Magento Security Tips - What Can You Do To Protect Your Website?
The eCommerce sector has seen significant year-on-year growth over the last 5 years. With that growth, the world's most popular eCommerce platform, Magento, has seen seen rapid growth too (currently 26% marketshare globally).
With popularity comes a downside - Magento websites are increasingly becoming the target of attacks by criminals .
Over 60% of breached eCommerce websites assisted by our team in 2016 were Magento-based websites.
In our experience, the biggest issues behind these Magento website breaches relate to the way the websites are set up, managed and secured.
So, here's our key Magento security tips to help you protect your website:
1. Update your software
There are multiple reasons to use Magento as a platform; the framework makes the building and maintenance of highly effective, high growth eCommerce businesses far simpler and considerably more scalable than bespoke websites. It arguably offers the greatest amount of supporting extensions for eCommerce websites out of all the platforms.
To ensure your website remains secure as your business grows, it is essential to use up-to-date versions of Magento – and that you update as soon as a patch is issued. Remarkably, huge numbers of websites are hacked daily simply by not using the latest software. Unless you’re using a WAF (Web Application Firewall) to protect your website, you need to update as soon as patches are are released.
2. Create a custom admin path
Attackers often begin utilizing automated techniques that look for standard configurations, then initiate brute force attacks on username/password combinations. By changing your Admin Path from yourwebsite.com/index.php/admin or yourwebsite.com/admin to yourwebsite.com/store/’something-else’, the attackers will need to work much harder to locate your admin page for attack.
We would highly recommend you create a very strong, complex, unique password to access your admin interface. So how are you supposed to remember long, unique and complex passwords? We recommend using a password manager (LastPass, 1Password, KeePass), which will make your password management significantly easier.
Even better than username/password would be to use two factor authentication. This uses your username, something you know (password) and something you have (eg Google Authenticator on your phone). There are a few very good Magento extensions available on the Magento Connect marketplace that could be used to implement two factor authentication on a Magento website.
Malware is a term for various software used for criminal activity (malicious software). Of all the websites we assist following a breach, over 90% had malware introduced into their website to:
- Provide a back door for later access.
- Load up other malicious software.
- Enable stealthy reconnaissance.
- Provide interactive access for the attackers.
- Steal credit card data.
- Steal personal data.
- All of the above…
Some malware is detectable by doing an external scan; however, most malware we’ve encountered is well hidden – evading detection by even some of the most vigilant web admins. We advise daily checks using an advanced malware detection solution.
5. File change monitoring
One of the first signs you’ve been compromised is when files start being introduced, changed or deleted. In the daily management of a busy site, it may be tricky to identify when changes are made by an attacker without the technology to monitor for changes. Monitoring the changes that take place on your website is an essential step in detecting malicious activity and can be done very effectively.
6. Manage your users
If you have multiple users logging into your website – and most websites do – then this applies to you. It’s essential that you:
- Have a unique set of credentials for each user.
- Know each user.
- Assign the appropriate permissions to them for their role within your business. For example: if you grant escalated privileges to a user temporarily, ensure that you reduce their privileges once they’ve completed their work. Do not allow sharing of accounts – make sure you understand exactly who is doing what on your website so that you can correlate users with all log data collected from your website.
7. Disable directory indexing
Disabling directory indexing makes it more challenging for criminals to work out how to access your Magento core files. Similar to the strategy suggested for adding a custom path, if you make it more challenging for criminals to traverse your website looking for the chinks in your armour, they are more likely to move on to easier targets.
8. Disable/secure your admin RSS feeds
One of the features of Magento is the ability to provide RSS feeds. RSS, or Really Simple Syndication, is an XML-based data format that is used to distribute information, so customers can subscribe to feeds to learn of new products and promotions. Magento also provides an RSS feed for site administrators to quickly check on new orders, newly posted product reviews and to check on stock levels. In Magento the administrative RSS feeds are located at:
To prevent unauthorised access to these feeds, Magento employs a simple authentication box requesting a username and password, the same credentials for the Magento administration pages. Once authenticated, Magento will display (for example) details of new orders with a link to the corresponding order which, when clicked, will take the user into the Magento administration area. Magento should again ask the user to enter the same username and password in another login box before taking them to the site.
This system is vulnerable because an attacker can conduct a ‘brute force’ or ‘dictionary’ attack on the initial RSS login box, trying numerous combinations of usernames and password until the correct credentials are guessed. If the username and passwords are complex then this attack can be rendered impractical, but simple usernames and passwords can mean a site is quickly compromised.
Whilst creating a custom Admin Path (as per point 2 above) can make it a lot harder for attackers to identify the Magento admin area, if the RSS pages are compromised, they will provide links to the (hidden) administration area in any case.
On newer versions of Magento this functionality is disabled by default, but in many instances RSS feeds may have been enabled even if not in use, providing a useful surface for attackers.
We would recommend that RSS is disabled if not in use or that, if the administrative feeds are required, access to them is restricted by IP address.
9. Magento extension security
Magento is the world leader in eCommerce platforms and there are a pethora of Magento extensions to do almost anything you want on your website. This provides hugely powerful functionality for online businesses, but it also creates a significantly greater security challenge. Often there are competitive extensions offering very similar functionality – how do you select the more secure option?
The first things to look for are extensions that are actively being developed with regular release cycles. Most extension-related security situations arise when extensions are found to be insecure and can result in the website getting hacked. If you’re using one of these extensions, you need to be sure that the developers are working to fix the security issue so that you can update the extension and carry on with business – without getting hacked. Therefore active development teams are key to the decision on which extensions to use. If an extension has not been updated in a long time, that could be the clue you need to avoid it.
The second tip for extensions is to only download them from legitimate sources – validate the sources before you download the extension. Magento Connect has a huge number of validated extensions available to make your life easier.
Monitoring, reviewing and storing a log of all activity on your website is key to detecting attacks and enabling you to defend yourself. If you handle payment card data (and most Magento sites would fall into this category), you need to be analyzing this data (at least) daily to identify threats. You also need to store at least 12 months of security log data to meet Payment Card Industry Data Security Standard requirements.
Our FGX-Web solution provides log collection, analysis and alerting in accordance with PCI DSS requirements (along with a host of other security controls for your website).
11. Monitor for unprotected credit cardholder data
Most e-commerce domains are set up to handle transaction data securely – often using a secure payment service from a payment service provider. However, considering that payment cardholder data is highly valuable to a criminal, many websites continue to fall victim to payment cardholder data theft.
These attacks, usually involve malware, changes to a website and unusual system behavior. All of which should be picked up with other layers of detection and defense. However, if perpetrators do manage to evade detection and they're able to extract transaction data, usually they’ll store the data in a file somewhere within your site. The file is used to harvest data later, often this card payment information is awaiting extraction unencrypted.
A regular “PAN scan” of file systems and databases for unprotected credit cardholder data will identify these files ready for exfiltration and alert you to the issue.
12. Use an advanced Web Application Firewall (WAF)
Research from the Foregenix Digital Forensic and Incident Response team over the previous 10 years found 95% of all hacked e-Commerce businesses have fallen victim to one of three major threats:
- SQL Injection
- Application Vulnerability Exploits
- Injected code (malware)
A properly configured, managed WAF protects you against these attacks. A WAF will provide a website with “virtual patching” when a zero day vulnerability is released. This protection will buy a web admin time to test the patch and then update the system in their own time, knowing that the site is being protected and monitored.
Our FGX-Web solution provides an advanced WAF for start up websites through to large transactional eCommerce websites. Contact us if you would like to find out how we can help to protect your website.
Unfortunate things happen to us all. Data gets corrupted, data gets lost. Most online businesses who get in touch with us for help do not have a decent back up strategy in place, making the process of getting a hacked website back in business a far greater challenge than it should be.
Back ups should be automated (to avoid people forgetting to do them) and kept offsite. Back ups kept on the webserver could be corrupted and/or hacked themselves/infected with malware. Offsite is best and there are a plethora of back up services offered for Magento websites where this can be done easily via Amazon, Dropbox and so on.
Remember this: having an up-to-date back up can help you get your business back up and running quickly.
14. Test and test again
Your business is growing and changing – attacks are morphing and changing too. The internet is a dynamic, evolving entity and the threats are constantly changing. Regular security testing will help you to keep abreast of those threats, stay current and informed.
There are two recommended approaches for security testing:
- Vulnerability scanning – (generally) a non-intrusive method that involves sending traffic, queries and specific requests to the website to test if vulnerabilities exist. This should be carried out at least once per quarter, it’s cheap and can be automated.
- Penetration testing – more in-depth testing process than vulnerability scanning, carried out by a specialist company who mimics or emulates the behavior of attackers. It’s recommended that penetration testing is carried out at least annually, while it’s more expensive than vulnerability scanning, it’s overall effectiveness makes it well worth the investment, even for small businesses.
Keeping your website secure is a critical foundation for building and growing a successful online business - data breaches are expensive and hugely disruptive and best avoided.
Please use our free Magento Security scan if you’re unsure of the security posture of your website.