©  Viktor Khliupko 2017

Viktor Khliupko, Magento 2 DIY, 10.1007/978-1-4842-2460-1_14

14. Security

Viktor Khliupko

(1)Duesseldorf, Germany

Although Magento ships with a solid security baseline, a number of additional measures make a store considerably harder to compromise. Thousands of Magento web sites have been hacked over the last few years, and well-understood countermeasures exist for the major problems. This chapter covers the most important ones. MageReport.com scans a storefront for missing security patches and known misconfigurations, so you can check whether your store is exposed before and after applying them.

  1. Name & Password

    Make every Magento password unique and strong, and give the same thought to the admin user name. Length matters more than character-class rules: use a passphrase well beyond eight characters, and include numbers, letters and special characters where the policy requires them. Never reuse a password from another site. Avoid predictable user names such as ‘admin’ or ‘administrator’; they are the first entries in every brute-force list, so an attacker then only has to guess the password. If you are using an insecure name or password, change them in your admin account settings (Magento 2: the Account Setting entry under the admin user menu; Magento 1: System > My Account).

  2. Custom Path for Admin Panel

    The default admin URL has the form “http://storename.com/admin.” Everyone knows it, so automated scanners and password-guessing tools try it first. Changing it to something unguessable, for example “http://storename.com/superadmin,” keeps your login form out of opportunistic scans and log noise. Treat this as obscurity rather than a control: it does not fix broken authentication or session management, so it belongs together with strong passwords, two-factor authentication and the IP restriction described below.

    In Magento 2 the admin path is the frontName value under the backend section of “app/etc/env.php”; set it to a string such as “superadmin” and flush the cache. (The “app/etc/local.xml” entry with “<![CDATA[admin]]>” that older guides tell you to change to “<![CDATA[superadmin]]>” belongs to Magento 1.)

  3. Two-Factor Authentication

    Another reliable technique is two-factor authentication. Besides the password, the admin has to present a second, independent factor, typically a one-time code generated on a phone, so a password that was guessed, phished or leaked in another breach is no longer enough on its own. Magento 2 does not ship two-factor authentication out of the box; you can add it for your admins with Two-Factor Authentication by Xtento1.

  4. Encrypted (HTTPS/SSL) Connection

    One more essential improvement is serving the store over HTTPS (TLS). The connection between the customer’s browser and your server is then encrypted and authenticated, so login details, session cookies and payment data cannot be read or altered in transit. Encrypting the transport is required by PCI DSS for pages that handle cardholder data, but it is only one of its requirements; HTTPS alone does not make a store PCI-compliant.

    To enable it in Magento 2, go to “Stores > Configuration > General > Web,” set the Secure Base URL to your ‘https://’ address, and enable “Use Secure URLs on Storefront” and “Use Secure URLs in Admin.” (In Magento 1 the setting is “System > Configuration > General > Web,” where you change ‘http’ to ‘https’ in the Base URL and enable “Use Secure URLs in Frontend/Admin.”) Verify afterwards that the admin and the checkout are reachable only over HTTPS.

  5. File Upload with Secure FTP

    In addition to HTTPS for the store, take care of how you transfer files to the server. Plain FTP sends the user name, the password and every file in clear text; SFTP (file transfer over SSH) encrypts the whole session and can authenticate with an SSH key pair instead of a password, so use it. While you are there, check file permissions: a mode of 777 lets every local user and every process on the server rewrite your files.

  6. Predefined IP Addresses for Administrators

    Magento’s admin panel can be restricted to a predefined set of IP addresses, which is a robust control: even a valid password, or an unpatched bug in the admin, is useless from an address outside the list. You create the list, and requests from other addresses never reach the admin panel.

    To implement it, add the following to the “.htaccess” file of the directory that will serve the admin (created in the next step; a deny rule in the store root’s “.htaccess” would lock the whole storefront):

    # Apache 2.4 (mod_authz_core): several Require directives are OR-ed
    <IfModule mod_authz_core.c>
        Require ip 172.161.132.13
        Require ip 153.119
    </IfModule>
    # Apache 2.2 (mod_authz_host): with "Order deny,allow" the allow list wins
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 172.161.132.13
        Allow from 153.119
    </IfModule>

    These rules grant access to the address ‘172.161.132.13’ and to every address whose first two octets are ‘153.119’ (that is, 153.119.0.0/16); add as many entries as you need. On Apache 2.4 the equivalent of “Order/Deny/Allow” is a set of “Require ip” directives. Do not wrap the rules in “<Limit GET POST>” as older recipes do, because that leaves every other HTTP method unrestricted, and the “AuthName/AuthType Basic” lines those recipes add authenticate nobody without a password file.

    Then go to the Magento root directory and create a new folder called ‘admin’. Copy your Magento “index.php” into it and adjust the relative paths it uses, since the file now lives one level deeper. For Magento 1 these are the paths to “config.php” and “Mage.php” shown below; a Magento 2 “index.php” instead has a single require of “app/bootstrap.php,” which needs the same one-level adjustment. Change the lines below:

    // Magento 1 bootstrap files, now one directory deeper than the original index.php
    $compilerConfig = '../includes/config.php';
    $mageFilename = '../app/Mage.php';

    The only change is the added ‘../’ in front of each path.

    Now open the “.htaccess” file in the store root and add the following line:

    # "Redirect permanent" and "Redirect 301" are synonyms; one rule is enough
    Redirect permanent /index.php/{admin_path} /admin/index.php/{admin_path}

    This sends users who request the admin to the new directory, where the IP rules apply. ‘{admin_path}’ stands for the custom admin path you set earlier.

    This technique works only with static IP addresses. If your ISP assigns dynamic addresses, either reach the admin through a VPN or jump host with a fixed address and list that, or skip this step; otherwise you will lock yourself out the next time your address changes. The relocation above was written for Magento 1’s file layout, so try it on a staging copy before touching a live Magento 2 store.
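
    The relocation of “index.php” above assumes Magento 1’s file layout. As an added example that is not part of the book, the script below expresses the same IP restriction for a Magento 2 store without moving any file: it emits mod_rewrite rules that match the admin front name (the value set in app/etc/env.php) and answer 403 to every address outside the list, and it reproduces Apache’s partial-address matching so a list can be sanity-checked offline. The front name superadmin, the addresses and the function names are placeholders of the example; it assumes Apache with mod_rewrite, which Magento’s own “.htaccess” already requires.

```sh
#!/bin/sh
# Added example, not from the book: an IP allowlist for the Magento 2 admin
# front name (backend/frontName in app/etc/env.php), emitted as mod_rewrite
# rules for the .htaccess Apache already reads for the store. The front name
# "superadmin" and the addresses are placeholders.

# An allowlist entry is a full IPv4 address or an Apache-style partial one
# (1 to 3 leading octets, e.g. "153.119"); every octet must be 0-255.
valid_entry() {
    printf '%s\n' "$1" | awk -F. '
        NF < 1 || NF > 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Apache's matching semantics, for testing a list offline: a full entry must
# match exactly, a partial entry matches on an octet boundary, so "153.119"
# covers 153.119.0.0-153.119.255.255 but not 153.11.0.1.
ip_allowed() {
    ip=$1; shift
    for entry in "$@"; do
        case "$ip" in
            "$entry" | "$entry".*) return 0 ;;
        esac
    done
    return 1
}

# Emit rules that answer 403 to any request for the admin front name from an
# address outside the list. They apply to every HTTP method; a <Limit GET POST>
# block would leave HEAD, PUT and the rest unrestricted.
admin_ip_rules() {
    front=$1; shift
    for entry in "$@"; do
        valid_entry "$entry" || { printf 'bad allowlist entry: %s\n' "$entry" >&2; return 1; }
    done
    printf 'RewriteEngine On\n'
    # Matches /superadmin, /superadmin/... and the un-rewritten /index.php/superadmin/...
    printf 'RewriteCond %%{REQUEST_URI} ^/(index\\.php/)?%s(/|$)\n' "$front"
    for entry in "$@"; do
        esc=$(printf '%s' "$entry" | sed 's/\./\\./g')
        case "$entry" in
            *.*.*.*) printf 'RewriteCond %%{REMOTE_ADDR} !^%s$\n' "$esc" ;;
            *)       printf 'RewriteCond %%{REMOTE_ADDR} !^%s\\.\n' "$esc" ;;
        esac
    done
    printf 'RewriteRule .* - [F,L]\n'
}

admin_ip_rules superadmin 172.161.132.13 153.119
```

    Paste the emitted block near the top of the “.htaccess” Apache reads for the store (pub/.htaccess when pub/ is the document root), ahead of Magento’s own rewrite rules. Behind a CDN or reverse proxy REMOTE_ADDR is the proxy’s address, so the check must use the forwarded client address or move to the proxy itself.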

  7. Malicious PHP Functions

    Some PHP functions are rarely needed by a web shop but make a compromise far worse: once an attacker achieves code execution through a vulnerable extension or an uploaded file, functions such as exec, system or proc_open let the script run shell commands and spawn processes. Disable the ones your store does not use in the “php.ini” of the web SAPI (php-fpm or mod_php) by adding:

    ; php.ini of the web SAPI only (php-fpm / mod_php); keep the CLI php.ini unchanged
    ; so bin/magento and cron are not subject to the same restriction.
    ; eval is a language construct, not a function, so listing it has no effect;
    ; escapeshellarg/escapeshellcmd are sanitizers and should stay available;
    ; names that are not PHP functions (fp, fput, inject_code, phpAds_*) do nothing here.
    disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, exec, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, mysql_pconnect, openlog, passthru, php_uname, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

    Adjust the list to your installation: add other functions if you like, and remove any that your store or an extension needs. Test the admin, the checkout, cron and the setup wizard afterwards, and keep the CLI’s “php.ini” separate so that bin/magento is not subject to the same restriction.

  8. Directory Listing

    Directory listing is a common server misconfiguration. When a directory has no index file, the web server shows its contents, so anyone who requests the URL sees the directory structure and the names of all files in it, including backups, exports or uploads that were never meant to be found. Disable directory indexing by adding the line below to your “.htaccess” file, and check the result by requesting a directory URL and expecting a 403:

    1   Options -Indexes

  9. MySQL Injections

    Since every Magento web site has many form fields that accept user input, an attacker can try to smuggle SQL statements into them (SQL injection) and read or modify the database, customer data included. Magento’s database layer offers parameter binding; injection arises wherever code, in core or in an extension, builds SQL from user input by string concatenation instead. A web application firewall (several are described below) filters the common payloads in front of the store.

    The more fundamental fix is to keep Magento and every extension up to date, as releases bring security fixes alongside improvements and new features. At the same time, a new release can introduce regressions of its own, so test an upgrade on a staging copy before deploying it.

  10. Create backups of your Magento store regularly (code, media and the database) and keep copies off the server; a backup that sits beside the store is destroyed or tampered with in the same incident. Backups limit the damage of any compromise and let you restore the site quickly.

  11. Fix all e-mail loopholes. Password resets for your admin account go to its e-mail address, so whoever controls that mailbox controls the store. Do not publish the address, and protect the account with a unique, strong password (and two-factor authentication where the provider offers it).

  12. Check the security of your Magento web site regularly; issues found early are cheap to fix.

  13. Keep the antivirus software on the computers you administer the store from up to date; outdated versions do not recognize current threats, and a compromised workstation hands over admin sessions and credentials.

  14. Know what your browser stores: saved passwords, session cookies and autofill data for your Magento admin. Do not let it save admin passwords, because anyone with access to the computer (or malware on it) can read them out.

  15. In Magento 2, “app/etc/env.php” contains the database credentials and the encryption key (in Magento 1 this is “app/etc/local.xml”). Hide it from public access: set its permissions to 600 (-rw-------) if PHP runs as the file’s owner, or 640 with the web server’s group if it does not, and make sure the entire “app” directory is not reachable over HTTP (request /app/etc/env.php in a browser and expect a 403 or 404; serving the store from “pub/” as the document root keeps “app” outside the web root altogether).

  16. Apply operating system updates promptly and stay on a supported OS version; security fixes for the kernel, OpenSSL, PHP and the web server arrive that way.

  17. Your hosting provider should be reliable and secure. Not every provider is prepared for attacks: ask how quickly they patch their stack, how customers are isolated from each other, and what they do when a site is compromised.

  18. Restrict file and directory permissions to what Magento needs: the web server must read the code but should be able to write only to the media, cache and generated-code directories. For downloadable documents set read-only permissions, so that no program can modify them.
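
    As an added example that is not part of the book, the script below applies the permission scheme items 15 and 18 describe to a Magento 2 tree and audits the result. It assumes Magento 2’s directory layout (app/etc/env.php holds the credentials; var/, pub/media, pub/static and generated/ are written at runtime) and that the web server user either owns the files or shares their group; MAGENTO_ROOT, ENV_PHP_MODE and the function names are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the book: the permission lockdown of items 15 and 18
# for a Magento 2 tree. Assumes Magento 2's layout and that the web server user
# owns the files or shares their group. MAGENTO_ROOT and ENV_PHP_MODE are
# assumed environment variables.

# Directories 755, files 644: readable by the web server, writable by nobody
# but the owner. The runtime-writable trees get 775/664 so the web server's
# group can write there and nowhere else.
harden_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for writable in var pub/media pub/static generated; do
        [ -d "$root/$writable" ] || continue
        find "$root/$writable" -type d -exec chmod 775 {} +
        find "$root/$writable" -type f -exec chmod 664 {} +
    done
    # The CLI entry point must stay executable after the blanket chmod.
    [ -f "$root/bin/magento" ] && chmod 755 "$root/bin/magento"
    # Item 15: env.php readable by its owner only (600). Use ENV_PHP_MODE=640
    # when PHP runs as a different user that shares the owner's group.
    [ -f "$root/app/etc/env.php" ] && chmod "${ENV_PHP_MODE:-600}" "$root/app/etc/env.php"
    return 0
}

# Item 18: downloadable documents read-only for everyone, so neither the
# application nor a compromised web process can alter them.
readonly_downloads() {
    [ -d "$1" ] || return 1
    find "$1" -type f -exec chmod 444 {} +
}

# Audit: list anything still world-writable (the 777 case item 5 warns about).
# No output means the tree is clean.
world_writable() {
    find "$1" ! -type l -perm -002
}

if [ -n "${MAGENTO_ROOT:-}" ]; then
    harden_permissions "$MAGENTO_ROOT"
    world_writable "$MAGENTO_ROOT"
fi
```

    Run it as the file owner (or root) with MAGENTO_ROOT set to the store root. With 600 on env.php a web server running as another user cannot read the store’s own configuration, which is why ENV_PHP_MODE=640 exists. readonly_downloads must be re-run after new documents are uploaded, and world_writable is the check worth scheduling from cron.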

  19. Disable Magento Connect Manager (the “/downloader” of Magento 1) after installing extensions, and in Magento 2 likewise restrict access to the web setup wizard under “/setup,” to prevent unintended changes to the installed code.

  20. Use only trusted Magento extensions from reliable sources, such as Magento Marketplace.

  21. Give outside developers accounts of their own and remove them when the work is done, instead of sharing your credentials. If you had to hand out a password, rotate it to a new one afterwards; never switch back to the old value, which the developer still knows.

  22. Check web server logs for errors and suspicious activity: bursts of POST requests to the admin login from one address, requests for files that should never be served, or unexpected requests from unknown tools. This is how intrusions are detected at an early stage.
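
    As an added example that is not part of the book, the script below runs two of the checks item 22 describes over Apache combined-format access log lines: addresses that hammer the admin login, and requests for files that must never be served. The log lines are constructed for the example (RFC 5737 documentation addresses); superadmin is the placeholder admin front name used earlier in this chapter, and the function names are the example’s own.

```sh
#!/bin/sh
# Added example, not from the book: two detection checks for item 22 over
# Apache combined-format access logs. The sample lines are constructed
# (RFC 5737 documentation addresses); "superadmin" is the placeholder admin
# front name used earlier in this chapter.

# Write a constructed sample log: one address hammering the admin login,
# a legitimate admin session, a probe for configuration files, and normal
# storefront traffic.
make_sample_log() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 12 ]; do
        printf '203.0.113.5 - - [10/Mar/2017:09:01:%02d +0100] "POST /superadmin/admin/index/index/ HTTP/1.1" 302 0 "-" "python-requests/2.13"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [10/Mar/2017:09:02:10 +0100] "POST /superadmin/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.7 - - [10/Mar/2017:09:02:15 +0100] "GET /superadmin/admin/dashboard/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"\n' >> "$out"
    printf '203.0.113.9 - - [10/Mar/2017:09:03:00 +0100] "GET /app/etc/env.php HTTP/1.1" 403 199 "-" "curl/7.52"\n' >> "$out"
    printf '203.0.113.9 - - [10/Mar/2017:09:03:01 +0100] "GET /.git/config HTTP/1.1" 404 199 "-" "curl/7.52"\n' >> "$out"
    printf '192.0.2.44 - - [10/Mar/2017:09:04:00 +0100] "GET /catalog/product/view/id/12/ HTTP/1.1" 200 40211 "-" "Mozilla/5.0"\n' >> "$out"
}

# Addresses that POSTed to the admin front name more than $3 times in log $1.
# A password-guessing loop looks exactly like this even though every attempt
# "succeeds" with a 302 back to the login form. Output: "ip count" per line.
admin_post_bursts() {
    awk -v front="/$2" -v max="$3" '
        $6 == "\"POST" && index($7, front "/") == 1 { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }' "$1"
}

# Requests for paths that must never be served: the configuration files under
# app/, the var/ tree and version-control metadata. Output: "ip path status";
# a 200 here means the file was actually handed out.
sensitive_probes() {
    awk '$7 ~ /^\/(app\/|var\/|\.git\/|\.htaccess)/ { print $1, $7, $9 }' "$1"
}

demo=$(mktemp)
make_sample_log "$demo"
admin_post_bursts "$demo" superadmin 10
sensitive_probes "$demo"
rm -f "$demo"
```

    Point the two functions at the real access log and the real front name; the threshold depends on how many admins you have and how often they mistype. Behind a CDN or proxy the first field is the proxy’s address, so either log the forwarded client address in that position or group on the header the proxy sets.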

  23. Block countries you do not ship to. This cuts down automated noise, but it is easily bypassed through a proxy, so treat it as a filter rather than a control.

  24. Check this PDF2 for more tips. Although it was written for Magento 1, you will find a lot of information useful for Magento 2 there.

  25. And don’t miss the first Magento 2 security extensions3.
