any tips to make magento more secure?

Hi

 

Does anyone have tips about what is a good idea to do after Magento 2.2.2 is installed? I'm more looking for ideas to make it more secure...

 

I looked in my installation and found files like

changelog.md

pull_request_template.md

issue_template.md

php.ini.sample

installer.php

contributing.md

auth.json.sample

 

and folders like

setup/

update/

 

I'm looking for tips to make Magento more secure... should I leave these files on the LIVE server, or can it lead to compromising the site? I know I must patch up the Magento setup installation, but I'm worried that these files and other things can get the site hacked...

 

any ideas?

 

 

4 REPLIES

Re: any tips to make magento more secure?

@Loginname I would recommend going through the link below and trying to implement as much as you can. The more secure your environment is, the fewer chances of a security breach you'll have. The list is for M1, but you can apply most of it to M2 as well. It also gives you an overview of what can be done to make your Magento secure.

 

https://www.raveinfosys.com/blog/magento/magento-security/

 

Regarding the files and folders you mentioned, I would say leave them on the server. My 2 cents.

 

Problem solved? Please give 'Kudos' and accept 'Answer as Solution'.

- Tarandeep

Re: any tips to make magento more secure?

@Loginname

 

You can add the items below to your site to secure it more:

 

1. Protect the admin panel with htpasswd

2. Enable reCAPTCHA for both frontend and backend

3. Add 2FA for authentication

4. Permissions should be set properly as per Magento standards

5. Check that customized code follows Magento standards to protect against SQL injection.

6. Before installing, check whether all third-party plugins follow all standards.

 

I think these will help secure your site. Cheers 

Manish Mittal
https://www.manishmittal.com/

Re: any tips to make magento more secure?

Hello @Loginname,

 

When you’re ready to deploy your site to production, you should remove write access from files in the following directories for improved security:

  • vendor
  • app/code
  • app/etc
  • pub/static
  • Any other static resources
  • generated
  • var/view_preprocessed

To update components, install new components, or to upgrade the Magento software, all of the preceding directories must be read-write.

 

Make code files and directories read-only
To remove writable permissions to files and directories from the web server user’s group:

  1. Log in to your Magento server.
  2. Change to your Magento installation directory.
  3. Enter the following command to change to production mode:
    php bin/magento deploy:mode:set production
  4. Enter the following command:
    find app/code var vendor pub/static app/etc generated/code generated/metadata var/view_preprocessed \( -type f -or -type d \) -exec chmod u-w {} \; && chmod o-rwx app/etc/env.php && chmod u+x bin/magento

Make code files and directories writable
To make files and directories writable so you can update components and upgrade the Magento software:

  1. Log in to your Magento server.
  2. Change to your Magento installation directory.
  3. Enter the following command:
    find app/code lib var generated vendor pub/static pub/media app/etc \( -type d -or -type f \) -exec chmod g+w {} \; && chmod o+rwx app/etc/env.php

 

Furthermore, security plays an important role in the success of an online store. If you are running an eCommerce store, then it is mandatory to secure your website and protect your customers’ data.

 

Admin Name and Password

  • To prevent unauthorized access to your account, it is highly recommended that you use a complex admin name and a strong password. This ensures that attackers cannot guess or simply use the default name to try to log in to your account. Just use a combination of uppercase, lowercase, symbols, and numbers to create a strong password.

Use the Latest Version of Magento 2

  • Make sure that you have updated your Magento 2 to the latest version to avoid any security lapses. Every Magento update improves security through patches and killing known vulnerabilities. For this simple reason, it is not easy to attack a Magento 2 store that is updated to the latest version and latest Magento 2 security patch. If your store is not using the latest version, update it now, and if you need a little guidance, here it is: How to Update Magento 2 Using Composer.

Custom Admin URL

  • Another practice to make Magento 2 store secure is to use a custom Admin URL. It is highly recommended to change your URL to a unique one for Magento 2 admin rather than using the default URL. If you don’t know how to do it, here’s a guide to help you out: Display or change the Admin URI

Two-Step Verification

  • Two-step verification protects your account by requiring additional verification from the user when signing in to the Admin Panel. In this process, after signing in to the account, a security code is sent to the Admin’s mobile number or email, which the user then has to verify to access the admin panel. It works as an additional security layer which makes it difficult for attackers.

Limit Admin Access

  • Want to ensure no one accesses your Admin panel from anywhere else? Just limit your store admin access to your IP address, and this simple IP restriction will leave a lot of hackers scratching their heads when they try to access your Magento 2 store.

SSL Certificate

  • SSL (Secure Socket Layer) secures a website by establishing an encrypted link between a web server and the browser. All the data that passes between this link remains private. SSL is especially important for all websites that deal in online transactions.

    Hence, adding an SSL certificate to your Magento 2 store helps protect the private information of your users like login credentials, credit card information, and other sensitive data. To add this layer of security, you have to purchase an SSL certificate and then configure it on your Magento 2 store to force the store pages to load over HTTPS.

Create a Backup

  • In the unfortunate case where your store is hacked, it’s important that you have a full backup of your store that restores your Magento 2 to working condition. In a technologically advanced world where even the hackers are smart, you have to have backups of your Magento 2 store files as well as your database. You can create backups by downloading all the files using FTP. You can also get the database by going to phpMyAdmin.

Use Reliable Sources for Magento 2 Extensions

  • Extensions are essential for a Magento 2 store. Before installing any Magento 2 extension, ensure that it has been developed by a reliable developer, the reviews are good, and that it has a good tracking record. To be on the safe side, always get extensions from a reliable and authorized third-party extension maker!

Enable Admin Login Captcha

  • Enabling CAPTCHA protects your Magento 2 store from hackers and even bots. You have to enable this awesome Magento 2 feature.

    Go to Stores → Configuration from the Admin Panel of your store and then click on Admin under the Advanced tab.
    Now unfold the CAPTCHA section and select Yes from the Enable CAPTCHA in Admin drop-down menu. Then select Admin Forgot Password from the Forms option and set all the remaining values according to your need.
    Finally, just click on Save Config at the top of the page.

Configure Action Log

  • If you use Magento 2 Enterprise Edition, one of its great features is the configuration of Action Log. The feature helps you track administrator activity and to view all the log history. Not only that, you can also check the source of all the activities in your admin panel and even view the IP of that resource. For community edition, you have to install a third-party extension to add this feature.

 

--
If my answer is useful, please Accept as Solution & give Kudos
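The read-only permission scheme in the reply above is easy to run but rarely verified afterwards. The script below is an added example, not code from the forum post or from Magento: it builds a throwaway directory tree with the same path names the reply lists (the file contents are constructed stand-ins), applies the same `find`/`chmod` sequence (written with POSIX `-o` instead of GNU `-or`), and then audits the result with `find -perm` so you can confirm that no owner-writable entries remain under the code paths and that `app/etc/env.php`, which holds the database credentials, is no longer readable by "other". The function names and the audit checks are mine.

```shell
#!/bin/sh
# Added demo (not from the forum post or Magento): lock a Magento-shaped tree
# read-only as the reply describes, then audit the result with find -perm.

# Build a constructed Magento-like root in a temp dir; prints its path.
make_demo_root() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/app/code/Vendor/Module" "$root/app/etc" "$root/vendor/lib" \
           "$root/pub/static/frontend" "$root/generated/code" \
           "$root/generated/metadata" "$root/var/view_preprocessed" "$root/bin"
  # Constructed stand-in contents; a real env.php carries the DB credentials.
  printf '%s\n' "<?php return ['db' => ['password' => 'CONSTRUCTED']];" > "$root/app/etc/env.php"
  printf '%s\n' "<?php // constructed module stub" > "$root/app/code/Vendor/Module/registration.php"
  printf '%s\n' "body {}" > "$root/pub/static/frontend/styles.css"
  printf '%s\n' "#!/bin/sh" > "$root/bin/magento"
  printf '%s\n' "$root"
}

# Lock: drop the owner write bit on every file and directory under the code
# paths, hide env.php from "other", and keep the CLI entry point executable.
lock_code_dirs() {
  ( cd "$1" &&
    find app/code var vendor pub/static app/etc generated/code generated/metadata \
         var/view_preprocessed \( -type f -o -type d \) -exec chmod u-w {} \; &&
    chmod o-rwx app/etc/env.php &&
    chmod u+x bin/magento )
}

# Audit: how many entries under the locked paths still carry the owner write
# bit (octal 200). Expect 0 after lock_code_dirs.
count_owner_writable() {
  ( cd "$1" && find app/code var vendor pub/static app/etc generated/code \
        generated/metadata \( -type f -o -type d \) -perm -200 | wc -l | tr -d ' ' )
}

# Audit: 1 if "other" can still read env.php (octal 004), else 0.
env_world_readable() {
  ( cd "$1" && find app/etc/env.php -perm -004 | wc -l | tr -d ' ' )
}

# Restore owner write access so the demo tree can be deleted again.
cleanup_demo() {
  chmod -R u+w "$1" && rm -rf "$1"
}

# Stand-alone run: show the audit numbers before and after locking.
root=$(make_demo_root)
echo "owner-writable entries before lock: $(count_owner_writable "$root")"
lock_code_dirs "$root"
echo "owner-writable entries after lock:  $(count_owner_writable "$root")"
echo "env.php readable by other:          $(env_world_readable "$root")"
cleanup_demo "$root"
```

On a real store, point the audit functions at the installation directory instead of the demo root; a non-zero `count_owner_writable` after deployment usually means a path was added (a new module, a theme's static files) after the lock was applied, and it is that audit, not the lock command itself, that tells you the protection is still in place.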

Re: any tips to make magento more secure?

Your website has been hacked. If your Magento store was hacked or you were under a denial-of-service attack, these are very real pain points for eCommerce merchants.

 

High-profile cyberattacks have destroyed businesses from small retailers to multi-national banks. Even businesses as large as Yahoo have been hit by a series of hacks leaving them with the task of rebuilding trust amongst loyal customers.

 

Small businesses put so much faith in Magento to run their stores smoothly. Who can they trust if even the security of the platform isn’t guaranteed?

 

Read our guidelines on how to secure a Magento store?

 

Thank you!