Magento Security Tips for Beginners
The internet can be a scary place, and if you manage a Magento site, Exinent wants to help you stay safe.
If you’re not actively protecting your Magento site, every single day, and taking the proper steps to eliminate security vulnerabilities and flaws, you’re putting your entire site at risk. Every day, sites, computers and users are getting hacked by malicious attackers all across the world, without warning.
Managing a website, especially if it’s an eCommerce or Magento site, means you’ll need to pay as much attention to your security as you do your sales. Security is something you need to understand and build a plan to address.
Interesting Internet Security Facts
Hackers will always be one step ahead. As soon as security systems develop a patch or update, hackers begin searching for a new exploit.
Did you know?
- It only takes 10 minutes for a lowercase password to be cracked. Adding 3 additional lowercase letters extends the time needed to 4 months.
- According to one study by Ponemon Research, 90% of businesses suffered some sort of computer hack in the past 12 months.
- More than 30,000 websites become infected with some type of malware every day. These are mostly small business sites.
- In 2008 alone, there was over $1 trillion dollars’ worth of intellectual property stolen by hackers who gained access to confidential data.
Most Common Techniques for Hacking a Website
There are countless ways to attack a website or computer. Some of the most common techniques include:
DDoS (Distributed Denial of Service) Attacks
This technique involves repeatedly sending an excessive number of requests to a server and exceeding its capacity, thus making a website unavailable. This is one of the most popular methods and can be implemented by mostly anyone; even people without hacking experience.
Exinent once had a client that received over 100,000 requests per minute, causing the site to slow down every 5 minutes and stop functioning, eventually causing it to shut down completely.
This method of attack allows hackers to enter malicious commands into forms on a website and force it to provide valuable data. SQL injection has been used to steal personal information from the smallest of businesses, to the World Health Organization and even the U.S. government.
XSS (Cross-Site Scripting)
A type of security vulnerability that enables attackers to inject client-side script into a web page. This typically allows attackers to bypass access to controls and policies.
An example of cross-site scripting recently occurred when an XSS bug allowed attackers to take over Magento online shops through their email addresses during registration upon checkout.
Broken Authentication and Session Management
This occurs when authentication functions aren’t implemented correctly which allows hackers to compromise passwords, sessions IDs and exploit other flaws with another user’s credentials.
Arbitrary Command Execution
This is commonly achieved when a hacker gains control of a running process, which allows an attacker to execute any command of their choice on the target machine or process. This is the most powerful effect a bug can have because it allows an attacker to completely take over the vulnerable process.
A good example of this is ransomware. You can read more about it in our Crypto-ransomware Targets Magento Sites blog.
How to Protect Your Magento Site from Attackers
There are easy-to-implement techniques which can greatly improve your Magento site’s security and reduce vulnerability. All of these methods can be set up by admins and site owners without an expert-level understanding of technology.
The following are some of the best Magento security tips for beginners.
Implement Two-Factor Authentication
The only thing safer than using a strong password is using two strong passwords. With two-factor authentication, you can mitigate the risks associated with having a single password, and prevent others from obtaining it through brute-force password guessing or social engineering.
Two-factor authentication is not available in Magento 2.0 out of the box, but there are many excellent extensions which can be installed to add this additional layer of security.
Some of the best two-factor authentication extensions include:
- Rublon Two-Factor Authentication
- Enhanced Admin Security: Two-Factor Authentication
- Two-Factor Authentication from Extend ware
Always Use the Latest Version of Magento
With each new update, Magento closes open loopholes and fixes vulnerabilities and security risks associated with the current version. Installing patches and fixes as soon as they’re released is one of the best ways to keep your site safe.
It’s important to track all of the new updates and stay informed. Magento offers a few pages which should be visited weekly (or daily) to check for new releases.
Consider signing up for Magento’s security alert registry, which alerts admins and developers to new security alerts as they’re released.
Restrict Admin Access to Only Approved IP Addresses
Besidesimplementing two-factor authentication security, restricting admin access to only approved IP addresses is one of the best ways to prevent malicious logins. Restricting access will make it nearly impossible for unapproved people to access the admin panel.
If you’re comfortable configuring the rules within your site’s .htaccess file, add the following snippet:
Deny from All
Allow from 184.108.40.2069
This code permits access to only the 220.127.116.119 IP address, and denies all other attempts.
If you’re not quite sure how to edit your server’s .htaccess file, there are some Magento-approved extensions which can also be installed.
- ET IP Security
- Visitor Ip Security
- Country IP Filter
Use Up to Date Anti-Virus Software
The same rule applies to your personal computer as it does to your Magento site. Invest in industry-leading, commercial anti-virus software. Make sure it updates daily because vendors work around-the-clock to keep pace with hackers and implement fixes and patches constantly.
Don’t fall victim just because you didn’t want to pay the price for enterprise-level anti-virus software. The price won’t compare to the cost if your site gets hacked.
Without the latest version of anti-virus protection, your site is vulnerable to even the most basic hacking techniques. This means all of your data is vulnerable and can be obtained without you noticing. Not only could this cause you to lose access to your own site, but it puts at risk all of your customer’s personal information as well. In the long run, an attack on your site won’t be as much of a headache as trying to explain to your customers why you weren’t able to protect their data.
Create Regular Backups and Store Them Offline
Just in case a hacker ever penetrates your site, or gains access and deletes data, it’s vital that you have the ability to quickly revert the site back to a previous state. This is why creating regular backups is something you should be doing every day (or hour).
Utilizing hourly offsite backups, and downloadable backups, will reduce your site’s downtime should it ever get attacked. Not to mention, having backups is a great idea should you ever accidentally delete files, make configuration changes that harm the site, install extensions which cause problems or the site crashes.
Creating a backup with Magento’s Admin Panel is easy. To create a backup, navigate to:
System > Tools > Backups
There are 3 different types of backups to choose between.
- System Backup – will back up the entire source code and database.
- Database and Media Backup – will back up the database and the contents of the media directory.
- Database Backup – will back up only the database.
It’s important to store your backups in more than one physical location. Consider saving copies to a cloud hosting service or an external hard drive. Having additional copies is insurance in case your entire hosting environment fails.
More Ways to Secure Your Magento Site
All of these are excellent ways to immediately protect your site and data, and are easy for any admin to integrate without much technical experience.
For even more advanced tips, check out our other blog, “Magento Security for Experts.” Here we cover best practices such as:
- Utilizing Encrypted Connections (SSL)
- Only Using Secure FTP
- Securing Local .xml Files
- Disabling Directory Indexing
- and more
If you require help implementing any of these techniques or want to learn other ways to increase the security of your site, give us a call or send us an email.