How to secure a Magento site: checklist and tips for effective protection

Stefan Wieczorek —  April 3, 2020 — Leave a comment

How to secure a Magento site: checklist and tips for effective protection

Being one of the leading e-commerce platforms worldwide with many advantages, Magento is the perfect choice for an e-commerce shop. One of these advantages being solid security.

However, e-commerce sites are attractive targets for hackers or scammers trying to steal personal or payment data from your customers.
The consequences for your customers could be financial loss in the best case and identity theft in the worst. This is something you must take precautions against.

Highly effective and reliable protection is key when using Magento to protect against scamming and phishing.
Magento’s built-in security features are already solid. But for your clients and your e-commerce business, the best protection is just good enough.

There are many ways to secure a Magento site.
But how exactly can you ensure your Magento e-commerce site runs as safe as possible?

We at MGT-COMMERCE are daily working to ensure and increase the e-commerce security of Magento businesses. Therefore we would like to share our experience as Magento hosting provider with you so that you can make your online shop even more secure.

In this article you will find out:

Table of Contents

Is Magento secure? How secure is Magento?

First things first, the answer is yes! Magento aims to be very secure out of the box.

But since Magento is an open-source platform, security might not always be the number one priority.
Normally, for open source developers, easy installation is most important. Securing the application follows second with patches after the software is installed.

A second factor regarding security is how well the web developer installs and configures your Magento installation. Especially when accepting low cost offers you should pay attention to the quality of the protection, verify and sometimes better think twice.

While Magento turns out to be safe out of the box, it is highly recommended to increase its security. To do so, start by first:

Checking the security state of your Magento site

To check the security state of your site, the most obvious way is to use Magento’s provided solution: the Magento Security Scan Tool.

The Magento Security Scan Tool is fully free to use in both of Magento’s cloud solutions: Magento Open Source and Magento Commerce (see here a comparison of the two versions)

Reasons to protect your Magento site

There are numerous reasons for protecting your site beyond the built-in security features. There is an essential need to protect against:

  • Spamming
  • Phishing
  • Hackers and scammers
  • Malware (viruses, trojans, worms etc.)
  • DDoS attacks
  • Cross-Site Scripting
  • SQL-Injection
  • Other common web exploits

The list of possible consequences for your customers and business is similar. Consequences could be:

  • Financial loss
  • Identity theft
  • Damaged reputation
  • Claims for damages

To prevent this, we came up with a checklist on how to secure your Magento site.

Checklist: How to secure a Magento site

In our checklist we will show you the most common problems and solutions.

Following these instructions is helping to protect against most security threats.

Use the latest Magento version

Using an old version of Magento with all of its security feature patches may sound like a good alternative at first glance. However, it is very risky as recent security threats could be overseen.

With the latest version of Magento, you are always up to date with the most recent security enhancements. The concerns of some people that the latest version of Magento is not as secure as a previous version is dangerous and unfounded. Security issues that were solved in a former Magento version and reappear in a new one are normally fixed fast with patches in new versions.

Staying informed about the latest Magento version is essential.

Install Magento patches: What are they and how can you install security patches in Magento?

Next up: Magento patches. Two relevant questions have to be answered:

1. What are Magento security patches?

Security patches are correcting vulnerabilities in the system and improving its security.
They are provided by Magento and it is recommended to install them as soon as possible after its release while running the latest Magento version.

2. How is Magento security patch installation working?

Because hosting environments and access to the server varies between e-commerce shops, there is not just one ideal solution.

The general steps are:

1. Creating a backup of your Magento installation before.
2. Downloading the patch from Magento’s download page.
3. Installing Magento’s security patch. Depending on your hosting environment and server access, there are three ways:
a. Using Secure Shell (SSH), being the recommended way of security patch installation.
b. Running a script.
c. Uploading pre-patched files.

As things can get tricky, complicated and can cause downtime it’s highly recommended to do it first on separate dev/test environment.

Customize the Admin URL and use a strong password

Even though it won’t protect you from determined professional hackers, customizing the Admin URL has two main benefits:

It reduces the damage if hackers somehow only get hold of your password. It also reduces the exposure to scripts trying to get access.

Therefore, changing the default /admin with a customized term is recommended.

Additionally, using a strong password for Magento Admin is self-evident and highly recommended.
On top of the previously mentioned tips, it’s advised to allow only whitelisted IPs to access your Magento Admin.

Enhancing Magento admin security: Use Two-Factor Authentication (2FA)

Strengthen the Magento admin login security is essential as well.

Using Two-Factor Authentication allows accessing your admin login only with the combination of your password and a trusted device like your smartphone that will display a security code.

This ensures that only you are getting access. If necessary, you can share the security code with authorized users.

Use a strong password for FTP and SFTP login

Your Magento admin login is not the only one that needs a strong password. Often forgotten is the FTP and SFTP login password which could be a vulnerability and is often exploited to hack websites.

Make sure you are using a secure FTP password as well and better use Secured File Transfer Protocol (SFTP) for advanced protection.
A strong password together with an IP Port restriction is highly recommended to avoid hacking attempts.

Use a secure encrypted connection

Sending sensitive data, especially login information, via an unencrypted connection is an invitation for intercepting data.

Not only for you but primarily for your customers, always ensure that you have a secure Magento connection with a secure communications protocol, e.g. Hypertext Transfer Protocol Secure (HTTPS) or Secure Sockets Layer (SSL) URL.

Prepare yourself with a backup plan

Equally important to security is planning for the worst. At its core, a functioning backup plan.

If your e-commerce shop crashes or gets hacked, a backup has to be installed as quickly as possible. This guarantees that your site can continuously be accessed and doesn’t need to get offline for hours or days.

Otherwise, potential new customers will buy somewhere else and existing customers are at least irritated or lose their trust in your company.

Effective protection always requires proactive preparation as well.

When implementing these tips on how to secure a Magento site with our checklist your Magento is already much safer than before. But it still is not safe enough. That’s why you should intensively consider advanced actions for securing your business.

The best way to secure a Magento site: Protection solutions from the best Magento hosting provider: MGT Commerce

If you want a security solution that not only ensures common safety standards but surpasses them,
our Magento security solution, our MGT WAF – Web Application should be your first choice.

This managed web application is included by default in all of our managed hosting multi-server plans and
auto-scaling hosting plans for Magento 1 & 2.
For Magento users on a single server Magento hosting plan, we offer our Magento web application firewall as an add-on on top.

The MGT Web Application Firewall offers:

  • DDoS Attack Mitigation
  • SQL-Injection Protection
  • Cross-Site Scripting Protection
  • and many more benefits

With its highly effective and reliable protection against common web exploits that may affect availability, compromise security, or consume excessive resources, you don’t need to worry about the safety of your Magento e-commerce shop.

Contact us now to find out more about this perfect safety solution

Conclusion: An effective protection needs advanced solutions

Facing the constant threats of hackers, no security actions suffice for your e-commerce shop running flawlessly.

Understanding the reasons for protecting your Magento site and implementing the protection tips from our checklist enhances the security of your site immediately.

Nevertheless, an ambitious business needs outstanding high performing and best Magento hosting that ensure your advanced security needs with highly effective and reliable protection solutions.

To secure your website, MGT Commerce is your ideal partner.
Contact us now, and we will find out the best solution for your business!

No Comments

Be the first to start the conversation.

Leave a Reply

*