Running an eCommerce website is challenging, and you should do everything it takes to secure it against cyber attacks.

The latest forecasts say that global e-commerce will keep growing at double-digit rates through 2020.

Electronic commerce is growing dramatically, thousands of individual servers work day and night, and private information (including, of course, financial data) is a significant temptation for hackers.

E-commerce sites are very attractive targets to malefactors because of the personal and payment data that is needed to make a sale.

Magento has more than 7% market share among e-commerce platforms, and the latest finding by Astra reveals that 62% of stores have at least one vulnerability.

In this article, I will go through the most important and timely security advice for Magento.

Ordinarily, attackers crack e-commerce websites:

  • to use them for sending spam;
  • to use them for phishing (attempts to obtain sensitive information such as passwords or credit card details);
  • to deface or damage your website;
  • to steal information that they can use to their advantage.

First of all, you have to defend your Magento shop because you must protect your clients' information.

It goes without saying that hackers may want to obtain your own information for some reason (for instance, as part of industrial espionage), but the first priority is that you must not let them get your customers' private information, including credit card details.

If this data is stolen as a consequence of an attack, it can severely damage your reputation as well as harm your clients.

Feel free to apply these Magento security rules to your shop.

Two-Factor Authentication

Even the most secure password is worthless if it can be stolen. To raise the level of security for your store, it is highly recommended to use a second authentication factor, such as allowing backend access only from a particular IP address or implementing two-factor authentication.

To limit backend access, add these lines to the VirtualHost section of the Apache web server configuration (please be careful: if you add the following lines to the .htaccess file, it will cause an error):

<Location "/admin">
    Order Deny,Allow
    Deny from All
    # Don't forget to update this with your IP (and the path above, if you changed the backend frontName)
    Allow from 192.168.100.182
</Location>

Feel free to check the Amasty extension, if you’re looking for a Magento two-factor authentication solution.

Update Software in Time

Software updates give you not only new features but also bug fixes and patches for vulnerabilities. That's why it is exceptionally important to use the latest software versions available.

To upgrade your system, run the following short commands:

RHEL / CentOS

yum update

Debian / Ubuntu

apt-get update && apt-get upgrade

Backup Regularly

No one is fully protected against attacks, but there is a way to feel safer: regular backups can save you from many problems that could become critical for your business.

You should make backup copies regularly, keep them off the original website's server, and from time to time restore a backup on a sandbox to check that it works correctly.

Keeping your backup on the same server as your website is dangerous not only because the copy should survive a server failure, but also because an attacker who gets into your server will also get access to the backup copies, which is, of course, highly undesirable.
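As an added example (not part of the original article), here is a minimal backup routine that follows these three rules: dump the database and files with timestamps, rotate old copies, and push them to another host. It assumes the Magento 1 app/etc/local.xml layout for database credentials; the directories and the host backup@backup.example are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): nightly backup routine for a
# Magento 1 store. Assumes the standard app/etc/local.xml layout for database
# credentials; the paths and the off-site host (backup@backup.example) are
# constructed placeholders.

# Pull a CDATA value such as <username><![CDATA[...]]></username> out of local.xml.
xml_value() {
    sed -n "s:.*<$2><!\[CDATA\[\([^]]*\)]]></$2>.*:\1:p" "$1" | head -n 1
}

# make_backup <magento-dir> <dest-dir>: gzipped SQL dump plus a tarball of the
# code, media and var directories, both stamped so names sort chronologically.
make_backup() {
    cfg="$1/app/etc/local.xml"
    stamp="$(date +%Y%m%d-%H%M%S)"
    # The password goes through the environment, not the command line,
    # so it does not show up in the process list.
    MYSQL_PWD="$(xml_value "$cfg" password)" mysqldump --single-transaction \
        -h "$(xml_value "$cfg" host)" -u "$(xml_value "$cfg" username)" \
        "$(xml_value "$cfg" dbname)" | gzip > "$2/db-$stamp.sql.gz"
    tar -czf "$2/files-$stamp.tar.gz" -C "$1" .
}

# prune_backups <dest-dir> <keep>: keep only the newest <keep> dumps and tarballs.
prune_backups() {
    for prefix in db- files-; do
        ls -1 "$1" | grep "^$prefix" | sort -r | awk -v k="$2" 'NR > k' |
            while read -r old; do rm -f "$1/$old"; done
    done
}

# Copy to another machine: a backup that lives only on the web server is lost
# with the server, and readable by anyone who breaks into it.
push_offsite() {
    rsync -a --delete "$1/" "$2"
}

# Run from cron with --run; without it the script only defines the functions.
if [ "${1:-}" = "--run" ]; then
    make_backup /path/to/your/magento /var/backups/magento
    prune_backups /var/backups/magento 14
    push_offsite /var/backups/magento backup@backup.example:magento/
fi
```

Restoring one of the rotated copies on a sandbox (mysql < dump, untar into a fresh document root) is the check the article asks for and is deliberately left as a manual step.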

Use a Complex Password

According to SplashData, 123456 was one of the most common passwords in 2013 (and, of course, one of the most insecure).

The admin password is the keystone of your Magento shop's security, and it should be strong enough! Simple passwords are easily cracked, so use more than ten characters, with lower- and upper-case letters and special characters like ^$#%*; this way your password won't be brute-forced, since even with the newest tools it would take years to crack.

You can use the LastPass password generator.

Use a Firewall

There are two types of firewall you can use to protect your Magento store.

WAF (Web Application Firewall): protects your online store from web attacks such as SQLi, XSS, brute force, bots, spam, malware, DDoS, etc.

You can consider using a cloud-based WAF for layer 7 protection.

System/Network Firewall: blocks public access to everything except your web server ports. If you don't have a permanent IP address to whitelist through the firewall, use a VPN or port knocking.

In RHEL/CentOS you can find the firewall settings in /etc/sysconfig/iptables; when it comes to Debian/Ubuntu, apply iptables-persistent (/etc/iptables-persistent/rules.v4).
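As an added example (not from the original article), the following script generates such a ruleset in iptables-restore format, which you can redirect into the rules file your distribution uses. The admin address 203.0.113.10 and the SSH port are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): build an iptables ruleset for
# a host that should expose nothing but its web server. Output is in
# iptables-restore format, ready for the rules file your distribution uses.
# The admin address 203.0.113.10 and the SSH port are constructed placeholders.

# gen_rules <admin-ip> [ssh-port]: print the ruleset to stdout.
gen_rules() {
    [ -n "$1" ] || { echo "usage: gen_rules <admin-ip> [ssh-port]" >&2; return 1; }
    admin_ip="$1"
    ssh_port="${2:-22}"
    cat <<EOF
*filter
# Drop anything not explicitly allowed; outbound traffic stays open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only publicly reachable services: HTTP and HTTPS.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH/SFTP administration only from the fixed admin address.
-A INPUT -p tcp -s ${admin_ip} --dport ${ssh_port} -j ACCEPT
# Rate-limited ping keeps monitoring working without inviting floods.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log a sample of everything else before the DROP policy discards it.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# How many TCP ports the ruleset opens to the whole Internet (rules without -s).
count_public_ports() {
    gen_rules "$@" | grep -c -- '^-A INPUT -p tcp --dport [0-9]* -j ACCEPT$'
}

# Apply only on explicit request and as root; otherwise the script just defines
# the functions, so you can review the output of gen_rules first.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    gen_rules "$2" "${3:-}" | iptables-restore
fi
```

Test the ruleset from a second session before saving it, so a mistake in the admin address cannot lock you out of SSH.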

You may also consider using SUCURI for continuous security monitoring & protection to your Magento online store.

Don't Re-use Passwords on Other Sites

This Magento security tip applies to all password-protected accounts you own. As reported by passwordresearch.com, more than 15% of users use the same password for many services.

Not many people realize that using identical passwords for several logins carries the risk of losing all of your accounts at once.

Once more: all passwords must be unique, no exceptions. Set this article aside for a while and change them if they aren't. Otherwise you risk getting hurt by your own carelessness.

Change Passwords Periodically

Your passwords shouldn't stay the same forever. We highly recommend changing passwords at least every six months.

Even if a password has been stolen (and even if the attacker hasn't used it yet), regular changes make the earlier leaked information worthless. Also make sure passwords are changed for all the clients that use the website.

Don't Store Passwords On Your PC

A large share of Trojan malware steals your saved passwords. You should be especially cautious with browsers and FTP clients, since passwords are most often stolen through these applications.

You should never save passwords in such software without a master password (a password that encrypts the rest of the stored passwords). Neglecting this advice can easily lead to data leaks.

You may try a password manager as listed here.

Pay Attention to Errors or Suspicious Activity

Do a security review regularly to check for signs of attack, and also whenever clients contact you with security concerns. You may want to use the Admin Actions Log Magento extension for this purpose; it has been updated with the following features critical for web security:

  • You can set up an alert for a successful login attempt from a country different from previous logins.
  • You can set up an alert for many unsuccessful login attempts over the past hour, which can indicate a break-in attempt.
  • A "403 Forbidden" status is returned by the failed login page in the backend, which facilitates integration with server security tools.

Moreover, you can use a web security scanner to analyze your eCommerce website for vulnerabilities automatically and periodically.
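The failed-login alert described above can also be reproduced from the web server's own access log, because failed backend logins now return 403. This added example (not from the article or the extension) counts 403 responses on the backend path per client IP and hour; the log lines are constructed, and the backend path your-secure-location is a placeholder for your own frontName.

```shell
#!/bin/sh
# Added example (not from the original article or the extension): flag client
# IPs with many failed backend logins in one hour, using the "403 Forbidden"
# status that failed backend logins return. Hour buckets (dd/Mon/yyyy:HH)
# stand in for the "past hour" window.

# Constructed Apache combined-format log lines: 198.51.100.7 fails six times,
# 203.0.113.10 fails once and then logs in, and the 403 on local.xml is a
# probe outside the backend path that must not be counted.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Oct/2019:13:55:36 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:55:41 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:55:47 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:02 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:09 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:15 +0000] "GET /app/etc/local.xml HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:57:20 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2019:14:01:03 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2019:14:01:30 +0000] "POST /your-secure-location/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# flag_failed_logins <threshold> <backend-frontName> < access.log
# Prints "ip dd/Mon/yyyy:HH count" for every client that reached the threshold.
flag_failed_logins() {
    awk -v thr="$1" -v path="/$2/" '
        # $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $7 request path, $9 status
        $9 == 403 && index($7, path) == 1 {
            hour = substr($4, 2, 14)
            fails[$1 " " hour]++
        }
        END { for (k in fails) if (fails[k] >= thr) print k, fails[k] }'
}

# Typical use: sample_log | flag_failed_logins 5 your-secure-location
# With the sample above this reports only "198.51.100.7 10/Oct/2019:13 6".
```

In production, feed the real access log instead of sample_log and pipe the output to your alerting tool; the probe for app/etc/local.xml is not counted here, but is worth its own review.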

Change the Backend URL

This approach is more about security by obscurity, but it can be useful as an additional method of fighting bots and brute force attacks. To change the backend URL, edit app/etc/local.xml (the admin / routers / adminhtml section).

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[your-secure-location]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

We don't advise changing the default admin URL through the native interface of the Magento admin panel. You have to make sure that the new URL is hard enough to guess. Moreover, you should clear the cache afterwards.

Then check your new URL and make sure the old URL returns a 404 error page.

Use HTTPS/SSL

If you use a public hotspot (for example, in a mall) to access the backend, you risk falling victim to a MitM attack. Making your online store accessible over HTTPS protects the shopper, as all transaction data is encrypted between the user and your server by the SSL/TLS protocol.

You can either use a free SSL certificate or buy one.

Forget FTP

The FTP protocol was introduced when the Internet was in its infancy and security wasn't a concern at the time. Nowadays using FTP is highly undesirable, since authentication is performed in plain text and can be intercepted without difficulty.

Use SFTP instead, which also spares you the problems of working behind NAT, since not everyone has a public IP address. Follow this guide to configure SFTP for Magento.

Set Minimum Access Permissions

You should always limit the permissions of the web server process. Magento needs write access only to app/etc, media and var, plus includes/ if you use compilation. Extended rights may be required only while using Magento Connect.

The best combination for security is as follows: the website source code is owned by one user (for example, admin), and the web server runs the code as a second user (for example, apache). Let's see an example of access settings for this combination:

chown -R admin:apache /path/to/your/magento
find /path/to/your/magento -type f -print0 | xargs -r0 chmod 640
find /path/to/your/magento -type d -print0 | xargs -r0 chmod 750
chmod -R g+w /path/to/your/magento/{app/etc,media,var}

# Only if compilation is used
chmod -R g+w /path/to/your/magento/includes

Block All Unwanted Countries

If you don’t ship worldwide, block other countries.

There's a great tool called GeoIP Legacy Apache Module which helps you allow, redirect or block users according to their country.

For example, if you ship your goods to the USA only, you can protect yourself from a large share of attacks this way: a great deal of malicious traffic is known to come from China, and by blocking it you avoid any break-in attempts from that country.

We’re sure that our Magento security advice will help you to keep your information safe and sound. Do you have any questions or want to share your experience of Magento shop protection? Moreover, for more complicated Magento security issues, check the Magento Security Suite from Amasty.

Article by Sergei Prakapovich