Magento Security Tips: How to Keep your Store Safe from Hackers

Even as one of the most robust eCommerce platforms worldwide, Magento is still vulnerable to being compromised. Web scan results conducted by cybersecurity company Foregenix show that 28% of Magento 2 websites are significantly vulnerable to cybercriminals.

As a business owner, you are responsible for the security of your customer’s information. Relying on Magento’s out-of-the-box security alone isn’t enough. Here are some simple measures every Magento store owner can take to keep their store’s safe from hackers.

Magento security tips

1. Update Magento version

Updating to the latest version of Magento might seem obvious to some, but many store owners find it hard to follow. As a matter of fact, over 99% of stores running versions Magento 1.x are vulnerable to hacks. Magento developers not only find and fix known security issues with each update but also introduce new security features to make the platform more robust.

Updating your store to the latest version of Magento severely diminishes the odds of your store being compromised. Since Magento version 2.3.3, Adobe has started releasing security-only patches for all Magento releases. These security-only patches allow store owners to receive timely security fixes without having to completely upgrade their store until they’re ready.

2. Secure your server

When building a server, it is strongly recommended to choose the latest stable operating system to maximize security and the duration of support. Keeping the operating system up to date will help ensure any security-related patches are applied as soon as vulnerabilities are discovered.

Using strong and unique passwords for users and all software components like MySQL, Redis, PHP, and Apache or Nginx is essential. A mix of upper and lower-case alphabets, numbers, and special characters further increases the difficulty of guessing a password.

3. Use secure file permissions

File system security is a complicated topic, but it’s crucial to restricting access from unauthorized users. Using loose file system permissions is the equivalent of handing over your house keys to a thief while you’re on vacation. For example, setting 777 permissions to all files and folders gives everyone complete access to read, write, and execute files and folders on a server.

Magento DevDocs provide clear instructions and commands that every store owner can copy and paste to set the appropriate file system permissions for their Magento installation based on their configuration.

4. Take regular backups

Taking Magento backups from within the admin panel is disabled by default for security reasons. Adobe has deprecated the in-built backup functionality as of Magento version 2.3.0 and they recommend using other technologies and binary tools like Percona XtraBackup.

Alternatively, you can configure cron jobs on your server to back up the database or file system at specific times and even upload them to remote servers as an additional security measure. Remote backups are a great way to ensure you always have a working version of the website to fall back on if things go wrong.

5. Use HTTPS/SSL

Encrypting your data using SSL and transferring it over HTTPS helps protect sensitive information transmitted to and from a server. You can download a free SSL certificate from Let’s Encrypt or buy one from an SSL provider like Comodo.

Once you’ve installed the certificate on your server, you can set your Magento store to use HTTPS from the admin panel by going to Stores > Configuration > General > Web and updating the entry for Base URLs (secure) to ‘https://’. After this, set ‘Use Secure URLs in Storefront’ and ‘Use Secure URLs on Admin’ to Yes and save the configuration.

6. Use a web application firewall

Using a web application firewall or a WAF adds an additional layer of security to a website. It analyzes web traffic for suspicious patterns and blocks malicious traffic before it reaches your server. WAFs can also be updated in real-time to block any newly discovered threats, and they’re able to work with iptables to fortify a website’s defenses.

Adding a WAF to your website can protect it from a сross-site scripting attack and even more complex SQL injection attacks. Some WAFs can monitor outgoing data to identify suspicious patterns, making it easier for you to identify if and when your website security is compromised.

7. Use Magento’s security scan

Every Magento store owner should take advantage of Magento’s free security scan tool. You can access it by logging in to your Magento account and configuring it to run a scan on a daily, weekly, or manual schedule. All you need to do is set up a confirmation code on your website to verify ownership, and the scan will run based on your settings and email you the scan results after every successful run.

Magento’s security scan provides insight into your store’s security status by running over 17,000 security tests. It gives suggestions that are based on best practices to help you resolve any issues detected.

8. Change the store encryption key regularly

Magento uses industry-standard AES-256 algorithms to encrypt sensitive data like passwords and payment information. During Magento installation, you will be prompted to either enter a key manually or let Magento automatically generate one for you. Regularly updating this encryption key will mitigate the risk of it being decrypted or stolen by a hacker.

To change the encryption key, you need to ensure your app/etc/env.php file is writable. After that, inside the Magento admin panel, go to System > Other Settings > Manage Encryption Key and either set ‘Auto-generate a Key’ to ‘Yes’ or paste your key into the ‘New Key’ field and click ‘Change Encryption Key’.

9. Use two-factor authentication

If a hacker gains access to your store admin panel, it can give them complete access to your store data. Even if you are using a secure password, if your device is compromised by a keylogger, a hacker can gain access to your store without your knowledge.

Using two-factor authentication will add a layer of security to the admin login process. Even if your password is compromised, a hacker would require access to your authentication device to access your Magento admin. Magento versions 2.4.x come with two-factor authentication enabled by default. If you’re using versions 2.3.x, you can enable it from Stores > Settings > Configuration > Security > 2FA in the admin panel.

10. Set user roles and permissions

Employees need access to the admin panel to manage and process orders. But with every employee that has access to the Magento admin panel, there’s potentially one more way from which a hacker can gain unauthorized access to your website. Fortunately, you can get around this by setting up user roles and permissions to restrict which parts an employee can access.

You should customize access to parts of the admin panel based on each employee or department’s scope of duties. So, suppose Warren from the warehouse needs access to the admin panel. In that case, you can provide limited access for order management and restrict access to other parts like the catalog, content, sales, marketing, and system settings.

11. Use trusted extensions

Let’s first find out what a Magento extension is. An extension is a package of code responsible for achieving a specific functionality in your store. You should only install extensions and themes from trusted sources or those recommended by a reliable Magento agency. More importantly, never download paid extensions from torrent sites or other websites offering them for free, as they’re likely to be full of malware and viruses.

When you need an extension, the official Magento Marketplace is a great place to start. Magento developers manually review every extension on their marketplace before listing. They also check all extension updates rolled out by plugin developers to ensure the code is free of bugs, malware, and up to their standards.

12. Get a security audit

Maintaining a website isn’t a one-off task. It requires regular work and periodic auditing to ensure any existing or potential issues are identified and fixed before they become a liability. Finding a loophole or backdoor before a hacker does can save business hundreds of thousands of dollars in the long run.

It may not always be feasible for a business owner to perform frequent pen-testing or in-depth security audits. A better option would be to outsource those tasks to an agency offering Magento maintenance and support services to ensure your business operations can run unimpeded. An experienced agency will also be well-versed with the latest information surrounding Magento security and vulnerabilities.

Magento security requires a multifaceted approach

Securing your Magento store requires a multifaceted approach. There is no one-size-fits-all solution that can protect your website from hackers. While Magento developers continue to increase its security, as a store owner, it is your responsibility to ensure that you take the steps necessary to secure your website.

Online threats and vulnerabilities are constantly evolving, and securing your store from hackers is a continuous effort. Following the best practices enlisted in this article will help you secure your website from common attack vectors. However, in the event your store is compromised, you must also have a contingency plan in place to tackle the situation and protect the interests of your customers and your business.

Subscribe to weekly updates

You’ll also receive some of our best posts today