Introducing Magento Security Scan Tool: New Way to Enhance the Magento Store Security
The Magento team has recently introduced Magento Security Scan Tool designed to check Magento stores for potential vulnerabilities as well as for conformance to the Magento security best practices.
In this article, we will briefly review this new tool and describe how online merchants can use it in their work.
Magento Security Best Practices
Any web store can become an object of the hackers’ interest. Hackers might attempt to steal personal or payment information from this site to make fraudulent transactions. We already talked about these issues and the ways of their prevention in our article about the illegitimate customer payment protection in Magento 2.
Magento has its own approach to the security of a web store that includes several time-proven practices covering the main possible vulnerabilities.
The whole scope of the recommendations includes a lot of security recommendations and risk mitigation actions, including:
- Reliable hosting providers that follow the latest recognized security standards;
- HTTPs secure internet protocols;
- Regular software updates, including Magento security patches;
- Protected Magento environment;
- Active and up-to-date recovery plans;
- And regular website security monitoring, of course.
And, Magento security monitoring is the main responsibility area of Magento Security Scan, which is currently available for the whole community.
The Features of Magento Security Scan Tool
Magento Security Scan Tool is designed to regularly monitor the sites that run on the Magento platform. Moreover, merchants can benefit from the updates about the detected security risks, malware, and unauthorized access issues (if any).
With more than 30 security tests, Magento Security Scan Tool performs a comprehensive check of a web store security, including missing patches and configuration process checks, Magento security practices conformance, and timely reports about all suspicious activities that take place in a store.
Using Magento Security Scan Tool, Magento store merchants can also benefit from the following features:
- The security of a store is monitored in real time by the tool;
- The tool reports the issues in the configuration of a Magento store (if any) that make it potentially vulnerable to hacker attacks and gives recommendations how to fix them;
- Security scans can be scheduled on specific date, time, or on demand;
- The tool does not affect the performance of the site during the security scan process;
- The history of security scan results is saved in Magento merchant accounts.
Configuring Magento Security Scan Tool
Magento Security Scan Tool is a free service that is available for the owners of Magento Commerce and Magento Open Source based web stores. The tool can be easily configured and does not require any code to be placed on the site. Moreover, the Magento team plans to further improve the solution and release the SSH tool that is going to scan databases and file structures of websites.
To access the tool, first, login to your Magento account and open the Security Scan section. Next, click on the Go to Security Scan button.
Then, you will be redirected to the Monitored Websites page. Here, you should click on the Add Site button.
Add Site to Magento Security Scan Tool
Note that if you have several websites on different domains, you must configure an individual scan for each domain.
Specify the URL of your site and its name in the corresponding fields to verify your ownership of this site.
From the Confirmation code field below, copy the code generated either in HTML or in META Tag format by clicking on the Copy button.
Now, login to your Magento 2 Admin Panel. Click on Content on the left sidebar and choose Configuration in the Design section.
In the Design Configuration menu opened, choose the store view you want to scan and click on the Edit button in the Action column.
Here, expand the HTML Head section and insert the copied confirmation code in the Scripts and Style Sheets section. Apply changes by clicking on the Save Configuration button.
Online merchants that run web stores based on Magento 1, can also leverage the benefits of Magento Security Scan Tool. For them, the first step of the tool’s configuration related to the code generation will be same as for the Magento 2 store owners.
Still, the next configuration steps have some differences compared to the configuration steps for Magento 2 merchants. Follow the instructions described in the corresponding section of the Security Scan page.
Having completed the configuration step in the Admin Panel, go back to the Security Scan page and click on the Verify Confirmation Code button to confirm your ownership of the domain.
Having confirmed the ownership, in the Set Automatic Security Scan menu, choose between the following three options:
- Scan Weekly – by ticking the corresponding box, you should specify the day, time, and time zone values in the corresponding fields according to which the scan will be performed each week. You can notice that by default, the scan is scheduled for Sunday, midnight, UTC.
- Scan Daily – for this option set the time and time zone in the appropriate fields according to which the scan will be performed every day. Note that by default, each scan starts every day at midnight.
- Do not automatically scan website – this option will manually start the scan on demand.
If you chose one of the first two options, next, enter the email address in the corresponding field you want to receive notifications to about the completed security scans and security updates. Next, click on the Submit button.
After your ownership of the domain is verified, your website will appear in the Monitored Websites list in your Magento account.
Note that if you have multiple websites hosted on different domains, the above-described configuration process will be the same for the security scan of each domain.
If you decided to run security scans manually by choosing the third option in the Set Automatic Security Scan menu, you can start the scanning process by choosing the Run Scan option from the box in the Actions section.
After the scan is finished, its status will be indicated as “complete” in the corresponding column.
Note that you should run security scans regularly, as your site can always become a subject of hacker attacks. That’s why it’s recommended to automate security scans by choosing between the Scan Weekly or Scan Daily options.
When completing the scan, click on the View Report button to see the results.
The results of the scan will be divided into three sections: Successful Scans, Failed Scans, and Unidentified Scans. Accordingly, all scans in the Successful Scans section have the Pass status in the corresponding field, failed scans have the Fail status, and unidentified scans have the Unknown status.
In the Failed Scans and Unidentified Scans sections, the Actions field of particular scans often contains recommendations how to fix the issues detected.
So, the main benefit of the solution is that it provides merchants with regular security information updates and saves a lot of time as it eliminates manual operations. Next, it tells them about the latest Magento security patches stressing the importance of their implementation. And finally, the coming soon SSH scan is going to bring even more value to the entire solution. Well, let’s wait.