Does your business rely mostly on the online shopping site?
Are you sure it’s secure?
Nearly 6,000 Magento shops worldwide had already been infected with malicious skimming code by September 2016. The shops were manipulated so that customer data and payment details were passed on to online criminals during the ordering process. According to current findings, many operators still have not removed the malware, or their servers have been compromised again: while in September there were several hundred affected shops in Germany, there are now more than a thousand (more about it here). Shop owners who run the Magento CMS in outdated, actively exploitable versions are at risk, because several critical security holes allow attackers to insert malicious code into the shop.
Our team has gathered practical tips, based on years of experience, to help you protect your Magento eCommerce website from online fraud and skimming.
Yuri, our CEO, has suggested the following:
- Use an SSL certificate and the secure HTTPS protocol instead of unencrypted HTTP;
- Install the security patches for your current Magento version;
- Updating Magento version (as of Feb 16, 2017, the current Community Edition is 18.104.22.168 / 2.1.4 and the existing Enterprise edition is 22.214.171.124 and 2.1.4);
- Change the admin panel login URL (instead of exampleshop.com/admin use something like exampleshop.com/myshop4happyclients);
- Put a firewall on the server or hosting (whitelist the developers' addresses);
- Close the RSS and downloader folders to remote access;
- Restrict server logins by IP (block unknown addresses and allow entry only from trusted ones).
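The web-server part of Yuri's list can be written as a handful of Apache rules. The snippet below is an added example written for this post; it is not configuration shipped with Magento or taken from the original article. It assumes Apache 2.4 with mod_rewrite, a Magento 1 layout in which the admin route has already been renamed to myshop4happyclients (the frontName setting in app/etc/local.xml; Magento 2 keeps the same setting in app/etc/env.php), and that 203.0.113.10 and 198.51.100.0/24 are the office address and the developers' VPN range (constructed documentation addresses, replace with your own). It goes at the top of the shop's .htaccess, above Magento's own rewrite rules.

```apache
# --- Added hardening rules for the shop's .htaccess (example, not Magento's) ---
RewriteEngine On

# 1. Force HTTPS: anything arriving over plain HTTP is redirected permanently.
#    (If TLS is terminated by a proxy or CDN, test %{HTTP:X-Forwarded-Proto}
#    instead of %{HTTPS}, otherwise every request loops.)
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Close the Magento Connect downloader and the RSS routes to everyone.
#    Both are matched with and without the index.php/ prefix.
RewriteRule ^downloader(/|$) - [F,L]
RewriteRule ^(index\.php/)?rss(/|$) - [F,L]

# 3. Admin panel reachable only from trusted addresses (assumed: office IP
#    203.0.113.10 and developer VPN range 198.51.100.0/24). Every other client
#    receives 403 for the renamed admin path.
RewriteCond %{REQUEST_URI} ^/(index\.php/)?myshop4happyclients(/|$)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.
RewriteRule ^ - [F,L]
```

After saving the file, check it from a connection outside the allowlist: an http:// request should answer with a 301 to https://, /downloader/ and /rss/ should answer 403, and the admin path should answer 403 while it still opens normally from the office. If you would rather not reveal that the admin path exists at all, replace `[F,L]` in the last rule with `[R=404,L]`. The rules need `AllowOverride FileInfo` (or `All`) for the shop's directory in the virtual host.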
Anton, our project manager, gave the following recommendations:
- Use complex passwords and non-default access points (for instance, as stated above, http://…/admin is not suitable);
- Protect the entry point to the admin area with an additional password via htaccess authentication;
- For card payments, require the CVV (see the recommendations of the Payment Card Industry Data Security Standard (PCI DSS));
- Prevent detailed error information (stack traces) from appearing on users' screens;
- Pay attention to the software on the device you use to access the website control panel, as well as to the software environment on the server;
- Do not forget to update software – it helps 😉
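Anton's second and fourth points, an extra password in front of the admin area and no error output to visitors, also fit into the same .htaccess. The snippet is an added example for this post, not Magento's own configuration. It assumes Apache 2.4 with mod_auth_basic and mod_authz_core, the renamed admin route myshop4happyclients from above, a password file at /var/www/secure/.htpasswd (an assumed path outside the web root, created with `htpasswd -B -c /var/www/secure/.htpasswd adminuser`), and PHP running as an Apache module (mod_php).

```apache
# --- Added example: second password in front of the admin area, and no PHP
#     error output to visitors. Assumes Apache 2.4 and the renamed admin path.

# Basic authentication only for the admin route. Every other URL matches the
# first Require inside <RequireAny>, so the public shop stays open.
AuthType Basic
AuthName "Shop administration"
AuthBasicProvider file
AuthUserFile /var/www/secure/.htpasswd
<RequireAny>
    Require expr "%{REQUEST_URI} !~ m#^/(index\.php/)?myshop4happyclients(/|$)#"
    Require valid-user
</RequireAny>

# Never show PHP errors or stack traces in the browser; write them to a log
# that only administrators can read. These php_* directives only take effect
# when PHP runs as an Apache module (mod_php7.c, or mod_php5.c on PHP 5);
# with PHP-FPM set display_errors=Off and log_errors=On in the pool's php.ini.
<IfModule mod_php7.c>
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /var/log/httpd/shop-php-error.log
</IfModule>
```

The htaccess password is a separate layer in front of Magento's own admin login, so the two passwords should not be the same (Serhiy's point below). Verify with `apachectl configtest` if you placed the rules in a virtual host, then open the admin path in a private browser window: the browser must ask for the htaccess credentials before Magento's login form appears, while the storefront loads without any prompt.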
Michael, our backend developer, suggested that the following things should be done:
- Secure the logins and passwords to the site's services (FTP, SSH, MySQL, etc.);
- Close folders to directory listing (through htaccess);
- Filter the input that goes into SQL queries (protection against SQL injection);
- Restrict access to individual, trusted IP addresses;
- Beware of file extension substitution (a file's extension does not guarantee its real type).
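Two of Michael's points, closing folders to listing and not trusting a file's extension, map directly onto Apache rules for the upload directory. This is an added example, not taken from the original post or from the .htaccess files Magento distributes; it assumes Apache 2.4, that media/ is the only directory that accepts uploaded files, and that it is placed in media/.htaccess alongside whatever rules are already there.

```apache
# --- Added example for the upload directory (media/.htaccess) ---

# No automatic directory listings: a folder without an index file must not
# reveal its contents (and thereby the directory tree) to a visitor.
# Needs AllowOverride Options (or All) for this directory.
Options -Indexes

# Uploaded files are data, never code. Refuse to serve, and therefore to
# execute, anything whose name carries a script extension anywhere in it.
# The trailing (\.|$) also catches double-extension tricks such as
# invoice.php.jpg, which is what "extension substitution" usually looks like.
<FilesMatch "\.(php|phtml|php[0-9]|phar)(\.|$)">
    Require all denied
</FilesMatch>

# Belt and braces when PHP runs as an Apache module: turn the PHP engine off
# for this directory so even a file with an unexpected handler cannot run.
<IfModule mod_php7.c>
    php_flag engine Off
</IfModule>
```

The FilesMatch rule works regardless of whether PHP is run as a module or via PHP-FPM, because Apache answers 403 before any handler is chosen. To check it, place a harmless text file named test.php.txt in media/ and request it: the server must answer 403, while ordinary images in the same folder still load.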
Misha also underlined once again the need to hide error messages (sometimes they make it possible to see the directory tree).
Serhiy, another backend developer, added one piece of advice:
- Don't use one password for everything.
Kate, our front-end developer, suggested:
- To have a strong admin password (a mix of uppercase and lowercase letters, alphanumeric combinations and extra symbols), and
- To change it periodically, for example once a month.
Protecting your site is an ongoing task that requires continuous support as well as considerable knowledge and experience. A wise decision may be to outsource technical maintenance to a specialized agency, and the WebMeridian team is willing to help you with that. Send an email to firstname.lastname@example.org or use the form, and we will check your site for vulnerabilities and suggest all the improvements needed. Keep your business safe, together with the WebMeridian team.