Security online is a seriously hot topic. Your store needs to be secure and reliable for both you and your customers. Why? Well, for starters, you have access to sensitive data: everything from your customers’ names and email addresses to their bank details and shopping preferences. This is data that needs to be managed sensibly, safely and with sensitivity.
We’ve rounded up a few common Magento security failures, how you can avoid them, and maintain a safe eCommerce business.
1. Ancient software
There’s nothing useful or cool about vintage software when it comes to security. The fastest way to make sure your site (Magento or otherwise) is secure is to keep it all up to date and running on the latest version with the latest updates. That’s because new releases of the software ship alongside the latest security patches.
Magento is pretty active when it comes to patching, and patches can be released as often as every three months. That means you really need to keep your eye on the ball. Stay current with Magento updates to avoid Magento security failures and keep your site running at optimum performance and maximum safety.
2. Secure your admin URL
Securing your admin URL is crucial in preventing hackers from gaining access to your Magento site. A standard Magento admin URL is pretty easy to guess (usually it’s /admin or index.php/admin), and that makes it an equally easy target for hackers looking for vulnerabilities in your online store. With access to your admin URL, the wrong people can see your store platform and file structure, and use that to gain access to some of your more sensitive details. Hackers are primarily looking for account information and credit card details. Luckily you can combat this Magento security fail by securing your admin URL behind the scenes. This means making the admin path invisible to anyone scanning the internet for it. You want an address that only you and your team know. In Magento 2, you can change your URL through the Admin Panel. Go to Configuration, then Advanced and click Admin. You can then customize your path.
3. Playing with passwords
Just as your customer account details are prime targets for hackers, so too are your admin users. If you have multiple logins, then chances are any old passwords and guessable usernames can leave your Magento site vulnerable. Remember to change your admin passwords frequently. You can do this manually or use password generators to create long and complex passwords. Alternatively, use a password manager to both create and store multiple passwords. Online password managers are useful should you have a large team who all need access to your site, yet you still want to ensure high security and password protection. With Magento (both 1 and 2) there is also the option to add an extension that adds two-factor authentication, locking your security down even more effectively.
It goes without saying that the more complex your username and password, the better you’ll be able to prevent a Magento security fail.
4. An eye on all your updates
You may have the latest version of Magento and all your security patches in order (remember Magento 2 is an open-source platform, so patches and updates are frequent), however it’s just as important to keep your Magento extensions up to date. These too can have security failures and affect your Magento store.
In fact, according to the latest research, Magento Extensions, or modules, are the main source of Magento security failures. This is perhaps one of the most frustrating things about a Magento security lock-down for your site, simply because, if you have multiple extensions, keeping them all up to date can be a real headache. This is when having your own developer, or an experienced expert, onboard can pay dividends. They know what to look for and how to keep your site running at its most secure, no matter how many extensions you’re running.
5. Review and remove
A good spring clean of your site to clear out old API access accounts and admin accounts does more than keep things tidy; it keeps your site security up to scratch. Check that the owners of existing admin accounts are reviewing their passwords regularly (as mentioned above) and clear out anything that is not being used.
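The admin-path check from section 2 and the account spring clean from section 5 can be scripted as a local audit. This is an added example, not code from the original article or from Magento: it assumes a Magento 2 `app/etc/env.php` (where the admin path lives under `backend.frontName`) and a constructed list of admin users in the shape of the `admin_user` table; the remediation command named in the finding is Magento's own `bin/magento setup:config:set`.

```python
import re
from datetime import datetime

# Constructed sample of a Magento 2 app/etc/env.php still on the default admin path.
SAMPLE_ENV_PHP = """<?php
return [
    'backend' => [
        'frontName' => 'admin'
    ],
    'db' => ['connection' => ['default' => ['host' => 'localhost']]]
];
"""

# Constructed sample rows shaped like admin_user (username, is_active, last login); not real data.
SAMPLE_ADMIN_USERS = [
    {"username": "admin", "is_active": 1, "logdate": "2024-03-01 09:12:00"},
    {"username": "jsmith", "is_active": 1, "logdate": "2023-06-15 17:40:00"},
    {"username": "old_agency", "is_active": 0, "logdate": None},
]

GUESSABLE_USERNAMES = {"admin", "administrator", "root", "magento", "test"}
DEFAULT_ADMIN_PATHS = {"admin", "backend"}

def admin_front_name(env_php):
    """Return backend.frontName from env.php text, or None if it is not set."""
    m = re.search(r"'frontName'\s*=>\s*'([^']*)'", env_php)
    return m.group(1) if m else None

def audit_admin_path(env_php):
    """Section 2: flag a missing or default admin path."""
    name = admin_front_name(env_php)
    if name is None or name.lower() in DEFAULT_ADMIN_PATHS:
        return [("admin-path", f"admin path {name!r} is the default; set a custom one with "
                 "bin/magento setup:config:set --backend-frontname=<new-path>")]
    return []

def audit_admin_users(users, now, max_idle_days=90):
    """Sections 3 and 5: flag guessable, disabled and idle admin accounts."""
    findings = []
    for u in users:
        if u["username"].lower() in GUESSABLE_USERNAMES:
            findings.append((u["username"], "guessable username; rename or replace"))
        if not u["is_active"]:
            findings.append((u["username"], "disabled account still present; remove it"))
            continue
        last = datetime.strptime(u["logdate"], "%Y-%m-%d %H:%M:%S") if u["logdate"] else None
        if last is None or (now - last).days > max_idle_days:
            findings.append((u["username"], f"no login in {max_idle_days} days; review or remove"))
    return findings

if __name__ == "__main__":
    for who, msg in audit_admin_path(SAMPLE_ENV_PHP) + audit_admin_users(SAMPLE_ADMIN_USERS, datetime(2024, 4, 1)):
        print(f"[{who}] {msg}")
```

Point `admin_front_name` at the real `env.php` contents and feed `audit_admin_users` rows exported from `admin_user` to run it against a store.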