Introduction to Magento Security

Introduction

Steps to properly secure your Magento site from hackers.


Recent statistics show that Magento is the third most popular ecommerce platform. The unfortunate reality is that data breaches and attacks against ecommerce sites are on the rise, and a large number of Magento sites are not PCI compliant. Many vulnerable Magento websites are targeted by cybercriminals who seek to steal sensitive customer data and credit card information.

This guide intends to educate administrators on basic Magento security techniques and actionable steps showing how to secure Magento websites and how to maintain compliance while reducing the risk of a website compromise.

1

Ensure your Magento Site is PCI Compliant

All ecommerce websites must follow the requirements outlined by the Payment Card Industry Data Security Standards (PCI-DSS) — even if they don’t process any payments themselves. If an attacker compromises a site that uses PayPal, for example, they can modify the site and redirect customers to a malicious payment gateway, resulting in lost sales and fraud.

The major credit card companies govern the PCI requirements to ensure the secure handling, transmission, and storage of cardholder information.

If a merchant is found to be noncompliant, they may incur considerable penalties, including suspension or cancelation of credit card payment processing. Noncompliant sites may also see an impact to brand reputation and receive heavy fines from payment industry regulators.

Did you know?

The average cost of a data breach (including fines, insurance, incident response, and other factors) rose to 4.24 million in 2021, according to the yearly report from Ponemon institute.

You can sign up for our free PCI Compliance email course to learn more about the requirements and protect your store.

The latest version of PCI DSS is version 4.0 which includes 12 requirements distributed between six core domains.

The PCI-DSS Requirements

 

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain network security controls

Requirement 2: Apply secure configurations to all system components

 

Protect Account Data

Requirement 3: Protect stored account data

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

 

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software

Requirement 6: Develop and maintain secure systems and software

 

Implement Strong Access Control Measures

Requirement 7: Restrict access to system components and cardholder data by business need to know

Requirement 8: Identify users and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

 

Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data

Requirement 11: Test security of systems and networks regularly

 

Maintain an Information Security Policy

Requirement 12: Support information security with organizational policies and programs

1.1 - Integrated Payment Gateways

Magento offers integrated payment gateways which allow merchants to securely transmit credit card data.

These solutions use an API or payment form hosted by an external payment processor. With this option, information is sent directly to the payment gateway without sensitive data being stored on the Magento application server—making it easier for site owners to meet PCI requirements.

Learn more about the official Magento Approach to PCI Compliance.

1.2 - TLS & HTTPS

TLS (previously known as SSL) is a cryptographic protocol used to encrypt data as it travels between computers and servers over the internet.

If you are starting with a new installation, consider launching the entire site over HTTPS. While it doesn’t keep your website safe, it does securely transfer user credentials and protect your visitor’s data when it is transmitted.

Without TLS, data transferred using the unsecured HTTP protocol can be intercepted – including sensitive information like passwords and credit cards.

Magento website administrators should add TLS certificates to all ecommerce websites to protect visitors and securely transmit cardholder data.

TLS allows the use of HTTP/2, a major revision of the HTTP network protocol, which can significantly improve a website’s performance.

HTTPS can also impact your SEO ranking and PCI compliance; Google uses HTTPS as a ranking factor, and this protocol can help you meet the fourth requirement outlined in the PCI-DSS: Encrypt transmission of cardholder data across open, public networks.

You can chat with us to learn how we can help you activate TLS/HTTPS via our cloud-based WAF.

Did you know?

In July 2018, Google released a Not Secure label for Chrome users to indicate if a website handling credit cards or passwords was not using HTTPS.

These labels can significantly impact traffic and brand reputation for your website.

2

Protect Magento Against Software Vulnerabilities

Based on our 2021 Hacked Website Research Report, 85.2% of Magento websites were found using out of date versions of Magento core files at the point of infection. This may be because ecommerce site owners wish to avoid breaking functionality and losing money, or simply don’t have enough resources or technical expertise to patch their installations.

One of the most important things you can do to protect your site is maintain up-to-date software. A large number of webmasters continue to use Magento 1 which reached its end-of-life support on June 30th, 2020 and is no longer patched and maintained against known vulnerabilities.

To effectively protect their e-commerce websites, we strongly encourage Magento 1 users to migrate to Magento 2 to enjoy regular patches and updates, security enhancements, speed and SEO improvements, and support for the latest PHP versions.

Did you know?

Magento has documented all of the steps you need to migrate to Magento 2. Their comprehensive documentation includes steps to perform a dry run in a test environment to troubleshoot and identify any potential issues.

2.1 - How Secure is Magento?

The Magento team diligently provides patches and security updates to protect websites against known threats and vulnerabilities. The use of third-party extensions and integrations also exposes websites to additional security threats.

In this section, we’ll discuss best practices to prevent software vulnerabilities and describe how you can keep your Magento installation secure and up to date.

Did you know?

 

Magento has an official Security Alert Registry. Enroll to receive notifications whenever there is a new security release for your store.

A remote scanner will check the site externally using different user-agents, but some issues do not present themselves in a browser. Hidden infections (i.e., backdoors, phishing pages, and hidden scripts) can be found using a server-side scanner. Learn more about how remote scanners work.

2.2 - Security Patches

Statistically, your best defense is to promptly install the latest Magento security patches as soon as they become available. These patches significantly mitigate the risk of a compromise and ensure that your website possesses all of the latest bug fixes needed to protect your store and customers.

Magento often includes feature upgrades that have been bundled with their security patches. Your best option is to give yourself the extra time to test your site properly and rely on a web application firewall to virtually patch any known Magento vulnerabilities in the interim.

Virtual patching should be seen as a temporary solution until you are able to update your site with the latest security fixes. However, a properly configured WAF is always a good defensive tool to run on your eCommerce site.

There are a few items you should consider prior to patching:

 

  • Check the version release notes to see what changes have been made and assess the impact to your website.
  • Ensure that you have a recent backup of your files and database.
  • Enable exception logging to diagnose any errors that may occur during the update.
  • Test the new version on a staging environment before releasing it live on your production website.
  • Identify the best time to update your website. Periods with the lowest anticipated amount of site traffic are ideal, as your storefront could be temporarily unavailable and customers will not be able to complete a transaction.

To apply Magento patches:

  • Make sure you have a recent backup of your site.
  • Download the patches specific to your Magento version from the Magento Downloads page.
  • Upload the .sh or .patch files to your Magento root directory.
  • If your Magento store is compiled, disable the compiler under System > Tools > Compilation.
  • Connect to your site via SSH and run one of the following matching commands for the patch file extension:
				
					$ sh example_patch_name_12345.sh
				
			
				
					$ patch --p0 example_patch_name_12345.patch
				
			
				
					$ unzip -o example_patch_name_12345.zip
				
			
				
					$ tar -zxf example_patch_name_12345.tar.gz
				
			
  • Test the Magento store to confirm functionality.
  • Run the compiler if you disabled it in Step 4.


Magento also has a built-in caching system which should be reset once the website is patched.

To reset the cached version of your Magento website:

  1. Make sure you have a recent backup of your site.
  2. Log into your Magento admin panel.
  3. Click System on the menu item and under Tools, select Cache Management.
  4. Click Flush Magento Cache (and Flush Cache Storage on Magento 1.x).

2.3 - Updating Modules and Extensions

As seen in our recent analysis of hacked websites, a large majority of threats to ecommerce websites stem from missing security patches and vulnerabilities introduced by add-on modules, plugins, templates, and extensions.

If you are using third-party components like modules or extensions on your Magento site, keep them updated with the latest patches to mitigate threats. The Magento community maintains a free tool to check for a list of vulnerable modules that may have been installed on your store: https://github.com/gwillem/magevulndb. In addition to the Magento security scanner, this tool ensures that all your code is using secure up to date versions.

Did you know?

 

You can check your Magento website for known vulnerabilities by using the free Mage Report tool.

2.4 - Auditing Modules, Templates, and Extensions

To protect your Magento website and customers, we recommend auditing your modules, extensions, and templates on a regular basis. These components can become deprecated, obsolete, or include bugs that pose serious security risks to your website.

Pro Tip

 

Have your developer review any new components that you are considering adding to your store. Some components may inadvertently reveal your admin URL path to the store developers.

Magento website protection you can depend on.

Round-the-clock website protection from hackers and Magecart malware. Our pros are here to help.

Assess Your Component’s Security

You can assess the security of third-party components by reviewing the following indicators:

  • Does the extension or template have a large install base?
  • Was your module obtained from a reputable website or store?
  • How recently was the plugin last updated?

If the module or extension doesn’t meet any of these requirements, you may want to look for a more secure solution.

We also encourage Magento site owners to carefully read the Terms of Service for each third-party component they consider using on their website. The terms may reveal unwanted features that the authors didn’t advertise on the product page.

Remove Unused Components

When it comes to unused components, less is more.

Storing unwanted modules, extensions, or templates in your Magento installation increases the chance of a compromise — even if they are disabled and not actively being used in your installation.

Security Recommendation

 

Not using that Magento module or extension? Remove it from your installation.

3

Implement Strong Access Control Measures

Implementing strong access control measures is extremely important for the security of any website, however, it’s especially imperative for ecommerce stores — and happens to be the focus for PCI requirements 7, 8, and 9.

You can help maintain PCI compliance and reduce the exploitation of access control mechanisms by using strong, unique passwords on your system and components, restricting privileges through assigned roles, enabling two-step or multi-factor authentication, and limiting access to the admin area exclusively to authorized IP’s.

3.1 - User Roles

Certain administrative resources are assigned to user roles by default, but these default configurations are insufficient for the proper security of a Magento site and should be reviewed.

Roles & the Principle of Least Privilege

The principle of least privilege is composed of two very simple steps:

  • Use the minimal set of privileges on a system in order to perform an action.
  • Grant privileges only for the exact duration that an action is necessary.
     

You can create custom roles at the lowest level of permission to reduce your security risk.

To create a new custom role in Magento 1 or 2:

  1. Log into the Magento backend as an Administrator.
  2. From the Admin menu, select System > Permissions > Roles.
  3. Select the Add New Role button.
  4. Enter a name to describe your new Role.
  5. From the left hand panel, select Role Resources.
  6. Select the admin resource checkboxes that you want to grant for this role.

Once you have created a new custom role, simply create a new user or assign the role to an existing user.

To create a new user in Magento 1 or 2:

  1. Log into the Magento backend as an Administrator.
  2. From the Admin menu, select System > Permissions > All Users.
  3. Select the Add New User button.
  4. Enter a User Name for the account.
  5. Enter a First Name, Last Name, and Email Address.
  6. Assign a Password for the account and repeat it to confirm.


Magento administrators should only grant temporary permissions on a temporary basis, and revoke access when they are no longer needed. Accounts that are no longer in use should be deleted to restrict access in the event of a compromise.

Did you know?

 

  • During the Magento installation process, an administrator account is created with full access which allows you to access the admin panel and modify configuration settings.
  • As a best practice, you should create a second user account with full Admin permissions. Use one of the accounts for everyday administrative activity and reserve the second one for a “Super Admin” in the event that credentials are forgotten or compromised.

3.2 - Password Requirements

Strong passwords will help prevent brute force attacks and ensure the integrity of your Magento installation and admin panels.

Strong passwords should meet the following criteria:

  • At least 1 uppercase character
  • At least 1 lowercase character
  • At least 1 digit
  • At least 1 special character
  • At least 10 characters, with no more than two identical characters in a row

As a security best practice, we encourage all webmasters to use a password manager like KeePass to generate and securely store their passwords.

We also encourage you to remind admin users to maintain unique unhacked passwords, which can be accomplished using the Have I Been Pwned Magento module. This service checks your admin users’ passwords against a database of compromised passwords online.

3.3 - 2FA / MFA

If you can implement additional layers of authentication after entering your password, this will go a long way in reducing brute force password-guessing attacks.

Magento 2: 2FA

Magento offers two-factor authentication as a core module and is configured by default during the initial installation process. When enabled, Admin users must complete a second step to verify their account before accessing the Admin features. This feature is not extended to customer accounts.

To add 2FA to any page using Google Authenticator:

  • Download and install Google Authenticator on your iPhone or Android.
  • Log into the Magento Dashboard and navigate to Stores > Settings > Configuration.
  • Select Security, then 2FA.
  • Expand the General section and set Enable Two Factor Auth to Yes.
  • Navigate to Google Authenticator and set Enable this provider to Yes.
  • Select Save Config.
  • Using Google Authenticator, scan the QR code with your mobile device to complete the setup.

You will also need to configure your authenticator settings by selecting one of the following options:

  • Set required authenticators per user account: Supports multiple types of authenticators and allows you to define different authenticators by user account.
  • Force global authenticator for all accounts: Requires all Magento Admin users to use a specific type of authenticator.

To force a global authenticator for all users:

  • Navigate to Stores > Settings > Configuration.
  • From the Security sidebar, select 2FA.
  • Navigate to the General section and ensure that the option Use system value is unchecked.
  • Select one or more authentication types from the menu.
  • Click Save config to complete the setup.

Sucuri Firewall: 2FA

The Sucuri Firewall includes a feature that helps you easily implement 2FA or password protection on any page of your website.

To force a global authenticator for all users:

  1. Download and install Google Authenticator on your iPhone or Android.
  2. Log into the Sucuri Dashboard and navigate to Website Firewall.
    Click on the website you would like to protect.
  3. Select Access Control from the top navigation.
  4. Enter the page name that you would like to protect (ie. /admin), then select 2FA with Google Auth from the drop-down menu.
  5. Click Protect Page.
  6. Using Google Authenticator, scan the QR code with your mobile device to complete the setup.

CAPTCHA

Magento comes with a CAPTCHA feature which you can use to verify that a human is interacting with the website.

We encourage Admin users to add CAPTCHA to the Admin Login page.

To Set Up CAPTCHA for Admin:

  1. Log into the Magento backend as an Administrator.
  2. From the Admin menu, select Stores > Settings > Configuration.
  3. On the left panel under Advanced, select Admin followed by CAPTCHA.
  4. Set Enable CAPTCHA in Admin to YES.
  5. Click to expand the section and select Yes next to Enable CAPTCHA in Admin.

Did you know?

Sucuri offers its customers an affordable system for secure website backups.

3.4 - Restrict Access

We recommend that Magento owners consider restricting access to development and staging environments, as they can leak sensitive data or be used to attack the production environment.

Magento 2: Admin IP Address Restriction

You can deny access for unauthorized IPs to the Magento backend with the MSP AdminRestriction module.

To install the module, enter the following commands:

				
					$ composer require msp/adminrestriction
				
			
				
					$ php bin/magento setup:upgrade
				
			

IP Allowlisting

You can also use IP allowlisting and .htaccess password protection to reduce the attack surface on your Magento installation.

The Sucuri Firewall offers a protected page feature that allows you to add IP allowlisting, passwords, 2FA, or CAPTCHAs to any area of your site.

4

Hardening Recommendations

Caution

 

The following recommendations are for server administrators with a working knowledge of these files. If you do not feel comfortable with the suggestions provided below, we recommend using a website firewall that includes virtual hardening instead.

4.1 - Basic .htaccess Configurations

When using an Apache web server, Magento employs a critical .htaccess configuration file to protect the system. This file is what most vendors modify when they say they are hardening your environment.

Note

 

If you use NGINX for your webserver, you’ll need to make sure that all of your directories and system files are protected.

Security consultant and Magereport founder Willem de Groot has a sample NGINX configuration available on GitHub: magento-nginx.conf

To verify that .htaccess protection is working correctly, try the following request. Remember to replace example.com with your own domain name: https://www.example.com/app/etc/local.xml

If the contents of the local.xml file are returned, you’ll need to change your web server settings. This file contains the database connection details to your store, as well as the encryption key used to secure data.

/.HTACCESS

Rule Explanation

				
					# Restrict Access for Admin Login

RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.xx

RewriteRule ^(index.php/)?admin/ – [L,R=403]
				
			

Restrict Admin Logins to IP Range:

To protect your admin panel from unknown IP addresses, you can redirect requests to the main page by adding the following rule in root .htaccess, inside <IfModule mod_rewrite.c>.

Replace xx.xx.xx.xx with the IP address(es) you want to allowlist for the admin panel.

				
					# Restrict Access for RSS Feed

RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.xx

RewriteRule ^(index.php/?)?rss/ – [L,R=403]
				
			

Restrict RSS Feed to IP Range:

You can also redirect unknown IP addresses from your RSS feed by adding the following rule to your root .htaccess file, inside <IfModule mod_rewrite.c>.

				
					# Block Access for RSS Feed

RewriteRule ^(index.php/?)?rss/ – [L,R=403]
				
			

Block Access for RSS Feed:

If you don’t intend on using the RSS feed, you can block access to it by adding this rule to your root .htaccess file, inside <IfModule mod_rewrite.c>.

				
					# Allowlist IP for Downloader App

order deny,allow

deny from all

allow from xx.xx.xx.xx
				
			

Allowlist IP for Downloader Application:

Allowlist IP addresses for the downloader application by adding this rule to your ./downloader/.htaccess file.

				
					# Block Access for Downloader App

deny from all
				
			

Block Access for Downloader Application:

If you don’t intend on using the downloader, you can block access to it by adding this rule to your ./downloader/.htaccess file.

				
					# Protect .htaccess

<files ~ “^.*\.([Hh][Tt][Aa])”>

order allow, deny

deny from all

satisfy all

</files>
				
			

Protect .htaccess:

Prevent attackers from accessing any of your .htaccess files by protecting files that start with “hta”.

				
					# Prevent directory browsings

Options All -Indexes
				
			

Prevent Directory Browsing:

Prevent attackers from viewing the folder contents of your website and restrict the information they have available for exploitation.

				
					# Prevent image hotlinking

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} \

!^http://(www\.)example.com/.*$ [NC]

RewriteRule \.(gif|jpg|jpeg|bmp|png)$ – [NC,F,L]
				
			

Prevent Image Hotlinking:

Prevent other websites from using images hosted on your website. Hotlinking won’t get your site hacked, but it can result in exploitation of your server resources.

Note:

Change example.com to your website.

4.2 - Admin Panel Security

There are a number of approaches you can take to improve the security of your Magento admin panel.

Magento 1.x: Use a Custom Admin URL

You can reduce the exposure to automated attacks by changing the default admin URL.

In a standard Magento installation, the Admin URL and path is one directory below root:

				
					https://<example>.com/magento/admin
				
			

To change the Magento Admin URL from the server:

  • Open app/etc/local.xml in a text editor.
  • Look for the <adminhtml> argument in the <admin> section:
				
					# <frontName><![CDATA[admin]]&gt;</frontName>
				
			
  • Change the name of the [admin] path. Make sure to use only lowercase characters.
  • Save the file.
  • Navigate to the var/cache folder and delete the contents to clear the Magento cache.


This feature is already included in Magento 2 installations and defaults to a randomized Admin URL to increase security. We don’t recommend that administrators revert this setting to a simple URL.

Important

 

Check with your hosting provider prior to implementation. Some firewall protection rules may require a specific URL format.

Admin Security Configurations

The Admin security configuration offers some features you can use to mitigate threats to your installation.

Features include: the ability to add a secret key to URLs, limit Admin session durations, define password lifetimes, limit login attempts, and designate password requirements.

To access and configure Admin Security:

  1. Log into the Magento backend as an Administrator.
  2. Navigate to the sidebar and click Stores.
  3. Under Settings, choose Configuration.
  4. Navigate to the panel on the left under Advanced and select Admin.
  5. Expand the Security section and modify your preferences.

Options from the Admin Security section include:

  • Set Admin Account Sharing to No to prevent Administrators from logging into the same account on different devices.
  • Set Password Reset Protection Type to one of the following:
    • By IP & Email: Reset the password online after a verification email.
    • By IP: No additional confirmation is required to reset the password.
    • By Email: Reset the password by responding to a confirmation email.
    • None: Password can only be reset by a store admin.
  • Set Recovery Link Expiration Period (hours) to the number of hours a password recovery link should remain active.
  • Set Max Number of Password Reset Requests to determine the number of password reset requests available to a user within an hour.
  • Set Min Time Between Password Reset Requests to the minimum number of minutes that need to pass between password reset requests.
  • Set Add Secret Key to URLs to Yes to append a secret key to the Admin URL. This is enabled by default.
  • Set Login is Case Sensitive to Yes to require users to use upper and lowercase characters in their login credentials.
  • Set Admin Session Lifetime (seconds) to any value greater than 60 to determine the length of an Admin session before it times out.
  • Set Maximum Login Failures to Lockout Account to the maximum number of times a user can attempt an Admin login before the account is locked. The default is 6.
  • Set Lockout Time (minutes) to the number of minutes an account is locked.
  • Set Password Lifetime (days) to the number of days that a password remains valid for. You can leave the field blank for unlimited password lifetimes.
  • Set Password Change to:
    • Forced: Requires passwords to be changed after account setup.
    • Recommended: Recommends users change passwords after account setup.

5

Proactive Magento Security

In this section, we’ve listed a number of solutions you can employ on your website to provide an effective proactive security strategy. By layering defensive controls, you’ll be able to identify and mitigate attacks against your website.

5.1 - Hosting Services

There are four main hosting environments that can be used for your Magento installation. Each of them have different features and things you should consider:

  • Shared Hosting Environments
  • Virtual Private Server (VPS) Environments
  • Managed Hosting Environments
  • Dedicated Servers


Environments that remove the most dependency from the user usually offer the most security. If you have the time and skill to secure your own environment, you’ll have more options and more control — but also more responsibility.

You should select the type of hosting environment that best meets your needs and level of expertise:

  • If you have little understanding of how websites work or what they require, you should go with a managed environment.
  • If you’re an organization with your own network operations center (NOC), information security operations center (SOC), or dedicated sysadmins, a VPS or dedicated server will provide better environment isolation—assuming it’s properly configured.

Pro Tip

 

We encourage every website owner to isolate their hosting accounts to mitigate the risk of cross-site contamination, one of the leading causes of website reinfections.

It is highly recommended that you research reliable hosting providers for your Magento website. You can initiate a conversation with potential hosting providers to ask them about their approach to security.

Here are some key points to address:

  • What security precautions are they taking to protect your website (not just their servers)?
  • How often do they search for malware in their environments?
  • What actions will they take if they detect malware on your website?
  • Do they offer remediation and incident response, or will you need a third-party solution in the event of a compromise?

There are a number of hosting providers that offer security for additional fees, but unless you’ve purchased a security product from them, it’s unlikely that they’ll resolve a hacked website for you.

5.2 - SFTP/SSH Connections

Secure file transfer to and from your server is an important component of website security. These encrypted connections ensure that transmitted data is protected from attackers who may be sniffing your network traffic.

We recommend using one of the following methods to connect to your server:

SSH: Secure Socket Shell is a secure network protocol and the most common way of safely administering remote servers. With Secure Socket Shell, any kind of authentication, including password authentication and file transfers, is completely encrypted.

SFTP: SSH File Transfer Protocol is an extension of SSH and allows authentication over a secure channel. If you are using FileZilla or some other FTP client, you can often select SFTP instead. The default port for SFTP in most FTP services is 22.

You can also log into the Magento Admin panel using HTTPS, which provides the same type of security as SSH and SFTP.

Pro Tip

 

You should monitor all SFTP/SSH logins for unauthorized activity, commands, or uploads. Also consider using a custom SSH port and key authentication, rather than passwords.

5.3 - Web Application Firewall

Using a Web Application Firewall (WAF) can help you achieve and maintain a number of PCI-compliant requirements and protect your customers and website from attackers.

Firewalls inspect and filter malicious traffic before reaching your server. These services detect and block malicious bots, hacker tools, and vulnerability exploitation attempts. They can also virtually patch your Magento installation in the event that you are unable to update to the latest version.

Did you know?

Some of the PCI requirements that are covered through the virtual patching, hardening, and security options the Sucuri Firewall include:

  • Requirement 1: Establish and implement a firewall
  • Requirement 2: Harden your environment, disable unnecessary services & configure system parameters to prevent misuse
  • Requirement 6: Ensure that system components are protected from known vulnerabilities
  • Requirement 6: Address common coding vulnerabilities
  • Requirement 10: Implement audit trails
  • Requirement 10: Review logs

5.4 - Backups

Backups are designed to recover your system to its last known good state or configuration, and are a critical component of website security. Maintaining regular backups will ensure the continuity of your store in the event of a compromise.

When backing up your website, you’ll want to include all of the following assets:

  • Server log files
  • Magento file system
  • Magento database
  • Custom files and configurations
  • Here are some tips to keep in mind when you are implementing a Magento backup solution.

 

Location:

Store Magento backups in an offsite location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.

 

Automatic:

Your backup solution should run automatically at a frequency that suits the needs of your website. Ideally, you should choose a service that alerts you during any failures.

 

Redundancy:

Maintain copies of your backups in multiple secure locations to mitigate the risk of data loss.

 

Snapshots:

Maintain snapshots from older timeframes to mitigate the risk of an infection rendering a recent backup useless. While you may experience data loss, this will allow you to restore your site to the last known good configuration.

 

Testing:

Test your backups to make sure they work as intended and avoid any surprises if you need to restore them in an emergency.

 

File Types:

Some backup solutions exclude certain file types such as videos and archives, so it’s a good idea to check the features and ensure that all of your website assets and media are supported.

Did you know?

 

Sucuri customers can leverage our secure and reliable Website Backups disaster recovery solution for their Magento sites.

5.5 - Detection Tools

To help you respond quickly to a security breach, we recommend that you employ a tool that helps identify any changes to your website. The solution that you choose should include the following features.

When backing up your website, you’ll want to include all of the following assets:

  • Server log files
  • Magento file system
  • Magento database
  • Custom files and configurations


Here are some tips to keep in mind when you are implementing a Magento backup solution.

Magento Security Scanner

Magento has a free security scanner that checks if there are any known vulnerability issues or missing patches for your website.

Integrity Monitoring

Integrity checks are an important aspect of auditing your Magento website. Any new or recently modified files on your server or database may be part of a compromise. These monitoring services can give you an early warning of an intrusion on your website.

If you want to check the integrity of your file system manually, you can find all Magento 1.x and Magento 2.x versions on GitHub. Using an SSH terminal, download Magento locally and then follow the steps below.

The following commands use Magento version 2.4 as an example of the clean files and public_html as an example of where your Magento installation is located on the server.

To check core file integrity with SSH commands:

				
					$ mkdir magento-2.4
				
			
				
					$ cd magento-2.4
				
			
				
					$ wget https://github.com/magento/magento2/archive/2.4.tar.gz
				
			
				
					$ tar -zxvf 2.4.tar.gz
				
			
				
					$ diff -r 2.4 ./public_html
				
			

The final diff command will compare the clean Magento files with your existing installation. The output will also report additional modules you have added, and these can be compared with other known good files. Remember to remove the duplicate clean files from your server after testing.

You can also use Magento Corediff to check Magento core file integrity. Created by Sansec, this forensic tool can be used to quickly find unauthorized code base modifications in both Magento 1 and 2 installations.

Auditing / Alerting Tools

Auditing tools offer visibility into user activity on the website. As the website administrator, you should be monitoring your website for unusual behavior and answering the following questions:

  1. Who is logging in?
  2. Should they be logging in?
  3. Why are they changing content on the site?
  4. Why are they logging in during strange hours?
  5. Who installed that component?


We strongly encourage Magento site owners to use a tool that logs and alerts of any actions taken on a website, including:

  • Unauthorized admin user creation
  • Unauthorized role creation or modification
  • User authentication successes and failures
  • Page creation or modification
  • Module activation or modification
  • Third-party component installation
  • Template modifications
  • Settings modifications
  • File uploads


You can work with your hosting provider to review server logs for suspicious activity. We also recommend that Magento users implement an Intrusion Detection System (IDS) to protect from malware, hacks, zero-day exploits, and DDoS attacks.

Third-Party Scanning

The security of your Magento site is only as strong as its weakest link—this may include any external JavaScript used for business or marketing needs. In the past, bad actors have used these as attack vectors on Magento sites. Since it’s not possible to secure your providers, your best option is to monitor them with a supply chain monitoring tool.

6

Protect Against Card Testing Attacks

A common problem that ecommerce websites face is to be used in a “card testing attack”. When attackers successfully steal credit card details online through skimming attacks it is common for them to first test them before attempting to sell them online. The way they do this is to make a small, usually $1 transaction to verify that the card is still active so that it can later be sold.

Of course, attackers have automated this process — so if you’ve ever seen hundreds or thousands of small transactions take place on your ecommerce website in a matter of minutes then this is likely the cause.

Preventing your website from being used as a staging grounds for credit card theft is easy, although slightly inconvenient for your customers:

  1. Disable “guest checkout”
  2. Require that all transactions be done from a verified account
  3. Add a CAPTCHA to your checkout process

Once these three requirements are in place your website should be protected against card testing attacks.

7

Security Services

There are a number of free online tools you can use to scan your Magento installation remotely. These tools can help identify credit card stealers, intermediary domains, malicious payloads, and other security issues.

To scan Magento for malware and security issues:

  1. Visit the SiteCheck website.
  2. Enter your Magento website URL.
  3. Click Scan Website.
  4. You will receive a status report with any identified security issues.
  5. Note any payloads and locations (if available).
  6. Note any blocklist warnings.
  7. Scan all other websites being hosted on the same server.

Did you know?

 

You can use the following services to scan your Magento installation for malware and security issues:

There are a number of professional security solutions available that can take care of your website security needs for you. Not all services are the same—some charge more to fix complex hacks, and others provide different tiered feature sets. Choose the one that best suits your needs.

If your host provides security services, take some time to research exactly what features they include. They’re normally happy to advise you on ways you can complement their baseline feature sets with additional services.

Sucuri is committed to helping Magento website administrators identify infections, clean up hacks, and protect their ecommerce sites. The benefit to employing a cloud-based security service like Sucuri is that it provides complete end-to-end website security—: protection, detection, and response services are included in an all-in-one platform, with no hidden fees.

Our high availability Globally Distributed Anycast Network (GDAN) ensures that websites can efficiently service their global audiences while mitigating DDoS attacks.

Protect your Magento website and combat online threats with our powerful monitoring and protection platform.

Ready to protect your Magento website?

Sucuri Resource Library

Say on top emerging website security threats with our helpful guides, email, courses, and blog content.

Webinar

Learn how to identify issues if you suspect your WordPress site has been hacked.

Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.

Report

Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.