19 Magento Security Steps to Secure your website
Securing a Magento website is essential for any e-commerce business looking to protect itself from cyber threats. With online stores becoming prime targets for hackers, it’s more important than ever to safeguard customer data, financial transactions, and your brand’s reputation.
According to recent studies, around 317.59 million incidents of cyberattacks were recorded in 2023 alone, with nearly half all cyberattacks targeted at small businesses. The cost of a data breach can average over £4 million, causing devastating damage to both revenue and customer trust, highlighting the critical need for robust security measures.
Whether you’re an e-commerce owner, developer, or managing an online store, understanding how to secure your Magento website is vital. This guide will provide you with practical steps and industry best practices to fortify your site against potential vulnerabilities, keeping your business safe and compliant with security standards.
Below is a breakdown of the main sections of this guide.
Admin Protection
The Magento admin panel is the control centre of your website allowing you to manage products, customers, and orders. As the heart of your e-commerce store, ensuring that the admin panel is secure is essential to prevent unauthorised access, data breaches, and potential loss of revenue. Cyber attackers often target admin areas because gaining access can compromise your entire website.
As a Magento development agency, we know this and have provided practical steps to protect your Magento admin, helping you fortify this critical part of your website against potential threats.
Contact us on +44 0115 778 6950 or email us at info@autify.co.uk to discuss the security of your Magento website.
1. Change Admin Username
One of the first steps to strengthen the security of your Magento store is to change the default admin username.
The Magento platform often uses easily guessable defaults like “admin” as the username, which makes your admin panel vulnerable to brute-force attacks.
Avoid using easily identifiable names such as your own name, business name, or anything obvious. Instead use a unique, hard-to-guess, and random username, and regularly update your username to reduce the risk of unathorised access. Below is how you change your admin username.
- Log into your Magento admin panel.
- Navigate to Account Setting.
- In the ‘User Name’ field, enter a new, unique username.
- Save the changes to secure your admin credentials.
2. Change Admin URL
Changing the default admin URL is one of the simplest and most effective ways to enhance Magento admin security.
By default, Magento uses predictable URL structures like “/admin” or “/backend”, which can easily be targeted by hackers attempting cyberattacks.
Changing this URL to something unique and challenging-to-guess makes it significantly more difficult for attackers to locate the admin login page.
To update the admin URL, you can either modify the env.php file in the app/etc/ directory or use Magento’s configuration settings. It’s crucial to choose a custom URL that isn’t obvious and bookmark it for future access.
While this measure alone may not guarantee full protection, it adds an additional layer of security by obscuring your admin login page from unathorised users.
3. Use Two-Step Verification for Magento Login
Two-step verification, also known as two-factor authentication (2FA), adds an additional layer of security to your Magento admin login.
By requiring a secondary method of authentication such as a code from a mobile app or a hardware token, even if someone steals your password, they will still be unable to access your admin panel.
Magento offers built-in support for 2FA allowing you to integrate providers like Google Authenticator, Duo, or U2F keys.
Enabling 2FA helps reduce the risk of cyberattacks and other hacking attempts ensuring that only trusted users with the correct credentials can access sensitive data in your store’s backend.
By adding this extra layer of protection, you can greatly enhance your store’s security and minimise vulnerabilities from compromised login details.
4. Use IP Whitelisting
Securing your Magento admin panel with IP whitelisting or browse auth is a highly effective way to prevent unathorised access.
By allowing only specific IP addresses to access the backend, you can greatly reduce the chances of malicious users reaching your admin login page.
This method not only helps block potential attacks but also prevents crawling the development/staging environment by search engines.
Please ensure you keep the list of authorised IP addresses up to date, especially if team members’ IPs change due to remote work – you could even use a VPN with a company IP address to simplify things.
5. Use Strong Passwords
Creating strong passwords is a critical step in safeguarding your Magento store from brute-force attacks and unauthorised access.
A secure password should include a combination of upper- and lower-case letters, numbers, special characters, and ideally be at least 12 characters long.
Avoid using easily guessable information like names, dates, or simple number sequences. Instead, opt for complex, unique passwords that reduce vulnerability.
To manage complex passwords securely, I advise using a password manager such as Bitwarden, which allows you to store and generate strong passwords effortlessly, which is something I have mentioned before in our previous blog post on security essentials for SMEs.
This helps prevent reusing passwords across multiple platforms, further strengthening your security posture.
6. Limit Login Attempts for Admin
Restricting the number of failed login attempts can help stop unapproved users from continuously guessing passwords.
This yet again adds an extra layer of security by locking out accounts after a predefined number of incorrect attempts.
Magento provides built-in settings to configure these limits. To enable this feature in Magento 2.x navigate to Stores > Settings > Configuration, then expand the Advanced > Admin section and adjust the security settings accordingly.
Implementing such limits, along with notifications for repeated login failures can help you stay informed of potential threats and take immediate action to protect your store.
7. Establish User Roles and Permissions
Assigning clear user roles and permissions is crucial for maintaining security and efficiency within your Magento store.
By following the principle of least privilege, you ensure users have only the access required for their tasks, reducing the risk of unauthorised changes or breaches.
For example, create specific roles for activities like order processing or product management without granting full admin privileges.
For everyday tasks such as order delivery or product updates, it’s advisable to use non-admin accounts, leaving full administrative access only for critical tasks. This not only helps in protecting sensitive areas of your website but also streamlines task management.
To configure roles, go to System > Permissions > Roles within Magento, and regularly review these roles to keep your store secure.
8. Implement Action Log
An action log records all significant admin activities, helping you monitor backend changes, identify potential security issues, and rectify errors swiftly.
Each action is logged with details such as the users involved, the type of modification, the time it occurred, and its impact on your store.
For enhanced management, these logs can be viewed in an organised grid format, and you can also set automatic clearance intervals to manage storage.
I recommend using extensions like Magento 2 Admin Action Log by Amasty or Mageplaza for real-time monitoring and automatic notifications to stay informed about critical changes or suspicious activity.
Basic Protection
Now that we’ve covered essential steps to secure the Magento admin panel, it’s time to shift focus to broader protective measures for your entire store. In the following sections, I explore these basic protection measures, which form the foundation of a secure Magento store.
9. Ensure your Store is PCI Compliant
Ensuring PCI compliance is essential for securing your Magento store and safeguarding customer payment data.
The Payment Card Industry Data Security Standard (PCI-DSS) outlines strict guidelines for handling, processing, and storing cardholder information. This compliance helps prevent data breaches and builds customer trust.
To achieve PCI compliance, Magento store owners must meet several security requirements including maintaining a secure network, encrypting cardholder data during transmission, regularly testing systems for vulnerabilities, and implementing access control measures.
It’s also important to use secure payment gateways and ensure that your Magento store is always updated with the latest security patches. Failing to meet PCI standards can lead to heavy fines, penalties, and potential damage to your brand’s reputation.
By following these guidelines, you’ll not only protect customer data but also maintain trust in your ecommerce operations.
10. Install an SSL Certificate
To protect sensitive data on your Magento store, installing an SSL certificate is a fundamental step. SSL (Secure Sockets Layer) or its updated version, TLS (Transport Layer Security), encrypts data transmitted between the user’s browser and your website, such as login credentials and payment information.
This encryption prevents data interception and ensures the secure transfer of sensitive details, boosting customer trust and meeting PCI DSS requirements.
To enable HTTPS on Magento, simply activate “Use Secure URLs” in the system configuration. SSL not only secures transactions but also helps SEO rankings since Google favours sites using HTTPS.
Services like Let’s Encrypt offer free SSL certificates making it easier to implement security and maintain PCI compliance.
This step is critical for safeguarding online transactions and ensuring the overall integrity of your e-commerce store.
11. Regularly Backup Your Data
A solid backup strategy ensures that in the event of a system compromise or crash, you can quickly restore your Magento site and avoid extended downtime or data loss. It’s important to back up not only your database but also your entire file system, including custom configurations and media assets.
Best practices include storing backups offsite to prevent them from being compromised alongside your main system, automating backups to ensure consistency, and maintaining multiple redundant copies for added safety.
Additionally, it’s wise to periodically test your backups to ensure they work properly and consider keeping snapshots from different time periods in case of data infection. By incorporating these strategies, you can mitigate the risk of data loss and ensure the continuity of your ecommerce operations.
12. Secure your Server
A secure server is crucial to safeguarding your Magento store, and this begins with selecting the right hosting provider. Managed hosting and cloud hosting services offer enhanced security and regular updates making them preferable over shared hosting, which can expose your site to vulnerability.
Managed cloud providers such as Sonassi and Akoova not only offer better resources but also provide regular server-level patches to defend against new and emerging threats.
Additionally, regularly updating our server’s operating system is essential, whether you use Linux or Windows servers.
Regular updates ensure that security vulnerabilities are patched, protecting against malware, data breaches, and other potential threats. Make sure to automate these updates or have a hosting provider that does this for you to keep your server secure without manual intervention.
Opt for managed hosting solutions that incorporate firewalls, intrusion detection systems (IDS), SSH key authentication, and SSH login only through a VPN/IP to provide an added layer of protection.
13. Ensure you have the Latest Version of Magento
Each new release of Magento includes important security patches that address vulnerabilities found in previous versions, protecting your Magento store from cyberattacks.
New versions also offer performance improvements, bug fixes and additional features that enhance your site’s stability and functionality.
Upgrading to the latest version of Magento not only improves your site’s security but also ensures compliance with industry standards like PCI DSS. Check out our detailed blog post on Magento upgrade best practices for a more comprehensive guide on safely upgrading Magento and minimising risks during the process.
14. Install Modules from Trusted Sources
When extending your Magento store’s functionality with third-party modules or extensions, it’s crucial to only install them from trusted sources. Poorly developed or insecure modules can introduce vulnerabilities, leaving your site exposed to cyberattacks.
Go with well-reviewed extensions from reputable marketplaces such as the official Magento Marketplace or recognised developers, and ensure they are frequently updated to comply with the latest security standards.
Regularly audit and update all installed modules to avoid potential risks. Deprecated or outdated extensions may have security flaws or compatibility issues that can jeopardise your store. Additionally, check for known vulnerabilities using tools like the Magento Security Scanner or community-driven databases, which help verify the safety of installed modules.
15. Establish File and Directory Permissions
Setting the correct file and directory permissions is another essential for safeguarding your Magento store against unathorised access and tampering. Files should typically have a permission of 644 and directories 755. These settings restrict access to the necessary users while keeping your site secure.
To further enhance security, avoid setting any file or directory permissions to 777 as this can grant excessive access making your site vulnerable to attacks.
Regularly audit and adjust permissions as needed, especially after installing new modules or making customisations. Following Magento’s recommended file permissions ensures your store remains secure and operational.
16. Enable Captcha in Login & Forms
Enabling CAPTCHA in your Magento store is a simple yet effective way to protect login pages and forms from bots and automated attacks. CAPTCHA works by verifying that a human is interacting with the website.
To enable CAPTCHA in Magento 2, go to Stores > Settings > Configuration > Advanced > Admin > Captcha and set it to “Yes.”. You can enable it for login, registration, and contact forms to prevent spam and brute-force attempts.
For a better and balanced user experience, use CAPTCHA only if you notice increased spam activity or carding attacks.
Advanced Protection
Now that I’ve covered the foundational steps for securing your Magento store such as enabling CAPTCHA and managing permissions, it’s time to delve into more advanced protection measures such as web application firewalls, code reviews, and more.
17. Use Automated Deployment
Automated deployment ensures efficient, secure updates to your Magento store by reducing manual intervention and the risk of human error.
By incorporating a Git workflow, you can manage code through version control, allowing you to test and review changes before pushing them live. This structured approach maintains the integrity of your codebase and streamlines deployments.
Tools like DeployHQ or Capistrano help automate the transfer of code from the repository to your server ensuring a consistent process. It’s crucial to control server access by granting only necessary permissions – ideally read-only for sensitive files like logs thus limiting who can make changes to the Magento environment.
18. Use Web Application Firewall
Web Application Firewalls (WAFs) act as a protective barrier between your website and external threats, filtering incoming traffic and blocking malicious requests. This can help safeguard against common web-based attacks like distributed denial-of-service (DDoS) attacks.
By monitoring and filtering traffic, WAFs prevent hackers from exploiting vulnerabilities in your website’s code. They are also instrumental in maintaining website performance during peak traffic periods, enhancing both security and stability.
For Magento store owners unable to immediately update their store, a WAF can virtually patch security flaws, offering temporary protection until official updates are applied.
Implementing a WAF also ensures that your Magento store complies with PCI DSS security standards. Popular solutions like Cloudflare, and Fastly (used in Adobe Commerce) provide robust options for securing your store.
19. Regularly Audit your Security and access log
Web security is a dynamic and ever-evolving industry with new vulnerabilities discovered and exploited regularly.
High severity flaws can arise on a weekly or monthly basis making it crucial to audit your security and access logs regularly to stay ahead of potential threats. The Magento Security Scanner is a great way to do weekly auditing.
I would also recommend regularly reviewing your Magento store’s code base as part of your audit to identify potential vulnerabilities before they can be exploited is also essential.
One valuable tool for this is Magento’s ECG tool, which scans your code for common security risks and coding issues, ensuring it follows Magento’s best practices.
Additionally, online resources like OSV Scanner provide vulnerability checks for open-source packages identifying security flaws in your dependencies. Similarly, tools like Sansec specialise in detecting malware and vulnerabilities in ecommerce platforms, offering robust protection.
Incorporating these scans into your security routine helps maintain a secure environment for your Magento store, catching vulnerabilities early and keeping your system protected.
While your agency or developer manages the website and should be doing everything to protect it, they shouldn’t have sole responsibility for the security of it or the server. Due to the fast-paced nature of security threats, it’s always best to work alongside an external service provider who specialises in web security and vulnerability patching but can also work with the agency.
Talk to Autify about your Magento Website
Securing your Magento store requires a multi-layered approach, from implementing basic measures like enabling CAPTCHA and setting appropriate file permissions to advanced strategies such as automated deployment, regular code reviews, and security audits.
By taking these precautions, you can safeguard your site from the ever-evolving threats in the e-commerce landscape.
If you’re looking for expert guidance on how to secure or improve your Magento website, we can help here at Autify Digital. While we don’t directly offer Magento security services, we have extensive knowledge and can point you in the right direction.
Contact us today by calling +44 0115 778 6950 or emailing us at info@autify.co.uk. You can also check out our Magento web design and development services to enhance your store’s performance and security.