If Magento is kept up to date, and your server is secure, the platform offers excellent stability and security. Because it’s open source, Magento has attracted a thriving community of independent developers, consultants and security experts who dedicate a lot of their time to learning the ins and outs of the software. This dramatically increases the chances of major and minor security flaws being flagged up and resolved before they can be exploited. Magento do also carry out a lot of security work in-house; regularly releasing patches and updates that are designed to address specific vulnerabilities.
This is doubly true for Magento Commerce, which benefits from additional, hands-on support and a suite of built-in diagnostics that make it very easy for developers to spot potential hazards.
That said, Magento is now one of the largest eCommerce platforms on the market, and that can cause some security problems in its own right. According to statistics released in 2017, 28% of all eCommerce stores are now powered by Magento, and that makes its codebase a very tempting target for hackers looking to scrape credit card data, steal personal data or do widespread damage to a variety of businesses.
Hacks, attacks and exploits are rare, but they do happen. Just last year, a vulnerability with certain editions of Magento community edition allowed hackers to execute code remotely, prompting worries about potential vulnerabilities. Ultimately a patch was rolled out and the issue was resolved in a matter of weeks, but there was a small window within which unsecured sites might have been open to attack of some kind.
In our opinion, the security concerns are never enough of an issue to factor into any decision about whether or not to build on Magento; all platforms can be exploited, and there is always going to be some small risk when running an eCommerce store.
There is still a real benefit to knowing how a Magento site can be secured though; particularly if you want to safeguard against potential exploits. Even small changes like the implementation of better password policies can make a huge amount of difference, and good practice will help to mitigate the risk of damage or data loss as hackers become ever-more advanced
We’ve put together this guide to help you secure your magento store using current best practices and our own in-house security processes. Read on for a series of actionable steps that you can discuss with your development agency, as follows:
Check that the latest patches & security updates are installed
Making sure that you are up to date with the latest security patches & updates should always be your number one priority. Whenever Magento are made aware of a potential vulnerability, they pull together an update that seeks to prevent the exploit in the most efficient manner possible
(At the time of writing (March 6th 2018) Magento had just pushed their 2.2.3, 2.1.12 and 2.018 security update: the second patch to be released in 2018. This update was designed to correct an issue with a cross-site scripting error that could have allowed an attacker to inject malicious code into a Magento eCommerce store remotely.)
Failing to install the latest patch means that you’ll be vulnerable to whatever exploit it’s designed to fix. Once a patch has been announced, the risk does increase as well; the supporting documentation does often outline the vulnerability that the patch is designed to address, and attackers can use this information to go out and begin very targeted attacks on sites that haven’t installed the relevant update.
To stay abreast of the latest patches, you can always check Magento’s patch resource (visable here) which features a chronological list of the newest patches.
When it comes to installing the latest patch, your dev agency should always be more than willing to help you get the latest updates installed as soon as they possibly can. The time that it actually takes to install a patch can vary hugely, depending on the way that your site is structured, the extensions your using and the specific bits of code that the patch changes, but it’s always worth making installation a priority anyway. Failure to do so can leave you open to attack, and nullify a lot of the advantage gained by working through the rest of the steps that we’ve outlined below.
Scan for vulnerabilities and weaknesses
To be doubly sure that you haven’t overlooked a potential flaw, you can also run your domain through Magento’s own site security scan tool. This powerful application automatically scans for a variety of common issues, and then provides you with a full, step by step breakdown of the types of attack that your store might be vulnerable to.
It does also provide some basic action points to help you secure your store as quickly as possible.
your dev team should be more than happy to talk through the results of this test with you. Nine times out of ten, simply implementing Magento’s recommendations will immediately correct the vulnerability. Where more work is required, Magento do also publish a lot of their own research and documentation around the various safeguarding measures that you can implement, and we’d recommend working through their recommendations with your dev agency as quickly as possible.
Magento’s site security scan tool is relatively new, but from what we’ve seen so far it is very accurate, and the information that it provides is clear. Signing up is relatively arduous process that’s similar to the registration process for Google Search Console(you have to create an account and verify ownership of your site before you can begin), but once you’re registered, you simply drop your URL into the field provided and let it go to work.
The search tool isn’t completely foolproof – it can only identify issues that Magento are already aware of, but it does at least allow you to ensure that a good foundation is in place for any further security work.
Lock down access to your admin panel
The majority of data breaches (malicious or otherwise) occur when people gain unauthorised access to your admin panel. As with all eCommerce platforms, Magento’s admin panel acts as a gateway to a wealth of sensitive information, including order details, customer details and sensitive data around business trends. This makes ensuring that people cannot phish, reverse engineer or brute force your password an absolute priority.
There are two key ways of doing this. Firstly, you can look at locking down the admin panel so that it can only be accessed via a specific IP address. This is done at a server level (agan, your dev agency can help)and ensures that unknown third parties are blocked from even entering login details which makes it a very safe choice. The only downside is that you have to manually whitelist every IP address that you want to have access, which is fine if everyone works from a single office, but can quickly become a headache if you are split across multiple locations and/or want to work from home.
The other option available to you is to set up some sort of two-factor authentication on the admin page. This involves installing an extension and/or purchasing a cloud-based solution that will push a randomised code to a preselected phone or tablet when you try to log in. You’ll then need to add this code alongside your regular password to gain access to your site, stopping attackers who don’t have access to the selected device from brute forcing their way into your store’s backend. This is probably a more costly solution, but it is slightly more flexible and allows you to avoid making repeat whitelisting requests to your hosting company.
Introduce a robust password policy
Beyond locking down the admin and installing patches, it’s also worth considering the simple things that can be done to make hacking your site more difficult. Introducing a company-wide password policy, where you specify minimum length, ask people to include a capital letter, and force people to recycle their passwords every 3 months can really help to cut down on the chances of an unwanted user gaining access to your store.
Asking people not to give out their password, and reminding them that it’s important not to write it down and/or save it on the computer that they are using to access your site can also really help.
Ensure that you are using HTTPS
Switching from HTTP to HTTPS is another important step. Doing so encrypts all of the data that flows between you, your site and your users
This ensures that sensitive information can’t be logged by malware, and used to attack your site later on. Switching to HTTPS does also prevent credit card information from being skimmed while it’s in transit and there’s even some evidence to show that it provides a small boost to your organic search rankings (more on that here).
Unfortunately switching to HTTPS will involve a reasonable amount of work – every single HTTP link will need to be redirected to prevent 404 errors, and you’ll also need to obtain a valid SSL certificate from a licensed vendor, but we think it’s a very worthwhile process.
Ultimately, investing in secure, end-to-end encryption ensures that your customers are safe, and guarantees that your site can be trusted. Anecdotally, our UX consultancy and user testing work has previously revealed that people do value the trust signals that HTTPS sends as well.
In particular, a lot of savvy online shoppers refuse to engage with sites that lack the ubiquitous green padlock icon that appears to the left of site URLs on the address bar.
Audit New Code
Every time your developers push new code to your live site, there’s a risk that they’ll accidently introduce a new vulnerability, or break something that stops a security feature from working properly. As your site ages, and the amount of new code piles up, the chances of this happening get higher, and you start to see a lot of unexpected results,
This is one of the few instances in which Magento’s complexity can act as both asset and weakness, and the unfortunate truth is that it’s often very difficult to anticipate the way that a piece of code will act on your site unless someone takes the time to explore any unforeseen interactions or potential pitfalls.
That’s why we’d always recommend testing and/or auditing new code before it is pushed to live; irrespective of the size of change that you’re making. The time that it takes in the short-term will be offset by the amount of time, money and energy that you’ll save in the long-run, even if there’s only a bug .1% of the time.
Again, your Magento agency should be able to help with this.
Still have a Magento security question?
If you’re still worried that your site might be vulnerable, or want more advice on locking down your store, just use the contact form on our site to send us an enquiry.
We’ve helped plenty of brands to secure their eCommerce platform from unwanted intruders and we’ve also helped companies to recover from attacks too so we’re confident that we’ll be able to help.