4 steps you should take to improve your Magento Security
Magento is a platform that is ever increasing in popularity and status, with a market share of 26% of the top 1 million Alexa ranked ecommerce websites being on the Magento Platform (HiveMind, 2015). A negative of such popularity is that, by nature, there are more attempted attacks by malicious users when compared to lesser-known and used ecommerce platforms. As attackers get smarter and seek new methods to disrupt your business, it has become imperative to implement preventive measures and security procedures to help boost your Magento Security.
Recently, it was discovered that there were over 1,000 compromised Magento websites which were stealing customer details and installing malware to mine cryptocurrencies on the user’s machines (Leyden, 2018). Usually, this is a result of missing core security patches provided by Magento. In this article, we provide a few simple implementations that could help you reduce the likelihood of a breach and help you be a responsible eCommerce owner.
Magento Security Scanner tool
Magento are actively providing security patches for both their Magento 1 and Magento 2 platforms. In addition they have provided their own Security Scanner which is available to anyone who has a registered Magento.com account. The tool is completely free and allows you to get an insight into missing patches and information regarding Magento’s security best practice.
To set this up, log into your Magento account at Magento.com and navigate to ‘My Account’ which will provide you with the ‘Security Scan’ option as illustrated below or simply click this link.
Firstly, you will need to verify ownership of the website that you seek to scan. Magento provides a confirmation code which you can add via your website admin panel (it will look like this: <!--34b703e1041fcfe0a732f56df99c6452-->). In Magento 1, you can do this by navigating to System > Configuration > General > Design and amending the HTML head or footer. In Magento 2 this depends on your version; for Magento 2.0.x websites, navigate to Stores > Configuration > General > Design and add the code to the HTML head or footer.
For Magento 2.1.x and 2.2.x versions, follow Content > Design > Configuration, click "Edit" on the relevant theme and then add the HTML code into your header or footer.
It is likely that you will need to navigate to Cache Management and refresh any invalidated caches for your changes to be reflected. You can check whether your tag was added successfully by opening a new tab in Google Chrome with view-source:https://WEBSITE-NAME-HERE.com/, pressing Ctrl + F (or Cmd + F on Mac) and searching for the same HTML code you added in the admin, e.g. <!--34b703e1041fcfe0a732f56df99c6452-->.
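The view-source check above can be scripted, which is handy when you manage several stores. This is an added example, not code from the article or from Magento; it only accepts the code as a genuine HTML comment, so a copy that was pasted into a WYSIWYG field and ended up escaped as visible text (a constructed failure case below) is reported as not live. The `check_site` helper and the sample HTML documents are assumptions constructed for the example.

```python
from html.parser import HTMLParser
import urllib.request

# Confirmation code quoted in the article; a real account receives its own value.
VERIFY_CODE = "34b703e1041fcfe0a732f56df99c6452"


class CommentCollector(HTMLParser):
    """Collects the text of every real HTML comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def tag_is_live(html, code=VERIFY_CODE):
    """True only if the code is present as a genuine HTML comment.

    An escaped copy (&lt;!--code--&gt;) is rendered as visible text, not as a
    comment, so the parser never reports it and the check deliberately fails.
    """
    parser = CommentCollector()
    parser.feed(html)
    return code in parser.comments


def check_site(url, code=VERIFY_CODE):
    """Fetch the homepage and run the same check (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return tag_is_live(resp.read().decode("utf-8", "replace"), code)


# Constructed samples: tag added correctly, stale cache (tag missing), tag escaped as text.
GOOD_HTML = "<html><head><!--34b703e1041fcfe0a732f56df99c6452--></head><body></body></html>"
STALE_HTML = "<html><head><title>Shop</title></head><body></body></html>"
ESCAPED_HTML = "<html><body>&lt;!--34b703e1041fcfe0a732f56df99c6452--&gt;</body></html>"
```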
You can then proceed to verify the site’s status using the Magento Scanner. Using the scanner you can set up a weekly or daily scan to automate a scheduled health check for your Magento website, to make sure you keep on top of Magento’s latest guidelines and practices. After running your first scan you will then be able to download the contents of the report as a PDF for reference or to send to your relevant website developer or agency.
Magento also announced that they will be adding an option to set up an SSH scan, which will give you the ability to scan your website files against known malware signatures.
Sucuri Website Monitoring tool
Sucuri.net is a security provider that gives website owners a set of tools to identify malware on your Magento store and provide file integrity checking. The difference between the Magento Scanner and the Sucuri Scanner is that Sucuri provides server-side scanning, which means the actual files of your Magento website are scanned daily for any known malware signatures, with Slack, SMS and/or email alerts to advise you of anything considered suspect and requiring human review. It is important to mention that this is a paid service; billing plans can be found here.
Setting up server-side scanning is easy: after logging in, click "Website Monitoring" and add your domain. To initiate scanning, you will need server/FTP access to upload an encrypted Sucuri PHP file into your Magento root. Navigate to Settings and look for "Server Side Scanner"; from there you can hit "Enable Manually" to download the PHP file required to begin scanning.
After following the Sucuri instructions and verifying your domain you can let this run and you will be emailed if there is anything suspicious going forward.
Magento Patches and third-party updates
Of course, alongside these two additional precautions, we cannot stress enough the importance of regular Magento patches and third-party module updates. At Two Jay we focus our builds on using as much native Magento functionality as possible; however, we understand that bespoke code and third-party modules are sometimes required to fulfil the needs of your website. It's critical that bespoke code is created with an eye on security and that third-party modules are updated regularly. An outdated module or poorly written code may provide easier access to a malicious user. Reports suggest that 66% of breaches are traced back to a third-party service provider (Patterson, 2017), which is why it's essential to be vigilant and restrictive about which third-party vendors you trust.
Magento have spent considerable time over the past year cracking down on rogue third-party modules. We strongly advise that you purchase modules through Magento’s verified Marketplace. Modules on the Magento Marketplace undergo strict internal testing by Magento and are likely to be more secure.
Prevent unwanted Admin logins
The Magento Admin can be prone to attack via an array of methods including brute force attacks, which is essentially a trial and error method to guess a user’s password. Although many Magento sites opt to rename their admin path, we strongly recommend that whitelisting is in place to prevent attacks. As an example, a recent article from our Technical Director ‘Is your Magento Admin Panel secure?’ demonstrates that in some cases your admin path can become visible and indexed in search engines, despite a randomized path.
We also advise that you refrain from using common usernames such as "Admin", "Developer" or a person's first name, as this increases the total time required to guess your username and password during a brute force attack. Using a corporate password manager such as LastPass allows you to create strong passwords that are stored safely, removing the need to remember each individual password and therefore allowing users to create complex, secure and unique passwords.
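Whitelisting is enforced at the web server, but the same allowlist can be used to review access logs for admin traffic that got past it or for password-guessing bursts. This is an added example, not code from the article or from Magento; it assumes a combined-format access log, an admin path of /admin, and a constructed allowlist of office ranges, and the sample log lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed admin path and a constructed allowlist of office/VPN ranges (RFC 5737 addresses).
ADMIN_PATH = "/admin"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Combined-format access log: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>[^?\s]+)')

def parse_line(line):
    """Return ip/ts/method/path (query string dropped) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def admin_alerts(lines, max_posts=5, window_s=60):
    """Map IP -> reasons: admin hits from outside the allowlist, or > max_posts POSTs in window_s."""
    posts, alerts = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (rec["path"] == ADMIN_PATH or rec["path"].startswith(ADMIN_PATH + "/")):
            continue
        ip = rec["ip"]
        if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS):
            if "outside allowlist" not in alerts[ip]:
                alerts[ip].append("outside allowlist")
        if rec["method"] == "POST":
            posts[ip].append(rec["ts"])
    for ip, stamps in posts.items():
        stamps.sort()
        # Burst check: any max_posts+1 consecutive POSTs closer together than window_s seconds.
        for i in range(len(stamps) - max_posts):
            if (stamps[i + max_posts] - stamps[i]).total_seconds() <= window_s:
                alerts[ip].append(f"{max_posts + 1}+ admin POSTs within {window_s}s")
                break
    return dict(alerts)

# Constructed sample: one allowed office login, then a burst of login POSTs from elsewhere.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2018:09:00:05 +0000] "POST /admin/ HTTP/1.1" 302 0',
] + [
    f'198.51.100.7 - - [10/Mar/2018:09:01:{sec:02d} +0000] "POST /admin/ HTTP/1.1" 200 4096'
    for sec in range(0, 30, 5)  # six POSTs in 25 seconds
]
```

Running `admin_alerts(SAMPLE_LOG)` flags only 198.51.100.7, for both being outside the allowlist and for the burst of POSTs.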
To add another level of protection to the Magento Admin panel, you can now implement two-factor authentication (2FA). 2FA is readily available in Magento 2.1.x and 2.2.x versions, which you can read more about here. If a Magento Admin username/password were to be cracked, 2FA would prevent login until it was verified using the correct admin's mobile phone. For Magento 1, there are modules available (for example from Amasty) which also offer this.
A security breach could cause huge disruption to your business, and in addition to this, new GDPR data protection laws heavily punish irresponsible eCommerce providers. Taking the above steps to help protect your website from a breach will reduce the risks and provide you with slightly more peace of mind.
If you have concerns or queries regarding your Magento security, please feel free to reach out to one of our Magento certified specialists via email.