An estimated 240,000 ecommerce stores use Magento for their online operations, which accounts for nearly 30% of the ecommerce platform market.
That popularity cuts both ways: a platform that runs this many stores, and that handles payment and customer data on every one of them, is a prime target for criminals worldwide. Security for any Magento store is therefore not optional.
Magento keeps releasing security patches to keep client sites safe, but installing them and hardening the store is the responsibility of you, the store owner.
There are several customizations, security settings, and additional best practices that you need to be aware of in order to make your Magento based e-store secure. This piece will run through 10 tips that can help you make your ecommerce store more secure than before.
They range from technical changes that harden admin access to general practices that keep the store secure over time.
The obvious: Make sure you have a strong password policy in place
The most common mistake Magento store administrators and owners make is using a routine, weak, easily guessed admin password. It is understandable when your whole focus is on getting the store off the ground, but Magento will not enforce a strong policy for you, so you need to set one and stick to it. Best practices to remember:
- Passwords must be 10 or more characters long
- Each password must include at least one symbol, one digit, and one uppercase letter
- Do not include your company name or any dictionary word in the password
- Change the password every 90 days or sooner, and immediately when an admin leaves or a compromise is suspected
Add two-factor authentication on top of this. With a second factor, a password that is stolen, phished, or shared is not enough on its own to log in. Admin passwords should never be shared with another employee in any case: give each person who needs admin access their own account, so that access can be revoked individually.
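As an added illustration (this is example code, not part of the original article or of Magento), the policy above written as a check that can be run against a candidate admin password before it is set. The company name and the small word list are constructed inputs; a real deployment would load a full dictionary file, and the rotation check assumes you record when each admin password was last changed.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 10
MAX_AGE_DAYS = 90

# Constructed sample word list for the dictionary check (assumption: a real
# check would load a full dictionary of common words and leaked passwords).
COMMON_WORDS = frozenset({"password", "magento", "admin", "welcome",
                          "summer", "store", "shop", "letmein"})


def check_password(password, company_name, wordlist=COMMON_WORDS):
    """Return the list of policy rules the password violates.

    An empty list means the password satisfies every rule in the article:
    length, character classes, no company name, no dictionary word.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    lowered = password.lower()
    if company_name and company_name.lower() in lowered:
        problems.append("contains the company name")

    # Strip digits and symbols first so that "Magento2019!" still trips the
    # dictionary check: attackers try exactly those decorations.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(wordlist):
        if len(word) >= 4 and word in letters_only:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


def needs_rotation(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the policy allows."""
    today = today or date.today()
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("Magento2019!", "Acme#store42", "correct-Horse7battery"):
        print(candidate, "->", check_password(candidate, "Acme") or "OK")
    print("rotate?", needs_rotation(date(2019, 1, 1), date(2019, 5, 1)))
```

The dictionary check strips digits and symbols before matching because the usual way a weak password is "fixed" is by appending a year and an exclamation mark; a checker that only looks at the raw string would pass it.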
The not-so obvious: Modify the admin path
Chances are you have never touched the default admin path. Every scanner and credential-stuffing bot on the internet knows that a Magento store's login form lives at /admin, so leaving it there hands attackers the first half of the job: they only need to guess passwords, not the URL. Moving the admin path to something unguessable keeps automated brute-force tools from finding the login form at all. It is a layer of obscurity, not a substitute for strong passwords and two-factor authentication, but it removes a large amount of background noise from your logs. Here are ways you can change the default admin path.
2. The other method is to edit your store's local.xml file, found at app/etc/local.xml.
Open the file and look for the admin router's frontName setting.
There, replace the value admin with your new path. Save the file, refresh the cache, and the admin panel will answer only at the new URL, so update any bookmarks before you log out.
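To make the local.xml edit concrete, here is an added example (not code from the article or from Magento) that rewrites the admin frontName in a Magento 1.x local.xml and validates the new name first. The sample file below is constructed and contains only the parts relevant to this step; the encryption key is a placeholder. The reserved-name list is an assumption: the point is that the new path must not collide with "admin" or with a name another module already routes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of app/etc/local.xml (Magento 1.x layout). The real file
# also holds database credentials and the crypt key, so never commit it or
# leave it world-readable.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install><date><![CDATA[Sat, 01 Jan 2019 00:00:00 +0000]]></date></install>
        <crypt><key><![CDATA[REDACTED-PLACEHOLDER]]></key></crypt>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

FRONT_NAME_PATH = "./admin/routers/adminhtml/args/frontName"
# Lowercase letters, digits, '-' and '_', at least 4 characters.
VALID_FRONT_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]{3,}$")
# Assumption: names that must not be used because they are the default or
# would collide with routes other modules already own.
RESERVED_NAMES = frozenset({"admin", "api", "catalog", "checkout", "customer"})


def get_admin_front_name(xml_text):
    """Return the current admin path, or None if local.xml has no override."""
    node = ET.fromstring(xml_text).find(FRONT_NAME_PATH)
    return node.text.strip() if node is not None and node.text else None


def set_admin_front_name(xml_text, new_name):
    """Return local.xml text with the admin frontName changed to new_name."""
    if not VALID_FRONT_NAME.match(new_name):
        raise ValueError("front name must be lowercase letters, digits, '-' or '_'")
    if new_name in RESERVED_NAMES:
        raise ValueError(f"'{new_name}' is reserved or is the default")
    root = ET.fromstring(xml_text)
    node = root.find(FRONT_NAME_PATH)
    if node is None:
        raise ValueError("local.xml has no admin/routers/adminhtml/args/frontName")
    # ElementTree drops the CDATA wrapper and writes plain text; Magento reads
    # both forms identically for a simple path like this.
    node.text = new_name
    return ET.tostring(root, encoding="unicode")


def admin_url(base_url, front_name):
    """Build the admin login URL for the chosen path."""
    return f"{base_url.rstrip('/')}/{front_name}/"


if __name__ == "__main__":
    print("current:", get_admin_front_name(SAMPLE_LOCAL_XML))
    updated = set_admin_front_name(SAMPLE_LOCAL_XML, "ops-console-7f3a")
    print("new:", get_admin_front_name(updated))
    print("login at:", admin_url("https://store.example", get_admin_front_name(updated)))
```

After writing the updated file back to app/etc/local.xml, flush the Magento cache (System > Cache Management, or clear var/cache) so the new router configuration is loaded; until then the old path may keep working and the new one may 404.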
Keep a strong watch and control on admin users
For every account that holds an admin role, you need a way to see what that user has been doing, and you must remove the role as soon as you notice anything unusual. The list of admin users and the roles assigned to them lives here:
System > Permissions > Users (and System > Permissions > Roles)
If your Magento edition has no built-in admin actions log, use the web server's access logs or an extension to track admin activity. Grant admin privileges only when absolutely necessary, scope roles to the resources the person actually needs, and remove the access as soon as it is no longer required.
Encrypt critical pages
You cannot afford to send sensitive information, such as admin or customer credentials, over an unencrypted connection: anyone on the network path can read it. The fix is to serve the store over HTTPS, and Magento provides a setting for this.
Go to System > Configuration > General > Web, open the Secure section, set the Secure Base URL to the https:// address of your store, and set both 'Use Secure URLs in Frontend' and 'Use Secure URLs in Admin' to Yes. Install a valid TLS certificate on the web server and confirm that the https:// URL works before flipping these switches, or you will lock yourself out of the admin panel.
Finally, remember that encrypted connections are a requirement, not an option, for processing payments: PCI DSS demands it. Magento supports TLS for your store, so make sure you use it for every page, not just checkout.
Ask yourself: Am I using the most secure, upgraded, and patched Magento version?
Remember that you are responsible for protecting your customers' data, and the reputational damage a customer data breach brings can break a business. To avoid leaving known security holes open, upgrade to the latest Magento version whenever one is released. Between version upgrades, Magento also publishes security patches; install them as soon as they are available, because each one closes a specific vulnerability that attackers start scanning for as soon as it is public. Test patches on a staging copy first, then apply them to production promptly.
Path: System -> Magento Connect -> Magento Connect Manager
The admin panel shows a notification when a critical security patch or a version upgrade is available. You can also check Magento's website for announcements of planned upgrades and security patches, and you should subscribe to its security notifications rather than rely on noticing the banner.