How to run the Magento security scan independently?
Security is one of the most important concerns in e-commerce. Around 80% of users are reported to leave a site if it looks insecure, and in addition your store has to meet multiple legal requirements such as PSD2, CCPA and GDPR.
There are numerous open-source tools you can use to perform a simple security test.
First of all, you can check whether all critical Magento 1 or 2 security patches are in place. For this, you can use Patch Tester: enter your site URL and click the Run button to get the results. Unpatched areas are marked red or orange depending on the severity of the issue, while areas secured with patches are green.
So even if you’re not a tech specialist, you’ll be well informed about security test results.
Some retailers prefer not to install Magento 1 or 2 security patches as soon as they are released. As a rule, the release of a security patch is followed by a new Magento version that integrates it. A full upgrade, however, only makes sense if you plan to update your store anyway: it requires a detailed check of the store code, including the templates, to validate it against the new Magento code. If you don't plan a major update, it is better to apply the patches directly to save time and effort. Keep in mind that waiting for the next release leaves the store exposed to a publicly known vulnerability in the meantime, so the decision should be about how to patch, not whether to.
You can also go beyond this simple Magento security patch check with MageReport. This tool verifies whether the patches are in place and also tests your store for threats and vulnerabilities, such as:
- Exposure to brute-force attacks
- Cacheleak vulnerability
- Webforms vulnerability
- Unprotected development files
- Signs of ransomware
- Cryptojacking code
- SSL/TLS protection
This Magento security tool is user-friendly as well: all problematic areas are marked red or orange, while well-protected areas are green. MageReport can also run its security test against some third-party extensions.
Though these tools are handy and easy to use, they are not 100% accurate: they scan your store from the outside and have no access to its code, so they can only detect what is visible in the public responses. To make sure the store is really secure, ask your Magento developers to verify the results.
There is one more useful security checker: Security Scan, developed by Magento. The tool is free and monitors your store security continuously. Apart from patches, it checks the store configuration, reports potential vulnerabilities and suggests fixes. You can also enable an automated daily or weekly security check.
Let’s see how to configure Magento 2 Security Scan.
Step 1. Go to https://business.adobe.com and log in to your Magento account.
Step 2. Navigate to the Security Scan page and click on the Go to Security Scan button.
Step 3. On the new page - Monitored Websites, click on the +Add Site button. In case you have several Magento 2 websites, you need to enable the Security Scan tool for each separately.
Step 4. Provide your site URL and name, and generate a verification code in either META or HTML format. Then copy it.
Step 5. Next, sign in to your Admin panel and go to Content > Design > Configuration. Find your site there and click the Edit button.
Step 6. Open the HTML Head tab and add the generated code to the Scripts and Style Sheets section. Save the changes.
Step 7. Return to Magento Security Scan and click Verify Confirmation Code to confirm your ownership of the domain.
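A check worth running between Step 6 and Step 7: confirm that the verification tag is really served in the storefront's <head> before asking Security Scan to verify it. The script below is an added example, not code from the page or from Magento. It assumes the META format of the code and uses a hypothetical tag name and value (the real ones come from the Security Scan dashboard in Step 4); the three sample pages are constructed inline to stand in for fetched storefront HTML, and the optional network fetch is a plain `urllib` call.

```python
"""Check that the Security Scan verification tag is served inside <head>.
Added example; not part of Magento or of the original article."""
from html.parser import HTMLParser

# Hypothetical tag name: the real name and code are issued by the
# Security Scan dashboard and are not reproduced here (assumption).
VERIFICATION_META_NAME = "example-security-scan-verification"


class _HeadMetaCollector(HTMLParser):
    """Collects <meta> tags, remembering whether each sat inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.metas = []  # list of (inside_head, attrs dict)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta":
            self.metas.append((self.in_head, dict(attrs)))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def verification_tag_status(html: str, expected_code: str,
                            meta_name: str = VERIFICATION_META_NAME) -> str:
    """Return "ok", "outside_head", "wrong_code" or "missing".

    "ok":           <meta name=... content=expected_code> is inside <head>.
    "outside_head": the tag exists but sits in <body>, e.g. pasted into a
                    CMS block instead of HTML Head > Scripts and Style Sheets.
    "wrong_code":   the tag is present but carries a different code, e.g. the
                    code issued for another site in a multi-site setup.
    "missing":      no such tag at all; typical causes are saving in the wrong
                    design scope or a cached page served before the change.
    """
    parser = _HeadMetaCollector()
    parser.feed(html)
    candidates = [(in_head, attrs) for in_head, attrs in parser.metas
                  if attrs.get("name") == meta_name]
    if not candidates:
        return "missing"
    if any(in_head and attrs.get("content") == expected_code
           for in_head, attrs in candidates):
        return "ok"
    if any(attrs.get("content") == expected_code for _, attrs in candidates):
        return "outside_head"
    return "wrong_code"


# Constructed sample pages standing in for fetched storefront HTML.
SAMPLE_OK = """<!doctype html><html><head><title>Shop</title>
<meta name="example-security-scan-verification" content="abc123">
</head><body><p>Welcome</p></body></html>"""

SAMPLE_IN_BODY = """<!doctype html><html><head><title>Shop</title></head>
<body><meta name="example-security-scan-verification" content="abc123">
<p>Welcome</p></body></html>"""

SAMPLE_STALE = """<!doctype html><html><head><title>Shop</title></head>
<body><p>Welcome</p></body></html>"""


def check_live_site(url: str, expected_code: str) -> str:
    """Fetch the storefront home page and run the status check on it."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=15) as resp:  # real network call
        body = resp.read().decode("utf-8", "replace")
    return verification_tag_status(body, expected_code)


if __name__ == "__main__":
    for label, page in (("ok", SAMPLE_OK), ("in body", SAMPLE_IN_BODY),
                        ("stale", SAMPLE_STALE)):
        print(f"{label}: {verification_tag_status(page, 'abc123')}")
    # For a real store: print(check_live_site("https://example.com/", "abc123"))
```

If the result is "missing" right after saving in the admin, check that you edited the design configuration for the correct website or store view and that the full-page cache has been flushed, then fetch the page again before clicking Verify Confirmation Code.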
After that, you will be able to track your store, analyze security risks and receive security notifications directly in your Magento account. If you have multiple websites on different domains, you can track all of them from one dashboard.
Though the tool was made for Magento 2, it can be used to test Magento 1 stores as well. Some adjustments are needed, but detailed instructions are provided. Another advantage of the Magento scanner is that it does not affect store performance: only the verification tag is added in the admin, while the scan itself runs remotely against the public site.
Another way to raise your security level is our all-in-one security solution, which protects your store from hacking and fraud. With this tool, you can enable two-step authentication, receive notifications about suspicious logins, track your admins' actions, set user roles and specify their permissions, and more. You can also check our Security Service.