“As on January 2015, it was found that close to 218,000 eCommerce stores were built using a Magento platform”.
Owing to the growing clout of Magento development in the eCommerce arena, it has become the apple of hacker’s eye. Despite Magento being one of the safest open source eCommerce platform and its repeated endeavor to thwart security attacks by frequently releasing security patches, hackers haven’t been dissuaded to come up with new tricks. Now let us explore some of the precautionary measures that need to be adopted for combating security attacks.
Security TIP# 1. Create a complex password
This is one of the cardinal rules to be followed while running an eCommerce store. Being a Magento store owner you will have access to sensitive information. So you need to set a strong admin password so that hackers find it tough to crack your passwords. While creating a password make sure
• Your password contains a minimum of 10 letters.
• Comprises of numerical and special characters.
• Mashed up with upper and lower case letters.
• Should not have been reused.
• Your name or your company’s name is not used as a password.
Remember these instructions while creating a password and in the end make sure you create a password that is easy to remember.
Security TIP# 2. Modify the admin path
By using a default admin path you simplify a hacker’s job of cracking the admin’s username and password. Because when hackers access the path they can spot the admin’s credentials using Brute Force technique. So it is highly recommended to change the admin path. There are two ways of doing it.
From the admin backend
Go to System → Config→Admin→Admin Base URL→Use Custom Admin Path→Click ‘Yes’.
The other way is to implement changes in your local.xml configuration file. You can access it by traversing the below path
You will find the below code in local.xml configuration file.
- <frontName><![CDTA[admin] ]</frontName>
Now place the new admin path in the place of [admin].
After performing the modification, save the configuration file and refresh your cache.
Security TIP# 3. Use the recent Magento version or install security patch
It is always advisable to use the latest version of Magento. Magento development firms constantly scrutinize their products’ vulnerability toward security attacks. Whenever they find one such vulnerability they try resolving it in their next version release. Sometimes, if the issue is grave they develop a security patch and instruct their customers to install the patch immediately. Never neglect such messages.
Security TIP# 4. Two-factor authentication
This is one of the best methods to ward off potential security attacks as it prevents unreliable sources from gaining access to your Magento backend. Two-factor authentication adds an additional layer of security to your Magento site. As per this technique, apart from entering the username and password, you need to enter a security code that is generated randomly once in every 30 seconds. So even if the hacker has your credentials he cannot log in to site as he won’t be having access to the security code that is sent to your mobile phone.
Security TIP# 5. Encrypt pages where credentials are being entered
When vital credentials are sent over unencrypted connection you run a huge risk of granting access to unauthorized sources. To avoid customer credentials landing in unsafe hands, use a secure URL. It is mandatory to deploy secure URLs especially while processing a financial transaction. Magento gives you the option of using SSL for your site.
Under System→Configuration →Web →Secure
Under ‘Secure’ tab you will come across ‘Use Secure URLs in Frontend’ and ‘Use Secure URLs in Admin’. Select ‘Yes’ for both.
Security TIP# 6. Change password before & after working with third party developers
Some situations might demand the assistance of third party Magento developers. Say for instance, when you require a new feature you will have to share your login credentials with third party developers. Before granting access to them, change your credentials and don’t fail to change it again after the work gets completed. The Magento developers you hire may be trustworthy but you just cannot afford to take a chance.
Security TIP# 7. Use genuine Magento extensions
No doubt, Magento extensions simplify our job at little or sometimes at no cost. But some spurious Magento extensions act as a gateway for hackers to penetrate. So do an extensive research (analyze the developer’s background, go through customer reviews and ratings, etc.) before integrating a third party Magento extension to your site.
Security TIP# 8. Take a backup data of your store frequently
To mitigate the impact of damages caused by security attacks, take a backup of your database and Magento files on a regular basis. Keep in mind to store the backup data in a different server where your Magento store is not hosted. It is widely recommended to use cloud based servers like Amazon S3 as it is very secure and synchronizes well with your Magento store.
Security TIP# 9. Strictly use superior quality anti-virus software
Using free antivirus software or one that comes for a paltry sum might work out well for domestic PCs. But on an enterprise level, you need to go in for superior quality antivirus software as they can plug all the security leaks and protective sensitive information from pilferage. Also never forget to update your antivirus software regularly.
Security TIP# 10. Get your Magento site reviewed by security expert
Although your Magento developers might have the potential to layer up your Magento store’s security, it is still advisable to seek the services of a security expert. Because they will be completely aware of the current security trends and will be adept at spotting the security loopholes in your Magento store. They will carry out a security test to unravel flawed application codes and detect SQL injections, cross-site scripting and many such security vulnerabilities.
In the end no site can be 100% secure. You need to be wary about the security threats around you and equip your Magento site accordingly. Try implementing the precautionary measures mentioned above and you can successfully shield your site from security attacks.