
Ultimate Magento Security Checklist



1. Proactively scan your store for Malware

Use the Sucuri scanner regularly to identify whether your site has been hacked. MageReport is another great resource. You should really use both.

2. Disable unused modules

Disable RSS

This is a good example of how to disable a core module. Create and open app/etc/modules/Zzz.xml (Magento reads module declaration files in alphabetical order, so a file named Zzz.xml is loaded last and its settings take precedence) and paste in:

<?xml version="1.0"?>
<config>
    <modules>
        <Mage_Rss>
            <active>false</active>
            <codePool>core</codePool>
            <depends>
                <Mage_Catalog/>
                <Mage_CatalogInventory/>
                <Mage_Sales/>
                <Mage_SalesRule/>
                <Mage_Wishlist/>
            </depends>
        </Mage_Rss>
    </modules>
</config>

3. Change name of admin panel

Edit the file app/etc/local.xml in your Magento installation and change the name in the section admin -> routers -> adminhtml -> args -> frontName.

4. Use adaptive request filtering

Fail2Ban is great. We set it up to secure all Magento installations.

5. Block /rss and /downloader, or restrict them to specific IPs

If you don’t need Magento Connect (i.e. you install extensions with Composer / Git), deny access to the downloader in Nginx. Note the `~` modifier: without it Nginx treats `^/downloader/` as a literal prefix rather than a regex and the rule never matches:

location ~ ^/downloader/ {
    deny all;
}

If you’re not using RSS (most likely), disable it via Nginx as well. This is an alternative to disabling the module with the .xml file above:

location ~ ^/index\.php/?rss/ {
    deny all;
}
location ~ ^/rss/ {
    deny all;
}
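The following audit script is an added example, not code from the original post. It checks three of the items above against constructed sample files: whether app/etc/local.xml still uses the default admin frontName (item 3), whether app/etc/modules/Zzz.xml marks Mage_Rss inactive (item 2), and whether the Nginx deny regexes from item 5 (assumed in their `location ~` form) actually match the request paths they are meant to block.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of app/etc/local.xml that still uses the default "admin" path.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config><admin><routers><adminhtml><args>
  <frontName><![CDATA[admin]]></frontName>
</args></adminhtml></routers></admin></config>"""

# Constructed sample of app/etc/modules/Zzz.xml, as described in item 2.
SAMPLE_ZZZ_XML = """<?xml version="1.0"?>
<config><modules><Mage_Rss><active>false</active><codePool>core</codePool>
</Mage_Rss></modules></config>"""

# The location regexes from item 5 (Nginx uses PCRE; Python's re behaves the same here).
DENY_PATTERNS = [r"^/downloader/", r"^/index\.php/?rss/", r"^/rss/"]


def admin_front_name(local_xml: str) -> str:
    """Return admin -> routers -> adminhtml -> args -> frontName (item 3).
    Magento falls back to "admin" when the node is absent, so report that."""
    node = ET.fromstring(local_xml).find("admin/routers/adminhtml/args/frontName")
    return (node.text or "").strip() if node is not None else "admin"


def module_disabled(modules_xml: str, module: str) -> bool:
    """True if <module><active>false</active> is declared (item 2)."""
    node = ET.fromstring(modules_xml).find(f"modules/{module}/active")
    return node is not None and (node.text or "").strip().lower() == "false"


def path_blocked(uri: str) -> bool:
    """Would any of the item-5 deny rules match this request path?"""
    return any(re.match(p, uri) for p in DENY_PATTERNS)


def audit(local_xml: str, modules_xml: str) -> list:
    """Collect human-readable findings; an empty list means every check passed."""
    findings = []
    if admin_front_name(local_xml) == "admin":
        findings.append("item 3: admin frontName is still the default 'admin'")
    if not module_disabled(modules_xml, "Mage_Rss"):
        findings.append("item 2: Mage_Rss is still active")
    for uri in ("/downloader/", "/rss/catalog/new", "/index.php/rss/order/new"):
        if not path_blocked(uri):
            findings.append(f"item 5: {uri} is not covered by a deny rule")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOCAL_XML, SAMPLE_ZZZ_XML) or ["all checks passed"]:
        print(line)
```

Point the two constants at the real files from your installation to run it against a live store; the sample data above only exists to show the finding for an unchanged admin path.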

6. Admin panel: whitelist admin IPs and block everyone else

We have a guide on protecting the Magento admin panel.

7. Enable two-factor authentication

  • Install and enable a two-factor authentication plugin (Google Authenticator, SMS, etc.)
  • Use a VPN tunnel and block all other access to the admin services (you will need to work with your hosting provider to set up this method)

8. Ensure your file permissions (chmod) are set right

We have a guide on setting chmod in Magento 1.x the right way.

9. Eliminate core hacks using n98-magerun

n98-magerun is an excellent utility for managing your Magento installation from the CLI. With it you can find out whether your developer (or an attacker, for that matter) has made any changes to core Magento files.

10. Use EV SSL certificate

It is a common misconception that an EV SSL certificate is more secure than a regular certificate. It’s not.
The security depends largely on how any given certificate is installed and configured.

Once you have taken all the security measures above, it is a good time to tell your users that your business is trustworthy.
That’s where EV SSL certificates come in handy. You get the green address bar in all major browsers,
and your users know that they are dealing with a verified business entity.

[Figure: EV SSL appearance]

Namecheap provides multi-domain EV SSL certificates. That’s good enough to secure your website itself as well as a couple of its subdomains (which you can use for hosting static assets like images).
