This may seem odd or out of place, but let me assure you that keeping your store safe is one of the best ways to help your sales and bottom line.

Several bad things happen when a website is hacked. Most of the time the hacker is stealing your customers’ credit card information.

Your customers will immediately see warnings from the antivirus software on their computers. This will cost you a sale and potentially a repeat customer.

Repairing a hack will be expensive. It is time consuming for developers to remove the hack, upgrade the Magento code, upgrade all of the extensions being used, secure the server, and find and remove the backdoor the hacker used to get in. It takes a skilled developer and a multitude of scanning methods to get the site clean.

If you have enough sales on your website, or let the issue go on long enough, Visa and Mastercard will shut down your website. You will be forced to go through time-consuming technical steps, complete lots of paperwork, and potentially move hosting servers.

All of this is bad. So here is how to prevent it.

Regularly Run Scans

  • Log in to https://account.magento.com/ and click Security Scan -> Go To Security Scan
  • When the scan tool loads, locate your website in the list, and under Actions select Run Scan to start the scan
  • The scan may take several minutes to complete. When it’s finished you’ll be able to view the results by clicking on the View Report button
  • If you want to scan the site at regular intervals you can choose Edit from the Actions menu and set the scan to run weekly or daily

If you’re infected you need to reach out to a qualified developer immediately. 

Hide Magento version

Check your Magento version by logging into your store’s admin backend and looking down to the bottom right corner. If you’re on a version earlier than the latest Magento version you should hide the version you’re using.

You can do it from the command line by running:

php bin/magento module:disable Magento_Version

Change the Admin URL

Every Magento site starts with the admin URL at example.com/admin. A hacker can use a simple script to try millions of usernames and passwords to get in. Changing the URL makes it a bit harder.

You can do this by editing the file app/etc/env.php and changing the ‘admin’ to something more complicated to figure out.

Manage Admin Users

Remove inactive users

Many admin users can get added over time. They should be regularly reviewed and removed or set to inactive. People come and go from your company, development companies come and go without managing their own access, extension creators get temporary accounts for support, and so on. If you’re not careful and haven’t kept your code up to date, there might be an unknown user back there.

  • Log in to your Magento Admin dashboard and click System -> All Users
  • Here you’ll see a list of all the site users. You can filter by name, email, user role, and whether they are active or inactive
  • Locate the user you want to remove and click on them. When the page loads you should see their user details displayed
  • You can delete the user by entering your current password in the Your Password section and selecting Delete User in the upper menu

Remove Unnecessary User Permissions

It’s quick and easy to create a user with full permissions but most of your team won’t need access to everything. Create users with restricted permissions, notably restricting the Settings and Configuration areas for extra security.

  • Log in to your Magento Admin dashboard and click System -> User Roles
  • Here you can view existing roles; to add a new role click Add New Role in the upper right
  • Give your role a name and then navigate to the Role Resources menu
  • Set the Resource Access drop down to Custom and then choose the access this role should have
  • When you’ve finished click Role Info, enter your password in the Your Password section and select Save Role
  • After saving the role you’ll be taken back to the User Roles screen; to add users to this role simply click on the role name
  • After the role loads click Role Users and select the users who should be assigned this role. You can tell a user is assigned by the checkbox displayed next to their user ID
  • When finished, navigate to Role Info, enter your password in the Your Password section and click Save Role to save your changes

BONUS: Amasty offers an extension that mimics the Adobe Commerce version (formerly Magento Enterprise) of logging users’ actions. This is great to see which user is doing what but it also can help management make sure their team is following the right steps and catch who is breaking things if it becomes a problem.

Admin Actions Log for Magento 2 

Lock down the admin area

Add two-factor authentication

Magento comes with a Two-Factor Authentication capability (or 2FA) to help secure your admin panel. You can turn it on with the following steps.

  • On the Admin sidebar, go to Stores > Settings > Configuration.
  • In the left panel, click Security and choose 2FA.
  • In the General section, select each Provider to use
  • Adjust the settings
  • Save

I prefer Authy because it’s easy to use. You simply download the app from their website and add the Magento site to it. You open the app when you’re ready to sign in and copy/paste the code that appears automatically. Unfortunately, you will need to sign up for a Twilio account to create the API key.


Use ReCAPTCHA

To prevent a brute force attack or bots from trying to sign into your admin over and over, you can enable a CAPTCHA on the admin login page. Magento has simple instructions on how to add reCAPTCHA to your Magento admin login page.

Essentially, you will go to the Security -> Google reCAPTCHA tab and add and enable the keys that you obtain from the Google reCAPTCHA site. It only takes about 15 minutes to get squared away.

Get Rid of Unused Extensions

Using an extension is a great way to accomplish something fast and save money. But you need to pay the extension company to keep up with the latest version and often a developer to update it. If you’re not using it just get rid of it.

To remove an extension like Amasty’s Affiliate, you can do it like this:

php bin/magento module:disable Amasty_Affiliate

composer remove amasty/affiliate

Add patches

Magento constantly comes out with security patches and bug fixes. Keeping your store up to date increases security and reduces errors your customers face when checking out and buying your products.

Magento offers a mailing list (you can sign up here) to find out when patches come out. We recommend using a developer for this because it’s technical, but here’s an overview. You will log into your server, add the Quality Patches tool, and then you can see and apply patches. Backing up your website and testing on a staging server before applying patches is critical, because a patch could break your website.

ssh username@yourserver

composer require magento/quality-patches

./vendor/bin/magento-patches status

This will install the Quality Patches tool and show you the status of all patches. The output will look something like this.

It tells us there are 121 patches available. You can see from the categories some of these may be highly relevant to your customer’s experience, such as Checkout, Shopping Cart, Shipping, Customer, etc.

You will be prompted for the number of the category. If you type 6 you can see all the patches related to email. Here is an example of a bug that this patch would fix.

We certainly don’t want old sales emails going out so let’s patch it.

./vendor/bin/magento-patches apply MDVA-32545

To check to see if the patch is applied we can run the Quality Patches tool with the --no-interaction flag (-n for short) and grep the output for our applied patch.

./vendor/bin/magento-patches -n status | grep 32545

Ideally nothing shows up. If you see “Not applied” returned, something went wrong.

If you need to revert the patch do it like this.

./vendor/bin/magento-patches revert MDVA-32545

Configure your server

Set Core Magento 2 Files and Folders to Read Only

A simple step for extra security is to set the file permissions to read only. Some directories need more accessible permissions so it is common for developers to unknowingly make the entire application fully accessible with read, write, and execute permissions. It’s not good when the world outside of your application and server can execute commands against your site’s files.

To get around this, lock down your files to read-only (files 644, directories 755) like this:

find . -type f -exec chmod 644 {} \;

find . -type d -exec chmod 755 {} \;

Next let’s make sure Magento is in production mode 

bin/magento deploy:mode:set production

Then make sure only the proper files and folders are writable and the rest are locked down:

find app/code var/view_preprocessed vendor pub/static app/etc generated/code generated/metadata \( -type f -or -type d \) -exec chmod u-w {} + && chmod o-rwx app/etc/env.php

Finally, make sure the Magento command line tool is executable:

chmod u+x bin/magento
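The commands above set the permissions; what is usually missing is a way to check that they stayed that way. The script below is an added example, not code from the original post, and it audits a document root for world-writable files and directories, checks that app/etc/env.php (which holds the database credentials) is not readable by “others”, and applies the same 644/755 scheme described above. The demo tree it builds is constructed for the example and its paths are assumptions; point the functions at your own store root.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix file permissions
# under a Magento document root. Demo paths are constructed for this example.

# Print every file or directory under $1 that is writable by "others" (o+w).
list_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \)
}

# Count of world-writable entries under $1 (0 is the goal).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) only if file $1 has no read, write or execute bit for "others".
# find prints the path when at least one "others" bit is set, so an empty
# result means the file is private to its owner and group.
others_have_no_access() {
    [ -z "$(find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \))" ]
}

# Apply the scheme from the post: files 644, directories 755, and
# app/etc/env.php additionally stripped of all "others" bits (chmod o-rwx).
harden_tree() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
    if [ -f "$1/app/etc/env.php" ]; then
        chmod o-rwx "$1/app/etc/env.php"
    fi
}

# Constructed demo tree (not a real store) with deliberately loose permissions:
# a world-readable env.php, a world-writable file and a world-writable directory.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/app/etc" "$demo/pub/media"
    printf '<?php return [];\n' > "$demo/app/etc/env.php"
    printf 'x\n' > "$demo/pub/media/upload.php"
    chmod 644 "$demo/app/etc/env.php"       # DB credentials readable by everyone
    chmod 666 "$demo/pub/media/upload.php"  # world-writable file
    chmod 777 "$demo/pub/media"             # world-writable directory
    printf '%s\n' "$demo"
}

# Stand-alone run: audit the demo tree, harden it, audit again.
root=$(make_demo_tree)
echo "world-writable entries before: $(count_world_writable "$root")"
list_world_writable "$root"
harden_tree "$root"
echo "world-writable entries after:  $(count_world_writable "$root")"
if others_have_no_access "$root/app/etc/env.php"; then
    echo "app/etc/env.php is private to owner and group"
fi
rm -rf "$root"
```

Run `count_world_writable /path/to/store` from cron and alert when it is not 0; that turns a one-time cleanup into an ongoing check, and a non-zero result after a deployment usually means a deploy script or an extension installer reset the permissions.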

Setup Automated Activity Reviews

There’s a module that allows you to keep track of the following activities:

  • Easily track every admin activity like add, edit, delete, print, view, mass update etc.
  • Failed attempts of admin login are recorded as well. You get access to the user’s login information and IP address.
  • Track page visit history of admin.
  • Track fields that have been changed from the backend.
  • Allow the administrator to revert the modification.

Setup a Monitor and Data Integrity Tool

Checking for files changed on your server is a great way to catch hacks as they occur so you can quickly remove them to keep your customers safe. There are a few ways to do this and it should be done by a qualified server administrator who understands Magento. But we’ll give you a few ideas.

You can use a bash script, run by a cron job (a fancy way of saying a server task that runs on a regular schedule), to check for file changes and email your team when they occur.

Git is a great way to monitor your file changes. Most likely you already have Git installed on your server and your code is in a Git repository. If this is the case you can use “git status” to see new or modified files. This comes with limitations since many of your files won’t be in Git.

Another route is to use the find command to look at files modified within the last day. Something like this


find store/vendor/ -mtime -1 -ls

To be thorough it should be more robust and a server admin would be needed. This method should work with your deployment plan to check against when things were pushed live to the server and check around or after that.

Restrict the server access

You don’t want anyone and everyone to be able to access the code or database on your server. The server should have a firewall to help you with this. To protect it restrict access by whitelisting only the IP addresses that need access. 

Make sure that FTP access is disabled. FTP is insecure and should not be used. If you need access to the code you could enable SFTP. 

The best approach would be to have no one accessing the server and use an automated integration tool to deploy. Then you can lock down your server to only be accessible with SSH and an SSH key. This limits access by the IP address and the specific computer of your developer or server admin.
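“Only accessible with SSH and an SSH key” comes down to a handful of sshd settings. The script below is an added example, not code from the original post, that reads an sshd_config the way sshd itself does (the first occurrence of a keyword wins; Match blocks are not handled) and reports whether password logins, keyboard-interactive logins and root logins are off and public-key login is on. The two configs it checks are constructed for the demo, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd settings behind
# "SSH key only" access. The sample configs below are constructed for the demo.

# sshd_setting FILE KEYWORD DEFAULT: effective value of KEYWORD (lower-cased),
# taking the first non-comment occurrence like sshd does, or DEFAULT if absent.
sshd_setting() {
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE: one OK/FAIL line per setting. The third field of each
# spec is OpenSSH's own default for an absent keyword (PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0).
audit_sshd_config() {
    for spec in \
        "PasswordAuthentication:no:yes" \
        "KbdInteractiveAuthentication:no:yes" \
        "PermitRootLogin:no:prohibit-password" \
        "PubkeyAuthentication:yes:yes"
    do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(sshd_setting "$1" "$key" "$def")
        if [ "$have" = "$want" ]; then
            echo "OK   $key = $have"
        else
            echo "FAIL $key = $have (want $want)"
        fi
    done
}

# Number of FAIL lines for FILE (0 is the goal).
count_sshd_failures() {
    audit_sshd_config "$1" | { grep -c '^FAIL' || true; }
}

# Constructed demo configs: the weak one still allows password and root logins.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed example: password logins and root login allowed
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed example: key-based access for a single deploy account only
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers deploy
EOF

echo "weak config:";     audit_sshd_config "$WEAK_CFG"
echo "hardened config:"; audit_sshd_config "$HARD_CFG"
```

Run `audit_sshd_config /etc/ssh/sshd_config` on the real host and restart sshd only after confirming from a second session that your key still works; on older OpenSSH releases the keyboard-interactive keyword is spelled ChallengeResponseAuthentication, so check that name as well. The firewall rules that limit SSH to your own IP addresses sit in front of all of this and are a separate check.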

Use a good Magento hosting company

A great hosting company will have some extra rules in place to lock down your admin area and restrict the code from doing certain things that it shouldn’t. Your host should have a reliable nightly backup system in case things go awry. They should also have the support to run scans and give you some ideas and help if you’ve been compromised.  

An overly simplified example is if you run the command 

find store/vendor/ -mtime -1 -ls

And you notice a file is modified you might run 

history | grep filename-that-is-modified 

If you see the file in your server’s bash history log you could have your server team check the SSH or Auth logs to see which IP address was in the server during the time the file was changed.

A good hosting company is irreplaceable. They will understand Magento and will help keep your website fast, help you debug basic things, and know what to look for when you have issues.