When it comes to eCommerce, the safety of you and your customers’ data is a top priority. The Magento team is constantly updating the platform to ensure your eCommerce security. However, there are some best practices that you as the owner of a Magento store can follow to improve the security of your eCommerce website. Have you completed all the steps on the Magento security checklist?
- Upgrade from Magento 1 to Magento 2
- Keep your Magento updated
- Unique username and password
- Secure email
- Activate two-factor authentication
- Boost Magento security with CAPTCHA
- Change your admin URL
- HTTPS or SSL
- Remove unused components
- Backup your Magento store
- Keep the production mode on
- Search your website for threats
1. Upgrade from Magento 1 to Magento 2
Back in 2018, Magento announced that they would no longer support Magento 1 as of June 2020. That date might have seemed far away then, but now it is right around the corner. If your eCommerce store is still running on Magento 1 it is very important that you upgrade to Magento 2. If you need help, there are experienced developers that can ensure a smooth transition.
With Magento 2 your eCommerce store will continue to be protected and improved for years to come.
2. Keep your Magento updated
Once you are running your eCommerce website on Magento 2, you still need to make sure that it is up to date. The Magento team frequently updates their product to provide the best security possible. Installing the latest Magento security patches and updates is an important step to ensure that your eCommerce website is secure. If you are uncertain how to install updates and patches, consider reaching out to a developer.
3. Unique username and password
A lot of people have perhaps a handful of passwords that they use on a range of websites. This is not a very secure system – all it takes is one compromised website and several of your accounts are easy pickings.
The next step on the Magento security checklist is to use a complicated password to access the admin panel that you use nowhere else. The password should also include at least:
- One upper case character
- One lower case character
- One special character
- One digit
It should also be at least ten characters long. Additionally, you should change your username from the standard ‘admin’ to something more unique. Having both a unique username and complex password will make it difficult for bots to brute force their way past your eCommerce security.
4. Secure email
If a hacker gains access to your email account, they can request to reset the password of your admin panel. To prevent this, the email connected to your Magento must also have a unique password that follows the guidelines mentioned above.
Furthermore, the email that you use should be set to private and not be available publicly.
5. Activate two-factor authentication
To further improve your Magento security, use two-factor authentication to log in. Magento has a built-in two-factor authentication extension which you can activate. When logging in, it sends a security code to your smartphone, which you are required to type in to access the admin panel. This second step increases the difficulty for hackers who wish to access your account.
6. Boost Magento security with CAPTCHA
Another way to keep the bots away is to use CAPTCHA on the admin login page. It is an effective way to separate humans from bots and prevent the latter from attacking your eCommerce store. Magento has a CAPTCHA feature that you can easily activate to protect your account.
7. Change your admin URL
By changing the URL to something unlikely you can improve your Magento store security. Magento allows you to change the URL of your admin panel to something unique. While this will not stop a dedicated hacker, it will keep bots from finding the URL to begin. Consequently, the bots cannot brute force their way through your security measures.
8. HTTPS or SSL
If you run your eCommerce store on an unencrypted connection, there is a risk that the data being sent is intercepted. To protect the login credentials and other sensitive data of you and your customers’, it is important to set up a secure HTTPS/SSL URL.
With Magento it is easy to set up an encrypted connection in the store settings configuration menu.
There is another advantage to adopting HTTPS: it is one of the many ranking factors that Google’s search engine uses. As such, this part of the Magento security checklist is also something that you need to do to improve the search engine optimization of your website. Two birds, one stone!
9. Remove unused components
The Magento marketplace offers an impressive range of extensions, templates, and the like. You may install one, try it out, but decide that it’s not a good fit for your store. At that point, you may be tempted to merely disable it and forget about it. However, it is important to the security of your eCommerce website to remove unused components. The fewer components, the lower the risk of your website becoming compromised. It is also important to ensure that the addons that your Magento store uses are up to date.
10. Backup your Magento store
One of the most important steps in your Magento security checklist is getting into the habit of regularly backing up your Magento store files. If something were to go wrong, these backups can prevent interruption of service and data loss.
You should regularly backup your server and database to an external location. Avoid hosting backups on your server as hackers can exploit these and compromise your website. Talk to your hosting provider about offering a database backup solution, preferably one that keeps copies of your data on multiple locations.
11. Keep the production mode on
Although there are several modes that you can keep your Magento website in, each serving their own purpose, it is highly recommended to keep it in the production mode. In this mode, your website users will not be able to see error and exception messages if the system encounters some problems. These messages can include chunks of code as well as information about access, logs, etc., so it’s important that it is not visible to anyone but you.
12. Search your website for threats
Finally, to ensure your Magento store’s security you must also keep an eye on the website itself. There are multiple scanning tools that can help you, including Magento’s own free security scanner. The scanner can help you identify any known vulnerability on your website. It also lets you know if you have missed any Magento security patches.
Furthermore, you should periodically perform a Magento security check of your own. This includes looking for unauthorized admin users and suspicious activity in the admin actions log.
When it comes to your website security it is important that you are proactive. By following this easy Magento security checklist you improve the odds of preventing a security breach, which is infinitely better than cleaning up after one. If you want help to improve the security of your eCommerce store further, do get in touch.