Security is paramount for any shop, and for an online store even more so. Why? Because an online store handles customer information, business data and payment details every day, and without proper security that highly sensitive information is at risk. As an online shop grows in popularity, so does the likelihood of it being hacked or suffering a data breach, and there are many points at which an online shop can be attacked. Even small stores face heightened risk if they leave gaps in their security. What is true for any online store is true for Magento stores as well.
Magento is an open source eCommerce platform with a solid security baseline, but the security of a Magento store is affected by many things, including the hosting environment and its security, SSL/TLS installation, installation of insecure third-party modules, chargeback fraud and so on. There are also some simple mistakes that weaken Magento store security, such as loose folder and file permissions, the default admin URL and a default or weak database password.
Here are some simple yet effective things you should check in order to keep your Magento store safe.
Magento releases new versions roughly every six months, and each new version contains security improvements and fixes for vulnerabilities found in previous versions. Always keep your shop's Magento version up to date.
Between releases, Magento publishes patches for vulnerabilities and security threats discovered in released versions of the software. Apply these patches to your shop as early as possible, before attackers can exploit the vulnerabilities they fix. Patches that Magento marks as critical should be applied as soon as they are released, ideally the same day. Follow Magento's security announcements so you hear about them promptly, and test each patch on a staging copy before applying it in production.
Before going live with your Magento shop, ensure that file and folder permissions match Magento's recommendations. A common baseline is 755 for directories and 644 for files, with write access for the web server user only where Magento needs it, namely var/ and media/. A world-writable /app folder, for example, would be catastrophic: anyone who can write there can alter the application code and app/etc/local.xml, which holds your database credentials.
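As an added example (not code from the original article or from Magento), the following POSIX shell script reports world-writable entries outside var/ and media/ and can optionally apply the 755/644 baseline. The baseline values, the exemption of var/ and media/, and the script name magento-perms.sh are assumptions of this example rather than an official Magento setting:

```sh
#!/bin/sh
# Permission check for a Magento 1 document root. Constructed example: the
# baseline (directories 755, files 644, web-server write access only under
# var/ and media/) is a common recommendation, not an official Magento setting.
# Usage: sh magento-perms.sh /path/to/magento          # report only
#        sh magento-perms.sh /path/to/magento --fix    # apply the baseline first

# List every world-writable file or directory outside var/ and media/.
# Returns 0 when nothing is found, 1 when at least one entry was listed.
find_world_writable() {
    root="${1%/}"
    found=$(find "$root" \( -path "$root/var" -o -path "$root/media" \) -prune \
        -o -perm -002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Apply the baseline: 755 on directories, 644 on files, then give the owner
# and group (normally the web server user) write access under var/ and media/.
apply_baseline() {
    root="${1%/}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for writable in "$root/var" "$root/media"; do
        if [ -d "$writable" ]; then
            chmod -R ug+rwX "$writable"
        fi
    done
}

if [ -n "$1" ]; then
    if [ "$2" = "--fix" ]; then
        apply_baseline "$1"
    fi
    if find_world_writable "$1"; then
        echo "OK: no world-writable entries outside var/ and media/"
    else
        echo "WARNING: the entries listed above are world-writable" >&2
        exit 1
    fi
fi
```

Run it as the user that owns the files, after deployment and after any extension install, and wire the report-only form into your monitoring so a regression shows up as a failed check rather than a breach.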
Magento 1 installations ship a /dev directory containing development files such as test suites and tools. Leaving it in place is common practice, and that is exactly why it is a security risk: if the directory is reachable from the web, its contents are easy to harvest, and they may include configuration files with shop credentials or other security details. Either remove the folder from the production system or restrict its permissions and web access so that it is not open to the world.
The standard admin location for a Magento shop is /admin. If your shop uses this default admin URL, it is an easy target for automated brute-force attempts and for exploits aimed at the admin interface. Change the admin path to something non-obvious (in Magento 1 this is the frontName under admin/routers/adminhtml/args in app/etc/local.xml). This hides the login page from casual scanning; it is not a substitute for a strong password or for restricting admin access by IP address where possible.
As with any password, the stronger the admin password, the better. Make sure your Magento admin password is long and unique: use a combination of letters, numbers and special characters, never reuse it on other sites, and give each administrator a separate account so that access can be revoked individually.
Magento uses the default location /downloader for installing extensions without SSH access: it serves the Magento Connect Manager, which installs modules through the backend. Keeping this default folder name is another security risk, because it is a well-known target. Rename the folder to something that cannot be easily guessed, or better still remove it from production altogether and install extensions from the command line or from version control.
Version control systems such as Git, Subversion (SVN) and Mercurial store their metadata in hidden folders with well-known names (.git, .svn, .hg). When these folders are reachable over the web it is a severe security issue: they can expose your complete source code and any credentials that were ever committed. Renaming them is awkward with most tools, so the more reliable options are to never deploy these folders to the document root at all, or to deny web access to them in the web server configuration.
Apart from restricting the permissions on your cache folder, you should also secure web access to the cache files. Magento stores its internal cache files under var/cache, inside the public web root, and the file names can be predicted; the cached configuration includes details such as your database password. The solution depends on your web server. The simplest is to ensure that the .htaccess controls Magento ships are honoured (AllowOverride enabled on Apache), or to add an equivalent rule denying access to /var and /app/etc on Nginx.
SSL (today, TLS) encrypts the connection between the web server and the web browser, protecting your data as it travels across the Internet. Install a certificate on your server and serve the whole shop, not just the checkout, over HTTPS. Also check periodically that the certificate is still valid: that it has not expired, that it matches your domain and that the full certificate chain is served.
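As an added example, not part of the original article, here is a shell script that fetches the certificate your shop presents and fails when it expires within WARN_DAYS days or when the chain does not verify. The host name shop.example and the WARN_DAYS setting are placeholders of this example, not Magento options:

```sh
#!/bin/sh
# Certificate validity check for the shop's HTTPS endpoint. Constructed
# example: shop.example is a placeholder host and WARN_DAYS is this script's
# own setting. Usage: sh cert-check.sh shop.example
WARN_DAYS="${WARN_DAYS:-30}"

# Print the PEM leaf certificate that HOST presents on port 443 (SNI = HOST).
fetch_cert() {
    host="$1"
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509
}

# Return 0 when the full chain presented by HOST verifies against the local
# trust store, non-zero otherwise (missing intermediate, wrong name, and so on).
chain_verifies() {
    host="$1"
    openssl s_client -servername "$host" -connect "$host:443" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Read a PEM certificate on stdin. Returns 0 if it is still valid DAYS days
# from now, 1 if it expires before then (an already-expired one also gives 1).
cert_valid_for_days() {
    days="$1"
    openssl x509 -noout -checkend "$((days * 86400))"
}

# Print the subject and notAfter date of the PEM certificate on stdin.
cert_summary() {
    openssl x509 -noout -subject -enddate
}

if [ -n "$1" ]; then
    cert=$(fetch_cert "$1") || { echo "could not fetch certificate from $1" >&2; exit 2; }
    printf '%s\n' "$cert" | cert_summary
    if ! chain_verifies "$1"; then
        echo "WARNING: certificate chain for $1 does not verify" >&2
        exit 1
    fi
    if printf '%s\n' "$cert" | cert_valid_for_days "$WARN_DAYS" >/dev/null; then
        echo "OK: certificate for $1 is valid for at least $WARN_DAYS more days"
    else
        echo "WARNING: certificate for $1 expires within $WARN_DAYS days (or already has)" >&2
        exit 1
    fi
fi
```

Schedule it daily; the non-zero exit on an expiring or unverifiable certificate is what your monitoring should alert on, well before customers see a browser warning at checkout.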
Magento frontend skins (theme CSS, JavaScript and images) are stored in /skin/frontend. These files have to be served, but ensure that the folder itself is not browseable from a web browser, i.e. that directory listing is disabled, so an attacker cannot simply enumerate your installed themes and extensions.
Magento records every patch applied to your system in the file applied.patches.list inside the /app/etc/ folder. Ensure this file is not readable from the web: if it is, attackers can see exactly which patches are missing and therefore which known vulnerabilities your shop still has.
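The folder checks above (the dev directory, the admin path, the downloader, version control metadata, the var cache, directory listing under skin/frontend and applied.patches.list) can all be verified from the outside with one probe. This is an added example, not code from the article or from Magento; https://shop.example is a placeholder, and the path list is assumed from the folders discussed here plus app/etc/local.xml, which holds the database credentials:

```sh
#!/bin/sh
# Probe a Magento 1 storefront from outside for paths that should not answer
# an anonymous request. Constructed example: https://shop.example is a
# placeholder and the path list follows the folders discussed in this article.
# Usage: sh magento-probe.sh https://shop.example

# One path per line. A 200 on a directory means directory listing is on.
SENSITIVE_PATHS="
/.git/HEAD
/.svn/entries
/.hg/requires
/app/etc/local.xml
/app/etc/applied.patches.list
/var/cache/
/dev/
/downloader/
/skin/frontend/
/admin
"

# HTTP status code for URL, or 000 when the request itself fails.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Classify a status code. A redirect on /admin or /downloader/ usually means the
# default path is still in use and is sending you to its login page.
verdict_for() {
    case "$1" in
        200)                 echo EXPOSED ;;
        301|302|303|307|308) echo REDIRECT ;;
        401|403|404)         echo blocked ;;
        *)                   echo unexpected ;;
    esac
}

# Probe every path under BASE_URL and print "code path verdict" per line.
# Returns the number of EXPOSED paths, so 0 means nothing was found.
probe_exposed() {
    base="${1%/}"
    exposed=0
    for p in $SENSITIVE_PATHS; do
        code=$(fetch_status "$base$p")
        verdict=$(verdict_for "$code")
        printf '%s %-32s %s\n' "$code" "$p" "$verdict"
        if [ "$verdict" = EXPOSED ]; then
            exposed=$((exposed + 1))
        fi
    done
    return "$exposed"
}

if [ -n "$1" ]; then
    probe_exposed "$1"
fi
```

Run it against the HTTPS base URL so a plain http-to-https redirect is not mistaken for an admin redirect, and treat every EXPOSED line as a finding: a 200 on /admin or /downloader/ means the default path is still live, and a 200 on any of the file paths means the web server is handing out configuration to anyone who asks.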
A major hurdle in doing business online is chargeback fraud. The best way to reduce it is to monitor all transactions and orders: verify the customer's IP address against the billing details, enable the Address Verification System (AVS), verify the email address and require the Card Verification Value (CVV) for credit card transactions.
Finally, always monitor your Magento shop so that your customers get a reliable and secure service. Set up alerts and automated monitoring for your store so that you learn immediately when it goes down. Also perform regular maintenance with automated scripts for site and database backups and for deleting old, obsolete backup files; keep the backups outside the web root and test restoring from them now and then, because a backup you have never restored is not yet a backup.
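An added example of the backup and retention script described above (not part of the original article): it reads the database credentials from app/etc/local.xml in the CDATA form Magento 1 writes them, dumps the database, archives the files and then prunes archives older than the retention period. The paths, BACKUP_DIR and RETAIN_DAYS are assumptions of this example:

```sh
#!/bin/sh
# Backup and retention for a Magento 1 store. Constructed example: the paths,
# BACKUP_DIR and RETAIN_DAYS are this script's own settings; the database
# credentials come from app/etc/local.xml, where Magento 1 keeps them.
# Usage: sh magento-backup.sh /path/to/magento
MAGENTO_ROOT="$1"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/magento}"   # keep this outside the web root
RETAIN_DAYS="${RETAIN_DAYS:-14}"

# Read one <connection> value (host, username, password, dbname) from local.xml,
# unwrapping the <![CDATA[...]]> that Magento writes around it.
local_xml_value() {
    key="$1"
    file="$2"
    sed -n "s/.*<$key><!\[CDATA\[\(.*\)]]><\/$key>.*/\1/p" "$file" | head -n 1
}

# Dump the database with the credentials from local.xml. The password goes into
# a mode-600 defaults file instead of the command line, so it never shows in ps.
# OUT is the path without extension; the result is OUT.sql.gz.
dump_database() {
    local_xml="$1"
    out="$2"
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$(local_xml_value host "$local_xml")" \
        "$(local_xml_value username "$local_xml")" \
        "$(local_xml_value password "$local_xml")" > "$cnf"
    if mysqldump --defaults-extra-file="$cnf" --single-transaction \
            "$(local_xml_value dbname "$local_xml")" > "$out.sql"; then
        gzip -f "$out.sql"
        status=0
    else
        rm -f "$out.sql"
        status=1
    fi
    rm -f "$cnf"
    return $status
}

# Archive code, configuration and media. var/ holds cache and sessions only,
# so it is skipped.
archive_files() {
    root="$1"
    out="$2"
    tar -czf "$out" -C "$root" --exclude=./var .
}

# Delete backup archives in DIR older than DAYS days, printing what was removed.
prune_old_backups() {
    dir="$1"
    days="$2"
    find "$dir" -maxdepth 1 -type f -name '*.gz' -mtime "+$days" -print -exec rm -f {} +
}

if [ -n "$MAGENTO_ROOT" ]; then
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    dump_database "$MAGENTO_ROOT/app/etc/local.xml" "$BACKUP_DIR/db-$stamp"
    archive_files "$MAGENTO_ROOT" "$BACKUP_DIR/files-$stamp.tar.gz"
    prune_old_backups "$BACKUP_DIR" "$RETAIN_DAYS"
fi
```

Run it from cron as a user that can read the Magento tree but is not the web server user, and copy the resulting archives off the host; a backup directory that an attacker who owns the web server can also delete is of little use during an incident.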
These are some Magento security tips that can help you secure your store. If you check for these weaknesses and fix the ones you find, you are on the right track to securing your Magento shop.