Ask your Question



Moradabad,  India

Jacobus,  United States

Software Developer

NOIDA,  India

Web Developer

Elkhart,  United States

PHP Developer

Noida,  India

Write to us

Ask Question

Security Best Practices for Magento

Ritu  Arora
Security Best Practices for Magento

Do you know that, if you are an owner of Ecommerce Business and your site is still compromised in terms of security practices, than it can really turn out to be a great blunder for you and your customers? These sites often require the payment information to complete an order and thus get more prone to hackers. They may reroute the processing to false page, thus causing the loss to both merchants and the users.

So, to avoid the things like financial loss, threat of lawsuits, changes in processing fees or the identity theft, we have come up with this simple guide that you can follow to improve the security of your Magento Installation. Let’s take a look-

  1. Choice of Hosting Provider- Choose only the ones those are found reliable after the research. The reliable company will have more strong approach towards the security.
  2. Safe Solution Integration- Just make sure that the opted SDLC (Software Development Life Cycle) works according to the safety standards of Industry and the ready code is pre-tested for all security issues.
  3. Embrace HTTPS for enhanced security- Use the securely encrypted HTTPs Channel for the enhanced security in existing as well as new websites. It is also being considered as a ranking factor by Google nowadays.
  4. Server Safety- You need to make sure that no unnecessary software should be running on the server. You can do this with the help of your hosting provider. In case of Magento with the Apache Web Server, there is an .htaccess file to protect system from unwanted harm.
  5. Periodic Updates- Make sure to always keep the system updated and use only unique periodically changed passwords.
  6. Unauthorised Access- Cron.php file should not be open to everyone. So, you can just limit its authorization by IP Address or can execute it directly through the system cron scheduler. The two-factor authorization can be deployed for secure Admin Login.
  7. Automated Deployment- Automating the process will make it secure that can be further more protected using the private keys for data transfer.
  8. Avoid Direct Installations- Do not install extensions directly on a production server and to avoid this practice, you can even disable the Magento Connect downloader on the production site.
  9. Clear all leftovers from the Development- The accessible log files, publicly visible .git directories, tunnels to execute SQL, database dumps, phpinfo files can prove harmful if used in an unauthorized way. So make sure to review all these before moving ahead after the development process.
  10. Limited Outgoing Processes- Use only limited and necessary outgoing connections and not the general ones to avoid interruption. For an instance, Payment Integration is a necessary part and thus we cannot just avoid that. But still using a Firewall can help us track any suspicious activity from the attackers.
  11. Avoid Vulnerable Software Installation- Just try not to run any other software on the same server as Magento. You can use some separate server for the same.
  12. Antivirus Software- Make sure that the updated antivirus software is installed on the system and is ON for the Malware Scan.
  13. Security Review- To check whether your site is compromised or not, periodic security review should be done. One can review Admin Action Logs using The specialized tools like Apache Scalp and implement an Intrusion Detection System (IDS) on network for detecting any unintended malware installation.


Things to Take Care While Magento Installation:

  1. Use Latest Magento as the fresh version will ensure that the most recent security enhancements are included in your package. And if not possible, just install all the security patches recommended by Magento.
  2. Use a Standardized custom URL to minimize the exposure of your Magento Site to external risks.
  3. Focus on the file permissions and make most of them as read only files. The other systems like testing, development or staging etc. should also not be given access for security enhancement practices.
  4. Magento Admin should always have strong password and it should not be disclosed to anyone.
  5. Extensions should be installed only from trustworthy sources and should always be reviewed before installation.
  6. Always have a backup plan in case of any disaster. You can even contact your hosting provider to have a professional database backup service.

Steps to Follow In case of Security Breach

If the case happens where security gets compromised than try to find the scope of such intrusion with the help of your IT security personnel, hosting provider and the system integrator and do the following things on the first note:

  1. Block each access to the site to avoid further loss of data.
  2. Backup the site from current state to gather the evidence of installed malware or affected files.
  3. Look into the scope of attack and how much it has affected the system.
  4. Review the changes in server log files.
  5. If there is much that has changed, just reinstall it all again. Reinstallation when done with the original distribution files from promise clean source, hence less chances of malware.
  6. After reinstalling just reset the credentials and payment information.
  7. Last but not the least, inform all your customers about the affected system and the attack. This way they will be save from the unauthorized transactions and it will increase your reliability in the market.

So, just follow this Magento Security Checklist and enjoy the robust ecommerce development solution!


Ritu  Arora

Please rotate your device

We don't support landscape mode on your device. Please rotate to portrait mode for the best view of our site