Schogini - Amazon AWS, Magento and Mobile Developers
 

Magento Security Checklist to Secure Your Magento 1.x Store

Importance of security for Magento stores

Security is paramount for any shop, and for an online store it matters even more. An online store handles customer information, business data and payment details every day, and without proper security that highly sensitive information is at risk. As a shop grows in popularity, the likelihood of a site compromise or data breach grows with it, and there are many points at which an online shop can be attacked. Even small stores face a heightened risk if they leave gaps in their security. All of this applies to online Magento stores as well.

Mistakes that can affect your Magento Store Security

Magento is an open source eCommerce platform with a solid security track record, but the security of a store depends on much more than the platform itself: the hosting environment and how it is hardened, SSL/TLS installation, the installation of insecure third-party modules, chargeback fraud and so on. Some of the most damaging problems are simple mistakes, such as wrong folder and file permissions, keeping the default admin URL, or leaving the database password at its default.

Magento Basic Security Checklist

Here are some simple yet effective things to check in order to keep your Magento store safe.

  1. Is your shop’s Magento version up-to-date?
  2. Are all the security patches applied on your Magento shop?
  3. Are your file and folder permissions correct?
  4. Is your development folder protected?
  5. Are you using the standard/default location for admin?
  6. Is your admin password strong?
  7. Are you using the standard/default location for downloader?
  8. Is your version control protected?
  9. Is your Magento cache protected?
  10. Is a valid SSL certificate installed?
  11. Is your skin folder protected?
  12. Is your applied patches list file secure?
  13. Are you verifying orders before shipping?
  14. Are you monitoring your site regularly?

1. Is your shop’s Magento version up-to-date?

Magento has historically released new 1.x versions roughly every six months, and each release contains security improvements and fixes for vulnerabilities found in earlier versions, so keep your shop on the latest 1.x release. Bear in mind that Magento 1 reached end of life on June 30, 2020: no further releases or security patches are published for it, so keeping the shop current also means planning a migration off the 1.x line.

2. Are all the security patches applied on your Magento shop?

Magento regularly releases patches for vulnerabilities and security threats discovered in released versions of the software (for Magento 1.x these are the SUPEE-numbered patches). Apply them to your shop as soon as they are available, so that attackers cannot exploit the vulnerabilities they close; patches that Magento marks as critical should ideally go on the same day they are released.
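The quickest way to answer this question on a Magento 1 server is to read app/etc/applied.patches.list, which the official patch scripts append to. The script below is an added example, not code from the article or from Magento: it extracts the SUPEE identifiers from that file and reports which of a required set are missing. REQUIRED_PATCHES is illustrative and must be replaced with the set that applies to your edition and version; the sample list is constructed so the script runs without a store. The scan is deliberately simple and does not account for patches that were later reverted, so confirm anything important against the files the patch touches.

```python
"""List the SUPEE security patches a Magento 1 store has applied and what is missing.

Added example, not code from the article or from Magento. Magento's patch
scripts append one entry per applied patch to app/etc/applied.patches.list;
only the SUPEE identifiers are extracted, so the exact column layout of that
file is not relied on. REQUIRED_PATCHES is illustrative (replace it with the
patch set for your edition and version).
"""
import re
import sys
from pathlib import Path

PATCH_ID = re.compile(r"SUPEE-\d+")          # e.g. SUPEE-5344

# Illustrative only; the real required set depends on your Magento version.
REQUIRED_PATCHES = {"SUPEE-5344", "SUPEE-6788"}

# Constructed stand-in for app/etc/applied.patches.list (fields abbreviated).
SAMPLE_LIST = """\
2015-02-11 10:22:31 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | ... | ... | app/code/core/Mage/Core/Controller/Request/Http.php | ...

"""


def applied_patches(text: str) -> set:
    """Return every SUPEE identifier mentioned in the patch list text."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The patch ID is normally the second '|'-separated field; a plain
        # regex scan also copes with minor format differences between versions.
        found.update(PATCH_ID.findall(line))
    return found


def missing_patches(text: str, required=REQUIRED_PATCHES) -> set:
    """Required patches that do not appear anywhere in the list text."""
    return set(required) - applied_patches(text)


def check_store(magento_root: str, required=REQUIRED_PATCHES) -> set:
    """Read the real file under a Magento root.

    A missing file means no patch script has ever run here, so everything
    in the required set is reported as missing.
    """
    list_file = Path(magento_root) / "app" / "etc" / "applied.patches.list"
    if not list_file.is_file():
        return set(required)
    return missing_patches(list_file.read_text(errors="replace"), required)


if __name__ == "__main__":
    # Usage: python check_patches.py /var/www/magento   (no argument: run on the sample)
    if len(sys.argv) > 1:
        missing = check_store(sys.argv[1])
    else:
        missing = missing_patches(SAMPLE_LIST)
    print("missing patches:", ", ".join(sorted(missing)) or "none")
```

Run it from a cron job or your deployment pipeline and alert on a non-empty result; because the file sits under app/etc, the same check doubles as a reminder that the file itself must not be reachable from the web (see item 12).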

3. Are your file and folder permissions correct?

Before going live with your Magento shop, make sure the file and folder permissions match Magento's recommendations: regular files should be writable only by their owner, and only the directories Magento genuinely needs to write to (var/ and media/) should be writable by the web server user. Granting full write permission on the /app folder, for example, would be catastrophic, since that is where the application code and app/etc/local.xml (which holds the database credentials) live.
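The following audit script is an added example, not code from the article or from Magento. It walks a Magento root and flags anything world-writable outside var/ and media/, any file or directory outside those areas that deviates from the usual 0644/0755 baseline, and an app/etc/local.xml that other users on the host can read. The writable-directory list and baseline modes are assumptions taken from common Magento 1 hardening guidance; adjust them if your hosting uses group-writable directories with a separate PHP user. The sample tree it builds is constructed and deliberately flawed so the script runs anywhere.

```python
"""Audit Magento 1 file-system permissions.

Added example (not the article's or Magento's own code). Assumptions:
only var/ and media/ may be writable by anyone but the owner, other files
are 0644 and directories 0755, and app/etc/local.xml must not be readable
by "others" because it contains the database credentials.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

WRITABLE_OK = ("var", "media")        # Magento writes caches, sessions, images here
SECRET_FILES = {"app/etc/local.xml"}  # database credentials live here
FILE_MODE, DIR_MODE = 0o644, 0o755


def audit_permissions(root: str) -> list:
    """Return sorted (relative_path, problem) pairs for every questionable entry."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue                      # judge the target, not the link
            rel = p.relative_to(root_path).as_posix()
            mode = stat.S_IMODE(p.stat().st_mode)
            if rel in SECRET_FILES:
                if mode & (stat.S_IROTH | stat.S_IWOTH):
                    findings.append((rel, "readable/writable by others (%s)" % oct(mode)))
                continue
            if rel.split("/")[0] in WRITABLE_OK:
                continue                      # Magento legitimately writes here
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%s)" % oct(mode)))
                continue
            expected = DIR_MODE if p.is_dir() else FILE_MODE
            if mode != expected:
                findings.append((rel, "mode %s, expected %s" % (oct(mode), oct(expected))))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed, deliberately flawed Magento-like tree in a temp dir."""
    root = tempfile.mkdtemp(prefix="mage-audit-")
    entries = [
        ("app", True, 0o755),
        ("app/etc", True, 0o755),
        ("app/etc/local.xml", False, 0o644),  # world-readable DB credentials: flagged
        ("app/Mage.php", False, 0o644),       # fine
        ("var", True, 0o755),
        ("var/cache", True, 0o777),           # allowed: Magento writes here
        ("media", True, 0o777),               # allowed
        ("skin", True, 0o755),
        ("skin/frontend", True, 0o777),       # world-writable outside var/media: flagged
        ("index.php", False, 0o664),          # group-writable, off baseline: flagged
    ]
    for rel, is_dir, mode in entries:
        p = Path(root) / rel
        if is_dir:
            p.mkdir()
        else:
            p.write_text("<!-- constructed placeholder -->\n")
        p.chmod(mode)
    return root


if __name__ == "__main__":
    # Usage: python audit_perms.py /var/www/magento   (no argument: audit the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, problem in audit_permissions(target):
        print("%-40s %s" % (rel, problem))
```

The script only reports; once you have reviewed the findings, the usual remediation is to reset files to 0644 and directories to 0755 with find and chmod, then re-open write access on var/ and media/ for the web server user.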

4. Is your development folder protected?

Many Magento sites keep development files in a /dev directory inside the web root. Because that is common practice, attackers know exactly where to look, and if the directory is not protected its contents, which may include passwords and other configuration details, are easily read. Either remove or rename the folder on the production system, or restrict its permissions and web server access so that it is not reachable from the web.

5. Are you using the standard/default location for admin?

The default admin location for a Magento shop is /admin, so a shop that keeps it is an easier target for password guessing and automated attacks, because the login page is exactly where every attacker expects it. Change it to a non-obvious name: in Magento 1.x the admin route is the frontName under admin/routers/adminhtml/args in app/etc/local.xml, and later 1.x releases also expose it as a custom admin path under System > Configuration > Advanced > Admin > Admin Base URL. Renaming the route is no substitute for a strong password and timely patching, but it keeps the store out of the cheapest mass scans.

6. Is your admin password strong?

As with every password, the stronger it is, the better. Make sure your Magento admin password is long (think of a passphrase rather than a word), mixes letters, digits and special characters, and is not reused from any other system; give each administrator a separate account so access can be revoked individually.

7. Are you using the standard/default location for downloader?

Magento 1.x uses the default location /downloader for the Magento Connect Manager, which installs extensions through the admin backend without SSH access. Keeping that default folder name is another security risk, because it is a second, well-known login page into the store. Rename the folder so that it cannot be guessed, or, better, remove or block it on the production server once extensions are deployed in some other way.

8. Is your version control protected?

Version control systems such as Git, Subversion (SVN) and Mercurial keep their metadata in hidden folders with well-known names (.git, .svn, .hg). If those folders are reachable over the web it is a severe issue: an attacker can reconstruct the source tree and may find sensitive information such as passwords in configuration files or in the history. Renaming the folders is awkward for the tooling; the more reliable fix is to deploy without them, or to configure the web server to deny every request to them.

9. Is your Magento cache protected?

Besides setting restrictive permissions on the cache folder, you must also block web access to the cache files themselves. Magento 1 writes its internal cache under var/ inside the web root, the file names are predictable, and the cached configuration includes your database password. The fix depends on your web server: Magento ships a .htaccess in var/ that denies all access, so on Apache make sure .htaccess files are honoured (AllowOverride) and the rule is in effect; on nginx add a location rule that denies /var/ and the other internal directories.

10. Is a valid SSL certificate installed?

SSL, today TLS, encrypts the connection between the web server and the browser so that data is protected while it travels across the Internet. Installing a certificate on your server and serving the store over HTTPS (the admin and checkout included) raises the security of your shop. Also verify periodically that the installed certificate is still valid: it must be issued for your host name by a trusted authority and must not have expired.
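A small monitor for the periodic validity check, as an added example (not code from the article). It uses only the Python standard library: a default TLS context already rejects certificates that are expired, untrusted or issued for another host name, and on top of that the script reports how many days remain so renewal can be scheduled. The 30-day warning threshold is an assumption; the date used in the stand-alone checks is a constructed example.

```python
"""Check that a store's TLS certificate validates and is not close to expiry.

Added example, not code from the article. check_host() needs network access;
the helpers below it work offline on the notAfter string that getpeercert()
returns (OpenSSL text format, e.g. 'Jan  5 09:34:43 2018 GMT').
"""
import socket
import ssl
import sys
import time
from typing import Optional

WARN_DAYS = 30   # assumption: warn when less than a month remains


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days from `now` (epoch seconds, default: current time) until notAfter."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def assess(not_after: str, now: Optional[float] = None, warn_days: int = WARN_DAYS) -> str:
    """Classify the certificate as 'expired', 'expiring soon' or 'ok'."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "expired"
    if days <= warn_days:
        return "expiring soon"
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect, validate chain and host name, and report the expiry state.

    ssl.create_default_context() verifies the chain against the system trust
    store and checks the host name; a failure raises ssl.SSLCertVerificationError,
    which is itself the answer to "is a valid certificate installed?".
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_after = cert["notAfter"]
    return {
        "host": host,
        "not_after": not_after,
        "days_left": round(days_until_expiry(not_after), 1),
        "state": assess(not_after),
        "subject_alt_names": [value for _, value in cert.get("subjectAltName", ())],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_tls.py shop.example.com
        print(check_host(sys.argv[1]))
    else:
        # Offline demonstration on a constructed expiry date.
        print(assess("Jan  5 09:34:43 2018 GMT"))
```

Schedule it daily against every host name the store answers on (the bare domain and www, and the admin host if it differs) and alert on anything other than "ok" or on a verification exception.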

11. Is your skin folder protected?

Magento frontend skins are stored under /skin/frontend. Make sure that folder cannot be browsed from a web browser, that is, the server must not return a directory listing for it (disable autoindex); the individual CSS, JavaScript and image files inside it must of course still be served.

12. Is your applied patches list file secure?

Magento records every patch applied to the system in the file applied.patches.list inside the /app/etc/ folder. Make sure that file is not readable from the web: if it is, an attacker can see exactly which patches are missing and target the corresponding vulnerabilities. Magento's app/.htaccess denies access to the whole app/ tree on Apache; verify that it is actually in effect, and add the equivalent rule on other web servers.
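Items 4, 5, 7, 8, 9, 11 and 12 all come down to the same question: does the web server answer for a path that should be private? The probe below is an added example, not code from the article or from Magento. It requests each of those paths and reports the ones that respond with 200; for directory URLs it only counts an auto-index page ("Index of ...") as a finding, except for /admin/ and /downloader/, where any 200 simply means the default route is still in use. The path list and the rules are assumptions, the responses in SAMPLE_RESPONSES are constructed so the script runs offline, and you should only point it at stores you are authorised to test.

```python
"""Probe a Magento 1 store for paths that should not be reachable from the web.

Added example, not from the article or Magento. The fetcher is injectable so
the judgement logic can be exercised offline against constructed responses.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Tuple

# (path, meaning of a hit); assumptions drawn from the checklist items.
PROBES = [
    ("/dev/",                         "development folder reachable"),
    ("/admin/",                       "default admin route still in use"),
    ("/downloader/",                  "default Magento Connect Manager route still in use"),
    ("/.git/HEAD",                    "Git metadata exposed"),
    ("/.svn/entries",                 "Subversion metadata exposed"),
    ("/.hg/requires",                 "Mercurial metadata exposed"),
    ("/var/cache/",                   "cache directory reachable"),
    ("/skin/frontend/",               "skin folder listable"),
    ("/app/etc/applied.patches.list", "applied patch list exposed"),
    ("/app/etc/local.xml",            "local.xml (database credentials) exposed"),
]
ROUTE_PROBES = ("/admin/", "/downloader/")   # any 200 here is informative

Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher: (status, first 2 KiB of body). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "magento-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""              # unreachable: not a finding, but worth noticing


def is_exposed(path: str, status: int, body: str) -> bool:
    """Decide whether (status, body) for `path` indicates exposure."""
    if status != 200:
        return False
    if path in ROUTE_PROBES:
        return True               # the route exists at its guessable default
    if path.endswith("/"):
        # Apache and nginx auto-index pages are titled "Index of /...".
        return "Index of" in body
    return True                   # a private file was served


def audit_store(base_url: str, fetch: Fetcher = http_fetch) -> list:
    """Return (path, description) for every probe judged exposed."""
    base = base_url.rstrip("/")
    return [(path, why) for path, why in PROBES if is_exposed(path, *fetch(base + path))]


# Constructed responses standing in for a live store (offline demonstration).
SAMPLE_RESPONSES = {
    "/dev/":                         (200, "<html><title>Index of /dev</title></html>"),
    "/admin/":                       (200, "<html>Log in to Magento Admin</html>"),
    "/downloader/":                  (404, ""),
    "/.git/HEAD":                    (200, "ref: refs/heads/master\n"),
    "/.svn/entries":                 (403, ""),
    "/.hg/requires":                 (404, ""),
    "/var/cache/":                   (403, ""),
    "/skin/frontend/":               (200, "<html><body>Store home</body></html>"),
    "/app/etc/applied.patches.list": (403, ""),
    "/app/etc/local.xml":            (200, "<config><global><resources>"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline fetcher keyed by the URL path."""
    path = "/" + url.split("/", 3)[3] if url.count("/") >= 3 else "/"
    return SAMPLE_RESPONSES.get(path, (404, ""))


if __name__ == "__main__":
    # Usage: python probe_store.py https://shop.example.com   (no argument: offline sample)
    if len(sys.argv) > 1:
        findings = audit_store(sys.argv[1])
    else:
        findings = audit_store("http://shop.example", fetch=sample_fetch)
    for path, why in findings:
        print("%-34s %s" % (path, why))
```

On the constructed sample the probe flags /dev/, /admin/, /.git/HEAD and /app/etc/local.xml; a skin folder that returns the store's own page rather than a listing is not counted, and 403 responses show the deny rules doing their job.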

13. Are you verifying orders before shipping?

A major hurdle for any online business is chargeback fraud. The best way to reduce it is to screen orders before shipping: check the order's IP address against the billing and shipping details, enable the Address Verification System (AVS) and require the Card Verification Value (CVV) for card transactions in your payment gateway settings, and verify the customer's email address. Hold orders that fail these checks for manual review instead of shipping them.

14. Are you monitoring your site regularly?

Finally, keep monitoring your Magento shop so that customers always get a reliable and secure service. Set up alerts and automated monitoring so that you know immediately when the shop is down or behaving unexpectedly, and automate regular maintenance with scripts for site and database backups and for rotating old, obsolete backup files. Watching the admin login log and unexpected changes to files in the web root also gives early warning of a compromise.

These tips will help you secure your Magento store. Check each item, fix what you find, and you are on the right track to securing your Magento shop.

Author

Abhijith VG - COO/Cloud & DevOps Architect
Abhi is a very experienced mobile app expert, specialising in native iOS and Android, and looks after the mobility department at Schogini. He has more than six years of experience managing and developing highly complex applications for iOS and Android devices, ranging from mobile enterprise business applications and multi-platform custom apps to 2D game development. He is the author of a variety of books on iOS application development with Objective-C and Swift, a well-established trainer on both iOS and Android application development, and an Amazon AWS Developer and Magento Developer Plus certified professional.