10 steps to maximize Magento security

Published in

creativestyle

5 min readJan 8, 2019

Open Source Software is great because it’s free and the source code is available for everybody. This gives you a lot of flexibility, fast time to market and low cost of ownership. But like with every software you need to keep it up to date and adjust the configuration to retain it as secure as possible.

Magento is the leader for eCommerce platforms among all Open Source solutions according to Gartner. It was also the most contributed PHP repository on GitHub in 2017.

The more popular a solution is, the more attention you should pay to security.

The bare Magento 2 (without third-party extensions) is on a very good security level by default. However, there are some recommendations on how to enhance security even more.

In the following document, we’d like to show you 10 steps how to secure your Magento webshop to a maximum.

#1 Keep Magento and server software up to date

You probably update your iOS or Android frequently to have access to the newest features and increase the security of your smartphone. You should do this with every software, especially your e-commerce software containing business and personal data. Keep in mind that by the GDPR regulation you’re obligated to protect personal data and apply security patches as fast as possible.

If you are not sure about the status of your Magento version and the applied patches, we’ll recommend the free Magento security report by magereport.com

Updating Magento itself is very important but it’s only a piece of the puzzle. The infrastructure consists of much more software and it also needs to be kept up to date. Preferably use a stable, Long Term Support release of your server operating system and apply upgrades regularly. Do not forget about software that did not come from the official operating system repositories if you use any.

#2 Magento Security Scan Tool

Since Magento 2 you have access to an official security scan tool by Magento. It will monitor your Magento sites for security risks, update malware patches, and detect unauthorized access.

You’ll find the tool and an overview of all patches here: https://magento.com/security

We recommend doing the security scans at least once a week.

#3 Default Admin URL

Every admin panel of Magento is accessible through the default URL slug /admin

It’s easy for bots and brute force tools to get access to your admin login screen and try to submit all kind of login and password combinations.

Therefore it’s highly recommended, to change the URL of your admin panel in the Magento settings to something unique like /admin_secure42. This way you keep away all the hack bots from your admin login form.

#4 reCAPTCHA

But what in case somebody figured out your custom admin panel URL? You can keep away robots with Googles developed reCAPTCHA, which is recognizing if the user is a human.

To install reCAPTCHA for your Magento site we recommend the following package from GitHub: https://github.com/magespecialist/m2-MSP_ReCaptcha

#5 2FA

Two-factor authentication (2FA) is a method of confirming users’ identities by using a combination of two different factors like your password and a one-time token. It is recommended to use 2FA for every platform which supports it like Social Media, Communicators and Online Banking.

You should also install 2FA for Magento. Just follow the steps in the official Magento documentation.

#6 IP Restriction

In case you implemented the previous points your admin panel is pretty much secure from unauthorized access. Well done. To maximize the security of your Magento admin panel there is still one more step you can go. Restrict access on your admin URL by only trusted IPs like your office or home.

There are a couple ways how to restrict access for specific IPs. One way is to install the IP Restriction package from the MSP Security Suite for Magento 2.

#7 Trusted Extensions

Magento has the biggest developer community among all e-commerce platforms. It accelerates the development of Magento core features but also gives access to thousands of extensions developed by third-party developers. This is great but you should keep in mind, that not every developer consider performance and security as the highest priority. Be careful about evaluating which extensions and vendor you allow in your Magento shop.

We recommend making a code audit and security scan of each extension you are considering to install.

Keep also in mind to update your extensions frequently — same as you should do with Magento and your server architecture. The more extensions you use the more effort you will have for maintaining your extensions. Don’t overuse extensions, otherwise, you will struggle with keeping your environment up to date.

#8 HTTPS

Secure connection is a must nowadays, however, there’s more to it than meets the eye. Make sure you drop support deprecated TLS protocol versions, weak ciphersuites and features that have known vulnerabilities. Use a modern configuration suggested by industry experts.

A good starting point is Mozilla SSL Configuration Generator and Qualys SSL Labs Server Test for checking your setup.

#9 Server access restriction (Firewall)

Automated server attacks are the norm and are happening all the time. Having strong authentication is not enough as software can be exploited in many ways — new ones are discovered every day. A default firewall setup which blocks all server access by default except for whitelisted IP addresses is highly recommended.

#10 Web Application Firewall

Magento developers are working hard to make sure it’s secure and free of bugs, however, it’s impossible to find or predict all issues at this level of complexity. Using a Web Application Firewall, which detects and blocks suspicious usage patterns, will shield you from many of the yet undiscovered vulnerabilities.

Whether you’re using Apache HTTP Server or nginx you will want to look at Modsecurity as it’s the most popular solution with biggest community support. Always start in permissive mode and examine the logs for any false positives to avoid breaking functionality of your application.

By following the aforementioned steps you maximized the security of your Magento installation and brought it up to the enterprise level. Make sure your development team or agency took care of the mentioned actions and define a budget for them to maintain security constantly.

For further Magento 2 enhancements, we invite you to check out our Magento 2 Suite on GitHub: https://github.com/magesuite