How to Keep Your Magento eCommerce Store Secure

Security is one of, if not the most important, concern for your eCommerce website. Businesses spend considerable time, money and resource creating a site to be proud of only for it to be negatively impacted by hacking attempts. A recent study conducted by GOV.UK found that 32% of businesses identified cybersecurity attacks within the last 12 months, with 48% of these companies identifying at least one breach every month. Usually, these attacks include activities such as spamming, phishing and stealing customer data.

In July 2019, it was reported that British Airways are facing a record fine of £183m due to a website security breach causing 500,000 customer details to be harvested. Dixons Carphone, owner of Currys PC World and Carphone Warehouse, also experienced a similar issue in 2017 with a potential 10 million customers affected. Security breaches such as these can cause irreparable damage to your website, your reputation and customer loyalty, not to mention the cost and resource behind fixing them.

Unlike many other platforms where security is often an add-on, Magento provides you with out-of-the-box security built into the very core of your eCommerce website. Combine these capabilities with our following top tips to help keep your Magento store safe and secure.

Use the latest version of Magento

Some businesses believe that upgrading to the latest version of their web platform may not be as secure as the longer-standing version. However, developers work hard to fix previous security issues before releasing new versions. We advise businesses to stay informed regarding updates and available versions to ensure your website includes the most recent security enhancements. Once a new, stable version is released, testing should be done before changes are implemented or before your site is migrated.

Protect your environment

Your Magento eCommerce store will run smoothly when operated in a secure environment so it makes sense to protect this environment to ensure your security. Keeping server software up to date, deleting unnecessary software and applying security patches as recommended will help with this. Additionally, you should limit outgoing connections to only what is needed and use secure communication protocol like SSH, SFTP or HTTPS to manage files.

When sending confidential data such as login details, a secure connection is needed to prevent it being intercepted. In Magento, you can get a secure URL by checking the tab “Use Secure URLs” in the system configuration menu. Adhering to these recommendations will help protect your environment against hacking attempts. As a bonus, they also help make your website PCI compliant too.

Browse your own store

An effective way of keeping your eCommerce website secure is to regularly use it from your user’s point of view. By putting yourself in the shoes of your customers, you will be more likely to notice real-time issues at each point of the purchasing journey.

Only use trusted sources

Your eCommerce store will naturally warrant a number of extensions to create the best shopping experience possible for your users, but sometimes these extensions can compromise your store’s security, making it easier for attackers to enter your site. As such, you should give substantial consideration before installing any third-party extensions. Do your research, investigate the reputation, quality and customer reviews of extensions and only select from a reliable source where they will be maintained and updated regularly.

Obfuscate your admin URL

Something as simple as your admin URL essentially being ‘non-guessable’ can go a long way in providing your system with an added layer of protection. Rather than having a generic and common URL such as “/admin/”, Magento 2 automatically generates a complex, unique URL during installation such as “/admin_3ds78fd/”. Anyone trying to gain access to your admin will first have to get your URL correct, a tough task for even the most determined.

Magento Security Only Patch 2.3.2-p1

Magento developers have been working hard to ensure Magento 2 is more secure by reducing their security issue backlog by over 93%. September 2019 will see the release of 2.3.2-p1, a new security-only patch for Magento Commerce and Open Source 2.3.2. This new patch gives merchants the ability to implement the necessary security fixes ahead of peak, but delays the less-time sensitive changes such as quality and performance.
The new flexible scheme provides a continuous path to functional and security fixes as well as giving you the option to take up a lighter 6-month security-only patch rather than the full release when required.

Be PCI compliant

Being PCI compliant is a necessity for any business, no matter how big or small, if you want to process card payments. It’s an important standard to adhere to otherwise your customers could be vulnerable and your business could be held liable if their data is breached. It also gives your online store another level of reputable security making it more trustworthy in the eyes of your users.

Use payment gateways

A payment gateway is a communication between your eCommerce website and the bank that processes, verifies and authorises or declines a customer’s card payment, they also play an important role in your online store. Using an offsite payment gateway can help to lessen the frequency and severity of credit card fraud by ensuring there is no attack vector on your site and that your customer’s data is encrypted and secure.

Audit your admin users

Your admin users should be audited regularly, and access should be removed for any users who no longer need use of the system. Additionally, names and passwords should be changed regularly to make it less likely for external people to log-in to the system. You can take your login security one step further with Magento’s two-factor authentication extension. Using this feature, admin users will need to pass another level of security in order to access the Magento Admin UI from any device. Finally, to secure your login process, protect the devices that are used to access your Magento system.

Backup your Magento store and create a recovery plan

Although implementing these top security tips will help prevent attacks, it’s equally important to have a functioning recovery plan. Even a basic plan will help you get back on track in case disaster hits. As Benjamin Franklin once said, “By failing to prepare, you are preparing to fail”. The same applies to your website.

Making backups of your site’s files and databases will stand you in good stead, reducing the impact if an attack does occur. In unfortunate cases like these, you will at least have the most recent, undamaged backups to quickly restore information. You can back up your files through your Magento account by downloading them with an FTP client and the database can also be exported when necessary. Make sure you test the backup regularly to ensure it can be restored if needed.

Customers prefer a secure website to shop on and with cyber-attacks regularly occurring across the eCommerce community, it’s even more important to instil trust in your users through a safe online store. Using these top tips and Magento’s out-of-the-box security features helps to reduce the chances of anything happening to your website. Always be sure to monitor for attacks and investigate any issues as soon as they happen. If you want to chat more about your website’s security, feel free to reach out to the team today.