I had customers messaging me that they weren't able to buy anything off of my site. When I went and checked the backend, someone had gone into the PayPal credentials part and put their own in. How can I make my admin panel more secure? The password was impossible to find out and I never click on any strange emails. Please help, I already changed the email on the account and created another *impossible* password.
First of all ... what version of Magento are you using, and did you apply all the security patches released so far?
First of all hire a developer who can apply all the security patches to your site, if those are not applied.
And always revoke or change all the user credentials for the third party users once the work is finished.
If you use a static IP to connect to your site, you can IP restrict your site's admin URL.
You may also use two factor authentication extensions to make your admin login more secure.
You can find a trusted Magento developer from below URL
Apart from this, I would suggest taking care of below things while working with your developers:
1. Change the URL of the admin panel to something more secure and personalized that no one can guess.
2. Apply patches. You can check required patches on this URL (https://www.magereport.com/)
3. Check if you have any unwanted user accounts in your users list and delete them if they exist.
4. Perform a full scan of your hosting (file system) to ensure you don't have any malicious scripts on your server.
5. Double check your API users and their access level with your developer that you selected in point 1.
6. Add a free SSL and firewall in your system if required/ suggested by your developer.
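A read-only audit for points 3 and 5, plus the PayPal settings that were swapped in the question. This is an added example, not code from any poster in the thread. It assumes a stock Magento 1 schema (`admin_user`, `api_user`, `api_role`, `core_config_data`) with no table prefix.

```sql
-- Added example. Assumes a stock Magento 1 database without a table prefix;
-- prepend your prefix to each table name if one is configured.

-- Point 3: every admin account, newest first. Review accounts you did not
-- create, and recent logdate values on accounts nobody should be using.
SELECT user_id, username, email, is_active, created, modified, logdate, lognum
FROM admin_user
ORDER BY created DESC;

-- Point 5: API users together with the role each one is assigned to.
-- In api_role, a row with role_type = 'U' links a user to its parent
-- group role (role_type = 'G'). Users with no role show NULL.
SELECT u.user_id, u.username, u.email, u.is_active, u.created,
       g.role_name AS assigned_role
FROM api_user AS u
LEFT JOIN api_role AS ur
       ON ur.user_id = u.user_id AND ur.role_type = 'U'
LEFT JOIN api_role AS g
       ON g.role_id = ur.parent_id AND g.role_type = 'G'
ORDER BY u.created DESC;

-- The incident in the question: list every stored PayPal setting at every
-- scope so a value overridden at website or store level is not missed.
-- Compare each value against what you entered yourself.
SELECT scope, scope_id, path, value
FROM core_config_data
WHERE path LIKE 'paypal/%'
ORDER BY path, scope, scope_id;
```

Run it with a read-only database account and save the output before changing anything, so your developer can see what the accounts and settings looked like at the time of the incident.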
There was a nasty security hole in Magento, discovered about two years ago and since then patched in newer versions. There's also a patch available to fix older ones.
Check out this site:
Pay attention to this test: Security patch 5344 (Shoplift). If it's not green, you're in big trouble. Other tests should be either green or grey as well (this is a passive test, occasionally it's unable to determine without an active intrusion attempt whether or not your system is safe, thus the grey status), but Shoplift MUST be green.
You don't have to know anything about the source code of Magento, that's why you should hire a developer / solution partner. You can find a list of official Magento partners here: https://magento.com/partners/portal/directory/?par
Which partner suits you best is up to you. You should be able to filter to only see the ones in your area. Prices are hard to say, this depends on the partner you're working with. Be aware that if someone is really cheap, it might also be of low quality. And in the end, if you have a hacked Magento webshop, which is what this looks like, you'll end up losing a lot more money than you need to spend on security of your webshop.
Good luck finding a suitable Magento partner and hopefully your webshop will be patched and up-to-date again soon.
As @Pronto pointed out, it's important that all security issues are addressed and fixed ASAP.
It's also worth starting to think about migrating to Magento V2.0, as Magento will only support Magento v1 until November 2018 and after that your website will become more vulnerable.
One other way to find a reliable developer is the Magento certification directory https://u.magento.com/certification/directory/. This is where all of the Magento certified developers are listed. I suggest that you consider migrating to M2 sooner rather than later to avoid the hacking issues.