How to protect your Magento Store from hackers
Magento 2 is one of the largest and most popular open source e-commerce platforms in the world. It offers a huge range of applications and in the hands of skilled developers, the possibilities are limitless. Unfortunately, this means unprepared Magento store owners are vulnerable to attacks.
Magento is so well-loved because it works well for any size brand, seamlessly scaling from “single-product stores”, to specialized merchant stores, to large, multi-sector ecommerce stores and marketplaces. Everything that a modern ecommerce platform should have in Magento 2 is “out of the box” meaning it’s possible to instantly build out tools that manage warehouses, products, categories, website layout, orders and much more.
With so many working possibilities in Magento 2, there are also more opportunities for malicious hackers to take advantage of them. Just like other popular platforms (e.g. WordPress or OpenCart), it is a very tasty morsel for bad actors on the internet. The more popular a platform is, the more exposed and tempting it can be for hackers.
The good news is that developers who specialize in building Magento 2 web stores have proven ways to mitigate attacks and minimize risk. We’ve described the most important factors in this article, but keep in mind they are just the tip of the iceberg—Magento 2 security development is an ever-changing landscape with many topics to discuss.
Read on to find a few relatively simple steps that will protect your Magento 2 store from attackers.
Use the best server
It’s well known that Magento 2 requires the right server to run. But what is ‘right’ for every store?
First, the server parameters must be tailored to specific business requirements: the number of potential users, orders placed in the hottest moments and many other factors. However, apart from good parameters, we must pay attention to something else – after all, even the best machine will be useless in the event of an attack, if it is not properly maintained and secured.
Choosing a server is a very important matter. This means your server admins or developers need enough experience to manage it themselves. Whichever server type you run, you’ll need the people and talent to take care of the correct configurations, and maintain software updates. As a developer team, we often continue maintaining server support for our clients, but you always have the option of hiring a properly trained server administrator. Either way, the server admin should know exactly what they’re doing, and ensure that the server provider complies with security standards (OWASP). There are literally thousands of server hosting offers online, some cheaper and some more expensive. If you’re not very technical, you’ll want to ask around for a recommendation as there are so many to choose from that will meet your requirements.
Server support is crucial. But don’t be fooled by the common “24/7 phone support” marketing gimmick. In the event of a problem at an unusual time, sometimes you’ll just get a bot message! Dig deeper into the support offering by finding out exactly what their support scenarios look like.
When it comes to server choice, cheaper often means worse. The service provider has to pay for administrators, technical support, hardware maintenance and so on. Higher-quality services require more human resources, additional training, courses for employees and, finally, payment for certification exams. All this generates costs, which in turn translates into server rental prices.
Good hosting should be characterized by high-quality technical support, quickly responding to reported problems and providing the client with a safe software life cycle. Some providers even offer a server configuration specifically fit for Magento 2 which is a good sign. Because of Magento 2 popularity, many server providers offer this configuration free of charge. With this feature, it only takes a few clicks for a server admin to see that everything has been configured properly.
Secure the environment
When choosing a server for a store, remember that it requires some configuration that mitigates risks. These steps below will significantly reduce the number of threats that the server has to face. However, this should not be considered a complete list—server security has endless possibilities.
Here’s how to eliminate as many attack vectors as possible:
- Ensure that only necessary software sits on the server. Each additional application is a potential risk of attack. You never know where gaps occur that allow hackers to bypass security.
- Whether you are using Apache or Nginx, make sure that all files and folders have proper permissions and that path traversal is impossible. Just a small bug (like not setting MAGENTO_ROOT on the / pub folder and too wide permissions) can cause issues.
- Create and apply a list of IP numbers that have access to the Magento 2 admin panel.
- Disable FTP access, this protocol is outdated and dangerous. Use SFTP if necessary.
- Limit access via SSH only to trusted IP addresses that must connect to the server
- Give up passwords for SSH in favor of keys.
- Make sure that only authorized persons have access to terminals with access to the server.
- Use a malware scanner and antivirus on devices with access to the server.
- Automate deployment as much as possible, using only encrypted data transfers. The less often you need to connect directly to the server, the better.
Secure Magento software
A secured server should successfully defend itself against most attacks. However, one of the conditions for a secure server is also secure software that we install on it—and obviously Magento 2 is essentially software!
If you’ve been around with Magento long enough, you might remember the infamous CVE-2019-7139 incident which caused a lot of panic (to put it mildly).
It is crucial to apply all security patches to your store as soon as possible, preferably right when the new software launches. Remember that open source code means that everyone has full access to the code, making it very easy to spot potential security holes. The upside is that more people are looking for these gaps, and the majority are often the good guys.
It’s a good habit to change the default admin path to something less obvious than / admin. In theory, this seems like a triviality that will ultimately not help. It’s a bit different in practice.
Let’s assume that we have a module where ‘vulnerability to attacks from the administration panel’ is detected. A potential attacker knows that our store is based on Magento 2 and sees that we use the module (for example, after the characteristic CSS or JS added by the module on the home page). To run the vulnerability, the attacker just needs to go to / admin / susceptibleodul / index / search? Ajax = true & q = TU_WSTAW_SQL_INJECTION. This is where the nightmare can begin. However, if we changed the path to the admin panel, we can gain some valuable time to apply the appropriate fixes or remove the faulty module before the bug is exploited.
Two-factor authentication should be used unconditionally for all accounts that have access to the administration panel. Thanks to this, even if someone finds out our password, they will still have to enter a one-time code from the application.
All payment gateways used should meet PCI standards. This is not just important for your business’s data, it’s the security of your customers’ data. Some would argue this is even more important from the view of potential lawsuits.
Use only trusted 3rd party modules
On the topic of installing safe software, Magento 2 stores sometimes need help from extensions from 3rd parties. These can include everything from integrations with ERP systems, APIs of external mailing systems, extensive promotion and command systems, or simply modules enhancing the frontend of our store. They allow us to expand the functionality of our store and adapt it to specific requirements.
Add-ons for Magento 2 should be taken only from proven sources, often preceding the purchase and installation with small research on the product we are interested in. You should check how often a given module is updated, whether support is offered in case of problems, how quickly the manufacturer responds to reported bugs, and whether anything is known about existing and unpatched security holes.
Keep the number of installed modules small; just enough to meet all expectations and nothing else. This principle is due to the fact that each additional module is another thing to check for security, update tracking and a possible problem in the absence of further manufacturer support. Unused modules should be removed as soon as possible (of course, with prior checking that the removal of a given module will not affect the functionality of the others).
We should never look for (let alone install) paid modules downloaded for free from unknown sources. Apart from the legal and moral aspect of such an act, it is only asking for trouble. Of course, the module can work properly and meet our expectations, but you can never be sure if there are any backdoors, exploits and other malicious code embedded in the code. In fact, we can be sure that something like this will be there. Let us add that we do not have the manufacturer’s support or free update period at the moment. In retrospect, saving a few thousand dollars in cost seems to be a poor profit compared to the losses that can be caused by malicious code.
Update modules & templates
I mentioned that Magento 2 must always be up to date. The same applies to modules and templates. Each of them should be updated on a regular basis, and in case of security fixes – immediately. Modules, although very useful, may also contain their own errors, independent of Magento 2.
Even with the steps above, a Magneto 2 platform should be monitored for any suspicious activities:
- Monitor the integrity of Magento 2 files on the server. Sometimes even a simple “git status” allows you to detect that someone was messing with the files.
- Periodically check the server logs for unusual activities, IP addresses appearing on black lists, etc.
- Check whether there are any new administrators in Magento 2, which were not added by you or your admins.
- Monitor every login to the server, regardless of the protocol or connection used.
- Think about installing a module that records all performed actions in the administration panel.
- Use Magento Security Scan. It’s a free tool that allows you to detect some vulnerabilities and security problems. All you need to do is set the times at which the scanning should take place, and then just view the reports sent to your email.
Even if your server is a veritable Fort Knox, surrounded by futuristic security cyborgs, there must always, always, be a backup plan when you are faced with the possibility of failure. A good contingency plan assumes that the entire system will simply crash.
- Implement an automatic backup system, including not only server files but also databases.
- Store databases on an external machine / medium independent of the server on which Magento 2 is standing.
- Periodically ensure that the backups can be restored correctly and scan them for malicious code.
- Have more than one backup in more than one location – some attacks are detected after a long time and it is possible that some backups already contain code injected by the attacker.
- If an attack is detected, no matter how small, change ALL access data for administrators, SFTP and SSH accounts, databases, as well as payment gateways.
- Automate the restoration of backups. Most of the time it will not be useful, but in case of problems it will save time, during which our customers can not make a purchase (because the store is lying), and thus reduce losses.
Phew! We could write an entire encyclopedia about securing your e-commerce platform. Every day we deal with new attacks, hacks, forms of extortion and data theft.
The most important thing is that even with the best security and a legion of technicians watching the server, it’s up to you and your ecommerce developers to always keep security in mind.
There is no room for error here. “I don’t feel like it” or “nothing will happen” are famous last words. There are people who are waiting for you to make a mistake and will not hesitate to take advantage of vulnerabilities.
After all, the greatest threat to any system is the human. If you keep your software, server and machines up to date, using the latest security practices, it will pay off in the same way. If you are careless about security (because “why do I need 2FA, I have a strong password!”) then you might as well not turn off the oven overnight after baking a cake, because a fire is unlikely, and you can just wake up and make toast right away!
Jokes aside, it’s always worth considering hiring specialists who will take this burden off your shoulders. Ecommerce developers will do everything in their power to make your store safe.