Magento is considered one of the most popular and efficient eCommerce CMS (Content Management Systems) out there. Alternatives include WordPress' WooCommerce, Shopify, and Prestashop. However, proper Magento website security and maintenance measures are necessary to ensure optimal performance and the protection of customer's personal and payment information. When a Magento web store is compromised, hackers could redirect customers to a false page, or alter an order before completion of the payment processing. Additionally, customers could suffer from identity theft, financial loss, or the merchants could face damage to its reputation, loss of merchandise, have high processing fees, or revoked privileges from banks.
However, when appropriately managed and consistently Magento is a great eCommerce CMS used by multiple top brands include Nike, Ford, Samsung, Nestle Nespresso, Lenovo, Vizio, Olympus, and Men's Health.
Benefits of the Magento website platform:
- Marketing and promotional tools. The Magento platform has an intuitive and versatile, visual-based editor, and offers tools such as pricing rules and flexible coupons.
- SEO. Magento can be optimized for search engines, as it can support sitemaps, meta titles, descriptions, and URL rewrites.
- Analytics. Magento websites link with Google Analytics to produce Sales reports and dashboards.
- Sales opportunities increase. There are opportunities to upsell and cross-sell products on the Magento platform. Admin can add prompts to browse related products at the product pages and checkout pages.
- Mobile responsiveness. Magento websites are responsive to all mobile devices, including smartphones and tablets.
- Magento is highly robust. Magento can host up to 500,000 products and handle 80,000 orders per hour.
- Great customer and admin accounts implemented. Magento's flexibility enables customers to manage, track and cancel orders easily. Admin has complete access to customer orders.
- Dynamic filters. Excellent user experience with effective search filter options using multiple parameters.
- Catalogue browsing. Magento supports digital products to be downloaded and have advanced pricing rules.
- Flexible shipping options. Magento allows shipping to multiple addresses in one order, as well as offer free and paid shipping options.
- Seamless checkouts. Secured SSL support, with one page and one step checkout processing.
- Multiple payment gateways. Payment extensions to choose the preferred payment method.
- Expansive. Magento is open-source, and has a strong community, yielding an extensive library of custom extensions.
- Global support. Magento supports multilingual, localization in multiple countries, and multi-currency.
- Customer service. Live chats, contact us forms, and rich customer accounts make order tracking very intuitive.
Below is a list of best practices for securing and maintaining Magento websites:
1. Reliable hosting and developers. Use secure hosting with software development life cycles aligned with industry standards such as the Open Web Application Security Project (OWASP). Test the coding for security issues, and be sure to use a securely encrypted HTTPs channel (Google ranking factor).
2. Protect the Magento environment. This step begins with the initial installation setup and continues with security-related configurations, password management, and ongoing maintenance. Ensure that the software on the server is up to date, and apply the recommended Magento security patch. This recommendation also applies to database software and other websites that use the same server.
3. Server environment. Ensure that the server operating system is secure and that there is no unnecessary software running on the server. Disable FTP, and only use secured communication protocols (SSH/SFT P/HTTPS) to manage files. Magento includes '.htaccess' files to protect system files when using the Apache webserver.
Use strong and unique passwords and change them periodically. Closely monitor issues reported for software components used by Magento installation, including the OS, MySQL database, PHO, Apache, and other parts in your configuration.
Limit the access to cron.php file to only the required users. Try to block access completely and execute the command using the system cron scheduler.
4. Server applications. Avoid using other software on the same server as Magneto. There may be vulnerabilities in other sites that can expose private information stored in the Magento system. Keep all software up to date, and apply Magento security patches as necessary.
5. Admin environment. Keep your antivirus software up to date, and use a malware scanner regularly. Don't download and install unknown programs or click on suspicious links. Use a strong password to log into your computer and change it periodically. Don't save FTP passwords in FTP programs, since malware infiltrates them and use to infect servers.
6. Magento installation. It's essential to use the latest version of Magento as it'll include the most recent security enhancements. If you're not able to make the upgrade, then install all security patches, as recommended by Magento. Only install Magento extensions from trusted sources.
Use unique admin URL, and not the default "admin" or "backend", as this can reduce exposure to scripts that may be able to break into Magento sites. Block access to development or staging systems, as they can become compromised and produce data leaks. Use a strong password for the Magento Admin and use Magento's security configuration settings.
Having a disaster recovery plan is extremely important for any online business. Ensure that you have scheduled backups of your server and database to an external location. For larger Magento websites, work closely with your hosting provider to deploy a professional database backup solution.
The typical recovery plan, as recommended by Magento:
- Align with your IT security team, hosting provider or system integrator to determine the full scope of the attack.
- Block access to the website and ensure that the hacker cannot remove any more site information.
- Do a backup of the current site, including the installed malware or compromised files.
- Determine whether credit card information was accessed, what information did it take, how much time elapsed since the compromise, and if the information was encrypted.
- Typical Magento website attacks include:
- Server attack: Installed backdoors and malware, and data is compromised.
- Site defacing: User accounts may be compromised.
- Botnetting: Your site becomes part of a botnet that sends spam email.
- Silent card capture: Hackers install hidden malware or card capture software, or may modify the checkout process to collect and send out credit card data.
- In your investigation, determine how and when the site was compromised. Check server log files and file changes. If possible, wipe and reinstall everything, because malware might be hidden and waiting to restore itself. Reinstall the required data from known and clean sources, such as from your version control system or original distribution files from magento.com. Apply all of the latest security patches, and reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin logins.
- If you suspect payment information compromised, you'll need to inform your payment processor. Additionally, you also need to educate your customers about the attack and provide details on the type of compromised information and the consequences.
7. Security Reviews. Magento's recommended security checks:
- Periodically check unauthorized Admin users.
- Check the Admin actions log for suspicious activity (Enterprise users).
- Use automated log review tools.
- Align with your hosting provider to review server logs of suspicious activity. Implement an Intrusion Detection System (IDS) on your network.
- Use tools such as Tripwire to receive notifications of malware installations.
- Monitor system logins (SSH and FTP) for unexpected uploads, activity, or commands.
8. Advanced security techniques. Automate the deployment process and use private keys for data transfer. Limit access to the Magento Admin by updating the whitelist with the IP address of each authorized computer that will use the Admin and Magento Connect downloader. Do not install extensions directly on a production server. You can block or remove access to the /downloader directory.
Use a two-factor authorization for Admin logins. Many extensions are available from Magento Connect, which provide additional security by requiring additional passcode generated on your phone. Be sure to review your server for development leftovers, and ensure that there are no accessible log files, tunnels to execute SQL, public visible '.git' directories or other unprotected files not required, and may fall prey to an attack. Limit the outgoing connections to only those that are necessary, such as payment integrations. Additionally, be sure to use a web application firewall that analyzes traffic and discovers suspicious patterns.
9. Hiring a Magento maintenance specialist. If you're busy operating an eCommerce online business, then chances are, finding time to secure and maintain your Magento website is exceptionally challenging. Usually, here we suggest hiring a company that specializes in Magento websites to keep your site well.
Below is a list of features which to include in a Magento website maintenance package:
- Development hours
- Server monitoring
- Bug fixes and updates to CMS modules
- Backup configuration
- Back-end development and front-end development and design
- Code audit
- New features implementation
- Install security patches and updates
- Magento version upgrades
- Extension installation, configuration support, and updates
- Site downtime support
- Malware scans, investigations, recovery, and monitoring
- Antivirus scans and investigations
- Emergency support hours
- Magento store performance optimization
- Critical support
- Telephone/email/chat support
- Support tickets
- Dedicated Account Management & Project Manager
- Expert consulting
- Support for Magento 1 & Magento 2
- Priority urgent request support
- Database optimization
- Security checks and updates
- Service level agreement (quick response time)
- Support marketing initiatives
- Strategy & planning
- Quality Assurance (QA) team
- Spam content cleanup
- Advanced performance caching
- User acceptance testing
- Release planning
- Monthly meetings/follow-ups
- Disaster recovery plan
- Integrations with CRM or ERP systems
- Advanced Google Analytics tracking
At Webilize, we have WebilizeCare Customer Success Services, offering support to companies at all levels from small and mid-sized to the enterprise. Requests can range from simple security and maintenance tasks to complex integrations. We offer support plans for Magento and WordPress websites.
Be sure to read our related blog post called "WordPress Security and Maintenance Best Practice."
Other articles you might be interested in