8 Security Tips to Keep Your Magento Store Safe From Hackers

The largest data breach compromised all 3 billion Yahoo user accounts in 2013.

In just the first half of 2019, data breaches exposed 4.1 billion consumer records, up from 445 million in 2018.

Cyber attacks are a growing problem both in America and worldwide.

Data breaches are also becoming more expensive to deal with, too. The average cost of a data breach is about $3.86 million. Obviously, the cost of a breach at your store won’t be that high, but it’s still important to do everything you can to protect the data of your customers, and your reputation.

Wondering how?

Here are 8 useful Magento security tips that you can use to help protect your store from hackers, data breaches, and other malicious cyber attacks. Read on, and make sure you’re protecting your store and your customers!

1. Migrate To Magento 2 (If You Haven’t Already)

If you haven’t done so already, you need to make a plan to migrate to Magento 2. Magento 1 has reached end of life: support ended on June 30, 2020, and security patches are no longer being provided, leaving unpatched Magento 1 sites exposed to hackers. If you are still using Magento 1, you’re putting your store and your customers’ data at risk.

Magento 1 stores worldwide were hacked in a massive automated campaign back in September of this year. It was the largest automated hack of its kind, affecting more than 10,000 customers and leaving their personal information exposed. This was a Magecart attack that injected malicious code into the checkout to intercept and steal payment information. As the wide scope of this particular breach shows, hackers are using increasingly sophisticated techniques to gain access to private information, and stores that have never been breached before are now being targeted. The importance of upgrading the security of your store cannot be overstated.

In addition, as mentioned in one of our past blog posts, Magento 2 comes out of the box with many security and performance improvements, including:

  • Support for SHA-256 cryptographic password hashing.
  • End-to-end AES-256 encryption for credit cards and personal data.
  • Clickjacking prevention.
  • XSS protection.
  • Session and cookie validation.

With Magento 2, you’ll be able to easily comply with PCI security requirements, and you’ll protect your store with all of the above features and more. If you’re not already on Magento 2, start thinking about your migration strategy today.

2. Keep Your Magento Version Up-To-Date

Even if you’re on Magento 2, it’s always important to keep your Magento installation updated.

Magento 2.3, for example, introduced two-factor authentication for additional protection of your administrative accounts, and added support for the Google reCAPTCHA service, which will help prevent brute force attacks from botnets.

Every release of Magento also includes plenty of bug fixes, patches and security updates intended to help protect your store.

3. Secure Your Store With Two-Factor Authentication

Two-Factor Authentication, or 2FA, is an extra layer of protection that keeps your Magento admin account secure even if a hacker gets hold of your username and password.

You can easily install two-factor authentication support on your store in a few minutes by following this guide from Magento. It supports four different two-factor authentication methods, including:

  1. Google Authenticator
  2. Authy
  3. U2F (Universal 2nd Factor) keys
  4. Duo Security

4. Set a Custom Admin Path to Discourage Brute Force Attacks

By default, your Magento store’s admin path – the URL you use to log in as the administrator – will look like this:

  • Default base URL: http://yourstore.com/magento
  • Default admin URL: http://yourstore.com/magento/admin

As you may have already guessed, this makes it easy for hackers to figure out which URL to use to try to access your store – and they may use a brute force attack, in which automated scripts submit password guess after password guess against the login form until one works.

Using two-factor authentication will stop a guessed password from being enough to get in, but another good security best practice is to set a custom admin path. You can easily change your admin login URL by following this guide from Magento.

5. Use HTTPS/SSL

It’s easy to set up your website to use HTTPS/SSL with Magento 2. This is a critical part of PCI compliance, and it ensures that your customers’ web traffic is encrypted and secured from anyone trying to snoop on their connection.

To set it up, log into your Magento 2 backend, then perform the following steps:

  1. Choose Stores > Settings > Configuration
  2. Select “Web” under the “General” section on the left menu
  3. Expand the section marked “Base URLs (Secure)”
  4. In the Base URL field, change “http://” to “https://”
  5. Set the “Use Secure URLs” setting on Storefront to “Yes”
  6. Set the “Use Secure URLs” setting on the Admin menu to “Yes”
  7. Click the “Save Config” button to make your changes

6. Turn On Session Expiration

Your website isn’t only vulnerable to remote cyber attacks: an unauthorized person who steals your computer, or otherwise gains access to it, could reach your Magento admin panel through a session that is still logged in.

A simple way to secure your website and make sure that you’re protected from this is to turn on session expiration and set a low time limit. Session expiration will log you out of your Magento admin panel after a set amount of inactivity – say, 5 minutes.

To configure and adjust, here’s what you’ll need to do:

  1. Log into the Magento admin panel
  2. Click Stores > Settings > Configuration from the left sidebar
  3. Select Advanced > Admin
  4. Under Security, look for the text box marked “Admin Session Lifetime (seconds)”. This indicates the length of time you’ll stay logged in, in seconds. A value of 1800, for example, will set your timeout at 30 minutes.
  5. Enter your desired time here. We recommend between 5 and 10 minutes, but you can experiment and see what works for you
  6. Click “Save Config” to save your changes

Once you log out and log back into your Magento account, your new timeout interval will be active.
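The admin-panel procedures in tips 4, 5 and 6 can also be applied from the command line. This added example, which is not code from the original post or from Magento itself, wraps Magento 2’s own `bin/magento` commands in small shell functions with input checks, so the settings are scriptable and can be re-applied after a redeploy. It assumes it is run from the root of a Magento 2 install; `yourstore.com` is the post’s placeholder hostname and `secure_backend_2020` is a constructed example path.

```shell
#!/bin/sh
# Added example, not part of the original post: apply tips 4, 5 and 6
# through Magento 2's command line instead of the admin panel.
# Assumes you run this from the root of a Magento 2 install; MAGENTO may
# be overridden to point at a different bin/magento.
MAGENTO="${MAGENTO:-bin/magento}"

# Tip 4: move the admin panel off the default /admin path. The installer
# only accepts letters, digits and underscores for the frontname, so
# reject anything else before calling it.
set_custom_admin_path() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9_]*)
            echo "admin path must be letters, digits or underscores" >&2
            return 1 ;;
    esac
    "$MAGENTO" setup:config:set --backend-frontname="$name" >/dev/null
}

# Tip 5: force HTTPS for the storefront and the admin.
# $1 is the store's hostname, e.g. yourstore.com from the post.
enable_secure_urls() {
    host="$1"
    "$MAGENTO" config:set web/secure/base_url "https://$host/" >/dev/null
    "$MAGENTO" config:set web/secure/use_in_frontend 1 >/dev/null
    "$MAGENTO" config:set web/secure/use_in_adminhtml 1 >/dev/null
}

# Tip 6: admin session lifetime in seconds. Magento documents a minimum
# of 60 seconds, so refuse shorter (or non-numeric) values up front
# rather than hand config:set a value the admin panel would reject.
set_admin_session_lifetime() {
    seconds="$1"
    case "$seconds" in
        ''|*[!0-9]*) echo "lifetime must be a whole number of seconds" >&2; return 1 ;;
    esac
    if [ "$seconds" -lt 60 ]; then
        echo "lifetime must be at least 60 seconds" >&2
        return 1
    fi
    "$MAGENTO" config:set admin/security/session_lifetime "$seconds" >/dev/null
}

# Example run: 10-minute admin sessions, within the 5-10 minutes the post recommends.
# set_custom_admin_path secure_backend_2020 && enable_secure_urls yourstore.com \
#   && set_admin_session_lifetime 600
```

After running these, flush the cache (`bin/magento cache:flush`) so the new values take effect, and note that the custom admin path is written to `app/etc/env.php`, so keep a record of it before logging out.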

7. Don’t Cheap Out On Web Hosting – Choose A Secure, Private Server

We don’t typically recommend cheap, shared web hosting plans for Magento stores, because a shared server can open you up to a few different security vulnerabilities:

  • If any single site on the shared server is compromised, the attacker may be able to access other websites hosted on the same, shared server.
  • A malicious attacker could buy hosting on a shared server, and then use their site to try to attack other sites on the same server.
  • When using a shared server, you do not have the same level of administrative access or ability to harden your own server against attacks.

A recent security flaw in cPanel, which is used by web hosting giants such as Bluegator, GoDaddy, SiteGround and others, shows the risks of a shared server. This flaw allowed any person using a shared server to view the activity of every other website on the server.

Using a dedicated, private server will not guarantee that you’re immune to hacks and cyber attacks – but it’s a good way to eliminate many common vulnerabilities.

8. Consider Investing in a Magento Security Assessment

If you’re not a cybersecurity expert, and you’re wondering what flaws or issues may be exposing your website to vulnerabilities, it may be time to turn to the experts.

Hiring a security consultant for a quick review of your Magento store is not expensive, and can provide you with some great, actionable goals that you can pursue to secure your website and keep your customers’ information safe.

Follow These Tips to Lock Down Your Magento Store!

While it’s impossible to guarantee that your store won’t be targeted by a cyber attack, there are a lot of steps you can take to lock down your store, and protect it against the most common attack vectors and security flaws. Take another look at these tips and think about how you can use them to keep your Magento store safe.

If you need help assessing the security of your website, please contact us. We’d be happy to perform an initial assessment to gauge your store’s security level and uncover any vulnerabilities.