If you have a successful Magento eCommerce store, an attack could completely cripple your business, but even if you are still relatively small you don't want your life thrown up in the air by malicious hackers.
Even if you do back your store up regularly, and I'm really hoping you do, there will be sensitive data and it's your duty to protect it. So you need to keep it safe not just for yourself, but for your users so someone can't get their hands on it.
Even if an attack isn't personal and doesn't crush your business it will still waste hours or days of your life, so let's look at some Magento security vulnerabilities to guarantee your safety.
1 - Get The Basics Nailed First
If you thought someone capable of running a successful eCommerce business would be smart enough to handle the basics, I'm afraid to say you'd be sadly mistaken. You won't make any of these mistakes, but just in case you've overlooked one we'll quickly touch on them anyway.
• Choose A Complicated Username And Password: Check common password lists; if your password is on one, you are out of luck (look at some of the examples people use and it will make you laugh).
• Don't Use The Same Details Twice: If your username and password are the same on another website, guess who has access to your store?
• Use Password Management Software: You will need access to your login details on your computer, and the only way to protect them is with software like LastPass.
2 - Change Your Current Admin Path
Hackers now have ways to hit your website so hard with a brute force attack, they'll be able to come up with millions of potential login combinations in a matter of seconds.
So you're not hit by generic bots, you'll want your admin URL path not to be running on the default, like storename.com/admin; instead, change it to a random string such as storename.com/sdajs23sad901/.
Hackers won't even be able to attempt a bot-based brute force attack, as the URL just won't exist. You can contact customer support for help doing this if you're not tech savvy, but inside your local.xml file you'll find something that looks like '' and it's the 'admin' part you can change.
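As an added example (not code from the original post or from Magento itself), here is a small Python script that reads a Magento 1 app/etc/local.xml, reports whether the admin front name is still the default `admin` that bots try first, generates a random replacement from a cryptographically secure source, and writes the modified configuration back. The local.xml sample inside it is constructed for the example and reduced to the elements the check needs; the element path admin/routers/adminhtml/args/frontName is the one Magento 1 reads.

```python
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1 app/etc/local.xml, cut down to the
# elements this check needs. The admin front name is still the default.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Sat, 01 Jan 2000 00:00:00 +0000]]></date>
        </install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

FRONT_NAME_PATH = "./admin/routers/adminhtml/args/frontName"
DEFAULT_FRONT_NAME = "admin"  # what Magento 1 falls back to when local.xml sets nothing
SAFE_CHARS = set(string.ascii_letters + string.digits + "_-")


def admin_front_name(xml_text: str) -> str:
    """Return the configured admin front name, or the default when it is unset."""
    root = ET.fromstring(xml_text)
    node = root.find(FRONT_NAME_PATH)
    if node is None or not (node.text or "").strip():
        return DEFAULT_FRONT_NAME
    return node.text.strip()


def is_default_admin_path(xml_text: str) -> bool:
    """True when the backend still answers at /admin, the path generic bots hit first."""
    return admin_front_name(xml_text).lower() == DEFAULT_FRONT_NAME


def random_front_name(length: int = 16) -> str:
    """Build an unguessable front name (lowercase letters and digits) from a CSPRNG."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def set_admin_front_name(xml_text: str, new_name: str) -> str:
    """Return the local.xml text with the admin front name replaced.

    Creates the admin/routers/adminhtml/args/frontName chain if it is missing,
    so the function also works on a local.xml that never set a front name.
    """
    if not new_name or not set(new_name) <= SAFE_CHARS:
        raise ValueError("front name must be non-empty and URL-safe")
    root = ET.fromstring(xml_text)
    node = root
    for tag in ("admin", "routers", "adminhtml", "args", "frontName"):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    node.text = new_name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("current front name:", admin_front_name(SAMPLE_LOCAL_XML))
    print("still on default /admin?", is_default_admin_path(SAMPLE_LOCAL_XML))
    new_name = random_front_name()
    updated = set_admin_front_name(SAMPLE_LOCAL_XML, new_name)
    print("new front name:", admin_front_name(updated))
    print("still on default /admin?", is_default_admin_path(updated))
```

Magento 1 caches its merged configuration, so after writing the new local.xml the cache (var/cache) has to be flushed before the new path takes effect; Magento 2 keeps the equivalent setting in app/etc/env.php instead of local.xml, so this check applies to Magento 1 stores only.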
3 - Keep Everything Up-To-Date
If Magento releases an update, it could be because they were worried about a potential security risk or they discovered a zero-day threat. If you don't bother to keep your store updated you'll be vulnerable to an attack. Also, hackers will have deployed bots looking for sites with the vulnerability and if/when they find yours you'll be cooked.
This also includes all your Magento extensions, and they're probably an even bigger security risk. Therefore, only use an extension from someone you trust, which is easy to find out thanks to the other people using it and leaving reviews.
This doesn't have anything to do with Magento security specifically, but keep your computer safe from malware and viruses too. You only need someone to install a keylogger or malware on your system and they'll be able to obtain all your details.
4 - You Need A Trusted SSL Certificate
Just like anything else in this world, SSL certificates are not all created equal. You'll need one when you own an eCommerce store and accept card payments or take customer details, but you must pick up your SSL certificate from a trusted source.
As you may or may not know, SSL (https://) protected pages on your site exist so the sensitive information your customers type in stays encrypted in transit. This is perhaps the most crucial Magento security tip you should listen to, because if someone steals your customers' information it won't only hurt them; it will leave your brand in ruins. SSL certificates are there to prevent man-in-the-middle attacks.
5 - Be Careful About The Access You Give Employees
If you are running a successful store with a number of different employees, they'll all need access to the backend. They certainly don't need administrative access to everything: each person should only get access to the items they need and no more. All employees should have their own logins, and logs should be kept which can't be accessed by anyone except key trusted staff.
Think of your store like a CIA building where everyone will have their own keycard. Every employee will only be able to enter certain areas of the building and with your store they'll all only be allowed access to certain areas of your admin panel.
If you're working with developers or any other contractors, you should ideally create new access credentials just for them. These need to be deleted or suspended as soon as the task is finished. Also make a quick manual backup before they start. If you can't give them separate access, change the passwords before and after they do the work. After all, these are the keys to the kingdom and you never know how things will go.
Note: Remember most theft is from internal sources!
6 - Spend Money On The Right Website Hosting
Do you know anyone who wants to build a million-dollar business yet they expect to use the cheapest hosting available? If you don't have secure website hosting it's an easy way for someone to get inside your store, but luckily you don't need to worry.
Solid web hosting is a hundred times cheaper than it was a decade ago, so now there is no excuse for anyone not to invest in their future by getting the right website hosting. As well as extra Magento security, you'll also get many more benefits along with it.
Budget hosts with outdated operating systems, weak firewalls or poor staff support are a recipe for disaster. Do your research before committing, and don't assume a host is the best just because its website says so. Marketing spin doesn't mean fact.
7 - Two-Factor Authentication Should Be Mandatory
You'll find all the biggest sites in the world offer you two-factor authentication, and there is a reason why. It's certainly not to make your life more difficult, even though it will feel that way when you need to enter an extra code before you can log into your store.
But once you realize your livelihood is at stake, it becomes a lot easier to accept. The code you'll receive on your phone will change every 30 seconds, so if you have this set up nobody is getting into the backend of your store unless you want them there.
8 - Use A Completely Separate Email Address
Do you know how long it would take a dedicated hacker to find your business email address? It won't take long considering you will have it on display everywhere, and once they've hacked their way into your email address they'll get into your store.
Note: Get good email!! Crappy Hotmail or Gmail accounts aren't suitable.
An easy way to stop this from happening is to use a completely separate email address for your admin login. Don't tell anyone this password, because its sole purpose is to stop people from gaining access to your Magento store.
You'll be able to use a personal company email address without worrying about anything going wrong.
Put All Of These Into Action Straight Away
The best hackers in the world can break into any website, as the government and some big tech companies have found out, but you're lucky because they will never target you on a personal level. Put all of these Magento security tips into action straight away and you can be sure your business will always be safe.
If you suspect any vulnerabilities in your Magento software you can email us straight away and we'll sort it out for you.