A Definitive Guide to Magento Security

In line with this week’s theme, we take a solid look at Magento Security. This guide was originally published by M.Anwaar Haq through Tut’s Plus in March 2015. Image courtesy David Goehring, via flickr.

Although the security of all websites is important, M Although Magento is considered the safest and most secure eCommerce CMS, there are still some additional security steps advised to make its security foolproof. In this article I’ve explored some easy to implement steps to make your Magento store even more secure and robust.

1. Making the Admin Name & Password Secure

One of the first steps towards securing your Magento site is using a secure username and password. The rule of thumb for creating a secure password is to always use a password which is not easily guessable, for instance strings like ‘123’ or ‘abc’, or your phone number, date of birth, etc. It is always a best practice to keep a password longer than eight characters, and that should be a combination of letters (a, b, c, etc.), numbers (1, 2, 3, etc.) and special characters (@, &, #, etc.).

Besides having a secure password, it is also very important to create a username which is not easily predictable. Most hacking attempts succeed because hackers only have to guess the password, as usernames are mostly set to easy-to-guess names like ‘admin’, ‘administrator’, etc.

Therefore I strongly advise you to create non-generic usernames like your nickname, last name, company name, etc. There is an option to create a username at the time of installing Magento, but even after installation, you can change your Magento username and password by going to System > My Account.

2. Creating a Custom Path for the Admin Panel

By default the admin panel path for Magento looks like this:http://myexamplestore.com/admin. As it is a fairly well-known path for everyone, it is prone to many security risks. If we change the admin path to a unique and unpredictable path like http://myexamplestore.com/secureadmin, we can nip most hacking attempts in the bud. This small step can heavily contribute to making your Magento installation much more secure, and can be the best defense against Broken Authentication and Session Management Attacks.

To improve magento security, change the admin path in Magento, go to the app/etc/local.xml file, find the line with this code: <![CDATA[admin]]>, and change the string admin to the required admin string. For instance, if you want to change the admin panel URL to http://myexamplestore.com/securedadmin, change the CDATA code to <![CDATA[securedadmin]]>

3. Adding Two-Factor Authentication for Admin

A common technique for increasing any system’s security is to add another security layer to it using two-factor authentication, where the system demands two separate authentications to give access.

A simple example of this is ATM card authentication. You not only have to enter your card, as one factor of the authentication, but also your PIN code, which is another factor of authentication, hence two-factor authentication.

There are some excellent extensions available which enable two-factor authentication in Magento, and make it much more secure.

One such Magento extension is Rubon. It allows you to add trusted smartphone devices, through which you can access the Magento admin panel. Another isExtendware, which adds two-factor authentication to your system through Google Authenticator. Both of them are very good extensions, and worth a try.

4. Using an Encrypted (SSL/HTTPS) Connection

Another quite easy-to-implement Magento security step is to enable HTTPS/SSL secure URLs.

Whenever data is communicated between you and your server, there is a risk of that data being intercepted by third parties. As that data can contain vital information like login details, database information, etc., that data falling into the wrong hands can cause significant trouble.

It is therefore always a good idea to use secure encrypted connection for transmission of data. Making your site HTTPS/SSL encrypted will also make it PCI-compliant, and more trustworthy in the eyes of your customers.

You can do that in Magento by simply going to System > Configuration > General > Web. In Base URL, change ‘http’ to ‘https’, and enable Use secure URLs in Frontend and Use secure URLs in Admin.

5. Using Secure FTP for File Upload

While it is important to encrypt and secure the data transfer between your browser and your server, it is also pertinent to secure the data communication to your server via FTP. One of the common ways of hacking internet sites is through FTP password interceptions. This security problem can be effectively checked by using SFTP (SSH File Protocols). This protocol provides additional encryption of user credentials by using a private key file for authentication. You should also ensure that your file permissions are not set to 777, as this will make them writable by anyone, and cause a security risk.

6. Restricting Admin Access to Only Pre-Approved IP Addresses can improve Magento security

There is an option in Magento by which we can pre-define IP addresses which can access the Magento admin panel. This step can add a great security layer to your Magento store, thus improving Magento security. You can create a list of IP addresses of your and your coworkers’ computers and add them in the list of IP addresses which can access your Magento site’s admin panel. All other IP address users will not be able to access your Magento admin panel.

To enable this IP address restriction, first of all you need to edit your .htaccess file to enter the IP addresses you want to allow. For that, enter the following code in the .htaccess file:

AuthName "Protected Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 192.168.112.11
allow from 168.121
</Limit>

Here the IP address ‘192.168.112.11’ will be allowed, and secondly, all the IP addresses starting with ‘168.121’ will be allowed. You can allow as many IP addresses as you want, following this format. All other IP addresses not mentioned there will be denied access.

The next step is to create a new folder ‘admin’ in your Magento root directory. Copy your Magento’s index.php file into that folder, and change the relative paths toconfig.php and Mage.php file by changing these two lines:

$compilerConfig = '../includes/config.php';
$mageFilename = '../app/Mage.php';

Notice, we have only added ../ in these file paths.

Now we have to direct the users coming to our admin paths to this directory. To do that, enter these lines into your .htaccess file:

Redirect permanent /index.php/{admin_path} /admin/index.php/{admin_path}
Redirect 301 /index.php/{admin_path} /admin/index.php/{admin_path}

Here {admin_path} indicates the new admin path we manually changed in step 2. For instance it can be securedadmin, as we defined in the step 2 example.

Please note that you should only implement this security step if your ISP provides you a static IP address. Some ISPs assign dynamic IP addresses to users each time they connect to the internet. In such cases, as your IP address keeps on changing, you shouldn’t implement this security step.

7. Disabling of Malicious PHP Functions

Some PHP functions are more prone for virus injections and are security risks. It is best to disable these malicious PHP functions in the first place. If your code relies on any such functions, the best way is to use some alternative, more secure function with similar functionality. To disable such malicious functions, open your php.ini file and add the following code in it:

disable_functions = “apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode”

If you already have some code disable functions in your php.ini file, then simply append the functions given in the above code. If any of the above-mentioned functions are really important to your theme/module files, and you are unable to find an alternative, you can omit them from this list.

Disabling Directory Indexing

Directory listing is another loophole in many servers, that can affect Magento security. Through directory listing, anyone can enter your website’s URL and see the directory structure and files location of all your website (like the screenshot below). This can make your website very vulnerable to security attacks.

Magento Directory Indexing — Image Credit: Red Leopard

This loophole can be effectively plugged by disabling directory indexing. For this, add the following line of code in your .htaccess file:

Options -Indexes

9. Lowering the Risk of MySQL Injections

Like any other eCommerce system, Magento websites have many form fields where users can enter data, like order fields, profile fields, customer review fields, etc. Sometimes hackers use these fields to inject a MySQL statement, which can resultantly disclose back-end technology information, or can enable access to restricted areas of the website. Although Magento does a good job of outmaneuvering any such attacks, it is still advisable to use web application firewalls to ensure that your website remains safe from any such attacks.

There are many more ways to make your Magento installation even more secure, but I’m sure that if you implement all the above steps, you’ll have a very robust and secure Magento site, which will be able to sustain most hacking attempts.

Besides the above-mentioned steps, one obvious way to make your Magento site more secure is by always keeping your Magento installation updated. The Magento team does an excellent job of fixing possible security vulnerabilities, so the latest Magento version is usually better and more secure. You should also keep your Magento associated email address secure, because anyone who can access that email address can access your Magento store, effectively destroying any efforts you make to improve magento security.

Do mention in the comments your thoughts and feedback about this article, and don’t forget to share it with your friends if you like it.