Magento is considered one of the most popular and efficient eCommerce CMS (Content Management Systems) out there. Alternatives include WordPress’ WooCommerce, Shopify, and Prestashop. However, proper Magento website security and maintenance measures are necessary in order to ensure optimal performance, and the protection of customer's personal and payment information. When a Magento web store is compromised, hackers could redirect customers to a false page, or alter an order before completion of the payment processing. Additionally, customers could suffer identify theft, financial loss, and/or the merchants could face damage to its reputation, loss of merchandise, have high processing fees, or revoked privileges from banks.
However, when managed properly and consistently Magento is a great eCommerce CMS used by multiple top brands include Nike, Ford, Samsung, Nestle Nespresso, Lenovo, Vizio, Olympus, and Men’s Health.
Benefits of the Magento website platform:
Below is a list of best practices for securing and maintaining Magento websites:
1. Reliable hosting and developers. Use secure hosting with a software development life cycles aligned with industry standards such as the Open Web Application Security Project (OWASP). Test the coding for security issues, and be sure to use a securely encrypted HTTPs channel (Google ranking factor).
2. Protect the Magento environment. This step begins with the initial installation setup and continues with security-related configurations, password management, and ongoing maintenance. Ensure that the software on the server is up to date, and apply the recommended Magento security patch. This also applies to database software and other websites that use the same server.
3. Server environment. Ensure that the server operating system is secure and that there is no unnecessary software running on the server. Disable FTP, and only use secured communication protocols (SSH/SFT P/HTTPS) to manage files. Magento includes '.htaccess' files in order to protect system files when using the Apache web server.
Use strong and unique passwords, and change them periodically. Closely monitor issues that are reported for software components used by Magento installation, including the OS, MySQL database, PHO, Apache, and other components in your configuration.
Limit the access to cron.php file to only the required users. Try to block access completely and execute the command using system cron scheduler.
4. Server applications. Avoid using other software on the same server as Magneto. There may be vulnerabilities in other sites that can expose private information stored in the Magento system. Keep all software up to date, and apply Magento security patches as necessary.
5. Admin environment. Keep your antivirus software up to date, and use a malware scanner regularly. Don’t download and install unknown programs or click on suspicious links. Use a strong password to log into your computer and change it periodically. Don’t save FTP passwords in FTP programs, since they are usually infiltrated by malware and can be used to infect servers.
6. Magento installation. It’s important to use the latest version of Magento as it’ll include the most recent security enhancements. If you’re not able to make the upgrade, then install all security patches, as recommended by Magento. Only install Magento extensions from trusted sources.
Use a unique admin URL, and not the default “admin” or “backend”. This can help reduce exposure to scripts that may be able to break into Magento sites. Block access to development or staging systems, as they can become compromised and produce data leaks. Use a strong password for the Magento Admin, and use Magento’s security configuration settings.
Having a disaster recovery plan is extremely important for any online business. Ensure that you have scheduled backups of your server and database to an external location. For larger Magento websites, work closely with your hosting provider to deploy a professional database backup solution.
Typical recovery plan, as recommended by Magento:
7. Security Reviews. Magento’s recommended security checks:
8. Advanced security techniques. Automate the deployment process and use private keys for data transfer. Limit access to the Magento Admin by updating the whitelist with the IP address of each authorized computer that will use the Admin and Magento Connect downloader. Do not install extensions directly on a production server. You can block or remove access to the /downloader directory.
Use a two-factor authorization for admin logins. There are a number of extensions that are available from Magento Connect which provide additional security by requiring additional passcode generated on your phone. Be sure to review your server for development leftovers, and ensure that there are no accessible log files, tunnels to execute SQL, public visible '.git' directories, or other unprotected files not required, and may fall prey to an attack. Limit the outgoing connections to only those that are required such as payment integrations. Additionally, be sure to use a web application firewall that analyzes traffic and discovers suspicious patterns.
9. Hiring a Magento maintenance specialist. If you’re busy operating an eCommerce online business, then chances are, finding time to secure and maintain your Magento website is extremely challenging. This is when we would suggest hiring a company that specializes in Magento websites to maintain your website.
Below is a list of features which may be included in a Magento website maintenance package:
At Webilize, we have WebilizeCare Customer Success Services, offering support to companies at all levels from small and mid-sized to enterprise. Requests can range from simple security and maintenance tasks to complex integrations. We offer support plans for Magento and WordPress websites.
Be sure to read our related blog post called, “WordPress Security and Maintenance Best Practice”