Skip to main content

Magento Security Checklist -How to make your Magento website secure before client delivery

Magento Security Checklist

How to make your Magento website secure before client delivery

A secure e-commerce website is a trusted e-commerce website. Trust plays an important part when you have an online store. By following this checklist, you can prevent (and to some extent, fix) Magento security issues.
TIP# 1: Use the latest Magento version
Many a time, you will be told that latest is not the best. Most of the times, it is a lie. Magento consistently gets updated at a good pace. Subsequent Magento versions fix security issues of the preceding ones. Hence, it is very important to stay informed about the latest Magento version. Once a stable release is out, test it and get it implemented.
TIP# 2: Use two-factor authentication
In today’s world, a secure Magento password is sadly not enough. In order to discourage attacks, it is best that you use a two-factor authentication for your Magento site security. There are a few extensions that deliver two-factor authentication, so that you don’t have to worry about password-related Magento security risks anymore.
Rublon is an excellent two-factor authentication extension which provides a layer of stealth. It only allows trusted devices to access Magento backend by using a smartphone app. The app is available for all popular mobile OS platforms. Click here for more details on Rublon.
Another extension which is worth mentioning is Two-Factor Authentication by Extendware. The extension allows you to implement complex authentication mechanisms which include limiting log-in attempts.
TIP# 3: Set a custom path for the admin panel
You generally access your Magento admin panel by going to my-site.com/admin. However, it is very easy for hackers to get on to your admin log-in page and start guessing passwords.
You can prevent this by /admin with a customized term (for e.g. “Store door”, etc.)This also prevents hackers from getting on to your admin login page even if they somehow get hold of your password. You can change your Magento admin path by following these steps:
  • Locate /app/etc/local.xml
  • Find <![CDATA[admin]]>
  • Replace the term “admin” with your desired word or code

TIP# 4: Acquire encrypted connection (SSL/HTTPS)
Whenever you send data, like your login details, across an unencrypted connection, there are risks of that data being intercepted. This interception can give assailants a peep into your credentials. To eliminate these issues, it is essential that you use a secure connection.
In Magento, you can get secure HTTPS/SSL URL simply by checking the tab “Use Secure URLs” in the system configuration menu. This is also one of the key elements in making your Magento website compliant with the PCI data security standard and in securing your online transactions.
In order to obtain an SSL certification, try StartSSL to get started. This will also help you in becoming PCI compliant.
TIP# 5: Use Secure FTP
One of the most commonly used ways to hack a site is by guessing or intercepting FTP passwords. To prevent this from happening to you, it’s essential that you use secure passwords and use SFTP (SSH File Transfer Protocol) which uses a private key file for decryption or authenticating a user.
This approach increases the security of your Magento site’s FTP password. Here is the documentationon how to setup an SFTP protocol for Magento. For added security (or if you are unable to place SFTP), try using a VPN (Virtual Private Network) connection.
TIP# 6: Have an active backup plan
Although, it is great that you take strict preventive measures for Magento security, it is equally essential to have an active backup plan. If, for any reason, your website gets hacked or even if it crashes, a backup plan ensures the continuity of your services.
You can prevent data loss by storing your website backup file(s) off-site or arrange for backup through an online backup provider. Data backup results in minimal (and sometimes, no) data loss.
It is always wise to check with your hosting provider if it has a backup strategy [Read: 10 Questions To Grill Your E-commerce Hosting Provider]. We, at Cloudways, take serious steps to ensure timely and sufficient backups.
TIP# 7: Disable directory indexing
Disabling directory indexing is another way with which you can harden the security of your Magento site. Once disabled, you are able to hide the obvious pathways via which the files of your domain are stored.
This prevents cyber crooks in accessing your Magento-powered website’s core files. However, they can still access your files if they already know what the full path of your files is. [Read more ondisabling directory indexing]
TIP# 8: Be wise with your Magento password
A password is the key to your Magento store. This is why you need to give special care while deciding a password. While devising a password, use one which has a mix of upper and lower case alphabets, numbers, and special characters like ?, >, etc. (Make a phonetic password if you have a problem of remembering a difficult one.) Furthermore, never use your Magento passwords anywhere else. Just like two locks can’t have the same key, keep your Magento password different from the rest of the passwords.
TIP# 9: Eliminate e-mail loopholes
Magento provides its users a great password recovering facility through pre-configured e-mail address. But if that e-mail ID gets hacked, your whole Magento store becomes vulnerable. You need to make sure that the e-mail address you use for Magento is not publicly known.
TIP# 10: Invest in a sound hosting plan
We believe that shared hosting can be the cheapest means for hosting a website. Typically, for Magento startups too, shared hosting seems like a good option. However, investing in shared hosting means you are compromising on Magento security.
Dedicated hosting can be an option too, but it may prove to be insufficient for your needs as you will be restricted to a single server. This limits your resources and if there is a sudden spike in your traffic, the website has a good chance of going down.
On the contrary, Cloud hosting, especially managed Cloud hosting, can be your best choice—one that guarantees robust security with adequate resources for your Magento website.
Remember, the dime-a-dozen hosting plans that promise features which they can’t deliver (at least, not on small prices). Stay away from such plans as they do not have a clue about Magento security issues.
TIP# 11: Prevent MySQL injection
Although Magento provides great support to outmaneuver any MySQL injection attacks with its newer versions and patches, but it is not always an ideal approach to rely only on them. We suggest that you add web application firewalls such as NAXSI in order to keep your site and your customers safe.
TIP# 12:  Get a Magento security review done
Magento developers are not necessarily security experts. Yes, many of them are good at coding but only few know the intricacies of Magento site security. This is why once (or perhaps, twice) in a year, you should get your website analyzed for apparent loopholes and security shortcomings. If properly done, these reviews help in further hardening of your Magento security measures.
TIP# 13: Get in touch with the Magento Community
Magento has a thriving community of techies which are always there to help you in the time of need. You can search and ask queries regarding any security issues of Magento or its features. The Magento Community members also release security reports on varied versions of Magento, so look out for them too.



Database logging row limit (admin/settings/logging/dblog)
I have found the default row limit of 1000 can wrap quickly, leave you without vital debugging information when you need it most. The average row length is generally around 1kB, so even boosting this to 100,000 rows will still leave you with a manageable watchdog table.
User registration settings (admin/user/settings)
The default value of Visitors can create accounts and no administrator approval is required is easily overlooked, and often undesired.
Disable devel modules admin/build/modules
Not only devel itself, but other other utilities (such as masquerade, trace, or coder) may have been installed that you wouldn't need on the production site. Leaving extra modules enabled can hinder the performance of your site, or even create security vulnerabilities if misconfigured.
Set a maintenance theme (settings.php)
By default Drupal's Site off-line page uses the Minnelli theme. Switching this is a nice enhancement, in case you ever need to use the maintenance mode, or in the unfortunate event you experience unplanned downtime. In most cases your site's theme will work fine; just add $conf['maintenance_theme'] = 'mytheme'; to settings.php. You may also need to add a maintenance-page.tpl.php to your theme; if you're using Zen this is already done for you.
Confirm email settings
Often, placeholder email addresses will be filled in during development, and should be updated before deployment. I try to start with the correct addresses from the beginning when possible, but sometimes you don't have this information until later in the project's life. In addition to Drupal's global site_mail, addresses can be stored in a variety of places: The admin user's account, contact forms, webforms, ubercart, triggers, or CiviCRM settings.
For Zen users – disable theme registry rebuilding (admin/build/themes)
If you developed your theme using Zen, don't forget to switch off Rebuild theme registry on every page. This is a huge performance penalty.
Error reporting (admin/settings/error-reporting)
On a production site, it's best to suppress on-screen error reporting by choosing Write errors to the log.
Performance settings (admin/settings/performance)
The best performance settings depends on your site. Also, don't change cache settings at the last moment without thoroughly testing your site's features. Ideally, I like to finalize the cache settings about 2/3 of the way through a project, so that the final stages of development and testing are performed with cache settings that will match production.
Redirect to/from 'www.*' (.htaccess)
Drupal's .htaccess file contains an example RewriteRule showing how to redirect from example.com to www.example.com or vice-versa. Enforcing a single domain name is essential if your site uses SSL, and even with plain HTTP I like the consistency of a single URL. Additionally, since the RewriteCond declaration is specific to a particular host, you can add multiple domains to the same .htaccess file, either for multi-site installs or for multiple testing / production host names.
Check proxy settings
If your production server uses a proxy or load balancer, Drupal needs some additional configuration to accurately record remote IPs. This impacts error logging and some modules such as Mollom.
$conf['reverse_proxy'] = TRUE; $conf['reverse_proxy_addresses'] = array( '10.10.20.100', '10.10.30.100', );
And last but not the least your web hosting plays a vital roll in your CMS security specially if you have your Drupal on cloud, your cloud provider plays decisive part in making it vulnerable or secure ! So it's always recommended to work with a reliable hosting provider.
Posted by at  
Reactions: 


Comments

Post a Comment

Popular posts from this blog

World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining

World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining Data Sets available for different sectors as follows: Science & Technology    - World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining Agricultural Experiments:  agridat {agridat}  (R) Climate data:  Temperature data (HadCRUT4)  and ftp://ftp.cmdl.noaa.go v/ Gene Expression Omnibus:  Home - GEO - NCBI Geo Spatial Data:  Data | GeoDa Center Human Microbiome Project:  Microbial Reference Genomes MIT Cancer Genomics Data:  Page on broadinstitute.org NASA:  Obtaining Data From the NSSDC NIH Microarray data:    ftp://ftp.ncbi.nih.gov/pu b/geo/D...  (R) Protein structure:  PSP benchmark Public Gene Data:  Browse literature or sequence neighbours Stanford Microarray Data:  Page on stanford.edu Social Sciences   - World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining General S
Post a Comment
Read more

Simple way 2 secure ur Privacy

Essential Checks Before Launching Your Website As ‘digital professionals’ –  Web Designers , Developers and Marketers – launching a new website is a daunting task, no matter how often you do it (like B.A.S.E. jumping). There’s lots that can go wrong, and the list of ‘ gotchas ‘ scales to the size and complexity of the project. This article is a checklist of common tasks that need to be completed before you hit the “GO” button.  A little preparation goes a long way  and could save you time and avoid unnecessary costs after you release your website. Upload a Favicon The ‘favicon’ appears to the left of the page title in the web browser, and your users will notice if your website doesn’t have one. They give your website credibility and help users navigate to your site when it’s open amongst their other tabs and bookmarks. Ensuring that your website has a favicon is probably the most basic of any task known to humanity, and yet it’s so frequently overlooked. STEP ONE: CRE
3 comments
Read more

AWS Cloud Architecture for Web Hosting | Key Components of an AWS Web Hosting Architecture

Security Architecture of AWS | Amazon Web Server Working of AWS Architecture. Content Delivery Edge caching is still relevant in the Amazon Web Service cloud computing infrastructure. Any existing solutions in your web application infrastructure should work just fine in the AWS cloud. One additional option, however, is made available when using AWS, which is to utilize the Amazon CloudFront service1 for edge caching your website Like other Amazon Web Services, there are no contracts or monthly commitments for using Amazon CloudFront – you pay only for as much or as little content as you actually deliver through the service. Managing Public DNS  Moving a web application to the AWS cloud requires some DNS changes to take advantage of the multiple availability zones that AWS provides. To help you manage DNS routing, AWS provides Amazon Route 534 , a highly available and scalable DNS web service. Queries for your domain are automatically routed to the nearest DNS server and th
1 comment
Read more