The truth is that no content management system is 100% secure. Despite continuous improvements in the core software and related extensions/plugins, there is always a slight possibility of your website or web application's security being compromised. There are a number of ways to hack into a system: remote access, brute force, SQL injection, DDoS, etc.
Magento, one of the most popular eCommerce platforms in the world, powering roughly 29% of eCommerce stores (followed by WooCommerce and Shopify), is no stranger to such attacks either. The security team at Magento is continuously working towards making Magento as secure as possible, as is evident from the launch of Magento 2, which has led to tremendous improvements from a security point of view. These improvements address 20 potential vulnerabilities, including remote code execution, information disclosure / leakage, cross-site scripting, etc.
Here are some recommendations that our team of Magento developers has put together that may be useful for Magento store owners:
- Use HTTPS instead of HTTP - This can be done by simply getting an SSL/TLS certificate for your website. What this essentially means is that your users will always be connected to the server via a secure (encrypted) connection. If you have an existing eCommerce store, it is best to talk to your eCommerce developer before undertaking this change, as you will need some technical knowledge to make the switch.
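Getting the certificate installed is only half of the switch: the store itself must be told to build its URLs with https:// and the web server must stop serving plain HTTP content. The script below is an added example, not code from the original post or from Magento; it assumes it is run from the Magento 2 root, that `bin/magento` is available (the `MAGENTO_BIN` variable exists only so the commands can be exercised with a stand-in), and that nginx fronts the store. The configuration paths under `web/secure` are Magento 2's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): force HTTPS on a Magento 2 store.
# Assumptions: run from the Magento root; MAGENTO_BIN points at bin/magento
# (overridable so the commands can be exercised with a stand-in); the TLS
# certificate is already installed on the web server.
MAGENTO_BIN="${MAGENTO_BIN:-bin/magento}"

# Reject anything that is not an https:// URL ending in a slash, so a typo
# cannot quietly switch the store back to plain HTTP.
validate_secure_base_url() {
  case "$1" in
    https://*/) return 0 ;;
    *) echo "base URL must look like https://shop.example.com/ (got: $1)" >&2; return 1 ;;
  esac
}

# Point both the "unsecure" and "secure" base URLs at HTTPS, enable HTTPS for
# the storefront and the admin, and switch on HSTS and upgrade-insecure-requests
# so browsers never fall back to HTTP even for hard-coded http:// links.
enforce_https() {
  base_url="$1"
  validate_secure_base_url "$base_url" || return 1
  "$MAGENTO_BIN" config:set web/unsecure/base_url "$base_url" &&
  "$MAGENTO_BIN" config:set web/secure/base_url "$base_url" &&
  "$MAGENTO_BIN" config:set web/secure/use_in_frontend 1 &&
  "$MAGENTO_BIN" config:set web/secure/use_in_adminhtml 1 &&
  "$MAGENTO_BIN" config:set web/secure/enable_hsts 1 &&
  "$MAGENTO_BIN" config:set web/secure/enable_upgrade_insecure 1 &&
  "$MAGENTO_BIN" cache:flush
}

# Emit an nginx server block that answers plain HTTP only with a permanent
# redirect to HTTPS, so no page content is ever served unencrypted.
http_redirect_vhost() {
  printf 'server {\n    listen 80;\n    server_name %s;\n    return 301 https://%s$request_uri;\n}\n' "$1" "$1"
}

# Usage:
#   enforce_https https://shop.example.com/
#   http_redirect_vhost shop.example.com > /etc/nginx/conf.d/redirect-to-https.conf
```

After changing the base URLs, open the store and the admin in a private browser window to confirm nothing is still loaded over plain HTTP (mixed-content warnings in the browser console are the usual sign that an image or script URL was hard-coded).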
- Update the Environment Regularly - This includes upgrading the Magento core software, installing the latest security patches, upgrading extensions and upgrading the server.
- Protect the Admin Panel - Admin panels are always susceptible to brute-force attacks, and there are plenty of steps that can be taken to reduce the likelihood of such attacks succeeding. Some of these include:
  - Changing the Admin URL
  - Using Two-Factor Authentication
  - Restricting Access to the Admin Panel by IP Whitelisting
  - Using Strong Passwords and Changing them Regularly
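The four admin-panel measures above can all be applied from the command line. The script below is an added example and not code from the original post or from Magento: it moves the admin panel to a custom path, turns on Magento 2's account lockout, password expiry and session settings, forces two-factor authentication (this assumes Magento 2.4+, where the Magento_TwoFactorAuth module is bundled), and generates an nginx `location` block that lets only whitelisted addresses reach the admin path. `MAGENTO_BIN` is overridable purely so the commands can be exercised with a stand-in; the IP addresses in the usage line are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): harden the Magento 2 admin panel.
# Assumptions: run from the Magento root; MAGENTO_BIN overridable for testing;
# nginx in front of PHP-FPM; Magento 2.4+ for the bundled Magento_TwoFactorAuth.
MAGENTO_BIN="${MAGENTO_BIN:-bin/magento}"

# A custom admin path must be non-default and contain only characters that are
# safe in a URL segment; "admin" and "backend" are what a scanner tries first.
validate_admin_path() {
  case "$1" in
    ""|admin|backend|administrator) return 1 ;;
    *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Move the admin panel, lock accounts after repeated failures, force periodic
# password changes, forbid shared admin sessions, shorten idle sessions and
# require a Google Authenticator code on every admin login.
harden_admin() {
  admin_path="$1"
  validate_admin_path "$admin_path" || { echo "refusing weak admin path: '$admin_path'" >&2; return 1; }
  "$MAGENTO_BIN" setup:config:set --backend-frontname="$admin_path" -n &&
  "$MAGENTO_BIN" config:set admin/security/lockout_failures 5 &&
  "$MAGENTO_BIN" config:set admin/security/lockout_threshold 30 &&
  "$MAGENTO_BIN" config:set admin/security/password_lifetime 90 &&
  "$MAGENTO_BIN" config:set admin/security/password_is_forced 1 &&
  "$MAGENTO_BIN" config:set admin/security/admin_account_sharing 0 &&
  "$MAGENTO_BIN" config:set admin/security/session_lifetime 900 &&
  "$MAGENTO_BIN" config:set twofactorauth/general/force_providers google &&
  "$MAGENTO_BIN" cache:flush
}

# Emit an nginx location block that only lets the listed addresses reach the
# admin path; every other client gets a 403 before PHP is ever invoked.
admin_ip_allowlist() {
  admin_path="$1"; shift
  printf 'location ~* ^/%s {\n' "$admin_path"
  for ip in "$@"; do
    printf '    allow %s;\n' "$ip"
  done
  printf '    deny all;\n    try_files $uri $uri/ /index.php$is_args$args;\n}\n'
}

# Usage (addresses are constructed placeholders):
#   harden_admin ops_console_7f3a
#   admin_ip_allowlist ops_console_7f3a 203.0.113.10 198.51.100.0/24 > /etc/nginx/conf.d/admin-allow.conf
```

The nginx block belongs inside the store's `server {}` context before the catch-all `location /`; keep the list of allowed addresses short and review it when staff change, since a stale entry is an open door.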
- Use SFTP to transfer files to and from the server - FTP password interception is another technique used by hackers to gain access to a system. SFTP, which stands for SSH File Transfer Protocol or Secure File Transfer Protocol, is a separate protocol packaged with SSH that works in a similar way to FTP, but over a secure connection. The advantage is the ability to use a secure connection to transfer files and traverse the file system on both the local and remote servers.
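Switching the tool from `ftp` to `sftp` is not enough on its own: a script that accepts any host key, or that still authenticates with a password, gives back some of what SFTP is meant to buy. The following is an added example (not from the original post) of an upload helper that uses an SSH key, pins the server's host key in a dedicated known_hosts file, and runs in batch mode so a failed transfer is reported as a non-zero exit status. It assumes the OpenSSH client is installed and that the server's host key was recorded in `KNOWN_HOSTS` out of band; `SFTP_BIN` is overridable only so the helper can be exercised with a stand-in.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): push a file to the store server
# over SFTP with key-based auth and a pinned host key. Assumptions: OpenSSH
# client installed; SFTP_BIN overridable for testing; the server's host key
# has already been recorded in $KNOWN_HOSTS out of band.
SFTP_BIN="${SFTP_BIN:-sftp}"
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/magento_known_hosts}"

# Refuse plain ftp:// targets outright: the whole point is that credentials
# and file contents never cross the wire in clear text.
reject_plain_ftp() {
  case "$1" in
    ftp://*) echo "plain FTP target refused: $1" >&2; return 1 ;;
  esac
  return 0
}

# Upload LOCAL_FILE into REMOTE_DIR on user@host using a private key, batch
# mode (no interactive prompts, non-zero exit if any command fails) and strict
# host-key checking against a dedicated known_hosts file. Password
# authentication is disabled so a mistyped host can never be phished for one.
sftp_upload() {
  key="$1"; target="$2"; local_file="$3"; remote_dir="$4"
  reject_plain_ftp "$target" || return 1
  [ -r "$local_file" ] || { echo "no such file: $local_file" >&2; return 1; }
  batch=$(mktemp)
  printf 'cd %s\nput %s\nbye\n' "$remote_dir" "$local_file" > "$batch"
  "$SFTP_BIN" -b "$batch" -i "$key" \
    -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="$KNOWN_HOSTS" \
    -o PasswordAuthentication=no \
    "$target"
  status=$?
  rm -f "$batch"
  return $status
}

# Usage (hostname and paths are constructed placeholders):
#   sftp_upload ~/.ssh/deploy_key deploy@shop.example.com \
#     app/etc/config.php /var/www/magento/app/etc
```

With `StrictHostKeyChecking=yes` the transfer fails instead of prompting when the server's key is unknown or has changed, which is the behaviour you want from an unattended deploy script: a changed key should stop the job and be investigated, not clicked through.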
- Take Backups Regularly - If things do go wrong, backups can be your saving grace. It is important that you take backups of the entire setup, including the database, on a daily basis. Some hosting companies provide this as part of the hosting plan, but you can always use an extension to complete a backup. Backup Guard Lite and MagePlace Backup Extension are two options you can look at.
- Use a Magento Security Extension - There are plenty of extensions available for Magento that provide protection against commonly known attacks. Some of these include:
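Whether the backup comes from the host, an extension or a cron job, the parts that matter are the same: files and database both captured, every archive verified straight away, and old copies pruned so the disk does not fill up and silently stop the job. The script below is an added example, not code from the original post or from either extension named above. It assumes `MAGENTO_ROOT` is the store's document root, that MySQL credentials live in an option file (`MYSQL_DEFAULTS`, mode 600) so no password ever appears on the command line, and that GNU tar, gzip and sha256sum are available.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): daily backup of a Magento store
# with integrity check and retention. Assumptions: MAGENTO_ROOT is the store's
# document root; DB credentials are in a mysql option file (MYSQL_DEFAULTS,
# mode 600); GNU tar, gzip and sha256sum are installed.
MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"
MYSQL_DEFAULTS="${MYSQL_DEFAULTS:-/root/.my.cnf}"

# Archive code, media and configuration. Caches, sessions and generated code
# are rebuilt on deploy, so they are excluded to keep the archive small.
# Prints the path of the archive it wrote; a checksum file sits beside it.
backup_files() {
  src="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  name="files-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$dest/$name" \
    --exclude=./var/cache --exclude=./var/page_cache \
    --exclude=./var/session --exclude=./generated \
    -C "$src" . || return 1
  (cd "$dest" && sha256sum "$name" > "$name.sha256") || return 1
  echo "$dest/$name"
}

# Consistent InnoDB snapshot without locking the store for the duration.
# The dump is written first and compressed afterwards so a mysqldump failure
# is not hidden behind gzip's exit status. Prints the path of the dump.
backup_db() {
  dbname="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  name="db-$stamp.sql"
  mkdir -p "$dest"
  mysqldump --defaults-extra-file="$MYSQL_DEFAULTS" --single-transaction \
    --routines --triggers "$dbname" > "$dest/$name" || return 1
  gzip -f "$dest/$name" || return 1
  (cd "$dest" && sha256sum "$name.gz" > "$name.gz.sha256") || return 1
  echo "$dest/$name.gz"
}

# A backup that cannot be restored is not a backup: check the checksum and
# make sure the archive is at least structurally readable.
verify_backup() {
  dir=$(dirname "$1"); name=$(basename "$1")
  (cd "$dir" && sha256sum -c "$name.sha256" > /dev/null 2>&1) || return 1
  case "$name" in
    *.tar.gz) tar -tzf "$1" > /dev/null 2>&1 ;;
    *.sql.gz) gzip -t "$1" 2>/dev/null ;;
  esac
}

# Keep KEEP_DAYS days of backups; older archives and their checksums go.
prune_backups() {
  find "$1" -maxdepth 1 -type f \( -name 'files-*' -o -name 'db-*' \) -mtime +"$2" -delete
}

# Usage (from cron, once a day; database name is a constructed placeholder):
#   dest=/backup/magento
#   f=$(backup_files "$MAGENTO_ROOT" "$dest") && verify_backup "$f"
#   d=$(backup_db magento "$dest") && verify_backup "$d"
#   prune_backups "$dest" 14
```

Copy the verified archives off the web server (object storage or a separate host) so that an attacker who gains write access to the store cannot also destroy its backups, and restore one into a staging environment periodically to prove the procedure works end to end.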
  - MageFence
  - Sucuri
  - TotalSecurity
Hope you find this information useful!