WebPerf Complete Guide on Magento Security

Magento is a very popular eCommerce platform used today that people choose to grow their online businesses. According to BuiltWith, over 22% of the top 100,000 eCommerce websites are using Magento, along with Magento Enterprise. It is known for being a very robust platform with a high level of functionality and customizability. As with any major platform, security concerns always present themselves as new vulnerabilities are constantly being discovered or exploited. Follow our complete guide below on what you can do to harden your Magento security and help prevent yourself from getting becoming a victim of the next brute-force attack or hacked.


Magento Vulnerabilities


We have written previous guides on Joomla, Drupal, and WordPress security, and looking at the patches and published vulnerabilities and comparing it would appear that Magento is actually quite secure. It could also be that perhaps it is not targeted as much as the other CMS platforms, but that doesn’t mean you should let your guard down. According to CVE Details, an online security vulnerability data source, there were only 5 vulnerabilities reported in 2015.

What types of Magento vulnerabilities are they? According to CVE Details, 43% of Magento vulnerabilities are from remote code execution. You can see the percentages of the rest below.



According to the Magento security center, they pushed out seven security patches in 2015 and two so far in 2016. You can join their Magento security alert registry to be instantly notified of new security patches. Sucuri also does a good job of notifying people of new Magento exploits on their blog.

Magento Security Scan


There is a great free little tool from the Dutch web hosting team over at Byte called MageReport.com. This tool allows you to scan your Magento eCommerce site and it will give you quick insight about the security status of your Magento install and advise on how to fix the following vulnerabilities:

• Credit Card Hijack
• Ransomware
• Cacheleak vulnerability
• GuruInc Javascript Hack
• Outdated Magento version
• Unprotected development files
• Default /admin location
• Unprotected Magmi
• Unprotected version control
• Outdated server software
• Security patch 5994 (admin disclosure)
• Security patch 5344 (Shoplift)
• Security patch 6285 (XSS, RSS)
• Security patch 6482 (XSS)
• Security patch 6788 (secrets leak)
• Security patch 7405 (admin takeover)
• SSL Certificate check

Because the hosting team at Byte specializes in Magento Shops you can rest assured that this toll will be maintained for a long time, as they use this for their own customers.

Magento Security


Even though Magento is a pretty secure CMS when compared to others, it is still very widely used, which means it is always going to be at risk of being attacked or hacked. You can never prevent security breaches all the time, the best thing you can do is implement the best security practices to protect yourself. Follow the recommendations below to harden your Magento security.

Magento Security Index

1. Keep Magento and Extensions Up to Date
2. Smart Usernames and Passwords
3. Magento Security Extensions
4. Block Bad Bots
5. Secure Connections
6. File Permissions
7. Custom Path for the Administrator Login
8. Restrict Admin Access by IP Addresses
9. Harden HTTP Security Headers
10. SSL Certificate

1. Keep Magento and Extensions Up to Date


It is very important that you are always running the latest version of Magento as updates generally contain security fixes. There are three main steps when it comes to upgrading a Magento installation.

1. Install a fresh version the Magento file tree (the version you are trying to upgrade to)
2. Run the installer from the file tree on top of the outdated database (thereby upgrading the database)
3. Move over themes and custom extensions from the old version to the current version.

Customer Paradigm has a good in-depth tutorial on how to fully upgrade Magento. Magento also does a good job of notifying you of important updates that become available within your messages inbox. This is hooked up directly to the Magento security center so you can see when new patches are pushed out.



Updating Magento Extensions


It is also very important to keep your Magento extensions up to date. To can run an update by visiting he Magento Connect Manager. Click into “System” → “Magento Connect”→ “Magento Connect Manager”, it will then require you to login again to confirm your administrator account. You can then run a scan on your extensions and see if there are updates. They will be highlighted in yellow. You can then select the ones to upgrade and click on “Commit Changes.”



2. Smart Usernames and Passwords


Be smart with your usernames and passwords that you choose to use in Magento. Don’t use “admin” as your username and choose a more complex password. This is probably one of the best ways to harden your Magento security, and ironically it is one of the easiest. Many people though use something they can easily remember such as “1234567” and end up regretting later when they are hacked. Remember there are always bots crawling the internet and as your site grows they will always be trying to spoof your login. See this guide on how to choose a strong password.

Approximately 76 percent of attacks on corporate networks involved weak passwords. – gemalto
​

Unlike WordPress where you can only change your administrator’s username in the database, Magento lets you update your administrator’s username right from the dashboard. You can do this after you have already installed Magento. Simply click into “System” → “My Account.”



We also recommend using a free program like KeePass or KeePassX which allow you to generate secure passwords and store them in a database locally on your computer. There are also online services such as PassPack and LastPass, but remember that technically these could be hacked as well.

3. Magento Security Extensions


There are a lot of great Magento security extensions which will lock down your site and help protect you from attacks. These extensions allow you to rate limit or block security threats, block malicious networks, scan for vulnerabilities, enforce strong passwords, see which files have changed, implement a firewall to block common security threats, and much more. We recommend only downloading extensions from Magento Connect or trusted 3rd party sites. Here are some popular Magento security extensions:

• ET IP Security: Extension allows to restrict access to website for visitors by IP or IP mask.
• MageFence: MageFence is the complete security solution for Magento that keeps your website safe and secure at all times.
• MageSecure: Protects your Magento store from hackers by scanning list of tests & vulnerabilities.
• Spam Killer: Integration with Akismet.
• Mage Firewall: Block web attacks, blacklist offenders, uses NinjaFirewall’s rules

You can also scan your Magento site with Sucuri’s Website Malware and Security Scanner and Unmask Parasites. If the test doesn’t show any threats, it does not guarantee your website is completely secure, it just shows that the site poses no immediate threat to visitors.



Two-Factor Authentication


We also recommend implementing two-factor authentication as this can easily prevent intruders from accessing your site. Two popular extensions are Rublon and Two-Factor Authentication. KeyCDN also now has two-factor authentication so you can secure Magento on your web host as well as on your CDN account.

4. Block Bad Bots


There are always bad bots, scrapers, and crawlers hitting your Magento sites and stealing your bandwidth. You can see a comprehensive list of bots at botreports.com. Many of the security extensions mentioned above can work great to block bad bots, but sometimes you might need to do this at the server level. If you wanted to block multiple User-Agent strings at once, you could add the following to your .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]
RewriteRule .* - [F,L]

---

Or you can also use the BrowserMatchNoCase directive like this:

BrowserMatchNoCase "agent1" bots
BrowserMatchNoCase "Wget" bots
BrowserMatchNoCase "Catall Spider" bots

Order Allow,Deny
Allow from ALL
Deny from env=bots

And here is an example on Nginx.

if ($http_user_agent ~ (agent1|Wget|Catall Spider) ) {
return 403;
}


KeyCDN now has a feature as well which you can enable to block bad bots on the CDN side to save money on bandwidth.

5. Secure Connections


No matter where you are you should always trying to ensure the connections you are using are secure when connecting to your Magento shop. You should use SFTP encryption if your web host provides it, or SSH. If you are using an FTP client the default port for SFTP is usually 22.



Note: Some FTP clients store passwords in plain text or encoded on your computer. Even some encoded passwords can be converted back to the original. We recommend not saving FTP passwords in the client, or setting up what some call a master password.

It is also important to make sure your firewall rules are setup properly on your home router. And remember whenever you work from a public place like an internet cafe or Starbucks these are not trusted networks.

Your web host where your website resides should also be running secured hosting. This means Magento should always be running on up to date and supported versions of PHP, MySQL, account isolation, web application firewalls, etc. Be careful with cheap shared hosts as you can run into issues if they are overcrowding servers and sharing resources such as IPs.

6. File Permissions


To protect your Magneto shop you want to make sure and use the correct file permissions. Each directory and file has different permissions which allow people to read, write and modify them. If your permissions are too loose this could open up a door for an intruder and if they are too restrictive this could break your Magento install as extensions and the Magento installation need to be able to write to certain directories.

Magento has some great documentation on setting privileges and ownership after you install Magento.

• 500 permissions for directories (dr-x------) gives the web server user read and execute privileges to prevent the accidental deletion or modification of files in the directory. Other users have no access to Magento directories.
• 400 permissions for files (-r--------) prevent any user (even the web server user) from overwriting files.
  This prevents attacks that depend on overwriting existing files with malicious content.
• 700 permissions (drwx------) for the media/ and var/ directories give full control (that is, read/write/execute) to the owner and no permissions to anyone else.
• 600 permissions (-rw-------) for files in the media/ and var/ directories enable the web server user to write to them and to overwrite them.

However, you can get even more restrictive than the above recommendations to really lock down your installation.

Lock Down local.xml File


It is also important to note that the local.xml file, located in app/etc/local.xml holds all of your database connection, and this is not a file you want someone else getting their hands on. As a means of prevention, restrict this file’s permissions to 600, or (-rw-------). These permissions restrict read-and-write access to your user alone.

7. Custom Path for Administrator Login


Normally your Magento admin login will be at https://domain.com/admin. Depending on how popular your site is you will probably start to get bots and many failed login attempts trying to access your backend. You can easily fix this by simply changing your admin login URL to something only you know.

To change the admin path in Magento, go to the app/etc/local.xml file, find the line with this code: <![CDATA[admin]]>, and change the string admin to the required admin string. For example, if you want to change the admin panel URL to https://domain.com.com/backdoor, change the CDATA code to <![CDATA[backdoor]]>

You might also want to change the path for Magento Connect Manager, as this is another entry point for hackers.

8. Restrict Admin Access by IP Addresss


You can also restrict access to your admin area by IP address by using the following in your .htaccess file. Note, if you have changed your default admin path you would need to update it in the code below.

############################################
## Secure admin

RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/downloader/ [NC]
RewriteCond %{REMOTE_ADDR} !^my.ip.add.ress
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

It is also important to remember that a lot of ISPs assign dynamic IP addresses which change from time to time. So you might only want to do the step above if you have a static IP.

9. Harden HTTP Security Headers


HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities. They usually only require a small configuration change on your web server. These headers tell your browser how to behave when handling your site’s content. Below are six common HTTP security headers we recommend implementing and or updating.

• Content-Security Policy
• X-XSS-Protection
• Strict-Transport-Security
• X-Frame-Options
• Public-Key-Pins
• X-Content-Type

Make sure to check out our in-depth post on HTTP security headers.

10. SSL Certificate


HTTPS everywhere is happening. For eCommerce sites, the reason you need an SSL certificate is because they are processing sensitive data. For other sites the biggest reason for this is your Magento login page. If you aren’t running over a HTTPS connection your username and password are sent in clear text over the internet. Many people will argue that blogs and informational sites don’t need to be running on HTTPS, but how important are your login credentials? Also, many sites have multiple authors logging in from all sorts of different networks, so running over a secured connection can only help harden your Magento security.



With the SEO advantages of HTTPs and performance benefits of HTTP/2 there is no reason not to be running on HTTPS and using an SSL certificate. And KeyCDN now also offers free SSL certificates with our Let’s Encrypt integration.

If you are running your Magento site over HTTPS you will also want to enable HTTPS/SSL secure URLs in the back-end. To do this click into “System” → “Configuration”→ “Web.” You will want to update the “Base URL” to HTTPs as well as changing “Use Secure URLs in Frontend” and “Use Secure URLS in Admin” to yes.



Summary


As you can see there are many ways you can harden your Magento security and some great extensions to help you do so. From keeping Magento and extensions up to date, being smart with usernames and passwords, using security extensions, custom admin path, file permissions, two-factor authentication, using an SSL certificate and more. Many of these recommendations can be implemented within a matter of minutes and you can rest easy knowing your Magento site a little more secure from intruders and hackers.

Have any other good Magento security tips that you think we missed? If so, let us know below in the comments!

Related Articles

• Hardening Your HTTP Security Headers
• 12 Tips to Speed Up Magento Performance

Featured

250GB Free Traffic
Supercharge your Website Today with KeyCDN
HTTP/2 – Free SSL – RESTful API – 24+ POPs – Instant Purge

The post Complete Guide on Magento Security appeared first on KeyCDN Blog.

Continue reading...