Note: Using Magento 2? Check our Magento 2 security checklist.
1. Proactively scan your store for malware
Online scanners
Run both the Sucuri SiteCheck scanner and MageReport against your store; they check different things. Sucuri fetches your pages the way a visitor would and flags injected scripts, malicious redirects and blacklisting. MageReport checks which Magento security patches are missing and whether known-vulnerable extensions are installed. Keep in mind that a remote scanner only sees what the server sends to the browser, so a backdoor that does not change the served pages will not show up there; that is what the CLI scanners below are for.
CLI scanners
Another free scanner specific to Magento is magescan, a command-line tool that probes a store over HTTP and reports the detected Magento version, missing security patches, installed modules and files that should not be reachable from the outside (such as app/etc/local.xml). It can be installed from our repository (the repository itself is added by the release RPM shown in section 11):
yum install magescan
An additional CLI check, also recommended for Magento 2, is the Magento Vulnerability Database n98-magerun module, which compares the installed third-party extensions against a list of versions with known security issues.
2. Disable unused modules
Disable RSS
Every active module is another entry point, and the RSS feeds are one that most stores never use. Disabling them is also a good template for switching off any other unused core module. Create app/etc/modules/Zzz.xml and paste in the following (module declaration files are loaded in name order after Mage_All.xml, so a file called Zzz.xml is read last and its <active> value wins):
<?xml version="1.0"?>
<config>
    <modules>
        <Mage_Rss>
            <active>false</active>
            <codePool>core</codePool>
            <depends>
                <Mage_Catalog/>
                <Mage_CatalogInventory/>
                <Mage_Sales/>
                <Mage_SalesRule/>
                <Mage_Wishlist/>
            </depends>
        </Mage_Rss>
    </modules>
</config>
Flush the Magento configuration cache afterwards and confirm that a feed URL such as /rss/catalog/new now returns a 404 instead of XML.
3. Rename the admin panel path
Edit app/etc/local.xml in your Magento installation and change the value under admin -> routers -> adminhtml -> args -> frontName from the default "admin" to something that cannot be guessed, then flush the configuration cache. This stops the bulk of automated scanners that simply probe /admin and /index.php/admin, but it is obscurity, not access control: combine it with the IP whitelist in section 6 and two-factor authentication in section 7.
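The following is an added example (not code from the original article) showing where the value lives in local.xml and how to change it safely from the shell. The local.xml it writes is a constructed minimal stand-in for a real file, the path in the usage comment and the new name backend_7f3k are arbitrary illustrations, and the helper names are our own.

```shell
#!/bin/sh
# Added example, not from the original article: change the Magento 1 admin
# frontName in app/etc/local.xml and read it back. The local.xml written by
# make_sample_local_xml is a constructed minimal stand-in for a real one, and
# the new name "backend_7f3k" is an arbitrary illustration.
set -eu

# Write a minimal local.xml carrying the default "admin" frontName (constructed).
make_sample_local_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<config>
    <global>
        <crypt><key><![CDATA[00000000000000000000000000000000]]></key></crypt>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}

# Print the current frontName, with or without the CDATA wrapper.
get_admin_frontname() {
    sed -n 's/.*<frontName>\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*/\2/p' "$1"
}

# Replace the frontName. Only [a-z0-9_-] is accepted so the value is safe both
# in the XML and as a URL path segment; a backup is kept because local.xml also
# holds the crypt key and database credentials.
set_admin_frontname() {
    file="$1"; name="$2"
    case "$name" in
        ""|*[!a-z0-9_-]*) echo "invalid frontName: '$name'" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak"
    sed "s|<frontName>.*</frontName>|<frontName><![CDATA[$name]]></frontName>|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Usage (the path is an assumption; flush var/cache afterwards):
#   set_admin_frontname /var/www/magento/app/etc/local.xml backend_7f3k
#   get_admin_frontname /var/www/magento/app/etc/local.xml
```

The character whitelist is the important part: the value ends up inside the XML and in every admin URL, so anything outside [a-z0-9_-] is rejected rather than escaped.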
4. Use adaptive request filtering
Fail2Ban is great: it tails the web-server log and temporarily firewalls any client that repeats a suspicious request pattern, such as failed admin logins or bursts of requests to the admin path. We set it up to secure all Magento installations. Give the filter a whitelist for your own addresses so that a mistyped password from the office does not lock you out.
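Below is an added example, not part of the original article or of Fail2Ban itself: the decision Fail2Ban makes for a Magento admin jail, reproduced in awk over a few constructed Nginx access-log lines so it can be run offline. It assumes the admin frontName was renamed to "backend" (section 3), that a failed Magento 1 admin login POST re-renders the form with HTTP 200 while a successful one redirects with 302, and that 203.0.113.0/24 is an office range of the kind section 6 whitelists; the failregex in the comment is illustrative and the time window (findtime) is left out.

```shell
#!/bin/sh
# Added example, not from the original article: the decision Fail2Ban makes,
# reproduced in awk over constructed Nginx access-log lines so it runs offline.
# Assumptions: the admin frontName was renamed to "backend" (section 3); a
# failed Magento 1 admin login POST re-renders the form with HTTP 200 while a
# successful one redirects with 302; 203.0.113.0/24 is the office range
# whitelisted in section 6. A real Fail2Ban filter expressing the same rule
# would look like (illustrative, adjust the path):
#   failregex = ^<HOST> .* "POST /backend/\S* HTTP/[0-9.]+" 200
# with maxretry/findtime set in the jail; the time window is left out here.
set -eu

ADMIN_PATH=/backend

# Constructed sample log in Nginx's default "combined" format.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "POST /backend/ HTTP/1.1" 200 5123 "-" "curl/7.79"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /backend/ HTTP/1.1" 200 5123 "-" "curl/7.79"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /backend/index/index/ HTTP/1.1" 200 5123 "-" "curl/7.79"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "POST /backend/index/index/ HTTP/1.1" 200 5123 "-" "curl/7.79"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /backend/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /backend/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "POST /backend/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "POST /backend/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "POST /backend/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /backend/dashboard/ HTTP/1.1" 200 30411 "-" "Mozilla/5.0"
EOF
}

# failed_admin_logins MAXRETRY WHITELIST_PREFIX   (log on stdin)
# Prints, sorted, every client IP with at least MAXRETRY failed admin logins
# that does not start with WHITELIST_PREFIX (pass "" for no whitelist). The
# prefix test is deliberately simple: "203.0.113." covers exactly that /24.
failed_admin_logins() {
    awk -v path="$ADMIN_PATH" -v maxretry="$1" -v allow="$2" '
        # combined format: $1 client IP, $6 method with leading quote, $7 URI, $9 status
        $6 == "\"POST" && index($7, path "/") == 1 && $9 == 200 {
            if (allow != "" && index($1, allow) == 1) next   # whitelisted source
            fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip }
    ' | sort
}

# Usage: sample_log | failed_admin_logins 3 203.0.113.
```

In the sample, 198.51.100.7 is the only address reported with a threshold of 3: 192.0.2.44 fails once and then logs in, and 203.0.113.5 fails repeatedly but is whitelisted. Drop the whitelist argument and the office address is reported too, which is exactly the lock-out a real jail's ignoreip setting prevents.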
5. Block /rss and /downloader, or restrict them to specific IPs
If you don't need Magento Connect (i.e. you install extensions with Composer or Git), deny the downloader in Nginx. The ^~ modifier makes this a prefix match that takes precedence over the regular-expression location that hands .php files to PHP-FPM, so /downloader/index.php is blocked as well:
location ^~ /downloader/ {
    deny all;
}
To keep it reachable from your own addresses only, put one allow directive per address before deny all.
If you're not using RSS (most stores aren't), disable it in Nginx as well. This is an alternative, or a second layer, to disabling the module in the .xml file above:
location ~ ^/index\.php/?rss/ {
    deny all;
}
location ~ ^/rss/ {
    deny all;
}
Nginx uses the first regular-expression location that matches, so these two blocks must appear before the location that passes .php requests to PHP, or they never fire.
6. Admin panel: whitelist admin IPs and block everyone else
Everything else on this list still leaves the login form exposed to the whole internet; restricting the admin path to your own addresses at the web-server level takes it out of sight entirely. We have a separate guide on protecting the Magento admin.
7. Enable two-factor authentication
- Install and enable a two-factor authentication extension (Google Authenticator, SMS, etc.) so that a stolen or guessed admin password alone is not enough to log in.
- Alternatively, put the admin behind a VPN tunnel and block all other access to it (you will need to work with your hosting provider to set this up).
8. Ensure your file permissions (chmod) are set right
Writable PHP files are what let a compromised web-server process drop a backdoor next to your code. We have a guide on setting chmod in Magento 1.x the right way.
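As an added example (not the article's own chmod guide, which may differ in detail), here is one widely used Magento 1 permission baseline applied to a constructed tree. It assumes the code is owned by a deploy user and PHP runs under a separate web-server group passed as the second argument, that only media/ and var/ need to be writable by that group, and that app/etc/local.xml gets 640 because it holds the crypt key and database password; the separation only helps if PHP does not run as the file owner. Modes are read back with GNU stat, so the check runs on Linux. Function names and paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not the article's chmod guide: one widely used Magento 1
# permission baseline applied to a constructed tree. Assumptions: code is owned
# by a deploy user and the web server runs as a separate group (pass it as the
# second argument, e.g. nginx or apache); only media/ and var/ must be writable
# by that group; app/etc/local.xml holds the crypt key and database password
# and gets 640. Modes are read with GNU stat, so this runs on Linux.
set -eu

# Build a small tree in the state many shared hosts leave it: everything 777.
make_tree() {
    root="$1"
    mkdir -p "$root/app/etc" "$root/media/catalog" "$root/var/cache" "$root/skin"
    echo '<?php' > "$root/index.php"
    echo '<config/>' > "$root/app/etc/local.xml"
    echo 'x' > "$root/var/cache/mage---config"
    chmod -R 777 "$root"
}

# harden_permissions ROOT [WEB_GROUP]
harden_permissions() {
    root="$1"; grp="${2:-}"
    find "$root" -type d -exec chmod 755 {} +        # directories: traversable, not group-writable
    find "$root" -type f -exec chmod 644 {} +        # files: readable, not writable by the web server
    # runtime data and uploads: group-writable, setgid so new files inherit the group
    find "$root/media" "$root/var" -type d -exec chmod 2775 {} +
    find "$root/media" "$root/var" -type f -exec chmod 664 {} +
    chmod 640 "$root/app/etc/local.xml"              # secrets: owner and web-server group only
    if [ -n "$grp" ]; then
        chgrp -R "$grp" "$root"
    fi
}

# mode PATH: numeric mode such as 644 or 2775 (GNU stat)
mode() { stat -c '%a' "$1"; }

# Usage (path and group are assumptions):
#   harden_permissions /var/www/magento nginx
```

Run it after every deploy rather than once: a developer's scp or a badly written extension installer will quietly put 777 back.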
9. Eliminate core hacks using n98-magerun
n98-magerun is an excellent utility for managing Magento from the CLI. Use it to find out whether your developer (or an attacker, for that matter) has changed any core Magento files. Edits under app/code/core are lost on the next upgrade at best and a hiding place for backdoors at worst; legitimate changes belong in a rewrite under app/code/local.
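The following is an added example, not the article's method and not part of n98-magerun: the same core-integrity check done by hand, so it runs offline and can cross-check whatever a tool reports. It hashes every file under app/code/core in a pristine Magento tree (assumed to be the release tarball of the exact same version, unpacked somewhere) and in the live tree, then lists files that differ or exist on one side only. Both trees it builds are constructed fixtures, the "patched" controller line is a neutral illustration rather than a real sample, and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the article's: the core-hack check done by hand, so it runs
# offline and can cross-check whatever n98-magerun reports. It hashes every
# file under app/code/core in a pristine Magento tree (unpack the release
# tarball of the exact same version somewhere) and in the live tree, then lists
# files that differ or exist on one side only. Both trees below are constructed
# fixtures; the edited controller is a neutral illustration, not a real sample.
set -eu

make_fixture() {
    root="$1"
    mkdir -p "$root/pristine/app/code/core/Mage/Checkout/controllers" \
             "$root/live/app/code/core/Mage/Checkout/controllers" \
             "$root/live/app/code/core/Mage/Payment/Model"
    echo '<?php class Mage_Checkout_OnepageController {}' \
        > "$root/pristine/app/code/core/Mage/Checkout/controllers/OnepageController.php"
    echo '<?php class Mage_Checkout_CartController {}' \
        > "$root/pristine/app/code/core/Mage/Checkout/controllers/CartController.php"
    # live tree: cart controller identical, onepage controller edited in place, one file added
    cp "$root/pristine/app/code/core/Mage/Checkout/controllers/CartController.php" \
       "$root/live/app/code/core/Mage/Checkout/controllers/"
    printf '%s\n' '<?php class Mage_Checkout_OnepageController {}' \
        '// "hotfix" applied straight into the core file instead of a local rewrite' \
        > "$root/live/app/code/core/Mage/Checkout/controllers/OnepageController.php"
    echo '<?php // no such file in the pristine tree' \
        > "$root/live/app/code/core/Mage/Payment/Model/Helper.php"
}

# hash_tree ROOT: "sha256  relative/path" for every file under ROOT/app/code/core
hash_tree() {
    ( cd "$1/app/code/core" && find . -type f -exec sha256sum {} + ) | sed 's|  \./|  |'
}

# core_diff PRISTINE_ROOT LIVE_ROOT: prints "ADDED", "MISSING" or "MODIFIED" plus path, sorted
core_diff() {
    a=$(mktemp); b=$(mktemp)
    hash_tree "$1" > "$a"
    hash_tree "$2" > "$b"
    # first file fills pristine[], second fills live[] (NR==FNR only while reading the first,
    # which must therefore be non-empty)
    awk 'NR == FNR { pristine[$2] = $1; next }
         { live[$2] = $1 }
         END {
             for (p in live)     if (!(p in pristine))           print "ADDED " p
             for (p in pristine) if (!(p in live))               print "MISSING " p
                                 else if (pristine[p] != live[p]) print "MODIFIED " p
         }' "$a" "$b" | sort
    rm -f "$a" "$b"
}

# Usage (paths are assumptions):
#   core_diff /usr/src/magento-1.9.4.5 /var/www/magento
```

Every line of output deserves a look: ADDED files in app/code/core are the classic place for dropped backdoors, MODIFIED ones are either an unpatched "quick fix" or an injected hook, and MISSING usually means an incomplete upgrade.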
10. Use an EV SSL certificate
It is a common misconception that an EV SSL certificate gives better security than a regular one. It doesn't: the strength of the TLS connection depends on how the certificate is installed and configured (protocol versions, cipher suites, HSTS), not on the validation level.
Once you have taken all the security measures above, it is a good time to tell your users that your business is trustworthy, and that is where EV certificates come in handy. The certificate names a verified legal entity, and some browsers have shown that next to the address bar (Chrome and Firefox removed the dedicated EV indicator in 2019, so the visual cue is less prominent than it once was, though the entity details remain in the certificate viewer).
Namecheap, for example, provides multi-domain EV SSL certificates.
11. Find and remove malware
Use Magento Malware Scanner (mwscan) to find malware in your website:
# add our repository, then install mwscan into its own Python environment with pip-safe
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install pip-safe
sudo pip-safe --system install mwscan
# point the ruleset download at our mirror instead of the original S3 location
find /opt/pip-safe/mwscan/lib* -name ruleset.py -exec sed -i 's@mwscan.s3.amazonaws.com@www.getpagespeed.com/files@g' {} \;
# scan the document root
mwscan /path/to/magento
Treat a hit as the start of the clean-up, not the end: find out how the file got there (a vulnerable extension, a leaked admin password, a writable web directory) or it will be back. Also set up Linux Malware Detect (maldet) on your CentOS/RHEL server for scheduled scans.
12. Work with trusted developers and set up a Git workflow
It is crucial to work with trusted web developers. You also must:
- set up a Git workflow so that every change goes through version control and can be reviewed before it is deployed
- disallow direct changes on the live website by developers
Otherwise, you may end up with developer-made malware like magento1-core-observer.