6 Ways To Improve The Security Of Your Magento eCommerce Shop

Tom Popomaronis | August 3, 2015

All open-source eCommerce content management systems inevitably have vulnerabilities in them, creating opportunities for web criminals to expose them.

Magento is no different.

At the beginning of the year, analysts at Sucuri Security reported incidents in which attackers tried to exploit unpatched Magento installations. The adversaries aimed to create fake admin accounts in the database and later use them to take over the eCommerce store.

This is just one example of the security vulnerabilities in the Magento CMS, which is why you need to take steps to safeguard your Magento-hosted online store against such threats. This post highlights 6 measures you can take to make your eCommerce site more robust and secure.

1. Create a unique path for the admin panel

By default, the Magento admin panel lives at http://yourstore.com/admin. Like the WordPress admin panel path, this is well known and makes your website less secure. If you change the admin path to something like http://yourstore.com/adminwebsecurity, it can stop most hacking attacks in their tracks. This measure is a great defense against Session Management attacks.

To change the admin path, open the app/etc/local.xml file and look for the line containing <![CDATA[admin]]> (the value of the <frontName> element). Replace the admin string between the brackets with your preferred admin path, leaving the rest of the characters unchanged. That’s all you need to do.

2. Modify file permissions

The Magento eCommerce store owner has to ensure that the store’s files and folders are not writable by anyone other than the owner. This means setting folder permissions to 755 and file permissions to 644.

Any directory or file found with 666 or 777 permissions should be fixed immediately. Over SSH, you can use the following commands to fix the issue: find . -type d -exec chmod 775 {} \; and find . -type f -exec chmod 664 {} \; . The var and media folders should remain 775.
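The following POSIX shell functions, added here as an example and not taken from the original post, first audit a store root for world-writable files and directories (the 666/777 cases above) and then apply the baseline the post describes: 755 for folders, 644 for files, with var/ and media/ kept at 775. The store root path is assumed to be passed as the first argument, and it is assumed that the web server runs as the file owner or in the owner’s group.

```shell
#!/bin/sh
# Audit and fix Magento file permissions (added example, not from the post).

# List every world-writable file or directory under $1, one path per line.
# -perm -002 matches any entry whose "other write" bit is set (666, 777, ...).
# Returns 0 when nothing is found, 1 when at least one path was reported.
audit_perms() {
    root="$1"
    found=$(find "$root" \( -type d -o -type f \) -perm -002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Apply the baseline from the post: directories 755, files 644, and the
# var/ and media/ trees kept at 775 so the web server can still write there.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    for d in var media; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type d -exec chmod 775 {} \;
        fi
    done
}

# Octal mode of a path; tries GNU stat first, then BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}
```

Run audit_perms before and after fix_perms; a clean run prints nothing and exits 0, so it can be scheduled as a cron check that alerts on any output.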

3. Secure your password

When choosing the password for the admin panel, use a good mix of lowercase and uppercase letters along with some numbers and symbols to create a strong password. You should also change your FTP password before and after working with Magento developers. And don’t make the mistake of storing the password on your laptop or mobile; if these devices get hacked or stolen, your security gates are wide open.

Another thing you can do is enable two-factor authentication and allow only trusted devices to access your backend. You then log in with your unique username and password as well as a security code. Two-factor extensions are available in the Magento Connect marketplace.

4. Disable directory indexing and unsafe PHP functions

Directory listing is one server feature that can undermine your security measures: anyone can enter the URL of a directory on your website and see the file locations and directory structure of your online store, which exposes it to attack. You can fix this by adding this line to your .htaccess file: Options -Indexes

You should also disable unsafe PHP functions by adding the following line to your php.ini file:

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

This will prevent hackers from exploiting unsafe PHP scripts to attack your website.

5. Don’t wait to install security patches

www.magento.com provides patches for Magento EE and CE versions. To install a patch, create an account on the website, go to the Magento Enterprise/Community Edition Patches page, find the patch and use the ‘Download’ button, then install it.

Magento users are also advised to inspect their web server document root directory, since this is where unfamiliar files may reside. When you find an unknown file, download the SUPEE or SUPCE patch from the support portal to address the vulnerability.

6. Use secure FTP protocol & restrict Admin access

FTP shouldn’t be used because its authentication sends credentials in plain text, which is easy to intercept. Use the secure FTP protocol instead: it provides private file transfer as well as a special key for user authentication. SFTP (SSH File Transfer Protocol) frees Magento eCommerce stores from IP streaming issues.

Another thing you should do is allow only known IP addresses to access your Magento store. This feature can be enabled through an IP blocking Magento extension.

Final thoughts

Besides these measures, you can improve security by keeping your Magento package updated. The latest versions of applications and CMSs are more secure and usually better. These actions combined will greatly reduce the risk of an attack destroying your efforts to run a sustainable eCommerce business.

What measures have you taken to keep your Magento store secure? Feel free to leave comments.

Tom Popomaronis
EVP, Innovation
Tom is a serial entrepreneur, product development expert, and content management strategist. Every hour of every day (perhaps too many hours) he focuses on strategies for our Executive Leadership Branding clients to build a powerful and credible online reputation.