When you prepare to launch your Magento 2 website, security is one of the primary areas of concern. Whether you plan to accept credit card data directly on your website, or on a payment provider’s pages – you are required to achieve PCI compliance.
Otherwise, you’ll find your business at risk of being banned from the use of payment gateways. And sure enough, that is simply a risk you can’t afford to take.
PCI compliance may seem a tricky subject because most of the material you can find online will lack concrete measures you have to take on a given server. I’m here to fix this 🙂
Let’s go through a quick security checklist for Magento 2 servers to give them the ultimate security lift without compromises.
1. Use a VPS or dedicated server
It is common knowledge that the shared hosting type is not secure. If you are hosted with Siteground, Bluehost, Godaddy, Dreamhost, etc. – there’s a big chance that you’re on a shared hosting plan.
Shared hosting plans are vulnerable to attacks coming from neighbor accounts on the same physical server. And of course, shared hosting is the worst thing for performance.
Transitioning away from shared to a VPS or dedicated server will yield security benefits and increased performance.
Recommendation: Linode VPS 4GB plan and plans above.
2. Run a secure OS with a minimal set of software
RHEL (or its free counterpart, CentOS) is great for running Magento 2. This operating system is known for its stability, and security fixes are backported to the stable versions regularly. What else to want?
Do not install any web panel like cPanel. This will ruin your performance and bring vulnerabilities. Running on the minimal stack is the most efficient and secure approach.
The de-facto standard stack for Magento 2 consists of this software:
- NGINX
- Varnish
- PHP-FPM 7.x/8.x (go with the highest your Magento 2 version supports)
If you run an older version of Magento 2 that only supports PHP 7.0, be sure to upgrade to the latest Magento. PHP 7.0 is “End of Life” and should be avoided.
2. Use ModSecurity
With the arrival of libmodsecurity, you can, and should, use the NGINX ModSecurity connector module. It is now easy to install ModSecurity to your existing NGINX installation.
This is your shield from incoming attacks.
3. Use Security Headers
Security headers are the ones present in the HTTP response of your website. They are typically used to protect from XSS attacks.
Recommendation: score at least B with SecurityHeaders test. Make sure to only add the necessary headers to non-HTML file headers. More info here. You can use ngx_security_headers module to do it.
4. Remove Software HTTP Headers
It is not enough to hide server version information. The best path is having no information disclosure done by HTTP headers.
Recommendation: remove Server
header and any other headers which directly report the software you use. The ngx_security_headers module mentioned earlier is up for the task as well.
5. pub
is your webroot
Setup your web server’s web root to point to the pub
directory of your Magento 2 installation. This will ensure that the only entry point PHP files required for running Magento will be accessible for public access:
Bad:
root /path/to/m2;
Good:
root /path/to/m2/pub;
6. Whitelist allowed PHP files
To complement the previous item, ensure that only a whitelisted set of .php files can be run from your web root directory.
Bad:
location ~ \.php {
...
Good:
location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
...
7. Install and use CLI security scanners
If you happen to install a plugin with a vulnerable upload endpoint, software like Malware Detect is capable of finding the breach and quarantine the offending script.
This is your server’s “immune system”.
Additional scanners are recommended for Magento 2:
- Magento Vulnerability Database
n98-magerun2
module
8. Run Magento 2 under special user
Follow the basic principles of the proper NGINX and PHP-FPM permissions model.
You have to allocate a special Linux user account on your server that will own and “run” Magento files. That same user account will be the one that the PHP-FPM pool runs under.
Bad /etc/php-fpm.d/some.conf
:
listen.owner = nginx
listen.group = nginx
Bad /etc/php-fpm.d/some.conf
:
listen.owner = www-data
listen.group = www-data
Good /etc/php-fpm.d/some.conf
:
listen.owner = magento2
listen.group = magento2
All files of your Magento website have to be owned by that user.
Bad listing (ls -al /path/to/m2
):
-rw-rw---- 1 nginx nginx 1370 Nov 7 2018 index.php
drwxrwx--- 4 nginx nginx 4096 Oct 25 2018 lib
-rw-rw---- 1 nginx nginx 10376 Oct 25 2018 LICENSE_AFL.txt
-rw-rw---- 1 nginx nginx 10364 Oct 25 2018 LICENSE.txt
Good listing (ls -al /path/to/m2
):
-rw-rw---- 1 magento2 magento2 1370 Nov 7 2018 index.php
drwxrwx--- 4 magento2 magento2 4096 Oct 25 2018 lib
-rw-rw---- 1 magento2 magento2 10376 Oct 25 2018 LICENSE_AFL.txt
-rw-rw---- 1 magento2 magento2 10364 Oct 25 2018 LICENSE.txt
9. Secure Magento 2 admin area using IP whitelisting
NGINX allows you to easily set up IP whitelisting for your Magento 2 admin area.
10. Work with trusted developers and set up Git workflow
It is crucial to work with trusted web developers. You also must:
- set up a Git workflow for pushing changes
- disallow any allow direct changes on the live website by developers
Otherwise, you may end up with developer-made malware like magento1-core-observer.