After watching the recent panorama documentary on the recent TalkTalk hack, it made me wonder how vulnerable many of the Magento sites where and what can be done to tighten Magento’s security.
Many opensource platforms are often hacked for example WordPress is a regular culprit , though it’s not as widespread that the core code has vulnerabilities it’s usually a rogue plugin or one that hasn’t been updated, with WordPress’s built in automatic updating it has a bit more protection.
Magento doesn’t have such frequent easy updating but recently the Magento team have released a flurry of patches, in what seems to be either that they have woken up to the fact that Magento in it’s previous incarnation had many exploits or that retailers have fed back to Magento. Whatever the case like any opensource platform continual updates are required especially in an ecommerce environment.
Magento and other ecommerce systems will be a prime target for hackers, thousands of un-encrypted customer details and in most cases it’s in-practical to encrypt them so your left with the only option of tightening up server security and the application itself.
So what steps can you take to secure Magento?
Patch/Upgrade
Install the most up to date patches
http://magento.com/security-patch
As of writing there are around 15 patches for community edition, depending on which version you have installed.
https://www.magentocommerce.com/download
Alternatively upgrade Magento to the most current release, as it includes all current patches 1.9.2.2
Upgrade to the next version 2.0
Probably not viable for most retailers just yet
PCI Compliance
Any ecommerce should be PCI compliant even if your taking payments offsite it’s worth having a PCI scanner in place. For that I would recommend using Trustwave some PayPal integrations require it anyways.
This will scan your site for common exploits, you might be surprised by what it picks up.
https://www.trustwave.com
Strong SSL
Ensure your using a strong cipher suite and your webserver is set up to use the correct protocols.
https://www.ssllabs.com/ssltest/
Run your site through SSL Labs for any recommendations, A or above rating is recommended.
Change the admin path
A simple yet effective change to move the /admin to somewhere else, edit your config xml including the following.
<admin> <routers> <adminhtml> <args> <frontName><![CDATA[admin]]></frontName> </args> </adminhtml> </routers> </admin>
If this isn’t an option as it can break some plugins, then request your server admin add (if not already installed) a rule to fail2ban to prevent attacks on the /admin folder.
Prevent access
To magento’s directories, see a complete list in the bottom example.
directly in the vhost (Apache):
LocationMatch ^/(app/|var/) >
Require all denied
Nginx:
location ^~ /app/ { deny all; }
location ^~ /var/ { deny all; }
Alternatively you could return a 404
location /app/ { return 404; }
location /downloader/ { return 404; }
location /errors/ { return 404; }
location /media/ { return 404; }
location /assets/ { return 404; }
location /images/ { return 404; }
location /skin/ { return 404; }
location /includes/ { return 404; }
location /lib/ { return 404; }
location /media/downloadable/ { return 404; }
location /pkginfo/ { return 404; }
location /report/config.xml { return 404; }
location /shell/ { return 404; }
location /var/ { return 404; }
Also make sure to include any external import/export tools e.g Magmi
Turn on SSL for the admin
Ideally you should have your entire site as SSL, this can affect performance on lower end servers.
Use strong passwords
Simple but obvious, this is probably the single biggest threat. Make it easy to remember but hard to guess, a password generator might not be useful here unless you use a password manager. Ideally use two-factor authentication
Through this extension: http://www.xtento.com/magento-extensions/two-factor-authentication-enhanced-admin-security.html
Restrict admin by IP
Ideally this would be better sitting in the apache/nginx config, but if you don’t have that kind of access or want GUI control there is a free module.
http://www.magentocommerce.com/magento-connect/et-ip-security.html
Use a more granular admin permission module
This allows you to control in a more detailed way what each admin user can do.
http://www.aitoc.com/en/magentomods_advanced_permissions.html
Even if it’s just you managing your site, you could have a master login and editor role, to limit the use of full access.
Advanced server side
More advanced server side implementations should include:
Install fail2ban
As mentioned above you can set it up to restrict the login attempts on /admin but more globally attacks on SSH and other services.
Use of hard/soft firewall
Any server should have a software firewall in place locking down ports that should not be open, ideally a hardware firewall gives more concrete protection.
Correct permissions on folders
Configuring which folders have read/write access ideally all should be read-only accept where required.
Anti virus installation
ClamAv or any other virus install a personal favourite on windows is ESET, it’s a worthy note you should have this on your personal/work machine’s too.
Code monitors
Use of products like CodeGaurd that alert you of code changes, there’s also sucuri, this would help spot simple iframe injections or other code injection attacks where the site is kept running with an unobtrusive line of malware injected into your index.php files or other index files.
DNS level protection
Use CloudFlare for DNS level blocking and DDoS protection.
Use a load balancer
Whilst not essential this can help prevent DDoS attacks and hide your main server IP, it also gives you lots of flexibility in changing/upgrading your server.
Change SSH port
This does cut out a lot of the attacks, there’s arguments for and against this as a hacker could easily find the port, but this will prevent the thousands of automated attacks.
Disable non secure FTP
It’s not enabled by default on most linux distro’s but if you have something like cPanel installed it may be.
Jail SFTP users & Jail Apache/Nginx
Effective in locking down what users can access, and possibly preventing further access to other parts of the system.
Remove .htaccess / disable AllowOverride and put the configuration directly in the vhost file. (Apache Only)
Moving the config further up the chain makes it harder for hackers to change the site configuration in combination with the jail it would be difficult for someone to make a change to the apache configuration for the site.
Disable Postfix and other mail services and use Mailgun/Mandrill instead
Recently a server I look after was compromised and was sending out spam emails via postfix. It’s best to disable these services unless you understand properly how to secure them. Mailgun and Mandrill both have limits in place that would prevent this kind of attack.