Magento Commerce, 1.14.x

Security Best Practices

All eCommerce sites are attractive targets to hackers because of the personal and payment information that is required to complete a sale. Even if the system does not directly process credit card transactions, a compromised site might reroute customers to a false page, or alter an order before it is transmitted to the payment processor.

A compromised site can have long-term consequences for both customers and merchants. Customers might suffer financial loss and identity theft, while merchants can face damage to their reputations, loss of merchandise, higher processing fees, revoked privileges with financial institutions, and the threat of lawsuits.

This guide outlines a multifaceted approach to improve the security of your Magento installation. Although there is no single way to eliminate all security risks, there are many things that you can do to make your site a less attractive target. It is crucial for hosting providers, system integrators, and merchants to work together to establish and maintain a secure environment, implement methods for early detection, and determine a plan of action in the event of a breach.

Acknowledgments

Parts of this article were inspired by real-world solutions that were shared by community members. The resulting article incorporates content from the community, with input from our team.

  • Bryan (BJ) Hoffpauir for sharing his insight on the Magento forum, and for contributing recommendations in the Attack Response Plan section of this article. See the original post by beejhuff for more information.
  • Anna Völkl (@rescueann), Magento developer at LimeSoda.
  • Robert Mangiafico (@robfico), CTO at LexiConn.
  • @dracony_gimp for his security presentation, Being Hacked is Not Fun.
  • Willem de Groot for providing a sample Nginx configuration.