Web production manager Neil Paterson offers his advice to e-commerce managers on how to prevent your Magento website from being hacked, with five actions to take to help secure your site.

More than 250,000 merchants, including some of the world’s largest e-retailers and leading brands, use a Magento platform for their websites. However, being the world’s number one e-commerce platform also makes it a prominent target for attackers. By taking the right steps to protect your site, you can prevent your online store from being hacked.

Make sure you follow these five tips to prevent your Magento site from being hacked. These principles generally apply to both Magento 1 and 2.

  1. Keep the Magento core up to date. Always apply core patches as soon as possible. Never modify the Magento core files directly, always test patches on a staging environment first, and be aware that any theme or extension files overriding core files may need to be updated manually.
  1. Don’t use /admin for your admin! Don’t use a URL such as brand.com/admin for your admin area – make sure to change this to something unique. Then, restrict key areas such as your admin URL and /downloader to a whitelist of IP addresses. This means potentially vulnerable areas can only be reached from approved locations; it can be an inconvenience, but it is worth it for the security of your site. Also, regularly check your list of admin users. If you see a name you don’t recognise, then chances are your admin panel has been breached. Finally, make effective use of roles. Only give users access to the areas they need and nothing more.
  1. Restrict file permissions. Keep these to the minimum you can. Only provide execute permissions where absolutely necessary and avoid 777 like the plague! For more on /var and /media permissions, see the Magento Q&A site.
  1. Use strong usernames and passwords. OK, this is basic stuff but it needs a mention – Password123 is not going to keep a hacker out. Take the time to create complicated passwords and usernames that are not easily guessable.
  1. Use reputable extension vendors and programmers. You’ve invested a lot of time and effort into creating your Magento site; don’t cut corners when customising it to your needs. When adding new functionality, use trusted extension vendors and programmers that make use of observers or interceptors rather than class rewrites.
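
As an added example that is not from the original article, the following POSIX shell script audits a Magento 1 document root for the world-writable and needlessly executable files that tip 3 warns about, then applies a least-privilege baseline. The `var`/`media` directory names, the `www-data` web server group and the 755/644 and 775/664 modes are assumptions for this example, not Magento’s official guidance; adjust them for your host and for the Magento 2 layout.

```shell
#!/bin/sh
# Least-privilege file permissions for a Magento document root.
# Assumptions (not from the article): the web server runs as group WEB_GROUP
# and only needs write access under var/ and media/ (Magento 1 layout;
# Magento 2 uses var/, pub/media/, pub/static/ and generated/ instead).
set -eu

WEB_GROUP="${WEB_GROUP:-www-data}"

# Report anything world-writable (the "777" the article warns against) and any
# regular file carrying an execute bit outside the few places that need one.
audit_magento_perms() {
    root="$1"
    find "$root" -perm -002 -print
    find "$root" -type f -perm /111 ! -path "$root/bin/*" ! -name "*.sh" -print
}

# Number of audit findings, so callers can gate on it (0 means clean).
count_magento_findings() {
    audit_magento_perms "$1" | wc -l | tr -d ' '
}

# Apply the baseline: directories 755, files 644 (PHP code needs no execute
# bit), and group-writable but never world-writable var/ and media/.
harden_magento_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for writable in var media; do
        [ -d "$root/$writable" ] || continue
        # chgrp is best-effort: the group may not exist on a dev machine.
        chgrp -R "$WEB_GROUP" "$root/$writable" 2>/dev/null || true
        find "$root/$writable" -type d -exec chmod 775 {} +
        find "$root/$writable" -type f -exec chmod 664 {} +
    done
}

# Usage: ./magento-perms.sh /var/www/magento
if [ -n "${1:-}" ]; then
    harden_magento_perms "$1"
    printf 'remaining findings: %s\n' "$(count_magento_findings "$1")"
fi
```

Run the audit function on its own first to see what would change; on a production host, run the hardening step from a deployment user that owns the files, not as the web server user.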

This is just a starting point. When it comes to keeping your website safe, there are many other factors to take into consideration. Consider your general website security and keep your technology stack up to date, including your operating system, web server and, in Magento’s case, PHP. Also, use SSL for the whole site, not just the admin area. And always use a reputable hosting company – one who provides a hardware firewall.

Finally, if you have any security concerns, use magereport.com to get a quick security status report on your online store.

Magento is a fantastic platform to work with, and is trusted by the world’s leading brands. Follow these steps to secure your e-commerce website. If you do have any security concerns, contact a trusted web development agency, such as ClickThrough, to keep your site safe and secure.


About the author:

Neil is ClickThrough's Web Applications Manager. He is usually found fiercely interrogating an API or forcibly manipulating data into ways you never thought possible. Ouch!