A Merchant’s Guide To Protecting Magento StoreFronts
“There’s no such thing as unhackable” – says Sahil Chug, MageHost CEO at #MM20IN
This post, inspired by the informative session by Sahil Chug at Meet Magento India 2020, is a merchant's guide to protecting Magento storefronts which anyone responsible for Magento store security can also use as a reference.
Why is Magento Store Security Important?
When customers see data breaches, especially at high-profile online brands, they lose trust in e-commerce. Even if the store resolves the issue quickly, customers still conclude that it did not have adequate security in place to begin with.
Once that trust is lost, the merchant faces repercussions that go well beyond the direct monetary loss.
There is also the constant possibility of a blacklist warning from Google and other search engines. Besides harming search rankings, your host can suspend the store on suspicion of malicious activity.
Recovering from a breach is therefore far harder than preventing one, and harder still for small online businesses.
How is Magento Store Security Compromised?
Check whether any of the following applies to your Magento 1 or Magento 2 store:
- Magento security patches not applied
- Poorly written or unmaintained extensions
- Web server exploits
- PHP exploits
- SQL injection
- Sensitive Magento URLs left publicly reachable
If you suspect a breach, confirm it by comparing the deployed files with the code in git (or a clean local checkout of the same release). Any files or code present on the live server but absent from the repository are candidates for injected malicious code and should be examined first.
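The comparison described above, written out as an added example (this is not code from the post or from Sahil Chug/MageHost). It assumes the standard Magento 2 layout (pub/media for uploads, app/etc/env.php for environment config) and takes two paths: a clean checkout of the release you deployed and a copy of the live web root. The function names are my own. It reports files that exist only on the live server, files whose contents differ from the checkout, and PHP code hiding under pub/media, which the diff skips because uploads are never in git.

```sh
#!/bin/sh
# Added example, not code from the post or from MageHost/Meetanshi: confirm a
# suspected compromise by comparing the live document root against a clean
# checkout of the same release, then looking for PHP hidden under pub/media.
# Assumed layout (standard Magento 2): CLEAN is a fresh git checkout or the
# release archive you deployed from, LIVE is a copy of the server's web root.
# Run it from a trusted machine: tools on a compromised host cannot be trusted.
set -u

# Code files under a document root, minus paths that legitimately differ
# between a checkout and a deployment (runtime data, compiled code, static
# assets, uploads and the environment-specific config).
live_code_files() {
    ( cd "$1" && find . -type f \
        ! -path './.git/*' ! -path './var/*' ! -path './generated/*' \
        ! -path './pub/static/*' ! -path './pub/media/*' \
        ! -path './app/etc/env.php' ) | sort
}

# Files on the live server that the clean checkout does not contain at all:
# dropped web shells and attacker "helper" scripts show up here.
added_files() {
    clean="$1"; live="$2"
    live_code_files "$live" | while IFS= read -r rel; do
        if [ ! -e "$clean/$rel" ]; then printf '%s\n' "${rel#./}"; fi
    done
}

# Files present in both trees whose bytes differ: a skimmer appended to
# index.php or injected into a core .phtml template shows up here.
modified_files() {
    clean="$1"; live="$2"
    live_code_files "$live" | while IFS= read -r rel; do
        if [ -e "$clean/$rel" ] && ! cmp -s "$clean/$rel" "$live/$rel"; then
            printf '%s\n' "${rel#./}"
        fi
    done
}

# pub/media holds uploads, is never in git and is often world-writable, so the
# diff above skips it.  Nothing under it should be PHP: flag PHP-like
# extensions and, separately, PHP open tags smuggled into "image" files.
php_in_media() {
    live="$1"
    find "$live/pub/media" -type f | sort | while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml|*.phar|*.php[0-9])
                printf '%s\n' "${f#"$live"/}" ;;
            *)
                if grep -q -e '<?php' -e '<?=' "$f"; then
                    printf '%s\n' "${f#"$live"/}"
                fi ;;
        esac
    done
}

# Usage: sh integrity_check.sh /srv/releases/clean /var/www/magento
if [ "$#" -eq 2 ]; then
    printf '== files only on the live server ==\n';     added_files "$1" "$2"
    printf '== files modified on the live server ==\n'; modified_files "$1" "$2"
    printf '== PHP code under pub/media ==\n';          php_in_media "$2"
fi
```

Every path it prints is a lead, not a verdict: a modified index.php or a .gif containing `<?php` is a strong indicator, while a file that only exists on the server may be a legitimate hotfix nobody committed. For a Magento 1 store the upload directory is `media/` rather than `pub/media/` and the environment config is `app/etc/local.xml`, so adjust the excluded paths accordingly.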
Common Magento Malware Endangering Store Security:
- Magecart
- Cloud Harvester
- Shoplift Malware
- Magento Killer
- GuruInc Malware
- Visbot Malware
- MagentoCore
Steps to Protecting Magento StoreFronts From Hacks:
Here are the actions you can take to make your store a secure shopping destination for your customers:
- Install Magento security patches
- Avoid poorly written extensions: use only extensions that follow Magento coding standards and come from vendors who maintain them.
- Assign clear responsibility for security: who applies patches, who monitors the store and who responds to an incident.
- Choose a Magento hosting partner with real Magento expertise who can help when a breach happens.
- Block direct web access to sensitive Magento paths (configuration, var and similar directories) at the web server.
- Harden PHP and the web server.
- Set a custom Magento admin URL instead of the default /admin.
- Add brute-force protection for the admin URL and restrict it by IP, so that only specific addresses can reach it.
- Enable 2FA for all admin accounts.
- The media folder is commonly left world-writable (777). Never place PHP files in the media folder, and scan it regularly for files containing PHP code.
- Block Magescan and Magereport. Sahil recommends blocking these scanners because the information they collect about a store while scanning can also be used to attack it.
- Use strong passwords and rotate them regularly.
- Keep keys and credentials out of code; put them only in configuration files (app/etc/env.php in Magento 2).
- Don't leave test files on the live server.
- Don't leave database backup files on the live server; anyone who guesses the URL can download them.
- Don't reach for 777 permissions whenever something goes wrong; fix the specific ownership or permission instead.
- Keep backups and a disaster recovery plan, and test that the backups actually restore when things break down.
- Get PCI compliant. Check https://www.pcisecuritystandards.org/
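Several items on the checklist above (the custom admin URL, the 777 habit, test files and database dumps left in the web root, and keys kept in code rather than in the settings file) can be audited from the command line. The following is an added example, not code from the post or from MageHost/Meetanshi; it assumes the standard Magento 2 layout, in particular that app/etc/env.php holds the admin path as `'backend' => ['frontName' => ...]` and that custom modules live under app/code. The function names and the list of file patterns are my own choices.

```sh
#!/bin/sh
# Added example, not code from the post or from MageHost/Meetanshi: a quick
# hygiene audit of a Magento 2 web root covering four checklist items above,
# namely the default admin URL, world-writable paths, backup/test files left
# under the document root, and credential-looking literals in custom code.
# Assumes the standard Magento 2 layout (app/etc/env.php with a
# 'backend' => ['frontName' => ...] entry, custom modules under app/code).
set -u

# Admin URL still the default?  Magento 2 stores the admin path as
# backend.frontName in app/etc/env.php.  Returns 0 (true) and prints the
# offending line when it is still 'admin'.
admin_url_is_default() {
    grep -E "'frontName' *=> *'admin'" "$1/app/etc/env.php"
}

# Files and directories writable by everyone (the chmod 777 habit).  Symlinks
# are skipped because their mode bits are meaningless.
world_writable() {
    ( cd "$1" && find . ! -path . ! -type l -perm -0002 ) | sed 's|^\./||' | sort
}

# Database dumps, archives and diagnostic scripts that should never sit under
# the document root: the web server will happily hand them to anyone who
# guesses the URL.  vendor/, var/ and dev/ are skipped here (var/ must itself
# be outside the served tree or blocked at the web server).
leftover_files() {
    ( cd "$1" && find . -type f \
        ! -path './vendor/*' ! -path './var/*' ! -path './dev/*' \
        \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' -o -name '*.zip' \
           -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
           -o -name 'phpinfo.php' -o -name 'info.php' -o -name 'test*.php' \) ) \
        | sed 's|^\./||' | sort
}

# Credential-looking string literals inside custom modules.  Keys belong in
# app/etc/env.php or environment variables, not in PHP under app/code.
# Output is grep's file:line:text form; it is a list to review, not a verdict.
secrets_in_code() {
    [ -d "$1/app/code" ] || return 0
    ( cd "$1" && grep -rniE \
        "(api_?key|secret|password|token)['\"]? *(=>|=) *['\"][^'\"]+['\"]" \
        app/code ) | sort
}

# Usage: sh hygiene_audit.sh /var/www/magento
if [ "$#" -eq 1 ]; then
    if admin_url_is_default "$1" >/dev/null; then
        printf 'FAIL: admin URL is the default /admin (set a custom backend frontName)\n'
    fi
    printf '== world-writable paths ==\n';                    world_writable "$1"
    printf '== backups / test files in web root ==\n';        leftover_files "$1"
    printf '== credential-looking literals in app/code ==\n'; secrets_in_code "$1"
fi
```

Run it as part of every deployment rather than once: a dump left behind by a migration or a quick `chmod -R 777` applied during an outage is exactly the kind of drift a one-off audit misses. The secrets check is deliberately broad and will flag harmless configuration-key names too; the point is to review each hit, and to move anything real into app/etc/env.php, which should never be committed to git.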
Use this as a checklist and work through every item. No store is unhackable, but each item closes a common way in.
Risking the security of the Magento store is risking the business. Investing time and money in precautions is the only wise thing to do.
Please share this post with Magento store owners on your social media profiles and help make the internet a safer place for shopping.
Have I missed any point that would help protect Magento storefronts? Please mention it in the comments section below.
Thank you.
Keep the security of your Magento store updated to the highest level using our Magento Security Patches Installation Service.
Shivbhadrasinh Gohil
Shivbhadrasinh is the Co-founder & Chief Marketing Officer at Meetanshi. He leads the marketing team and is the person behind the marketing & branding success of the company. Being a seasoned digital marketer, he has been consulting online businesses for growth since 2010 and has helped 100+ clients with digital marketing success.
He loves sharing tips and insights about the latest digital marketing trends aimed at helping online business owners.