Does your business rely mostly on an online shopping site?
Are you sure it is secure?
Nearly 6000 Magento sites worldwide had already been infected with malicious skimming code by September 2016, manipulated so that customer data and payment information are passed on to online criminals during the ordering process. According to current findings, many operators have still not removed this infection, or their servers have been compromised again (for example, while in September there were several hundred affected sites in Germany, now there are more than a thousand; more about it here). Shop owners who run Magento in outdated, acutely attackable versions are at risk: these versions contain critical security gaps through which attackers can insert malware code into the shops.
Our team has gathered practical tips, based on years of experience, to help you protect your Magento e-commerce website from online fraud and skimming.
Yuri, our CEO, has suggested the following:
- Use an SSL certificate and the secure HTTPS protocol instead of unprotected HTTP;
- Install the security patches for your current Magento version;
- Update the Magento version (as of Feb 16 2017, the current release of both Community Edition and Enterprise Edition on the Magento 2 line is 2.1.4);
- Change the link for logging in to the admin panel (instead of exampleshop.com/admin use something like exampleshop.com/myshop4happyclients);
- Put a firewall on the server or hosting (whitelist developers);
- Close the rss and downloader folders to remote access;
- Put an IP limiter on server login (block unauthorized IPs and allow entry only from trusted addresses).
Anton, our project manager, gave the following recommendations:
- Use complex passwords and access points (for instance, as stated above, http://../admin is not suitable);
- Put a password on the entry point to the admin area with htaccess authentication;
- For banking operations, require the CVV (read the recommendations of the Payment Card Industry Data Security Standard (PCI DSS));
- Prevent detailed information about possible errors (stack traces) from appearing on users' screens;
- Pay attention to the software on the device you use to enter the website control panel, as well as to the software environment on the server side;
- Do not forget to update software; it helps 😉
Misha, our backend developer, suggested that the following things should be done:
- Secure the logins and passwords to the site (FTP, SSH, MySQL, etc.);
- Close folders from being viewed (through htaccess);
- Filter SQL queries (protection from SQL injection);
- Access by individual server IP;
- Sometimes file extension substitution is used.
Misha also underlined once again the need to hide errors (sometimes they make it possible to see the directory tree).
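As an added example (this is not code from the original post or from WebMeridian), the following Apache 2.4 virtual-host fragment implements several of the points above at the web-server level: the HTTPS-only redirect, disabled directory listing, suppressed PHP error output, denied remote access to the downloader and rss paths, and HTTP Basic authentication plus an IP allow-list on the renamed admin path. The hostname exampleshop.com, the document root, the certificate and htpasswd paths, the admin frontname myshop4happyclients (in Magento 1 it is set under app/etc/local.xml), and the trusted addresses 203.0.113.0/24 and 198.51.100.7 are all assumptions.

```apache
# Added example, not part of the original post. Assumes Apache 2.4 with
# mod_ssl, mod_rewrite, mod_auth_basic, mod_authz_core and mod_php, and a
# Magento 1.x install whose admin frontName was changed to
# "myshop4happyclients". Hostnames, paths and IPs are placeholders.

# Plain HTTP: do nothing but send everyone to HTTPS.
<VirtualHost *:80>
    ServerName exampleshop.com
    Redirect permanent / https://exampleshop.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName exampleshop.com
    DocumentRoot /var/www/magento

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/exampleshop.com.pem
    SSLCertificateKeyFile /etc/ssl/private/exampleshop.com.key

    <Directory /var/www/magento>
        # -Indexes: never list a directory, so a missing index.php does not
        # expose the tree. AllowOverride All keeps Magento's shipped
        # .htaccess rules (e.g. protecting app/ and var/) in effect.
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Hide stack traces from visitors; keep them in the error log instead.
    # (With PHP-FPM, set the same two values in the pool or php.ini.)
    php_admin_flag display_errors Off
    php_admin_flag log_errors On

    # Magento Connect downloader and the rss endpoints are not needed by
    # shoppers; deny them from everywhere. Remove "rss" from the pattern if
    # the store publishes customer-facing product feeds.
    <LocationMatch "^/(downloader|rss)(/|$)">
        Require all denied
    </LocationMatch>

    # The renamed admin path: a second password in front of the Magento login,
    # AND the client must come from a trusted address. Both conditions are
    # required because of <RequireAll>.
    <Location "/myshop4happyclients">
        AuthType Basic
        AuthName "Shop administration"
        # Created outside the document root with: htpasswd -c <file> <user>
        AuthUserFile /etc/apache2/magento.htpasswd
        <RequireAll>
            Require valid-user
            Require ip 203.0.113.0/24 198.51.100.7
        </RequireAll>
    </Location>
</VirtualHost>
```

Check the file with `apachectl configtest` before reloading, and verify the result from an untrusted address: `/downloader/` and `/rss/` should return 403, the admin path should ask for credentials and still return 403 after a correct password, and every `http://` URL should answer with a 301 to its `https://` twin. `Require ip` and `Require all denied` are Apache 2.4 syntax; Apache 2.2 uses `Order`/`Allow`/`Deny` instead. Basic authentication only adds a layer: the Magento admin account itself still needs a strong, unique password, and the basic-auth password must only ever travel over HTTPS, which the port-80 redirect above enforces.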
Serhiy, another backend developer, added the advice:
- Not to use one password for everything.
Kate, our front-end developer, suggested:
- To have a strong admin password (a mix of uppercase and lowercase letters, digits and extra symbols), and
- To change it periodically, such as once a month.
Protecting your site is an important task that needs ongoing support and a great deal of knowledge and experience. A wise decision could be to outsource technical maintenance to a specialized agency.
The WebMeridian team is willing to help you with that. Send an email to firstname.lastname@example.org and we will check your site for vulnerabilities and suggest all the improvements needed.
Keep your business safe.
Together with WebMeridian team.