any tips to make magento more secure?

Hi

Does anyone have tips on what is a good idea to do after Magento 2.2.2 is installed? I'm more looking for ideas to make it more secure...

I looked in my installation and found files like

changelog.md
pull_request_template.md
issue_template.md
php.ini.sample
installer.php
contributing.md
auth.json.sample

and folders like

setup/
update/

I'm looking for tips to make Magento more secure... should I leave these files on the LIVE server, or can it lead to compromising the site? I know I must patch up the Magento setup installation, but I'm worried that these files and other things can get the site hacked...

any ideas?


Re: any tips to make magento more secure?

@Loginname I would recommend going through the link below and trying to implement as much as you can. The more secure your environment is, the fewer chances of a security breach you'll have. The list is for M1, but you can apply most of it to M2 as well. It also gives you an overview of what can be done to make your Magento secure.

https://www.raveinfosys.com/blog/magento/magento-security/

Regarding the files and folders you mentioned, I would say let them be on the server. My 2 cents.

Problem solved? Please give 'Kudos' and accept 'Answer as Solution'.

- Tarandeep

Re: any tips to make magento more secure?

@Loginname

You can add the items below to your site to secure it more:

1. Protect the admin panel with htpasswd
2. Enable reCAPTCHA for both frontend and backend
3. Add 2FA for authentication
4. Permissions should be proper as per Magento standards
5. Check that customized code follows Magento standards to protect from SQL injection
6. Before installing, check whether all third-party plugins follow all standards

I think these will help secure your site. Cheers

Manish Mittal
https://www.manishmittal.com/

Re: any tips to make magento more secure?

Hello @Loginname,

When you're ready to deploy your site to production, you should remove write access from files in the following directories for improved security:

  • vendor
  • app/code
  • app/etc
  • pub/static
  • Any other static resources
  • generated
  • var/view_preprocessed

To update components, install new components, or upgrade the Magento software, all of the preceding directories must be read-write.

Make code files and directories read-only
To remove writable permissions on files and directories from the web server user's group:

  1. Log in to your Magento server.
  2. Change to your Magento installation directory.
  3. Enter the following command to change to production mode:
    php bin/magento deploy:mode:set production
  4. Enter the following command:
    find app/code var vendor pub/static app/etc generated/code generated/metadata var/view_preprocessed \( -type f -or -type d \) -exec chmod u-w {} \; && chmod o-rwx app/etc/env.php && chmod u+x bin/magento

Make code files and directories writable
To make files and directories writable so you can update components and upgrade the Magento software:

  1. Log in to your Magento server.
  2. Change to your Magento installation directory.
  3. Enter the following command:
    find app/code lib var generated vendor pub/static pub/media app/etc \( -type d -or -type f \) -exec chmod g+w {} \; && chmod o+rwx app/etc/env.php

Furthermore, security plays an important role in the success of an online store. If you are running an eCommerce store, then it is mandatory to secure your website and protect your customers' data.

Admin Name and Password

  • To prevent unauthorized access to your account, it is highly recommended that you use a complex admin name and a strong password. This ensures that attackers cannot guess or simply use the default name to try and log in to your account. Use a combination of uppercase, lowercase, symbols, and numbers to create a strong password.

Use the Latest Version of Magento 2

  • Make sure that you have updated your Magento 2 to the latest version to avoid any security lapses. Every Magento update improves security through patches that close known vulnerabilities. For this simple reason, it is not easy to attack a Magento 2 store that is updated to the latest version and the latest Magento 2 security patch. If your store is not using the latest version, update it now, and if you need a little guidance, here it is: How to Update Magento 2 Using Composer.

Custom Admin URL

  • Another practice to make a Magento 2 store secure is to use a custom Admin URL. It is highly recommended to change your Magento 2 admin URL to a unique one rather than using the default. If you don't know how to do it, here's a guide to help you out: Display or change the Admin URI

Two-Step Verification

  • Two-step verification protects your account by requiring additional verification from the user when signing in to the Admin Panel. In this process, after signing in to the account, a security code is sent to the Admin's mobile number or email, which the user then has to verify to access the admin panel. It works as an additional security layer, which makes it difficult for attackers.

Limit Admin Access

  • Want to ensure no one accesses your Admin panel from anywhere else? Just limit your store admin access to your IP address, and this simple IP restriction will leave a lot of hackers scratching their heads when they try to access your Magento 2 store.

SSL Certificate

  • SSL (Secure Sockets Layer) secures a website by establishing an encrypted link between a web server and the browser. All the data that passes over this link remains private. SSL is especially important for all websites that deal in online transactions.

    Hence, adding an SSL certificate to your Magento 2 store helps protect the private information of your users, like login credentials, credit card information, and other sensitive data. To add this layer of security, you have to purchase an SSL certificate and then configure it in your Magento 2 store to force the store pages to load over HTTPS.

Create a Backup

  • In the unfortunate case where your store is hacked, it's important that you have a full backup of your store that restores your Magento 2 to working condition. In a technologically advanced world where even the hackers are smart, you have to have backups of your Magento 2 store files as well as your database. You can create backups by downloading all the files using FTP. You can also get the database by going to phpMyAdmin.

Use Reliable Sources for Magento 2 Extensions

  • Extensions are essential for a Magento 2 store. Before installing any Magento 2 extension, ensure that it has been developed by a reliable developer, the reviews are good, and that it has a good track record. To be on the safe side, always get extensions from a reliable and authorized third-party extension maker!

Enable Admin Login CAPTCHA

  • Enabling CAPTCHA prevents hackers and even bots from attacking your Magento 2 store. You have to enable this awesome Magento 2 feature.

    Go to Stores → Configuration from the Admin Panel of your store and then click on Admin under the Advanced tab.
    Now unfold the CAPTCHA section and select Yes from the Enable CAPTCHA in Admin drop-down menu. Then select Admin Forgot Password from the Forms option and set all the remaining values according to your needs.
    At last, just click on Save Config at the top of the page.

Configure Action Log

  • If you use Magento 2 Enterprise Edition, one of its great features is the configuration of the Action Log. The feature helps you track administrator activity and view all the log history. Not only that, you can also check the source of all the activities in your admin panel and even view the IP of that source. For Community Edition, you have to install a third-party extension to add this feature.

--
If my answer is useful, please Accept as Solution & give Kudos
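The read-only / writable procedures in the answer above are one-line commands that are easy to run but hard to verify afterwards. The script below is an added example (not from the thread, and not Magento's own tooling): it wraps the same `find ... chmod` logic in functions, applies it to a constructed Magento-like tree, and then checks that nothing in the code paths is still owner-writable and that app/etc/env.php grants nothing to "other". The directory list is the one from the read-only command above; the sample tree, the function names and the use of `u+w` (rather than the thread's `g+w`) to undo the hardening are assumptions of this demo. Assumes POSIX sh with find and chmod.

```shell
#!/bin/sh
# Added example: apply and verify the production permission hardening
# described in the thread on a throwaway tree. Not Magento project code.

# Code paths that must be read-only in production (same list as the
# read-only command in the thread).
MAGENTO_CODE_PATHS="app/code var vendor pub/static app/etc generated/code generated/metadata var/view_preprocessed"

# Strip the owner write bit from every file and directory in the code
# paths, hide env.php from "other" and keep the CLI entry point executable.
harden_perms() {
    ( cd "$1" &&
      find $MAGENTO_CODE_PATHS \( -type f -o -type d \) -exec chmod u-w {} \; &&
      chmod o-rwx app/etc/env.php &&
      chmod u+x bin/magento )
}

# Reverse of harden_perms for a maintenance window. The thread grants g+w
# to the web server group; this demo restores u+w so it can clean up.
make_writable() {
    ( cd "$1" &&
      find $MAGENTO_CODE_PATHS \( -type f -o -type d \) -exec chmod u+w {} \; )
}

# Print how many files/directories in the code paths still carry the
# owner write bit. Zero is the expected production state.
count_writable() {
    ( cd "$1" && find $MAGENTO_CODE_PATHS \( -type f -o -type d \) -perm -u+w ) | wc -l | tr -d ' '
}

# Succeed only if env.php grants no r, w or x bit to "other".
env_php_private() {
    n=$(find "$1/app/etc/env.php" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Constructed sample tree with the same layout. Files start out
# owner-writable and world-readable, as a fresh install leaves them.
make_sample_tree() {
    root=$(mktemp -d)
    for d in $MAGENTO_CODE_PATHS bin pub/media; do
        mkdir -p "$root/$d"
    done
    printf '<?php return [];\n' > "$root/app/etc/env.php"
    printf '#!/usr/bin/env php\n' > "$root/bin/magento"
    printf 'x\n' > "$root/vendor/autoload.php"
    printf 'x\n' > "$root/pub/static/app.js"
    chmod 664 "$root/app/etc/env.php"
    chmod 644 "$root/bin/magento" "$root/vendor/autoload.php" "$root/pub/static/app.js"
    echo "$root"
}

# Restore write access (directories cannot be deleted otherwise) and remove the tree.
cleanup_tree() {
    make_writable "$1" && rm -rf "$1"
}

# Demo run on the sample tree.
demo=$(make_sample_tree)
echo "writable entries before hardening: $(count_writable "$demo")"
harden_perms "$demo"
echo "writable entries after hardening:  $(count_writable "$demo")"
env_php_private "$demo" && echo "app/etc/env.php is not readable by other"
cleanup_tree "$demo"
```

On a real server, run `count_writable` and `env_php_private` against the Magento root after each deployment; a non-zero count usually means a deploy or cron job recreated files with the web server user's default umask, which is exactly the drift that makes the read-only step worth re-checking rather than running once.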

Re: any tips to make magento more secure?

Your website has been hacked. If your Magento store was hacked or you were under a denial-of-service attack, these are very real pain points for eCommerce merchants.

High-profile cyberattacks have destroyed businesses from small retailers to multinational banks. Even businesses as large as Yahoo have been hit by a series of hacks, leaving them with the task of rebuilding trust amongst loyal customers.

Small businesses put so much faith in Magento to run their stores smoothly. Who can they trust if even the security of the platform isn't guaranteed?

Read our guidelines on how to secure a Magento store.

Thank you!

Re: any tips to make magento more secure?

Hello Loginname,

Magento is one of the leading eCommerce platforms, which makes it a desirable target for hackers and attackers. So Magento security is one of the most essential things right now to secure your customers' personal information and private data. Here are the most essential Magento security tips:

1. Use a strong password for your Magento admin panel. A strong password should be at least 8 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters.

2. Keep your Magento installation up to date. New versions of Magento include security fixes for vulnerabilities that hackers may have exploited.

3. Secure your Magento installation by setting up a proper file permissions system. Magento's default file permissions are too lax. As a result, they can allow hackers access to sensitive information if they can gain access to your server.

4. Use a secure connection (SSL) for your Magento store. It will encrypt all data transmitted between your server and your customers' browsers, making it much more difficult for hackers to intercept and steal sensitive information.

5. Implement a security policy for your Magento store. It should include regular backups of your database and files and restrict access to the admin panel to only trusted IP addresses.

There are a few things you can do to make your Magento installation more secure:

  1. Use a strong password for the admin panel, and never use the same password for multiple accounts.
  2. Keep your Magento installation and all extensions up to date. Regularly check for updates and apply them as soon as possible.
  3. Use a security plugin like MageReport or Sucuri to scan your site for potential vulnerabilities.
  4. Use a secure hosting provider with intrusion detection, prevention, and firewalls to protect your site from attacks.
  5. Enable two-factor authentication for the admin panel.
  6. Ensure you have a backup of your site in case something goes wrong.
  7. Use a secure connection (SSL) for the admin panel and frontend store.
  8. Follow security best practices when configuring your server and firewall.

Moreover, the essential Magento security tips above are there to protect your Magento store from attackers. Prevention is always better than cure, and there is no doubt that adequate protection needs advanced solutions. So keep your Magento store updated and immediately enhance your website's security.

Thus, I hope the information above helps you understand the tips to make Magento more secure.

--------------------------------

Regards,

Rex M

VPS Hosting | Magento Hosting

Re: any tips to make magento more secure?

Someone has hacked into your website. These are very real pain points for eCommerce business owners, such as if your Magento store was hacked or if you were the target of a denial-of-service attack.

Businesses of all sizes, from local shops to multinational financial institutions, have been wiped out by high-profile cyberattacks. Even well-established companies like Yahoo have been subjected to a slew of cyberattacks, leaving them with the challenge of regaining the faith of their most devoted clients.

MyFedLoan

Re: any tips to make magento more secure?

There are several steps you can take to make your Magento installation more secure:

  1. Keep your Magento software and any third-party extensions up to date with the latest security patches.
  2. Use a strong, unique password for your Magento admin panel, and make sure to change it regularly.
  3. Use a web application firewall (WAF) to protect your site from common attacks such as SQL injection and cross-site scripting (XSS).
  4. Restrict access to your Magento admin panel by IP address or using two-factor authentication.
  5. Regularly scan your site for vulnerabilities using a tool like Magento Security Scan.
  6. Use HTTPS to encrypt all communications between your site and visitors' browsers.
  7. Do not use the default admin URL.
  8. Regularly back up your site's files and database.
  9. Regularly review your Magento logs and monitor for any suspicious activity.
  10. Use a hosting service that provides security features such as firewalls and intrusion detection/prevention systems.
  11. Do not store sensitive information like credit card data on the site.

It's important to keep in mind that no system is completely secure, so it's important to stay informed about the latest security threats and best practices for protecting your site.

Re: any tips to make magento more secure?

Great information,

Thanks for sharing it with us

MyFedLoan Login

Re: any tips to make magento more secure?

  • Remove any unused sample data or sample files that came with the fresh installation, like changelog.md, issue_template.md, etc. These are not needed on a production site.
  • Make sure to use a strong unique auth.json with a complex admin password. Don't leave the default auth.json file.
  • Limit access to the Magento setup folder by adding authentication or removing it from the web root after installation is complete.
  • Disable the Magento Admin URI if possible and do not use 'admin' as the path. Use a custom complex path instead.
  • Use a web application firewall (WAF) like ModSecurity to monitor and block suspicious requests.
  • Enable SSL across the entire site. All admin and customer traffic should be over HTTPS.
  • Use strong unique passwords everywhere, especially for admin accounts, Redis, etc.
  • Limit access to cron jobs and disable unused cron jobs.
  • Keep Magento and all extensions/themes updated to the latest secure versions.
  • Review permissions on files/folders and limit access to what is required for the web server user.
  • Disable unused functionality in Magento if not required.
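The first two bullets of the answer above, and the original question, come down to one check: which developer-only files are still lying around, and can the web server actually serve anything it should not. The script below is an added example (not from the thread, not Magento's own code): it audits a Magento root for the exact file names the original poster listed and then reports which private paths (setup/, update/, composer's auth.json, app/etc/env.php) exist under a given document root. Running it once with the docroot at the Magento root and once with the docroot at pub/ shows why the usual advice is to point the web server at pub/. The list of private paths and the sample checkout are assumptions of this demo; it assumes POSIX sh with a find that supports -maxdepth and -iname (GNU and BSD both do).

```shell
#!/bin/sh
# Added example: audit a Magento checkout for leftover developer files
# and for private paths reachable from the web document root.

# Files that ship with a source checkout of Magento but have no role on a
# production server (names as listed in the original question, matched
# case-insensitively).
DEV_FILE_NAMES="changelog.md pull_request_template.md issue_template.md contributing.md php.ini.sample auth.json.sample installer.php"

# Paths that must not be reachable through the web server (assumed list):
# the setup/ and update/ trees, composer's auth.json (repository
# credentials) and app/etc/env.php (database credentials and crypt key).
PRIVATE_PATHS="setup update auth.json app/etc/env.php"

# Print every dev-only file found directly under the Magento root.
list_leftover_dev_files() {
    for name in $DEV_FILE_NAMES; do
        find "$1" -maxdepth 1 -type f -iname "$name"
    done
}

count_leftover_dev_files() {
    list_leftover_dev_files "$1" | wc -l | tr -d ' '
}

# Print each private path that exists under the given document root.
# Empty output is the goal; it is what you get with the docroot at pub/.
list_web_exposed_paths() {
    for p in $PRIVATE_PATHS; do
        if [ -e "$1/$p" ]; then
            echo "$1/$p"
        fi
    done
}

count_web_exposed_paths() {
    list_web_exposed_paths "$1" | wc -l | tr -d ' '
}

# Constructed sample checkout: a Magento root with the leftover files,
# the private paths and a pub/ directory holding the public entry point.
make_sample_checkout() {
    root=$(mktemp -d)
    mkdir -p "$root/setup" "$root/update" "$root/app/etc" "$root/pub/static"
    for name in CHANGELOG.md pull_request_template.md ISSUE_TEMPLATE.md CONTRIBUTING.md php.ini.sample auth.json.sample installer.php; do
        printf 'sample\n' > "$root/$name"
    done
    printf '{}\n' > "$root/auth.json"
    printf '<?php return [];\n' > "$root/app/etc/env.php"
    printf '<?php // public entry point\n' > "$root/pub/index.php"
    echo "$root"
}

# Demo run: audit the sample checkout with the docroot at the Magento
# root and again with the docroot at pub/.
demo=$(make_sample_checkout)
echo "leftover dev files: $(count_leftover_dev_files "$demo")"
list_leftover_dev_files "$demo"
echo "private paths exposed with docroot=$demo: $(count_web_exposed_paths "$demo")"
list_web_exposed_paths "$demo"
echo "private paths exposed with docroot=$demo/pub: $(count_web_exposed_paths "$demo/pub")"
rm -rf "$demo"
```

Deleting the .md and .sample files is harmless, but keep setup/ and auth.json outside the docroot rather than deleting them: bin/magento setup commands and composer need them. If the docroot has to stay at the Magento root, the web server must deny those paths explicitly, and this audit gives you the list to deny.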