Magento 2 Security Audit Guide

[Image: Magento Security Audit in 2024]

Aside from Magento migration, one of the most important things about a Magento website is security. More people than ever are asking how they can keep their website safe. Many experts recommend that you perform a Magento Security Audit, or a Magento Security Scan.

There are many tools and services that can help you perform a Magento Security Audit, but you can save yourself money and time by making sure you have the right precautions in place to keep your website safe.

Below, I will list all the different ways that you can keep your Magento site safe from cyber attacks.

Create Your Own Magento Security Scan:

While it may seem like a lot of work to keep your Magento website safe, the following tips are here to help you figure out what to look for when creating a Magento security audit and keeping your website safe.

1. Migrate to Magento 2(.3)

Support for Magento 1 will end in June 2020. This means that as of June 2020, there will be no more security updates for Magento 1 and site owners will be left to secure their website on their own.

This can cause potential problems for Magento 1 site owners because their websites will now be more prone to cyber attacks.

Now that Magento will no longer be updating Magento 1 websites, those sites will stay with outdated technology.

Hackers will learn how to get past the outdated software and will then be able to access your website for whatever purpose they want.

Meanwhile, support for Magento 2.0.x users stopped in March 2018. This means that if you are on any variation of Magento 2.0.x, your website has not had a security update in about a year. This means your website has not received any new:

  • Security patches

  • Quality fixes

  • Documentation Updates

[Image: Magento 2.0 Release Notes]

Running an old version of Magento 2? Hire me to upgrade it to the latest version.

The best way to protect yourself against hackers is to migrate your Magento 1 site to Magento 2. You may even want to migrate to the latest version of Magento 2, which is Magento 2.3. This will ensure that your site maintains site performance, security, and PCI compliance. Some may say that the process is expensive and requires an expert, but it is entirely possible to do it yourself. If you still need help - contact an expert.

It is also important to note that after June 2020, since Magento will stop providing security updates for Magento 1, they will also stop providing tech support to site owners. This means that if your site does become the target of a cyber attack, you will be responsible for fixing your own site.

That means that migrating to Magento 2 is not a matter of if, but a matter of when.

2. Secure Hosting Environment and SSL Certificates

As we have covered before, your Magento hosting provider should be reliable. There is no way around it. Magento does not run well with a cheap hosting plan because cheap hosting plans tend to come with a small amount of space for both your website and your traffic.

Running Magento 2? See my post on what hardware M2 needs.

To get the amount of space that a Magento site requires, the best thing you can do is invest in a premium shared plan or consider a VPS. A VPS (Virtual Private Server) provides you with your own server space so that you have control over the size of your website.

Having a VPS gives you more freedom over your site, and the biggest benefit is that a VPS does not restrict you to a fixed set of software. You can install your software and set up your server as you please, which means you can use programs like Apache and NGINX, among others.

Struggling with a slow Magento site? Check out my guide on how to speed it up.

Another really important thing that a website should have is an SSL certificate. SSL certificates are a standard in keeping your website protected. They are essentially padlocks that establish a secure connection from the web browser to the server. This allows the server to protect things like credit card information, data transfers, and logins.

SSL Certificates are generally easy to get, but I advise you against getting a free one. Free SSL certificates are usually shared SSL Certificates, which are SSL Certificates that are shared by those using the same server. Shared SSL Certificates may not be validated by widely used browsers. This means that while you may have an SSL certificate, a browser might still display a “not secure” warning before showing content to a user. Paid SSL certificates, on the other hand, are usually supported by 99% of all browsers.

For a Magento website, the best SSL Certificate to have is one that is tailored to eCommerce websites. Generally, these are Paid SSL Certificates. They are not cheap, but they also come with DDoS protection networks. DDoS attacks threaten website security, data privacy and business operations.

3. Magento Security Patches

Magento Security Patches are designed to correct vulnerabilities in Magento’s system. The platform recommends that you apply every security patch as soon as it becomes available.

Because there are different ways to host a website and there are different ways to access a server, the platform created three different methods in order to install a patch. I will explain them below:

Use SSH:

Using Secure Shell (SSH) to install a patch is what Magento recommends you do. If you need help setting up SSH, you should contact your hosting provider.

  1. Upload your patch files to your installation folder

  2. Make sure the store compiler is disabled

  3. In the SSH console, run the following commands

    1. .sh extension:
      sh patch_file_name.sh

    2. .patch extension:
      patch -p0 < patch_file_name.patch

  4. Download or view app/etc/applied.patches.list to confirm that the patch was recorded as installed

Upload Pre-Patched Files:

  1. Download your Magento installation to your local machine

  2. Apply the patch locally

  3. Upload the updated files to your server

Run a Script:

This method is actually kind of difficult and requires a deeper understanding of Magento programming in order to accomplish. If you have difficulties with the other two methods, a Certified Magento Developer can help you install a patch through this method.

4. Monitor all Website Activity

Keeping track of what happens on your website is incredibly important to prevent cyber attacks. Magento has easy methods of monitoring your website activity.

If you have Magento Commerce, you can find a backend action log. To get to it, just do the following:

  • Admin → Stores → Settings → Configuration

  • Look for “Advanced” → Admin

  • Expand “Admin Actions Logging”

    • To enable admin logging (recommended), mark the checkbox

    • To disable admin logging, clear the checkbox

When you enable admin logging, you get a record of which admin user performed which action, so you can confirm that only your employees are working in the backend.

To monitor website activity on Magento Community, there are different backend action log extensions to choose from.

5. Limit Backend Access

If you have a large company, it is important to make sure you limit who has access to what. In the backend of Magento 2.3, you can assign roles by going to the backend and using the following instructions:

System → Permission → User Roles → Click “Administrators” → Role Information → Role Resources → Role Access → Custom

Your screen should look like the screenshot below.

[Screenshot: Magento 2 Admin User Permission Setup]

From there, you should be able to assign roles according to what you want your team to see.

For example:

  • You would want your Finance Team to be able to see sales, reports, and invoices.

  • You would want your Marketing Team to look at marketing, content, and reports.

  • You would want your Customer Service Team to have access to catalog and customers, and shipments.

However, you would never want any of these teams to see all of your site content.

So by limiting access, you ensure that everyone has access to the information they need, rather than to everything they might want to see.

[Screenshot: Magento 2 Backend Roles]

I should note, however, that once you assign a role to someone, it will be difficult for you to change access to where the person is allowed to go.

True story: I once had a client who was just trying to limit his accounting person’s access to the website, and the client ended up locking themselves out of the site. I had to create a whole new account for the client so that they could go back in and fix their mistake.

So, when assigning a role, double check to make sure the person has access to everything they need to have access to and make sure that you are assigning the role to the correct person.

6. Monitor Your Codebase and Files

From the moment you set up your website, I recommend that you monitor your Magento files. Looking through your initial files is important because you can check for any new or modified files right away.

Upon upgrading or installing your Magento website, ask your hosting provider to set up email notifications for your files. That way, if a new core file shows up or an existing core file has been tampered with, you will get an email notification right away.

If there is an unauthorized file or an unauthorized change to a file, you may feel free to contact your hosting provider and let them know.
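As an added example, not code from the post or from Magento, the following Python script implements the file monitoring described above: it hashes every file under the Magento root into a baseline, then reports files that were added, removed or modified since. The exclusion list (var, generated, pub/static, pub/media) and the tiny sample tree are assumptions constructed for the demonstration; the hosting provider's notification tooling is not modelled.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Runtime directories that change legitimately and should not trip the monitor
# (assumed exclusion list; tune it for your deployment).
EXCLUDED_DIRS = {"var", "generated", "pub/static", "pub/media"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every file below root (skipping EXCLUDED_DIRS) into {relative path: sha256}."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        # Prune excluded subtrees in place so os.walk does not descend into them.
        dirnames[:] = [
            d for d in dirnames
            if (d if rel_dir == "." else f"{rel_dir}/{d}") not in EXCLUDED_DIRS
        ]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed mini 'Magento root' showing the detector end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "etc").mkdir(parents=True)
        (root / "var" / "log").mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed sample core file\n")
        (root / "app" / "etc" / "env.php").write_text("<?php return [];\n")
        (root / "var" / "log" / "system.log").write_text("boot\n")
        baseline = build_baseline(root)

        # Simulate a tampered core file, an unexpected new file, and normal log growth.
        (root / "index.php").write_text("<?php // constructed sample core file -- tampered\n")
        (root / "app" / "unknown.php").write_text("<?php // unexpected new file\n")
        (root / "var" / "log" / "system.log").write_text("boot\nmore\n")  # ignored: under var/
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline off the web server (for example in your deployment pipeline) so that an attacker who modifies files cannot also rewrite the reference hashes; rerun the comparison on a schedule or after every deployment.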

7. Magento 2 Specific Security Configuration

The latest version of Magento, Magento 2.3, has a whole configuration section dedicated to security. I will explain each of the most important features below:

Password Resets

Magento has a lot of ways to ensure that user accounts are password protected. Below, I will go over each of the password features in the security section and explain what they all mean.

  • Password Reset Protection Type: This feature allows you to reset your password by email or by IP address. You may also have the option to reset your password through both methods.

[Screenshot: Password Reset Protection Type]

  • Recovery Link Expiration Period (hours): When a recovery link is sent to you, Magento gives you only a limited amount of time to use it. If it is not used within that timeframe, the link simply stops working.

[Screenshot: Recovery Link Expiration]

  • Max Number of Password Reset Requests: Users are only allowed a certain number of password requests per hour. The admin has total control over how many requests are allowed.

[Screenshot: Max Number of Password Reset Requests]

  • Min Time Between Password Reset Requests: If you requested a new password and it did not work, your admin may require you to wait five or ten minutes before you ask for a new password again.

[Screenshot: Min Time Between Password Reset Requests]

  • Password Lifetime (days): The admin may require their team to change their password after a certain amount of days. This method is actually pretty effective in warding off 3rd party cyber attacks.

[Screenshot: Password Lifetime]

  • Password Change: This feature lets the admin make sure that you cannot get past the “change password” page when your password has to be changed. If you disable this feature, you will only be recommended to change the password.

[Screenshot: Password Change]
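To make the password-reset settings above concrete, here is an added Python example (not Magento's own implementation) that enforces three of them together: a maximum number of reset requests per hour, a minimum time between requests, and an expiring, single-use recovery link. The tracking key can be an email address or an IP address, matching the Protection Type choice. The sample values (1 hour expiry, 3 requests per hour, 10 minutes between requests) are assumptions for the demonstration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ResetPolicy:
    # Sample values mirroring the three admin settings (assumed for this example).
    link_expiration_hours: int = 1     # Recovery Link Expiration Period (hours)
    max_requests_per_hour: int = 3     # Max Number of Password Reset Requests
    min_seconds_between: int = 600     # Min Time Between Password Reset Requests (10 min)


@dataclass
class ResetTracker:
    policy: ResetPolicy
    # key (email or IP, per the Protection Type setting) -> timestamps of recent requests
    requests: dict = field(default_factory=dict)
    # recovery token -> (key, time issued)
    tokens: dict = field(default_factory=dict)

    def request_reset(self, key: str, now: float):
        """Return (token, 'ok'), or (None, reason) when the policy refuses the request."""
        # Only requests from the last hour count towards the hourly limit.
        history = [t for t in self.requests.get(key, []) if now - t < 3600]
        if history and now - history[-1] < self.policy.min_seconds_between:
            return None, "too soon since last request"
        if len(history) >= self.policy.max_requests_per_hour:
            return None, "hourly request limit reached"
        history.append(now)
        self.requests[key] = history
        token = secrets.token_urlsafe(32)   # unguessable link token
        self.tokens[token] = (key, now)
        return token, "ok"

    def redeem(self, token: str, now: float) -> bool:
        """A recovery link works once, and only inside the expiration window."""
        entry = self.tokens.pop(token, None)   # pop: a second use of the same link fails
        if entry is None:
            return False
        _key, issued = entry
        return now - issued <= self.policy.link_expiration_hours * 3600


if __name__ == "__main__":
    tracker = ResetTracker(ResetPolicy())
    print(tracker.request_reset("user@example.com", now=0))
    print(tracker.request_reset("user@example.com", now=100))   # refused: too soon
```

Because the limit is keyed on email or IP, an attacker who rotates addresses is only partly slowed down; the link expiry and single-use rule are what keep a leaked or intercepted link from being useful later.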

Account Security

  • Add Secret Key to URLs: This feature gives your URL an additional 16 randomly generated characters so that hackers would not be able to go into your dashboard with just your URL. At the end of this post, I explain why this feature is important.

[Screenshot: Add Secret Key to URLs]

  • Login is Case Sensitive: This feature makes your team’s login information case sensitive.

[Screenshot: Login is Case Sensitive]

  • Admin Session Lifetime (seconds): Your admin has the power to control how long you can be logged in to your account. The minimum is one minute and the maximum is one year.

[Screenshot: Admin Session Lifetime]

  • Maximum Login Failures to Lockout Account: After a team member fails to log in a certain number of times, their account is locked.

[Screenshot: Maximum Login Failures to Lockout Account]

  • Lockout Time (minutes): This feature allows the admin to choose how long that team member can be locked out of the account.

[Screenshot: Lockout Time]

  • Admin Account Sharing: When this feature is enabled, employees can be logged into the same admin account from multiple devices at once. Disabling account sharing improves security.

[Screenshot: Admin Account Sharing]

[Screenshot: Security]

8. Add Captcha to Every Front-End Form

Spam and Brute Force attacks are not talked about as often as they should be. However, they are still very much a threat to your site security.

One way to defend your site against these attacks is to enable a captcha for every fillable form you have on your website. This includes:

  • Contact Us forms

  • Email Sign up forms

  • Order Confirmations

  • Customer logins

On Magento 2.3, captchas are built-in features and can be found through the following instructions:

Stores → Configuration → Customer → Customer Configuration → Captcha

[Screenshot: Captcha]

9. Use Two-Factor Authentication for Backend Users

At this moment, this feature is only available for Magento 2.3. Magento’s two-factor authentication ensures your website’s safety by adding an extra step in the login process to access Magento’s admin.

As the site owner, two-factor authentication allows you to:

  • Manage authentication settings from anywhere

  • Manage authentication settings for any user

  • Reset authenticators at anytime

  • Manage trusted devices from users

These factors ensure that you have total control of who enters your backend while allowing a safe login for your employees.

There are four different authenticators that you can use when you enable two-factor authentication.

  • Google Authenticator: Generate and enter a code from the mobile app

  • Authy: number code, touch ID, phone call

  • U2F Keys: requires a physical device to enable login

  • Duo Security: sends an SMS/Push Notification

10. Keep a Backup Handy

Keeping a backup of your website is essential to making sure your website is secure. Now, a backup website should be seen as a temporary solution to your website.

If your website has been hacked or is down for any reason, your backup should be able to take over while the website issues get fixed.

If your website runs on Magento 2, there is a backup system built into the program. To access the feature, you just have to do the following:

Stores → Configuration → Advanced → System → Backup Settings

Once you are there, your screen should look like the screen below:

[Screenshot: Backup Settings]

Notice that you have the option to enable backups and the option to schedule when a backup is made. With this option, you can create a website backup on a daily basis, meaning your website is backed up automatically and you do not have to worry about losing much website information.

However, if you feel more comfortable doing a manual backup, you are also given this option. All you would have to do is go to:

System → Tools → Backups → Any of the three orange buttons on the top right corner of the page.

[Screenshot: Backup Interface]

11. XSS Prevention

XSS (cross-site scripting) is a computer security vulnerability that allows hackers to inject harmful code into web pages. There are three main types of XSS, and it is important not to introduce any of them into your Magento code.

The best way to prevent XSS vulnerabilities from reaching your website is to apply all the latest security patches and to audit all of your site's 3rd-party extensions for XSS vulnerabilities.

It is important to remember that even a poorly coded custom module might open your website up for cyber attacks.
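The following is an added Python example (not Magento code, which does this in PHP through its Escaper class) showing the defect an extension audit is looking for and its fix: untrusted data such as a product name interpolated straight into HTML, beside the same data escaped for each output context (HTML body, HTML attribute, JavaScript string) with the link scheme restricted. The sample product name and link are constructed for the demonstration.

```python
import html
import json


def render_unescaped(product_name: str) -> str:
    """The vulnerable pattern: untrusted data dropped straight into markup."""
    return f"<h1>{product_name}</h1>"


def js_string(value: str) -> str:
    """JSON-encode for a JS context and also neutralise angle brackets so '</script>' cannot
    close the script block from inside the string literal."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def safe_url(url: str) -> str:
    """Allow only relative or http(s) links in href; anything else becomes an inert '#'."""
    return url if url.lower().startswith(("https://", "http://", "/")) else "#"


def render_escaped(product_name: str, link: str) -> str:
    """Escape per output context; the same data needs different encodings in each."""
    body = html.escape(product_name)                 # HTML body: < > & " '
    attr = html.escape(product_name, quote=True)     # attribute value: quotes matter
    href = html.escape(safe_url(link), quote=True)
    return (
        f"<h1>{body}</h1>"
        f'<a href="{href}" title="{attr}">View product</a>'
        f"<script>var productName = {js_string(product_name)};</script>"
    )


if __name__ == "__main__":
    name = 'Cable <b>Pro</b> & "Co"'   # constructed sample product name
    print(render_unescaped(name))
    print(render_escaped(name, "/catalog/product/view/id/1"))
```

When auditing a module, look for template output that bypasses escaping (raw echo of request or database data) and for data placed into a JavaScript or URL context with only HTML escaping applied; each context needs its own encoder.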

12. CSRF Protection

CSRF (Cross Site Request Forgery) attacks on Magento were actually fairly common in 2017. Because of this, Magento implemented secret CSRF tokens on any fillable form on a Magento website.

CSRF tokens mean that a forged request is rejected unless the attacker also knows the token value, which is tied to the victim's session.
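As an added Python example (not Magento's implementation, which calls this value the form_key), here is the per-session CSRF token mechanism the paragraph describes: one random key per session is embedded in every form as a hidden field, and every state-changing POST is rejected unless it carries the key that matches the session. A page on another origin cannot read the hidden field, so a request it forges arrives without the right value. The session identifiers are constructed for the demonstration.

```python
import hmac
import secrets


class FormKeyGuard:
    """Per-session CSRF token: issued into every form, required on every POST."""

    def __init__(self):
        self.sessions = {}   # session id -> form key

    def form_key_for(self, session_id: str) -> str:
        # One key per session, generated once, so all forms in that session share it.
        return self.sessions.setdefault(session_id, secrets.token_urlsafe(16))

    def hidden_field(self, session_id: str) -> str:
        """The hidden input the server renders into each form."""
        return f'<input type="hidden" name="form_key" value="{self.form_key_for(session_id)}">'

    def validate_post(self, session_id: str, posted_fields: dict) -> bool:
        """Accept a POST only if it carries the key that belongs to this session."""
        expected = self.sessions.get(session_id)
        submitted = posted_fields.get("form_key", "")
        if expected is None or not submitted:
            return False
        # Constant-time comparison so timing does not leak how much of the key matched.
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    guard = FormKeyGuard()
    print(guard.hidden_field("session-A"))
    print(guard.validate_post("session-A", {"qty": "1"}))   # forged request without key: False
```

The key must be compared against the session that made the request, never merely checked for presence; a key captured from the attacker's own session is worthless against anyone else's.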

The key to keeping your Magento site safe does not require you to become a full-blown hacker, but rather it does require you to know the simple things you can control so that you can keep your Magento website safe.

Do you want to know more about Magento website security? Feel free to reach out to me at any time. I am heavily experienced in keeping Magento websites safe. I would be more than happy to keep your Magento website safe.
