Magento security: checklist to protect your store

Table of Content

Magento security: checklist to protect your store
Posted in: Magento 2 Guides

Security is a process, not a product.


According to eMarketer’s latest forecasts, worldwide business-to-consumer (B2C) ecommerce sales will increase by 20.1% this year to reach $1.500 trillion. E-commerce world is growing rapidly, and it’s natural that thousands of dedicated servers working 24/7 or private information, including financial data, are a honeypot for hackers. And this data can easily trap into villains’ hands if you won’t stick to the Magento security rules.

In this article we will dig into the most relevant and timely security points for Magento.

Hackers breach e-commerce websites:

  • to use it for phishing;
  • to use it for email spam;
  • to deface or damage your site:
  • to steal information they can use to their advantage.

The most important reason you need to protect your Magento store is that you should also protect the clients data. Of course, hackers may want to have your own information for several reasons (and industrial espionage too), but first things first you shouldn’t give them your customers’ private data, including payment details. If this data is compromised because of the hacker attack, it may seriously affect your reputation and credibility as well as harm your clients.

Welcome to use this Magento security checklist on your store.

1. Upgrade in time

Software updates bring you not only new features, but also bug and error fixes and elimination or removal of vulnerabilities. That is why it is extremely important to use the latest software versions available at the moment. It works both for Magento and the server software (remember about ShellShock?).

To update your operating system, use the following commands:

yum upgrade

Debian / Ubuntu

apt-get update
apt-get upgrade

2. Backup your Magento store regularly

You can’t be 100% secured from hackers, but there’s a certain way to feel safer: regular backups can save you from many issues. Regularly save backup copies, don’t even attempt to store them on the same server with the original website and regularly restore your copies on a sandbox to make sure they’re working well. Having your backup files on the same server with the original website is insecure not only because you need your copy to be safe if your server crashes, but also because if a hacker gets access to your server, he’ll also get his hands on the backup copy, which is, for sure, highly unwanted.

To download the free backup script and to read more tips on Magento backup feel free to read this article: How to backup a Magento store: tutorial + script

3. Use strong passwords for your Magento store

Did you know that 123456 was the most popular password in 2013, according to SplashData? Admin password is the last stand of your Magento store security. And you need it to be strong! Easy passwords can be brute forced, so use more than 10 characters, including upper and lower case, and special characters like $%!#^ as well, this way your password won’t be hacked as even with modern equipment it will take years to find a match.

I use KeePass, PWGen and APG for password generation.

4. Don’t use your Magento password anywhere else

In fact, this Magento security issue works with any password protected data you own. According to, more than 15% users choose identical passwords for more than one service. Too many people don’t know that using identical passwords for several logins in fact brings the risk of losing all of your accounts at once. Again: all your passwords must be unique. Don’t be lazy, stop reading for a moment and change them if they aren’t. We won’t tell anyone!

5. Don’t save or store passwords on your computer

A significant part of the Trojan software steals saved passwords. You have to be careful with FTP clients and browsers as passwords are stolen through these applications more often. Never ever save passwords using this software without the master password (a password that encrypts the rest of the passwords while saving access details). Ignoring this advice can lead to login data leaks.

I prefer to use KeePass for keeping passwords.

6. Change passwords regularly

Passwords shouldn’t be livelong. I advise to change passwords every 3-6 month. Even if your passwords have leaked (and even if the hacker haven’t used them), regular changeovers will make the previous leaked data useless. Make sure that passwords are changed for all the people that are using the website as well.

7. Use two-factor authorization

Even the safest password is useless if it can be stolen. To raise the level of security for your shop it is recommended to make use of any second authorization factor, for example, IP address. To restrict backend access, add the following lines to the VirtualHost section of Apache web server configuration (be careful - if you add these lines to .htaccess file it will cause an error):

    Order Deny,Allow
    Deny from All
    Allow from

If you're looking for a Magento two factor authentication solution, feel free to check the Amasty extension.

8. Utilize firewall

Setup firewall to deny public access to everything except web server. If you don’t have a permanent IP address to give access to it through the firewall, use VPN or Port Knocking technology.

In RHEL/CentOS the firewall settings can be found in /etc/sysconfig/iptables; when it comes to Debian/Ubuntu, use iptables-persistent (/etc/iptables-persistent/rules.v4).

Also you can install a web application firewall (such as Naxsi) to protect your store from SQL injections. Although Magento has a lot of code dedicated to guard you from injections, better safe than sorry.

9. Look for errors or suspicious activity in logs

Regularly audit Magento core web server logs and look for errors or suspicious activity. You may want to use Admin Actions Log Magento extension for that purpose, and it has been recently updated with the following features extremely important for web security:

  • You can set up a notification for a successful login attempt from an unusual country compared to previous logins.

Magento security: email suspicious logins

  • You can set up a notification for a lot of unsuccessful login attempts during the past hour, which can be a sign of breach attempt

Magento security: email unsuccessful logins

  • "403 Forbidden" status returned by failed login page in the backend, which makes easier to integrate with server security tools.

There is also a nice tool called Fail2ban. It scans log files and bans IPs showing the malicious signs (failed login attempts, seeking for exploits, etc). Generally Fail2Ban is used to update firewall rules to reject the IP addresses for a specified amount of time. The tool reduces the rate of incorrect authentications attempts.

10. Change backend URL

This method is more about security by obscurity, but can be useful as additional means of fighting against bots and brute force attacks. To change backend URL, edit app/etc/local.xml (admin / routers / adminhtml section).

We do not recommend changing the default admin URL using the native interface of the Magento admin panel.

Make sure the new URL is quite hard to guess. You also might want to clear your cache after these steps.

Then check your new URL and make sure that the old URL returns 404 error page.

11. Use HTTPS/SSL for backend

Using a public hotspot in a café or a mall you’re risking to suffer from MitM attack. To avoid that, employ safe connections for authorization. To start using SSL you don’t even need to buy a certificate! Just generate a self-signed certificate and make it a trusted one in your browser.

12. Forget FTP

FTP protocol was created when Internet was a newborn baby, and security wasn’t the issue at the times. Nowadays FTP usage is highly unwanted because authorization is performed with plain text and can be intercepted easily. Use SFTP protocol, as it will also relieve you from issues with IP streaming (NAT), for not everyone has a public IP for Internet usage. To configure SFTP for Magento, follow this guide.

13. Set baseline minimum access permissions

Always set minimum access permissions for web server activities. In Magento you need records in app/etc, media and var only, plus includes/ in case you use compilation. Extended rights may be needed for Magento Connect usage only.

The best combination from the magenti security audit point of view will be as follows: let the website source code belong to the first user (say, admin), and the web server will run the code with the second user (say, apache). Here’s an example of access settings for this combination:

chown -R admin:apache /path/to/your/magento
find /path/to/your/magento -type f -print0 | xargs -r0 chmod 640
find /path/to/your/magento -type d -print0 | xargs -r0 chmod 750
chmod -R g+w /path/to/your/magento/{app/etc,media,var}
# Only if compilation is used
chmod -R g+w /path/to/your/magento/includes

14. Use antivirus software

Use trusted antivirus software and regularly update it to the latest version, as they add fresh information about new scumware to their databases every day. This will add to your data protection and remove malware from your Mac or PC that steals information and sends it to hackers.

15. Block unwanted countries

If you’re not shipping worldwide, think of blocking other countries.

There’s a nice tool called GeoIP Legacy Apache Module which helps to allow, block or redirect users based on country. If you ship to US only, in this way you’re able to protect yourself from any attacks – for instance, a lot of malicious traffic comes from China, and by blocking it you prevent any breach attempts from Chinese IPs.

We do hope that these Magento security tips will keep your data safe and sound. Do you have any questions or just want to share your experience of Magento store protection? Also, for advanced Magento security issues, feel free to check the Magento Security Suite and Magento Security Service from Amasty.

April 18, 2016
May 2, 2016
April 17, 2016
November 21, 2014
Many thanks for the checklist. Was unpleasantly surprised that I missed a couple of points...
Ksenia Dobreva
November 24, 2014
Glad it was helpful!
March 9, 2016
> 10. Change backend URL This is hard way. What happened if my IP will be changed? And what about /downloader directory ? I usually use IOCheck Secure Module - very simple and strong protection /admin and /downloader directories.
April 19, 2016
Thank you for creating and sharing this checklist! Actually, I used to have just only one or two variants of password for everything till I’ve been hacked. KeePass is a nice source, but I prefer LastPass, cause it seems to be easier. I would like to improve my security, but at the same time I don’t want to complicate my life.
Alexandra Zhos
April 20, 2016
Thank you, Clark, for your feedback, by the way. There are a lot of passkeepers, and of course, opinions differ. It’s nice to hear that you have found your favorite one :)
June 13, 2016
12 of 15. Looks like a good result) Thank you for the article!
Alexandra Zhos
June 29, 2016
Hey, Jared, well done, just 3 points left! And thank you for your feedback
September 5, 2016
Thanks a lot! Actually, once I noticed that chinese traffic flooded our local brand store. I found out that more than 90% of this traffic were bots and web crawlers. So despite all business and ethical reasons, blocking access to the particular countries sometimes completely simplify the life.
Alexandra Zhos
September 10, 2016
Unfortunately, the low quality of traffic sometimes can confuse and waste your time. Hope that you solved this problem quickly.
Leave your comment

Your email address will not be published

This blog was created with Amasty Blog Pro

This blog was created with Amasty Blog Pro