Security Best Practices in Magento Development

If you’re running an e-commerce site, you’re definitely going to be an attractive target for hackers. This is because all e-commerce sites collect personal and payment information to process a sale.

Further, even if you don’t directly process credit card transactions, a simple compromise can enable hackers to reroute your customers to a fake page and even alter the orders before they’re transferred to a payment processor. As a result, it’s vital that you take security seriously right from the planning stages.

When it comes to e-commerce platforms, Magento is very popular. In fact, 22% of the top 100,000 online stores were built using Magento and Magento Enterprise. Its popularity can be attributed to the high-level customizability, functionality, and overall robustness.

But like with any other major development platform, security concerns will always be there. New vulnerabilities are not only being discovered, they’re also being exploited all the time.

The consequences of a compromised site can be far-reaching and long-term for both the merchants (significant damage to brand image, lawsuits, revoked privileges, and higher processing fees)  and the customers (identity theft and financial loss).

So what can you do to keep your customer data private and safe? 

2. Get it right from the beginning

When it comes to development platforms, Magento is the least attractive to hackers. But that doesn’t mean that a breach is unheard of. To help make an online store impenetrable, it requires a multifaceted approach.

There’s no single way to eliminate all the risk, but it’s important to note that 43% Magento vulnerabilities come from remote code execution. Further, it’s imperative that merchants, hosting providers, and system integrators work together to enable a secure environment (make sure that you always work with reliable system integrators and hosting providers).

It’s also a good idea to find out if they’re following industry standards and testing their code for vulnerabilities. Right from the start, it’s also a good idea to implement methods for early detection and have a plan of action in place to respond to a breach.

If you’re building a new website, it might also make sense to launch the entire website over HTTPS as Google now uses it as a ranking factor. But if it’s an existing installation, plan to upgrade and run it over an encrypted and secure HTTPS channel (you can simply redirect your traffic from HTTP to HTTPS).

2. Maintain a secure environment

It’s vital that you continuously protect your online store to maintain enhanced security. There are some simple steps you can take to maintain a robust and secure environment:

This means that even if you have other websites or database software on the server, the same rules apply.

Server Environment

To ensure that the server operating system is secure, work with your hosting provider to make sure that there are no unnecessary programs running on the same server. To manage files, disable FTP and only use secure communications protocols like HTTPS, SFTP, or SSH.

When using an Apache web server, use .htaccess file (to protect system files). If you’re using an alternate server like Nginx, ensure that all directories and system files are protected by checking out a sample configuration at GitHub.

Further, for .htaccess protection to work as intended, the web server must read .htaccess through the AllowOverride All directive in its configuration. You should also make sure that you do the following:

Are you looking to hire a team of professional Magento developers or get on-demand Magento consultants for your current project?
Send us your request!

Some Advanced Techniques to Consider

3. Protect your Magento installation

Protecting your Magento installation begins when you initialize the setup, continue with security-related configuration setting, continuous maintenance, and password management.

When you install Magento, make sure that it’s the latest version with the most up to date security enhancements. Further, use backend or a custom Admin URL instead of the default setting.

This will help reduce the risk of exposure to malicious scripts but check with your hosting provider to see if they will allow a custom Admin URL. You can also take advantage of security-related settings like CAPTCHA. Further, make sure that Core Magento and directory files (including app/etc/local.xml files) are set to read only.

4. Always be alert and prepared for a breach

Although it goes without saying, developers should remember to only install extensions from sources that are highly trusted. If it was a torrent or a paid extension that was published, never install it.

Being alert also extends to not opening suspicious emails or clicking suspicious links. But the reality is that it does happen every now and again, so be ready with a business continuity and disaster recovery plan.

Being prepared for the worst also includes the following:

5. Develop, implement, and follow your Disaster Recovery Plan

Responding to a security breach is a collective effort, so work with your internal team, hosting provider, and system integrator to ascertain the scope of the attack. By figuring out what exactly happened, you can choose how to respond to it.

You can respond to a security breach by doing all or some of the following:

Keeping all the important data secure will be an ongoing battle, so you really can’t afford to take your foot off the grass at any given time. But by planning and being proactive, you can significantly reduce the risk of an attack.

Has your online store ever been breached? What steps did you take to respond to the situation? 

Andrew is our IT storyteller and copywriter. His current undertaking is big data analytics and CSS as well as digital design and branding. He is a contributor to various publications with a focus on new technology and marketing.

Leave a comment