
Ultimate Magento 1.x Security Checklist


Note: Using Magento 2? Check our Magento 2 security checklist.

1. Proactively scan your store for Malware

Online scanners

Run the Sucuri SiteCheck scanner to look for signs of compromise (injected scripts, blacklisting, known malware) on your store, and MageReport, which checks whether Magento security patches are missing and whether known malware is present. They look for different things, so use both.

CLI scanners

Another free, Magento-specific command-line scanner is magescan. It can be installed from our repository:

yum install magescan

Additional CLI scanners are recommended for Magento 2:

2. Disable unused modules

Disable RSS

RSS is rarely needed by a store and, when enabled, adds public endpoints you do not use, so it is a good first module to switch off; the same file works as a template for any other core module you want to disable. Create app/etc/modules/Zzz.xml (module files outside the Mage_* set are merged after Mage_All.xml, so the <active>false</active> below overrides the core declaration) and paste in the following, then flush the configuration cache in System > Cache Management:

<?xml version="1.0"?> 
<config>
    <modules>
        <Mage_Rss>
            <active>false</active>
            <codePool>core</codePool>
            <depends>
                <Mage_Catalog/>
                <Mage_CatalogInventory/>
                <Mage_Sales/>
                <Mage_SalesRule/>
                <Mage_Wishlist/>
            </depends>
        </Mage_Rss>
    </modules>
</config>

3. Change the admin panel URL (frontName)

Edit app/etc/local.xml in your Magento installation and change the value under admin -> routers -> adminhtml -> args -> frontName from the default admin to something that cannot be guessed, then flush the cache; the old /admin/ path will no longer route to the back end. This keeps the login form away from scanners that try the default path, but it is obscurity rather than access control, so combine it with the IP whitelist in item 6 and strong, unique admin passwords.
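As an added example that is not code from this page, the following POSIX shell script checks whether a local.xml still carries the default admin front name and rewrites it safely. The element layout is Magento 1's; the sample local.xml, the replacement name backoffice_7f3a and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the GetPageSpeed page: check and change the
# admin frontName in app/etc/local.xml from a shell.  The element layout
# (admin -> routers -> adminhtml -> args -> frontName) is Magento 1's; the
# sample file, its values and the function names here are constructed.

# Write a constructed local.xml carrying the default front name into $1.
# A real local.xml also holds the install date, crypt key and DB settings,
# which are omitted here.
make_sample_local_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}

# Print the configured front name, with or without a CDATA wrapper.
admin_front_name() {
    sed -n 's:.*<frontName>\(.*\)</frontName>.*:\1:p' "$1" |
        sed 's:^<!\[CDATA\[::; s:]]>$::'
}

# Return 0 if the front name has been changed from the default, 1 otherwise.
check_admin_front_name() {
    name=$(admin_front_name "$1")
    case "$name" in
        ''|admin) echo "FAIL: admin frontName is '${name:-unset}' (the default is guessable)"; return 1 ;;
        *)        echo "OK: admin frontName is '$name'"; return 0 ;;
    esac
}

# Replace the front name in $1 with $2, keeping a .bak copy.  Only letters,
# digits and underscores are accepted, so the value can break neither the
# XML nor the sed expression.
set_admin_front_name() {
    case "$2" in
        ''|*[!A-Za-z0-9_]*) echo "refusing front name '$2'" >&2; return 1 ;;
    esac
    sed -i.bak "s:<frontName>.*</frontName>:<frontName><![CDATA[$2]]></frontName>:" "$1"
}

# Usage against a live store (flush var/cache afterwards):
#   check_admin_front_name /var/www/magento/app/etc/local.xml
#   set_admin_front_name   /var/www/magento/app/etc/local.xml backoffice_7f3a
```

The check is worth keeping in a deployment or audit script: a restore from an old backup, or a developer copying local.xml from a fresh install, silently brings the default back.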

4. Use adaptive request filtering

Fail2Ban watches log files for repeated failures from one address (admin login attempts, 404 probes, hits on /downloader) and bans that address in the firewall for a while, which blunts brute force and automated scanners without touching the application. We set it up to secure all Magento installations.
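The detection logic such a jail runs, as an added example that is not code from this page: it counts failed admin logins per client address over a few constructed nginx access-log lines. It assumes the admin frontName has been renamed to backoffice, that a failed Magento 1 admin login gets the login form back with HTTP 200 while a successful one redirects with 302, and that Magento 1 itself writes no failed-login log without an extension, so the web server log is the signal; the log lines, the threshold and the function names are constructed.

```shell
#!/bin/sh
# Added example, not code from the GetPageSpeed page: the detection logic a
# Fail2Ban jail for Magento 1 admin brute force would run, applied to a few
# constructed nginx "combined" access-log lines.  Assumptions: the admin
# frontName has been renamed to "backoffice"; a failed admin login POSTs to
# the admin landing URL and gets the form back with HTTP 200, while a
# successful login answers with a 302 redirect; Magento 1 itself writes no
# failed-login log without an extension, so the web server log is the source.

# Constructed log lines: six failures from one client, one failure followed
# by a success from another, and an unrelated GET.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /backoffice/index/index/ HTTP/1.1" 200 3519 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /backoffice/index/index/ HTTP/1.1" 200 3519 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /backoffice/ HTTP/1.1" 200 3519 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /backoffice/ HTTP/1.1" 200 3519 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /backoffice/index/index/ HTTP/1.1" 200 3519 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /backoffice/index/index/ HTTP/1.1" 200 3519 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:10 +0000] "POST /backoffice/index/index/ HTTP/1.1" 200 3519 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:25 +0000] "POST /backoffice/index/index/ HTTP/1.1" 302 5 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "GET /backoffice/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
EOF
}

# Read an access log on stdin and print "count ip" for every client whose
# failed admin logins reach the threshold ($1, default 5).  $2 is the admin
# frontName (default backoffice).
failed_admin_logins() {
    limit=${1:-5}
    front=${2:-backoffice}
    awk -v limit="$limit" -v front="$front" '
        # combined format: $1 client IP, $6 "METHOD, $7 request path, $9 status
        $6 == "\"POST" && $9 == 200 &&
        $7 ~ ("^/" front "/(index/index/?)?(\\?.*)?$") { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }'
}

# The same match written as a Fail2Ban filter (assumed frontName) for a jail
# that reads the nginx access log:
#   [Definition]
#   failregex = ^<HOST> - \S+ \[[^\]]+\] "POST /backoffice/(index/index/?)?(\?\S*)? HTTP/[0-9.]+" 200
#   ignoreregex =
```

The match is deliberately narrow (only POSTs to the admin landing URLs) so that a logged-in administrator filtering a grid, which also POSTs and returns 200, is not banned; widen it only after checking what your own admins' traffic looks like in the log.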

5. Block /downloader and /rss, or restrict them to specific IPs

If you don't need Magento Connect (i.e. you install extensions with Composer or Git), block the downloader entirely. The ^~ modifier makes this a prefix match that takes precedence over the regular-expression location handling .php files, so /downloader/index.php is denied as well. To keep the downloader usable from a trusted network instead, put one allow line per trusted address before deny all:

location ^~ /downloader {
    deny all;
}

If you're not using RSS (most stores are not), you can also block it in Nginx, as an alternative or in addition to disabling the module via the .xml file above. Both URL forms need covering, and these regex locations must come before the location that passes .php requests to PHP-FPM, because Nginx uses the first matching regex location:

location ~ ^/index\.php/rss/ {
    deny all;
}
location ~ ^/rss/ {
    deny all;
}

6. Admin panel: whitelist admin IPs and block everyone else

We have a guide on protecting the Magento admin.

7. Enable two-factor authentication

Magento 1 ships without 2FA, so this needs an extension; with it, a leaked or brute-forced admin password is no longer enough on its own.

8. Set file permissions (chmod) correctly

We have a guide on setting chmod in Magento 1.x the right way. Whatever the exact scheme, only var/ and media/ need to be writable by the web server user, and world-writable (777) permissions are never the right answer.

9. Eliminate core hacks using n98-magerun

n98-magerun is an excellent utility for managing Magento from the CLI. Among other things, it can tell you whether your developer (or an attacker, for that matter) has modified core Magento files. Edits to app/code/core are a maintenance and security liability: they are lost on upgrade, they escape code review, and a backdoor planted there looks just like a "fix". Move any legitimate change into app/code/local as an override or rewrite and restore the core file from the original release.
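A tool-free variant of the same check, as an added example that is neither this page's nor n98-magerun's code: it compares SHA-256 digests of app/code/core against a clean copy of the same Magento release (for instance the release tarball unpacked next to the store) and reports modified, added and deleted files. The directory layout is Magento 1's; the demo trees, their file contents and the function names are constructed.

```shell
#!/bin/sh
# Added example, not code from the GetPageSpeed page or from n98-magerun: a
# tool-free way to spot edited core files by comparing SHA-256 digests of
# app/code/core against a clean copy of the same Magento release.  The
# directory layout is Magento 1's; the demo trees and contents are constructed.

# Print "digest  ./relative/path" for every file under $1, sorted by path.
core_manifest() {
    ( cd "$1" 2>/dev/null || exit 0
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256sum "$f"; done )
}

# Compare app/code/core of a clean tree ($1) and the live store ($2) and print
# "M path" (modified), "A path" (added) and "D path" (deleted), sorted.
core_diff() {
    {
        core_manifest "$1/app/code/core" | awk 'NF { print "clean", $2, $1 }'
        core_manifest "$2/app/code/core" | awk 'NF { print "live",  $2, $1 }'
    } | awk '
        $1 == "clean" { base[$2] = $3; next }
        {
            if (!($2 in base))        print "A", $2
            else if (base[$2] != $3)  print "M", $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "D", p }
    ' | LC_ALL=C sort
}

# Build a clean tree and a "live" tree under $1 in which one core file was
# edited in place, one was dropped in and one was removed (all constructed).
make_demo_trees() {
    for side in clean live; do
        mkdir -p "$1/$side/app/code/core/Mage/Core/Model"
        printf '<?php\nclass Mage_Core_Model_App {}\n'   > "$1/$side/app/code/core/Mage/Core/Model/App.php"
        printf '<?php\nclass Mage_Core_Model_Store {}\n' > "$1/$side/app/code/core/Mage/Core/Model/Store.php"
    done
    printf '<?php\nclass Mage_Core_Model_App { /* edited in place */ }\n' > "$1/live/app/code/core/Mage/Core/Model/App.php"
    printf '<?php\n' > "$1/live/app/code/core/Mage/Core/Model/Extra.php"
    rm -f "$1/live/app/code/core/Mage/Core/Model/Store.php"
}

# Usage against a real store, with a clean unpacked release of the same version:
#   core_diff /tmp/magento-1.9.4.5-clean /var/www/magento
```

The baseline must be the exact same Magento version and patch level, or every patched file shows up as modified. This only covers core; malware is at least as likely to sit in app/code/local, app/code/community, js/, skin/ or media/, which is what the scanners in items 1 and 11 are for.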

10. Use an EV SSL certificate

It is a common misconception that an EV certificate provides better transport security than a regular (DV) certificate. It does not: the encryption is the same, and the security of the connection depends on how the certificate and TLS are installed and configured.

Once you have taken the security measures above, it is a good time to show users that the business behind the store has been verified. That is what an EV certificate adds: the CA has checked the legal entity, and its name appears in the certificate details. Major browsers used to show a green address bar or the company name for EV sites, but Chrome and Firefox dropped that indicator in 2019, so the visible benefit today is smaller than it was.

(Image: EV SSL appearance in the browser address bar)

Namecheap, for example, provides multi-domain EV SSL certificates.

11. Get rid of malware

Use the Magento Malware Scanner (mwscan), which runs YARA rules for known Magento malware over your document root:

# GetPageSpeed repository, which provides pip-safe
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install pip-safe
# install the scanner into its own isolated environment
sudo pip-safe --system install mwscan
# point the rule loader at the GetPageSpeed mirror of the rule set
find /opt/pip-safe/mwscan/lib* -name ruleset.py -exec sed -i 's@mwscan.s3.amazonaws.com@www.getpagespeed.com/files@g' {} \;
# scan the store's document root
mwscan /path/to/magento

Also set up Linux Malware Detect (maldet) on your CentOS/RHEL server for ongoing scanning of uploaded and changed files.

12. Work with trusted developers and set up a Git workflow

It is crucial to work with trusted web developers. You also must keep the code base in Git and deploy only from it, so that every change reaching the store is reviewed, attributable and easy to revert.

Otherwise, you may end up with developer-made malware like magento1-core-observer.
