Magento is considered one of the most popular and efficient eCommerce CMS (Content Management Systems) out there. Alternatives include WordPress’ WooCommerce, Shopify, and Prestashop. However, proper Magento website security and maintenance measures are necessary in order to ensure optimal performance, and the protection of customer's personal and payment information. When a Magento web store is compromised, hackers could redirect customers to a false page, or alter an order before completion of the payment processing. Additionally, customers could suffer identify theft, financial loss, and/or the merchants could face damage to its reputation, loss of merchandise, have high processing fees, or revoked privileges from banks.
However, when managed properly and consistently Magento is a great eCommerce CMS used by multiple top brands include Nike, Ford, Samsung, Nestle Nespresso, Lenovo, Vizio, Olympus, and Men’s Health.
Benefits of the Magento website platform:
- Marketing and promotional tools. The Magento platform has an intuitive and versatile, visual-based editor, and offers tools such as pricing rules and flexible coupons.
- SEO. Magento can be optimized for search engines, as it can support sitemaps, meta titles, descriptions, and URL rewrites.
- Analytics. Magento websites can also be linked with Google Analytics. Sales reports and dashboards can be produced.
- Increased sales opportunities. There are opportunities to upsell and cross-sell products on the Magento platform. Admin can add prompts to browse related products at the product pages and checkout pages.
- Mobile responsiveness. Magento websites are responsive on all mobile devices, including smartphones, and tablets.
- Magento is highly robust. Magento can host up to 500,000 products and handle 80,000 orders per hour.
- Great customer and admin accounts. Magento’s flexibility enables customers to easily manage, track and cancel orders. Admin has complete access to customer orders.
- Dynamic filters. Great user experience with dynamic search filter options using multiple parameters.
- Catalog browsing. Magento supports digital products to be downloaded and have advanced pricing rules.
- Flexible shipping options. Magento allows shipping to multiple addresses in one order, as well as offer free and paid shipping options.
- Seamless checkouts. Secured SSL support, with one page and one step checkout processing.
- Multiple payment gateways. Payment extensions can be used to choose the preferred payment method.
- Expansive. Magento is open-source, and has a strong community, yielding an expansive library of custom extensions.
- Global support. Magento supports multilingual, localization in multiple countries, and multi-currency.
- Customer service. Live chats, contact us forms, and rich customer accounts make order tracking very intuitive.
Below is a list of best practices for securing and maintaining Magento websites:
1. Reliable hosting and developers. Use secure hosting with a software development life cycles aligned with industry standards such as the Open Web Application Security Project (OWASP). Test the coding for security issues, and be sure to use a securely encrypted HTTPs channel (Google ranking factor).
2. Protect the Magento environment. This step begins with the initial installation setup and continues with security-related configurations, password management, and ongoing maintenance. Ensure that the software on the server is up to date, and apply the recommended Magento security patch. This also applies to database software and other websites that use the same server.
3. Server environment. Ensure that the server operating system is secure and that there is no unnecessary software running on the server. Disable FTP, and only use secured communication protocols (SSH/SFT P/HTTPS) to manage files. Magento includes '.htaccess' files in order to protect system files when using the Apache web server.
Use strong and unique passwords, and change them periodically. Closely monitor issues that are reported for software components used by Magento installation, including the OS, MySQL database, PHO, Apache, and other components in your configuration.
Limit the access to cron.php file to only the required users. Try to block access completely and execute the command using system cron scheduler.
4. Server applications. Avoid using other software on the same server as Magneto. There may be vulnerabilities in other sites that can expose private information stored in the Magento system. Keep all software up to date, and apply Magento security patches as necessary.
5. Admin environment. Keep your antivirus software up to date, and use a malware scanner regularly. Don’t download and install unknown programs or click on suspicious links. Use a strong password to log into your computer and change it periodically. Don’t save FTP passwords in FTP programs, since they are usually infiltrated by malware and can be used to infect servers.
6. Magento installation. It’s important to use the latest version of Magento as it’ll include the most recent security enhancements. If you’re not able to make the upgrade, then install all security patches, as recommended by Magento. Only install Magento extensions from trusted sources.
Use a unique admin URL, and not the default “admin” or “backend”. This can help reduce exposure to scripts that may be able to break into Magento sites. Block access to development or staging systems, as they can become compromised and produce data leaks. Use a strong password for the Magento Admin, and use Magento’s security configuration settings.
Having a disaster recovery plan is extremely important for any online business. Ensure that you have scheduled backups of your server and database to an external location. For larger Magento websites, work closely with your hosting provider to deploy a professional database backup solution.
Typical recovery plan, as recommended by Magento:
- Align with your IT security team, hosting provider or system integrator to determine the full scope of the attack.
- Block access to the website and ensure that the hacker cannot remove any more site information.
- Backup the current site, which includes the installed malware and/or compromised files.
- Determine whether credit card information was accessed, what information was taken, how much time elapsed since the compromise, and if the information was encrypted.
- Typical Magento website attacks include:
- Server attack: Backdoors and malware are installed and data is compromised.
- Site defacing: User accounts may be compromised.
- Botnetting: Your site becomes part of a bot net that sends spam email.
- Silent card capture: Hackers install hidden malware or card capture software, or may modify the checkout process to collect and send out credit card data.
- In your investigation, determine how and when the site was compromised. Check server log files and file changes. If possible, wipe and reinstall everything, because Malware might be hidden and waiting to restore itself. Reinstall the required files from known and clean sources such as from your own version control system or original distribution files from magento.com. Apply all of the latest security patches, and reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin logins.
- If you suspect that payment information has been compromised, you’ll need to inform your payment processor. Additionally, you’ll also need to inform your customers about the attack and provide details on the type of information that had been compromised and its impact.
7. Security Reviews. Magento’s recommended security checks:
- Periodically check unauthorized Admin users.
- Check Admin actions log for suspicious activity (Enterprise users).
- Use automated log review tools.
- Align with your hosting provider to review server logs of suspicious activity. Implement an Intrusion Detection System (IDS) on your network.
- Use tools such as Tripwire to receive notifications of malware installations.
- Monitor system logins (SSH and FTP) for unexpected uploads, activity, or commands.
8. Advanced security techniques. Automate the deployment process and use private keys for data transfer. Limit access to the Magento Admin by updating the whitelist with the IP address of each authorized computer that will use the Admin and Magento Connect downloader. Do not install extensions directly on a production server. You can block or remove access to the /downloader directory.
Use a two-factor authorization for admin logins. There are a number of extensions that are available from Magento Connect which provide additional security by requiring additional passcode generated on your phone. Be sure to review your server for development leftovers, and ensure that there are no accessible log files, tunnels to execute SQL, public visible '.git' directories, or other unprotected files not required, and may fall prey to an attack. Limit the outgoing connections to only those that are required such as payment integrations. Additionally, be sure to use a web application firewall that analyzes traffic and discovers suspicious patterns.
9. Hiring a Magento maintenance specialist. If you’re busy operating an eCommerce online business, then chances are, finding time to secure and maintain your Magento website is extremely challenging. This is when we would suggest hiring a company that specializes in Magento websites to maintain your website.
Below is a list of features which may be included in a Magento website maintenance package:
- Development hours
- Server monitoring
- Bug fixes and updates to CMS modules
- Backup configuration
- Back-end development and front-end development and design
- Code audit
- New features implementation
- Install security patches and updates
- Magento version upgrades
- Extension installation, configuration support, and updates
- Site downtime support
- Malware scans, investigations, recovery, and monitoring
- Anti-virus scans and investigations
- Emergency support hours
- Magento store performance optimization
- Critical support
- Telephone/email/chat support
- Support tickets
- Dedicated Account Management & Project Manager
- Expert consulting
- Support for Magento 1 & Magento 2
- Priority urgent request support
- Database optimization
- Security checks and updates
- Service level agreement (quick response time)
- Support marketing initiatives
- Strategy & planning
- Quality Assurance (QA) team
- Spam content cleanup
- Advanced performance caching
- User acceptance testing
- Release planning
- Monthly meetings/follow-ups
- Disaster recovery plan
- Integrations with CRM or ERP systems
- Advanced Google Analytics tracking
At Webilize, we have WebilizeCare Customer Success Services, offering support to companies at all levels from small and mid-sized to enterprise. Requests can range from simple security and maintenance tasks to complex integrations. We offer support plans for Magento and WordPress websites.
Be sure to read our related blog post called, “WordPress Security and Maintenance Best Practice”