Magento is not only interesting for retailers. Attackers like to target widely used platforms, and the fact that online stores handle sensitive payment information is an added bonus. Our analysis of the world's 30,000 biggest Magento stores shows that 23% are making one of the most common Magento security mistakes: leaving the admin panel at its default /admin path. Read this article to find out what these mistakes are and learn how the experts from Magento agencies Divante and Vaimo work with security.
Your customers want security
In online retail, trust is crucial and your customers need to feel confident that you will protect their data. If customers don’t feel comfortable visiting your store and sharing their payment details with you, your business will suffer. PJ Utsi, co-founder of Magento partner Vaimo, explains that consumers are becoming increasingly aware of security risks: “Tech giants are pushing us towards a better security mindset with Apple and Google forcing 2FA. People are beginning to understand the value of security.”
25% of online shoppers in the US are concerned about personal data security and see security risks as a barrier to making online purchases more often. This is hardly surprising – when e-commerce security goes wrong, credit card details could be exposed and hackers are well aware of that. Mateusz Koszutowski, DevOps at Poland-based software house Divante, says this is why e-commerce platforms like Magento are an attractive target: “Our work has changed because there’s more money on the internet. More money means more hacker attacks because that’s what hackers are after.”
Personal data and payment information at risk
There are more than 250,000 Magento stores around the globe handling over $100 billion every year. This makes Magento one of the most popular e-commerce platforms as well as a lucrative target for hackers.
In one of the most recent hacking campaigns, which spanned over two years, more than 6,000 Magento stores fell victim to payment information theft. Unknowingly exposing sensitive information can prove fatal for an online store, as it not only puts customer data at risk but also damages the retailer's brand.
How hackers approach targets
Nowadays, hackers seldom pinpoint only one victim. Instead, they target widely used technologies and attack hundreds of websites. This can be automated, giving the attackers an extremely broad scope and a higher chance of success. Detectify’s security researcher Linus Särud explains how a hacker would target a Magento web store:
“If I was to hack a Magento website I would look into two things: the installed version of Magento and the third party extensions and plugins that are being used. Magento has previously had a few publicly disclosed vulnerabilities, so if the system hasn’t been updated, it could be vulnerable. A hacker could just search Google for information on how to exploit it.”
Linus adds that unlike the core product, third party extensions are seldom updated, which renders them vulnerable:
“Even if there are no public vulnerabilities in the third party extension, an attacker is much more likely to find a vulnerability if they dig into the code for an extension than in the core Magento product. The core has been security tested by several people, while it is not unusual for extensions to be made in someone’s spare time. Unlike self-coded solutions, the code for third party extensions is public, which makes it easier for the attacker to find vulnerabilities.”
The most common Magento security mistakes
Missing HTTPS by default
To see what the most common security mistakes are in practice, we analyzed the 30,137 biggest Magento websites, selected by Alexa ranking. We have confirmed that several of the vulnerable web shops are very active and still receive orders. 50.16% of the stores we checked did not use HTTPS by default, meaning a visitor who requests the plain http:// address is served the store over an unencrypted connection instead of being redirected to https://. This is a surprisingly high percentage of our sample. Website visitors can't be expected to manually switch to HTTPS, which is why forcing HTTPS by default (redirecting every plain-HTTP request to HTTPS, ideally backed by an HSTS header so returning browsers never try HTTP again) is a simple precaution that prevents attackers on the network path from reading or tampering with the session, including the credit card details entered at checkout.
Exposed admin panels
Exposed admin panels are another common Magento security mistake. Out of the 30,137 stores we analyzed, 23.17% had their admin panel reachable at the default /admin path. While this is not a critical vulnerability in itself, an exposed admin panel makes it easier for attackers to find the login form, try stolen or guessed credentials against it, and reach any vulnerability in the admin application without first having to discover where it lives. Mateusz Koszutowski explains that securing the admin panel is one of the most basic security measures: "The first thing we change when we start with a project is the admin panel URL."
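The two checks behind the figures above (does a plain http:// request end up on https://, and does /admin still answer) are easy to reproduce. The following is an added example, not code from the original article or from Detectify: it models a store as a map from URL to the response it returns, follows redirect chains the way a browser would, reads the HSTS max-age, and decides whether an admin panel is exposed. The host name shop.example, every response, and the rule "a non-error answer whose final URL is still under /admin counts as exposed" are constructed assumptions chosen to mirror the survey; to run it live, replace the `Site` dictionaries with a real HTTP client that does not follow redirects itself.

```python
"""Offline reproduction of two Magento survey checks: forced HTTPS and an
exposed /admin panel.  All responses below are constructed, not fetched."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup, as header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# A "site" maps an absolute URL to the response it gives (constructed stand-in
# for a real client that is told NOT to follow redirects).
Site = Dict[str, Response]


def follow(site: Site, url: str, max_hops: int = 10) -> Optional[str]:
    """Follow Location headers from url; return the final URL that answers with
    a non-redirect, or None on a loop, too many hops, a redirect without a
    Location header, or a URL the site never answered."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:          # redirect loop (e.g. http -> https -> http)
            return None
        seen.add(url)
        resp = site.get(url)
        if resp is None:
            return None
        if resp.status in REDIRECTS:
            location = resp.header("Location")
            if location is None:
                return None
            url = urljoin(url, location)   # relative Location values are legal
            continue
        return url
    return None


def forces_https(site: Site, host: str) -> bool:
    """True if a plain http:// request for the storefront lands on https://."""
    final = follow(site, f"http://{host}/")
    return final is not None and urlsplit(final).scheme == "https"


def hsts_max_age(site: Site, host: str) -> int:
    """max-age of Strict-Transport-Security on the HTTPS front page, 0 if absent."""
    resp = site.get(f"https://{host}/")
    value = resp.header("Strict-Transport-Security") if resp else None
    if not value:
        return 0
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def admin_exposed(site: Site, host: str, scheme: str = "https") -> bool:
    """Assumed rule: /admin is exposed when it (or what it redirects to) answers
    with a non-error status AND the final URL is still under /admin.  The path
    check avoids counting a store that bounces /admin back to its home page."""
    final = follow(site, f"{scheme}://{host}/admin")
    if final is None:
        return False
    return site[final].status < 400 and urlsplit(final).path.startswith("/admin")


def audit(site: Site, host: str) -> dict:
    """Run the three checks and return them as one record."""
    return {
        "forces_https": forces_https(site, host),
        "hsts_max_age": hsts_max_age(site, host),
        "admin_exposed": admin_exposed(site, host),
    }


# Constructed sample: a hardened store (redirect, HSTS, renamed admin path).
GOOD: Site = {
    "http://shop.example/": Response(301, {"Location": "https://shop.example/"}),
    "https://shop.example/": Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://shop.example/admin": Response(404),
}

# Constructed sample: storefront served over plain HTTP, default admin path kept.
BAD: Site = {
    "http://shop.example/": Response(200),
    "https://shop.example/": Response(200),
    "https://shop.example/admin": Response(302, {"Location": "/admin/admin/index/index/"}),
    "https://shop.example/admin/admin/index/index/": Response(200),
}

# Constructed sample: misconfigured redirect loop, which a browser would refuse.
LOOP: Site = {
    "http://shop.example/": Response(302, {"Location": "https://shop.example/"}),
    "https://shop.example/": Response(302, {"Location": "http://shop.example/"}),
}

if __name__ == "__main__":
    for label, site in (("good", GOOD), ("bad", BAD), ("loop", LOOP)):
        print(label, audit(site, "shop.example"))
```

On Magento 2 the corresponding fixes are the `web/secure/use_in_frontend`, `web/secure/use_in_adminhtml` and `web/secure/enable_hsts` settings (for example via `bin/magento config:set`) and a non-default `--backend-frontname` passed to `bin/magento setup:config:set`; on Magento 1 the same options live under System > Configuration > Web > Secure and in the admin frontName in `app/etc/local.xml`. Whatever the version, re-run a check like the one above after deploying, since a web server or CDN in front of the store can silently undo a redirect the application itself issues.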
Insecure third-party applications are another source of vulnerabilities, Mateusz explains: “In my experience, the most common mistake is using third party applications – some plugins or modules that are often useful and extend the Magento application, but haven’t been checked by us. These modules sometimes aren’t supported and they don’t have security updates.”
Keeping your store safe – best practices
Make sure the platform is up-to-date
When vulnerabilities are discovered, they are quickly patched in the latest version of Magento, which is why it is crucial to keep your store updated. Divante’s Mateusz Koszutowski says that this can save you from a lot of security-related headaches and adds that Magento’s own security guidelines are a good resource: “Magento has an article about security best practices and we try to implement all of these best practices in our projects. When we go live with a project we have a checklist with these tips and we make sure to check off every single one of them. For customers who want to be sure that everything is okay, we have an offer from a specialist affiliate company that tests the services before launch.”
Work proactively with security education
Sharing security knowledge internally is important as it helps developers write safer code and consider security every step of the way, Mateusz Koszutowski says: “I think all developers should know how to prevent attacks and implement secure applications.”
Developing security skills inside the organisation also allows agencies to answer clients’ security questions and take the lead when it comes to projects like preparing for the GDPR. PJ Utsi explains that the learning process goes both ways: “As we operate one of the most important sales channels for our clients, the discussion about GDPR and security is not new to us. We have worked with big clients who take security very seriously and that has taught us a lot.”
Implement a long-term security strategy
Increased security awareness means that organisations are now willing to invest in security services. With the GDPR becoming enforceable in May 2018 and bringing new security standards and requirements to the table, many companies are working hard to adapt their security routines. It is important to take responsibility for compliance work, says PJ Utsi: "We are focusing on GDPR so that we can be compliant by May. Many companies rely on their suppliers and don't realize how big of a job they have ahead of them."
Finally, viewing security as an ongoing project is a cornerstone of every security-focused mindset. Security never stands still, which is why continuous security monitoring is needed to complement the development process. As PJ Utsi points out: "Security is a never-ending story. You need to understand that you're never done – you need to do ongoing work with security and do regular internal audits, reviews and tests on your site, something many companies forget."
To find out more about securing your Magento store, check out our Magento security 101 with 6 simple steps you can follow to improve your site’s security.
Want to know more about how hackers approach Magento sites?
Sign up to get access to our exclusive video seminar where our security researchers Fredrik Almroth and Linus Särud explain how black-hat hackers analyze and attack Magento stores.