Magento Security Practices And Precautions
Security is the key component of any website, especially when it comes to the eCommerce industry, where you have customers’ personal details, credit card details, and more. There are many issues that a website owner and the customer can face during the life cycle of the eCommerce website. As we know, Magneto is one of the most popular eCommerce platforms, which is one of the biggest reasons it is a prime target for security exploiters and hackers.
Magento and its developers continuously work on the solution for fixing and enhancing the security issues and continually release security patches to let the Magneto platform be more secure and healthy.
But yes, it is also one of the important responsibilities of the site admin or the development team to keep the store safe and secure from these attacks. In this article, we will give you some advice that can help you make your store secure.
Precaution 1:
Change Your Admin Password Regularly
It would help if you kept changing the admin password regularly to ensure that it is not leaked to anyone and is new. Also, try to make it a strong password with the combination of alphabets, numbers, special characters, and upper and lower case. It should be tough to guess. Not like your wife’s name: marry123.
Change Password in Magneto 1:
In Magneto 1, you have to follow these steps to change your admin password
Step 1. Log into your Magento admin panel
Step 2. Navigate to System > My account tab
Step 3. On Account Information Tab type a new password and click on the Save Account button
And that’s done. You have changed your password successfully.
If you cannot do the above step via the admin panel, then there is an alternative way to do it. We can do it from the database but not recommended if you are not a database admin.
Step 1. Open database
Step 2. Find and open the table “admin_user” table
Step 3. Click edit for the user you want to edit.
Step 4. Enter a new password, choose MD5 from the dropdown for the password, and click the “Go” button.
Your password has been saved.
Change Password in Magneto 2:
In Magneto 2, you have to follow these steps to change your admin password
Step 1. Open admin panel.
Step 2. Go to System > All Users (Under Permission)
Step 3. Click on User from the list
Step 4. Fill new password and Save User.
And done, the admin password has been changed.
Precaution 2:
Admin URL:
As a security best practice, you should use a unique, custom Admin URL instead of the default “admin” (that is magneto 1) or admin_XXXX (in Magneto 2) or the often-used “backend,” Although it will not directly protect your site from a determined attacker, it can reduce exposure to scripts that try to break into Magento sites.
How to change admin path in Magento 2
There are many ways to change the admin URL path in Magento 2. You can do it through CLI, through the admin interface, or by modifying the env.php file on the server. I am explaining each of these here:
Changing through CLI:
It is not recommended to change it directly from app/etc/env.php, always prefer the CLI:
php bin/magento setup:config:set –backend-frontname=”admin_path”
Do not add the first / in the admin_path as it will result in an invalid parameter exception.
Once done, update this in the admin.
Through Env.php:
This can be done via the admin under Store > Advanced Tab > Admin Base URL section
Changing through env.php (Quick method)
Edit this file:
app/etc/env.php file
Change frontName equal to what url value you want to put,
'backend' => array 'frontName' => 'admin', //keep your custom url name here )
After changing your URL, you must remove your var directory from the Magento root.
Now, the admin url should look like this, http://your_website.com/admin
Through Admin:
Go to magento >admin>Store>Advance>Admin Base Url>
Use Custom Admin URL field change value =YES
Then make Custom Admin URL as per your wish.
Note: Make sure that the base URL ends with ‘/’ (slash), e.g. http://your_website.com/magento/
This will use If you want to change admin full URL
If you want to change admin path then
make:Use Custom Admin Path =Yes and make Custom Admin Path as per as your wish
Other Precautions:
Safe Protocol: Your website or storefront should use “https” instead of “http”. This grants your website additional security.
Keep Checking the Signs of Attacks:
You should constantly check the sign of attacks on your site. This allows you to take appropriate action when needed to secure your Magento platform.
You can achieve this by
- Reviewing any suspicious activity by checking the server logs
- Using the file and data integrity checking tool to get notifications for any potential malware installations
- Audit the core files of Magento as core file should not be edited.
- Using tools such as automated review tools such as Apache Scalp
- Monitoring and keep eyes on all system logins.
Keep upgrading Security Patches or upgrade your store to latest version:
In Magento 2, the internal development of the Magento application, timely update on security patches, new features etc all are on very regular basis. You should look for these updates and whenever it releases, you should upgrade your store to that version.
If you are using Magneto 1 than our suggestion would be to upgrade and migrate your site to Magento 2, as Magento is going to discontinue the security patches or any future updates on Magento 1 after June 2020.
The latest release of Magento 2.3, the all-new version of Magento brings along with it a bucket-load of new features which promises to fill up the gaps and enhance its performance abilities and tighten security. Below we are going to discuss some new security features which is all new loaded in the latest Magento 2.3.0.
Magento 2.3 New Security Features:
1. PHP 7.2 Support: The Magento 2.3 version is having the support of PHP 7.2. This will enhance the performance and add new features to Magento 2.3. It also enhances security related to PHP.Google reCAPTCHA:Google reCAPTCHA is a free service offered by Google to protect a website. It can be used on admin and user login page, registration page, contact form and forgot password page. It has a built-in tool for detecting malicious and spam activities.
This feature is now default in Magneto 2.3 version, while with previous magento versions we have to include it explicitly. So, this is one more enhancement which is provided by Magneto 2.3 , i.e the latest version of Magneto 2.
3. Cache management ACL : Cache management is an important aspect and the latest update of Magento 2 series have got you covered. Its cache management ACL provides fine-grained admin control through which you assign access to view and delete your store caches and thus prevent any kind of accidental changes from affecting the performance of your Magento store.
4. Two-factor authentication: Apart from the Google reCAPTCHA, Magento 2.3 has another layer of protection known as the two-factor authentication. To use it, a user will have to enter their username and a passphrase. Then, they will need to provide another information supplied by the Google Authenticator app to gain access to the website.
It has three methods i.e. Google authenticator, Duo security and Auth. It helps to protect your website from malicious attempts to gain access to your Magento admin panel.
5. All new encryption and decryption: All new encryption and decryptionwill now be handled by the sodium library in which, we will remove the PHP encryption module ‘mcrypt’ and migrate to Libsodium for password hashing.
So, with all these things, keep in mind we must say that with all new version Magento 2 is going to be more secured and we need to update our store continuously for creating secure environment. If you have store in magneto 1 then either upgrade to security patches which are provided by Magento, however, as we already mentioned that the support of Magneto 1 will be ended by June 2020, It is wise to upgrade store in latest Magento 2 version.