Top 20 Magento Security Best Practices


Magento is the most-used e-commerce store front software, and thus presents an attractive target to cyber-criminals. Sometimes, hackers attempt to steal personal customer data, misuse credit cards or perpetrate identity theft. Other times, they simply want to deface a site by hacking into it or to take it down with a Distributed Denial of Service (DDoS) attack.

Even though Magento is a relatively secure system and is frequently patched, it is critical that you (or your Magento site administrator) invest time and effort in order to ensure that your Magento security is as robust as possible.

To this end, we are pleased to present the following top 20 list of “security best practices” for Magento websites.

Keep your Magento software up to date

While frequently needing to update the software can be annoying to some users, it is very important to always run the latest available version. This is because new weaknesses and “exploits” are continuously being discovered, and the Magento development team is responsible for promptly addressing every new threat by patching their software.

To ensure that hackers are unable to use known threats against your site, it is important to always be running the latest version.

Maintain regular backups

In the worst-case scenario that a hacker was able to penetrate your store and delete or vandalize data, you want to be able to quickly return the system to its previous state. In order to do this, you need to have an up-to-date backup. Note that having backups is also valuable in case you accidentally delete files, make a configuration change that “breaks” part of the site, or install a new extension that causes problems.

Magento’s Admin Panel makes this easy with its built-in functionality to create backups and to restore the system to previous versions, when necessary. You can find these features in System > Tools > Backups. Note that there are three types of backups: System Backup, Database and Media Backup, and Database Backup. Learn about what each one contains and develop a backup schedule that makes the most sense for your store and each kind of data you maintain.

It is also important to store your backups in one or more physical locations away from your Magento installation – so that even in a “doomsday” scenario where your entire hosting environment goes up in smoke, you will still be able to quickly resurrect your site from the backup. Options may include a cloud hosting provider and a hard drive in your home or office.

Use up-to-date antivirus software

Trojans, traditional email- or network-borne viruses and other types of malware are still choice tools used by hackers and data thieves. These nefarious software programs can steal your data and transmit it to hackers, they can send spam to your customer list, they can capture your screens and your keystrokes (gaining access to your passwords and accounts), they can inject dangerous or spammy links into your site and they can erase data from your site or database.

Your best line of defense against these critical threats is to keep your reliable anti-virus software constantly up-to-date. All anti-virus software can be set to update itself automatically; this setting is recommended because the anti-virus vendors continuously update their threat databases as new malware is discovered.

Implement a strong password policy

You would be surprised how easy it is for hackers to gain complete access to your Magento environment by obtaining your password through the use of brute-force and dictionary-based password-cracking software. On the other hand, it is also very easy to defeat these systems by making sure that your passwords are too complex to be cracked using the computer power available to hackers today.

We suggest immediately going into Admin Panel > System > My Account to implement a strong password policy like this:

  • Passwords must be at least 10 characters in length.
  • Passwords must contain at least two alphabetical characters.
  • Passwords must contain both lower-case and upper-case letters.
  • Passwords must contain at least two numerical digits.
  • Passwords must contain at least two special characters (such as & ^ % * $).
  • Passwords may not contain any words in the dictionary or any commonly-used IT login names (e.g., admin, administrator).
  • Passwords may not contain any personal information (such as names or birthdates).

Other important password-related best practices include:

  • Passwords may not be used for more than one account.
  • Passwords may not be stored anywhere on your computer or in the cloud.
  • Passwords must be changed immediately after outside developers, writers and designers have completed their work.
  • You can go even further than having a strong password by making sure that hackers cannot easily guess your admin panel or other system usernames. Common user names such as admin and administrator give hackers a huge head start on worming their way into your system.

Therefore, we recommend going into Admin Panel > System > My Account in order to change all usernames to unusual names that will be easy for you and your team to remember, but that will be very difficult for a hacker to guess.
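As an added example (not code from the original article), the password policy above expressed as a small Python check that reports every rule a candidate password breaks. The word lists are constructed stand-ins: a real deployment would load a full dictionary, and the login names are the ones the article names plus a few common ones.

```python
# Constructed stand-ins for a real dictionary and for common IT login names.
DICTIONARY_WORDS = {"password", "welcome", "summer", "magento", "store", "shop"}
COMMON_LOGIN_NAMES = {"admin", "administrator", "root", "user", "guest"}
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_password(password, personal_info=()):
    """Return the list of policy rules the password violates (empty = accepted).

    personal_info: strings such as names or birth dates that must not appear
    anywhere in the password."""
    violations = []
    lowered = password.lower()

    if len(password) < 10:
        violations.append("shorter than 10 characters")
    if sum(c.isalpha() for c in password) < 2:
        violations.append("fewer than 2 alphabetical characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("missing lower-case or upper-case letters")
    if sum(c.isdigit() for c in password) < 2:
        violations.append("fewer than 2 numerical digits")
    if sum(c in SPECIAL_CHARS for c in password) < 2:
        violations.append("fewer than 2 special characters")

    # Case-insensitive substring matching: "Admin2024!!" still contains "admin".
    for word in sorted(DICTIONARY_WORDS | COMMON_LOGIN_NAMES):
        if word in lowered:
            violations.append("contains forbidden word %r" % word)
    for item in personal_info:
        if item and item.lower() in lowered:
            violations.append("contains personal information %r" % item.lower())
    return violations


if __name__ == "__main__":
    for candidate in ("Admin2024!!", "Tr0ub4dor&3!Lg"):
        print(candidate, "->", check_password(candidate) or "OK")
```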

Lock down the admin password reset email address

As you may know, Magento allows users to recover a forgotten administrator password by sending an email with reset instructions to the address associated with the account. This is a potentially very weak link in your Magento security posture: anyone who can access that email account can initiate a password reset and gain access to your entire Magento store.

Therefore, it is critical to ensure that your Magento admin email address is not publicly known or listed anywhere. Do not use your own email address, or any email address associated with your store. Ideally, you should create a unique email account used exclusively for Magento administration. This address should not be shared with anyone else, it should use a complex, non-guessable address and it should reside on a different server than your regular email server – so that if your mail server is compromised, your Magento installation will remain secure.

Create a custom path for the Admin Panel

Because the standard URL for a Magento store’s Admin Panel is http://store.com/admin, it is a simple matter for a hacker to reach your Admin Panel and begin trying to log in using brute-force or dictionary-based attacks.

Therefore, an easy way to increase your security posture is to change the path at which your Admin Panel is located to something that others will have a hard time guessing. This kind of thing is sometimes called “security through obscurity.”

To make this change, open the /app/etc/local.xml file (it’s in your Magento installation directory) in a text editor and find this line:

Change “admin” to something complex and non-guessable, using only numbers and letters, such as Mng52314.

(Note that you never want to change the “Admin Base URL” parameter in the Admin section of your configuration, as this will actually make your Admin Panel inaccessible.)

After making this change, refresh the Magento cache. Do this by logging into the server and running this command in the Magento installation root directory:

rm -rf var/cache/*

Using the above example, you will now be able to access your Admin Panel at http://store.com/Mng52314

Use encrypted connections (SSL)

Whenever information is exchanged between a website and a browser, there exists the possibility that a third party is intercepting that information. This is a particularly significant vulnerability when it comes to login pages: every time you enter your username and password at an unencrypted website, a hacker could potentially be “eavesdropping” on the line and capturing your credentials for nefarious purposes.

Webpages with a URL beginning http://… are running without encryption. A URL starting with https://… indicates that the site is using Secure Sockets Layer (SSL) for encrypted connections.

Fortunately, it is a simple matter to implement this important security mechanism for your Magento store. In the Admin Panel, go to System > Configuration > General > Web > Secure. In that section, make the following three changes:

  • Change the Base URL setting from “http” to “https”
  • Set Use secure URLs in Frontend to Yes
  • Set Use secure URLs in Admin to Yes

Besides adding an extra layer of protection to your site, using encrypted connections will give your (observant) customers more peace of mind shopping at your store. Also, note that PCI mandates the use of HTTPS/SSL encryption.

Use only secure FTP (SFTP)

Similar to the previous point, it is important to require encrypted connections to your site’s FTP server. This is known as Secure FTP (SFTP). A common means of breaking into a Magento store is by intercepting the unencrypted (plain text) FTP credentials and using them to log in to the server. Once a hacker has FTP access to your server, he can pretty much do anything he wants.

To turn on SFTP for your store, go to FTP Settings and select SFTP.

Restrict access via particular IP addresses/ranges

If your team members exclusively access the Magento Admin Panel from specific computers or networks (such as an office or a number of home offices), you should definitely configure your server to prevent access to the Admin Panel from any other IP address. This is a very strong security measure.

You can do this by editing your server’s .htaccess file to list the permitted IP addresses, or by using the Apache directive LocationMatch. Alternatively, you can install a Magento extension that manages IP-based access for you.

Additionally, if your customer base is limited to one or more particular countries, you can completely block IP addresses from all other countries. Since many hackers operate from countries in which you may have no customers (or potential customers), this is another very strong protection to implement. On the other hand, keep in mind that doing this may limit the ability of some legitimate customers – including repeat customers who may be traveling – from using the store. You’ll need to weigh the pros and cons of this approach and decide accordingly.

Implement two-factor authentication

Magento’s built-in administrative access requires the entry of a single set of credentials, namely username and password. Two-factor authentication takes this one step further by restricting access until two different forms of identification are provided to the system.

Two-factor authentication addresses a major weakness of relying on a user name/password combination alone: it makes it far more difficult for a hacker to discover credentials and thus gain access to the database. Hackers use various techniques to obtain privileged user credentials, such as brute-force password-guessing and social engineering techniques (such as phishing). However, when two-factor authentication is implemented, having only a set of user credentials becomes worthless to the hacker, because the hacker would also need physical access to your computer or smartphone.

Because two-factor authentication is not built into Magento, you will have to install a Magento extension that provides this functionality. There are two types currently available: one ensures that only trusted devices (such as your team’s laptops and smartphones) are allowed to connect, and the other is based on a random code that is generated anew every 30 seconds (an app on your smartphone provides the code that you need to log in each time).

With two-factor authentication implemented, it would be almost impossible for a hacker to log in to your Magento administration interface.

Disable directory indexing

On most webservers, “directory indexing” is turned on by default. This means that anyone can manually enter the URL of a directory in your site to see a list of the files contained in that directory (unless there is a “default document” in that directory). Giving a hacker access to lists of files can only make his life easier.

To configure your webserver to respond with an error message instead of the list of files in a folder, simply add the “Options -Indexes” line to your server’s .htaccess file. Alternatively, ensure that there is a default document in every directory.

Harden your file permissions

When sensitive files on your webserver have “write” permissions set for anyone other than the site administrators, it becomes one step easier for a hacker to access your server and vandalize your store’s files. Therefore, it is important to make sure that all sensitive files and directories are not writable by anyone other than the administrators.

To do this, you need to change file permissions to 644 and directory permissions to 775. Any files or directories with permissions of 777 or 666 are problematic, and should be changed.

How to change file and directories permissions differs slightly among servers and hosts, so refer to your environment’s documentation for the best way to find and change file/directory permissions.

Secure the Local.xml file

Local.xml is a sensitive configuration file that stores key information that Magento uses to access your database. This file contains database connection details to your store and the encryption key used to secure your data. It’s located in your /app/etc/ folder and, if compromised, hackers would have access to much of your customer data. They could also use it to cause caching problems with your server resulting in store downtime.

In older installations, the local.xml file is still often publicly accessible. Even in new installations, this file could be publicly accessible if the Apache server doesn’t have AllowOverride enabled for the /app/etc/ directory. It is important to ensure that local.xml is not publicly accessible!

An additional step to secure local.xml is to set this file’s permissions to 600 (-rw), making it more difficult for outsiders to access the file.
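The permission rules from the “Harden your file permissions” section and the 600 mode for local.xml above, combined into one audit. This is an added example, not code from the original article: it walks a Magento root, reports every entry whose mode differs from the policy (644 for files, 775 for directories, 600 for app/etc/local.xml) and optionally fixes them; the sample tree it builds is constructed in a temporary directory and is not a real store.

```python
import os
import stat
import tempfile

# Modes the article prescribes: 644 for files, 775 for directories, 600 for local.xml.
FILE_MODE = 0o644
DIR_MODE = 0o775
LOCAL_XML_MODE = 0o600
LOCAL_XML_REL = os.path.join("app", "etc", "local.xml")


def expected_mode(root, path, is_dir):
    """Return the mode a path should have under the policy above."""
    if is_dir:
        return DIR_MODE
    if os.path.relpath(path, root) == LOCAL_XML_REL:
        return LOCAL_XML_MODE
    return FILE_MODE


def audit_permissions(root, fix=False):
    """Walk the Magento root and return sorted (relative_path, actual, expected)
    tuples for every entry whose permission bits differ from the policy.
    With fix=True, offenders are chmod'ed to the expected mode. This catches
    the 777/666 cases the article names and also group-writable files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks carry no meaningful mode of their own
            actual = stat.S_IMODE(st.st_mode)
            wanted = expected_mode(root, path, is_dir)
            if actual != wanted:
                findings.append((os.path.relpath(path, root), actual, wanted))
                if fix:
                    os.chmod(path, wanted)
    return sorted(findings)


def build_sample_tree():
    """Build a constructed, deliberately mis-permissioned Magento-like tree in a
    temporary directory (sample data, not a real store) and return its path."""
    root = tempfile.mkdtemp(prefix="magento-perms-")
    for rel in (("app", "etc"), ("var", "cache")):
        os.makedirs(os.path.join(root, *rel))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n")
    with open(os.path.join(root, LOCAL_XML_REL), "w") as fh:
        fh.write("<config/>\n")
    for rel in ("app", "var", os.path.join("app", "etc")):
        os.chmod(os.path.join(root, rel), DIR_MODE)          # compliant dirs
    os.chmod(os.path.join(root, "index.php"), 0o666)         # world-writable file
    os.chmod(os.path.join(root, LOCAL_XML_REL), 0o644)       # local.xml readable by all
    os.chmod(os.path.join(root, "var", "cache"), 0o777)      # world-writable dir
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, actual, wanted in audit_permissions(root):
        print("%s: %o (should be %o)" % (rel, actual, wanted))
    audit_permissions(root, fix=True)
    print("after fix:", audit_permissions(root))
```

Run it against a real installation by passing the store root to audit_permissions() without fix=True first, so you can review the list before changing anything.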

Disable dangerous PHP commands

Unsecured PHP code is another important security hole you need to address. Hackers who manage to execute certain PHP commands on your server may be able to take complete control of your server. You should disable these commands in your PHP configuration file, php.ini. The syntax for doing this is:

disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen

Lock down Your Magento Connect Manager

Magento Connect Manager simplifies the installation process for third-party extensions, but it is also used by hackers as an entry point for brute force attacks. If you look at your log file, you may be shocked to discover how many pageviews are recorded for www.yoursite.com/downloader.

There are three ways to mitigate this risk:

  • Change the default Connect Manager path from /downloader to something that only you know.
  • Restrict access to the Connect Manager path by modifying .htaccess to allow only your team’s IP addresses to reach this path.
  • Completely disallow access to the path (e.g., using an .htaccess “Deny from all” directive). When you want to use Magento Connect Manager, temporarily remove this directive.

Only use trusted Magento extensions

Your security perimeter is only as strong as its weakest point. When extensions are installed in Magento, any vulnerability in any extension may provide a hacker with all that is needed to breach your site. It is therefore very important to only install reputable Magento extensions. These include extensions which have been around for a while and which are used by many other sites.

So, if you are considering installing a particular extension, make sure to check out the extension’s reviews, ratings and popularity score in Magento Connect. Also, make sure to keep all your extensions up to date when new versions are released; just like with Magento itself, new versions of extensions may contain fixes which close recently-discovered security vulnerabilities.

Deploy an SQL injection firewall

The most prevalent database breach method today is known as SQL injection, and SQL injection attacks against e-commerce sites are twice as common as against other websites! These attacks involve entering malicious SQL queries into forms on webpages that can sometimes result in the form returning sensitive information that the hacker can then use to breach the site.

While Magento contains built-in facilities to try to prevent SQL injection attacks, third-party application firewalls and proxy servers dedicated to this line of defense will always be stronger. These products filter all traffic going into and out of the database, allowing them to identify and prevent malicious attacks by comparing every query’s structure with a constantly-updated signature bank of known attacks. These systems prevent suspicious or dangerous queries from ever reaching the database.

Invest in VPS, dedicated or cloud hosting

Small Magento deployments are almost always implemented using inexpensive shared hosting services. While this may make sense when getting started, shared hosting environments are much less secure than dedicated server options. This is because breaches in another site sharing the same server have the potential of giving hackers access to your site as well. Another downside of shared hosting is that “resource hogging” by one site on the server can dramatically impact the performance of all the other sites on that server.

For these reasons, consider moving your Magento store to a virtual private server (VPS) or a dedicated hosted server.

Of course, if your store is large and you expect extreme spikes of traffic at times, you should consider moving your site to a cloud hosting environment. The big advantage of the cloud is “elasticity” – your server can be configured to automatically get access to more memory, CPU and bandwidth as necessary to smoothly handle these spikes. This is something you cannot do with a standard dedicated server or VPS. Of course, you need to make sure that the cloud hosting provider’s security measures are up to snuff.

Regularly review activity logs

It is a good idea to frequently inspect your web server logs for suspicious activity. You want to be aware if there are large volumes of repeated attempts to access particular pages or system areas of your site. How you respond depends on the type of activity you observe: you could change the default paths of administrative areas that are being attacked (as described above), you could block the IP addresses of these attacks (also as described above), you could inform your hosting provider and you could hire a security professional to further explore what implications the suspicious activities might represent.

A more efficient way of keeping an eye on your log files is to install a Magento extension that alerts you about unusual, suspicious or dangerous activities, such as repeated failed login attempts to the Admin Panel, connections from unusual geographic regions and patterns of attempted access that might indicate hacking attempts.
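The kind of log review this section describes, as an added example that is not part of the original article: a small Python pass over Apache combined-format access log lines that counts hits on the admin and /downloader paths per client IP and flags clients that POST to those paths repeatedly within a short window. The log lines are constructed, the admin prefixes assume the default path (substitute your custom path if you changed it), and the thresholds are starting points, not a standard.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields needed below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Paths the article names as brute-force targets (default admin path assumed).
SENSITIVE_PREFIXES = ("/admin", "/index.php/admin", "/downloader")


def parse_line(line):
    """Return a dict of the fields we use, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}


def count_sensitive_hits(lines):
    """Return {ip: number of requests, any method, to a sensitive path}."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith(SENSITIVE_PREFIXES):
            counts[rec["ip"]] += 1
    return dict(counts)


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: total POSTs} for clients that POSTed to a sensitive path at
    least `threshold` times inside any `window_seconds` span. A POST to the
    login form is an attempt; GETs are merely page views."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].startswith(SENSITIVE_PREFIXES):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /index.php/admin/ HTTP/1.1" 302 512 "-" "Mozilla/5.0"' % s
    for s in (36, 39, 42, 44, 47, 50)
] + [
    '198.51.100.22 - - [10/Oct/2023:14:02:01 +0000] "GET /downloader/ HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '198.51.100.22 - - [10/Oct/2023:14:02:09 +0000] "POST /downloader/ HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '192.0.2.10 - - [10/Oct/2023:14:05:12 +0000] "GET /checkout/cart/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("hits on sensitive paths:", count_sensitive_hits(SAMPLE_LOG))
    print("possible brute force:", find_bruteforce(SAMPLE_LOG))
```

On a real server, feed the functions the lines of your access log (for example `open("/var/log/apache2/access.log")`) and treat a flagged IP as a candidate for the IP blocking described above rather than as proof of compromise.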

Get a professional security review

Whether or not you invest the time and effort to address everything else described in this document, it might be a good idea to retain the services of a professional security expert experienced with Magento installations. These consultants have vast experience with the vulnerabilities and common attack vectors related to Magento sites, and webservers in general. They also have tools that can test if the code running on your server exposes any security vulnerabilities (such as SQL injection and cross-site scripting), and how resilient a site is to hacking and denial-of-service attacks.

After their evaluation of your site, they will be able to advise regarding (and/or actually implement) all the best practices that will ensure that your Magento site is as secure as possible. For maximum protection, you should have this process, known as “hardening,” performed once or twice a year – because new vulnerabilities and attack vectors are being discovered all the time.