How to Secure a Magento 2 Online Store?
According to Statista, people spent more than $3.5 trillion through ecommerce websites in 2019 alone. The projections suggest the figures will continue to grow, and, unsurprisingly, quite a few people have started thinking about launching an online shop of their own.
Naturally, website security is one of their prime concerns…
Being one of the most popular ecommerce platforms in the world, Magento 2 is at the heart of many ecommerce projects today. The open-source platform is extremely versatile and very efficient in handling small and large online shops alike.
Managing an online shop can be a very profitable venture, but you have to be aware of the associated risks.
Why Is Securing a Magento Website So Important?
There’s no beating around the bush here – ecommerce websites are among hackers’ favorite targets.
In most cases, before you buy something online, you need to register an account and hand over some personal information. There’s already an incentive for cybercriminals to steal this data and use it for all sorts of fraudulent activities.
Most online purchases also involve entering credit card details – another thing the hackers are interested in. Some online shop owners save themselves the trouble of securing credit card data and opt to have a payment processor handle the transactions.
This is far from enough, though.
With the right access level, hackers can steal precious billing information by setting up fake pages that mimic the payment processor’s interface.
In the worst-case scenario, the consequences for customers are enormous, but they’re even more devastating for the shop owner. The damage to the brand and website reputation is often irreparable, and subsequent lawsuits can bury the entire project.
Magento Core Security
Magento is owned by Adobe – a company that can’t afford to overlook security. There is a dedicated security team that validates all Magento-related products according to the Open Web Application Security Project (OWASP) standards. The team regularly scans the entire code base and issues patches whenever a vulnerability pops up.
Adobe employees aren’t the only ones finding holes in Magento 2’s security. A generous bug bounty program encourages independent security researchers to help with identifying and fixing vulnerabilities.
All in all, there’s a great deal of effort to ensure that one of the world’s most popular ecommerce applications is as secure as possible.
Does this mean that you, as a website owner, can sit back and relax, though?
The answer is a firm No. As an online store owner, keeping your website and user data well protected is as much your responsibility as your host’s.
Let’s see how you can do that.
How to Secure a Magento 2 Website?
Protecting a website is a never-ending process that requires the ability to adapt to a constantly changing landscape.
In the next few paragraphs, we’ll give you a few essential steps that should act as a foundation for a truly secure Magento 2 online shop.
Keep Magento 2 Up-To-Date
Remember the dedicated security team and the third-party researchers who regularly examine Magento’s code to find security vulnerabilities?
In addition to them, theme and extension developers also put a lot of effort into keeping their products bug-free.
New versions of the Magento core and its add-ons are critical in the fight against hackers. They bring essential fixes to security problems that would normally expose your website to cybercriminals.
You have to keep in mind – updating Magento 2 or one of its extensions might cause compatibility issues, which is why it’s always best to run the updates in a testing environment first. This way, you can identify and fix any potential issues before pushing the new version to production.
Activate Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is the most widely recognized method for improving account security.
It’s so popular that with Magento 2.4, Adobe added this functionality directly into the app’s core. Right now, you can activate the option without the need to install additional extensions.
What’s so special about 2FA, though?
Two-factor authentication introduces a second step in the user authentication process. In addition to the username and password, you’ll also need to enter another piece of information or perform an extra action.
Depending on the type of 2FA you’ve configured, the second factor could be a unique code, a smartphone notification, or even a special physical device attached to your key ring. Its job is to ensure that even if someone steals your login details, they still won’t be able to compromise your account.
Magento’s 2FA system gives you the following providers to choose from:
- Google Authenticator
- U2F Tokens
- Duo Security
Adobe did an excellent job of explaining how they all work in Magento’s documentation. Setting up 2FA with all four providers is very easy, and, considering the significant security benefits, there’s little reason not to activate it.
Make Regular Backups
No matter the size and scope of your ecommerce project, you always have to plan for the worst. Even if someone manages to compromise your website, you need to have a backup plan to restore everything as quickly as possible.
Magento used to have a built-in backup feature in the Admin Panel. But with the launch of Magento 2.3, Adobe announced the feature’s deprecation, urging users to consider alternative backup solutions.
You can look through the various options and extensions. Whichever tool you pick, keep in mind it’s always best to store backups offsite, preferably on a remote server.
Your hosting provider can also help you at this stage.
Any dependable host will integrate a reliable backup solution into your hosting package and give you an easy way to restore backed-up data.
For example, if you host your site on ScalaHosting’s Magento plans, you will have access to daily backups for the last seven days at any given time. Restoring files and databases is as easy as submitting a request to our support team.
Activate Google reCAPTCHA
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. You may have seen it as the “I am not a robot” checkbox or the “Select all images with fire hydrants” challenge that you sometimes face before accessing a specific web page.
It’s one of the most effective ways of stopping automated scripts from spamming your comments section or launching brute-force attacks.
reCAPTCHA is Google’s CAPTCHA system, and, luckily, Magento 2 supports it out of the box.
Before you can activate it on your site, you need to create an account first. After you’ve registered your page, you can go back to the Magento 2 admin dashboard and tweak the options.
You can put a CAPTCHA challenge in various places throughout the website, including the customer login and Forgot Password pages, the contact form, the product review section, etc.
Use a Custom Admin Panel URL
If hackers want to compromise your Magento 2 admin account, they need to know not only what your login credentials are but where to enter them as well. The least you can do is leave them guessing.
By default, the login URL for your Magento store looks like this:
Any user with some knowledge of the ecommerce platform knows that. Fortunately, Magento 2 gives you a couple of options for changing the URL, thus putting a spoke in the hackers’ wheel.
It’s possible to do it by editing the /app/etc/env.php file, but most of you will probably find it easier to modify it from the Configuration section of the Magento 2 admin panel.
This is by no means a surefire method to keep hackers away, but it can slow them down, which can often be exactly what you need to react.
Apply IP Restrictions
Better still, restrict access to the administrative panel from outside addresses altogether.
All that’s needed is a small modification in the main configuration file (.htaccess if you use Apache and nginx.conf if you use Nginx). You can determine which IP addresses have access to the admin URL and which don’t. Because the restrictions are applied on a server level, getting around them is practically impossible.
The only downside of this particular security measure is that managing your website while you’re on the move is going to be a bit of a hassle.
Disable Directory Indexing
Directory indexing can be a problem for any website, not just ecommerce shops.
In simple terms, this is a server configuration that allows outside users to view your website’s file and folder structure. That’s hardly ideal even for a simple personal blog, but when it comes to an ecommerce website, such data leakage can be devastating.
Fortunately, modifying the .htaccess file is usually enough to rectify the issue, and there are plenty of tutorials out there that can give you the exact steps.
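The following .htaccess fragment is an added example, not code from the original article or from Magento itself. It covers both server-side steps above (restricting the admin URL by IP and disabling directory indexing) for Apache 2.4; it assumes that AllowOverride permits Options and authorization directives in .htaccess, and that the admin frontName was changed to the placeholder `shop-console-x7`.

```apache
# Added example (not from the original article): an Apache 2.4 .htaccess
# fragment placed in the Magento 2 document root.
# Assumptions: AllowOverride allows Options and authz directives here, and
# the admin frontName is "shop-console-x7" (a placeholder, use your own value).

# 1. Disable directory indexing. A request for a folder that has no index
#    file now returns 403 instead of listing the folder's contents.
Options -Indexes

# 2. Allow the admin URL only from trusted addresses. Magento serves
#    /<frontName>/... through index.php, so the rule matches the request URI
#    rather than a physical directory; the check runs before the rewrite.
<If "%{REQUEST_URI} =~ m#^/shop-console-x7(/|$)#">
    # Placeholder addresses from the RFC 5737 documentation ranges; replace
    # them with your office or VPN egress addresses. Everyone else gets 403.
    Require ip 203.0.113.0/24 198.51.100.7
</If>
```

If the shop sits behind a CDN or reverse proxy, enable mod_remoteip first so that Require ip evaluates the real client address rather than the proxy's. The Nginx equivalent is a location block for the same path with allow/deny directives.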
Magento Security Extensions
The above precautions are far from the only steps you can take to secure your Magento website. They’ll only work if you combine them with other best practices, like using unique and strong passwords and installing an SSL certificate to encrypt users’ data.
Naturally, many of you may turn to third-party extensions when boosting the security of a Magento 2 website. Why wouldn’t you? Instead of doing tons of manual work, you can simply install a plugin that does all the tedious tasks for you.
This is indeed a compelling prospect, but you shouldn’t forget that putting too many extensions on your Magento 2 website could result in unwanted side effects.
Because of all this, you might want to adopt a more conservative strategy toward security extensions for Magento 2. Research them well, see what they can do, and figure out whether you can easily perform the same tasks manually.
ScalaHosting and Magento
The role of the hosting provider in securing a Magento-based website shouldn’t be underestimated. A poorly configured server can undo a lot of the work you’ve put into protecting your online shop and its customers.
At ScalaHosting, we know very well how vital the hosting environment can be, so we’ve put all our experience and expertise into making sure your website will perform reliably and securely on our Magento hosting plans.
We have a team of trained Magento specialists who have optimized our servers to offer the best possible performance and security for Magento 2 websites. Every account comes with a dedicated firewall and custom security rules, specifically optimized for the popular ecommerce application.
The Magento hosting packages also include SShield – a security system we developed in-house. It employs artificial intelligence that identifies 99.998% of all attacks on the server. If it detects a successful breach, SShield alerts you immediately so you can take the appropriate actions in a swift manner.
As an ecommerce website owner, you are facing quite a few security challenges. You’re responsible for storing a lot of sensitive personal and billing data, which immediately makes you a more attractive target for cybercriminals.
Magento 2 can help you a lot in that respect.
It has all the features needed to create a secure online store, and third-party extensions bring additional functionality and security.
Is Magento 2 secure?
Magento 2 wouldn’t have been one of the most widely used ecommerce platforms if it didn’t offer adequate security. With the right configuration, its built-in features can help you secure most small to medium online shops. A few additional tricks, and you can ensure a truly safe environment for a Magento 2 store of any size.
Are Magento online stores more vulnerable to cyberattacks?
In general, online shops tend to process and store more sensitive data than other website types, making them a lucrative target for cyberattacks.
Since Magento 2 is one of the most popular ecommerce systems on the planet, you could argue that it’s a bit more likely to fall into the hackers’ sights. Fortunately, the platform has enough features to fend off the most common attacks.
How can my hosting provider help with my Magento store security?
A secure hosting environment is crucial for the success of any online project. If your online shop is to stay safe, your host needs to properly configure its servers, set up firewalls, deal with backups, and take many other precautions to protect your website.