
Ultimate Magento Security Checklist



1. Proactively scan your store for Malware

You should always use the Sucuri scanner to identify compromises of your site. MageReport is another great resource. You should really use both.

2. Disable unused modules

Disable RSS

Open /app/etc/modules/Zzz.xml and paste in:

<?xml version="1.0"?> 
<config>
    <modules>
        <Mage_Rss>
            <active>false</active>
            <codePool>core</codePool>
            <depends>
                <Mage_Catalog/>
                <Mage_CatalogInventory/>
                <Mage_Sales/>
                <Mage_SalesRule/>
                <Mage_Wishlist/>
            </depends>
        </Mage_Rss>
    </modules>
</config>

3. Change name of admin panel

Edit app/etc/local.xml in your Magento installation and change the value in the section admin -> routers -> adminhtml -> args -> frontName.

4. Use adaptive request filtering

Fail2Ban is great. We set it up to secure all Magento installations.

5. Block or restrict to specific IPs /rss and /downloader

If you don’t need Magento Connect (e.g. because you install extensions via Git), block the downloader:

# Regex match on the Magento Connect downloader path; deny it for everyone
location ~ ^/downloader/ {
    deny all;
}

If you’re not using RSS (most likely), disable it via Nginx. This is an alternative to disabling it with the .xml file above:

location ~ ^/index\.php/?rss/ {
    deny all;
}
location ~ ^/rss/ {
    deny all;
}

6. Admin panel. Whitelist admin IPs and block everyone else

We have a guide to protecting the Magento admin panel.

7. Enable two-factor authentication

  • Install and enable 2-factor authentication plugin (Google Authenticator, SMS, etc.)
  • Use a VPN tunnel and block any other access to the services (you will need to work with your hosting provider to set up this method)

8. Ensure your file permissions (chmod) are set right

We have a guide to setting chmod in Magento 1.x the right way.
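To verify that items 2, 3 and 8 of this checklist actually took effect on a store, here is a small audit script. It is an added example, not code from the original post or from Magento; the function name and the sample local.xml / Zzz.xml contents are constructed here so it runs offline.

```python
"""Audit a Magento 1.x install against three checklist items: the Mage_Rss
module is disabled (item 2), the admin frontName is not the default (item 3)
and app/etc/local.xml is not group/world readable (item 8).
Added example, not code from the original post; the function and sample
file contents are constructed here so it runs offline."""
import stat
import xml.etree.ElementTree as ET

DEFAULT_ADMIN_FRONTNAME = "admin"  # what Magento ships with in local.xml


def audit_magento_config(local_xml, modules_xml, local_xml_mode):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # Item 3: admin -> routers -> adminhtml -> args -> frontName
    local = ET.fromstring(local_xml)
    node = local.find("./admin/routers/adminhtml/args/frontName")
    front = (node.text or "").strip() if node is not None else DEFAULT_ADMIN_FRONTNAME
    if front == DEFAULT_ADMIN_FRONTNAME:
        findings.append("admin frontName is the default 'admin'")
    # Item 2: Zzz.xml sorts last in app/etc/modules, so its <active>false</active>
    # wins over core's Mage_Rss.xml; anything else leaves the RSS routes reachable.
    modules = ET.fromstring(modules_xml)
    active = modules.find("./modules/Mage_Rss/active")
    if active is None or (active.text or "").strip().lower() != "false":
        findings.append("Mage_Rss module is not disabled")
    # Item 8: local.xml holds DB credentials and the crypt key; only the owner may read it
    if local_xml_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("app/etc/local.xml is readable by group or others")
    return findings


# Constructed sample files: a default (weak) store and its hardened counterpart.
WEAK_LOCAL_XML = """<?xml version="1.0"?>
<config><global/><admin><routers><adminhtml><args>
<frontName><![CDATA[admin]]></frontName></args></adminhtml></routers></admin></config>"""
WEAK_MODULES_XML = """<?xml version="1.0"?>
<config><modules><Mage_Rss><active>true</active><codePool>core</codePool></Mage_Rss></modules></config>"""
HARD_LOCAL_XML = WEAK_LOCAL_XML.replace("[admin]", "[backoffice-7f3k]")
HARD_MODULES_XML = WEAK_MODULES_XML.replace("<active>true", "<active>false")

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_LOCAL_XML, WEAK_MODULES_XML, 0o644)),
                        ("hardened", (HARD_LOCAL_XML, HARD_MODULES_XML, 0o600))):
        print(label, audit_magento_config(*args) or ["ok"])
```

On a real store, read the two files from app/etc and pass `os.stat("app/etc/local.xml").st_mode` as the third argument.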
