September 14, 2020, came to be the day of doom for many Magento merchants. Over 2,800 Magento 1 stores were hacked to steal credit card details in the largest documented campaign to date.
It’s not unusual for hackers to wreak havoc across ecommerce websites. Computer malware, viruses, worms, trojans, and many other ecommerce frauds… there’s a lot of nasty stuff floating around the net. There will always be someone trying to take advantage of a vulnerable system or gaining unlawful access with malicious intent.
If you don’t want to become a part of the next Magento security breach, this guide is for you. Read on to discover the main Magento security vulnerabilities and ways to prevent them so that your data and your customers’ data are safe.
The prime problem of Magento 1 is that it is no longer supported. On June 30, 2020, Adobe's announced end-of-life for Magento 1 took effect, making that edition of the platform obsolete and vulnerable to cyberattacks.
There you have the reason for the Magecart attack mentioned earlier. Outdated Magento stores remain attractive targets for those determined to steal personal and financial data from online customers.
Hackers can easily scan for outdated versions of Magento and use automated bots to access them, upload shell scripts, and install the card skimming malware. Card skimming attacks are undetectable by end-users, so the responsibility falls on website operators to update their systems to the latest version of Magento. At this point, any website using Magento 1.x should be assumed compromised. — Paul Bischoff, a privacy advocate with Comparitech.
That’s why Magento store protection should be the #1 priority for merchants. Magento 1 isn’t secure and will never be. But Magento 2 will keep you in safe hands.
If you’re bitten by a tick, pulling the tick off yourself won’t stop the infection. The same happened with Magento. After the critical vulnerability was found in Magento, an upgrade was necessary. So Adobe revamped the whole system to eliminate Magento security issues and protect their merchants from similar attacks in the future.
Here are Magento security features Adobe has introduced after Magento 1 end-of-life.
Magento 1 uses a weaker system of password hashing (a one-way process of turning a string of characters into what is known as a hashed password). To address this Magento vulnerability, Magento 2 supports Argon2ID13, a stronger hashing algorithm than the previous gold standard — SHA-256.
Magento has implemented new rules to prevent cross-site scripting (XSS) attacks by making escaped data the default.
XSS attacks are a type of malicious script injection used in phishing attacks, logging keystrokes, and other unauthorized activities.
Starting in version 2.0.6, Magento allows users to set file system access permissions. The recommendation is that certain files and directories be writable in a development environment and read-only in a production environment.
Magento safeguards your store from clickjacking attacks by sending the X-Frame-Options HTTP header. For more information, see the X-Frame-Options header documentation.
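As an added example (not code from the article or from Magento itself), the check below evaluates a captured set of response headers from your own store for clickjacking protection. It assumes the headers are supplied as a plain dict and also recognises the CSP frame-ancestors directive, which supersedes X-Frame-Options in current browsers.

```python
"""Assess a captured HTTP response for clickjacking protection (added example)."""
from typing import Dict, List

# Only these X-Frame-Options values are honoured by current browsers; the old
# ALLOW-FROM form is obsolete and silently ignored.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def assess_framing_protection(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means framing is restricted."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    norm = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []

    # CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    csp = norm.get("content-security-policy", "")
    has_frame_ancestors = any(
        directive.strip().lower().startswith("frame-ancestors")
        for directive in csp.split(";")
    )

    xfo = norm.get("x-frame-options")
    if xfo is None:
        if not has_frame_ancestors:
            findings.append("no X-Frame-Options and no CSP frame-ancestors: any site can frame this page")
        return findings

    # A response that passed through several layers (app, CDN, WAF) can carry
    # two values; browsers treat conflicting values as invalid and ignore them.
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        findings.append(f"conflicting X-Frame-Options values {sorted(values)}; browsers ignore the header")
    else:
        value = next(iter(values), "")
        if value.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors instead")
        elif value not in VALID_XFO:
            findings.append(f"invalid X-Frame-Options value {xfo!r}; browsers ignore it")
    if findings and has_frame_ancestors:
        findings.append("note: CSP frame-ancestors is present and still restricts framing in modern browsers")
    return findings


# Constructed samples: Magento 2's default SAMEORIGIN, a store edited to the
# obsolete ALLOW-FROM form, and a store with no protection at all.
HARDENED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
OBSOLETE = {"Content-Type": "text/html", "X-Frame-Options": "ALLOW-FROM https://partner.example"}
UNPROTECTED = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("obsolete", OBSOLETE), ("unprotected", UNPROTECTED)):
        print(label, assess_framing_protection(hdrs) or ["ok"])
```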
Magento uses an encryption key to protect passwords and sensitive data. Currently, Magento 2 uses the AES-256 algorithm, and you can choose to generate a random key at any time through the admin panel.
Hackers use automated password-guessing bots to steal shoppers’ personal data and gain merchants’ access to back-office operations. To prevent this type of attack, Magento by default creates a random Admin URI when you install the product.
The biggest reason why Magento 2 security trumps Magento 1 is regular updates. Adobe’s final Magento 1 security patch was released on June 22, 2020. Meanwhile, Magento 2 merchants get their security patches every quarter in an official Adobe Security Bulletin.
In addition to the new architecture and security framework of Magento 2, there are processes in place to minimize the impact of vulnerabilities.
There’s no such thing as an unhackable site. Even if you hire the best-of-the-best developers, engineers, and security experts, there’s still a possibility of being hacked.
So, our recommendation is to enforce a strict security workflow for onboarding and day-to-day activities.
Here are ways of securing Magento:
So with the boring stuff out of the way, let’s get down to bulletproofing your Magento store!
There are a lot of moving parts in Magento security. No developer, solution architect, manager, or other role understands security risks as well as a qualified security expert. That’s why the first step is to have your site combed through by an expert. Preferably, you should get this done at least once a year to stay secure.
Great news, you don’t have to go to a third party every time you want to run a scan. Magento offers its Security Scan free of charge.
Magento Security Scan allows you to monitor all of your websites (if you have more than one) for possible risks and highlights the patches and updates you require. Set a schedule (Magento recommends scanning on a weekly basis) and receive reports and corrective actions for each failed test. To get started, check out this guide.
There are also free scanning tools such as MageReport, but it is not as in-depth as Magento’s tool and does not offer automated or scheduled scanning.
Magento recommends a multilayered approach to securing your admin account(s).
On the Admin sidebar, go to Stores > Settings > Configuration.
In the left panel under Advanced, choose Admin.
Expand the Security section.
It’s a good idea to change the default admin URL to something else to make it less of a target for hackers.
Default Base URL: http://yourdomain.com/magento/
Default Admin URL and Path: http://yourdomain.com/magento/admin
There’s a simple way to change the admin URL available in the admin panel, but keep in mind, any mistakes will render your site inaccessible to all admins, and the only way to fix it is by editing server configuration files (not something you want to experience, trust us).
You might have heard of blacklisting — when you block access to a certain site, IP address, or network.
Whitelisting is the opposite — allowing access to certain information, sites, and in our case, the Magento admin panel, to only trusted IP addresses.
Magento includes options for restricting access for admins. In other words, you can create permissions to limit what a site admin sees and grant them limited access.
You can set up user roles by going to the Admin sidebar. Click System, under Permissions, choose User Roles. In the upper-right corner, click Add New Role.
After assigning a Role name and entering your password you can set up the Role Scope (see image below).
Magento Commerce allows you to log any actions performed by admins. You can turn on Action logs by navigating to Stores > Settings > Configuration. In the left panel, expand Advanced and choose Admin. Expand the Admin Actions Logging section and select the checkbox to enable admin logging for each action you want to log.
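The password-guessing bots mentioned earlier leave a trail in exactly the fields the action log records (user, action, result, IP address, date). As an added example that is not part of the article or of Magento, the detector below runs over constructed log lines in a CSV-like layout (an assumption; the real export format may differ) and flags any IP whose failed admin logins reach a threshold inside a sliding time window, noting whether a successful login followed the burst.

```python
"""Flag admin password-guessing bursts in constructed admin action log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample, one event per line: date, user, action, result, ip.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2020-09-14 03:12:07,admin,login,failed,198.51.100.23
2020-09-14 03:12:09,admin,login,failed,198.51.100.23
2020-09-14 03:12:10,administrator,login,failed,198.51.100.23
2020-09-14 03:12:12,admin,login,failed,198.51.100.23
2020-09-14 03:12:14,manager,login,failed,198.51.100.23
2020-09-14 03:12:15,admin,login,success,198.51.100.23
2020-09-14 08:30:00,jane,login,failed,203.0.113.5
2020-09-14 08:30:40,jane,login,success,203.0.113.5
2020-09-14 08:31:02,jane,save_product,success,203.0.113.5
"""

Event = Tuple[datetime, str, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the sample layout into (timestamp, user, action, result, ip) tuples."""
    rows: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, result, ip = line.split(",")
        rows.append((datetime.strptime(date, "%Y-%m-%d %H:%M:%S"), user, action, result, ip))
    return rows


def detect_password_guessing(rows: List[Event], threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> Dict[str, Tuple[int, List[str], bool]]:
    """Return {ip: (failed_logins_in_window, usernames_tried, success_after_burst)}.

    A success from the same IP right after a burst is the case that warrants an
    immediate credential reset and a look at what that session did next."""
    by_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, user, action, result, ip in rows:
        if action == "login":
            by_ip[ip].append((ts, user, result))
    alerts: Dict[str, Tuple[int, List[str], bool]] = {}
    for ip, events in by_ip.items():
        events.sort()
        failed = [(ts, user) for ts, user, result in events if result == "failed"]
        lo = 0  # left edge of the sliding window over failed attempts
        for hi in range(len(failed)):
            while failed[hi][0] - failed[lo][0] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold and (ip not in alerts or count > alerts[ip][0]):
                users = sorted({user for _, user in failed[lo:hi + 1]})
                last_fail = failed[hi][0]
                success_after = any(r == "success" and ts >= last_fail for ts, _, r in events)
                alerts[ip] = (count, users, success_after)
    return alerts
```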
Captcha is a human validation test, i.e., the blurry, squiggly letters and numbers you’ve probably had to squint to see.
Google reCaptcha is a superior type of human validation, i.e., the “I Am Not A Robot” checkbox.
Invisible reCAPTCHA (recommended by Magento) verifies that a user is human automatically, without any interaction. It sounds like magic, but Google managed to find a way to do it.
Two-Factor Authentication, or 2FA for short, is a method of confirming a user’s identity by making users complete a second step in the verification process. Magento 2FA is only available for Admin users and is not extended to customer accounts.
This is how you can configure 2FA in Magento:
On the Admin sidebar, go to Stores > Settings > Configuration.
In the left panel, expand Security and choose 2FA.
When you first fire up Magento, the system automatically generates an encryption key. This key is used to protect passwords and other sensitive data like credit card info and integration (payment and shipping module) passwords.
Magento recommends keeping this key safe and hidden at all times. If you experience a data breach, you can create a new encryption key to prevent anyone from accessing data using the old key.
You can generate a new key in the admin panel. To reiterate, we don’t recommend doing this on your own.
Magento requires a minimum of seven characters (both letters and numbers). We recommend using something a bit more robust — a 10-12 character alphanumeric password.
Pro-tip — Don’t try to think of a password yourself. We recommend using LastPass to randomly generate a password.
Change your passwords if you suspect there’s a data breach, regardless of whether or not your account was hacked, and set a reminder to change your password once a year.
You can set the level of security for passwords used by both customers and admins directly in the admin interface.
On the Admin sidebar, go to Stores > Settings > Configuration.
In the panel on the left, expand Customers and choose Customer Configuration.
Expand the Password Options section.
The major credit card companies created the Payment Card Industry Data Security Standard (PCI DSS) to make sure merchants adopt critical security measures. Merchants who fail to comply with PCI requirements can expect large fines, which can also result in losing their ability to process payments.
Magento makes it easier for merchants to become PCI compliant — Magento Commerce Cloud is PCI-certified and Magento offers integrated payment gateways like PayPal, Authorize.Net, and others that securely transmit credit card info.
12 Requirements for PCI DSS

|Goal|Requirement|
|---|---|
|Build and Maintain a Secure Network|Requirement 1: Install and maintain a firewall configuration to protect cardholder data|
|Build and Maintain a Secure Network|Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect Cardholder Data|Requirement 3: Protect stored cardholder data|
|Protect Cardholder Data|Requirement 4: Encrypt transmission of cardholder data across open, public networks|
|Maintain a Vulnerability Management Program|Requirement 5: Use and regularly update anti-virus software|
|Maintain a Vulnerability Management Program|Requirement 6: Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures|Requirement 7: Restrict access to cardholder data by business need-to-know|
|Implement Strong Access Control Measures|Requirement 8: Assign a unique ID to each person with computer access|
|Implement Strong Access Control Measures|Requirement 9: Restrict physical access to cardholder data|
|Regularly Monitor and Test Networks|Requirement 10: Track and monitor all access to network resources and cardholder data|
|Regularly Monitor and Test Networks|Requirement 11: Regularly test security systems and processes|
|Maintain an Information Security Policy|Requirement 12: Maintain a policy that addresses information security|
Important Note: DO NOT USE the Saved Credit Cards Module in a Production environment!
Saved Credit Cards is not PCI-compliant and you may be exposing your customers’ credit card info.
When native functionality is not enough, extensions come to the rescue. Magento has a rich repository of security extensions — both paid and free. Here are a few you may try:
Security automation is the process of automatically handling security-related tasks like antivirus scanning, intrusion detection, creating backups, renewing SSL certificates, and much more.
IBM made a groundbreaking discovery: organizations without automated security solutions experienced breach costs that were 95% higher than organizations with fully-deployed automation.
Just like any other type of insurance (car, home, etc.) cyber insurance protects businesses from damages caused by cyberattacks. In particular, cyber liability covers
If you don’t have an incident response plan (or you don’t know what this is), let’s create one.
To make it easier, we took Talesh Seeparsan’s Magento-centric Incident Response Plan Template and made a Google spreadsheet that you can copy for your own use.
Prerequisites for using the template:
IBM found that companies with an IRT and extensive testing of their response plans saved over $1.2 million. More specifically, the study showed that the combined effect of the IRT and testing the incident response plan, through drills and simulations, helped teams respond faster and produce greater cost savings than any single security process.
There are no excuses for not having a patched and fully-updated Magento store.
To install a Magento security patch, you should
Scan your site, identify any patches you need to install, and please, do not let hackers get easy access through a vulnerability. Sign up for the Magento Security Alert Registry and make a point to visit the Magento Security Center from time to time for the latest news and information.
To save yourself some trouble, you can also hire a Magento developer. They will install a Magento security patch in no time — be it a hotfix or a custom patch.
Don’t panic. If there was a data breach or information exposure, there’s no way of getting that information back. Your priority should be identifying what was exposed, gathering evidence, and making sure data isn’t still leaking.
Follow your Incident Response Plan:
To learn what Elogic developers encounter in their work, we asked around and learned of two wild stories of malicious intent.
One of our most experienced full-stack developers at Elogic, Andriy Biloshytskiy, had an interesting experience a few years ago. Something very strange happened to one of the projects he was working on at the time.
The perpetrator (possibly a store admin) was never caught. The store didn’t have admin logs so there was no way to know for sure who was responsible.
When developers work on projects, they often clone the store on their work PC or server to test and write new code. This story happened after one of our developers cloned a store but instead of getting right to work, he saw a pop-up.
The pop-up was a warning from his antivirus software, and the source of the infection was the freshly installed Magento instance. After locating the infected file, a core PHP file, the developer deleted the malicious code and went about his job.
The moral of the story is: whether the attack is targeted, a human error, or a system glitch/vulnerability, you can help prevent breaches by implementing and following security standards.
While choosing between Magento 2 Commerce and Open Source, you might have wondered which one is more secure. While it’s true that both Magento editions deliver outstanding feature sets (depending on a merchant’s business needs, of course), we can vouch for the security of Magento Commerce (aka Adobe Commerce).
Here are five major security advantages to using Magento Commerce and Commerce Cloud.
PCI compliance isn’t a feature listed in Magento Open Source, but it is in Magento Commerce. Better yet, Magento Commerce Cloud is PCI certified as a Level 1 Solution Provider, so merchants can use Magento’s PCI Attestation of Compliance to aid their own PCI certification process.
Magento Commerce Cloud has a shared responsibility security model where you, Magento, and Amazon Web Services (best-of-breed cloud services) share the responsibilities for operational security. You’re responsible for testing custom code and any custom applications. Magento ensures the platform itself is secure, and Amazon takes care of physical security for servers and compliance.
Magento Commerce gives you the ability to keep a record of every change (action) made by an admin who works in your store. The logged information includes the name of the user, the action, and whether the action was successful, and it also logs the IP address and date.
Just like a firewall on a PC, a WAF prevents malicious traffic from entering a network by using a set of security rules. Any traffic that triggers the rules is blocked before it unleashes itself on your site or network. Magento Commerce Cloud uses Fastly CDN for WAF services.
Magento Commerce Cloud also uses Fastly CDN for additional security features like DDoS protection, which includes Layer 3, 4, and 7 DDoS mitigation.
Site security and more broadly, cybersecurity, should be one of your main priorities. You’re not just running a blog or personal page, you’re responsible for protecting confidential information, including names, addresses, phone numbers, and credit card info.
After the Magento 1 fiasco, Adobe has raised Magento 2 to new security levels. Magento’s ecommerce architecture is designed to provide a highly secure environment thanks to a Web Application Firewall (WAF), Fastly CDN for extra DDoS protection, and hashing to encrypt data. Security patches are released every quarter, and Magento Security Scan is available. Merchants can additionally use SSL certificates, CAPTCHA, two-factor authentication, and other Magento security best practices to protect their customers.
So it’s safe to say that Magento is one of the most secure platforms among the ones offered in the ecommerce market.
Some best practices to secure Magento include the following:
See a complete Magento security checklist above.
Magento PCI compliance depends on its edition:
Magento Open Source is not PCI compliant, so you will have to adopt either a third-party payment method that redirects you to another site to make the transaction (like PayPal, Authorize.net) or a SaaS PCI compliant payment method (CRE Secure).
Magento Commerce and Commerce Cloud are PCI certified as a Level 1 Solution Provider.