Magento security recommendations
Nowadays, as more and more sales are made online and an online store becomes a mandatory element of a business, e-shops are increasingly becoming targets for attackers. Usually attackers seek to capture credit card data, private customer information, or the shop's sales database, for which a ransom is later demanded.
Who is taking care of security?
First and foremost, the security of the system has to be taken care of by the programmers, because how secure the system is depends on the quality of the code they write. This is not only the opinion of the company's director or project manager but also of the programmers themselves. This state of affairs is clearly reflected in The State of PHP in 2017 survey data, where as many as 48% of the interviewed programmers said that security should be their own responsibility first and foremost.
On the other hand, the larger and more complex the system, the more likely it is to contain bugs and security vulnerabilities. What's more, programmers are also people, and only those who do nothing make no mistakes. In order to reduce the number of errors and security gaps, it is recommended to always use only the latest versions of the systems and their modules. Each update adds new features, fixes known bugs, improves performance, and eliminates known security vulnerabilities. Magento is no exception. Magento is one of the most functional and flexible free e-commerce platforms. Its modular architecture enables it to be adapted to a wide range of customer needs. However, that flexibility increases its complexity and, with it, the number of potential security vulnerabilities. For this reason, it is recommended that you install updates as soon as possible after they are released.
Are updates resolving all issues?
Moreover, a system can be compromised not only by exploiting security vulnerabilities in your system, in other programs, or in the server's operating system, but also through virus-infected computers or even social engineering.
What then, if nobody is 100% safe? Well, there must be a plan B: be ready to restore the system as soon as possible and with minimal data loss. A full backup of the system is a great help here. Ideally, multiple backups covering different periods are kept permanently (e.g. 4 hours, 24 hours, 7 days, 14 days, 30 days).
It should also be noted that attackers do not always seek to disrupt the system as soon as possible after breaking in. On the contrary, they usually try to remain unnoticed and use your system for as long as possible. So I would recommend some useful Magento modules that can help you protect yourself from attackers or minimize the damage.
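The tiered retention scheme above (4 hours, 24 hours, 7 days, 14 days, 30 days) is easy to get wrong when backups are pruned by hand, so here is an added example, not from the original article, that decides which full backups to keep: the newest one always, plus for each tier the newest backup that is at least that old. The backup timestamps and the fixed "now" in `demo()` are constructed sample data.

```python
from datetime import datetime, timedelta

# Retention tiers from the article: keep one backup at least this old per tier.
TIERS = [timedelta(hours=4), timedelta(hours=24), timedelta(days=7),
         timedelta(days=14), timedelta(days=30)]


def select_backups(backups, now, tiers=TIERS):
    """Return the sorted subset of backup timestamps to keep.

    The newest backup is always kept. For each tier, the newest backup that is
    at least `tier` old is kept, so every window always has a restore point
    even if the most recent backups turn out to be already compromised.
    """
    ordered = sorted(set(backups), reverse=True)  # newest first
    if not ordered:
        return []
    keep = {ordered[0]}
    for age in tiers:
        cutoff = now - age
        candidate = next((b for b in ordered if b <= cutoff), None)
        if candidate is not None:
            keep.add(candidate)
    return sorted(keep)


def to_delete(backups, now, tiers=TIERS):
    """Backups not claimed by any tier; these are safe to prune."""
    keep = set(select_backups(backups, now, tiers))
    return sorted(b for b in set(backups) if b not in keep)


def demo():
    """Constructed sample: backup ages in hours relative to a fixed 'now'.

    Returns (kept_ages, deleted_ages) in hours so the result is easy to read.
    """
    now = datetime(2017, 11, 20, 12, 0)
    ages_h = [0, 2, 4, 5, 23, 26, 6 * 24, 8 * 24, 13 * 24,
              15 * 24, 29 * 24, 31 * 24, 45 * 24]
    backups = [now - timedelta(hours=h) for h in ages_h]
    hours = lambda ts: sorted(int((now - b).total_seconds() // 3600) for b in ts)
    return hours(select_backups(backups, now)), hours(to_delete(backups, now))
```

Running `demo()` keeps the backups aged 0 h, 4 h, 26 h, 8 d, 15 d and 31 d and marks the rest for deletion; a 2 h backup is dropped because the 4 h tier already has an older restore point.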
Magento 1 Platform Modules
- EW_NativePasswords – provides the ability to change the password hashing algorithm, so that passwords cannot be recovered in case of database theft.
- MageHackDay_TwoFactorAuth – adds two-factor authentication using the Google Authenticator mobile app.
- BranchLabs_AdminPasswordStrength – allows you to set a minimum length for administrator passwords. This at least partially protects you from short passwords (the shorter the password, the easier it is to guess).
- Shoplie_PasswordStrength – similar to the BranchLabs_AdminPasswordStrength module (allows you to set a minimum length for administrator passwords), and additionally lets you require the password to contain uppercase and lowercase letters and special characters.
- Ikonoshirt_Pbkdf2 – provides the ability to change the password hashing algorithm.
- Ikonoshirt_StrictTransportSecurity – makes Magento respond only to secure requests made over HTTPS (HTTP Strict Transport Security).
- ET_IpSecurity – provides the ability to limit access to Magento to listed IP addresses, or to make the system unavailable while upgrade work is performed.
- FireGento_AdminMonitoring – provides the ability to record administrator actions (e.g. who edited or removed products).
- Nexcessnet_Alarmbell – a module that detects and notifies you by email when an administrator account is created or deleted, or a password is changed.
- Mhauri_Slack/Moogento_SlackCommerce – gives the Magento platform the ability to send daily and weekly sales and security reports directly to Slack channels.
Magento 2 Platform Modules
- Cream_SecurePasswords – provides the ability to change the password hashing algorithm.
- Git Status Security Report – this module notifies you by email if it detects modified files. It relies on the Git version control system: any file that has been changed but not committed to Git is reported.
- MSP Security Suite – a complete package of various security tools, such as: Anti Virus, Malicious Users Detector, Intrusion Detection Prevention, Admin Two Factor Authentication, reCAPTCHA, Admin IP restriction.
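The Git-based check above works by comparing the deployed tree with what is committed. As an added example (not the module's own code), the following parses the `git status --porcelain` format into a list of deviations and builds the notification body; `check_tree()` runs git against a real checkout, while `SAMPLE` is constructed output with Magento 2 paths so the parser can be exercised offline.

```python
import subprocess

# `git status --porcelain` (v1): column 1 = index state, column 2 = working
# tree state, then a space and the path. "??" marks an untracked file.
STATUS_NAMES = {"M": "modified", "A": "added", "D": "deleted", "R": "renamed",
                "C": "copied", "U": "unmerged"}


def parse_porcelain(output):
    """Return (state, path) for every line of porcelain output that is not clean."""
    findings = []
    for line in output.splitlines():
        if len(line) < 4:
            continue  # malformed or empty line
        index_state, tree_state, path = line[0], line[1], line[3:]
        if index_state == "?" and tree_state == "?":
            state = "untracked"  # a file Git has never seen: deploy or intrusion?
        else:
            # Prefer the working-tree column; fall back to the staged column.
            code = tree_state if tree_state != " " else index_state
            state = STATUS_NAMES.get(code, "changed")
        findings.append((state, path))
    return findings


def build_report(findings):
    """Body of the notification e-mail; None when the tree matches Git."""
    if not findings:
        return None
    lines = ["Files differ from the committed Git state:"]
    lines += [f"  {state:<9} {path}" for state, path in findings]
    return "\n".join(lines)


def check_tree(repo_dir):
    """Run git on a real checkout (hypothetical helper, not used by the sample)."""
    out = subprocess.run(["git", "status", "--porcelain"], cwd=repo_dir,
                         capture_output=True, text=True, check=True).stdout
    return build_report(parse_porcelain(out))


# Constructed sample output: one edited core file, one unexpected file in the
# web-served media directory, and one deleted access-control file.
SAMPLE = (" M vendor/magento/framework/App/Http.php\n"
          "?? pub/media/unknown.php\n"
          " D pub/.htaccess\n")
```

An untracked PHP file under `pub/media` or a deleted `.htaccess` is exactly the kind of finding that should page someone rather than wait for the daily report.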
The article is based on the information received at the Meet Magento PL 2017 conference. Read about the impressions of this conference here.