Magento Security Best Practices
All eCommerce sites are attractive targets to hackers because of the personal and payment information that is required to complete a sale. Even if the system does not directly process credit card transactions, a compromised site might reroute customers to a false page, or alter an order before it is transmitted to the payment processor.
A compromised site can have long-term consequences for both customers and merchants. Customers might suffer financial loss and identify theft, while merchants can face damage to their reputations, loss of merchandise, higher processing fees, revoked privileges with financial institutions, and the threat of lawsuits.
This guide outlines a multifaceted approach to improve the security of your Magento installation. Although there is no single way to eliminate all security risks, there are many things that you can do to make your site a less attractive target. It is crucial for hosting providers, system integrators, and merchants to work together to establish and maintain a secure environment, implement methods for early detection, and determine a plan of action in the event of a breach. To learn more, see Best Practices in the Magento Security Center.
Work with reliable hosting providers and solution integrators. When evaluating their qualifications, ask about their approach to security. Verify that they have a secure software development life cycle in accord with industry standards such as The Open Web Application Security Project (OWASP), and that they test their code for security issues.
If you are starting a new site, consider launching the entire site over HTTPs. Taking the lead on this issue, Google now uses HTTPs as a ranking factor.
For an existing installation, plan to upgrade the entire site to run over to a securely encrypted, HTTPs channel. Although you will need to create redirects from HTTP to HTTPs, the effort will future-proof your site. We recommend that you plan to make this change sooner, rather than later.
Protecting the environment is the most critical aspect of ensuring the security of your store. Keep all software on the server up to date, and apply security patches as recommended. This applies not only to Magento, but to any other software that is installed on the server, including database software and other websites that use the same server. Any system is only as secure as the weakest link.
Make sure that the server operating system is secure. Work with your hosting provider to ensure that there is no unnecessary software running on the server.
Use only secure communications protocol (SSH/SFTP/HTTPS) to manage files, and disable FTP.
.htaccessfiles to protect system files when using the Apache web server. If you use a different web server such as Nginx, make sure that all system files and directories are protected. For an sample Nginx configuration, see: magento-nginx.conf on GitHub.
.htaccessprotection to work correctly, your web server must read
AllowOverride Alldirective in its configuration. To verify, try the following request:
If you get the contents of the
local.xmlfile, you must change the web server settings.
Use only the minimum required permissions for a given task. As an example, do not use the root or administrator account to send mail from Magento. Use only limited privileges for database account.
Use strong, long, and unique passwords, and change them periodically.
Keep the system up to date, and immediately install patches when new security issues are discovered.
Closely monitor any issues that are reported for software components used by your Magento installation, including the operating system, MySQL database, PHP, Redis (if used), Apache or Nginx, Memcached, Solr, and any other components in your specific configuration.
Limit access to
cron.phpfile to only required users. For example, restrict access by IP address. If possible, block access completely and execute the command using the system cron scheduler.
Automate the deployment process, if possible, and use private keys for data transfer.
Limit access to the Magento Admin by updating the whitelist with the IP address of each computer that is authorized to use the Admin and Magento Connect downloader. For examples of how to whitelist IP addresses, see: Secure Your Magento Admin.
Do not install extensions directly on a production server.
To disable the Magento Connect downloader on the production site, either remove or block access to the
/downloaderdirectory. You can also use the same whitelisting methods.
Use two-factor authorization for Admin logins. There are several extensions available that provide additional security by requiring an additional passcode that is generated on your phone, or a token from a special device.
Review your server for “development leftovers.” Make sure there are no accessible log files, publicly visible .git directories, tunnels to execute SQL helper scripts, database dumps, phpinfo files,or any other unprotected files that are not required, and that might be used in an attack.
Limit outgoing connections to only those that are required, such as for a payment integration.
Use a Web Application Firewall to analyze traffic and discover suspicious patterns, such as credit card information being sent to an attacker.
Make sure that all applications running on the server are secure.
Avoid running other software on the same server as Magento, especially if it is accessible from the Internet. Vulnerabilities in blog applications such as Wordpress can expose private information from Magento. Install such software on a separate server or virtual machine.
Keep all software up to date, and apply patches as recommended.
Your effort to protect your Magento installation starts with the initial setup, and continues with the security-related configuration settings, password management, and ongoing maintenance.
Your Magento Installation
Use the latest version of Magento to ensure that your installation includes the most recent security enhancements.
If for any reason you cannot upgrade to the latest version, make sure to install all security patches as recommended by Magento. Although Magento issues security patches to fix major issues, new product releases include additional improvements to help secure the site.
Use a unique, custom Admin URL instead of the default “admin” or the often-used “backend,” Although it will not directly protect your site from a determined attacker, it can reduce exposure to scripts that try to break into every Magento site. (Never leave your valuables in plain sight.)
Check with your hosting provider before implementing a custom Admin URL. Some hosting providers require a standard URL to meet firewall protection rules.
Block access to any development, staging, or testing systems. Use IP whitelisting and .htaccess password protection. When compromised, such systems can produce a data leak or be used to attack the production system.
Use the correct file permissions. Core Magento and directory files should be set to read only, including
Use a strong password for the Magento Admin. To learn more, see: Creating a strong password.
Install extensions only from trusted sources. Never use paid extensions that are published on torrent or other sites. If possible, review extensions for security issues before installing them.
Do not click suspicious links, or open suspicious email.
Do not disclose the password to your server or to the Magento Admin, unless you are required to do so.
Develop a disaster recovery/business continuity plan. Even a basic plan will help you get back on track in the event of a problem.
Ensure that your server and database are automatically backed up to external location. A typical setup requires daily incremental backups, with a full backup on a weekly basis. Make sure to test the backup regularly to verify that it can be restored.
For a large site, simple text file dumps of the database take an unacceptable amount of time to restore. Work with your hosting provider to deploy a professional database backup solution.
If your system is not immediately patched after a major security breach, there is a high probability that your site is already compromised. Complete a security review periodically to check for signs of attack, and also when contacted by customers with security-related concerns.
Check periodically for unauthorized Admin users.
(Magento Enterprise only) Check the Admin Actions Log for suspicious activity.
Use automated log review tools such as Apache Scalp.
Work with your hosting provider to review server logs for suspicious activity, and to implement an Intrusion Detection System (IDS) on your network.
Use a file and data integrity checking tool such as TripWire to receive notification of any potential malware installation.
Monitor all system logins (FTP, SSH) for unexpected activity, uploads, or commands.
In the event of a compromise, work with your internal IT security team if available, or hosting provider, and system integrator to determine the scope of the attack. Taking into consideration the type of compromise and the size of the store. Then, adjust the following recommendations to your business needs.
|1.||Block access to the site, so the attacker cannot remove evidence or steal more information.|
|2.||Backup the current site, which will include evidence of the installed malware or compromised files.|
|3.||Try to determine the scope of the attack. Was credit card information accessed? What information was stolen? How much time has elapsed since the compromise? Was the information encrypted? Typically you can expect the following types of attack:|
Defacing of Site
Site access is compromised, but often the payments information is not. User accounts might be compromised.
Your site becomes part of a botnet that sends spam email. Although data is probably not compromised, your server is blacklisted by spam filters which prevents email that you send to customers from being delivered.
Direct Attack on Server
Data is compromised, backdoors and malware are installed, and the site no longer works. Payment information—provided that it is not stored on the server— is probably safe.
Silent Card Capture
In this most disastrous attack, intruders install hidden malware or card capture software, or possibly modify the checkout process to collect and send out credit card data. Such attacks can go unnoticed for extended periods of time, and result in major compromise of customer accounts and financial information.
|4.||Try to find the attack vector to determine how the site was compromised, and when. Review server log files and file changes. Note that sometimes there are multiple different attacks on the same system.|
|5.||If possible, wipe and reinstall everything. In case of virtual hosting, create a new instance. Malware might be hidden in an unsuspected location, just waiting to restore itself. Remove all unnecessary files. Then, reinstall all required files from a known, clean source such as files from your own version control system, or the original distribution files from magento.com.|
|6.||Apply all the latest security patches necessary.|
|7.||Reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin login.|
|8.||If payment information was compromised, it might be necessary to inform your payment processor.|
|9.||Inform your customers about the attack and the type of information affected. If payment information was compromised, they should look for unauthorized transactions. If personal information, including email addresses was compromised, they might be targeted with phishing attacks or spam.|
Parts of this article were inspired by real-world solutions that were shared by community members. The resulting article incorporates content from the community, with input from our team. We’d like to thank the following people for contributing to this article:
- Bryan (BJ) Hoffpauir for sharing his insight on the Magento forum, and for contributing recommendations in the Attack Response Plan section of this article. See the original post by beejhuff for more information.
- Anna Völkl (@rescueann), Magento developer at LimeSoda.
- Robert Mangiafico (@robfico) CTO at LexiConn.
- @dracony_gimp for his security presentation, Being Hacked is Not Fun.
- Willem de Groot for providing a sample Nginx configuration.