4 Steps to Improve Your Magento Store Security

Foregenix is a cyber security specialist, with a strong focus on eCommerce security.  Over the years we have assisted a great number of websites to recover from being hacked by criminals intent on stealing their customer payment data - credit card data with PII is very valuable and drives a large part of the global fraud carried out by the criminal underworld.

Our mission is to make cyber space safer for everyone.

Magento and Hackers

The most targeted eCommerce platform over the last few years has been Magento - both Magento 1 and 2. (See the latest eCommerce ThreatScape Report for more info)

Why?

Magento is the platform of choice for successful online businesses that are growing, requiring a more complex set of functionality and capability.  

However, if not managed well, Magento can be an easy target for criminals. 

Think about it…. High volume of transactions, vulnerable website = little effort to break in, high reward for criminals.

How to secure a Magento website?

There are 4 key steps that we recommend to all of our Magento clients - here they are:

1. Update your software - this applies to your Magento store as well as the various connected services/plugins/widgets that you may use on your site.  Security updates are frequent and very important to deploy quickly.  When Adobe/Magento release an update, it is usually because there is a serious issue that needs fixing - if you want to avoid becoming a victim of the same issue, upgrade quickly.  One way to provide additional security while you're figuring out your upgrade (we understand that upgrades can sometimes be complex and time-consuming) is to use a well-configured Web Application Firewall to protect your website.

2. Create a custom admin path - Attackers often begin their attack by utilizing automated reconnaissance techniques that look for websites using Magento and then look at the configuration of the site.  If the site was set up with standard - out of the box - configurations, the Admin login page is usually in the default location of www.yoursite.com/admin - this makes a brute force attack on username/password combinations simple to automate and crack into the website. In fact, automating this whole process is easy.  By changing your Admin Path from yourwebsite.com/index.php/admin or yourwebsite.com/admin to yourwebsite.com/store/’something-else’, the attackers will need to work much harder to locate your admin page for attack.   In fact, you are automatically no longer in the "low hanging fruit" or easy target category and far less likely to become a target.

3. User Management, Passwords and 2 Factor Authentication

   First of all, a regular review of users with Admin privileges is a key part of good cyber hygiene practices.  Anyone not needing Admin should have those access privileges removed.
   
   Secondly, every user should have their own username and strong, unique, complex password. No sharing of accounts, please!  This way, if one of the accounts does get compromised, it is easy to identify the malicious changes made by a criminal (obviously this is easy only if you are tracking changes, which you should be doing anyway for PCI DSS Compliance).   Use a password manager to store your passwords and help generate complex, unique passwords.
   
   Thirdly, using 2 Factor Authentication makes your login process SIGNIFICANTLY more secure and robust. 2 Factor Autentication is simple to activate on Magento and is HIGHLY recommended.  Getting this implemented is a major win for your Magento store security and risk posture.

4. Proactive Website Malware Detection - Malware is a term for software used by criminals to conduct their PII and payment card theft (malicious software). Of all the websites we assist following a breach, over 90% had website malware introduced into their website to:

   - Provide a back door for later access.

   - Load up other malicious software.

   - Enable stealthy reconnaissance.

   - Provide interactive access for the attackers.

   - Skim credit card data.

   - Steal personal data.

   - All of the above…

   
   How do you monitor your site for Malware?
   Well, Adobe provides a security scan, which is reasonably good.  We'd recommend using this, particularly as it is free and provided by the software vendor.  
   
   We also recommend using our free Magento Malware Scanner - ThreatView. 
   
   ThreatView has all of the latest malware from our forensic and threat intelligence groups - a high proportion of the malware we encounter through our forensic practice has not been seen before (and therefore is not in the normal industry security scanners yet). 
   
   We take the new malware identified in our forensic practice, fingerprint it and add it to ThreatView, so that we are able to protect our clients and enable the industry to detect it using our free service.
   
   You can check your site security status now here: 
   
   
   Can anyone use our ThreatView scanner - YES.  However, as we provide sensitive security information to the recipient of the scan, we require an email address so that we can validate who is requesting the scan (we do this by checking the company and person) - we don't want to be sending this sensitive info out to criminals to make their job easier!
   
   If you're looking for ongoing threat monitoring of your website, you can sign up for our ThreatView Community tier - again this is free - and you will have access to the latest threat detection capabilities.

Getting the fundamentals right for your Magento Store Security is critical in running a successful online business using Magento.  These are the 4 keys steps you can take to secure your Magento website:

1. Update your software
2. Create a custom Admin Path
3. User Management, Passwords and 2 Factor Authentication
4. Website Malware Detection - Use a Magento Security Scanner to monitor your website security.

Let's dive in to each of these 4 key steps.