E-commerce is money, and wherever there is money, there are thieves. Keeping your store secure is very important nowadays. Even though Magento itself is constantly improving its security, there is still more you can do to protect your Magento installation. By following these simple steps you can make your Magento 2 store more secure.
- Scan your shop for known vulnerabilities
- Always have a backup
- Login and Password strength
- Use unique Admin Path
- Use Two-Factor Authentication
- Do you keep your Magento up-to-date?
- Admin panel access
- 3rd-party Extensions
- Monitor the activities in admin panel
- Magento Security Configuration
- Wrap Up
Scan your shop for known vulnerabilities
There is an excellent community resource for scanning your shop for known vulnerabilities – https://www.magereport.com/. As they write about themselves:
This free service gives you a quick insight into the security status of your Magento shop(s) and how to fix possible vulnerabilities. MageReport.com is made by the Magento hosting specialists of Dutch provider Byte. With a dedicated team of 40 skilled colleagues, we protect the performance and security of several thousand Magento shops.
Always have a backup
Even if your site has top-notch security, it can still crash for various reasons, such as a data-center power outage or a hard-drive failure. To prevent data loss you need to have a backup, so think about activating a backup plan for your server right now. Backup frequency depends on the number of orders you receive; for a busy store it can even be hourly.
Login and Password strength
- Do not use a common login name like ‘admin’, ‘administrator’ and so on. Choose something less predictable
- Use a mix of uppercase and lowercase letters, numbers and special characters like !@#$%^
- Do not use the same password for different services / stores. Your Magento password should be unique
- Do not save the password in the browser. It is not safe
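The rules above are easy to state but easy to skip when creating a new admin user. The following is an added example, not code from the original article: a small POSIX sh checker that applies the login-name and password rules listed above before an account is created. The minimum length (12) and the short lists of common login names and passwords are assumptions made for this example, not Magento defaults.

```shell
#!/bin/sh
# Added example, not code from the original article: a POSIX sh checker for
# the login-name and password rules listed above. The minimum length (12) and
# the short lists of common names and passwords are assumptions made for this
# example; they are not Magento defaults.

MIN_LEN=12
COMMON_LOGINS="admin administrator root magento manager"
COMMON_PASSWORDS="password password123 admin123 magento letmein qwerty"

# in_list WORD LIST: return 0 (true) if WORD appears in the space-separated LIST.
in_list() {
    for word in $2; do
        [ "$1" = "$word" ] && return 0
    done
    return 1
}

# check_login_name NAME: reject predictable admin login names (case-insensitive).
check_login_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if in_list "$name" "$COMMON_LOGINS"; then
        echo "login name '$1' is too predictable" >&2
        return 1
    fi
    return 0
}

# check_password PASSWORD: return 0 only if every rule holds; the first failed
# rule is reported on stderr. LC_ALL=C keeps the character classes ASCII-only.
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "password is too short (minimum $MIN_LEN characters)" >&2; return 1
    fi
    if in_list "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" "$COMMON_PASSWORDS"; then
        echo "password appears in the common-password list" >&2; return 1
    fi
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || { echo "password needs an uppercase letter" >&2; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || { echo "password needs a lowercase letter" >&2; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || { echo "password needs a digit" >&2; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[!@#$%^&*()_+=-]' || { echo "password needs a special character such as !@#\$%^" >&2; return 1; }
    return 0
}

# Usage: sh check-admin-credentials.sh LOGIN PASSWORD
if [ "$#" -eq 2 ]; then
    check_login_name "$1" && check_password "$2" && echo "login name and password pass every rule"
fi
```

The checker reads the candidate credentials from the command line only so that it can be wired into an account-provisioning script; it never stores them, and the common-password list should be replaced with a real breached-password list in production.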
Use unique Admin Path
store.com/admin is the first thing an attacker will check. The admin panel can be abused by attackers, for example to launch a brute-force attack against it. Luckily it is pretty easy to set up a custom admin path.
- Navigate to Stores > Configuration
- In the panel on the left, under Advanced, click Admin and expand the Admin Base URL section.
- Set Use Custom Admin Path to “Yes” and enter the custom path in the field below
Use Two-Factor Authentication
Two-Factor Authentication is an additional step that requests a verification code to log in to the admin panel. It gives you the ability to:
- Enable authenticator support for the Admin.
- Manage and configure authenticator settings globally or per user account.
- Reset authenticators and manage trusted devices for users.
Check the Magento documentation for details – Installing Two-Factor Authentication
Do you keep your Magento up-to-date?
The Magento team is constantly working on improving the system. New versions include security patches, performance enhancements and user-interface improvements. Usually you will see a new-version notification in the admin panel.
If for any reason you cannot upgrade to the latest version, make sure to install all security patches recommended by Magento.
Admin panel access
Limit access to the admin panel. Changing the admin URL is not enough to protect your store. Consider using a whitelist of IPs that are allowed to access the admin panel; it will prevent even accidental access. There are plenty of tutorials on how to create such a whitelist, for example Restrict access to admin area by IP
3rd-party Extensions
- Check the extension author's reputation and reviews
- Do not install new extensions on the production server. Test them on a staging server first for crashes and unhandled errors, performance and possible conflicts with other extensions
- Hire a professional to detect the presence of malware, security leaks, performance issues and backdoors in the extension code
Monitor the activities in admin panel
If you are not the only admin panel user, you should monitor the other users' activity to track unwanted behavior. Users should not access resources they are not allowed to. Consider using an admin logger extension. Desired functionality:
- login attempts list (successful | failed)
- list of certain user actions
- monitor changes of user roles
- keep track of new admin users
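Once a logger produces such a list, the useful part is reviewing it regularly for the patterns above. The script below is an added example, not code from the original article or from any particular logger extension: a POSIX sh/awk report that reads an admin-activity export and flags runs of failed logins, role changes and newly created admin users. The CSV layout (timestamp,user,action,status,ip,detail) and the sample rows are constructed for this example; map your logger's export onto these columns. THRESHOLD mirrors the "Maximum Login Failures to Lockout Account" setting and defaults to 5.

```shell
#!/bin/sh
# Added example, not code from the original article: read an admin-activity
# export (CSV columns: timestamp,user,action,status,ip,detail, a layout assumed
# for this example) and print one line per finding. THRESHOLD is the number of
# failed logins per user that triggers a finding (assumed default 5).
THRESHOLD=${THRESHOLD:-5}

# Constructed sample export: one user with a run of failed logins, one role
# change and one newly created admin user.
SAMPLE_LOG='timestamp,user,action,status,ip,detail
2024-05-01T09:58:12Z,asmith,login,failed,203.0.113.5,-
2024-05-01T09:58:30Z,asmith,login,success,203.0.113.5,-
2024-05-01T10:00:01Z,jdoe,login,failed,198.51.100.7,-
2024-05-01T10:00:04Z,jdoe,login,failed,198.51.100.7,-
2024-05-01T10:00:07Z,jdoe,login,failed,198.51.100.7,-
2024-05-01T10:00:10Z,jdoe,login,failed,198.51.100.7,-
2024-05-01T10:00:13Z,jdoe,login,failed,198.51.100.7,-
2024-05-01T10:15:44Z,asmith,role_change,success,203.0.113.5,target=jdoe;role=Administrators
2024-05-01T10:16:02Z,asmith,user_create,success,203.0.113.5,target=tempadmin'

# report_suspicious: read the CSV on stdin and print findings:
#   ROLE_CHANGE   <timestamp> <actor> <ip> <detail>
#   NEW_ADMIN     <timestamp> <actor> <ip> <detail>
#   FAILED_LOGINS <user> <count> last_ip=<ip>   (only when count >= THRESHOLD)
report_suspicious() {
    awk -F, -v threshold="$THRESHOLD" '
        $1 == "timestamp" { next }                                   # skip header row
        $3 == "login" && $4 == "failed" { failed[$2]++; last_ip[$2] = $5 }
        $3 == "role_change" { print "ROLE_CHANGE " $1 " " $2 " " $5 " " $6 }
        $3 == "user_create" { print "NEW_ADMIN " $1 " " $2 " " $5 " " $6 }
        END {
            for (u in failed)
                if (failed[u] >= threshold)
                    print "FAILED_LOGINS " u " " failed[u] " last_ip=" last_ip[u]
        }'
}

# Usage: sh admin-activity-report.sh export.csv   (no argument: run on the sample)
if [ "$#" -ge 1 ]; then
    report_suspicious < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | report_suspicious
fi
```

Run on the sample, the report lists the role change, the new admin user and the five failed logins for jdoe, while asmith's single failed attempt stays below the threshold. Schedule it against a daily export so that a burst of failures or an unexpected new administrator is noticed the same day.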
Magento Security Configuration
- Navigate to Stores > Configuration
- In the panel on the left, under Advanced, click Admin and expand the Security section.
- Add Secret Key to URLs = Yes. The secret key helps prevent CSRF (cross-site request forgery) attacks
- Login is Case Sensitive = Yes
- Admin Session Lifetime = 3600. Time in seconds a user may stay idle; the system will log the user out after 1 hour.
- Maximum Login Failures to Lockout Account = 5
- Lockout Time (minutes) = 30. Number of minutes to lock an account before the user can log in again. Helpful against brute-force attacks.
- Password Change = Forced. Requires users to change their password before it expires.
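Both this section and the Use unique Admin Path section above can be applied without clicking through the admin panel, which is handy for staging/production parity and for re-applying the settings after a restore. The script below is an added example, not code from the original article or from Magento itself: it writes the same values through bin/magento config:set, using the Magento 2 configuration paths that back those screens (admin/url/* and admin/security/*). Run it from the Magento root; changeme_admin_path is a placeholder for your own hard-to-guess path.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the custom admin
# path and the Security settings recommended above with bin/magento config:set.
# The config paths are the Magento 2 paths behind the Stores > Configuration
# screens; ADMIN_PATH is a placeholder you must replace with your own value.
set -e

MAGENTO=${MAGENTO:-bin/magento}          # set MAGENTO=echo for a dry run
ADMIN_PATH=${ADMIN_PATH:-changeme_admin_path}

# Advanced > Admin > Admin Base URL: Use Custom Admin Path = Yes + the path
set_admin_path() {
    "$MAGENTO" config:set admin/url/use_custom_path 1
    "$MAGENTO" config:set admin/url/custom_path "$ADMIN_PATH"
}

# Advanced > Admin > Security, with the values recommended in this section
set_admin_security() {
    "$MAGENTO" config:set admin/security/use_form_key 1               # Add Secret Key to URLs = Yes
    "$MAGENTO" config:set admin/security/use_case_sensitive_login 1   # Login is Case Sensitive = Yes
    "$MAGENTO" config:set admin/security/session_lifetime 3600        # Admin Session Lifetime, seconds
    "$MAGENTO" config:set admin/security/lockout_failures 5           # Maximum Login Failures to Lockout Account
    "$MAGENTO" config:set admin/security/lockout_threshold 30         # Lockout Time, minutes
    "$MAGENTO" config:set admin/security/password_is_forced 1         # Password Change = Forced
}

# apply_all: write every setting, then flush the cache so the new values and
# the new admin path take effect.
apply_all() {
    set_admin_path
    set_admin_security
    "$MAGENTO" cache:flush
    echo "admin path is now /$ADMIN_PATH; update your bookmarks and any IP whitelist rules"
}

# Usage: ADMIN_PATH=<your path> sh harden-admin.sh --apply
#        MAGENTO=echo sh harden-admin.sh --apply     (dry run: prints the commands only)
if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

The dry-run mode (MAGENTO=echo) lets you review the exact commands before they touch the database, and the final reminder matters: a changed admin path also has to be reflected in any IP-whitelist rules that match on the old URL.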
Those are the basics of Magento security. Remember that store security is the owner's responsibility. Configure your admin security effectively.
Share your security tips in comments.