Magento Security Tips and Vulnerabilities

The term “hacker” was coined in the 1960th by the group of programmers from the Massachusetts Institute of Technology and originally meant a person who looked for a way to smartly make things more functional and useful. But nowadays it usually possess a negative meaning referred to computer criminals.

E-commerce and financial sites stand first in the list of potential victims as they deal with monetary transactions. Using the most popular e-commerce platform worldwide, Magento sites are also under threat.

Usually hacker attacks are not exclusive to someone’s business and just use the discovered vulnerabilities of a certain shopping cart application or payment gateway and haunt their own tangible purposes, but sometimes can also be used for unfair competition.

E-commerce Site Vulnerabilities

Most e-commerce platforms and payment gateways possess the same vulnerabilities as they are created using similar development approaches and coding techniques.

Sometimes developers have no necessary knowledge of security programming or are bounded by tight deadlines, which put functionality and design first, and push aside security issues.

The second reason is that due to tricky functionality required by customers web applications are too complex and inevitably contain multiple vulnerabilities, as a result.

Common Hacking Techniques

SQL Injection
SQL injection is an attack technique, which exploits application vulnerability and executed by insertion of malicious SQL statements in users input. Depending on the circumstances, it can result e.g. in receiving detailed error notifications disclosing the backend technology details or getting an access to restricted areas by manipulating always-true Boolean values in their queries.

DDOS Attacks
DDoS or Distributed Denial of Services attack is a kind of hacking technique, when multiple requests, exploiting server capacity bottlenecks, make a site unavailable for users . After that hackers proceed to compromise the entire site or its definite functions.

Broken Authentication and Session Management Attacks
This malicious technique exploits the weaknesses within the authentication procedures, or explores sessions IDs and cookies in order to get access to your account.

Cross-site Scripting
Commonly targeted against the end user, cross-site scripting is usually based on lack of input and output validation and unjustified users’ trust.

Remote Command Execution
Remote command code executions are possible in those cases, when an inadequate input validation allows hackers to execute operation system commands with the privileges of the web server.

Magento stores, the same as many other e-commerce sites, are exposed to hacking, but Magento store owners can undertake some precautionary measures to keep their sites safe.

Magento Stores Security Tips

The biggest danger of hacker attacks is that you almost can’t reveal them until it is too late. So, we should take care about the site security in advance and regularly check its health.

1. Use only the latest Magento version
Despite the complexity of changing Magento versions in your store, try to use only the latest ones. Magento constantly improves its products and fixes possible security vulnerabilities. So, the latest Magento version is usually better and more secured.

The latest Magento version is usually better secured

2. Use two-factor authentication
Secure passwords are not enough for proper safety of your Magento store. You should better use two or several layers of authentication, including trusted IPs and devices, private files and so on.

3. Use a custom path to the admin panel
Default Magento uses the same paths to admin panels, which are in most cases located on the Magentosite.com/admin or a similar web page. Using a custom path to admin panel makes it difficult to locate the URL and improves your security.

4. Use an encrypted connection (SSL/HTTPS)
Unencrypted connections are absolutely defenseless against intentional data interceptions and make vulnerable transferring data from customers to you and vice versa. Magento store owners should use secure HTTPS/SSL connections, the more so it is simple. You should just check the “Use Secure URLs” tab in your Magento system configuration menu.

5. Use Secure FTP
FTP password interceptions are almost the most common ways to be hacked. You can eliminate this vulnerability using SFTP (SSH File Protocols), which requires private files submission for the access and provides additional encryption of your credentials.

FTP password interceptions are almost the most common ways to be hacked

6. Do not set file permissions to 777
Magento recommends to not keep 777 file permissions for your files and offers to change them as soon as you finished the rewrite.

7. Carry out regular Magento backups
Regular backups is still one of the most effective methods to decrease the damage of attacks and the easiest way for recovery.

8. Disable directory indexing
In order to hide core Magento files from hackers you can disable directory indexing and make your security stronger.

9. Choose strong passwords
Highly-secured password makes you feel safe about customers’ information and sales data. You should use long enough passwords with upper and lower case letters, numbers and special characters.

10. Never reuse admin Magento password anywhere else
This statement is true for all important passwords you use and Magento passwords are no exception. Use Magento passwords only for the purpose they were created.

11. Eliminate e-mail loopholes
As far as Magento provides the passwords recovery feature, make sure your e-mail is not widely known and keep its passwords secured, the same as Magento admin passwords.

Grant the access to only verified IPs

12. Grant admin access to only approved IP addresses
If you enter the Magento admin area from a definite pull of IP addresses, you can restrict the access from other ones in the .httpaccess file. Just specify a certain IP address or pull of addresses there and improve the overall Magento security.

13. Check Magento security regularly
Regular Magento security checking keeps you up to date and calm about the health of your store. For this purpose you can use Magento extensions or hire an audit company.

14. Keep up-to-date your anti-virus software
Up-to-date antivirus software fulfills a very important task within the security policy. Strong protection against trojans and viruses is usually provided by commercial products and you should better pay for their services and products than suffer from data leaks.

15. Use the Magento community advantages
Since Magento has a tremendous community of users and developers you can use multiple tutorials, guides, forum threads and some good advices in order to keep the safety of your store.

Saving passwords in your browser may be convenient, but certainly not wise

16. Don’t save passwords in your browser
Saving passwords in your browser may be convenient, but certainly not wise. Those who have the access to your computer can easily read the credentials and use them.

17. Know where your browser comes from
Your internet browser is the main mediator between you and the Web. It stores your passwords, cookies, and URLs, so make sure you use a verified one from a trustworthy provider. Otherwise all security efforts are almost useless.

Restoring Sites After Hacker Attacks

If you still have been attacked, the most urgent issue is to eliminate the vulnerability, restore data and security, and resume sales.

The first step on this way is to contact your hosting provider in order to get the backup of your store and find out the vulnerability, if possible. Then change your passwords, even if this is not the point of the safety breach.

The actions above may require you to put your site offline for a while, but do not dramatize this situation. Just customize the 503 error page and ask customers contact you via alternative channels.

It may sound mocking, but online attacks usually make store owners revise their security policy and increase the overall safety of the store.

If you have something to add, share in the comments below.

 

2 Comments

SnapFast

about 3 years ago

Following the security guidelines here are uber important. We recently discovered a Magento specific virus that was added through a Magento vulnerability. It scrapes and saves customer credit card data in a mage.jpg file. You can see more about it here: http://www.snapfast.com/blog/magento-mage-jpg-virus/

Reply

Andy

about 2 years ago

So, how to avoid DDDos attack? It seems that we are unable to avoid the attack.

Reply

Leave a Comment

Please be polite. We appreciate that.
Your email address will not be published and required fields are marked