The information in the form of article will help to those who want to make your Magento Store secure. As it appears to be that there there are 15 life hacks to improve Magento Store. If you religiously follow those safe methods, it will certainly remove your worry in regard of your personal data and business.
Lets ponder over the motive of the hackers with respect to E-commerce, the most palpably reasons are given below.
Personal data
The very nature of the attack is to extract customer’s personal data.
Deface
The unique thing of this trickery is to change the front page of your storeThis one will just change the front page of your store. The immediate effect(DDoS) will be disastrous as your store will down. The consequence is telling in the sense that your store starts malfunctioning that will have direct effect on your revenue
Lifehack #1. Files and Folders permissions
It is advisable that you ought to give minimum required permission to your file. Not doing this will invite hacker scripts that will easily modify files/folders and gain access server and help hackers to executes command remotely. In this process hackers will get full control to the server.
So the security in Magento is in the following way:
Step 1. SSH to your server
Step 2. Execute the following commands:
|
1 2 3 4 5 6 7 |
find /path/to/magento/ -type d -print0 | xargs -r0 chmod 755 find /path/to/magento/ -type f -print0 | xargs -r0 chmod 644 chmod -R g+w/path/to/magento/{app/etc,media,var} chmod -R g+w/path/to/magento/includes |
Lifehack #2. Block requests to any external ports via firewall
In a normal practice for LAMP stack you need to allow connections to the following ports:
- Port 22 for ssh
- Port 3306 for MySQL
- Port 80 for HTTP
- Port 443 for HTTPS
Lifehack #3. Use two VPS nodes: one for php application and another one for the MySQL database
This will help you for much needed enhance performance and that will ultimately shield you from malicious hackers attack. A simple explanation is given below.
In the two nodes setup there are 2 important security life hacks:
1) Use the private network connection (in case if the Application and Database servers are located in one data center).
2) Allow connection from the application server’s private network IP.
This solution is good to thwart any malicious design. For example, in regard of DDoS , attack the attackers don’t know your DB server’s IP and and hence they cannot do any harm to your database server.
Lifehack #4. Change the default admin path of your magento store
It is as easy as changing your app/etc/local.xml settings in this section:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
<admin> <routers> <adminhtml> <args> <frontName><![CDATA[admin]]></frontName> <!-- change admin to the new admin address and empty the cache folder --> </args> </adminhtml> </routers> </admin> |
Lifehack #5. Choose a complex admin password
It was revealed by statics that that 69% of hacks were possible because of the weak admin passwords. If your password happens to be short , there is every chance that the hackers will break your password and attacker will easily compromise your store.So pay attention to the tips mentioned aforesaid to prevent hacking.
Lifehack #6. Protect your admin folder
In order to make your admin, more, secure, you should edit the: path/to/magento/admin/.htaccess
|
1 2 3 4 5 |
order deny,allow deny from all allow from 1.2.3.4 5.6.7.8 |
Lifehack #7. Safe guard your downloader folder
This directive in the root .htaccess file will automatically redirect all of the requests to the path/to/magento/downloader folder to 404 page.
|
1 |
RewriteRule ^downloader/ - [L,R=404] |
Another thing of doing this is adding the following to the path/to/magento/downloader/.htaccess
|
1 2 3 4 5 |
order deny,allow deny from all allow from 1.2.3.4 5.6.7.8 |
Where 1.2.3.4 and 5.6.7.8 are IP addresses you want to let through.
If you are using nginx server – add the following to your /etc/nginx/sites-enbled/yourdomain.conf
|
1 2 3 4 5 6 7 8 9 |
location /downloader/ { allow 194.8.145.155; deny all; # other code, depending on your config and the way of passing requests to PHP # usually the same as for / location |
Lifehack #8. Install the latest magento security patches
If you are not sure which patches are already installed – you can always use MageReport to find it out.
Lifehack #9. Disable dangerous PHP functions
To avoid dangerous functions, be sure to add the following rule to your php.ini file in path/to/magento/php.ini: disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen
Lifehack #10. Use secured HTTPS connection for all of you login pages
You should use encrypted connection so that it prevents you the risk of being interpreted your username and password by the hacker while you are using it
Eliminate that possibility by requiring HTTPS/SSL in Magento.
Lifehack #11. Use anti-virus software to scan your web shop for viruses
Here at Indian Mangento Experts, we usually use, php-clamav library to regularly check our customer’s stores for viruses. It helps to prevent stores from being hacked in advance.
Lifehack #12. Backup your data is indispensable
Unpredictability as it may in case of your E-commerce store with respect to your data i.e. source code+data). In order to keep your e-Commerce Store safe, you need to take backup regularly.
Lifehack #13. Configure the proper logging
Despite logs have no relation to security, it has immense helpful to us as its points out anomaly of your E-commerse store and it information help us to fix the bugs after you have got your magento shop back online.
Lifehack #14. Use trusted extensions from famous extension providers
It is imperative that you ought to use Trusted extension providers. It surely guarantees you of security and quality of their products. Beware of third party vendors,as their quality sometimes may not guarantee you neither security nor performance.
Lifehack #15. If you are using shared hosting – choose magento focused hosting provider
The following inference is completely based on experience.
If you choose to have shared hosting, it is better to work with magento focused hosting providers.
This is proven fact that their services are always performance and security optimized and this is specially for Magento.