(This is a guest post from our friends over at JetRails, a Magento hosting provider offering customer configurations on dedicated servers in the AWS Cloud.)
Your Magento storefront is a high-value target for hackers and requires stringent security measures to minimize its vulnerabilities. As a dedicated Magento hosting provider, JetRails is often called in as emergency responders to combat malicious attacks. We have first-hand experience with the catastrophic impact a security breach can have on your business.
Following security best practices and protocols is the best defense in safeguarding your Magento storefront. Use this checklist as a guide for safety measures from the most common threats including malicious code injection, malware, brute force attacks and the dreaded DDoS.
Magento Security Best Practices
See our checklist of Magento security best practices to ensure you’re protected against the most common online threats.
Secure Default Locations
Each Magento installation has several back-end folders used for administrative purposes. These entry points are by default located at /admin, /downloader, /var and various /rss endpoints. Since these folders are set at specific and known locations, they can be an entryway for malicious attacks on your site. Brute force attacks to your admin paths can put tremendous strain on your resources – limiting visitor capacity, impacting speed and eroding stability. This is a problem most closely associated with Magento 1.x installations versus Magento 2.x installations (which automatically require this safety protocol). Blocking access, customizing and securing admin paths makes it much more difficult for hackers to exploit this vulnerability.
Two-factor authentication also known as 2FA adds a second level of protection to authenticate login credentials for admin users and is a critical component for Magento security. With a stock Magento installation, a user is only given one method of authentication which has security limitations. Adding two-factor authentication has become an industry-wide best practice and is vital to securing your website. Magento 2FA plugins can be found on the Magento Marketplace including the Magento Two-Factor Authentication by JetRails.
Web Application Firewall
Utilizing a Web Application Firewall (WAF) such as Cloudflare’s, will allow you to deter security vulnerabilities by blocking malicious traffic before it actually reaches your server. A WAF can filter, monitor and block incoming traffic based on specific rules that you configure. For example, Geoblocking allows you to limit bot and/or human access from specific global regions. Another benefit of a Cloudflare WAF is Collective Intelligence, which allows you to block not only traffic that you have identified as malicious but any traffic deemed malicious by the entire Cloudflare community. Additionally, a WAF can offer some protection against unapplied Magento patches. However, it is very important to always have the latest Magento security patches installed vs relying exclusively on (even a very sophisticated) firewall.
Updating Magento Patches
Magento’s open source software offers ecommerce communities tremendous flexibility to customize their sites and meet their customers’ needs. However, the responsibility for following security protocols, updating security patches and deterring vulnerabilities requires action on the part of the storefront owners and development team.
When a security vulnerability is discovered, Magento developers make minor changes to a specific line of code. This tweak in the code is sent out by Magento as a security patch to be self-installed. Hackers are aware of these vulnerabilities as well, which means security patches should be installed as soon as they are released. A great resource to use is MageReport, which will check your site to determine if there are any Magento patch installations required. Patch security updates can also be found at the Magento Security Center. Your technology partners should be alerting you as patches become available.
Third-party plugins for Magento can create endless options for improving your storefront and customer experience. However, the addition of features can also cause unexpected vulnerabilities. To ensure that security is maintained after installing third-party plugins, your developer will need to manually check all of the vendors and applications for updates. Third-party plugins must be carefully monitored and patched as vulnerabilities are exposed. The Magento Marketplace has become much stricter in vetting plugins for Magento 2 but the same principle applies for both Magento 1 and Magento 2.
Just like your Magento installation, your server operating system must be kept up-to-date with the newest kernel and security patches. Failing to do so can result in major security gaps such as the Meltdown and Spectre vulnerabilities exposed in early 2018, which allowed malicious code to read kernel memory.
This is also true for PHP, which reads and executes the Magento source code. Every new iteration of PHP secures vulnerabilities that were exposed in subsequent versions. Additionally, older PHP versions will not pass PCI Compliance scans.
It is vitally important to work with a managed service provider who will be responsible for maintaining the entire software stack, including the kernel and related services.
The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. Since most Magento storefronts deal with customer accounts, it is prudent to meet PCI compliance standards. If your company intends to accept card payment and process customer cardholder data, you need to host your data securely with a PCI compliant hosting provider as well. Running a PCI scan through an approved vendor such as Trustwave can uncover security challenges that may hinder your ability to gain PCI Compliance.
Least Privilege Access
Another important design consideration in securing your Magento website from malicious behavior is the concept of Least Privilege Access. This principle requires users to be granted access only to the minimal subset of functions which are needed to perform a specific task. For instance, employees in the shipping department should only have access to shipping functionality; likewise, those in billing should only have the ability to impact billing. By using a combination of read-only permissions and separating departments, the security of your sensitive customer data will be enhanced.
Passwords should be changed regularly and should not be shared. Practicing good password protocols is essential to security. Do not send passwords in clear text emails, SMS, IM, support tickets or in any other unencrypted method. For system access, it is usually not a good idea to allow password authentication for shell or SFTP users. Whenever possible, use SSH Keys instead of passwords.
A great resource to store passwords securely is LastPass, a free management system which works on every browser and mobile device. It can also generate secure passwords and offers the strongest encryption standards currently available.
Protect Your Dev Environment
It is very important to limit all access to your development environment from anyone other than your developers. Remember, your dev environment is a mirror of your production (live) site with equally valuable information. Often, developers will reuse passwords and SSH keys in both dev and prod, so it’s crucial to maintain the same stringent security protocols in both environments.
Surround Yourself with A Great Team
Each of these steps provides a different layer of protection and can be incorporated into a security strategy to help you mitigate risks and eliminate threats to your Magento storefront. Working with a good hosting company and a solid development team is fundamental in achieving a solid security plan. At the end of the day, securing your ecommerce site is about protecting your assets, your clients and your reputation.
About the Author: Davida Wexler, Director of Marketing for JetRails
Davida Wexler is the Director of Marketing for JetRails, a Magento hosting provider offering custom configurations on dedicated servers and in the AWS Cloud. With offices in Chicago, JetRails’ focuses on security, acceleration and performance for ecommerce platforms. The company is passionate about helping their customers grow and drive Magento success. At the end of the day, they believe ecommerce is about people not servers. *Davida is not an employee of nChannel. She is a guest blogger.