Security Checklist for Magento Commerce Website
Magento is a popular ecommerce platform with thousands of installations, and it is also one of the more frequently attacked platforms. Routine maintenance with this checklist in place provides good security for any Magento website. Usually the checklist is needed before launch and during maintenance by the webmaster. Trust is very important for any secure e-commerce website. Routine maintenance of a Magento website should include applying patches from Magento regularly, and site administrators should follow this diligently in order to keep their efforts protected.
Choose a Reliable Hosting provider
It is a general perception that shared hosting is a suitable starting point for any Magento commerce website. Typically it seems like a good option, but investing in dedicated, VPS or cloud hosting is better for a long-term plan and brand building.
Dedicated hosting would be the best option if you are re-platforming, as your website may have an existing customer base and an established brand, but it may prove insufficient for your needs because you will be restricted to a single server. This limits your resources, and if there is a sudden spike in your traffic you need resilience built into your website to avoid the chance of it going down. On the other hand, managed cloud hosting can also be your choice, and it can guarantee you robust security with frequent patches at the server level.
Remember, do not go for cheap hosting plans. If you do, you are compromising your business before you even launch.
Use the latest Magento version
This is the first and foremost piece of advice. Generally we wait for a new version to stabilize and don’t give importance to migrating to the latest version. That is not the right approach in many cases. Magento is updated consistently at a good pace, and subsequent Magento versions fix security issues of the preceding ones. So it is very important to stay informed about the latest Magento version. Once a stable release is out, test it and make every effort to upgrade to it.
Use two-factor authentication
In today’s world, a secure Magento password is sadly not enough. In order to discourage attacks, it is best to use two-factor authentication for your Magento site. There are a few extensions that deliver two-factor authentication, so you don’t have to worry about password-related Magento security risks anymore.
Rublon is an excellent two-factor authentication extension which provides an extra layer of protection. It only allows trusted devices to access the Magento backend, using a smartphone app. The app is available for all popular mobile OS platforms.
Another extension which is worth mentioning is Two-Factor Authentication by Extendware. The extension allows you to implement complex authentication mechanisms which include limiting log-in attempts.
Cloudways customers don’t need any extensions! The Managed Cloud Web Hosting Platform introduced two-factor authentication for its esteemed clients in 2015.
Set a custom path for the admin panel
You generally access your Magento admin panel by going to my-site.com/admin. However, this makes it very easy for hackers to get to your admin log-in page and start guessing passwords.
You can prevent this by replacing /admin with a customized term (for e.g. “Store door”, etc.). This also keeps hackers away from your admin login page even if they somehow get hold of your password. You can change your Magento admin path by following these steps:
• Locate /app/etc/local.xml
• Find and replace the term “admin” with your desired word or code
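After editing local.xml it is worth verifying that the change actually took effect. The script below is an added example, not code from the original article or from Magento: it reads the admin front name out of a Magento 1 app/etc/local.xml (the admin/routers/adminhtml/args/frontName element, which is where Magento 1 keeps this setting) and warns when the default “admin” is still in use or no front name is configured at all. The path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): report the admin front name
# configured in a Magento 1 app/etc/local.xml and flag the default "admin".
# Assumes the Magento 1 element admin/routers/adminhtml/args/frontName, with
# the element and its value on one line, as Magento writes it.

# Print the admin front name from the given local.xml (empty if none is set).
# Accepts both <frontName><![CDATA[x]]></frontName> and <frontName>x</frontName>.
admin_front_name() {
    sed -n 's:.*<frontName>\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*:\2:p' "$1" | head -n 1
}

# Return 0 when a non-default admin path is configured, 1 otherwise.
check_admin_path() {
    name=$(admin_front_name "$1")
    if [ -z "$name" ]; then
        echo "WARN: no frontName set in $1, the default /admin path applies"
        return 1
    fi
    if [ "$name" = "admin" ]; then
        echo "WARN: admin front name is still the default 'admin'"
        return 1
    fi
    echo "OK: admin panel is served under /$name"
    return 0
}

# Usage (assumed install path):
#   check_admin_path /var/www/magento/app/etc/local.xml
```

Run it as part of a post-deployment check; a non-zero exit status makes it easy to wire into a deployment pipeline so that a store never goes live with the default admin path.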
Use Secured/Encrypted connection (SSL/HTTPS)
In Magento, you can enable secure HTTPS/SSL URLs simply by checking “Use Secure URLs” in the system configuration menu. This is one of the key elements in making your Magento website compliant with the PCI Data Security Standard and in securing your online transactions, so remember to serve your checkout and customer profile pages over HTTPS. To obtain an SSL certificate, ask your hosting provider to get started.
Use Secure FTP
One of the most common ways a site gets hacked is by guessing or intercepting FTP passwords. To prevent this from happening to you, it is essential that you use strong passwords and use SFTP (SSH File Transfer Protocol), which can authenticate the user with a private key file instead of a password.
SFTP access is already available on Cloudways.
Keep an active backup plan
Although it is great that you take strict preventive measures for Magento security, it is equally essential to have an active backup plan, including hourly offsite backups and downloadable backups. If, for any reason, your website gets hacked or even crashes, a backup plan ensures the continuity of your services.
You can prevent data loss by storing your website backup file(s) off-site or by arranging backups through an online backup provider. With backups in place, an incident results in minimal (and sometimes no) data loss.
It is always wise to check with your hosting provider whether it has a backup strategy.
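To make the offsite backup described above concrete, here is an added example script (not from the original article or from any hosting provider): it dumps the store database, archives the uploaded media directory, writes a SHA-256 checksum beside each archive so a restore can be trusted, and pushes the staging directory to an offsite host with rsync over SSH. The database name, paths, offsite host and the use of ~/.my.cnf for credentials are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): local stage of an offsite
# Magento backup. Every archive gets a .sha256 file so it can be verified
# before a restore. Paths, database name and offsite host are assumptions.
set -e

# Create a checksummed tar.gz of a directory under dest_dir; prints the archive path.
archive_dir() {                     # archive_dir <src_dir> <dest_dir> <label>
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$2/$3-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    ( cd "$2" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    echo "$archive"
}

# Verify an archive against its .sha256 file and check that it lists cleanly.
verify_archive() {                  # verify_archive <archive>
    ( cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256" ) \
        && tar -tzf "$1" > /dev/null
}

# Dump the store database (credentials from ~/.my.cnf, assumed); prints the dump path.
dump_db() {                         # dump_db <db_name> <dest_dir>
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$2/$1-$stamp.sql.gz"
    mysqldump --single-transaction --routines "$1" | gzip > "$out"
    ( cd "$2" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
    echo "$out"
}

# Mirror the local staging directory to the offsite host over SSH.
push_offsite() {                    # push_offsite <local_dir> <user@host:/path>
    rsync -az --delete -e ssh "$1/" "$2/"
}

# Example run (assumed paths and host), e.g. from an hourly cron job:
#   dump_db magento /var/backups/magento
#   media=$(archive_dir /var/www/magento/media /var/backups/magento media)
#   verify_archive "$media"
#   push_offsite /var/backups/magento backup@offsite.example.net:/srv/backups/shop
```

The checksum step is what turns a copy into a backup you can rely on: a truncated or tampered archive fails verify_archive, so a restore drill catches the problem before an incident does.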
Disable directory indexing
Disabling directory indexing is another way to harden the security of your Magento site. Once it is disabled, the web server no longer lists the contents of directories, which hides the obvious paths under which the files of your domain are stored.
This makes it harder for cyber crooks to reach your Magento-powered website’s core files. However, they can still access a file if they already know its full path.
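The article does not say how to switch indexing off, so here is an added example (not from the original article or from Magento). For Apache, which reads the .htaccess files a Magento install ships with, the directive is `Options -Indexes`; the script checks a docroot’s .htaccess for it, appends it when missing, and also detects a live listing from a saved response body, since Apache’s autoindex pages carry a “Index of /…” title. The file paths and the shop URL in the usage comments are assumptions; for nginx the equivalent setting is `autoindex off;`.

```shell
#!/bin/sh
# Added example (not from the original article): make sure Apache directory
# listings are off for a Magento docroot. Paths in comments are assumptions.

# Return 0 if the given .htaccess already contains an "Options ... -Indexes" line.
indexes_disabled() {                # indexes_disabled <htaccess>
    [ -f "$1" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Append "Options -Indexes" when the file does not already disable listings.
ensure_indexes_disabled() {         # ensure_indexes_disabled <htaccess>
    if indexes_disabled "$1"; then
        echo "OK: directory listings already disabled in $1"
        return 0
    fi
    printf '\n# disable directory browsing\nOptions -Indexes\n' >> "$1"
    echo "FIXED: appended 'Options -Indexes' to $1"
}

# Detect a listing in a saved response body: Apache's autoindex pages are
# titled "Index of /<dir>". Return 0 when the body is such a listing.
body_is_listing() {                 # body_is_listing <saved_response_body>
    grep -q '<title>Index of /' "$1"
}

# Usage (assumed docroot and shop URL):
#   ensure_indexes_disabled /var/www/magento/.htaccess
#   curl -s https://shop.example.com/media/ > /tmp/media.html
#   body_is_listing /tmp/media.html && echo "media/ is still browsable"
```

Run the .htaccess check after every deployment, because a re-deployed or vendor-supplied .htaccess can silently drop the directive; the response-body check is the confirmation that the setting is actually honoured by the server in front of the store.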
Use a secure Magento password
A password is the key to your Magento store. This is why you need to take special care when deciding on a password. While devising a password, use one which has a mix of upper and lower case letters, numbers, and special characters like ?, >, etc. (Use a password manager if you have trouble remembering a difficult one.) Furthermore, never use your Magento password anywhere else. Just like two locks can’t have the same key, keep your Magento password different from the rest of your passwords.
Eliminate e-mail loopholes
Magento provides its users a useful password recovery facility through a preconfigured e-mail address. But if that e-mail account gets hacked, your whole Magento store becomes vulnerable. You need to make sure that the e-mail address you use for Magento is not publicly known and that it is protected with two-factor authentication.
Do security/penetration testing at least twice a year
Check that your website meets the OWASP Top 10 security threat protections. If it does not, fixing those gaps is your priority. It is a bare minimum requirement for any transactional website to have this testing done.
Get a third-party security review done for your Magento platform
Magento developers are not necessarily security experts. Many of them are good at coding, but only a few know the intricacies of Magento site security. This is why, once (or perhaps twice) a year, you should get your website analyzed for apparent loopholes and security shortcomings. If done properly, these reviews help further harden your Magento security measures.