How To Keep Your Magento Website Secure


Website security is a lot like flossing: we know we should do something about it, but it's hard to see the benefit until it is too late.

For many small and medium business owners, the security plan comes down to believing that they are too small or insignificant to be attacked by hackers. In reality, they are the perfect targets.

In fact, if you are not actively involved in the security of your website, it is just a matter of time before you get hacked.

E-commerce websites are especially lucrative for cyber criminals since they handle money and sensitive information.

The most popular e-commerce platform, Magento, is robust and secure, provided that you take all the necessary precautions.

Securing your Magento store requires a proactive approach. Think of it as owning a store in a good neighborhood: that still doesn't mean you should leave your doors wide open.

Thousands of Magento Stores Are at Risk of Being Exploited

Websites that run an older version of Magento can easily be hacked. Some of the biggest security threats are malware, SQL injection, XSS and brute force attacks.

Malware is a serious threat to websites. The term describes any type of malicious software, including viruses, trojans, worms and spyware.

A malware attack infects your site so that it becomes a security threat itself, infecting visitors' computers and sending out spam, all without your knowledge.

Close to 10,000 websites are blacklisted by Google EVERY DAY due to a malware infection.

Some malware can go unnoticed for a long time, and the only way to spot it is to check your code and your files regularly.

SQL injection exploits a vulnerability by injecting SQL commands that manipulate the database in order to expose or abuse sensitive information.

At the beginning of 2015, a critical vulnerability called the "Shoplift bug" came out: a flaw that allowed hackers to insert a new admin user into the database and take control of a store and its customers' personal information.

Besides installing all the latest security patches, these attacks can be mitigated by periodically checking your database for suspicious admin users.

However, this can be difficult for a user who lacks advanced technical skills.
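The periodic admin-user check described above can be scripted. The following is an added example written for this article, not code from the article or from MageFence. It assumes the rows come from Magento 1's admin_user table (for instance SELECT user_id, username, email, created, is_active FROM admin_user;) and that the store owner keeps a baseline of legitimate accounts out of band; every sample row and baseline entry below is constructed.

```python
"""Audit the Magento admin_user table against a known-good baseline.

Added example, not code from the article or from MageFence. Assumes rows
selected from Magento 1's admin_user table:
    SELECT user_id, username, email, created, is_active FROM admin_user;
All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AdminUser:
    user_id: int
    username: str
    email: str
    created: datetime
    is_active: bool


# Constructed rows standing in for a live query result
# (user_id, username, email, created, is_active).
SAMPLE_ROWS = [
    (1, "storeadmin", "owner@example-shop.test", "2014-03-02 09:15:00", 1),
    (2, "warehouse", "ops@example-shop.test", "2014-06-11 14:02:00", 1),
    (7, "ypwq", "ypwq@mailbox.test", "2015-04-21 03:47:12", 1),
]

# Baseline maintained out of band: username -> email recorded when the
# account was legitimately created. Constructed for this example.
KNOWN_ADMINS = {
    "storeadmin": "owner@example-shop.test",
    "warehouse": "ops@example-shop.test",
}


def parse_rows(rows):
    """Convert raw tuples (as returned by a DB cursor) into AdminUser objects."""
    return [
        AdminUser(int(r[0]), r[1], r[2],
                  datetime.strptime(r[3], "%Y-%m-%d %H:%M:%S"), bool(r[4]))
        for r in rows
    ]


def audit_admins(users, known, now, recent=timedelta(days=7)):
    """Return a list of (username, reason) findings.

    Flags accounts missing from the baseline, accounts whose email no longer
    matches the baseline, active accounts created recently, and baseline
    accounts that have disappeared (someone may have covered their tracks).
    """
    findings = []
    seen = set()
    for u in users:
        seen.add(u.username)
        if u.username not in known:
            findings.append((u.username, "not in baseline"))
        elif known[u.username].lower() != u.email.lower():
            findings.append((u.username, "email differs from baseline"))
        if u.is_active and now - u.created <= recent:
            findings.append((u.username, f"created within the last {recent.days} days"))
    for name in known:
        if name not in seen:
            findings.append((name, "baseline account missing"))
    return findings


def run_sample(now=datetime(2015, 4, 25, 0, 0, 0)):
    """Audit the constructed sample rows as of a fixed date."""
    return audit_admins(parse_rows(SAMPLE_ROWS), KNOWN_ADMINS, now)


if __name__ == "__main__":
    for username, reason in run_sample():
        print(f"SUSPICIOUS admin '{username}': {reason}")
```

Run it from cron with read-only database credentials and keep the baseline somewhere the web server cannot write, otherwise an attacker who has database access can simply add their account to the baseline as well.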

XSS (cross-site scripting) is the embedding of malicious code into web pages. Attackers use vulnerable websites as a vehicle to deliver a malicious script.

Discovering an XSS attack is only possible by looking through the code, and even then you have to know what you are looking for.

Brute force attacks refer to the automated process of trying different combinations of usernames and passwords, over and over again, in order to break into the Magento backend.

As protection against these attacks, it is recommended to choose a unique username and a strong password, and to change the default Admin Panel URL to a custom one.

Why you need a Security Plugin for Magento

Today most attacks aren't obvious, and detecting them requires you to hire a developer or acquire a paid scanning service. That is why it might be a good idea to get a security plugin for Magento that can do the security work for you.

One of the few security extensions currently available is MageFence, a Magento security plugin by Extensions Mall. MageFence offers a great number of features that help you protect your system and implement the best security measures.

Scanning Feature:

- Scans your Magento website for all known malware

- Scans on a regular basis (the frequency can be set) for any changes in files, so you can spot changes that are potentially the result of a security breach

- Detects unauthorized admin users injected into the database
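The file-change scan listed above, and the advice earlier in the article to check your files regularly, both come down to keeping a hash baseline of the code tree and diffing it on each run. The following is an added example written for this article, not MageFence's code or any scanner from the original page. It assumes a Magento 1 directory layout in which the var and media directories change legitimately (cache, sessions, uploads) and should be excluded; the directory tree and file contents in demo() are constructed.

```python
"""File-integrity scan for a Magento code tree.

Added example, not code from the article or from MageFence. build_baseline()
records the SHA-256 of every file under a root; diff_baseline() reports files
added, removed or modified since the previous run. The skipped top-level
directories (var, media) are the ones that change legitimately in a
Magento 1 tree. Everything in demo() is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_dirs=("var", "media")):
    """Return {relative posix path: sha256} for every file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if rel_dir.parts and rel_dir.parts[0] in skip_dirs:
            dirnames[:] = []  # do not descend into directories that churn
            continue
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Compare two baselines; any non-empty list deserves a look."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a tiny constructed tree, baseline it, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "code").mkdir(parents=True)
        (root / "var" / "cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed placeholder\n")
        (root / "app" / "code" / "Module.php").write_text("<?php // original\n")
        (root / "var" / "cache" / "a").write_text("cache entry")
        before = build_baseline(root)

        # Simulated compromise: one file altered, one unexpected file dropped in.
        (root / "app" / "code" / "Module.php").write_text("<?php // altered\n")
        (root / "app" / "injected.php").write_text("<?php // constructed unexpected file\n")
        (root / "var" / "cache" / "b").write_text("cache churn, ignored")
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline off the web host (or at least outside the web root, owned by a different user) so that whoever modifies a file cannot also rewrite the record of what it should look like, and refresh it deliberately after each legitimate deployment or patch so that expected changes do not drown out the unexpected ones.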

Protection against Brute Force Attacks:

- Changes the Admin Panel URL to a custom one, just by entering it in the appropriate field

- Changes the Magento Connect Manager URL (an often neglected entry point for brute force attacks) to a custom one while keeping its functionality

- Sets the allowed number of login failures and locks out anyone who exceeds this number

- Immediately locks out anyone who tries to log in using a wrong user name
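The two lockout rules listed above (a failure threshold, and an immediate lock on a wrong username) are a small piece of state machine. The following is an added example of that logic written for this article, not MageFence's implementation. It assumes the admin login handler calls record_attempt() with the client's IP address, the submitted username and the result of Magento's own password check; the set of valid usernames and the replayed events are constructed.

```python
"""Login throttling of the kind described in the feature list above.

Added example, not MageFence's code. Assumes the login handler supplies the
client IP, the submitted username and whether the password check (done
elsewhere, by Magento) succeeded. Valid usernames and events are constructed.
"""
import time
from collections import defaultdict


class LoginGuard:
    def __init__(self, valid_usernames, max_failures=5, lockout_seconds=900):
        self.valid = set(valid_usernames)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)  # client -> consecutive failed logins
        self.locked_until = {}            # client -> unix time the lock expires

    def is_locked(self, client, now):
        until = self.locked_until.get(client)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and the failure counter.
            del self.locked_until[client]
            self.failures[client] = 0
            return False
        return True

    def _lock(self, client, now):
        self.locked_until[client] = now + self.lockout_seconds
        return "locked"

    def record_attempt(self, client, username, password_ok, now=None):
        """Return 'locked', 'failed' or 'ok' for one login attempt."""
        now = time.time() if now is None else now
        if self.is_locked(client, now):
            return "locked"
        if username not in self.valid:
            # Second rule from the feature list: a wrong username locks the
            # client immediately instead of counting towards the threshold.
            return self._lock(client, now)
        if password_ok:
            self.failures[client] = 0
            return "ok"
        self.failures[client] += 1
        if self.failures[client] >= self.max_failures:
            return self._lock(client, now)
        return "failed"


def demo():
    """Replay a constructed sequence of attempts against a 3-failure policy."""
    guard = LoginGuard({"storeadmin"}, max_failures=3, lockout_seconds=600)
    events = [
        ("10.0.0.5", "storeadmin", False, 1000),  # failed
        ("10.0.0.5", "storeadmin", False, 1001),  # failed
        ("10.0.0.5", "storeadmin", False, 1002),  # locked (third failure)
        ("10.0.0.5", "storeadmin", True, 1003),   # locked (correct password ignored)
        ("10.0.0.5", "storeadmin", True, 1700),   # ok (lock expired at 1602)
        ("10.0.0.9", "admin", False, 1000),       # locked (unknown username)
        ("10.0.0.7", "storeadmin", True, 1000),   # ok (unrelated client)
    ]
    return [guard.record_attempt(*e) for e in events]


if __name__ == "__main__":
    print(demo())
```

Two points to keep in mind when wiring this in: the response shown to the user should be the same generic "invalid credentials" message whether the username or the password was wrong, otherwise the immediate-lock rule confirms which usernames exist; and keying on the client IP means colleagues behind one office NAT share a lock, so the threshold and lock duration need tuning for how your staff actually log in. On a multi-server deployment the counters belong in a shared store rather than process memory.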

Monitoring your Magento:

- Optionally sends you an email notification every time an admin user logs in

- An "Admin Activity Log" that lets you see all the changes made by users with admin privileges

Security Patch Check:

- Checks whether all security patches have been applied to your system and warns you about the missing ones

- MageFence scans the system from the backend, so it verifies proper installation of patches with 100% certainty.

Keep in mind that no website is 100% secure, but by implementing all the necessary security measures you can make your online store a safe place for your business and your customers.