When it comes to building a successful e-commerce website, there is a vital need to pay special attention to your site security. Magento is a top choice for e-commerce sites, and if you have chosen Magento to power your site, you should also be diligent about security. There are many facets to online security. But here we are bringing the top five tips to enhance security on your Magento site.
Security patches and software upgrades
Staying up to date is essential, mandatory and compulsory. Truly, this point cannot be stressed hard enough! Magento brings about security patches every now and of course, you need to apply them immediately. These patches are developed to deal with the latest security risks that Magento comes across and therefore you must use them to protect your e-commerce site.
You should also update all software that you use too. Such upgrades and updates apply to:
- Your operating system
- Anti-virus software
- Magento platform itself
If you were to look at the reasons why e-commerce sites get hacked, the top reason is that they did not apply the latest security patch. This leads to the identity theft which takes a huge toll on your business and in most cases, leads to the closure of the business itself. Your website’s identity and your customers’ identities need to be protected from theft.
At every level, you will use passwords to manage your e-commerce site. Isn’t it? It is worth it to keep all passwords unique and change them frequently, too. Restrict the knowledge of these passwords.
Passwords-passwords all the way
- FTP passwords – use SFTP or Secured File Transfer Protocol and secure passwords which allow you the use of a private key to authenticate every user.
- Magento passwords – be unique, be creative. Most of all never use one-password-for-it-all.
- Two-factor authentication is essential even if you have the world’s best passwords.
- Change your passwords after you have worked with developers from outside the organisation.
You can also reduce the risk of being hacked with the use of login and password for every each web page. This is related to the use of SSL/HTTPS for every web page which will make it necessary for the person to use the login credentials for each page.
Customised admin path
Typically, you would access your admin panel for your website by going to ‘my-site.com/admin’. This is a huge vulnerability because a hacker can access your admin page easily and then go about trying to guess your passwords. The use of the word ‘admin’ is the specific point of vulnerability. You have to change the conventional admin path to a customised one.
Here is how you do it:
Step 1 – Locate and open – /app/etc/local.xml
Step 2 – Find- CDATA[admin]]>
Step 3 – Replace the word ‘admin’ with something unique and hard to guess.
Again, do not go with something as simple as your website’s name. Make it as hard to guess as your password.
It is good to remember that brute force attacks can render the admin panel open to hackers. Therefore, restrict admin access to only approved internet addresses. You should also use two-factor authentication process even for accessing the admin panel.
This point was touched upon briefly, but here is why you should invest in encrypted connections. Every single time you type in your login and password credentials, you leave yourself potentially open to a hacker’s greedy fingers! One of the ways in which you can deal with this is to use HTTPS/SSL for your login pages.
This is how you do it:
- Select the tab ‘Use Secure URLs’ which you will find in the system configuration menu. This will change your URL from ‘http://…’ to ‘https://…’
- Get compliant with PCI norms.
- Get SSL certification which will also help you with the above point.
- You should also select ‘Use Secure URLs in front-end’ tab.
- The ‘Use Secure URLs in Admin’ tab as well.
- Remember to choose the ‘Save Config’ option.
Use an encrypted text format file to save all your passwords. You only need to remember a master password to access this file.
Where do you share your email address? The answer is ‘everywhere’. Isn’t it? Social media, your email newsletter campaigns and business cards, too. This is one way in which hackers can gain access to your site.
Use a secure and private email address. Your admin email address should be private – known only to you or your team members who have admin access. This simply means that you have a separate email address for public use.
When you want your customers to reach you, you give them an email that says ‘firstname.lastname@example.org’ but for accessing your site’s admin panel, you have ‘email@example.com’ (or some other equivalent).
Two separate email ids for different purposes is the way to go. Again, do not use the same passwords for every email id that you use when it comes to controlling your content on the site.