In this part of the Magento 2 training, we put together a security checklist for Magento.
Magento has its own security system, and its structure is designed to protect against hacking, including brute-force attacks, but hackers always move a few steps ahead of security experts. On the other hand, every extension installed on Magento can put the overall security of the store at risk.
Magento Security Checklist
1. Continuous backup of the database and data
2. Change the admin address
3. Enable HTTPS / SSL
4. Use strong passwords for the admin.
A strong admin password is the foundation of your security. Passwords are often easy to guess because people use a phone number, a date of birth, or a few digits. A password is strong when it has the following characteristics:
- Your password should contain uppercase and lowercase letters, digits, and special characters.
- The minimum password length must be 10 characters.
- Do not use guessable passwords such as a phone number or date of birth.
- The password can be completely random; use password management software to manage your passwords.
- The Magento admin password must be different from your other personal passwords, so that if one of your other passwords is leaked, the admin account still stays secure.
- Change your password every 3 or 6 months.
5. Always use the latest version of Magento to maintain Magento security.
Because Magento is an open-source e-commerce platform whose code is available to the public, it is possible that a security bug will be found in Magento, and stores built with Magento are then threatened by that bug.
These bugs are usually detected and fixed within the first hour, but the problem is only solved for your store if you have updated Magento.
6. Check logs regularly:
Logs record the errors that occur in your store. By examining them, you can find problems in your store and fix them before anything happens. Logs are typically in <magento_root>/var/log.
7. Access to admin address only from specific IPs:
If you use a static IP, you can restrict access to the admin to a list of specific IPs. This can be done on your web server or through cPanel.
8. Use of the private email for admin
Usually, the email used for the admin and for the store is the same, so if your email is hacked, the hacker can use the "forgot password" function to recover and change your store password.
9. Using Antivirus:
Antivirus scans your server files to help you find any infected files. Run antivirus scans on the server files regularly.
10. Use antivirus:
Yes, use antivirus again, but this time on your own operating system. Hackers have several methods for gathering information; one of them is keyloggers that record what you type. Prevent this type of attack and similar attacks with a strong, up-to-date antivirus.
11. File access:
Normally, people who set up a server and Magento run into some problems. To reduce the cost of setting up a server, they start with Magento after a few searches and articles from the Internet without considering the consequences; in the end, they are very happy to have set up Magento, but sometimes an error on the server or a wrong permission will ruin your business, and you will face multiple costs to keep hackers out and to delete infected files. Do not use 777 permissions under any circumstances.
12. Disable dangerous PHP functions:
Some PHP functions allow command-line (terminal) commands to be executed from PHP code, which an attacker can abuse. It is better to disable these functions.
Change this line inside the php.ini file:
disable_functions = proc_open, phpinfo, show_source, system, shell_exec, passthru, exec, popen
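As an added example (not from the original post), a small Python audit for items 11 and 12: it parses php.ini text for the disable_functions directive and reports which of the dangerous functions listed above are still callable, and it walks a directory tree reporting anything with the world-writable bit set (as a 777 mode has). The Magento tree it audits is a constructed temporary directory, not a real install; DANGEROUS_FUNCTIONS is taken from the php.ini line above.

```python
import os
import stat
import tempfile
from pathlib import Path

# Functions item 12 of the checklist says to list in php.ini's disable_functions.
DANGEROUS_FUNCTIONS = frozenset([
    "proc_open", "phpinfo", "show_source", "system",
    "shell_exec", "passthru", "exec", "popen",
])


def parse_disable_functions(ini_text: str) -> set:
    """Return the function names in the last active disable_functions line."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a php.ini comment
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "disable_functions":
            value = value.strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_disable_functions(ini_text: str) -> list:
    """Dangerous functions the given php.ini still leaves callable."""
    return sorted(DANGEROUS_FUNCTIONS - parse_disable_functions(ini_text))


def world_writable_paths(root: str) -> list:
    """Files/directories under root writable by 'other' (e.g. mode 777), item 11."""
    hits = []
    for path in Path(root).rglob("*"):
        mode = path.lstat().st_mode
        if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo_permission_audit() -> list:
    """Audit a constructed mini Magento tree (not a real install) in a temp dir."""
    root = tempfile.mkdtemp(prefix="magento_audit_")
    for rel, mode in (("var", 0o755), ("var/cache", 0o777),   # 777: the bad practice
                      ("app", 0o755), ("app/etc", 0o750)):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    env_php = os.path.join(root, "app", "etc", "env.php")
    open(env_php, "w").close()
    os.chmod(env_php, 0o640)                                  # no world access
    return world_writable_paths(root)
```

Point world_writable_paths at a real Magento root to list every path that item 11 says should never exist; an empty list from missing_disable_functions means the php.ini matches the line above.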
13. Another security Magento tip is to get the extensions from reputable companies:
Note that a nulled (pirated) free extension is exactly like the saying "the cheese in a mousetrap is free". By installing a nulled extension, you create a backdoor for hackers, and your information and server easily fall into their hands.
Note that in most cases the hacking of your store has no symptoms; your store may have been hacked for months without you noticing.
Magento is popular with hackers because it runs on a server, and a server can be used for many other purposes,
for example phishing, DDoS attacks, or bitcoin mining. In any of these cases, you normally do not notice that the server has been hacked. We hope you have learned more about Magento security.