Although the security of every website matters, the security of an eCommerce website matters more, because these sites hold customer records and order-related payment data. A breach of that data means direct financial loss, chargebacks and lost customer trust. Magento is a mature eCommerce platform with a solid security track record, but a default installation still leaves several hardening steps to the store owner. In this article I walk through some easy-to-implement steps that make a Magento store considerably harder to attack.
One of the first steps towards securing your Magento site is a strong admin username and password. The rule of thumb for a password is that it must not be guessable: avoid strings like '123' or 'abc', dictionary words, your phone number or date of birth, and never reuse a password from another site. Use more than eight characters, mixing letters (a, b, c, etc.), digits (1, 2, 3, etc.) and special characters (@, &, #, etc.); a longer passphrase is both easier to remember and harder to brute-force.
Besides a strong password, choose a username that is not predictable. Many brute-force attempts against admin panels only have to guess the password, because the username has been left at a well-known default such as 'admin' or 'administrator'; a non-default username forces the attacker to guess both.
So pick a non-generic username: a nickname, last name, company name, or anything not derivable from the site itself. You choose the admin username during installation, but you can change both the username and the password afterwards from System > My Account in the admin panel.
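The following is an added example, not code from the original article or from Magento, that turns the username and password advice above into a check you could run before creating an admin account. The generic-username list, the minimum lengths and the sequence/repeat rules are assumptions chosen for this example; extend them to match your own policy.

```python
import re

# Account names attackers try first (constructed list; an assumption for
# this example, extend it with whatever defaults your tooling creates).
GENERIC_USERNAMES = {"admin", "administrator", "root", "magento",
                     "manager", "user", "test"}

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def _has_sequence(s: str, run: int = 3) -> bool:
    """True if s contains `run` consecutive ascending characters ('123',
    'abc') or descending ones ('321', 'cba'), case-insensitively."""
    lo = s.lower()
    for i in range(len(lo) - run + 1):
        chunk = lo[i:i + run]
        asc = all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1))
        desc = all(ord(chunk[j]) - ord(chunk[j + 1]) == 1 for j in range(run - 1))
        if asc or desc:
            return True
    return False


def check_username(username: str) -> list[str]:
    """Return the policy violations for an admin username (empty = ok)."""
    problems = []
    if username.lower() in GENERIC_USERNAMES:
        problems.append("username is a well-known default")
    if len(username) < 4:  # assumption: 4 is the floor used in this example
        problems.append("username is shorter than 4 characters")
    return problems


def check_password(password: str, username: str = "",
                   personal: tuple[str, ...] = ()) -> list[str]:
    """Return the policy violations for a password (empty = ok).

    `personal` holds strings such as a phone number or birth date that the
    password must not contain, in full or as their digit sequence."""
    problems = []
    if len(password) <= 8:
        problems.append("password must be longer than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("password needs at least one letter")
    if not re.search(r"[0-9]", password):
        problems.append("password needs at least one digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("password needs at least one special character")
    if _has_sequence(password):
        problems.append("password contains a run like '123' or 'abc'")
    if re.search(r"(.)\1\1", password):
        problems.append("password repeats one character three or more times")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    for item in personal:
        digits = re.sub(r"\D", "", item)
        if item and item.lower() in password.lower():
            problems.append(f"password contains personal data: {item!r}")
        elif len(digits) >= 4 and digits in password:
            problems.append(f"password contains digits of personal data: {item!r}")
    return problems


def credentials_ok(username: str, password: str,
                   personal: tuple[str, ...] = ()) -> bool:
    """Single yes/no answer for both checks."""
    return not check_username(username) and not check_password(password, username, personal)


if __name__ == "__main__":
    for user, pw in [("admin", "abc123"), ("j_brown", "Correct-Horse-7Battery!")]:
        print(user, check_username(user), check_password(pw, user, ("555-0199",)))
```

The check is deliberately stricter than the bare "longer than eight characters" rule: a password that satisfies the character-class rule but is built from a keyboard run or the username still fails, which is the kind of password that shows up in credential-stuffing lists.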
By default the Magento admin panel lives at http://myexamplestore.com/admin. Because every attacker and vulnerability scanner knows this path, it receives a constant stream of automated login attempts. Moving the admin panel to a unique, unpredictable path such as http://myexamplestore.com/secureadmin stops most of that automated traffic before it ever reaches the login form. Be clear about what this does and does not do: it removes the easy target from bots and opportunistic scanners, but it is obscurity, not authentication, and it does nothing about weak passwords or session handling. Treat it as a complement to the credential advice above, not a replacement for it.
To change the admin path in Magento, open app/etc/local.xml and find the frontName element of the adminhtml router, which by default reads:

<frontName><![CDATA[admin]]></frontName>

Replace the string admin with the path you want. For instance, to move the admin panel to http://myexamplestore.com/securedadmin, change it to:

<frontName><![CDATA[securedadmin]]></frontName>

Then flush the Magento cache (System > Cache Management, or empty var/cache), because the contents of local.xml are cached, and confirm in a browser that the old /admin URL no longer shows the login form while the new path does.
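As an added example (not part of the original article, and not a Magento tool), here is a small script that performs the local.xml edit described above safely: it validates the new path, refuses the guessable names, and rewrites the frontName CDATA block textually rather than through an XML parser, because ElementTree would drop the CDATA wrapper. The sample local.xml is constructed and trimmed to the admin router block; the predictable-name list and the minimum length are assumptions for this example.

```python
import re
import secrets
import string

# Constructed, minimal app/etc/local.xml (assumption: the real file has
# more sections; they pass through this script untouched).
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install><date><![CDATA[Thu, 01 Jan 2015 00:00:00 +0000]]></date></install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Paths that scanners try by default; refused as the new name (constructed list).
PREDICTABLE = {"admin", "administrator", "backend", "manager", "adminpanel", "magento"}

# Matches exactly the CDATA-wrapped frontName Magento expects.
FRONTNAME_RE = re.compile(r"(<frontName>\s*<!\[CDATA\[)([^\]]*)(\]\]>\s*</frontName>)")


def validate_front_name(name: str) -> None:
    """Reject names that are guessable or not URL-safe. Assumption: only
    lowercase letters, digits, '_' and '-' and at least 8 characters."""
    if not re.fullmatch(r"[a-z0-9_-]{8,}", name):
        raise ValueError("use at least 8 lowercase letters, digits, '_' or '-'")
    if name in PREDICTABLE:
        raise ValueError(f"{name!r} is on the predictable-path list")


def current_front_name(local_xml: str) -> str:
    """Return the admin front name currently configured in local_xml."""
    m = FRONTNAME_RE.search(local_xml)
    if not m:
        raise ValueError("no <frontName><![CDATA[...]]></frontName> block found")
    return m.group(2)


def set_admin_front_name(local_xml: str, new_name: str) -> str:
    """Return local_xml with the adminhtml frontName replaced by new_name.
    Exactly one frontName block must exist; anything else is an error."""
    validate_front_name(new_name)
    updated, count = FRONTNAME_RE.subn(lambda m: m.group(1) + new_name + m.group(3), local_xml)
    if count != 1:
        raise ValueError(f"expected exactly one <frontName> block, found {count}")
    return updated


def random_front_name(length: int = 12) -> str:
    """Generate a path with real entropy, e.g. 'k3x9q-admin' style names
    are still guessable; this one is not."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    new = random_front_name()
    print("current:", current_front_name(SAMPLE_LOCAL_XML), "->", new)
    print(set_admin_front_name(SAMPLE_LOCAL_XML, new))
```

To apply it to a live store, read app/etc/local.xml, pass its contents through set_admin_front_name, write the result back, and flush var/cache; the date CDATA in the install section and every other element are left exactly as they were.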
A common technique for hardening any login is two-factor authentication: the system demands two independent proofs of identity before granting access.
An everyday example is an ATM. You need the card (something you have) and the PIN (something you know), hence two factors. Applied to Magento, a stolen or guessed password alone is then not enough to reach the admin panel.
There are some excellent extensions available which enable two-factor authentication in Magento, and make it much more secure.
One such Magento extension is Rubon. It allows you to add trusted smartphone devices, through which you can access the Magento admin panel. Another is Extendware, which adds two-factor authentication to your system through Google Authenticator. Both of them are very good extensions, and worth a try.
Another easy-to-implement Magento security step is to enable HTTPS (SSL/TLS) for secure URLs.
Whenever data travels between a browser and your server over plain HTTP, anyone on the path (a shared Wi-Fi network, an ISP, a compromised router) can read or modify it. Since that traffic carries admin logins, customer credentials and checkout data, interception is serious.
It is therefore always a good idea to use an encrypted connection for data transmission. HTTPS on every page that handles cardholder data is also a PCI DSS requirement (one of many; HTTPS alone does not make a store PCI-compliant), and the padlock makes the store more trustworthy in the eyes of customers.
In Magento, go to System > Configuration > General > Web. Under Secure, change the Base URL from http to https, then set Use Secure URLs in Frontend and Use Secure URLs in Admin to Yes. Open the https:// address in a browser before enabling the admin setting: if the certificate is not installed correctly you can lock yourself out of the admin panel, in which case set the value of web/secure/use_in_adminhtml back to 0 in the core_config_data table and flush the cache. Once HTTPS works, consider redirecting all plain-HTTP requests to HTTPS at the web server so no visitor ever submits a form over HTTP.
While encrypting traffic between the browser and the server matters, the same applies to how you upload files to the server. Plain FTP sends the username and password in clear text, so anyone who can observe the connection captures them, and stolen FTP credentials are a common way sites get defaced or backdoored. Use SFTP (the SSH File Transfer Protocol) instead: the whole session, credentials included, is encrypted, and you can replace the password with an SSH key pair so there is no password to intercept. Also check file permissions. Never use 777, which makes a file writable by every user on the server; 644 for files and 755 for directories is the usual baseline, and app/etc/local.xml should not be world-readable, since it contains the database credentials and the encryption key.
You can also restrict the admin panel so that only pre-defined IP addresses reach it. Build a list of the addresses used by you and your coworkers; every other address is refused by the web server before the login form is even served, which shuts out password guessing and credential stuffing against the admin panel entirely.
To enable this IP restriction, the allow-list goes into the .htaccess file of the directory the admin panel will be served from (the admin folder created in the next step), not into the site's root .htaccess, otherwise the rule blocks your whole storefront. For Apache 2.2 the block is:

order deny,allow
deny from all
allow from 192.168.112.11
allow from 168.121

On Apache 2.4 the order/deny/allow directives are deprecated (they only work with mod_access_compat loaded); the equivalent is:

Require ip 192.168.112.11
Require ip 168.121

Two details of the version of this snippet that circulates online are worth correcting. The AuthName and AuthType Basic lines do nothing without a matching AuthUserFile and Require valid-user, so they are dropped. And wrapping the rules in <Limit GET POST> restricts only those two methods (HEAD counts as GET), so a request using PUT, DELETE, OPTIONS or any other method bypasses the block; leave the Limit wrapper out so the rule applies to every method.
Here 192.168.112.11 is allowed exactly, and 168.121 is a partial address: every address whose first two octets are 168.121 (a whole /16, 65,536 addresses) is allowed, so use the partial form only when that is what you mean. Add as many entries as you need; every other address receives a 403.
The next step is to create a new folder named admin in your Magento root directory. Copy Magento's index.php into that folder and fix the two relative paths in it so they point one level up:

$compilerConfig = '../includes/config.php';
$mageFilename = '../app/Mage.php';

Only the leading ../ is added to each path.
Now requests for the admin path have to be sent to that folder. Add this line to the .htaccess file in your Magento root:

Redirect permanent /index.php/{admin_path} /admin/index.php/{admin_path}

(Redirect permanent and Redirect 301 are the same directive, so one line is enough.) Here {admin_path} stands for the custom admin path set in local.xml earlier, securedadmin in the example above, so the rule would read /index.php/securedadmin. Verify in a browser that the admin URL in both its forms (with and without index.php, depending on whether your store uses rewritten URLs) lands in the new folder and is refused from an address that is not on the list.
Only implement this step if you connect from fixed addresses. Many ISPs assign a dynamic address that changes between sessions, and with a dynamic address you would lock yourself out. A practical workaround is to route admin access through a VPN or jump host with a fixed egress address and allow only that. Also note that if the store sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so the allow-list must be enforced at the proxy or evaluated against the forwarded client address.
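Before deploying the allow-list, it helps to see exactly which addresses it admits. The following added example (not from the original article, not an Apache tool) evaluates a client address against the three forms Apache accepts, full address, partial address and CIDR, with the same octet-wise semantics as allow from / Require ip, and counts how many addresses a list admits. The allow-list is the constructed one from the .htaccess above plus a CIDR entry; treating the list as IPv4-only is an assumption.

```python
import ipaddress

# Constructed allow-list: the two entries from the .htaccess above plus a
# CIDR entry to show that form too.
ALLOWED = ["192.168.112.11", "168.121", "10.20.30.0/24"]


def _matches(client: ipaddress.IPv4Address, rule: str) -> bool:
    """One rule in Apache's full / partial / CIDR notation."""
    if "/" in rule:                                  # CIDR
        return client in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if len(octets) == 4:                             # full address
        return client == ipaddress.ip_address(rule)
    # Partial address: Apache compares the leading 1-3 octets, octet-wise.
    # It is not a string prefix, so "168.12" must not match 168.121.x.x.
    return str(client).split(".")[:len(octets)] == octets


def is_allowed(client_ip: str, allow_list=ALLOWED) -> bool:
    """Mimic 'deny from all' + 'allow from ...' (or 'Require ip ...'):
    anything not matched by a rule is refused, including garbage input."""
    try:
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if client.version != 4:
        return False  # assumption: IPv4-only list; add v6 rules explicitly
    return any(_matches(client, rule) for rule in allow_list)


def allowed_address_count(allow_list=ALLOWED) -> int:
    """How many addresses the list admits; a partial '168.121' is a /16."""
    total = 0
    for rule in allow_list:
        if "/" in rule:
            total += ipaddress.ip_network(rule, strict=False).num_addresses
        else:
            total += 256 ** (4 - len(rule.split(".")))
    return total


if __name__ == "__main__":
    # Constructed sample of remote addresses as they would appear in an access log.
    for ip in ["192.168.112.11", "192.168.112.12", "168.121.200.3",
               "168.12.1.1", "10.20.30.77", "10.20.31.1", "2001:db8::1"]:
        print(f"{ip:>16}  allowed={is_allowed(ip)}")
    print("addresses admitted by the list:", allowed_address_count())
```

Running it shows that the two-octet entry alone admits 65,536 addresses; if that is more than you intended, replace it with the specific /24 or host entries you actually need.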
Some PHP functions, those that run shell commands, spawn processes or alter the runtime configuration, are what an attacker reaches for once a code-injection bug or an uploaded web shell gives them a foothold, so it is worth disabling the ones your store does not need. If a theme or module relies on one, look for an alternative first. To disable them, open php.ini and add (or extend) the disable_functions directive:

disable_functions = apache_child_terminate,apache_setenv,define_syslog_variables,exec,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,ini_restore,mysql_pconnect,openlog,passthru,php_uname,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system

If php.ini already has a disable_functions line, append these names to it rather than adding a second line: PHP honours only one, and the directive can only be set in php.ini or the server configuration, never later from ini_set() or .htaccess. A few entries that appear in the version of this list that circulates online have been left out on purpose. fp, fput, inject_code, the phpAds_* names and xmlrpc_entity_decode are not PHP functions, so listing them does nothing. eval is a language construct, not a function, and disable_functions cannot block it. And escapeshellarg and escapeshellcmd are the escaping helpers that make shell calls safe, so disabling them breaks correct code without removing any capability. If a function your theme or module genuinely needs has no alternative, leave it out of the list, and test on a staging copy before touching production, watching the PHP error log for "has been disabled for security reasons" warnings.
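Merging the list into an existing php.ini by hand is where the "only one disable_functions line counts" mistake usually happens. The following added example (not from the original article) parses the existing directive, appends the cleaned list without duplicates, keeps any function you have to allow, and reports the names it dropped because they are not functions (or, for eval, cannot be disabled this way). The php.ini excerpt is constructed; the name lists are the ones discussed above.

```python
import re

# Constructed php.ini excerpt that already has a disable_functions line.
SAMPLE_PHP_INI = """; constructed sample
memory_limit = 256M
disable_functions = passthru,system
expose_php = Off
"""

# The cleaned list from the article, in the order given there.
RECOMMENDED = [
    "apache_child_terminate", "apache_setenv", "define_syslog_variables",
    "exec", "ftp_connect", "ftp_exec", "ftp_get", "ftp_login", "ftp_nb_fput",
    "ftp_put", "ftp_raw", "ftp_rawlist", "highlight_file", "ini_alter",
    "ini_get_all", "ini_restore", "mysql_pconnect", "openlog", "passthru",
    "php_uname", "popen", "posix_getpwuid", "posix_kill", "posix_mkfifo",
    "posix_setpgid", "posix_setsid", "posix_setuid", "posix_uname",
    "proc_close", "proc_get_status", "proc_nice", "proc_open",
    "proc_terminate", "shell_exec", "syslog", "system",
]

# Names from the widely copied list that PHP would silently ignore: not
# functions, or (eval) a language construct disable_functions cannot block.
NOT_FUNCTIONS = {"fp", "fput", "inject_code", "phpAds_remoteInfo",
                 "phpAds_XmlRpc", "phpAds_xmlrpcDecode", "phpAds_xmlrpcEncode",
                 "xmlrpc_entity_decode", "eval"}

# An uncommented disable_functions line, with or without surrounding quotes.
DISABLE_RE = re.compile(
    r'^[ \t]*disable_functions[ \t]*=[ \t]*"?([^"\r\n]*?)"?[ \t]*$', re.MULTILINE)


def parse_disabled(ini_text: str) -> list[str]:
    """Names currently listed in disable_functions, de-duplicated, in order."""
    m = DISABLE_RE.search(ini_text)
    if not m:
        return []
    names = []
    for name in m.group(1).split(","):
        name = name.strip()
        if name and name not in names:
            names.append(name)
    return names


def merge_disable_functions(ini_text: str, extra, keep=()) -> tuple[str, list[str]]:
    """Return (new ini text, skipped names). Existing entries are preserved,
    `extra` is appended without duplicates, names in `keep` (functions your
    code needs) and in NOT_FUNCTIONS are skipped and reported."""
    merged = parse_disabled(ini_text)
    skipped = []
    for name in extra:
        if name in merged:
            continue
        if name in keep or name in NOT_FUNCTIONS:
            skipped.append(name)
            continue
        merged.append(name)
    line = "disable_functions = " + ",".join(merged)
    if DISABLE_RE.search(ini_text):
        new_text = DISABLE_RE.sub(lambda m: line, ini_text, count=1)
    else:
        new_text = ini_text.rstrip("\n") + "\n" + line + "\n"
    return new_text, skipped


if __name__ == "__main__":
    text, skipped = merge_disable_functions(SAMPLE_PHP_INI, RECOMMENDED + ["eval", "fp"])
    print(text)
    print("skipped:", skipped)
```

Pass the functions a module cannot do without in keep, for example keep=("exec",) if an image-processing extension shells out to a converter; the function stays callable and the script tells you it was left off the list.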
Directory listing is another common weakness. When it is enabled, anyone who requests a directory URL that has no index file sees the full list of files in it, which hands an attacker your directory layout, forgotten backup files and anything else you did not mean to publish.
Close this hole by disabling directory indexing. For Apache, add the following line to your .htaccess file (on nginx the equivalent is autoindex off;, which is the default there):

Options -Indexes
Like any eCommerce system, Magento exposes many form fields where users enter data: order fields, profile fields, customer review fields and so on. Attackers use such fields to inject SQL into the statements built behind them; a successful injection can leak database contents, reveal the back-end technology through error messages, or bypass access controls. Magento's database layer uses parameter binding, which protects the core against this, but custom modules and themes that assemble queries by string concatenation reintroduce the problem, so keep to bound parameters in your own code. A web application firewall is a worthwhile additional layer that filters obvious injection payloads, but it is not a substitute for safe queries.
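To make the difference concrete, here is an added example, not code from the original article or from Magento, using Python's built-in sqlite3 as a stand-in for Magento's PHP and MySQL: the same review lookup written with string concatenation and with a bound parameter, run against a constructed review table with the classic ' OR '1'='1 payload. The table, rows and column names are invented for the example; in Magento code the equivalent is to pass values through the database adapter's binding rather than into the SQL string.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a review table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE review (review_id INTEGER PRIMARY KEY, "
                "sku TEXT, status TEXT, body TEXT)")
    con.executemany("INSERT INTO review (sku, status, body) VALUES (?, ?, ?)", [
        ("WS01", "approved", "Fits well"),
        ("WS01", "pending", "Not yet moderated, contains reviewer email"),
        ("MH02", "approved", "Runs small"),
    ])
    return con


def approved_reviews_vulnerable(con: sqlite3.Connection, sku: str) -> list[str]:
    """Builds the SQL text from user input: the attacker controls the query."""
    sql = ("SELECT body FROM review WHERE status = 'approved' "
           "AND sku = '" + sku + "'")
    return [row[0] for row in con.execute(sql)]


def approved_reviews_safe(con: sqlite3.Connection, sku: str) -> list[str]:
    """Bound parameter: the input is always a value, never SQL."""
    sql = "SELECT body FROM review WHERE status = 'approved' AND sku = ?"
    return [row[0] for row in con.execute(sql, (sku,))]


def probe(fn, con: sqlite3.Connection, sku: str):
    """Run fn and return (rows, error_text). The error text is what a
    page that echoes database errors would hand an attacker."""
    try:
        return fn(con, sku), None
    except sqlite3.Error as exc:
        return None, str(exc)


# Constructed attack input: closes the literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, payload:", approved_reviews_vulnerable(con, PAYLOAD))
    print("safe, payload:      ", approved_reviews_safe(con, PAYLOAD))
    print("vulnerable, probe:  ", probe(approved_reviews_vulnerable, con, "x'"))
    print("safe, probe:        ", probe(approved_reviews_safe, con, "x'"))
```

The concatenated version returns every row, including the unmoderated one the status filter was meant to hide, and a single stray quote makes it throw a database error that reveals the engine; the bound version returns nothing for the payload and treats the stray quote as ordinary text.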
There are many more ways to make a Magento installation even more secure, but if you implement all of the above steps you will have a robust store that withstands most opportunistic attacks.
Besides the steps above, one obvious way to keep a Magento site secure is to keep the installation updated. The Magento team fixes security vulnerabilities as they are found, and the latest version carries those fixes, so apply security patches and upgrades promptly. Also protect the email address associated with your admin account: anyone who controls that mailbox can reset the admin password and take over the store, so it needs a strong password and two-factor authentication of its own.
Do mention in the comments your thoughts and feedback about this article, and don’t forget to share it with your friends if you like it.