is not recommended: the official patches are cheap or free of cost for a reason.
To get information about the latest updates, you can enrol in Magento's Security Alert Registry.
Once enrolled, you will be notified about the latest security bundles, modules, plugins, templates, and extensions. You also need to audit these files frequently, updating the ones you use regularly and deleting the ones that are no longer needed.
Unwanted modules, templates, and extensions can compromise the security of your site even when they are disabled, so it is necessary to remove them completely. You can use the Magento security scanner to run regular audits and keep your files updated.
Another tool that will protect your site from external attacks is a Web Application Firewall (WAF). It acts as a shield for your site against SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks. With a WAF, your site's performance stays optimal even in the most exposed situations.
Make Your Site PCI Compliant
PCI compliance is Payment Card Industry compliance, a set of security guidelines for all businesses that collect payments through credit or debit cards. These guidelines are in place to protect customers' data and prevent scams.
A common scam is one where a hacker creates a fake transaction page that looks identical to your website, tricking customers into entering their payment details.
Here are the conditions that need to be satisfied for your Magento ecommerce website to be PCI compliant.
- Use a payment gateway that is PCI compliant. Popular options include PayPal, Stripe, and Authorize.Net.
- Upgrade to the latest version of Magento. Keep all security patches updated. Don’t use third party patches.
- Use Magento reCAPTCHA on your pages where you collect sensitive data from customers. Also, have a technical expert to conduct audits regularly.
- Use encryption keys that are rotated regularly to keep customers' information safe.
Use HTTPS Encryption
Needless to say, this is essential for every website. When we open a website in our browser, a continuous exchange of information occurs between the browser and the website’s server. HTTPS encrypts this data, protecting it from external threats.
Moreover, having HTTPS encryption on your eCommerce website can improve your search rankings, as Google prioritizes secure websites.
To configure HTTPS in Magento, you need to obtain an SSL certificate and update the secure base URL in the dashboard to 'https://'.
Give Limited Access to Files and Directories
Magento lets you decide the access level for every file and directory, so that only the users you choose can read, modify, and run the files. There are three kinds of permissions.
File Permissions (644): The website owner can read and edit files, while others can only read them.
Directory Permissions (755): The owner can read, write, and execute, while others can only read and execute.
777 Permissions: Gives everyone full access. Never set files or folders to 777, as this makes your site vulnerable to attacks.
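As an added example (not code from the original post or from Magento), the shell helpers below find entries that are writable by everyone, the 777 problem, and then apply the 644/755 scheme described above. The sample tree is constructed with deliberately bad permissions so the audit has something to report; the only deviation from a flat 644/755 is that bin/magento keeps its owner execute bit, which the CLI commands earlier in this guide need.

```shell
#!/bin/sh
# Added example (not from the original post or from Magento): audit a web root for
# world-writable (777-style) entries and apply the 644/755 scheme described above.

# Constructed sample tree with deliberately bad permissions for the demonstration
SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/app/etc" "$SAMPLE_ROOT/pub/media" "$SAMPLE_ROOT/bin"
printf '<?php return [];\n' > "$SAMPLE_ROOT/app/etc/env.php"
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/bin/magento"
printf 'x' > "$SAMPLE_ROOT/pub/media/logo.png"
chmod 777 "$SAMPLE_ROOT/app/etc/env.php" "$SAMPLE_ROOT/pub/media"

# List files and directories that are writable by "other" (symlinks skipped).
list_world_writable() {
    find "$1" ! -type l -perm -0002
}

# Count of world-writable entries, as a bare number.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the scheme from the text: directories 755, files 644. The bin/magento
# CLI keeps its owner execute bit, otherwise the commands shown earlier stop working.
apply_magento_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/bin/magento" ]; then
        chmod u+x "$1/bin/magento"
    fi
    return 0
}

# Permission string of a path, e.g. -rw-r--r-- (portable via ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration run
echo "World-writable entries before hardening:"
list_world_writable "$SAMPLE_ROOT"
apply_magento_perms "$SAMPLE_ROOT"
echo "World-writable entries after hardening: $(count_world_writable "$SAMPLE_ROOT")"
```

Run list_world_writable against your real document root first and read the output before applying anything. Note that Magento's own installation guide expects a few directories (var/, generated/, pub/static, pub/media, app/etc) to be writable by the web server's group, so on a real server you would relax those paths after applying the baseline rather than leaving them at 777.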
What to Do in Case of Sudden Malware Attacks?
In 2022, global losses to e-commerce online payment fraud were $41 million, and they are expected to reach $343 million by 2027.
Fraudsters and hackers constantly come up with new ways to steal money from your customers and harm your e-commerce brand's reputation.
Apart from the six points mentioned above, here are a few more quick actions that can be taken in case you notice suspicious activities happening on your site.
You can use incident analysis tools offered by Adobe Commerce like Audit Admin Action Logs, Observation for Adobe Commerce, and New Relic Logs.
Audit Admin Accounts
Check whether all admin accounts are still in use. Delete accounts that have been unused for a long time or are no longer needed. Back up your admin action logs. Change the passwords of all active accounts.
Check for Google Warnings
If Google's crawlers find suspicious activity on your site, they send you a notification describing what is wrong, either from Google Search Console or from Google Merchant Center. Check for the warning and take appropriate action.
Use Magento Backup Solutions
Create a copy of system files, media folders and database by logging into the user account through SSH. Backing up helps you protect your website’s data in case of server crashes, which is possible during external attacks.
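The shell helpers below are an added example (not from the original post and not Magento's own setup:backup command) of the file and media backup described above: they archive app/etc and pub/media relative to the Magento root, verify that the archive lists the expected entries, and write a checksum beside it so later corruption or tampering can be detected. The Magento root and backup directory are constructed temporary trees; the database dump helper is included for completeness and is only run when mysqldump is installed and a ~/.my.cnf with credentials exists (both assumptions about the host).

```shell
#!/bin/sh
# Added example (not from the original post or from Magento): archive the system
# files and media of a Magento root, verify the archive, and record a checksum.

# Constructed stand-in for the Magento root and for the backup destination
SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/app/etc" "$SAMPLE_ROOT/pub/media/catalog"
printf '<?php return [];\n' > "$SAMPLE_ROOT/app/etc/env.php"
printf 'x' > "$SAMPLE_ROOT/pub/media/catalog/p.jpg"
BACKUP_DIR="$(mktemp -d)"

# Create <dest>/magento-files-<utc timestamp>.tar.gz with the paths worth keeping
# and print the archive path. -C keeps archived paths relative to the root.
backup_magento_files() {
    root="$1"; dest="$2"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    archive="$dest/magento-files-$stamp.tar.gz"
    tar -czf "$archive" -C "$root" app/etc pub/media
    printf '%s\n' "$archive"
}

# Return 0 when the archive is readable and lists exactly the given entry.
archive_contains() {
    tar -tzf "$1" | grep -qx "$2"
}

# Write <archive>.sha256 next to the archive (sha256sum, or shasum on hosts without it).
write_checksum() {
    dir="$(dirname "$1")"; base="$(basename "$1")"
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$dir" && sha256sum "$base" > "$base.sha256" )
    else
        ( cd "$dir" && shasum -a 256 "$base" > "$base.sha256" )
    fi
}

# Dump one database with a consistent snapshot. Credentials are assumed to come
# from ~/.my.cnf; returns 2 (skipped) when mysqldump is not available on this host.
backup_magento_db() {
    dbname="$1"; dest="$2"
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not installed, skipping"; return 2; }
    mysqldump --single-transaction "$dbname" | gzip > "$dest/magento-db-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"
}

# Demonstration run
ARCHIVE="$(backup_magento_files "$SAMPLE_ROOT" "$BACKUP_DIR")"
archive_contains "$ARCHIVE" app/etc/env.php && echo "env.php present in $ARCHIVE"
write_checksum "$ARCHIVE"
echo "checksum written to $ARCHIVE.sha256"
```

Store the archive and its .sha256 file somewhere the web server cannot write to; a backup that lives inside the compromised document root is of little use after an attack.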
Get Experts Onboard
It is advisable to bring in experienced developers and technical experts who can fix the problem at its root. When the situation is serious you cannot rely on trial and error or on tools alone; you need expert opinions and fast action.
Conclusion
Following Magento security best practices is not a one-time task; it requires ongoing effort. You need to regularly update security patches, audit accounts, code, and databases, and continuously monitor for suspicious activity—like a radar scanning for threats. The steps mentioned above will serve as a checklist to ensure nothing is overlooked, helping you maintain a secure eCommerce environment.