If you’re running an e-commerce site, you’re definitely going to be an attractive target for hackers. This is because all e-commerce sites collect personal and payment information to process a sale.
Further, even if you don’t directly process credit card transactions, a simple compromise can enable hackers to reroute your customers to a fake page and even alter the orders before they’re transferred to a payment processor. As a result, it’s vital that you take security seriously right from the planning stages.
When it comes to e-commerce platforms, Magento is very popular. In fact, 22% of the top 100,000 online stores were built using Magento and Magento Enterprise. Its popularity can be attributed to the high-level customizability, functionality, and overall robustness.
But like with any other major development platform, security concerns will always be there. New vulnerabilities are not only being discovered, they’re also being exploited all the time.
The consequences of a compromised site can be far-reaching and long-term for both the merchants (significant damage to brand image, lawsuits, revoked privileges, and higher processing fees) and the customers (identity theft and financial loss).
So what can you do to keep your customer data private and safe?
2. Get it right from the beginning
When it comes to development platforms, Magento is the least attractive to hackers. But that doesn’t mean that a breach is unheard of. To help make an online store impenetrable, it requires a multifaceted approach.
There’s no single way to eliminate all the risk, but it’s important to note that 43% Magento vulnerabilities come from remote code execution. Further, it’s imperative that merchants, hosting providers, and system integrators work together to enable a secure environment (make sure that you always work with reliable system integrators and hosting providers).
It’s also a good idea to find out if they’re following industry standards and testing their code for vulnerabilities. Right from the start, it’s also a good idea to implement methods for early detection and have a plan of action in place to respond to a breach.
If you’re building a new website, it might also make sense to launch the entire website over HTTPS as Google now uses it as a ranking factor. But if it’s an existing installation, plan to upgrade and run it over an encrypted and secure HTTPS channel (you can simply redirect your traffic from HTTP to HTTPS).
2. Maintain a secure environment
It’s vital that you continuously protect your online store to maintain enhanced security. There are some simple steps you can take to maintain a robust and secure environment:
- Ensure that all the software on the server is up to date
- Ensure that all security patches have been applied
This means that even if you have other websites or database software on the server, the same rules apply.
To ensure that the server operating system is secure, work with your hosting provider to make sure that there are no unnecessary programs running on the same server. To manage files, disable FTP and only use secure communications protocols like HTTPS, SFTP, or SSH.
When using an Apache web server, use .htaccess file (to protect system files). If you’re using an alternate server like Nginx, ensure that all directories and system files are protected by checking out a sample configuration at GitHub.
Further, for .htaccess protection to work as intended, the web server must read .htaccess through the AllowOverride All directive in its configuration. You should also make sure that you do the following:
- Immediately install patches when security issues have been identified to keep the system up to date
- Always use unique and strong passwords (and change them often)
- Magento uses many software components (OS, PHP, Redis, and MySQL database), so make sure that you closely monitor any reported issues
- Restrict access via an IP address and limit access to cron.php file
- Avoid using an administrator or root account to send emails
- Enable limited privileges for the database account
Some Advanced Techniques to Consider
- Enable data transfers by using private keys and automate the deployment process
- Update the whitelist with IP addresses for each authorized computer and limit access to Magento Admin and Magento Connect downloader
- Avoid installing extensions directly on the production server
- Use two-factor authorizations for Admin logins
- Make sure that you don’t have any publicly visible and accessible log files in .git directories. Further, check if there are database dumps, phpinfo files, tunnels to execute SQL helper scripts or any other unprotected files that can leave you vulnerable to an attack
- Limit outgoing connections
- Utilize a Web Application Firewall to identify suspicious patterns through traffic analysis (check out how we used OWASP ZAP for security testing)
- Ensure that antivirus software is up to date
- Delete server access accounts of former contractors and employees
3. Protect your Magento installation
Protecting your Magento installation begins when you initialize the setup, continue with security-related configuration setting, continuous maintenance, and password management.
When you install Magento, make sure that it’s the latest version with the most up to date security enhancements. Further, use backend or a custom Admin URL instead of the default setting.
This will help reduce the risk of exposure to malicious scripts but check with your hosting provider to see if they will allow a custom Admin URL. You can also take advantage of security-related settings like CAPTCHA. Further, make sure that Core Magento and directory files (including app/etc/local.xml files) are set to read only.
4. Always be alert and prepared for a breach
Although it goes without saying, developers should remember to only install extensions from sources that are highly trusted. If it was a torrent or a paid extension that was published, never install it.
Being alert also extends to not opening suspicious emails or clicking suspicious links. But the reality is that it does happen every now and again, so be ready with a business continuity and disaster recovery plan.
Being prepared for the worst also includes the following:
- Make sure that the database and server are automatically backed up to an external location (test regularly and verify that it’s stored)
- Implement a professional database backup solution
- Engage in complete security reviews often to check signs of attacks (like unauthorized Admin users)
- Utilize automated tools like Apache Scalp for log reviews
- Implement an IDS or Intrusion Detection System (you’ll have to work with your hosting provider)
- Use tools like TripWire to check data and file integrity
- Monitor all system logins to identify suspicious or unexpected activities
5. Develop, implement, and follow your Disaster Recovery Plan
Responding to a security breach is a collective effort, so work with your internal team, hosting provider, and system integrator to ascertain the scope of the attack. By figuring out what exactly happened, you can choose how to respond to it.
You can respond to a security breach by doing all or some of the following:
- Block access to the website immediately to restrict the removal of evidence or the loss of more data
- Back up the current website with the compromised files or malware
- Check if your website has become part of a botnet
- Review server log files to try and identify how the site was compromised and when exactly it happened
- Whenever possible, wipe it clean and reinstall everything from known (and clean) sources
- Reset credentials and (re)apply all the latest security patches
- Inform the payment processor and customers immediately if payment data was compromised
Keeping all the important data secure will be an ongoing battle, so you really can’t afford to take your foot off the grass at any given time. But by planning and being proactive, you can significantly reduce the risk of an attack.