The first PC virus, dubbed (c)Brain, was created in 1986 by the Farooq Alvi Brothers in Lahore, Pakistan, reportedly to deter unauthorized copying of the software they had written.
Computer malware, viruses, worms, trojans… there’s a lot of nasty stuff floating around the net, and there will always be someone trying to take advantage of a vulnerable system or gaining unlawful access with malicious intent.
This article will show you the Magento security best practices to implement to prevent attacks from happening so your data and your customers’ data is safe.
Magento 2 is pretty darn secure. Magento 1 — not so much.
We can confidently say this from our own experience, and you can read Magento’s security overview, which includes the following advantages of Magento 2:
Magento 1 uses a weaker system of password hashing (a one-way process of turning a string of characters into what is known as a hashed password). Magento 2 supports Argon2ID13, a stronger hashing algorithm than the previous gold standard — SHA-256.
Magento has implemented new rules to prevent cross-site scripting (XSS) attacks.
XSS attacks are a type of malicious script injection used in phishing attacks, logging keystrokes, and other unauthorized activities.
Starting in version 2.0.6, Magento allows users to set file systems access permissions. The recommendations are that certain files and directories be write-only in a development environment and read-only in a production environment.
Magento safeguards your store from clickjacking attacks by using an X-Frame-Options HTTP request header. For more information, see X-Frame-Options header.
Magento uses an encryption key to protect passwords and sensitive data. Currently, Magento 2 uses the AES-256 algorithm, and you can choose to generate a random key at any time through the admin panel.
And the biggest reason why Magento security trumps Magento 1 is… Magento 1 support is terminating at the end of June 2020.
June 2020. This date has been ringing in most Magento merchants’ and agencies’ ears ever since Magento finally announced the big date. If you haven’t migrated yet, start planning now. After June 2020, there won’t be any new security patches for Magento 1 — not to mention, the technology vulnerabilities in PHP and the rest of the Magento 1 stack that will not be addressed. One of the best ways to safeguard your site is to install patches and updates as soon as they are released.
In addition to the new architecture and security framework of Magento 2, there are processes in place to minimize the impact of vulnerabilities.
They include:
In the next section, we’ll show you the consequences of cyberattacks, the most common causes of attacks, and we’ll share some of our own experiences with cybersecurity.
According to a study by Kaspersky Labs, cyberattacks are incurring more losses for companies of all levels. For enterprises, the average cost of one incident from March 2017 to February 2018 reached $1.23 million. That is 24% higher than losses from 2016-2017 and 38% higher than losses from 2015–2016. For small and medium businesses (SMB), the losses were estimated at $120,000 per incident on average (32,000 more than a year ago).
IBM’s Cost of a Data Breach Report 2019 discovered that lost business was the biggest contributor to data breach costs. The Kaspersky results pale in comparison with what IBM found:
| Organization size | Cost of data breach (avg) | Cost per employee |
| Large organizations (more than 25,000 employees) | $5.11 million | $204 |
| Smaller organizations (500-1,000 employees) | $2.65 million | $3,533 |
This shows that smaller organizations have higher costs relative to their size than larger companies, which can severely affect how they recover and their ability to grow.
Another interesting insight from the IBM report was that breaches from system glitches and human error still cost companies millions, and were responsible for nearly half (49%) of the data breaches studied in the report.
To learn what Elogic developers encounter in their work, we asked around and learned of two wild stories of malicious intent.
One of our most experienced full-stack developers at Elogic, Andriy Biloshytskiy, had an interesting experience a few years ago. Something very strange happened to one of the projects he was working on at the time.
There were no recent updates on the site, nothing had changed, except the site wasn’t working,” Andriy said. “So, I did a cursory investigation and found something both odd and amusing — there was a piece of JavaScript code with no closing tags, which caused the crash. After a Google search, I found the malicious script was intended to siphon the computing power of people visiting the store — to mine Bitcoin.
– Andriy Biloshytskiy, Full-stack developer
The perpetrator (possibly a store admin) was never caught. The store didn’t have admin logs so there was no way to know for sure who was responsible.
When developers work on projects, they often clone the store on their work PC or server to test and write new code. This story happened after one of our developers cloned a store but instead of getting right to work, he saw a pop-up.
The pop-up was a warning from his antivirus software, and the source of the infection was the freshly installed Magento instance. After locating the infected file, a core PHP file, the developer deleted the malicious code and went about his job.
The moral of the story is: whether the attack is targeted, a human error, or a system glitch/vulnerability, you can help prevent breaches by implementing and following security standards.
There’s no such thing as an unhackable site. Even if you hire the best-of-the-best developers, engineers, and security experts, there’s still a possibility of being hacked.
So, our recommendation is to enforce a strict security workflow for onboarding and day-to-day activities.
Here’s what it looks like:
So with the boring stuff out of the way, let’s get down to bulletproofing your Magento store!
There are a lot of moving parts in Magento security. No developer, architect, manager, or other roles understand security risks as well as a qualified security expert. That’s why the first step is to have your site combed through by an expert. Preferably, you should get this done at least once a year to stay secure.
Great news, you don’t have to go to a third-party every time you want to run a scan. Magento offers its Security Scan free of charge.
Magento Security Scan allows you to monitor all of your websites (if you have more than one) for possible risks and highlights the patches and updates you require. Set a schedule (Magento recommends scanning on a weekly basis) and receive reports and corrective actions for each failed test. To get started, check out this guide.
There are also free scanning tools out there like MageReport, but it’s not as in-depth as Magento’s tool and does not offer automated or scheduled scanning.
Magento recommends a multilayered approach to securing your admin account(s).
You can:
On the Admin sidebar, go to Stores > Settings > Configuration.
In the left panel under Advanced, choose Admin.
Expand the Security section.
It’s a good idea to change the default admin URL to something else to make it less of a target for hackers.
Default Base URL: http://yourdomain.com/magento/
Default Admin URL and Path: http://yourdomain.com/magento/admin
There’s a simple way to change the admin URL available in the admin panel, but keep in mind, any mistakes will render your site inaccessible to all admins, and the only way to fix it is by editing server configuration files (not something you want to experience, trust us).
You might have heard of blacklisting — when you block access to a certain site, IP address, or network.
Whitelisting is the opposite — allowing access to certain information, sites, and in our case, the Magento admin panel, to only trusted IP addresses.
Magento includes options for restricting access for admins. In other words, you can create permissions to limit what a site admin sees and grant them limited access.
You can set up user roles by going to the Admin sidebar. Click System, under Permissions, choose User Roles. In the upper-right corner, click Add New Role.
After assigning a Role name and entering your password you can set up the Role Scope (see image below).
Magento Commerce allows you to log any actions performed by admins. You can turn on Action logs by navigating to Stores > Settings > Configuration. In the left panel, expand Advanced and choose Admin. Expand the Admin Actions Logging section and select the checkbox enable admin logging for each action you want to log.
In Magento, you can set up both Captcha and Google reCaptcha for admins and customers. Both protect you against spam and other types of automated abuse.
Captcha is a human validation test i.e. the blurry, squiggly letters and numbers you’ve probably had to squint to see.
Google reCaptcha is a superior type of human validation i.e. the “I Am Not A Robot” checkbox.
Invisible reCAPTCHA (Magento recommended) — which verifies a user is human automatically, without any interaction. It sounds like magic, but Google managed to find a way to do it.
Two-Factor Authentication, or 2FA for short, is a method of confirming a user’s identity by making users complete a second step in the verification process. Magento 2FA is only available for Admin users and is not extended to customer accounts.
This is how you can configure 2FA in Magento:
On the Admin sidebar, go to Stores > Settings > Configuration.
In the left panel, expand Security and choose 2FA.
When you first fire up Magento, the system automatically generates an encryption key. This key is used to protect passwords and other sensitive data like credit card info and integration (payment and shipping module) passwords.
Magento recommends keeping this key safe and hidden at all times. If you experience a data breach, you can create a new encryption key to prevent anyone from accessing data using the old key.
You can generate a new key in the admin panel. To reiterate, we don’t recommend doing this on your own.
Magento requires a minimum of seven characters (both letters and numbers). We recommend using something a bit more robust — a 10-12 character alphanumeric password.
Pro-tip — Don’t try to think of a password yourself. We recommend using LastPass to randomly generate a password.
Change your passwords if you suspect there’s a data breach, regardless of whether or not your account was hacked, and set a reminder to change your password once a year.
You can set the level of security for passwords used by both customers and admins directly in the admin interface
Password options for customers
On the Admin sidebar, go to Stores > Settings > Configuration.
In the panel on the left, expand Customers and choose Customer Configuration.
Expand the Password Options section.
The major credit card companies created the Payment Card Industry Data Security Standard (PCI DSS) to make sure merchants adopt critical security measures. Merchants who fail to comply with PCI requirements can expect large fines, which can also result in losing their ability to process payments.
Magento makes it easier for merchants to become PCI compliant — Magento Commerce Cloud is PCI-certified and Magento offers integrated payment gateways like PayPal, Authorize.Net, and others that securely transmit credit card info.
| 12 Requirements for PCI-DSS | |
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security |
Important Note: DO NOT USE the Saved Credit Cards Module in a Production environment!
Saved Credit Cards is not PCI-compliant and you may be exposing your customers’ credit card info.
Anna Völkl is a Magento Master with many years of experience. The following is a SlideShare presentation Anna presented in 2017. It highlights Magento security best practices and includes a list of security extensions.
Passwords & Login
Configuration & Monitoring
Recommended Extensions for M2
Security automation is the process of automatically handling security-related tasks like antivirus scanning, intrusion detection, creating backups, renewing SSL certificates, and much more.
IBM made a groundbreaking discovery: organizations without automated security solutions experienced breach costs that were 95% higher than organizations with fully-deployed automation.
Just like any other type of insurance (car, home, etc.) cyber insurance protects businesses from damages caused by cyberattacks.
According to Wikipedia, cyber insurance is “Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused by errors and omissions, failure to safeguard data or defamation, and other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.”
If you don’t have an incident response plan (or you don’t know what this is), let’s create one.
To make it easier, we took Talesh Seeparsan’s Magento-centric Incident Response Plan Template and made a Google spreadsheet that you can copy for your own use.
Prerequisites for using the template:
IBM found that companies with an IRT and extensive testing of their response plans saved over $1.2 million. More specifically, the study showed that the combined effect of the IRT and testing the incident response plan, through drills and simulations, helped teams respond faster and produce greater cost savings than any single security process.
There are no excuses for not having a patched and fully-updated Magento store.
It really makes us sad when we see reports like Sucuri’s Website Hack Trend Report 2018, which found that 83.1% of Magento websites were mostly out of date and vulnerable at the point of infection, up 2.8% from 2017.
Scan your site, identify any patches you need to install, and please, do not let hackers get easy access through a vulnerability. Sign up for the Magento Security Alert Registry and make a point to visit the Magento Security Center from time to time for the latest news and information.
Don’t panic. If there was a data breach or information exposure there’s no way of getting that information back. Your priority should be identifying what was exposed, gathering evidence, and making sure data isn’t leaking.
Follow your Incident Response Plan:
There are five major advantages to using Magento Commerce and Commerce Cloud. You can read about the additional benefits of the cloud version here.
Magento Commerce Cloud is PCI certified as a Level 1 Solution Provider, so merchants can use Magento’s PCI Attestation of Compliance to aid their own PCI certification process.
Magento Commerce Cloud has a shared responsibility security model where you, Magento, and Amazon Web Services (best-of-breed cloud services) share the responsibilities for operational security. You’re responsible for testing custom code and any custom applications. Magento ensures the platform itself is secure, and Amazon takes care of physical security for servers and compliance.
Magento Commerce gives you the ability to keep a record of every change (action) made by an admin who works in your store. The logged information includes the name of the user, the action, and whether the action was successful, and it also logs the IP address and date.
Just like a firewall on a PC, a WAF prevents malicious traffic from entering a network by using a set of security rules. Any traffic that triggers the rules is blocked before it unleashes itself on your site or network. Magento Commerce Cloud uses Fastly CDN for WAF services.
Magento Commerce Cloud also uses Fastly CDN for additional security features like DDoS protection, which includes Layer 3, 4, and 7 DDoS mitigation
Site security and more broadly, cybersecurity, should be one of your main priorities. You’re not just running a blog or personal page, you’re responsible for protecting confidential information, including names, addresses, phone numbers, and credit card info.
Remember:
