
An EASM blog from Detectify

Magento security 101: How to secure your Magento site

October 6, 2017

Due to its popularity as an e-commerce platform, Magento is an attractive target for hacker attacks, but basic security precautions can go a long way. We know that getting started with security can feel a little daunting, so we have put together this short guide to help you out. Follow our Magento security 101 and improve your Magento site’s security!

1. Use the latest version

Make sure that you are using the latest version of Magento, as software updates often include security patches. If you are using Magento Open Source (formerly known as Community Edition), the latest version as of October 2017 is 2.2. If you are running an older version, we strongly recommend that you upgrade; check Magento’s technical resources page for the latest release information.

2. Use a strong password

This may sound like a no-brainer, but it’s still worth mentioning because weak passwords are more popular than one might think. Seriously, take a look at the Worst passwords of 2016 (a list based on 5 million leaked passwords) and prepare to be amazed.

Once you’ve got your strong password in place, don’t change it too often. Contrary to popular belief, changing your password regularly can do more harm than good as you are more likely to choose a weak password that’s easy to remember. To generate strong passwords without having to worry about forgetting them, consider using a password manager.
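As an added illustration of the two points above (reject passwords that appear in leaked-password lists, and generate strong ones instead of inventing memorable ones), here is a small Python password policy check. It is example code written for this post, not part of Magento or Detectify; the `COMMON_PASSWORDS` set is a constructed stand-in for a real leaked-password list, and the 12-character minimum is an assumed policy value.

```python
import secrets
import string

# Constructed sample of entries you would find in a leaked-password list.
# A real deployment loads a much larger file (tens of millions of entries).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "football", "welcome", "admin", "letmein", "magento",
}

MIN_LENGTH = 12  # assumed policy value


def normalize(password: str) -> str:
    """Lowercase and strip leading/trailing digits and punctuation, so that
    trivial variations such as 'Password12345!' still match 'password'."""
    return password.lower().strip(string.digits + string.punctuation)


def weakness(password: str, banned=COMMON_PASSWORDS):
    """Return a human-readable reason if the password is weak, otherwise None."""
    if password.lower() in banned or normalize(password) in banned:
        return "appears in the common-password list (possibly with a trivial variation)"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def generate_password(length: int = 20) -> str:
    """Generate a random password the way a password manager would,
    using the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("123456", "Password12345!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {weakness(candidate) or 'ok'}")
    print("generated:", generate_password())
```

The normalization step matters in practice: attackers' wordlists already contain the "append a digit and an exclamation mark" variants, so a check that only compares the raw string gives a false sense of safety.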

3. Add two-factor authentication

Strong passwords are great, but there’s always room for an extra layer of security. A simple yet powerful measure is to add two-factor authentication to your login. To do this, you can buy an extension on Magento Marketplace.

4. Manage your admin panel

Change the admin directory to something unique (do not use the default /index.php/admin/), serve it over HTTPS with a valid SSL certificate, and restrict access to the admin panel to your own IP addresses. This is a simple step that is often overlooked – our research showed that over 23.17% of all Magento sites use the default admin directory.

When the admin panel is exposed, it gives the attacker the opportunity to brute-force the login. The attacker can test common passwords, which has a high chance of succeeding because many people reuse their passwords. Exposing the admin panel also widens the attack surface and gives attackers one more page to check for vulnerabilities. To find out more about how attackers approach Magento sites, check out our video seminar where our security researchers explain how hackers think.

Not sure if your admin panel is secure? If you run a Detectify security check on your Magento website, the scanner will notify you when an exposed or disclosed Magento Admin panel is found.

Figure: Magento admin panel disclosure – run a Detectify scan to check for Magento Admin Panel Disclosure.
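Restricting the admin path by IP is the fix; spotting a brute-force attempt in your own web-server logs is the complementary detection. The following Python example, added for this post and not part of Magento or Detectify, counts failed POSTs to the admin path per client address inside a sliding time window. It assumes combined-log-format access logs and, as a simplifying assumption, treats a POST to the admin path that returns 200 (login form re-rendered) as a failed attempt and a 302 redirect as a successful login; the log lines, threshold and window are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: 203.0.113.5 hammers the default admin login six times in 20 seconds,
# 198.51.100.7 fails twice and then logs in successfully.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2017:10:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "curl/7.55"
203.0.113.5 - - [06/Oct/2017:10:00:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "curl/7.55"
203.0.113.5 - - [06/Oct/2017:10:00:09 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "curl/7.55"
203.0.113.5 - - [06/Oct/2017:10:00:13 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "curl/7.55"
203.0.113.5 - - [06/Oct/2017:10:00:17 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "curl/7.55"
203.0.113.5 - - [06/Oct/2017:10:00:21 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "curl/7.55"
198.51.100.7 - - [06/Oct/2017:10:00:25 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2017:10:00:30 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2017:10:00:40 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2017:10:00:50 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_admin_bruteforce(lines, admin_path="/index.php/admin/",
                            threshold=5, window_seconds=60):
    """Return {ip: largest number of failed admin logins seen within one window}
    for every client address that reached `threshold` failures. Lines are
    expected in chronological order, as a log file normally is."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].startswith(admin_path):
            continue
        if ev["status"] != 200:
            continue  # assumption: 200 = form re-rendered (failure); 302 = success
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_admin_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed admin logins within 60s")
```

Once the admin path has been renamed as the post recommends, point `admin_path` at the new name; any POST that still arrives at the old default path is then worth an alert on its own, since legitimate users have no reason to send one.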

5. Stay up to date with the latest vulnerabilities

What is considered secure today could easily become vulnerable tomorrow, which is why reading up on the latest security research can help you keep your site secure. Magento’s Security Center is a good place to start – the center offers patch information as well as a number of security best practices for Magento users. However, when it comes to security, it’s always a good idea to have more than one source of information and that’s where automated tools come into play.

If you find security research a little overwhelming (don’t worry, we’ve all been there), automated security scanning tools like Detectify can help you out. Detectify’s researchers add new security tests to the scanner on a regular basis, ensuring that you can always check your site for the latest vulnerabilities.

Figure: Magento downloader vulnerability finding.

Security never stands still. To help you stay one step ahead of hackers, we are always adding new security test modules to our scanner.

6. Monitor your Magento site’s security

Working with security is a long-term commitment, which is why we recommend testing your e-commerce store for vulnerabilities on a regular basis. Detectify tests your site for over 700 vulnerabilities (including security issues specific to Magento) and gives you a clear overview of its security status.

Figure: Detectify Magento findings – your Detectify threat score is a handy summary of your site’s security status.

The informative scan reports list all the security issues discovered, along with their severity level and tips on how to fix them. Detectify not only looks for Magento-specific security issues, but also checks your company blog, email settings, and much more. You can schedule regular scans, which means Detectify will keep an eye on your site’s security while you focus on your customers.

Figure: Detectify report with Magento findings – check your Detectify report for the exact location of vulnerabilities.

Ready to get on top of your site’s security? Sign up for our 14-day free trial (no credit card required) and check your Magento store for vulnerabilities!


More Magento security reading

Is your Magento store vulnerable? Why it’s time to put security first

Thousands of vulnerable Magento web stores out there

GDPR Compliance Checklist for eCommerce by our friends at Divante

[VIDEO SEMINAR] Magento security from a hacker’s perspective

Magento 2 Security Guide – An Actionable Checklist for 2019