Whatever kind of website you run (ecommerce, blog, forum, etc.), it is exposed to security risks. Plenty of attackers would like to get inside a website to spam its customers and launch phishing campaigns, or, worse, to steal customer data and credit card information.
The more popular a website platform is, the more attractive a target it becomes. As Magento is one of the largest and most valuable ecommerce platforms, its security is particularly important: stores built on it keep records of their customers' personal details and order-related financial data, so any successful attack causes serious loss to the merchant.
Magento is considered a fairly safe and secure ecommerce platform. Nevertheless, vulnerabilities are discovered from time to time that let attackers circumvent its security mechanisms and make off with the store database. The Magento team reacts quickly to such cases and releases patches, so every merchant should keep up with these updates and apply security patches promptly to keep a Magento-based store properly secured.
Besides keeping your software up to date, you can take a few additional steps to make your store more secure and robust.
Use a custom admin URL
If you keep the default admin path, an attacker can trivially navigate to your store's backend login page and start guessing credentials. With today's automated brute-force tools, breaking a weak username/password pair from there is only a matter of time.
For example, instead of the default Magento backend login page yoursite.com/store/admin, you can use yoursite.com/store/dr2j6i.
Please note: DO NOT change "Admin Base URL" in the admin section of the system configuration; a wrong value there locks you out of the backend.
Instead, open the local.xml configuration file in the app/etc/ directory of your Magento installation. Find "<![CDATA[admin]]>" (the admin router's frontName) and replace the word "admin" with a path that is practically impossible to guess (e.g. dr2j6i). Flush the Magento cache afterwards so the new path takes effect, and verify that the old /admin path no longer shows the login form.
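The following shell script is an added example, not code from the original article or from Magento: it performs the local.xml edit described above without a text editor, refuses guessable values, and reads the result back. The element layout it edits (config/admin/routers/adminhtml/args/frontName) is Magento 1's; the store path /var/www/store, the function names and the sample file it builds for demonstration are this example's own assumptions.

```shell
#!/bin/sh
# Change the Magento 1 admin router frontName in app/etc/local.xml.
# The value lives at config/admin/routers/adminhtml/args/frontName and
# defaults to <![CDATA[admin]]>; nothing else in the file is touched.
# Usage: set_admin_frontname /var/www/store dr2j6i

set -eu

# Accept only lowercase letters, digits and underscores (6+ chars) and
# refuse the names every scanner tries first. Returns 0 when acceptable.
valid_frontname() {
    case "$1" in
        admin|administrator|backend|manage|login) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9_]{6,}$'
}

# Print the frontName currently configured (empty if the element is absent).
current_frontname() {
    sed -n 's|.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*|\1|p' "$1/app/etc/local.xml"
}

# Rewrite the frontName and print the new value. sed writes to a scratch
# file first, and the result is copied back with cat so local.xml keeps its
# owner and mode (it holds the database credentials, so those matter).
set_admin_frontname() {
    root=$1
    new=$2
    file="$root/app/etc/local.xml"
    valid_frontname "$new" || { echo "rejected frontName: $new" >&2; return 1; }
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    tmp=$(mktemp)
    # Match whatever value is there now, so re-running the function is safe.
    sed "s|<frontName><!\[CDATA\[[^]]*]]></frontName>|<frontName><![CDATA[$new]]></frontName>|" \
        "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
    current_frontname "$root"
}

# Constructed sample store (assumption for this example): a minimal local.xml
# with the default admin path, standing in for a real installation.
make_sample_store() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc"
    cat > "$root/app/etc/local.xml" <<'EOF'
<?xml version="1.0"?>
<config>
    <global>
        <!-- crypt key and database credentials omitted -->
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
    printf '%s\n' "$root"
}
```

On a real installation run `set_admin_frontname /var/www/store dr2j6i`, then flush the Magento cache (System > Cache Management) so the configuration change is picked up, and confirm that yoursite.com/store/admin no longer shows the login form while the new path does.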
Unfortunately, there is always a chance that an attacker discovers your custom admin login page anyway; a hidden path is obscurity, not authentication. That is why you should also choose a username that is not predictable and a password that is not guessable.
Avoid the typical and widespread "admin" or "administrator" as a username, and don't use your own name or your company name either.
Make sure your password is at least 15 characters long and mixes upper- and lower-case letters, digits and punctuation.
Moreover, never reuse your Magento admin password on other sites; it must be unique, so that a breach elsewhere does not expose your store.
Store your Magento admin password securely
To raise the security level of your Magento store, never let your browser save the admin password. If your laptop or mobile device is stolen, or an attacker takes remote control of your computer, they would get immediate and complete access to your Magento backend. A dedicated password manager that locks with a master password is the safer place for it.
Use an encrypted connection
With HTTPS/SSL secure URLs enabled, your username and password are encrypted in transit, so someone eavesdropping on the network can no longer read them each time you log in at the Magento admin page.
To enable this, navigate to System > Configuration > General > Web. In the Secure group, change 'http' to 'https' in the Base URL, and set "Use Secure URLs in Frontend" and "Use Secure URLs in Admin" to "Yes". Before saving, make sure a valid certificate is installed and the https:// address of your store actually loads; otherwise you lock yourself out of the admin and have to repair the setting in the database.
Secure your server access and file permissions
Securing the connection you use to upload files to your server is just as important: plain FTP is one of the easiest ways into a Magento site, because its credentials travel in clear text and an attacker only has to guess or intercept the FTP password. Use SFTP or FTP over TLS (FTPS) with a strong, unique password, and disable plain FTP on the server if you can.
Also make sure your file permissions are NOT set to 777: that makes a file or directory writable by every user on the server, so any other compromised account or script on the host can plant code in your store. A common baseline is 755 for directories and 644 for files, with only the directories Magento must write to (var/ and media/) writable by the web server user.
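An added example, not taken from the article or from Magento: a small POSIX shell audit that lists everything world-writable under the Magento root and resets the tree to a conventional layout. The 755/644 baseline with var/ and media/ group-writable, the path /var/www/store and the constructed sample tree are this example's assumptions about the hosting setup.

```shell
#!/bin/sh
# Find and fix world-writable paths under a Magento document root.
# Usage: find_world_writable /var/www/store ; fix_permissions /var/www/store

set -eu

# Every file or directory that any user on the host may write to (any
# mode with the o+w bit, 777 included). One path per line; silent if clean.
find_world_writable() {
    find "$1" -perm -o+w \( -type f -o -type d \) -print
}

# Number of world-writable entries; 0 means clean. Cheap enough to run
# from a cron job or a deploy step and alert on a non-zero result.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to a conventional layout: directories 755, files 644, with only
# var/ and media/ group-writable (775/664) for the web server's group.
# The var/media exception is this example's assumption about the hosting
# setup; if PHP runs as the file owner, those can stay 755/644 as well.
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in var media; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 775 {} +
        find "$root/$d" -type f -exec chmod 664 {} +
    done
}

# Constructed sample tree (assumption for this example) with two typical
# mistakes: a world-writable local.xml (it holds the DB credentials) and a
# 777 cache directory. The tree starts from a clean baseline so that the
# two deliberate 777 entries are the only findings.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc" "$root/var/cache" "$root/media"
    echo '<config/>' > "$root/app/etc/local.xml"
    echo 'cached' > "$root/var/cache/entry"
    fix_permissions "$root"
    chmod 777 "$root/app/etc/local.xml" "$root/var/cache"
    printf '%s\n' "$root"
}
```

Run `find_world_writable` first and read the list before running `fix_permissions`: a 777 entry in an unexpected place (a PHP file in media/, a backup in the web root) is a sign of an earlier compromise, not just a sloppy upload, and deserves investigation rather than a silent chmod.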
Restrict admin access by IP address
If you and your team always reach the Magento admin panel from fixed, static IP addresses, a strong additional measure is to allowlist those addresses or ranges in the web server configuration and refuse every other client access to the backend. If the store sits behind a CDN, load balancer or reverse proxy, make sure the web server sees the real client address (for Apache, via mod_remoteip and the proxy's forwarded-for header) rather than the proxy's own, or the allowlist will match the wrong hosts.
Disable directory indexing
If directory indexing is enabled on your server, anyone can open a folder URL of your Magento store and see its directory structure and the files it contains, which hands an attacker a convenient map of your installation (extension names, backup files, upload folders).
Add the line "Options -Indexes" to your store's .htaccess file and directory indexing is disabled: a request for a folder without an index file then returns a 403 Forbidden error instead of a listing. This requires that the server's AllowOverride setting permits Options in .htaccess; otherwise put the directive in the virtual host configuration.
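The two .htaccess changes from the previous sections (the IP allowlist for the admin path and Options -Indexes) as one added example, written for this page rather than taken from the article or from Magento. It assumes Apache 2.4 (for <If> and Require ip), an admin path of /store/dr2j6i as in the custom admin URL example, the documentation-range addresses 203.0.113.10 and 198.51.100.0/24 standing in for your office IPs, and a constructed sample .htaccess.

```shell
#!/bin/sh
# Append two hardening rules to a Magento store's .htaccess (Apache 2.4):
#   1. an IP allowlist for the admin path, via <If> plus Require ip
#   2. Options -Indexes, which turns off directory listings
# Both steps are idempotent, so the function is safe to re-run from a
# deploy script. Requires AllowOverride to permit Options and AuthConfig.
# Usage: harden_htaccess /var/www/store/.htaccess /store/dr2j6i 203.0.113.10 198.51.100.0/24

set -eu

# Emit the allowlist block: only the listed addresses/CIDR ranges may request
# anything under the admin path; everyone else gets 403. The addresses in the
# usage line are RFC 5737 documentation ranges, not real ones.
admin_allowlist_block() {
    path=$1; shift
    printf '<If "%%{REQUEST_URI} =~ m#^%s#">\n' "$path"
    printf '    Require ip %s\n' "$*"
    printf '</If>\n'
}

# Add Options -Indexes and the allowlist block unless each is already present.
harden_htaccess() {
    file=$1; path=$2; shift 2
    [ $# -ge 1 ] || { echo "harden_htaccess: give at least one IP or range" >&2; return 1; }
    [ -f "$file" ] || : > "$file"
    if ! grep -q '^Options -Indexes' "$file"; then
        printf 'Options -Indexes\n' >> "$file"
    fi
    if ! grep -qF "m#^$path#" "$file"; then
        admin_allowlist_block "$path" "$@" >> "$file"
    fi
}

# Constructed sample .htaccess (assumption for this example) carrying the
# usual Magento front-controller rewrite, so the additions can be checked
# against realistic content rather than an empty file.
make_sample_htaccess() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/(media|skin|js)/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
EOF
    printf '%s\n' "$f"
}
```

After applying it, request the admin path from an address that is not on the list and confirm you get 403, then request a folder such as /store/skin/ and confirm it no longer lists files. If the store runs behind a proxy, the allowlist only works once mod_remoteip (or an equivalent) restores the client address, as noted above; otherwise Require ip sees the proxy's address for every request.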
There are many other ways to improve the security of a Magento installation. Having implemented at least the steps above, however, you will raise your store's security level and better protect the database holding your customers' information against attacks.