Magento 2 Security Guide: An Actionable Checklist (Updated for 2020)

We’ve already discussed how you can speed up your Magento 2 store. Now it’s time to make Magento 2 more secure and outline more clearly why cybersecurity is so important.

We have created this guide based on our own experience as a Magento development team and on Magento official security best practices published by the dev team in January 2016.

In this guide, we’ve collected the most common issues that plague Magento stores. We are not nitpicking here, either. Every issue on the list can potentially turn into a huge problem if things go wrong. We urge you to take them seriously and fix them ASAP.

We constantly stress that the majority of Magento store owners don’t understand the importance of cybersecurity. Ranked from critical to moderate, all these Magento security issues require your immediate attention.

0. Scan Your Store for Malware

In our experience, a Magento store infected with malware acts in 3 distinct ways:

  • intercept customer personal data, which can be used for anything from identity theft to spamming or credit card theft,
  • attempt payment diversion fraud,
  • infect customer machines with malware.

The ongoing effect of this activity can be severe. That is why when developing an e-commerce security plan, it is important to know how to detect malware and find out all e-commerce security issues.

Before you build new fortifications around your website, let’s check whether the enemy has already crept in. Step zero for your DIY Magento security audit is to scan all files for malware and eliminate it.

Recommended by Onilab: Magento Security Scan Tool is an official malware scanner for Magento 2 stores. Besides a one-time scan, you can set up the tool to scan daily, weekly, or at any other interval you like.

Using Magento Security Scan Tool should be part of your website security audit checklist. Moreover, it is free and pretty straightforward. Add your web store in the Magento Dashboard, verify website ownership, then set up the weekly routine.

We suggest that you choose an interval when your store experiences the lightest load. Bear in mind that the scan duration depends on your store size. Keep a healthy buffer of load-free time to allow for some breathing room.


Here’s a step-by-step guide on how to verify your store ownership and schedule your first scan.

1. Make Sure All Payment Processors Are PCI Compliant

Magento store owners can choose from a wide range of payment processors and standalone solutions. The problem is, all of these tools offer a different level of security. And when a leak happens, the store pays up, not the payment processor.

As a business owner, you are responsible for providing your customers with a guaranteed safe checkout. Your merchant account can be investigated, suspended, or even frozen as a result of a data leak. And fines get progressively bigger the more damage your customers suffer. From a few thousand dollars to hundreds of thousands.

There’s no cap on damages which means these fines from Visa or Mastercard can run your business into the ground. So making payments safe is the cornerstone of all your e-commerce security measures.

Remember, hackers use stolen credit card data within the first 12 hours of the data leak. This means your best option is to prevent the breach of customer payment details in the first place.

The PCI DSS standard was created exactly for that reason. It ensures that a PCI-compliant processor offers adequate protection to all online payments made through their tool. But bear in mind that the same processor can offer two or three tools with completely different security levels.

Take a look at this table:

PCI Compliant E-commerce Payment Systems | Non-PCI Compliant (unsafe!)
---------------------------------------- | ---------------------------
Magento Secure Payment Bridge            | Authorize.net
Authorize.net Direct Post                |
PayPal Express Checkout                  | PayPal Payment Gateway
PayPal All-In-One                        |
SagePay                                  | Saved CC
Ogone                                    |
Braintree                                |
Google Checkout                          |
Amazon Payment                           |

Note that a well-known name won’t necessarily shield you from an unsafe implementation. Do your own research before you commit.

We’ve covered quite a bit on PCI compliance in this article on Magento Payments Security. Take a look at it if you want to get an in-depth understanding of e-commerce security.

The rule of thumb is: if the processor lets customers enter payment details on a completely separate page, it’s probably PCI-compliant. If not, the gateway is not safe. But don’t rely on this cheat sheet alone; if you have the time, check with the payment processor itself to make sure it follows the relevant payment security guidelines.

2. Patch Your Magento to the Latest Version

Magento 2 ships with an odd core module (Magento_Version) that displays the M2 version of your store to anyone who wants to see it. When it’s active, all you have to do is type store.com/magento_version/ in your browser and it will tell you which version your Magento runs. Just like that.

Magento 2 is an open-source platform. Anyone can see the code, read what bugs and issues have been fixed in the latest release …or use unpatched vulnerabilities to infect Magento stores that are stuck on older versions.

The best advice is to fix your Magento 2 security issues immediately after a new update is released. This way you will be protected against known vulnerabilities. But if you can’t, at least hide your Magento version. To do that, disable or delete the extension (commands valid for Developer mode):

bin/magento module:disable Magento_Version --clear-static-content
bin/magento setup:upgrade

One more thing about installing Magento security patches. Bear in mind that some Magento 2 security patches are harder to install than the others. Always use a separate environment to test-patch your Magento store before you install the patch on your live website. This way you can speed up patch deployment and avoid interruptions to your business.

3. Remove Unnecessary User Permissions

Unsurprisingly, incompetent or malicious users cause more problems than software. For the foreseeable future, human beings will remain the biggest vulnerability factor for the majority of systems. Magento is no exception.

Statistically, the Magento 2 Admin Panel is the source of more trouble than anything else. Even limited access to the Admin Panel gives malicious users a sea of possibilities for hacking into the store.

The Panel is full of critical issues that can be exploited if the hacker is knowledgeable enough: leaking of credit card details, hijacking of full admin privileges, malware injection, etc.

So let’s take a closer look at the #1 problem with users: excessive permissions.

It’s not uncommon for store admins to forget to block the Magento accounts of users who left the company or received one-time access that was never revoked. This situation can get especially bad if you have to give Magento accounts to your suppliers and customers. Magento 2 is not exactly famous for a flexible restrictions system.

For example, if you want your content manager to add products to the catalog and write product descriptions, you inevitably need to give them the right to edit and delete products as well. Which is an exceptionally bad idea if they are new to Magento or want to wreak havoc on your store.

There are two steps to deal with this challenge. Take a quick look at your Magento user list. Do you recognize every account there? If you don’t, disable it. Don’t hesitate to do that. If you disable someone important, they will let you know and you can adjust quickly.

Now take a second look at the user list. Does everyone there need all the permissions they have? Take a few minutes to comb through the list and restrict user permissions to what people really need to do their job.

If you want more detailed options than built-in security solutions can offer, shop around for an adequate Magento 2 security extension. A lot of them have flexible configurations that provide very detailed control over your user roles.

4. Add Two-Factor Authentication to Create Another Layer of Security for Your Users

Do you know how you always trade convenience for security and vice versa? Well, the two-factor authentication (2FA) is trading a lot of convenience for a huge security boost. And since the use of two-factor authentication sways the balance so heavily towards security, a lot of people dislike it.

On the one hand, your Magento account password alone becomes useless for attackers, since they now need the second factor as well to get in. Which means it’s a great idea to introduce two-factor authentication when you suspect your accounts could be compromised.

On the other hand, if you use your email or your phone to receive codes and suddenly lose access to it, you can become locked out of your store. And if you fail to save backup codes somewhere safe, you are stuck. Not completely stuck, but it still could mean interruptions of the daily business operations.

In spite of all inconveniences, two-factor authentication is a great way to secure your store. Especially if your users hate changing passwords, use “iloveyou123” instead of “1zEbWnp9Z6wvJumoBv0kmMRiI” as their favorite password for at least ten more websites, and don’t understand computers very well.

5. Get Rid of Unused Magento 2 Extensions

We’ve already mentioned the importance of reviewing Magento extensions in our speed guide. Well, this tip is extremely important for Magento 2 e-commerce site security, too.

Unused Magento 2 extensions not only slow you down, but they also present a very real risk to your store: there are potential vulnerabilities in every piece of software you use. Why offer hackers additional ways into your store? Close off this attack vector.

Inspect your extensions list. Are you using everything there? Uninstall the extensions you don’t use. When in doubt, consult the product page of a specific extension to find out its functions.

The removal procedure is pretty straightforward. Make a backup, then use SSH and execute these commands:

bin/magento module:disable Useless_Extension --clear-static-content
bin/magento setup:upgrade
# A module named Vendor_Module lives in app/code/Vendor/Module, so remove that directory
rm -rf app/code/Useless/Extension
# Modules installed through Composer are removed with "composer remove vendor/package" instead

If you have difficulties with the uninstallation process, find the extension manual. Some extensions require additional steps to be safely removed from your store, so it’s a good idea to double-check the user manual before you delete them. Just like with any other CMS (e.g. see WordPress security), third-party plugins are potential entry points for hackers.

6. Use an Encrypted Connection with an SSL certificate

The most important component of the best Magento 2 security practices is creating a trusted environment for customers to make their transactions as safe as possible. An SSL certificate secures your Magento store by binding your domain to a key pair, which lets the server establish an encrypted connection.

Once installed on a web server, the keys activate the HTTPS protocol that protects sensitive information (credit card numbers, login credentials) to ensure the data is transmitted securely.

To get an SSL certificate, you will need:

  • Your server certificate, received from the CA for your domain after creating a CSR.
  • Your intermediate certificate, which allows the devices connecting to your web server to identify the CA, thereby establishing trust in your SSL certificate.
  • Your private key.

To enable the Magento 2 SSL certificate, take the following steps:

  • Navigate to Stores > Configuration

  • Click “Web” under the General menu to open the settings page.

  • Unfold the Base URLs section in the right panel. You need to update the Base URL field by replacing “http” with “https”.

  • Select “Yes” for two fields: “Use Secure URLs on Storefront” and “Use Secure URLs in Admin”. By this, all of your storefront pages and admin panel will be opened with secure https.

  • Save changes with the “Save Config” button and clear cache.

7. Build a Solid Backup System

Security is nothing without a good backup system. Your data can get corrupted, your store can become infected with malware, something can break down or malfunction. Backups are your plan B. Don’t cheap out on them.

First things first. Take full advantage of your hosting provider’s backup system. As a rule, a good hosting provider will back up your static data every 12-24 hours and keep at least 2-3 backups on hand in case things go wrong.

For databases, you can expect at least 3-4 archives ready with much closer backup intervals. 1-2 hour intervals will be optimal for a popular and fast-paced store and 3-6 hours for stores with a lighter load and fewer orders.

Regular automated backups have become a standard feature for both VPS and cloud hosting providers. Among the ones best suited for Magento hosting: Amazon Web Services, Sonassi, Nexcess, and Google Cloud. (Read our guide on Magento hosting and learn how to find the best hosting provider for your Magento store).

AWS RDS is one of the most thorough at this. It not only backs up your entire database system, but also allows you to create DB snapshots and archives without additional charges.

Even though most mainstream hosting providers offer backups, you should not rely on them 100%. Make your own backups regularly. An optimal backup system consists of at least 3 separate, unconnected locations. So let’s say the first one is your hosting provider’s cloud storage. Create a second one somewhere else in the cloud and schedule a third copy to back up files to a hard drive of a dedicated machine.

This way even in the case of an emergency you’ll always be able to restore and operate your website without major setbacks and interruptions.

8. Install SELinux to Improve Server Security

Correct configuration of the server is another step towards a properly locked-down Magento store. Users with servers running on Ubuntu and CentOS can install Security Enhanced Linux (SELinux for short) to manage mandatory access controls (MAC).

In layman’s terms, SELinux will help you keep malicious online content from impacting your vital data. SELinux can differentiate between users and the applications they run. Why is that important? Because it will help you protect your data from bugs in applications.

SELinux offers a finer permissions configuration inside the server. That’s why it’s a great tool to create centralized access policies with extremely detailed instructions. Advanced users will find it empowering that they can write security policies themselves, while most mainstream configs are already available as a part of the community effort.

Please bear in mind that SELinux is not a firewall. It functions as a container for applications within the system offering stricter rules on what applications and users can and can’t do inside the environment.

9. Whitelist Magento Admin IPs to Limit Rogue Connections

IP whitelisting is a seriously overpowered feature you should always use. It can get you out of a lot of bad situations.

A few examples:

  • your administrator credentials get stolen and you don’t have two-factor authentication set up,
  • you want to ensure your employees only access the store from a specific place (like your company office),
  • you need to restrict admin Magento logins to a few select workstations.

Default Magento 2 does not allow users to create IP whitelists. One solution out of this situation is to look for a third-party extension that hopefully solves your problem. But if you want to stick as close to default M2 as possible we’ll have to dig into server configuration once again.

CAPTION: It might look similar enough but Developer Client Restrictions is NOT the option you need!

For nginx, we will need to edit nginx.conf to restrict access for undesired IPs. The code is straightforward:

location ~* ^/(index\.php/admin|admin) {
    # one allow directive per address or CIDR range; the first match wins, so deny stays last
    allow 1.1.1.1;
    allow 1.1.1.2;
    deny all;
    try_files $uri $uri/ /index.php?$args;
    # @proxy is the named location that hands .php requests to PHP-FPM in your nginx.conf
    location ~* \.php$ { try_files /dummy @proxy; }
}

Obviously, you need to replace 1.1.1.1 and 1.1.1.2 with your desired IPs. Add as many as you need, one allow line per address (CIDR ranges such as 203.0.113.0/24 work too). You can also use IPv6 instead of IPv4; nginx handles both formats without additional configuration. If you have moved the admin panel to a custom path (see tip 10), adjust the regex so it matches the new path rather than the default /admin.

Please note that IP whitelisting only makes sense when you use a static IP address to interact with the website. If you have a dynamic IP and set up a whitelist filtering you can lock yourself out of the admin panel.

10. Switch to a Custom Admin URL

You can stop a lot of malicious scripts from attacking your Magento store if you just change the default admin URL. This is one of the most underappreciated tips on how to increase Magento 2 admin security, since it’s so easy to cut off a whole class of automated malware from your store.

The easiest way to enable a custom admin URL is through the Magento 2 Admin Panel. You need to go to Stores > Configuration > ADVANCED > Admin > Admin Base URL.

We are looking for the underlined option here. Tick off “Use system value” and change it to something you like. Doesn’t matter what, it just has to be different from the default one:

The menu offers two different approaches to hiding your Magento 2 admin panel:

  • “Use Custom Admin URL” as an option is way more secure than “Use Custom Admin Path”. Use it if you want to move your Magento Admin Panel to a different domain like //admin111.store.com.

This is preferable to simply changing the path (“Use Custom Admin Path” option below) since automated scripts won’t be able to find the new subdomain for your Admin Panel but still can find a new //store.com/admin112 link.

  • “Use Custom Admin Path” just changes the link. So, for example, you can change it to “admin_link1” and the new admin panel will be located at //store.com/admin_link1/admin/. Still better than the default Magento path but worse than moving Magento admin to a separate subdomain.

You can also combine both methods. Take a look at how your URL will change if you fill in both fields. Note that the first field contained “//co-admin.magento.local/” and the second field had “onilabadminpath”.

Here’s the result of this fusion:

Pretty cool, right?

And one last thing. Steer clear of extremely obvious words like “backend”, “login”, or “brandname” in your URLs. Use your imagination!

11. Set Core Magento 2 Files and Folders to Read Only

Correct file permissions will save your day not once or twice – countless times. Closing off this attack vector will discourage hackers who rely on infecting core Magento 2 files with malware.

After you apply stricter file permissions, you further restrict unauthorized access to your store.

Note that critical files outside of the immediate Magento core (e.g. app/etc/env.php) should be set to read-only as well.

A few key guidelines:

  • A Magento 2 file system owner must have all permissions, which means they need to have the rights to read, write, and execute every folder and file in your Magento installation:

set all Magento directories to Octal=770 (only the owner and their user group can read, write, and execute files, other users can’t even access them).

  • The web server user and the Magento file system owner are two different accounts. Always. Segregate these two entities for security reasons. The web server user in the development environment must have write permissions for:

var (equal to octal=770),

app/etc (770),

pub (770).

But in production mode, it’s better to limit this access as shown above.

Something to look out for:

  1. If for technical reasons you can’t use 770 for folders or 660 for files, replace them with 755 and 644 respectively.
  2. Magento constantly generates new files. Be on the lookout for new files with suboptimal permissions and correct them as needed.
  3. It’s OK to set var, app/etc, and pub to 777 for development purposes. However, it’s not OK to leave them 777 on a live store!

Don’t tolerate sloppy development and administration practices just because it’s convenient and speeds up your work. An important folder set to 777 is a disaster waiting to happen.
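To turn the guidelines above into a repeatable check, here is a small audit script (an example added here, not code from the Onilab guide) that finds world-writable entries, warns when var, app/etc or pub are left at 777, and can tighten the tree to 770/660. It assumes POSIX find and chmod, that it runs as the Magento file system owner, and an assumed install path in MAGENTO_ROOT.

```sh
# Added example (not from the Onilab guide): audit a Magento tree for permissions
# looser than the 770/660 guideline and, on request, tighten them.
# Assumes POSIX find/chmod; run as the Magento file system owner.
MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"   # assumed install path

# List files and directories writable by "others" (the 002 bit): 777, 666 and similar.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null
}

# Number of such entries, printed so a cron job can compare it against 0.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Exit status is non-zero when var, app/etc or pub is world-writable on a live store.
check_live_store() {
    root="$1"; bad=0
    for d in var app/etc pub; do
        if [ -d "$root/$d" ] && [ -n "$(find "$root/$d" -maxdepth 0 -perm -002)" ]; then
            echo "WARNING: $root/$d is world-writable"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Apply the guideline: directories 770, files 660, then give the owner the
# execute bit back on bin/magento so the CLI still runs.
apply_guideline() {
    root="$1"
    find "$root" -type d -exec chmod 770 {} +
    find "$root" -type f -exec chmod 660 {} +
    if [ -f "$root/bin/magento" ]; then chmod u+x "$root/bin/magento"; fi
}

# Run with --report to audit only, or --fix to audit and then enforce the guideline.
if [ "${1:-}" = "--report" ] || [ "${1:-}" = "--fix" ]; then
    echo "$(count_world_writable "$MAGENTO_ROOT") world-writable entries under $MAGENTO_ROOT"
    check_live_store "$MAGENTO_ROOT" || true
    if [ "$1" = "--fix" ]; then apply_guideline "$MAGENTO_ROOT"; fi
fi
```

Note that apply_guideline assumes the web server user is in the owner’s group, which is what makes 770/660 usable for var, app/etc and pub.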

12. Set Up Automated Activity Reviews

Even though it’s always a good idea to set aside some time for Magento 2 security checkups, more often than not it’s simply not humanly possible to check for suspicious behavior manually on a regular basis, or to comb through huge server logs for attacks and unauthorized login attempts.

In order to make your life easier, we suggest that you establish an automated log activity analysis system that mines this data for you and only brings to your attention key highlights – leaving everything else to the machine.

The Onilab team has tested dozens of solutions in search of The Perfect One. We are somewhat disappointed to state that the quest for the perfect tool is not finished. Meanwhile, we’ve created a small shortlist of our favorite analyzers.

Take a look at OpenWebAnalytics, for example. It’s great for Magento 2 and has most of the features you’ll need to get started. Once you become more acquainted with activity analyzers you can form your own opinion and find the tool that works best for you.

There are a lot of security log analyzer tools that you can use. Our goal is to not sway you towards a specific solution but rather to convince you that you need to use something.

13. Set Up a Data Integrity Tool to Get Alerted of Potential Infections Right Away

Even though you might have locked down every file and directory of your Magento store from attackers, it still pays to know what’s going on in your store.

Data integrity tools offer you the ability to check Magento for unauthorized file changes, track recently changed files, and alert you of potential infections in time. This kind of control plays a crucial role in your ability to contain ongoing attacks and mitigate future risks.

While the Magento development team recommends Tripwire, which has grown to become the de facto solution for this kind of monitoring, we understand that not every Magento store owner will be ready to invest in such a tool.

For a capable yet lightweight alternative, our recommendation is to take a closer look at OSSEC, AIDE, and Samhain.
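To make clear what these tools do under the hood, here is a minimal baseline-and-compare check (an example added here, not code from the guide or from Tripwire, OSSEC, AIDE or Samhain) that hashes every file in the store and later reports modified, new and deleted files. It assumes GNU coreutils (sha256sum, comm) and that the baseline file is stored outside the web root, ideally on another host, so an intruder who edits files cannot quietly rewrite it too.

```sh
# Added example (not from the Onilab guide, not the code of any integrity tool):
# a minimal file-integrity baseline and comparison for a Magento tree.
# Assumes GNU coreutils (sha256sum, comm); keep the baseline outside the web root.
export LC_ALL=C   # byte-order sorting so comm sees identically ordered lists

# Hash every regular file under directory $1 into baseline file $2.
integrity_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort > "$2"
}

# Compare directory $1 with baseline $2. Prints "MODIFIED|NEW|DELETED <path>"
# per finding; returns 1 when anything changed and 0 when the tree is clean.
integrity_check() {
    tmp=$(mktemp -d)
    find "$1" -type f -exec sha256sum {} + | sort > "$tmp/now"
    sort "$2" > "$tmp/base"
    # sha256sum prints "<hash>  <path>", so the path starts at the third space-separated field
    comm -23 "$tmp/base" "$tmp/now" | cut -d' ' -f3- | sort > "$tmp/gone"   # hash lines no longer present
    comm -13 "$tmp/base" "$tmp/now" | cut -d' ' -f3- | sort > "$tmp/seen"   # hash lines not in baseline
    {
        comm -12 "$tmp/gone" "$tmp/seen" | sed 's/^/MODIFIED /'   # path in both: content changed
        comm -23 "$tmp/gone" "$tmp/seen" | sed 's/^/DELETED /'    # only in baseline
        comm -13 "$tmp/gone" "$tmp/seen" | sed 's/^/NEW /'        # only in the current tree
    } > "$tmp/report"
    cat "$tmp/report"
    n=$(wc -l < "$tmp/report" | tr -d ' ')
    rm -rf "$tmp"
    [ "$n" -eq 0 ]
}

# Typical use (assumed paths): take the baseline right after a clean deploy,
# then run the check from cron and mail the output when it is non-empty.
if [ "${1:-}" = "--baseline" ]; then
    integrity_baseline "${2:-/var/www/magento}" "${3:-/var/lib/magento-baseline.sha256}"
elif [ "${1:-}" = "--check" ]; then
    integrity_check "${2:-/var/www/magento}" "${3:-/var/lib/magento-baseline.sha256}"
fi
```

Re-run the baseline after every legitimate deploy or patch, otherwise every intended change shows up as a finding and the alerts quickly get ignored.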

14. Enable Google reCAPTCHA in the Admin Panel

Yes, it can be tedious and boring to select all the stoplights in the pictures for the hundredth time just to log into your own store. But these same images will stop one of the most popular hacking attacks of all time: password brute force.

The humble reCAPTCHA can stop automated brute-force scripts from attempting to log in to your store for days on end. A single script will hit your login page with hundreds of thousands of admin/password combinations, trying every word in the dictionary and every common passphrase you can imagine.

If you are not concerned about the strength of your password, take into consideration that every login attempt puts a small load on your server. Which means slower speeds and longer processing time for legitimate users.

Hope we’ve convinced you that enabling a strong CAPTCHA solution is in your best interests! And you’ll also help Google machine learning AI learn new things. How cool is that!? (Well, not very cool. At some point in time you’ll probably feel like one of Thomas Edison’s visitors whom he tricked into pumping water with his gate).

How do you turn reCAPTCHA on? Go to Stores > Configuration > Security > Google reCAPTCHA. In the menu, you’ll see CAPTCHA is already on. But instead of using the default choice, we recommend switching to Invisible reCAPTCHA.

Invisible reCAPTCHA works in the background. It’s more streamlined than reCAPTCHA v2 and will not appear unless the user acts suspiciously or strangely. Invisible reCAPTCHA offers the same level of protection as the normal one, so we say give it a try.
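The brute-force pattern described here is also exactly the kind of “key highlight” the automated log review from tip 12 should surface. As an added example (not code from the Onilab guide), the following awk-based check counts POSTs to the admin login per client IP in a combined-format nginx/Apache access log and flags the ones over a threshold; it assumes the default /admin path (set ADMIN_PATH if you moved it, see tip 10) and the log lines are constructed.

```sh
# Added example (not from the Onilab guide): flag client IPs hammering the admin
# login in nginx/Apache combined-format access logs.
# Assumes the default /admin path; set ADMIN_PATH if you use a custom one.
ADMIN_PATH="${ADMIN_PATH:-/admin}"

# Print "count ip" for every client that POSTed to the admin path more than
# $2 times in log file $1 (default threshold 20), busiest first.
flag_admin_bruteforce() {
    logfile="$1"; limit="${2:-20}"
    awk -v path="$ADMIN_PATH" -v limit="$limit" '
        # field 1 is the client IP, field 6 the quoted method, field 7 the request path
        $6 == "\"POST" && index($7, path) == 1 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
    ' "$logfile" | sort -rn
}

# Constructed sample log: 203.0.113.7 tries 25 passwords within a minute,
# 198.51.100.4 logs in normally, and there is ordinary storefront traffic too.
make_sample_log() {
    out="$1"; : > "$out"; i=0
    while [ "$i" -lt 25 ]; do
        printf '203.0.113.7 - - [10/Mar/2020:14:02:%02d +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.22"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '198.51.100.4 - - [10/Mar/2020:14:03:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.4 - - [10/Mar/2020:14:03:09 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
    printf '192.0.2.10 - - [10/Mar/2020:14:03:12 +0000] "POST /checkout/cart/add/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
}

# Run with --demo to build the sample and report offenders above 20 POSTs;
# against a real store, point flag_admin_bruteforce at your access log instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); make_sample_log "$tmp"
    flag_admin_bruteforce "$tmp" 20   # prints: 25 203.0.113.7
    rm -f "$tmp"
fi
```

An IP that shows up here is a candidate for the nginx deny list from tip 9 and a reason to check whether the targeted account’s password was actually guessed.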

15. Learn About Fraud Protection Techniques

Fraud protection is one of the most serious security concerns for e-commerce. And even though it’s a vast topic that could easily take a whole new guide to unravel, we feel the need to briefly explain how to secure your Magento website from fraudulent orders and malicious customers.

As a business, you are most vulnerable to fraud in a few specific cases:

  • if there are too many orders and you don’t have enough time to review each new order by hand,
  • if you don’t pre-screen incoming orders and just accept them all,
  • when you use payment methods that welcome fraud attempts (most payment methods have at least some built-in fraud defense – with a few exceptions),
  • when your products or services are more enticing to scammers than others.

Most of the time recognizing frauds is a matter of experience. Once you get familiar with how your regular customers browse the store, order goods, communicate, and solve occasional disputes with your store, you’ll have enough commonplace online shopping patterns that you can rely on when dealing with scams.

And even though it’s impossible to completely shield yourself from scam orders, here are a few tips on how you can recognize fraudulent orders from legitimate ones and cancel them:

  1. Take note of any shoppers with unusual and strange buying patterns. Even if you only have time to skim through the order list, flag and review unusual orders, and cancel any that look too suspicious. It’s better to lose a potential sale than to get hit with a large chargeback fee.
  2. Set a smaller limit on the maximum purchasable amount. Ask buyers who want to purchase above the limit to go through another sales channel, for example through a sales representative first.
  3. Ensure that all payment details make sense. Verify that the address actually exists and matches the zip code and the other payment details. Most payment processors already have an automated verification system that checks such things, but you should still do your due diligence and make sure the solutions you use have one in place.
  4. Require CVV for every payment made with a credit or debit card. Any exception to this rule and there’s a good chance scammers will take advantage of your lack of security.
  5. Use tracking numbers to discourage shipping frauds. Besides offering additional value to your customers, a tracking number gives you a way to prove the package was shipped correctly.

16. Eliminate Unnecessary Software Running on the Server

A clean server environment helps a lot in protecting your store from malware. The general idea here is that the less software you have, the less likely it is that malware can find a vulnerability and infect you.

Keeping things clean also has the bonus of creating less complexity and a lighter load on your server. This means better website performance and better stability along the way.

Work with your hosting provider to find out how you can improve server performance and which parts of the server environment do not contribute to your Magento setup. Most of the time the support team will be happy to help you figure out what is pure ballast and remove it from the servers.

This is another reason why it’s a good idea to host with a dedicated Magento hosting provider. Their tech support is already knowledgeable about what kind of software you can remove from the server without any issues. Thus, you can ensure sufficient Magento shop protection.

17. Deep-Scan Your Magento Store for Hidden Vulnerabilities

Magento Security Scanner offers good insight into your store security. But if you have already fixed the issues it found, you now have the opportunity to dig even deeper. You’ll need a few third-party tools to get a better view of the situation.

MageReport

MageReport complements the official tool with a few cool features. For example, while the official e-commerce security solution focuses on the system itself, MageReport is a Magento vulnerability checker that can also see loopholes in third-party extensions. It’s a useful tool for Magento stores that take full advantage of Magento Marketplace and sport a lot of popular third-party modules and themes.

Magento Malware Scanner

Magento Malware Scanner is already 2 years into development. Built specifically for Magento 2 security scan purposes, it’s another decent addition to the official Magento Scanning Tool. The scanner specializes in detecting various Magento malware. It even serves as a crowd-sourced malware detection center.

Any Magento user can submit newly found malware and it will be added to the knowledge base. Install Magento Malware Scanner and witness the true power of the Magento community in action!

SQLmap

SQLmap is a real hacker’s tool. It is not only a robust scanner that detects SQL injection flaws in the way the application queries its database; you can also use it to simulate a real-life attack on the database.

Over the years the tool has become really good at automatically finding and exploiting DB vulnerabilities. A must-have for anyone looking for a tool with penetration testing capabilities. Run it against a staging copy of your store, not the live database, since a successful test can modify data.

18. Shield Your Magento Website From Malicious Bots

Bad bots are self-propagating malware programmed to perform certain tasks.

The ongoing impact malicious bots have on the e-commerce ecosystem shouldn’t be underestimated. The bots are designed to scan websites for security vulnerabilities and make use of them to perform fraudulent activity or report the website’s security issues back to the botmaster. The activity of bad bots may result in high server costs as well as an immense load on server infrastructure. Therefore, bot protection must be an integral part of your Magento security checklist.

Distinguishing bots from humans is a challenging task. The latest, fourth generation of bots has human-like interaction characteristics that simulate real visitors’ behavior.

In order to ensure sufficient Magento store protection against malicious bots, you can apply several techniques:

  • Installing a server firewall. A firewall is basically a set of filters based on user-defined rules intended to block illegitimate traffic.
  • Setting up firewall rules in front of NGINX to restrict malicious traffic. These rules determine which types of packets are allowed through to your web server. Once a packet is identified, it is subjected to the rule configured for the firewall. Thus, if, say, you have noticed that bad bots are coming to your website from IPs belonging to a certain country, you can block all IPs from this country with a firewall rule.
  • Using a reverse proxy (Cloudflare, for instance). Cloudflare Bot Management is one of the most actionable tools for securing Magento websites. The reverse proxy is placed in front of the web servers and forwards client requests to them. Thus, when bots send requests to Cloudflare servers, they are detected by Cloudflare’s AI-based algorithms and dismissed without impacting the user experience or blocking good index bots.

19. Shield the Store From Cross-Site Scripting Attacks

Cross-site scripting (XSS) is one of the most frequent types of attack on a store. We’ve decided to look at XSS attacks separately since they need special attention from Magento store admins.

Finding XSS Vulnerabilities

XSSer is a general-purpose scanning tool, or more precisely, a framework that specializes in detecting cross-site scripting issues in web applications, Magento 2 included. Built in 2014, the framework has become a useful and mature e-commerce security solution for automatically detecting and verifying XSS flaws in Magento 2.

Vectors it can test:

  • use of different bypassers,
  • script and cookies injections,
  • referer scripting,
  • data control protocol injections,
  • DOM injections,
  • HTTP response splitting,
  • DOM shadows attack (anchor stealth payloader).

Use “--auto” to apply all default attack vectors in a row for comprehensive Magento 2 XSS security testing results, or choose a few select vectors to test against.

20. Prevent MySQL Injections

Protecting your site against MySQL injections has to be part of your Magento site security checklist. The target of these attacks is the database. Hackers exploit loopholes in back-end code to insert malicious SQL into a query and access information from the database. Once the attack succeeds, the malicious query is treated as a valid one and executed. As a result, intruders gain control over the database of the affected Magento website.

MySQL injections have three routes into your database:

  • Known bugs in Magento. 

In order to eliminate the threat, you need to keep your system updated to the latest M2 version. Magento releases updates for M2 almost every three months. They contain security patches and bug fixes that will help you to keep your customer data safe and sound. 

  • Known bugs in third-party modules.

In order to fix known bugs in Magento 2 modules and correct vulnerabilities in the system, and thus boost your Magento store security, you need to install security patches as soon as they become available.

  • Security vulnerabilities in custom code.

Vulnerabilities in custom code may be caused by the work of a bungling developer. Carrying out Magento 2 security checks with automated testing tools can help you identify and correct these bugs ASAP. In some cases, to perform code scanning and fix these vulnerabilities, you may need to hit up professional Magento consulting services.

Be the Change You Want to See

Despite all the advancement in technology, humans remain the biggest risk factor for e-commerce security. So even if you’ve implemented all the tips from our Magento Security Guide, it will all be useless unless your users change their behavior:

  1. Don’t connect to your store via FTP, use only SSH/SFTP/HTTPS to communicate with the server. Disable FTP completely to discourage users from even trying to use it.
  2. Outlaw sloppy password practices. Use strong passwords and ensure users change them from time to time.
  3. Revoke access from users who don’t need it anymore. Nothing worse than a few dozen “sleeper” accounts in your Magento store that could wreak havoc at any time.
  4. Install extensions on the staging server before you install them on production. This way you can ensure everything works as advertised, and that you haven’t broken critical stuff on the production server just because you were too lazy to test it a bit first.
  5. Test your backups regularly. Even if you have the best backup system in the world but can’t restore from a backup and continue with your day, that system is bad. Make sure that you both know what to do in an emergency situation and that you can rely on your backups 100%.

Not sure if your store is fully secure? Want to know how to remove malware from your Magento site? Want to review third party extensions or looking for an independent security audit? Reach out to Onilab for Magento development and security services and a no-obligation quote to ensure your business is 100% safe from online attacks.
