If I apply any recommended security patches from Magento Connect - is that all I need to do in terms of security for Magento, or are there other plugins that need to be installed to really harden the Magento security?
I've been reading some information online and of course there are a number of different opinions on best security plugins, including two factor authentication as a recommendation.
What would be the minimum security Magento needs, beyond the core security patches?
I have the latest version of Magento installed, which includes the 5 August security patch.
IMHO I wouldn't install third-party extensions to improve Magento's security as many third-party extensions have loopholes themselves which can increase your security risk.
Here's what I will suggest:-
1. Make sure to use only the minimum required file permissions. If your server doesn't require insecure permissions like 666 or 777 (for example if the server uses SuPHP or SuExec), don't use those insecure permissions at all.
2. Rename the Admin URL to something unique and if possible block access to it from the outside world (only allow your own IP address) with this .htaccess rule:-
# Goes alongside the existing RewriteEngine On in the Magento root .htaccess.
# Replace X.X.X.X with your own address; escape the dots and anchor it for an
# exact match, e.g. !^203\.0\.113\.7$
RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC]
RewriteCond %{REMOTE_ADDR} !^X.X.X.X
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
3. Implement a web application firewall like Mod Security to add an extra layer of protection to your website which can prevent a lot of attacks including SQL injections.
4. Reduce the amount of third-party extensions as some of them are very poorly coded with loopholes which not only opens up your Magento installation to hacking but may also eat up a lot of resources (CPU and RAM) for no apparent reason if they are inefficiently coded. The same goes for third-party themes where some are never supported or updated after being released.
5. Constantly implement all security patches and update all extensions and themes to the latest available version.
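Point 1 above is easy to check rather than guess at. The following is an added example (not code from the thread, from JLHC or from Magento) that walks a document root, lists anything writable by group or other, and tightens everything to 644/755, keeping the execute bit on scripts such as cron.sh. It assumes PHP runs as the file owner (suPHP/suEXEC), so var/ and media/ need nothing looser than 755; the sample tree it builds is constructed and the paths in it are hypothetical.

```python
"""Audit and tighten file permissions under a Magento document root.

Added example, not code from the thread or from Magento. Assumes PHP runs
as the file owner (suPHP/suEXEC), so 644 for files and 755 for directories
is enough even for var/ and media/. The sample tree is constructed.
"""
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
EXEC_FILE_MODE = 0o755  # keep +x on scripts such as cron.sh and mage


def mode_of(root, rel):
    """Permission bits of root/rel as an octal string, e.g. '0o644'."""
    return oct(stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode))


def audit_permissions(root):
    """List (relative_path, mode) for anything writable by group or other.

    Under suPHP/suEXEC nothing needs to be writable by anyone except the
    owner, so every hit here is a candidate for tightening."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((os.path.relpath(full, root), oct(mode)))
    return sorted(findings)


def harden_permissions(root):
    """Set directories to 755 and files to 644 (755 if owner-executable).

    Returns the number of entries whose mode actually changed."""
    changed = _set_mode(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            changed += _set_mode(os.path.join(dirpath, name), DIR_MODE)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            current = stat.S_IMODE(os.lstat(full).st_mode)
            target = EXEC_FILE_MODE if current & stat.S_IXUSR else FILE_MODE
            changed += _set_mode(full, target)
    return changed


def _set_mode(path, mode):
    """chmod only when needed; symlinks are left alone."""
    if os.path.islink(path) or stat.S_IMODE(os.lstat(path).st_mode) == mode:
        return 0
    os.chmod(path, mode)
    return 1


def make_sample_tree():
    """Constructed Magento-like tree with the usual shared-hosting mistakes:
    var/ and media/ at 777, local.xml and a cache lock file at 666."""
    root = tempfile.mkdtemp(prefix="magento_")
    for d in ("app/etc", "var/cache", "media/catalog", "skin/frontend"):
        os.makedirs(os.path.join(root, d))
    files = {"app/etc/local.xml": 0o666, "index.php": 0o644,
             "cron.sh": 0o755, "var/cache/mage-tags.lock": 0o666}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    for rel in ("var", "media"):
        os.chmod(os.path.join(root, rel), 0o777)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for entry in audit_permissions(root):
        print("loose:", *entry)
    print("fixed", harden_permissions(root), "entries; remaining:",
          audit_permissions(root))
```

Run audit_permissions first on the real docroot and read the list before calling harden_permissions; if the host does not run PHP as the file owner, files in var/ and media/ will need group write for the web server's group instead, which is the question to put to the hosting provider.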
Thanks JLHC. Very sensible suggestions!
In regards to the first point - excuse my complete ignorance, but I didn't realise that there was any other type of file permissions rules other than the 777 (or 666 etc). While I do have WHM, I am on shared hosting so is this something I have to ask my hosting provider about or is there any way I can do it?
I was wondering about the admin URL and why Magento suggested admin123 - thanks, now I understand and can name it something more obscure and I can access the .htaccess to add the rule you suggested.
I also can apply Mod Security through WHM.
You're so right about the third-party extensions use of extra bandwidth and CPU needlessly (I worked that one out when I was working with an open source CMS), but it's really great to get a reminder about it, not just for me, but for anyone else who reads this thread. And the theme I have used is updated regularly, so at least that is a big plus for it.
I won't forget to update the patches.
I am still on the test site, so I was looking to see what are the best practices for security (and to implement them) as I am not that familiar with Magento, before I release it to production.
I was also thinking about implementing Cloudflare for this domain too - is that something you'd recommend? It's been very useful for Wordpress...
As for Magento itself, rather than server administration (permissions, configuration, OS/server security updates):
1) Always patch to the latest security patch level for your version. (Patches are serial, not rollup; every one must be applied as they are issued)
2) Upgrade Magento to the latest version (use a dev server to test till you get it right as to compatibility with your modules and theme templates)
3) Limit access to Admin, Connect, downloader (lock down to specific IP addresses so the world can't hack your admin). Changing the admin link is merely security by obscurity, we don't know that all the ways of leaking the changed link have been patched.
4) Run a web application firewall
5) Install a module that limits the number of failed Admin access attempts and logs them for audit (tells you when your WAF has been bypassed, if your access limiting failed (3 above) or if your obscured link has been leaked and people are trying to hack you anyway).
6) On the module end, always buy from trusted developers, keep the modules up to date (WordPress's weakness, and Magento's, is developers that don't understand security, XSS, etc. and introduce security vulnerabilities with benefits).
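Point 5 above (notice when the WAF or IP lockdown has been bypassed) can be approximated from the web server's access log even before a login-limiting module is installed. The following is an added example, not code from the thread or from any Magento module: it flags IPs that POST to the admin or downloader path more than a threshold number of times within a time window. The log lines are constructed, the admin path is assumed to be the default "admin" (change the pattern if you renamed it), and allowed_ips is a hypothetical parameter for the addresses you locked the admin down to.

```python
"""Flag admin brute-force attempts in Apache access logs.

Added example, not from the thread. A Magento admin login is a POST to the
(possibly renamed) admin path; many POSTs from one IP in a short window is
the signal a login-limiting module or an external watcher acts on.
Log lines below are constructed; IPs are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Admin and Connect/downloader front doors. "admin" is assumed to be the
# default admin path; substitute the renamed one if you changed it.
ADMIN_RE = re.compile(r'^/(index\.php/)?(admin|downloader)(/|\?|$)')


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_admin_bruteforce(lines, threshold=5, window=timedelta(minutes=10),
                          allowed_ips=()):
    """Map IP -> peak number of admin/downloader POSTs inside any `window`,
    for IPs that reach `threshold`. allowed_ips (hypothetical) are skipped."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["ip"] in allowed_ips:
            continue
        if ADMIN_RE.match(ev["path"]):
            attempts[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed access-log lines: one legitimate admin login, storefront
    noise, a light probe of /downloader/, and one IP hammering the admin."""
    rows = [
        ("198.51.100.5", "10/Aug/2015:14:01:05", "GET", "/index.php/admin/", 200),
        ("198.51.100.5", "10/Aug/2015:14:01:20", "POST", "/index.php/admin/", 302),
        ("198.51.100.5", "10/Aug/2015:14:01:21", "GET", "/index.php/admin/dashboard/", 200),
        ("192.0.2.44", "10/Aug/2015:14:01:30", "GET", "/catalog/product/view/id/3", 200),
        ("192.0.2.44", "10/Aug/2015:14:02:00", "POST", "/checkout/onepage/saveOrder/", 200),
        ("203.0.113.9", "10/Aug/2015:14:02:02", "POST", "/downloader/", 200),
        ("203.0.113.9", "10/Aug/2015:14:02:09", "POST", "/downloader/", 200),
    ]
    rows += [("203.0.113.7", "10/Aug/2015:14:02:%02d" % s, "POST",
              "/index.php/admin/", 200) for s in range(10, 58, 6)]
    fmt = '%s - - [%s +0000] "%s %s HTTP/1.1" %d 1234 "-" "Mozilla/5.0"'
    return [fmt % r for r in rows]


if __name__ == "__main__":
    for ip, n in find_admin_bruteforce(sample_log()).items():
        print("possible admin brute force from %s: %d POSTs" % (ip, n))
```

Feed it the real access log with the renamed admin path substituted in ADMIN_RE and your own addresses in allowed_ips; any IP that still shows up means the lockdown in point 3 is not doing its job or the obscured link has leaked.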
@Zana15: Yes, you should check with your hosting provider on what is the ideal file permissions in their server. Hopefully they run something like SuPHP or SuExec so you do not need to use any file permissions beyond 644 for files and 755 for directories.
As for CloudFlare, you can use it whether it is for Magento or WordPress as it is application-agnostic. If you find it useful while you are using WordPress, you can implement it for Magento as well.
Personally I will stay clear of CloudFlare (especially the Free version) because of a few reasons:-
Thank you @JLHC and @chiefair for the security question comments and opinions and clarifying the file permissions questions. Greatly appreciated.
I hope this helps other people who are also new to Magento - they can also get some really good information about securing their Magento site. I am sure I am not the only one who would greatly benefit from the information in this thread!
I'll take the opinion about Cloudflare on board and do some more research, so thanks for giving me your opinion about it @JLHC. I also use some very well documented and highly recommended security plugins for WordPress that are fantastic at preventing improper logins, as if you would use "admin" or your domain name or part of it as your login! That is probably another point that should go here too (because not everyone may know this and it is good to reiterate it):
** Don't use admin as your admin username for any program - use something more obscure and unrelated to your website.
** And make sure your password is really random - there are some random password generators that can create strong passwords, but I make up my own obscure ones.
** Don't store your passwords on your computer or your email, if you can help it - I put mine on paper (old school I know, but it's safer as far as I am concerned)
@Zana15: Yes, very good points about the username and password.
For passwords, I highly recommend the use of a password manager like LastPass which can help you generate very complex passwords and use unique passwords for each website.
While you are at it, Two Factor Authentication is another thing that should be considered when the websites or services you use support it (especially your email as a hacker can reset your passwords to all other services if they have access to your email).