In August 2016, CSO reported that Cyber Crime damages are expected to cost the world $6 trillion by 2021! Cyber Crime rate is rising globally and is expected to grow faster with time. Every year 111 billion lines of software codes are written and they open up new loopholes for hackers to exploit.
Healthcare, Ecommerce and Financial service sectors are most sought after target for attackers. Moreover, small business enterprise lack resources that large enterprises have and are hence more vulnerable to these attacks.
Currently, Magento is the largest open source ecommerce platform with 1 out of 4 businesses choosing it as a platform of choice. This makes it a soft target because if a vulnerability is found, it would affect a large number of ecommerce stores around the globe.
Ensuring that your Ecommerce site is secured from these attacks is very important. A single attack can destroy an online store’s reputation. Losing customer trust will eventually lead to loss in business.
Let’s get into details of how you can effectively secure your Magento Ecommerce store :
Well begun is half done!
You need to find out the best solution integrators as well as hosting providers. Qualifications needs to be evaluated, and the security approach has to be analyzed. Additionally, you should have a secure software development cycle in place as per Open Web Application Security Project (OWASP) standards. Since Google nowadays gives high preference to https among their ranking factors, you should consider it and create redirects accordingly from http to https.
Securing Server and Admin Desktop Environments :
This is among the most critical aspects that needs to be optimised to keep the store security intact. Not just keep things updated as far as software server is concerned, but even applying patches of security, with likes of databases, server data exchange, and more matters.
Server Based Environment
- Ensure secure working of server with your hosting provider keeping a watch of eliminating all unnecessary software running.
- Disable FTP and manage files only through a secured communication protocol like HTTPS, SFTP, or SSH.
- By default Magento uses .htaccess file during Apache server use for protection. When using a different server like Nginx, you need to manually ensure that directories and system files are well protected.
- There has to be minimum permissions used for a specific task. For example, when planning to send mail try to avoid using administrator or root account.
- Have a close monitoring of issues detected by configuration components of software with the likes of Solr, Memcached, Nginx or Apache, Redis, PHP, MySQL, or the OS itself.
- Only required users should be given access to cron.php file. Additionally, try to restrict the access completely, leading to command execution through system cron scheduler.
- It is wise to change passwords constantly and that too keep them unique, long, and strong.
- You need to keep the system updated with new security patches installed right away as soon as discovered.
Server Based Applications
- Ensure server applications are secure.
- Magento should be avoided executing on same server as that of other software. Blog applications vulnerabilities have tendency to expose private information from Magento. Hence, better run software updates on separate server.
- Do apply patches and keep all software up to date.
Admin Desktop Environment
- Desktop used to access Magento Admin should be secured.
- All malware programs and antivirus programs should be up to date. Additionally, do not allow suspicious links or suspicious programs.
- Have a strong password backing your desktop. Use different programs for doing this, or probably opt for a password manager.
- FTP passwords should not be saved into FTP programs. They are meant to harvest and infect servers by malware programs.
- Employee accounts or user accounts be deleted, no longer in actual use.
Advanced Security Techniques :
- Make use of private keys to transfer data and deployment process can be automated.
- It is best to limit Magento Admin access by updating IP address whitelist of every single computer authorized through a Magento Connect downloader and Admin.
- Ensure not to have the extensions installed directly on a production server. Block /downloader directory access or remove the access altogether, for disabling production site based Magento Connect downloader.
- Make use of Admin login 2-factor authentication. With several extensions available, you can have additional security generated through a phone passcode, or special device token.
- It is ideal to have development leftovers reviewed every now and then. Ensure to have no unusable files prone to attacks like phpinfo files, database dumps, SQL helper scripts, .git directories, useless log files, and more.
- Outgoing connections should be limited only where required such as payment integration.
- A firewall for web application should be in place to analyze suspicious patterns related to attacker trying to track credit card information.