How to secure Magento?

Especially for Magento 1 after its end of life, but also for Magento 2, it is important that you secure your Magento instance as well as possible.

Chris

In the following I will list some of the tips that I use for my clients to secure their Magento backends.

1. The obvious: Use SSL certificates

Using an SSL certificate for your Magento online shop, and especially for your Magento backend, should be a no-brainer today. Free SSL certificates are readily available and encryption matters for search engine optimization (SEO), so simply ask your Magento hoster to get an SSL certificate for your store.

The certificate ensures that nobody eavesdropping on the connection can read your passwords, uploads, etc. on the way from your browser to the server. So simply do it.

Once you have made sure that all pages in your Magento 1 store are reachable via HTTPS, you should send the HTTP Strict Transport Security (HSTS) header. In a nutshell, this header tells the browser that it must never load anything from your domain over an insecure connection.

There is a really helpful tool that checks all security relevant headers of your website.
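As an added example (not part of the original post), this is how the HSTS header can be sent from the same .htaccess file that the later tips use. It assumes Apache with mod_headers enabled and TLS terminated by mod_ssl, which sets the HTTPS environment variable; the max-age value is my choice, not a Magento default:

```apache
<IfModule mod_headers.c>
    # Send HSTS only on HTTPS responses (env=HTTPS relies on mod_ssl setting that variable).
    # Browsers ignore the header on plain HTTP anyway, but sending it before every page
    # works over HTTPS would lock visitors out of the shop for max-age seconds.
    # 31536000 seconds = one year; start with a few minutes and raise it once nothing breaks.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
```

Browsers remember the header for max-age seconds and upgrade every request to HTTPS for that long, so include every subdomain only if all of them serve HTTPS. The preload directive is deliberately left out: getting a domain removed from the browser preload lists again takes months. If TLS is terminated on a proxy in front of Apache, the HTTPS variable is not set and the condition has to be adapted to whatever the proxy passes along.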

2. Use strong passwords

First of all, the most important thing, which applies to all your internet accounts, is to use strong passwords. Each Magento account (backend and frontend) should have a strong password, which above all means that it is long enough (e.g. 20 characters or more) and does not contain known words.

Magento 2's built-in password settings for enabling password rotation and complexity rules are a good starting point for that, although nowadays it is not considered necessary to change a password regularly (unless it has been breached).

Magento 1/OpenMage have similar features under System › Configuration › Admin › Security.

3. Regularly check Magento users

Even if every user has a strong password, it does not help security-wise if backend accounts of former employees or former service providers are still active, or if other unknown user accounts are enabled. So go through the list of users in the Magento backend regularly and check whether anything needs to be done.

You should also activate the OpenMage feature to send an email every time a new Magento backend user gets created.

4. Change Magento default admin route

Security by obscurity is never a good thing, but if it prevents even some attacks, I am happy to apply it. So I would definitely recommend changing the default Magento backend route from /admin to something unique to your store.
This can easily be done in app/etc/local.xml in Magento 1 / OpenMage or in app/etc/env.php in Magento 2.

5. Use 2-Factor-Authentication

A more advanced solution is to use 2-Factor-Authentication for your backend accounts, or at least for the Administrator ones. This is a little bit more complex, as Magento 1 and 2 do not provide such a feature out of the box. So you have to use an extension like this 2-Factor-Authentication extension for Magento 1.

Of course 2-Factor-Authentication also adds a little complexity for your users, so you have to decide whether it is an option in your case.

6. Secure Magento backend by IP or cookie

An additional measure to protect your Magento backend from unplanned access is some form of whitelist protection, for example allowing only specific IP addresses or requiring a specific cookie, header, etc.
Allowing only specific IP addresses of course only works in most cases if you have some sort of VPN, so that the IP range does not change (everyone should have a VPN by the way ;-)).
If your IP address changes regularly, another way is to require a secret cookie that must be set in order to access the Magento backend.

Both measures can easily be applied, e.g. by a rule in your .htaccess file like this one for the cookie limitation:

# Limit the backend route (replace your_admin_route) to requests carrying the secret cookie
RewriteCond %{REQUEST_URI} ^/(index\.php/)?your_admin_route(/|$) [NC]
# Match the whole name=value pair; unanchored, a value merely starting with the secret would pass, and cookie values are case-sensitive, so no [NC]
RewriteCond %{HTTP_COOKIE} !(^|;\s*)TheSecureCookieName=TheSecureCookieValue(;|$)
# Everybody without the cookie is sent to the shop front page
RewriteRule ^(.*)$ https://%{HTTP_HOST}/ [R=302,L]
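The post shows only the cookie variant. As an added example that is not from the original post, the IP variant for the same backend route looks like this in .htaccess. The addresses 203.0.113.0/24 and 198.51.100.42 are documentation ranges standing in for your VPN or office addresses, and your_admin_route is the renamed backend route from tip 4:

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Apply the restriction to the backend route only (replace your_admin_route).
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?your_admin_route(/|$) [NC]
    # Allowed sources: an office/VPN range and one single host.
    # 203.0.113.0/24 and 198.51.100.42 are documentation addresses used as placeholders.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.[0-9]+$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.42$
    # All conditions are ANDed: backend route AND not in range AND not the single host -> 404,
    # so the backend looks like a route that does not exist.
    RewriteRule ^ - [R=404,L]
</IfModule>
```

One caveat before relying on this: if a CDN or reverse proxy sits in front of Apache, REMOTE_ADDR holds the proxy's address, not the visitor's, and the rule either blocks everybody or nobody. In that case configure mod_remoteip (RemoteIPHeader and RemoteIPInternalProxy) so that REMOTE_ADDR carries the real client address, and verify the rule from outside the VPN after deploying it.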

7. Apply all Magento security patches

Whether you use 3rd party vendors like MageOne, OpenMage, SanSec or tools from your hoster, it is always important to apply the latest security patches as soon as they are released to avoid known vulnerabilities, because once a patch has been published, every attacker knows about the weakness and tries to exploit it.

If you are managing your Magento installation through composer (and you really should ;-)), do not forget to add the package roave/security-advisories to your dev-dependencies. This package declares a conflict with every dependency version that has a known vulnerability, so composer refuses to install one each time you run composer update.

8. Use a Content Security Policy

A Content Security Policy (CSP) is a powerful feature in modern browsers to prevent common security threats like Cross Site Scripting (XSS) and to avoid loading uncontrolled content in the browser of the user. To do so, you define a set of rules, e.g. from which hosts images, scripts, frames, etc. may be loaded and to which hosts forms may be posted, and the browser enforces these restrictions.

There is a CSP Evaluator Tool from Google to check the validity of your CSP rules.

In another blog post I described how I implemented a CSP with Magento.
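As an added starting point (not the CSP from the post mentioned above), the following .htaccess fragment deploys a policy in report-only mode first and only switches to enforcement once the reports are clean. It assumes Apache with mod_headers; the host cdn.example.com and the endpoint /csp-report are placeholders for your own CDN and for a report receiver you have to provide yourself:

```apache
<IfModule mod_headers.c>
    # Phase 1: report-only. Violations are sent to report-uri, nothing is blocked yet,
    # so you learn what the shop really loads (checkout, payment iframes, tracking)
    # before an enforced policy can break an order.
    # cdn.example.com and /csp-report are placeholders for your CDN host and report endpoint.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline' https://cdn.example.com; img-src 'self' data: https://cdn.example.com; font-src 'self' data:; connect-src 'self'; frame-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; object-src 'none'; report-uri /csp-report"

    # Phase 2: once the reports show no legitimate violations, move the same value to the
    # enforcing header and remove the report-only line above.
    # Header always set Content-Security-Policy "default-src 'self'; ...; report-uri /csp-report"
</IfModule>
```

The weak spot of this starting policy is 'unsafe-inline' in script-src: Magento templates contain inline scripts, and as long as inline scripts are allowed the policy does not stop an injected card skimmer. Replacing 'unsafe-inline' with nonces or hashes is the actual work of a Magento CSP, and every host for payment providers, tag managers and the like has to be added explicitly; the report-only phase tells you which ones. Setting headers from .htaccess also requires AllowOverride FileInfo in the virtual host.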

9. Choose a reliable hoster

The hoster is your most important business partner in terms of providing the online shop service to your customers. Therefore I cannot recommend enough that you carefully choose a Magento-specialized hosting company with experts in data privacy and security.

A modern hoster will have several security measures in place for you. With these, in the event of unauthorized access to the environment, additional monitoring is in place to log and alert on any injection of card-skimming code into files or the database:
  • Intrusion Detection System (IDS)
  • Web Application Firewall (WAF)
  • File Integrity Monitoring (FIM)
  • Database Activity Monitoring (DAM)

In addition there should be a detailed alert and response plan that identifies the individuals or parties responsible for receiving and processing alerts, applying patches, and responding to security incidents. The response timeframe and process as well as the contact data of the partner or individual should be explicitly written down, so that in an emergency everybody knows exactly what to do.

10. Minimize Attack Surface

It is also very important not to expose any sensitive files from your file repository (Github, Bitbucket, ...) to the public, which means you need an offsite version control system. For my Magento 1 / OpenMage customers I also apply a special fix to create a separate pub/ directory that only contains the files that need to be publicly accessible.

In addition I also recommend disabling all unused Magento Extensions and prohibiting access to unused Magento routes. To do so, go through the complete list of your installed Extensions, check the frontend controllers one by one and, if a controller is not used, disable it like this in your .htaccess file:

<IfModule mod_rewrite.c>
    # Answer unused frontend routes with 404 (de|en are the store codes in this shop's URL scheme)
    RewriteRule ^(de|en)/catalogsearch/(advanced|ajax|term)(.*)$ - [NC,L,R=404]
    RewriteRule ^(de|en)/newsletter/manage/(.*)$ - [NC,L,R=404]
    RewriteRule ^(de|en)/oauth/(.*)$ - [NC,L,R=404]
    RewriteRule ^(de|en)/shipping/tracking/(.*)$ - [NC,L,R=404]
</IfModule>

11. Automatic Malware scanning

In combination with a reliable hoster, your next most important business partner is a company that regularly scans your Magento shop for vulnerabilities and malware and generates a report in case of any issues.

Which measures do you take to secure your Magento instance? Let me know in the comments.
