Does your business rely mostly on online shopping site?
Are you sure it is secure?
Nearly 6000 Magento sites worldwide were infected with a malicious skimming code already in September 2016, and were manipulated in such a way that customer data and payment information are passed on to online criminals during the ordering process. According to current findings, this infection has not been removed by many operators until today, or the servers have been compromised again (for example, while in September there were several hundred effected sites in Germany, now there are more then a thousand) (more about it – here). Affected may be the shop owners who use CMS Magento in outdated and acutely attackable versions: there are critical security gaps, through which the attackers can introduce malware code into the shops.
Our team has gathered practical tips based on the years of experience to help you protect your Magento e-commerce site from online fraud and skimming.
Yuri, our CEO, has suggested the following:
- The use of an SSL certificate and safe https protocol instead of the unprotected http one;
- Installation of security patches for the current version of Magento;
- Updating Magento version (as of Feb 16 2017, the current Community Edition is 22.214.171.124 / 2.1.4 and the current Enterprise edition is 126.96.36.199 and 2.1.4);
- Change link to log in to the admin panel (instead of exampleshop.com/admin put something like exampleshop.com/myshop4happyclients);
- Put firewalls on the server or hosting (whitelist developers);
- Close the rss and downloader folders from remote access;
- Put IP limiter to server login (block unauthorized IP and allow entry by IP only for trusted addresses).
Anton, our project manager, gave the following recommendations:
- Use complex passwords and access points (for instance, as stated above, http: //../admin is not suitable);
- Put a password on the entry point in the admin area with htaccess authentication;
- For banking operations – require the CVV (read the recommendations of Payment Card Industry Data Security Standard (PCI DSS));
- Prevent the appearance of detailed information about possible mistakes on the site (stack-trace) on the screens of users;
- Pay attention to the software of the device that you use to enter the website control panel, as well as software environment on the server site;
- Do not forget to update software – it helps
Misha, our backend developer, suggested, that the following things should be done:
- Secure login and password to the site (FTP, SSH, MySQL, etc.);
- Close folders from being viewed (through htaccess);
- Filtration of sql queries (protection from sql injections);
- Access to individual server ip;
- Sometimes file extensions substitution is used.
Misha has also underlined once again the need to hide mistakes (sometimes this makes it possible to see the directory tree).
Serhiy, another backend developer, added the advice
- not to use one password for everything.
Kate, our front-end developer, suggested:
- To have a normal admin password (mix of uppercase and lowercase letters, alphanumeric combinations, extra symbols, and
- To change it periodically, such as once a month.
Protection of your site is an important task that needs ongoing support, and takes lots of knowledge and experience. A wise decision could be to outsource technical maintenance to a specialised agency.
The WebMeridian team is willing to help you with that. Send an email to firstname.lastname@example.org and we will check your site for vulnerability issues and suggest all improvements it may need.
Keep your business safe.
Together with WebMeridian team.