How to Secure Your Magento 2 Store in 2024?



Magento 2 is a powerful and popular e-commerce platform that offers many features and benefits for online merchants. However, with great power comes great responsibility, and Magento 2 store owners need to take security seriously to protect their customers, data, and reputation from cyberattacks. There are various ways to secure your Magento 2 store in 2024.

According to a report by Sucuri, Magento was the third most hacked e-commerce platform in 2021, accounting for 14% of all compromised websites. Hackers target Magento sites to steal sensitive customer information and credit card details, and to redirect payments to malicious gateways. A security breach can result in lost sales, fines, lawsuits, and damage to your brand image.

Fortunately, Magento 2 provides built-in security features and best practices that can help you reduce the risk of a security incident and keep your store safe and compliant. In this article, we will share some of the most important Magento security tips and tricks that you should follow in 2024.

Use the Latest Magento Version

One of the easiest and most effective ways to secure your Magento 2 store is to keep it updated with the latest version. Magento releases regular updates that include security patches, bug fixes, and performance improvements. These patches address known vulnerabilities and loopholes that hackers can exploit to compromise your site.

To check your current Magento version, you can log in to your admin panel and go to System > Web Setup Wizard > System Configuration. You can also use a tool like MageReport to scan your site for missing patches and outdated versions.

To update your Magento version, you can use the Web Setup Wizard or the command line interface (CLI). Before updating, make sure you back up your site and test the update on a staging environment first. You can also refer to the official Magento documentation for more guidance on how to update your site.

To get a free quote for updating your Magento 2 to the latest version, please get in touch with us.

Use Two-Factor Authentication

Another simple but effective way to secure your Magento 2 store is to use two-factor authentication (2FA) for your admin panel login. 2FA adds an extra layer of security by requiring a second factor of verification besides your username and password. This can be a code sent to your email or phone, a token generated by an app, or a biometric scan.

2FA makes it harder for hackers to access your admin panel even if they manage to steal or guess your credentials. It also helps you prevent unauthorized logins from other users who may have access to your account.

To enable 2FA for your Magento 2 store, you can use the built-in module that comes with Magento 2.4 or later versions.

To enable the built-in 2FA module, you need to go to Stores > Configuration > Security > 2FA. There you can choose which providers you want to use for 2FA, such as Google Authenticator, Authy, or Duo Security. You can also select which user roles need to use 2FA and configure other settings.

Set a Custom Path for the Admin Panel

By default, the URL for accessing the Magento 2 admin panel is /admin. This makes it easy for hackers to find and target your admin panel with brute force attacks or other methods. To make it harder for them to locate your admin panel, you should change the default URL to something more unique and obscure.

To change the admin panel URL, you need to edit the env.php file located in the app/etc folder of your Magento installation. You need to find the line that says 'frontName' => 'admin' and replace 'admin' with something else of your choice. For example, 'frontName' => 'mystore2024'. Save the file and clear the cache.

You can also change the admin panel URL from the admin panel itself by going to Stores > Configuration > Advanced > Admin > Admin Base URL. There you can enable the Use Custom Admin URL option and enter your desired URL in the Custom Admin URL field.

Acquire an Encrypted Connection (SSL/HTTPS)

Using an encrypted connection (SSL/HTTPS) is good practice not only for security but also for SEO and user trust. SSL stands for Secure Sockets Layer (its successor, TLS, is what servers actually negotiate today) and HTTPS stands for HyperText Transfer Protocol Secure, which is HTTP carried over that encrypted channel. Together they encrypt the data transmitted between your site and your visitors' browsers.

SSL/HTTPS protects your site from eavesdropping, tampering, and spoofing attacks that can compromise your customers’ personal and financial information. It also helps you comply with PCI-DSS requirements and boost your site’s ranking on Google.

To use SSL/HTTPS on your Magento 2 store, you need to obtain an SSL certificate from a trusted certificate authority (CA) such as Let’s Encrypt, Comodo, or DigiCert. You can also get a free SSL certificate from your hosting provider if they offer it.

To install and configure SSL/HTTPS on your Magento 2 store, you need to follow these steps:

•  Upload your SSL certificate files to your server and assign them to your domain name.

•  Log in to your admin panel and go to Stores > Configuration > General > Web.

•  Under Base URLs, change the Base URL from http:// to https://.

•  Under Base URLs (Secure), change the Secure Base URL from http:// to https://.

•  Enable the Use Secure URLs on Storefront and Use Secure URLs in Admin options.

•  Save the configuration and clear the cache.

Use Secure FTP

File Transfer Protocol (FTP) is a method of transferring files between your computer and your server. However, FTP is not a secure protocol, as it sends your login credentials and data in plain text. This means that hackers can intercept and steal your information or modify your files.

To prevent this, you should use SFTP (SSH File Transfer Protocol) or Secure Shell (SSH) instead of FTP. SFTP runs over SSH, so both encrypt your data and credentials in transit, making them far safer than plain FTP. They also offer more features and functionality than FTP, such as file permissions, compression, and key-based authentication.

To use SFTP or SSH on your Magento 2 store, you need to have access to your server’s SSH keys or passwords. You also need to use client software that supports SFTP or SSH, such as FileZilla, WinSCP, or PuTTY. You can then connect to your server using the SFTP or SSH protocol, your server’s hostname or IP address, your username and password or key, and the port number.


Use an Admin Action Log Extension

Another way to enhance the security of your Magento 2 store is to use an admin action log extension that tracks and records all the actions performed by your admin users. This can help you monitor and audit your admin activity, identify any suspicious or unauthorized actions, and prevent or recover from any data loss or damage.

An admin action log extension can also help you comply with GDPR and other privacy regulations that require you to keep a record of your data processing activities and inform your customers about them.

One of the best admin action log extensions for Magento 2 is Scommerce Mage Admin Action Log, which offers many features and benefits such as:

•  Logging all the actions performed by admin users on the Frontend and Backend of your store, such as login, logout, create, edit, delete, view, etc.

•  Displaying the details of each action, such as the user name, IP address, date and time, URL, module, controller, action, item ID, old and new values, etc.

•  Allowing you to filter, search, export, and delete the logs according to your needs

•  Sending email notifications to the store owner or other admin users when certain actions are performed

•  Restoring the data to its previous state in case of any accidental or malicious changes

•  Supporting multiple store views and languages

To use Scommerce Mage Admin Action Log on your Magento 2 store, you need to purchase the extension from their website and install it on your site. You can also refer to their user guide for more instructions on how to configure and use the extension.


By using Scommerce Mage Admin Action Log on your Magento 2 store, you can improve the security and accountability of your admin users and protect your site from any unwanted or harmful actions.
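Collecting admin actions is only half the job; someone has to look at the log. As an added example (not code from the Scommerce extension or from Magento), the script below runs four simple detection rules over a CSV export with the fields the list above describes (user, IP, date and time, module, action, item, old and new value): a login from an address the admin has never used, a change to a configuration path that affects URLs, payments or the admin itself, a delete outside working hours, and a burst of deletes within one minute. The log, the known-IP table, the sensitive path prefixes and the business hours are all constructed assumptions for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not real data). The 23:41 session is written to look like
# an admin account being used from an unfamiliar address to redirect the store.
SAMPLE_LOG = """\
timestamp,user,ip,module,action,item,old_value,new_value
2024-03-01 09:12:44,alice,203.0.113.10,admin,login,,,
2024-03-01 09:15:02,alice,203.0.113.10,catalog_product,edit,SKU-100,19.99,17.99
2024-03-01 23:41:10,alice,198.51.100.77,admin,login,,,
2024-03-01 23:41:30,alice,198.51.100.77,config,save,web/secure/base_url,https://shop.example/,https://evil.example/
2024-03-01 23:41:35,alice,198.51.100.77,config,save,payment/checkmo/title,Check / Money order,Wire to new account
2024-03-01 23:42:01,alice,198.51.100.77,customer,delete,1001,,
2024-03-01 23:42:02,alice,198.51.100.77,customer,delete,1002,,
2024-03-01 23:42:03,alice,198.51.100.77,customer,delete,1003,,
2024-03-01 23:42:04,alice,198.51.100.77,customer,delete,1004,,
2024-03-01 23:42:05,alice,198.51.100.77,customer,delete,1005,,
2024-03-01 23:42:06,alice,198.51.100.77,customer,delete,1006,,
"""

KNOWN_IPS = {"alice": {"203.0.113.10"}}                      # assumed: addresses this admin normally uses
SENSITIVE_CONFIG_PREFIXES = ("web/", "payment/", "admin/")  # assumed: config paths worth an alert
BUSINESS_HOURS = range(7, 20)                                # assumed store-local hours, 07:00-19:59
BURST_LIMIT, BURST_WINDOW = 5, timedelta(seconds=60)


def _finding(row: Dict[str, str], rule: str, detail: str) -> Dict[str, str]:
    return {"rule": rule, "user": row["user"], "ip": row["ip"],
            "time": row["timestamp"], "detail": detail}


def review_admin_log(text: str) -> List[Dict[str, str]]:
    """Apply the four detection rules to a CSV export of admin actions; one finding per hit."""
    findings: List[Dict[str, str]] = []
    recent_deletes: Dict[str, deque] = defaultdict(deque)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        user, ip, action = row["user"], row["ip"], row["action"]

        # Rule 1: login from an address not previously associated with this admin.
        if action == "login" and ip not in KNOWN_IPS.get(user, set()):
            findings.append(_finding(row, "login-from-new-ip", ip))

        # Rule 2: change to a configuration path that affects URLs, payments or the admin itself.
        if row["module"] == "config" and row["item"].startswith(SENSITIVE_CONFIG_PREFIXES):
            findings.append(_finding(row, "sensitive-config-change",
                                     f'{row["item"]}: {row["old_value"]} -> {row["new_value"]}'))

        if action == "delete":
            # Rule 3: destructive action outside working hours.
            if ts.hour not in BUSINESS_HOURS:
                findings.append(_finding(row, "delete-outside-hours", f'{row["module"]} {row["item"]}'))
            # Rule 4: sliding 60-second window of deletes per user; alert once at the threshold.
            window = recent_deletes[user]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) == BURST_LIMIT:
                findings.append(_finding(row, "mass-delete-burst",
                                         f"{BURST_LIMIT} deletes within {BURST_WINDOW.seconds}s"))
    return findings


def findings_by_rule(text: str) -> Dict[str, int]:
    """Summary count of findings per rule, handy for a daily report."""
    counts: Dict[str, int] = defaultdict(int)
    for f in review_admin_log(text):
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review_admin_log(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['ip']} {f['rule']}: {f['detail']}")
```

The rules are intentionally coarse; the point is that a log nobody reads adds accountability only after the fact, while a few lines of review run daily (or on every export) turn it into detection.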

Have an Active Backup Plan

Having an active backup plan is essential for any Magento 2 store owner, as it can save you from losing your data and business in case of a security breach, a server failure, a human error, or any other disaster. A backup is a copy of your site’s files and database that you can restore if something goes wrong.

You should backup your Magento 2 store regularly and store the backups in a safe and separate location, such as an external drive, a cloud service, or another server. You should also test your backups periodically to make sure they are working properly and can be restored without any issues.

To back up your Magento 2 store, you can use the built-in backup tool that comes with Magento 2. You can access it from System > Tools > Backups in your admin panel. There you can choose which type of backup you want to create: system backup, database backup, or media backup. You can also schedule backups to run automatically at certain intervals.

Disable Directory Indexing

Directory indexing is a feature that allows anyone to view the contents of a directory on your server if there is no index file (such as index.php or index.html) present. This can expose sensitive information about your site’s structure, configuration, and files to hackers who can use it to find vulnerabilities and exploit them.

To disable directory indexing on your Magento 2 store, you need to edit the .htaccess file located in the root folder of your Magento installation. You need to find the line that says Options +FollowSymLinks and add -Indexes after it.

For example:

Options +FollowSymLinks -Indexes

Save the file and clear the cache.
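Both the admin front name edit (in the Set a Custom Path for the Admin Panel section above) and the -Indexes edit are easy to get subtly wrong, for example a later Options line in .htaccess that re-enables indexing, or a deployment that restores the default front name. As an added example (not Magento's own code, and a regex rather than a PHP parser), here is a small audit that reads the text of app/etc/env.php and .htaccess and reports both problems. The file contents are constructed fragments in the shape of those files, and the list of "default" front names and the assumption that the server's own default is to allow indexing are both choices for this example.

```python
import re
from typing import List, Optional

# Constructed fragments in the shape of the two files the article edits; not from a real install.
SAMPLE_ENV_PHP = """<?php
return [
    'backend' => [
        'frontName' => 'admin'
    ],
    'crypt' => ['key' => 'REDACTED-PLACEHOLDER'],
];
"""

SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine on
</IfModule>
Options +FollowSymLinks -Indexes
"""

DEFAULT_FRONT_NAMES = {"admin", "backend", "administrator"}  # assumed: names too easy to guess


def admin_front_name(env_php: str) -> Optional[str]:
    """Pull 'frontName' => '...' out of env.php text. Regex only; enough for this audit."""
    m = re.search(r"""['"]frontName['"]\s*=>\s*['"]([^'"]+)['"]""", env_php)
    return m.group(1) if m else None


def indexes_enabled(htaccess: str) -> bool:
    """Evaluate Apache `Options` lines top to bottom.

    A line of bare options (`Options Indexes FollowSymLinks`) replaces the whole set;
    a line of +/- options adjusts it. Apache rejects mixed lines, so a line is treated as
    absolute unless every token carries a sign. Starting state is 'Indexes on', an assumed
    conservative default so that an .htaccess that never mentions Indexes is reported."""
    enabled = True
    for line in htaccess.splitlines():
        line = line.strip()
        if not line.lower().startswith("options"):
            continue
        tokens = line.split()[1:]
        relative = all(t[0] in "+-" for t in tokens)
        if not relative:
            enabled = any(t.lower() == "indexes" for t in tokens)
            continue
        for t in tokens:
            if t[1:].lower() == "indexes":
                enabled = t[0] == "+"
    return enabled


def audit(env_php: str, htaccess: str) -> List[str]:
    """Return human-readable problems; an empty list means both checks passed."""
    problems = []
    name = admin_front_name(env_php)
    if name is None or name.lower() in DEFAULT_FRONT_NAMES:
        problems.append(f"admin frontName is {name!r}: change it to a non-default value")
    if indexes_enabled(htaccess):
        problems.append("directory indexing enabled: add -Indexes to Options in .htaccess")
    return problems


if __name__ == "__main__":
    for p in audit(SAMPLE_ENV_PHP, SAMPLE_HTACCESS):
        print("FAIL:", p)
```

The last-directive-wins evaluation is the part worth keeping: the article's `Options +FollowSymLinks -Indexes` line only helps if nothing after it in the same file turns Indexes back on.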

Be Wise with Your Magento Password

Your Magento password is one of the most important security elements of your Magento 2 store, as it grants you access to your admin panel where you can manage everything related to your site. Therefore, you should be wise with your Magento password and follow some best practices such as:

•  Use a strong password that is at least 8 characters long and contains a mix of uppercase and lowercase letters, numbers, and symbols.

•  Avoid using common or predictable passwords such as “password”, “123456”, “admin”, or “Magento”.

•  Change your password regularly and do not reuse it for other accounts or sites.

•  Do not share your password with anyone or write it down somewhere where others can see it.

•  Use a password manager tool such as LastPass or Dashlane to generate and store your passwords securely.

Enable reCAPTCHA on Frontend and Backend

Another way to enhance the security of your Magento 2 store is to enable reCAPTCHA on your frontend and backend forms. reCAPTCHA is a service provided by Google that helps you prevent spam and bots from submitting fake or malicious forms on your site. reCAPTCHA works by asking the user to verify that they are human by solving a simple challenge, such as clicking on a checkbox, selecting images, or typing a code.

reCAPTCHA can help you protect your site from various forms of spam and abuse, such as:

•  Fake account registrations

•  Fake newsletter subscriptions

•  Fake contact inquiries

•  Fake reviews or comments

•  Fake orders or payments

•  Brute force attacks on your admin panel login

To enable reCAPTCHA on your Magento 2 store, you can use the built-in module that comes with Magento 2.4 or later versions.

To enable the built-in reCAPTCHA module, you need to follow these steps:

•  Register your site with Google reCAPTCHA and get the site key and secret key for your site.

•  Log in to your admin panel and go to Stores > Configuration > Security > Google reCAPTCHA Storefront/Google reCAPTCHA Admin.

•  Enable the reCAPTCHA type that you want to use for your frontend/backend forms, such as reCAPTCHA v2 (“I’m not a robot” Checkbox), reCAPTCHA v2 (Invisible reCAPTCHA badge), or reCAPTCHA v3 (Invisible reCAPTCHA badge).

•  Enter the site key and secret key that you obtained from Google reCAPTCHA.

•  Select the forms that you want to enable reCAPTCHA for, such as Create New Customer Account, Login, Forgot Password, Contact Us, etc.

•  Configure other settings such as the theme, size, position, language, score threshold, etc.

•  Save the configuration and clear the cache.

By enabling reCAPTCHA on your Magento 2 store, you can improve the security and usability of your site’s forms and protect your site from spam and bots.

Use an Anti-Spam Catalog Search Extension

Another way to enhance the security of your Magento 2 store is to use an anti-spam catalog search extension that prevents spam and bots from abusing your site’s search functionality. Spam and bots can use your site’s search feature to perform malicious activities such as:

•  Generating fake traffic and inflating your site’s analytics

•  Consuming your server resources and slowing down your site’s performance

•  Injecting malicious code or links into your site’s search results

•  Scraping your site’s content and data

•  Affecting your site’s SEO and ranking

An anti-spam catalog search extension can help you block spam and bots from using your site’s search feature by using various methods such as:

•  Captcha verification

•  IP address blocking

•  Keyword blocking

•  Search frequency limiting

•  Search result caching

One of the best anti-spam catalog search extensions for Magento 2 is Scommerce Mage Anti-Spam Catalog Search, which offers many features and benefits such as:

•  Blocking spam and bots from using your site’s search feature based on captcha verification, IP address, keyword, or search frequency

•  Allowing you to customize the captcha type, style, message, and position

•  Allowing you to whitelist or blacklist certain IP addresses or keywords

•  Allowing you to set the maximum number of searches allowed per IP address per minute

•  Caching the search results to improve your site’s speed and performance

•  Logging all the blocked searches and displaying them in a grid view

•  Sending email notifications to the store owner or other admin users when a search is blocked

•  Supporting multiple store views and languages

By using Scommerce Mage Anti-Spam Catalog Search on your Magento 2 store, you can improve the security and efficiency of your site’s search feature and protect your site from spam and bots.
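Two of the methods listed above, search frequency limiting per IP and keyword blocking, are simple enough to show in full. The following is an added example, not code from the Scommerce extension: a sliding-window limiter that allows at most N searches per address per 60 seconds, a blocklist of terms that have no business in a product search, an allowlist for addresses that should never be throttled, and a log of what was blocked (the grid and email notification the extension offers would be fed from that log). The limit, the blocked terms and the sample events are all constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

MAX_PER_MINUTE = 10                                   # assumed limit: searches per IP per minute
BLOCKED_TERMS = ("<script", "http://", "https://")    # assumed: markup and links are never valid queries


class SearchGuard:
    """Sliding-window rate limiter plus term blocklist for catalog search requests."""

    def __init__(self, max_per_minute: int = MAX_PER_MINUTE, allowlist: Iterable[str] = ()):
        self.max = max_per_minute
        self.allowlist = set(allowlist)
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_log: List[Tuple[float, str, str, str]] = []   # (time, ip, query, reason)

    def check(self, ip: str, query: str, now: float) -> str:
        """Decide one request: 'allow', 'blocked-term' or 'rate-limited'."""
        if ip in self.allowlist:
            return "allow"
        lowered = query.lower()
        if any(term in lowered for term in BLOCKED_TERMS):
            self.blocked_log.append((now, ip, query, "blocked-term"))
            return "blocked-term"
        window = self.windows[ip]
        while window and now - window[0] >= 60:      # drop requests older than the window
            window.popleft()
        if len(window) >= self.max:
            # Rejected requests are not added to the window, so a bot that keeps hammering
            # does not push its own earlier requests out and earn a fresh allowance.
            self.blocked_log.append((now, ip, query, "rate-limited"))
            return "rate-limited"
        window.append(now)
        return "allow"


def replay(events: List[Tuple[float, str, str]], max_per_minute: int = 3) -> List[str]:
    """Run constructed (timestamp, ip, query) events through one guard; return the decisions."""
    guard = SearchGuard(max_per_minute=max_per_minute)
    return [guard.check(ip, query, t) for t, ip, query in events]


# Constructed sample traffic: one address searching too fast, one sending markup.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.5", "red shoes"),
    (1.0, "198.51.100.5", "blue shoes"),
    (2.0, "198.51.100.5", "green shoes"),
    (3.0, "198.51.100.5", "black shoes"),                   # 4th within 60 s at limit 3
    (5.0, "203.0.113.9", "<script>alert(1)</script>"),
    (61.0, "198.51.100.5", "white shoes"),                  # first request has aged out
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

In a real deployment the per-address state would live in a shared cache (Redis or similar) rather than in process memory, and the client address must be the one determined after trusted-proxy handling, otherwise a forged X-Forwarded-For header gives every bot its own allowance.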


Eliminate Email Loopholes

Email is another common entry point for hackers who want to compromise your Magento 2 store. Hackers can use email phishing techniques to trick you into clicking on malicious links or attachments that can infect your computer with malware or steal your credentials.

To eliminate email loopholes on your Magento 2 store, you should follow some best practices such as:

•  Use a reputable email service provider such as Gmail, Outlook, or Zoho that offers spam filtering, encryption, and authentication features

•  Do not open or reply to suspicious or unsolicited emails that ask for your personal or financial information, or that urge you to take immediate action

•  Verify the sender’s identity and email address before clicking on any links or attachments

•  Use a different email address for your admin panel login than the one you use for your store’s contact or newsletter

•  Enable email encryption and digital signatures to protect your email communication from interception and tampering

Invest in a Sound Hosting Plan

Your hosting provider plays a crucial role in the security of your Magento 2 store, as it is responsible for storing and serving your site’s files and database. A poor hosting provider can expose your site to various security risks such as downtime, data loss, malware infection, or unauthorized access.

To invest in a sound hosting plan for your Magento 2 store, you should look for a hosting provider that offers:

•  Magento-specific hosting solutions that are optimized for performance, security, and compatibility with Magento 2

•  Dedicated or cloud hosting plans that offer more resources, control, and isolation than shared hosting plans

•  24/7 technical support and customer service that can help you with any issues or questions related to your site’s security

•  Security features such as SSL certificates, firewalls, malware scanning, backups, and DDoS protection

•  Compliance with PCI-DSS and other industry standards and regulations

Upgrade Operating System / PHP / MySQL Versions

Another way to enhance the security of your Magento 2 store is to upgrade your operating system (OS), PHP, and MySQL versions to the latest and supported versions. These components are essential for running your Magento 2 store and keeping it secure, fast, and stable.

Upgrading your OS, PHP, and MySQL versions can help you benefit from:

•  Security patches and bug fixes that address known vulnerabilities and issues

•  Performance improvements and optimizations that boost your site’s speed and efficiency

•  New features and functionalities that enhance your site’s capabilities and compatibility

•  Compliance with Magento 2 system requirements and recommendations

To upgrade your OS, PHP, and MySQL versions, you need to have access to your server’s command line interface (CLI) and follow the instructions provided by your OS, PHP, and MySQL vendors. You can also refer to the official Magento documentation for more guidance on how to upgrade your system components.

Before upgrading, make sure you back up your site and test the upgrade on a staging environment first. You should also check the compatibility of your Magento 2 version, extensions, and themes with the new OS, PHP, and MySQL versions.

By upgrading your OS, PHP, and MySQL versions, you can improve the security and performance of your Magento 2 store and keep it up to date with the latest standards and technologies.

Scan Your Magento Store for Malware Using Adobe

Another way to enhance the security of your Magento 2 store is to scan your site for malware using Adobe’s Magento Security Scan Tool. Malware is malicious software that can infect your site and cause various problems, such as:

•  Redirecting your site’s traffic to other sites

•  Displaying unwanted ads or pop-ups on your site

•  Stealing your site’s data or credentials

•  Damaging your site’s files or database

•  Affecting your site’s SEO and ranking

Adobe’s Magento Security Scan Tool is a free service that allows you to monitor your site’s security status and detect any malware or vulnerabilities on your site. The tool can help you:

•  Scan your site for over 16,000 known security risks

•  Receive email notifications and reports of any security issues found

•  Get recommendations and guidance on how to fix the issues

•  Compare your site’s security performance with other Magento sites

To use Adobe’s Magento Security Scan Tool, you need to follow these steps:

•  Register or log in to your Magento account at https://account.magento.com/scanner/dashboard

•  Add your site’s URL and verify your ownership by adding a verification code to your site’s DNS record or HTML file

•  Configure the scan settings, such as the scan frequency, email recipients, and security patches

•  Run the scan manually or wait for the scheduled scan to run automatically

•  Review the scan results and take action to resolve any issues

By scanning your Magento 2 store for malware using Adobe’s Magento Security Scan Tool, you can improve the security and integrity of your site and protect it from malware attacks.

Use IP Whitelisting for Your Admin

Another way to enhance the security of your Magento 2 store is to use IP whitelisting for your admin panel. IP whitelisting is a method of restricting access to your admin panel based on the IP address of the user. This means that only the users with the whitelisted IP addresses can access your admin panel, while others will be blocked.

IP whitelisting can help you protect your admin panel from unauthorized access, brute force attacks, phishing attempts, and other threats. It can also help you comply with PCI-DSS and other regulations that require you to limit access to your site’s data and systems.

To use IP whitelisting for your Magento 2 admin panel, you can use the built-in module that comes with Magento 2.4 or later versions.

To enable the built-in IP whitelisting module, you need to go to Stores > Configuration > Security > Admin Session Lifetime. There you can enable the Restrict Admin Access by IP Address option and enter the list of allowed IP addresses in the Allowed IPs field. You can also configure other settings such as the admin session lifetime and the lockout time.

By using IP whitelisting for your Magento 2 admin panel, you can improve the security and privacy of your admin users and protect your site from unauthorized access.
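Whichever module or web server rule enforces the allowlist, the decision it makes is the one below, and the detail that most often breaks it in practice is the client address: behind a load balancer the peer address is the balancer's, and the X-Forwarded-For header is only trustworthy if the request really came through your own proxy. The following is an added example, not Magento's module: it resolves the client address by walking the forwarding chain from the right and skipping only known proxies, then checks it against CIDR ranges (IPv6 works the same way through the ipaddress module). The allowed networks and the proxy range are assumed values for the example.

```python
import ipaddress
from typing import Mapping

# Assumed values for this example: the networks admins connect from, and the address range
# of the store's own reverse proxy or load balancer. Replace with your real ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.42/32")]
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",)]


def _is_trusted_proxy(addr: str) -> bool:
    """True if addr lies inside one of our proxy ranges. Raises ValueError on a malformed address."""
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Resolve the real client address behind optional proxies.

    X-Forwarded-For is honoured only when the direct peer is one of our own proxies;
    otherwise the header is attacker-controlled and ignored. The chain is walked from the
    right (the hop our proxy appended) and the first non-proxy hop is the client."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop):
            return hop
    return remote_addr          # header missing, or it lists only our own proxies


def is_admin_allowed(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Allow the admin request only if the resolved client address is in an allowed network."""
    try:
        ip = ipaddress.ip_address(client_ip(remote_addr, headers))
    except ValueError:
        return False            # malformed address anywhere in the chain: fail closed
    return any(ip in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    print(is_admin_allowed("203.0.113.7", {}))                                        # direct, allowed
    print(is_admin_allowed("192.0.2.1", {"X-Forwarded-For": "203.0.113.7"}))          # spoofed header, denied
    print(is_admin_allowed("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}))           # via our proxy, allowed
```

Failing closed on a malformed header is deliberate: a request that cannot be attributed to an address should not reach the admin login at all.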

Limit Password Lifetime and Set Forced Password Change

Another way to better secure your Magento 2 store is to limit the password lifetime and set forced password changes for your admin users. Password lifetime is the period of time that a password can be used before it expires and needs to be changed. Forced password change is a feature that prompts the user to change their password after a certain period of time or after a certain event.

Limiting the password lifetime and setting forced password change can help you prevent your admin passwords from being compromised, stolen, or guessed by hackers. It can also help you comply with PCI-DSS and other regulations that require you to change your passwords regularly and use strong passwords.

To limit the password lifetime and set forced password change for your Magento 2 admin users, you can use the built-in module that comes with Magento 2.4 or later versions.

To enable the built-in password management module, you need to go to Stores > Configuration > Advanced > Admin > Security. There you can configure the following settings:

•  Password Lifetime: The number of days that a password can be used before it expires

•  Password Change: The frequency of prompting the user to change their password, such as every login, every X days, or after the first login

•  Password Expiration Notification: The number of days before the password expires that the user will receive an email notification

•  Password Requirements: The minimum length and complexity of the password, such as the number of uppercase, lowercase, numeric, and special characters

•  Lockout Time: The number of minutes that an account will be locked out after a certain number of failed login attempts

•  Maximum Login Failures to Lockout Account: The number of failed login attempts that will trigger the account lockout

By limiting the password lifetime and setting forced password changes for your Magento 2 admin users, you can improve the security and accountability of your admin users and protect your site from unauthorized access.
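The settings listed above, together with the password best practices from the Be Wise with Your Magento Password section, describe a policy with three parts: what a password must look like, when it expires, and how many failures lock the account for how long. As an added example (not Magento's implementation of these settings), here is that policy written out as code, including the edge cases that matter: a correct password is still rejected while the account is locked, the failure counter resets on success, and an expired password logs in only to demand a change. The numeric values mirror the article's list but are assumptions for the example, as is the tiny common-password denylist.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values for this example (the article's settings, with illustrative numbers).
MIN_LENGTH = 8
PASSWORD_LIFETIME = timedelta(days=90)
MAX_LOGIN_FAILURES = 6
LOCKOUT_TIME = timedelta(minutes=30)
COMMON_PASSWORDS = {"password", "123456", "admin", "magento"}   # assumed tiny denylist

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_problems(password: str) -> List[str]:
    """Return every rule a candidate password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(pattern, password) for pattern in CHARACTER_CLASSES):
        problems.append("needs lowercase, uppercase, digit and symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common or predictable password")
    return problems


@dataclass
class AdminAccount:
    username: str
    password_changed_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None

    def password_expired(self, now: datetime) -> bool:
        return now - self.password_changed_at >= PASSWORD_LIFETIME

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_login(self, password_correct: bool, now: datetime) -> str:
        """Apply one login attempt and return 'ok', 'failed', 'locked' or 'password-change-required'."""
        if self.is_locked(now):
            return "locked"                    # even a correct password is refused during lockout
        if not password_correct:
            self.failures += 1
            if self.failures >= MAX_LOGIN_FAILURES:
                self.locked_until = now + LOCKOUT_TIME
                self.failures = 0              # counter restarts once the lockout expires
                return "locked"
            return "failed"
        self.failures = 0
        if self.password_expired(now):
            return "password-change-required"  # forced change: authenticated, but nothing else allowed
        return "ok"

    def change_password(self, new_password: str, now: datetime) -> List[str]:
        """Apply the complexity policy; only set the new password if it passes."""
        problems = password_problems(new_password)
        if not problems:
            self.password_changed_at = now
        return problems


if __name__ == "__main__":
    print(password_problems("Magento"))
    print(password_problems("Tr0ub4dor&3Store"))
```

Note that the lockout window starts at the attempt that crossed the threshold, not at the first failure, and that nothing here tells the caller whether the username exists; both the "failed" and "locked" outcomes should look the same to an outsider.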

Conclusion

Security is not something that you can ignore or neglect when running a Magento 2 store. Security is something that you need to prioritize and maintain on a regular basis to protect your site from hackers and cyberattacks.

By following the Magento security tips and tricks we shared in this article, you can improve the security of your Magento 2 store and keep it safe and compliant in 2024. Remember that security is an ongoing process that requires constant vigilance and updates.

If you need any help with securing your Magento 2 store or want to learn more about Magento security best practices, feel free to contact us at Scommerce Mage. We are a team of Magento experts who can help you with any Magento-related issues or questions. We hope you enjoyed this article and found it useful. Thank you for reading!
