Ultimate Magento 1.x Security Checklist


We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

Note: Using Magento 2? Check our Magento 2 security checklist.

1. Proactively scan your store for Malware

Online scanners

Online scanners look at your store from the outside, so they catch what reaches the browser (injected JavaScript skimmers, redirects, references to known malicious domains) but cannot see server-side backdoors. Use the Sucuri scanner to check for signs of a compromise, and MageReport, which also flags missing Magento security patches. Use both; they check different things.

CLI scanners

Another freeware scanner specific to Magento is magescan, a CLI tool that runs against the store's URL and reports its Magento version, installed patches and files that should not be publicly reachable. It can be installed from our repository:

yum install magescan

Additional CLI scanners are recommended for Magento 2; see the Magento 2 checklist linked above.

2. Disable unused modules

Disable RSS

This is a good example of how to disable a core module. Create app/etc/modules/Zzz.xml (the name sorts last, so it is loaded after the core module declarations and overrides them) and paste in:

<?xml version="1.0"?> 
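The complete file, as an added example (not copied from the page): it marks Mage_Rss inactive, and the same shape disables any other core module by swapping in that module's name.

```xml
<?xml version="1.0"?>
<!-- app/etc/modules/Zzz.xml: declares the core RSS module inactive.
     Because this file loads after Mage_All.xml / Mage_*.xml, its
     <active>false</active> wins over the core declaration. -->
<config>
    <modules>
        <Mage_Rss>
            <active>false</active>
        </Mage_Rss>
    </modules>
</config>
```

Flush the configuration cache afterwards (System > Cache Management, or empty var/cache), otherwise the cached module list keeps RSS active. If an extension of yours depends on the module you disable, Magento will fail on the next request, so disable one module at a time and check the storefront and admin.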

3. Change name of admin panel

Edit app/etc/local.xml in your Magento installation and change the name in admin -> routers -> adminhtml -> args -> frontName (the section is "adminhtml", not "adminhml").
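As an added example (not from the page), the branch of app/etc/local.xml this refers to; "backoffice-7f3a" is an assumed placeholder, choose an unguessable name of your own.

```xml
<?xml version="1.0"?>
<!-- app/etc/local.xml, <admin> branch only; the rest of the file
     (global/install, db, session settings) is left unchanged. -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <!-- assumed placeholder name; the admin panel moves to /backoffice-7f3a/ -->
                    <frontName><![CDATA[backoffice-7f3a]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

Clear var/cache after editing; /admin then falls through to the storefront router and returns the shop's 404 page, while the panel answers at the new path. This hides the login form from drive-by scanners but is not access control, so combine it with the IP whitelist from section 6.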

4. Use adaptive request filtering

Fail2Ban fits this well: it tails log files and temporarily bans source addresses that keep producing the same failure pattern, so a password-guessing script against the admin login is cut off after a few attempts. We set it up on all Magento installations we manage.
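As an added example (not the configuration we ship), a Fail2Ban filter and jail that ban an address after repeated POSTs to the admin login form. It assumes Nginx's default "combined" log format in /var/log/nginx/access.log, an admin frontName of "admin", and that Magento answers a failed login by re-rendering the form (200) while a successful one redirects (302). The file names and the log line in the comment are constructed for illustration.

```ini
# /etc/fail2ban/filter.d/nginx-magento-admin.conf  (assumed filename)
[Definition]
# A "combined" log line for a failed admin login looks like (constructed sample):
#   203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "POST /admin/index/index/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
# Only 200 responses to POSTs on the admin route count: a successful login
# redirects with 302 and must not score against the client.
# "admin" is the assumed frontName; change it if you renamed the route (section 3).
failregex = ^<HOST> - \S+ \[[^\]]+\] "POST /admin(/index/index)?/?(\?\S*)? HTTP/[0-9.]+" 200
ignoreregex =

# /etc/fail2ban/jail.d/nginx-magento-admin.conf  (assumed filename)
[nginx-magento-admin]
enabled  = true
filter   = nginx-magento-admin
logpath  = /var/log/nginx/access.log
port     = http,https
maxretry = 5
findtime = 600
bantime  = 3600
```

Test the filter against your real log before enabling the jail: fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-magento-admin.conf prints how many lines match. If the store sits behind a reverse proxy or CDN, $remote_addr is the proxy's address; configure Nginx's real_ip module (set_real_ip_from / real_ip_header) first, otherwise Fail2Ban will ban the proxy instead of the attacker.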

5. Block or restrict to specific IPs /rss and /downloader

If you don't need Magento Connect (i.e. you install extensions with Composer or Git), block the Connect Manager entirely; it is a second administrative entry point with its own login form:

location ^~ /downloader/ {
    deny all;
}

If you're not using RSS (most likely), block its URLs in Nginx. This is an alternative to disabling the module with the .xml file above:

location ^~ /rss/ {
    deny all;
}
location ^~ /index.php/rss/ {
    deny all;
}

The ^~ modifier makes these prefix matches win over the regular-expression location that passes .php requests to PHP-FPM, so they work wherever they sit in the server block. Verify with curl -I https://your-store/downloader/ and expect a 403.

6. Admin panel. Whitelist admin IPs and block everyone else

We have a guide on protecting the Magento admin by whitelisting administrator IP addresses.

7. Enable two-factor authentication

  • Install and enable a two-factor authentication extension (Google Authenticator TOTP, SMS, etc.)
  • Or put the admin behind a VPN tunnel and block all other access to it (you will need to work with your hosting provider to set this up)

8. Ensure your chmod is set right.

We have a guide on setting permissions (chmod) in Magento 1.x the right way.
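As an added example, and not the guide referred to above, a script that resets a Magento 1.x document root to a conservative baseline and audits the result: directories 755, files 644, group-writable var/ and media/ (the trees Magento writes to at runtime: cache, sessions, logs and reports in var/, uploads and merged CSS/JS in media/), and app/etc/local.xml readable by owner and group only because it holds the database credentials. It assumes the files are owned by a deploy user and that PHP-FPM and Nginx run in that user's group; with a different layout, change the group-related lines. The mode_of helper uses GNU stat.

```shell
#!/bin/sh
# Added example, not the page's own guide. Assumes a deploy user owns the
# files and the web server runs in the same group.

# harden_perms ROOT: apply the baseline to a Magento 1.x document root
harden_perms() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # caches, sessions, logs, reports, uploaded images, merged CSS/JS
    for d in var media; do
        [ -d "$root/$d" ] && chmod -R g+w "$root/$d"
    done
    # keep database credentials away from other local users
    [ -f "$root/app/etc/local.xml" ] && chmod 640 "$root/app/etc/local.xml"
    return 0
}

# mode_of PATH: octal permission bits, for verification (GNU stat)
mode_of() {
    stat -c '%a' "$1"
}

# audit ROOT: list world-writable paths; empty output means clean
audit() {
    find "$1" -perm -o+w
}
```

Run harden_perms /var/www/magento and then audit /var/www/magento; anything the audit prints was made world-writable after the fact and deserves a look. Re-run both after every deployment, because extension installers and SFTP clients routinely leave 777 behind.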

9. Eliminate core hacks using n98-magerun

n98-magerun is an excellent utility for managing Magento from the CLI. It can also tell you whether your developer (or an attacker, for that matter) has modified core Magento files, which is where malware and careless "quick fixes" alike tend to end up.
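As an added example that does not use n98-magerun, the same check done by hand: hash every file of the installation's core tree and compare it with a pristine copy of the same Magento release (download the matching tarball and unpack it next to the installation). Any file that is added, removed or modified relative to the release is listed. All paths are assumptions, and make_fixture builds a constructed sample tree so the script runs without a real Magento checkout.

```shell
#!/bin/sh
# Added example, not n98-magerun's code. Compares two directory trees by
# SHA-256 and reports files that are added, removed or modified.

tab="$(printf '\t')"

# manifest DIR: "relative-path<TAB>sha256" for every file under DIR, sorted
# by path in the C locale so that join(1) accepts the order.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) |
        awk -v OFS="$tab" '{ h = $1; sub(/^[^ ]+ +/, ""); print $0, h }' |
        LC_ALL=C sort -t "$tab" -k1,1
}

# core_diff PRISTINE_DIR INSTALLED_DIR: prints "added|removed|modified <path>"
# for each file that is not byte-identical on both sides.
core_diff() {
    tmp="$(mktemp -d)" || return 1
    manifest "$1" > "$tmp/pristine"
    manifest "$2" > "$tmp/installed"
    # Outer join on the path; -e fills the hash of a missing side with MISSING
    LC_ALL=C join -t "$tab" -a 1 -a 2 -e MISSING -o '0,1.2,2.2' \
        "$tmp/pristine" "$tmp/installed" |
        awk -F "$tab" '$2 != $3 {
            if ($2 == "MISSING")      s = "added"      # only in the installation
            else if ($3 == "MISSING") s = "removed"    # shipped, but gone
            else                      s = "modified"   # on both sides, hash differs
            print s, $1
        }'
    rm -rf "$tmp"
}

# make_fixture DIR: constructed sample trees (not a real Magento checkout)
# with one untouched, one modified, one removed and one added core file.
make_fixture() {
    p="$1/pristine/app/code/core/Mage/Core/Model"
    i="$1/installed/app/code/core/Mage/Core/Model"
    mkdir -p "$p" "$i"
    printf '<?php // untouched\n'  > "$p/Abstract.php"
    printf '<?php // untouched\n'  > "$i/Abstract.php"
    printf '<?php // original\n'   > "$p/App.php"
    printf '<?php // tampered\n'   > "$i/App.php"
    printf '<?php // shipped\n'    > "$p/Config.php"
    printf '<?php // dropped in\n' > "$i/Observer.php"
}

# demo: run the check against the constructed fixture
demo() {
    fx="$(mktemp -d)"
    make_fixture "$fx"
    core_diff "$fx/pristine" "$fx/installed"
    rm -rf "$fx"
}
```

Against a real store, restrict the comparison to the core tree so that var/ and media/ do not drown the output: core_diff /path/to/magento-1.9.x-pristine/app/code/core /var/www/magento/app/code/core. An "added" file under app/code/core is never legitimate (customisations belong in app/code/local), and a "modified" one should match a known patch you applied; anything else is a core hack to investigate.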

10. Use EV SSL certificate

It is a common misconception that an EV certificate gives better transport security than a regular (DV or OV) certificate. It does not: the strength of the TLS connection depends on how the certificate is installed and how the server is configured (protocol versions, cipher suites, HSTS), not on the validation level.

Once you have taken all the security measures above, it is a good time to tell your users that your business is trustworthy. That is what EV validation attests: the certificate names a verified legal entity. Note that the green address bar this section was written for no longer exists; Chrome 77 and Firefox 70 removed the EV indicator from the address bar in 2019, so today the verified organisation is only visible in the certificate details.

EV SSL Appearance

Namecheap, for example, provides multi-domain EV SSL certificates.

11. Get rid of malware

Use Magento Malware Scanner (mwscan) to find malware in your website. It applies YARA rules written for known Magento skimmers and backdoors to the files of your installation. The commands below install it through our pip-safe tool and repoint the rule download location:

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm   # enable the GetPageSpeed repository
sudo yum -y install pip-safe                                             # isolated installer for Python CLI tools
sudo pip-safe --system install mwscan                                    # installs mwscan under /opt/pip-safe
# fix up rules location: point the ruleset downloader at a mirror of the rules
find /opt/pip-safe/mwscan/lib* -name ruleset.py -exec sed -i 's@mwscan.s3.amazonaws.com@www.getpagespeed.com/files@g' {} \;
mwscan /path/to/magento                                                  # scan the document root; matches are printed per file

Also set up Linux Malware Detect (maldet) on your CentOS/RHEL server for scheduled scans of the document root.

12. Work with trusted developers and set up Git workflow

It is crucial to work with trusted web developers. You also must:

  • set up a Git workflow so that every change is reviewed and deployed from the repository
  • disallow direct changes on the live website by developers (no editing over SFTP or on the server)

Otherwise you may end up with developer-planted malware such as magento1-core-observer.
