E-Commerce websites are a goldmine for hackers since it contains sensitive information, along with financial details. To protect your E-Commerce website and customer data from potential theft, it is crucial for the retailers to step up their security measures. Magento, one of the popular Open source E-Commerce platforms with more than 2 million customers worldwide, has a secure framework which protects the data from potential hackers.
Even though the platform is secure, there are a few loopholes which can be exploited. Listed below are the top 5 methods to increase the security measures in your Magento E-Commerce website.
1. Correct Permissions To The Folder:
Providing the correct permission to the Magento folder structure is the basic necessity to secure the website from an external force. A majority of the hacked E-Commerce websites do not follow proper folder permissions, thereby inviting trouble. In the folder structure:
- Don’t use extensions that require 777 permissions.
- Always use 644 permission for js, css, html files.
- Don’t provide execute permission to Java Script files. Java Script files are the most vulnerable files for hackers.
If you are not aware of the folder permission number, the below table will help you.
|(r)ead||(w)rite||e(x)ecute||User or Group
|0||NO||NO||NO||--- 0+0+0 = 0|
|1||NO||NO||YES||--x 0+0+1 = 1|
|2||NO||YES||NO||-w- 0+2+0 = 2|
|3||NO||YES||YES||-wx 0+2+1 = 3|
|4||YES||NO||NO||r-- 4+0+0 = 4|
|5||YES||NO||YES||r-x 4+0+1 = 5|
|6||YES||YES||NO||rw- 4+2+0 = 6|
|7||YES||YES||YES||rwx 4+2+1 = 7|
2. Allow Admin Access From Specific IP Address:
Magento Admin access forms the backbone of the entire E-Commerce website. To protect it from a potential attack, it is recommended that only specific IP addresses should be allowed to access the admin module.
The .htaccess code given below will allow the admin panel access from a specific IP address
</i><i> <LocationMatch "admin">
</i><i> Order Deny,Allow
</i><i> Deny from All
</i><i> Allow from <ip address>
3. Create a Customized Admin URL.
Many Magento websites use the default admin URL which is yoursite.com/admin. This increases the vulnerability for hackers to get on to the admin log-in page and start detecting the passwords. This can be prevented by replacing “/admin” with a customized term.
Follow these steps to have a customized URL for admin access.
<b> Locate /app/etc/local.xml
</b><b> Find <![CDATA[admin]]>
</b> Replace the term <b>“admin”</b> with your desired word
Change in Magento Backend
<b>System >> Configuration >> Admin >> Admin Base Url Section
Change <b>“Use Custom Admin URL”</b> drop down to <b>“Yes”
</b>In the “<b>Custom Admin URL</b>” text box enter your customized URL term and click on “<b>Save config</b>”
These settings will create a customized admin URL instead of the default one.
4. Set A Strong Password For Your Magento Backend
Always set strong passwords for the admin module. Use one which has a mix of upper and lower case alphabets, numbers and special characters. Furthermore, set a different Magento admin password from the rest of the other passwords.
5. Moving File Using Only SFTP
While moving files to the live server, it is recommended to use SFTP (Secure File Transfer Protocol). Additionally, a Virtual Private Network (VPN) will provide complete security during the file transfer.
One of the major challenges that E-Commerce retailers face these days is to win the trust of the customer, who is willing to pay his or her money for the product. To achieve that, it is inevitable that E-Commerce companies follow these simple protocols to ensure foolproof security.
DCKAP is an end to end E-Commerce solutions provider specializing in building Enterprise E-Commerce store fronts in Magento. You can reach us at firstname.lastname@example.org (or) 1-877-872-3252 (US) (or) +44(0) 144 250 6383(UK)