Security Checklist - File Permissions in Magento 2

A store website always holds financial information that attackers want to steal and misuse. Once that information is taken, both merchants and customers suffer heavy damage. Customers lose their personal and payment details; merchants may suffer a hundred times more. For instance, a customer clicks somewhere on your website and is redirected to a link that delivers malware, which then breaks into their bank account. This certainly damages your store's reputation, and you may even run the risk of being threatened with lawsuits.
To reduce the risk to your website, we suggest the following list of methods to strengthen your security and avoid becoming an easy target for attackers. The list may seem a bit long for busy people, but the more of it you do, the more secure your business is. We have made it as easy to follow as possible, so let's get started!
It is important to back up your Magento store so that you can save the database and rebuild the website if necessary. You can back up Magento from the admin control panel or manually with online backup tools. Below are the steps to back up your store with the backup tool in the admin.

1. Go to System > Tools > Backups.
2. Choose the type of backup:
   - System Backup to back up all files of your store website,
   - Database and Media Backup to back up the database and the contents of the media folder, or
   - Database Backup to back up the database only.
   In the System Backup section, you can leave the media folder out by ticking Exclude media folder from backup.
Changing your Admin URL makes your store's admin page harder for wandering internet users to find and less attractive to attackers. Magento 2.0 therefore lets you change the backend URL from the store admin configuration. Here is how to change the backend URL in Magento.

1. Go to Store > Settings > Configuration.
2. Open Advanced > Admin.
3. Enter the new Admin URL, for example http://yourdomain.com/magento/.
4. Click Save Config when you are done.
Logging in to your account from a public hotspot, or sending your account information across an unencrypted connection, exposes it to interception. If that happens, you may lose all store data and end up with a compromised website. To eliminate this threat, we suggest requiring HTTPS/SSL in Magento to secure the connection.

To use secure HTTPS/SSL URLs:

1. Go to Store > Settings > Configuration.
2. Open General > Web.
Using a strong password for your Magento store is definitely the easiest way to strengthen your website's security. To know whether your password is strong enough, check the list below.
New versions of Magento are released to fix bugs, add new features and make other essential upgrades. Most security issues are discovered and fixed in the new version. Therefore, upgrading your Magento system to the latest version is absolutely necessary. This not only saves you time dealing with problems from the previous version, but also strengthens your security.
The Two-Factor Authorization Extension ensures that only trusted devices can access your Magento backend. It enhances your security by requiring a time-based passcode when logging in to Magento. With this second security layer, a stranger cannot break into your Magento store even if they know your password. To hack your store, an attacker would need the unique admin login page, a secure username and password, and your smartphone in their possession, which is practically impossible. The double-secure process of the Two-Factor Authorization Extension is therefore an absolute anti-theft tool for your Magento admin.
It is recommended to check your web server logs regularly and look for errors or suspicious activity. This helps you detect attackers early and prepare your Magento security for new threats. Unusual events such as many failed login attempts, logins from an unfamiliar location, or logins failing because of a wrong passcode should be noticed and their source blocked. You can also integrate an Admin Actions Log extension to identify and manage suspicious logins.
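The log check described above, as an added example (not from the article): a POSIX shell function that reads an Apache/nginx combined-format access log and reports client addresses that POST to the admin path more often than a threshold. Every POST to the login form counts, successful or not, so a burst from one address is an indicator worth investigating and blocking, not proof by itself; the admin path /admin and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# flag_admin_bursts LOGFILE ADMIN_PATH LIMIT -> prints "ip count" for each
# address with more than LIMIT POST requests under ADMIN_PATH.
flag_admin_bursts() {
    awk -v path="$2" -v limit="$3" '
        # combined format: ip - user [time] "METHOD URI PROTO" status size ...
        # $6 carries the opening quote of the request field, $7 is the URI
        $6 == "\"POST" && index($7, path) == 1 { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }
    ' "$1" | sort
}

# Constructed sample log (TEST-NET addresses); prints the temp file path.
# 203.0.113.7 hammers the login form, 198.51.100.2 is one normal login,
# 192.0.2.9 is a shopper POSTing to the cart.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:02:10 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:02:11 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "POST /checkout/cart/add/ HTTP/1.1" 200 412 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Example run: report any address with more than 3 admin POSTs.
flag_admin_bursts "$(make_sample_log)" /admin 3
```

If you changed the Admin URL as described earlier, pass that path instead of /admin; a real log would be the web server's access log rather than the constructed sample.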
If your Magento installation has many stores with many administrators managing the backend, you should create a whitelist of authorized IP addresses. All other IP addresses will be blocked from accessing the admin page. This can be done via .htaccess, or you can use the Apache directive LocationMatch.
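Both forms of that whitelist, as an added example (not from the article). The LocationMatch form belongs in the virtual host configuration, because Location sections are not permitted in .htaccess; the mod_rewrite form is the equivalent for the .htaccess in the Magento document root. The addresses and the admin front name "admin" are assumptions; if you changed the Admin URL earlier, adjust the path in both rules, and behind a reverse proxy or CDN, Apache must be told the real client address (mod_remoteip), otherwise every visitor appears to come from the proxy.

```apache
# Virtual host configuration: only the listed addresses may reach /admin
<LocationMatch "^/admin(/|$)">
    Require ip 203.0.113.10 198.51.100.0/24
</LocationMatch>

# Equivalent in .htaccess (mod_rewrite), where <LocationMatch> is not allowed
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin(/|$)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]+$
RewriteRule ^ - [F]
```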
The reasoning and approach for using a private, secure email address are similar to those for having strong passwords for your Magento store. An email address contains personal information and is connected to many other website accounts. The harder an email address is to find, the safer your private information is. Moreover, you should also configure your email security well to safeguard your Magento store.
We recommend using and updating the latest anti-virus software to protect not only your computer but your entire online working process. The newest anti-virus version detects the most recently released viruses and minimizes the risk of attacks on your Magento system. Hackers do not rest, so do not let them take advantage of your distractions.
Magento 2 requires certain file system permissions, which are different from ownership. Ownership determines who can perform actions on the file system; permissions determine what that user can do. To make sure other users cannot tamper with your files and folders, set file permissions when you log in to your Magento server.
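A read-only audit for the point above, as an added example (not from the article or Magento's own tooling): it lists files and directories in a Magento 2 tree that any local user could modify (world-writable) and warns if app/etc/env.php, which holds the database credentials and encryption key, is readable by everyone. The install path is an assumption.

```shell
#!/bin/sh
# audit_magento_perms ROOT -> prints one line per finding, nothing if clean
audit_magento_perms() {
    root="$1"
    # -perm -002: the "other" write bit is set, so every local user can alter it
    find "$root" \( -type f -o -type d \) -perm -002 -print \
        | sed "s|^$root/|world-writable: |"
    # -perm -004: the "other" read bit is set on the credentials file
    if [ -f "$root/app/etc/env.php" ] \
        && [ -n "$(find "$root/app/etc/env.php" -perm -004)" ]; then
        echo "world-readable: app/etc/env.php"
    fi
}

# audit_or_fail ROOT -> exit status 1 when anything was reported, so the
# check can run from cron or a deployment pipeline
audit_or_fail() {
    findings=$(audit_magento_perms "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Example run against an assumed install path
audit_or_fail /var/www/magento
```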
Unless your Magento store sells products worldwide, you had better block users from other countries so that nobody wanders around your pages. This also helps you identify attackers more easily, since their possible locations are narrowed down. To block unwanted countries, you have to integrate an extension that offers a block-undesirable-countries feature.
You have to prepare additional protection beyond the features Magento supplies. Although Magento's newer versions and patches provide great support against MySQL injection attacks, preventing MySQL injection with a third-party tool is still necessary. An extra web application firewall effectively keeps your site and your customers safe.
To avoid exploitation of PHP functions that can be dangerous, be sure to add the following rule to your php.ini file:

disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen
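A check that the rule above really took effect, as an added example (not from the article): the function parses the last uncommented disable_functions assignment in a php.ini and names any function from the list that is still enabled. The php.ini path is an assumption; on most servers it is the one reported by `php --ini`.

```shell
#!/bin/sh
REQUIRED="proc_open phpinfo show_source system shell_exec passthru exec popen"

# check_disable_functions PHP_INI -> exit 0 when every required function is
# disabled; otherwise prints the still-enabled names and exits 1
check_disable_functions() {
    # keep only uncommented "disable_functions = ..." lines, take the last one,
    # and turn the comma-separated value into a space-separated word list
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' ' ')
    missing=""
    for fn in $REQUIRED; do
        found=0
        for d in $disabled; do
            [ "$d" = "$fn" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $fn"
    done
    [ -z "$missing" ] && return 0
    echo "still enabled:$missing"
    return 1
}

# Example run against an assumed php.ini path
check_disable_functions /etc/php/8.1/fpm/php.ini
```

PHP may also load settings from a conf.d directory or a pool configuration, so confirm the effective value with `php -r 'echo ini_get("disable_functions");'` after editing.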
As software and security methods develop, attackers also find new techniques to steal your information. Besides, it is really difficult to cover all bugs across hundreds of files. Therefore, run a scan to check your Magento security and repair the security holes. Several reliable websites provide a free service that gives you a quick insight into the security status of your Magento shop and how to fix possible vulnerabilities.
There is a forum for Magento users to communicate and share knowledge at https://community.magento.com/. You can ask and answer questions related to Magento there. This forum is effectively the Magento community, and it can help you a lot when facing security problems. After all, do not forget to keep up with the information that people post in the forum.
A Magento extension is downloaded from the internet and integrated directly into your Magento system, which can cause many problems if the extension is unsafe. If your firewall is disabled, your Magento security is not strong enough and you have no anti-virus software, your whole system can break down in seconds.

Therefore, we recommend using only well-tested extensions from trustworthy providers. You should also update your extensions regularly, as new versions fix bugs and improve the extension's security.

Moreover, despite being a fairly new Magento developer, Mageplaza has been reviewed as one of the best Magento extension providers, not only for the great features of its modules but also for the reliability of its security and support team. Hence, you can always feel comfortable using extensions from Mageplaza.
This is the end of the tutorial: Security Checklist in Magento 2.