How to Keep Your Magento Site Safe From Attacks


Any store or shop is exposed to the risk of burglary, and the usual answer is to employ security guards and install CCTV. A Magento ecommerce site faces similar risks, with one added difficulty: the culprits are anonymous and hard, if not impossible, to apprehend.

These culprits are after your users' data, or they want to spam your site or use it for phishing. Magento ships with a few security features, but we also apply the methods below and make sure they are implemented on all the Magento sites we run.


Keep Magento versions up to date

If you haven't yet, now is the best time to update to the latest Magento version, 1.8. Newer versions usually contain fixes for the issues you experience on older ones. It's also best to get notified when a newer version is released, so you can keep your shop on track.

To do this, your site needs to be running version 1.7.0.2 already. Assuming it is, here is how you upgrade to 1.8.

First you need to enable maintenance mode:

cd /magento_folder
#for example: cd /var/www/magento
touch maintenance.flag

Back up your database and folders. You can create the backup manually or use our Magento Backup extension.

a) Manual backup (database and folders):

mysqldump -u [magento_user] -p[magento_database_password] [magento_database_name] > magento_database_name_backup_date.sql
# for example: mysqldump -u dbuser -pdbpassword magento_db > magento_db_backup_01012013.sql
# note: a password given with -p is visible to other users in the process list; a ~/.my.cnf readable only by you avoids that
tar -cvf magento_backup_date.tar /magento_folder
# for example: tar -cvf /var/www/magento_backup.tar /var/www/magento
cp -R /your_magento_folder /your_magento_backup_folder
# for example: cp /your_magento_folder/magento_backup.tar /your_magento_backup_folder

b) Backup using Mageplace Backup extension (more about this later)

c) Proceed with upgrade

cd /magento_folder
rm -rf var/cache/* var/session/*
# temporary: lets ./mage write everywhere during the upgrade; these permissions are reverted below
chmod -R 777 /magento_folder
chmod 550 ./mage
./mage mage-setup .
./mage config-set preferred_state stable
./mage list-installed

The last command should list the expected Magento modules as follows:

Installed package for channel 'community':

Lib_Js_Ext 1.7.0.0 stable
Lib_LinLibertineFont 2.8.14.1 stable
Lib_Js_TinyMCE 3.4.7.0 stable
Lib_Js_Calendar 1.51.1.1 stable
Lib_Phpseclib 1.5.0.0 stable
Lib_ZF 1.11.1.0 stable
Lib_Js_Prototype 1.7.0.0.4 stable
Lib_ZF_Locale 1.11.1.0 stable
Mage_All_Latest 1.7.0.2 stable
Interface_Adminhtml_Default 1.7.0.2 stable
Interface_Frontend_Default 1.7.0.2 stable
Interface_Install_Default 1.7.0.2 stable
Mage_Downloader 1.7.0.2 stable
Mage_Centinel 1.7.0.2 stable
Interface_Frontend_Base_Default 1.7.0.20 stable
Phoenix_Moneybookers 1.3.2 stable
Mage_Compiler 1.7.0.2 stable
Magento_Mobile 1.7.0.2.23.1 stable
Mage_Core_Adminhtml 1.7.0.2 stable
Mage_Core_Modules 1.7.0.2 stable
Lib_Varien 1.7.0.2 stable
Lib_Google_Checkout 1.7.0.2 stable
Lib_Js_Mage 1.7.0.2 stable
Mage_Locale_en_US 1.7.0.2 stable
Lib_Mage 1.7.0.2 stable

If no modules were listed, you'll need to install them first, using:

./mage install http://connect20.magentocommerce.com/community Mage_All_Latest --force

If your Magento modules were listed, use the following commands:

./mage list-upgrades
./mage upgrade-all

When the process is complete you'll see a list of modules marked 'already installed', 'package upgraded' and so on. Then reindex and make sure your permissions are set back to normal:

php shell/indexer.php reindexall
chmod -R 644 ./*
find . -type d -exec chmod 755 {} \;
chmod 550 ./mage

d) Verification

Also check that all third-party extensions on your site are compatible with the new Magento version before moving to 1.8.0.0.

It is possible that some of them will not work on the upgraded Magento version. In that case you'll need to contact the developer or find a replacement.

e) Go live

cd /magento_folder
rm -f maintenance.flag
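The maintenance-flag, backup and permission-reset steps above, wrapped as shell functions. This is an added example, not code from the original post or from Magento; it assumes the first argument is the Magento document root and that the tree is reverted to 644/755 with mage at 550, as described above.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the maintenance-mode,
# backup and permission-reset steps of the upgrade. $1 is assumed to be the
# Magento document root, e.g. /var/www/magento.

# Magento serves its 503 maintenance page while maintenance.flag exists in the root.
magento_maintenance_on()  { touch "$1/maintenance.flag"; }
magento_maintenance_off() { rm -f "$1/maintenance.flag"; }

# Date-stamped archive of the code tree (the tar step of the manual backup).
# Usage: magento_backup_tree /var/www/magento /var/backups   -> prints archive path
magento_backup_tree() {
    out="$2/magento_backup_$(date +%Y%m%d).tar"
    tar -cf "$out" -C "$(dirname "$1")" "$(basename "$1")" && printf '%s\n' "$out"
}

# Revert the temporary "chmod -R 777" used around ./mage upgrade-all:
# files back to 644, directories to 755, the mage CLI to 550.
magento_reset_perms() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
    if [ -f "$1/mage" ]; then chmod 550 "$1/mage"; fi
}

# Succeeds only when nothing under the tree is still world-writable,
# i.e. the upgrade-time 777 has really been reverted.
magento_perm_check() {
    [ -z "$(find "$1" -perm -002 -print | head -n 1)" ]
}
```

Run magento_perm_check after every upgrade; a non-zero exit means a world-writable file or directory was left behind.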


Use two-factor authentication extension

There are a few extensions that deliver two-factor authentication, so that password-related Magento security risks are no longer your only line of defence.

Rublon is an excellent two-factor authentication extension that adds an extra layer of protection: it only allows trusted devices to access the Magento backend, confirmed through a smartphone app. Rublon requires the Rublon mobile app and is free at http://www.magentocommerce.com/magento-connect/rublon.html


Hide your admin page

The default URL for the admin area of a Magento site is www.my-site.com/admin, which makes it very easy for attackers to find the login page and start guessing passwords.

You can change your admin path by replacing admin with another word. First locate and open /app/etc/local.xml. Find the admin front name there and replace it with your preferred word.
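The local.xml change described above, done from the shell so that only the admin front name is touched. This is an added example, not code from the original post or from Magento; it assumes the stock Magento 1 element <frontName><![CDATA[admin]]></frontName> in app/etc/local.xml, and the new name "shop_console_7f3a" used in the test is a made-up placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): change the Magento 1 admin front
# name in app/etc/local.xml. Assumes the stock element
#   <frontName><![CDATA[admin]]></frontName>
# and rewrites only that element, so other occurrences of the word "admin" in
# the file (for example a database user name) are left alone.

# Usage: magento_set_admin_path /path/to/app/etc/local.xml newname
magento_set_admin_path() {
    f="$1"
    new="$2"
    # Only letters, digits and underscores make a safe front name, and the
    # default "admin" is refused because keeping it defeats the purpose.
    case "$new" in
        admin|"") return 2 ;;
        *[!A-Za-z0-9_]*) return 2 ;;
    esac
    # Fail loudly if the element is not in its stock form (already changed?).
    grep -q '<frontName><!\[CDATA\[admin]]></frontName>' "$f" || return 3
    sed 's|<frontName><!\[CDATA\[admin]]></frontName>|<frontName><![CDATA['"$new"']]></frontName>|' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print the front name currently configured, to verify the change.
magento_get_admin_path() {
    sed -n 's|.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*|\1|p' "$1"
}
```

After the change, flush the Magento cache and update any bookmarks or redirect rules that still point at /admin.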


SSL Certificates

All data a user transmits online can be intercepted and misused if it reaches the wrong hands. Online stores require confidential user data, and nobody wants that information stolen.

SSL certificates ensure that data is transmitted securely over an HTTPS connection whenever sensitive information is requested from the user. You can tell it is in use by the padlock icon in the address bar and the HTTPS prefix of the URL.


How to Purchase

Log in to the Magento admin. In the My Magento Go Stores section of your account dashboard, locate your store name and click the Purchase SSL button.

Select the SSL provider you prefer from the dropdown list. Choose an option for the Extended Validation and Duration/Term fields. Click Next.


Fill out the Organizational Info section with the correct contact details of your business.

Make sure you enter the name of the right person in charge of your everyday store operations in the Admin contact section. You can use the same info you entered in the previous section by clicking on the checkbox. When done click the Continue button.

Select the payment option you prefer. Once you have made sure the billing address is correct, proceed by clicking on Continue.


You can verify certificate options and other information in the SSL Order review section before placing your order.

After clicking on Place Order, your account dashboard will show a notification like Custom SSL Pending Approval.


Changing your DNS Settings:

You need to change the “A Record” of your custom URL so it points to the new IP address. The process for this step may be different depending on your DNS manager or registrar.

Commit the changes on “A Record” by clicking on Confirm DNS Change. The status and expiration date of your SSL certificate is published on your account dashboard.


Magento configuration

Log in to your Magento admin and navigate to System > Configuration.

In the General tab on the left, click the Web link. This opens a page full of options, but you only need to make changes on the Secure tab.

Set both Use Secure URLs in Frontend and Use Secure URLs in Admin to YES. This will apply SSL security on those parts of your site.


Disable directory indexing

Disabling directory indexing is another way to harden your Magento site. Once it is disabled, the directory listings that reveal where your site's files are stored are hidden, which keeps attackers from browsing their way to your Magento installation's core files. Note that anyone who already knows the full path of a file can still request it directly.


Limit unsecured FTP access

If you do have to connect through regular (non-secure) FTP for some accounts (e.g. to upload photos), limit those accounts to a narrow set of directories. You can then use .htaccess and httpd.conf to prevent scripts from running in those directories, so an uploaded script cannot change other files and directories on the server that should not be reachable through that FTP account.

If you have access to the httpd.conf file on your server, this is the best method of preventing scripts from running in a specific directory. Place this code in your httpd.conf file, inside a <Directory> block for the directory in question (the path below is a placeholder):

<Directory "/path/to/ftp_upload_directory">
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
</Directory>

If you don't have access to httpd.conf, you'll have to use .htaccess. Include the following code in the .htaccess file of the directory you want to restrict:

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Because .htaccess does not support <Directory> blocks, the .htaccess file must be placed in the directory you want to affect. For the same reason you should set the permissions of the .htaccess file to 444 (read-only) to prevent modifications to it. You may also want to chown the file so the permissions cannot be changed. This method isn't fool-proof, but it's a good start to preventing rogue scripts from wreaking havoc.

Important: placing this code in a directory's .htaccess file will prevent scripts from running in that directory and all sub-directories.


Restrict admin access to only approved IP addresses

You can use .htaccess to limit access to your admin area. In the .htaccess file for your admin directory (details below), place the following code in order to block access to all IP addresses except those specifically listed:

AuthName "Protected Area"
AuthType Basic

order deny,allow
deny from all
allow from 11.111.111.11
allow from 22.2

"allow from 11.111.111.11" allows the specific IP address 11.111.111.11
"allow from 22.2" allows a range of IP addresses beginning with 22.2

Now for the admin directory. Magento's admin URL path is not a physical directory, it's just a symbolic link. To get started, create a directory with the same name as your admin path. The presence of this new physical directory will override the symbolic link, rendering your admin area inaccessible. To solve this, you need to copy your index.php file into your new admin directory. Then you have to change the paths within index.php to two files (includes/config.php and app/Mage.php) to account for the fact that the relative path has changed as a result of the new duplicate index.php file in the admin directory. Assuming your admin directory is just one level down from your root directory, the two lines you need to change will look like this:

...
$compilerConfig = '../includes/config.php';
...
$mageFilename = '../app/Mage.php';
...

Once you've done this, you can drop your .htaccess file in your new physical admin directory and access your admin like this: http://www.[your-site].com/[your-admin-directory]/index.php/[your-admin-path]

There's one more step, though. The admin URL can still be accessed through /index.php/admin. You need to disable this so that anybody who knows you're running Magento can't exploit this fact. Here's how I did this:

Add this code to your site's root .htaccess file:

Redirect permanent /index.php/admin /admin/index.php/admin
Redirect 301 /index.php/admin /admin/index.php/admin

There is a downside to restricting access based on IP: if you travel a lot you may find this method very inconvenient as you'd have to manually add each new IP address or IP range to the .htaccess file in order to gain access.
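One added example, not code from the original post, that scripts the three .htaccess measures from the sections above (disabling directory indexing, blocking script execution in an FTP upload directory, and the IP allow list for the admin directory) so they are written consistently and locked to mode 444. The directory paths and IP values are placeholders; it assumes Apache 2.2 syntax as on this page and that AllowOverride permits Options and Limit for these directories.

```shell
#!/bin/sh
# Added example (not from the original post): generate the .htaccess files
# described above and make them read-only. Apache 2.2 syntax, as on this page.
# Assumptions: AllowOverride permits "Options" and "Limit" here; on Apache 2.4
# the Order/Deny/Allow lines need mod_access_compat (or use "Require ip").

# Accept only a dotted IPv4 address or prefix such as "22.2".
valid_ip_prefix() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# FTP upload directory: no directory listing and no script execution
# (the AddHandler + -ExecCGI trick from the page), then lock the file.
write_upload_htaccess() {
    {
        echo 'Options -Indexes -ExecCGI'
        echo 'AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi'
    } > "$1/.htaccess" && chmod 444 "$1/.htaccess"
}

# Admin directory: deny everyone except the listed addresses or prefixes.
# The page's AuthName/AuthType lines are left out: without AuthUserFile and
# "Require valid-user" they enforce nothing.
# Usage: write_admin_htaccess /path/to/admin 11.111.111.11 22.2
write_admin_htaccess() {
    dir="$1"; shift
    [ $# -gt 0 ] || return 2          # an empty allow list would lock you out
    for ip in "$@"; do valid_ip_prefix "$ip" || return 2; done
    {
        echo 'Options -Indexes'
        echo 'order deny,allow'
        echo 'deny from all'
        for ip in "$@"; do echo "allow from $ip"; done
    } > "$dir/.htaccess" && chmod 444 "$dir/.htaccess"
}

# True when the file has exactly mode 444, as the page recommends.
is_read_only() {
    [ -n "$(find "$1" -prune -perm 444 -print)" ]
}
```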