Top Ten Magento Security Savers

Because Magento is widely regarded as the pinnacle of ecommerce software, it naturally becomes a targeted platform for hackers, especially those looking to lift your customers’ credit card and personal details.

Unfortunately, the struggle is real when it comes to protecting your ecommerce site against outlandish, unprovoked attacks by those horrible hackers and spiteful spammers. But, luckily for you, our handy guide should help prevent any future headaches or mishaps.

1. Update to the latest version of Magento
Credit to Magento, they often introduce new versions as a software upgrade, in order to patch up any recently discovered security risks, amongst other things. Therefore, by updating your ecommerce store so that it has the latest software, you will help protect yourself that little bit more.

2. Only trust Magento
There are a lot of extensions out there that have been created for Magento but are not necessarily made by Magento. Ensure your extensions come from within the Magento community, directly from their developers, so that they sustain the credible standard of security you require.

3. Make your own admin path
Unless you change your admin path, hackers will simply knock down your doors and take a leisurely stroll around your site, pillaging and lifting whatever they wish. Their software is more than capable of guessing a username and password and will trial millions of combinations per second until it unlocks.

4. The Two-factor
Technological advancements now enable us to add an extra layer of security to your Magento site. Available from the Magento Connect Marketplace, a smartphone app has been designed to randomly generate a security code every 30 seconds, which reinforces your generic username and password. Two-factor authentication extensions help to ensure that only trusted devices can access the back-end of your Magento store.

5. Restrict Admin Access
It’s as simple as it sounds. What’s more, if you’re already on with bullet-proofing your site, this is a sure-fire way of dodging another potential bullet: restrict admin access to only the IP addresses you have whitelisted.

6. Require HTTPS/SSL
On that note, without an encrypted connection you run the risk of being hijacked by a hacker. You are open to attack every time you use your username and password, so eradicate this by requiring HTTPS/SSL in Magento.

7. File permissions – change them
666 really is the devil, in this case. If you see that any of your file permissions are 666 or 777 you need to fix them promptly! Your files and folders should not be writable by anyone other than you. You can do this by changing your file permissions to 644 and your folders to 755.
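A quick way to find and fix the permissions the tip above warns about is a small audit script. The following is an added example, not code from the original article or from Magento: it lists every world-writable file or folder under a document root, counts them so a cron job or deployment check can fail on a non-zero result, and resets files to 644 and folders to 755. The sample tree it builds is constructed for the demonstration; the paths in it are not a real Magento layout.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Magento document root
# for world-writable files and directories, then reset them to 644 / 755.
# Usage: audit_perms /path/to/store   -> prints each offender
#        fix_perms   /path/to/store   -> files 644, directories 755

# Print every file or directory whose mode grants write to "other"
# (666, 777, 646, 757 and so on). -perm -002 means "the o+w bit is set".
audit_perms() {
    root="$1"
    find "$root" -perm -002 \( -type f -o -type d \) -print
}

# Count offenders so a scheduled check can alert on anything above zero.
count_world_writable() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Reset permissions the way the article recommends. Assumption: a real store
# keeps var/ and media/ writable by the web server user, so after running this
# you would hand those two directories to that user (chown/chgrp) rather than
# reopen them to the world.
fix_perms() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
}

# Constructed sample tree: one "devil" file (666) and one 777 folder.
make_sample_tree() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/app/etc" "$dir/var/cache"
    echo "<config/>" > "$dir/app/etc/local.xml"
    echo "<?php" > "$dir/index.php"
    chmod 666 "$dir/app/etc/local.xml"
    chmod 777 "$dir/var/cache"
    chmod 644 "$dir/index.php"
    echo "$dir"
}

# Stand-alone run: show the offenders, fix them, show that none remain.
if [ "${1:-}" = "--demo" ]; then
    store="$(make_sample_tree)"
    echo "Before: $(count_world_writable "$store") world-writable entries"
    audit_perms "$store"
    fix_perms "$store"
    echo "After:  $(count_world_writable "$store") world-writable entries"
    rm -rf "$store"
fi
```

Run it with `--demo` to see the before/after counts on the sample tree, or point `audit_perms` at your real document root and review the list before touching anything.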

8. Fortify your Magento Connect Manager
We’re all a big fan of Magento’s Connect Manager, as a quick and easy way to install programs but, once again, it’s a well-known sneak hole for aggressive attackers. Similar to your admin path, change this path/downloader to make it trickier for hackers to invade. Additionally, you can also restrict the downloader path by its IP address.

9. Disable directory indexing
This is just another trick which will make Mr. Hacker’s pastimes less enjoyable. It prevents the hacker from viewing all the files in a specific folder, leaving them uncertain as to what your files are and where they are located. Ultimately, this makes it harder for them to find the loopholes or vulnerabilities of your site.
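Tips 5, 6, 8 and 9 all come down to a few web server directives. The script below is an added example, not part of the original article or of Magento, and it assumes an Apache 2.4 host with mod_rewrite enabled and an AllowOverride setting that permits Options, FileInfo and AuthConfig in .htaccess files. The admin front name `secretadmin` and the addresses `203.0.113.10` and `198.51.100.7` are placeholders to replace with your own. It prints a root .htaccess that disables directory indexing, forces HTTPS and returns 403 for the admin path from any non-whitelisted address, plus a `downloader/.htaccess` that limits the Connect Manager to the same addresses.

```shell
#!/bin/sh
# Added example (not from the original article): emit Apache 2.4 .htaccess
# fragments for tips 5, 6, 8 and 9. Placeholder admin name and IPs below;
# the HTTPS check assumes TLS terminates on this server (behind a load
# balancer you would test X-Forwarded-Proto instead).

# Turn "203.0.113.10 198.51.100.7" into the regex alternation
# "203\.0\.113\.10|198\.51\.100\.7" for use in a RewriteCond.
ip_regex() {
    printf '%s\n' "$1" | sed 's/\./\\./g; s/ /|/g'
}

# Root .htaccess: no listings (9), HTTPS only (6), admin path gated by IP (5).
# Both /secretadmin and /index.php/secretadmin forms of the admin URL are covered.
root_htaccess() {
    admin="$1"
    ips="$(ip_regex "$2")"
    cat <<EOF
# 9. disable directory indexing
Options -Indexes

RewriteEngine On

# 6. force HTTPS for every request
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 5. admin path "${admin}" only from whitelisted addresses (403 otherwise)
RewriteCond %{REQUEST_URI} ^/(index\.php/)?${admin}(/|\$)
RewriteCond %{REMOTE_ADDR} !^(${ips})\$
RewriteRule ^ - [F,L]
EOF
}

# downloader/.htaccess: Magento Connect Manager reachable only from the list (8).
# "Require ip" takes several addresses or CIDR ranges on one line.
downloader_htaccess() {
    printf '# 8. restrict Magento Connect Manager by IP\nRequire ip %s\n' "$1"
}

# Stand-alone run: print both fragments for the placeholder values.
if [ "${1:-}" = "--demo" ]; then
    echo "### .htaccess (document root)"
    root_htaccess "secretadmin" "203.0.113.10 198.51.100.7"
    echo
    echo "### downloader/.htaccess"
    downloader_htaccess "203.0.113.10 198.51.100.7"
fi
```

Test the generated files on a staging copy first: a wrong admin front name in the RewriteCond locks the real admin path out, and a missing address in the list locks you out.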

10. Professional security regularity
Although the above tips may be digestible to most people with some knowledge of the back-end of a Magento site, even a talented and experienced web developer can’t compare to a trained security expert who handles Magento on a daily basis. Therefore, it’s worth spending a bit of your hard-earned cash on a skilful individual who will readily identify any flaws or exposures in your site. Their testing methods are highly sophisticated, and they can perform all kinds of magical scans and tests to uncover anything you may have missed, such as SQL injection, cross-site scripting, file path traversal and many other things you may not have heard of.

Don’t take these tips for granted. Yes, they’ll help prevent hackers having an easy ride, but no site is 100% unhackable. There are other methods you could employ too, to decrease the chances of being exploited; hopefully these will help you along the way to a more invincible Magento site.

If you have any questions about e-commerce, buying and selling online, building effective websites and other online services, get in touch with Studioworx either via email ([email protected]), telephone (+44 (0)1603 274285) or the website (