Security is one of, if not the most important, concern for your eCommerce website. Businesses spend considerable time, money and resource creating a site to be proud of only for it to be negatively impacted by hacking attempts. A recent study conducted by GOV.UK found that 32% of businesses identified cybersecurity attacks within the last 12 months, with 48% of these companies identifying at least one breach every month. Usually, these attacks include activities such as spamming, phishing and stealing customer data.
In July 2019, it was reported that British Airways are
facing a record fine of £183m due to a website security breach causing 500,000
customer details to be harvested. Dixons Carphone, owner of Currys PC World and
Carphone Warehouse, also experienced a similar issue in 2017 with a potential 10
million customers affected. Security breaches such as these can cause
irreparable damage to your website, your reputation and customer loyalty, not
to mention the cost and resource behind fixing them.
Unlike many other platforms where security is often an add-on, Magento provides you with out-of-the-box security built into the very core of your eCommerce website. Combine these capabilities with our following top tips to help keep your Magento store safe and secure.
Use the latest version of Magento
Some businesses believe that upgrading
to the latest version of their web platform may not be as secure as the longer-standing
version. However, developers work hard to fix previous security issues before
releasing new versions. We advise businesses to stay informed regarding updates
and available versions to ensure your website includes the most recent security
enhancements. Once a new, stable version is released, testing should be done
before changes are implemented or before your site is
Protect your environment
Your Magento eCommerce store will
run smoothly when operated in a secure environment so it makes sense to protect
this environment to ensure your security. Keeping server software up to date,
deleting unnecessary software and applying security patches as recommended will
help with this. Additionally, you should limit outgoing connections to only
what is needed and use secure communication protocol like SSH, SFTP or HTTPS to
When sending confidential data such as login details, a secure connection is needed to prevent it being intercepted. In Magento, you can get a secure URL by checking the tab “Use Secure URLs” in the system configuration menu. Adhering to these recommendations will help protect your environment against hacking attempts. As a bonus, they also help make your website PCI compliant too.
Browse your own store
An effective way of keeping your eCommerce website secure is to regularly use it from your user’s point of view. By putting yourself in the shoes of your customers, you will be more likely to notice real-time issues at each point of the purchasing journey.
Only use trusted sources
Your eCommerce store will naturally
warrant a number of extensions to create the best shopping experience possible
for your users, but sometimes these extensions can compromise your store’s
security, making it easier for attackers to enter your site. As such, you
should give substantial consideration before installing any third-party
extensions. Do your research, investigate the reputation, quality and customer
reviews of extensions and only select from a reliable source where they will be
maintained and updated regularly.
Obfuscate your admin URL
Something as simple as your admin URL essentially being ‘non-guessable’ can go a long way in providing your system with an added layer of protection. Rather than having a generic and common URL such as “/admin/”, Magento 2 automatically generates a complex, unique URL during installation such as “/admin_3ds78fd/”. Anyone trying to gain access to your admin will first have to get your URL correct, a tough task for even the most determined.
Magento Security Only Patch 2.3.2-p1
Magento developers have been working hard to ensure Magento 2 is more secure by reducing their security issue backlog by over 93%. September 2019 will see the release of 2.3.2-p1, a new security-only patch for Magento Commerce and Open Source 2.3.2. This new patch gives merchants the ability to implement the necessary security fixes ahead of peak, but delays the less-time sensitive changes such as quality and performance.
The new flexible scheme provides a continuous path to functional and security fixes as well as giving you the option to take up a lighter 6-month security-only patch rather than the full release when required.
Be PCI compliant
Being PCI compliant is a necessity for any business, no matter how big or small, if you want to process card payments. It’s an important standard to adhere to otherwise your customers could be vulnerable and your business could be held liable if their data is breached. It also gives your online store another level of reputable security making it more trustworthy in the eyes of your users.
Use payment gateways
A payment gateway is a
communication between your eCommerce website and the bank that processes,
verifies and authorises or declines a customer’s card payment, they also play
an important role in your online store. Using an offsite payment gateway can
help to lessen the frequency and severity of credit card fraud by ensuring
there is no attack vector on your site and that your customer’s data is
encrypted and secure.
Audit your admin users
Your admin users should be audited regularly, and access should be removed for any users who no longer need use of the system. Additionally, names and passwords should be changed regularly to make it less likely for external people to log-in to the system. You can take your login security one step further with Magento’s two-factor authentication extension. Using this feature, admin users will need to pass another level of security in order to access the Magento Admin UI from any device. Finally, to secure your login process, protect the devices that are used to access your Magento system.
Backup your Magento store and create a recovery plan
Although implementing these top security tips will help prevent attacks, it’s equally important to have a functioning recovery plan. Even a basic plan will help you get back on track in case disaster hits. As Benjamin Franklin once said, “By failing to prepare, you are preparing to fail”. The same applies to your website.
Making backups of your site’s files
and databases will stand you in good stead, reducing the impact if an attack
does occur. In unfortunate cases like these, you will at least have the most
recent, undamaged backups to quickly restore information. You can back up your
files through your Magento account by downloading them with an FTP client and
the database can also be exported when necessary. Make sure you test the backup
regularly to ensure it can be restored if needed.
Customers prefer a secure website to shop on and with cyber-attacks regularly occurring across the eCommerce community, it’s even more important to instil trust in your users through a safe online store. Using these top tips and Magento’s out-of-the-box security features helps to reduce the chances of anything happening to your website. Always be sure to monitor for attacks and investigate any issues as soon as they happen. If you want to chat more about your website’s security, feel free to reach out to the team today.