Security Checklist in Magento 2

Security Checklist - A store website always consists of finance information which hackers want to steal and make use of. Once these types of information are taken, There will be a huge damage to both merchants and customers. When what customers lost are their personal and payment information, merchants may suffer hundred times more. For instance, a customer clicks on any location on your website and is directed to another link which contains viruses, thief, and immediately break into their bank accounts. This absolutely causes the decline in your store reliability and you can even stand on the risk of being threatened with lawsuits.

To eliminate the unsafety of your website, we suggest the list of methods to strengthen your security and avoid being a potential spot for hackers. This list properly seems to be a bit long to read for modern people with the harried treadmill of life. However, the more you do, the more secure your business is. Moreover, we have made the list as easy to follow as possible so, let’s get started together!

• Secure your Magento 2 store with easy
• Download Securty module on Github
• Install Magento 2 Security Patches

Security Checklist in Magento 2

• 1. Backup your Magento store frequently
• 2. Change backend URL
• 3. Use HTTPS/SSL for backend
• 4. Use and keep your passwords strong for your Magento store
• 5. Upgrade to the latest Magento version
• 6. Use Two-Factor Authorization
• 7. Look for errors or suspicious activity in logs
• 8. Restrict Admin Access To Only Approved IP Addresses
• 9. Always Use A Private and Secure Email Address
• 10. Use antivirus software latest version
• 11. Change Your File Permissions
• 12. Block unwanted countries
• 13. Prevent MySQL injection
• 14. Disable Any Dangerous PHP Functions
• 15. Get a Magento security review done
• 16. Get in touch with the Magento Community
• 17. Only Use Magento Extensions from trusted sources

1. Backup your Magento store frequently

It is important to back up your Magento store to save your store database and rebuild Magento website if necessary. You can backup Magento system by using Magento control panel or back up manually through online backup tools. Below is the instruction to back up your Magento store with Magento backup tool in the admin.

• On the admin sidebar, choose System > Tools > Backups.
• Click on System Backup to backup entire files included in your store website, Database and Media Backup to take the database and media folders contents or Database backup to backup the database only. In the System Backup section, you can choose to except media folder by marking with a tick on Exclude media folder from backup.
  • Enter a name to save the backup in the Backup Name field. Notice that only letters (a-z or A-Z), numbers (0-9) or spaces are accepted.
  • You should choose the Maintenance mode to maintain your store during backup.
• Click Ok to start.
• After finishing, the backups can be found in the var/backups/ folder.

2. Change backend URL

Changing your Admin URL is one of the methods to keep your store admin site harder to be found by the wandering internet users and less attracting to the hackers. Therefore, Magento 2.0 allow you to modify backend URL by configuring in Magento store admins. And here is the guidance of reforming the backend URL through Magento system.

• On the admin sidebar, choose Store > Settings > Configuration.
• In the panel on the left, click Advanced > Admin.
• Expand the Admin Base URL section and set options.
• In the Use Custom Admin URL field, select “Yes” then fill in the Custom Admin URL field new Admin URL in the format of http://yourdomain.com/magento/ to adopt new Admin URL.
• In the Use Custom Admin Path field, select “Yes” then fill in the Custom Admin Path field new Admin Path to adopt new Admin Path.
• Click Save Config when you are done.
• Log in to the Admin using the new Admin URL and Path after saving.

3. Use HTTPS/SSL for backend

Log in your account when using a public hotspot and saving your account information across an unencrypted connection make you face the risk of being intercepted by hackers. Once this situation happens, you may suffer losing all store data with a broken store website. To eliminate this threat, we suggest you to requiring HTTPS/SSL in Magento to secure the connection.

To get secure HTTPS/SSL URL:

• On the Magento Admin sidebar, choose Store > Settings > Configuration.
• In the panel on the left, click General > Web.
• Expand the Base URLs (Secure) section and set “Yes” for the Use Secure URLs on Storefront and Use Secure URLs in Admin fields.
• Click Save Config.

4. Use and keep your passwords strong for your Magento store

Using a strong password for your Magento store is definitely the easiest method to strengthen your website security. To know if your password is strong enough, check the list below.

• Your password includes upper and lowercase alphabets, numbers, and special characters.
• Password length is 10 characters at least.
• Make sure that your password is not related to your birthday or any special events which are noticeable in your profile.
• The password should be arranged in a random order. If you can not remember it, use a password management tool.
• Your password for your Magento website should be different from other ones because the more usual a password is used, the more easily your Magento website is hacked.
• Do not leave notes of your password at easy-to-see places.
• Do not save or store passwords on your computer to avoid password being stolen when you lose your computer/laptop or your window system has viruses which could take your personal information.
• Change your password after every 3-6 months.

5. Upgrade to the latest Magento version

The new version of Magento is released to fix the bugs, update new features and other essential upgrades. Mostly, your security risks will be discovered and limited in the new version. Therefore, upgrading your Magento system to the latest version is totally necessary. This not only helps you save time dealing with problems occur during the last version, but also helps strengthen your security.

6. Use Two-Factor Authorization

Two-Factor Authorization Extension ensures that only trusted devices can access your Magento backend. The extension enhances your security by requiring a time-based passcode when logging into Magento. With this second security layer, a stranger can not break into your Magento store even if they know your password. To hack your Magento store, a hacker will need a unique admin login page, a secure username and password and your smartphone in their possession which is quite impossible to do. Therefore, the double secure process of Two-Factor Authorization Extension makes an absolute anti-theif tool for your Magento admin.

7. Look for errors or suspicious activity in logs

Looking for suspicious activity in logs is recommended to regularly check web server logs and look for errors or suspicious activity. This action will help you detect the danger from hackers and prepare your Magento security to deal with new threats. All unusual errors such as trying to log in with fail passwords manytimes, log in from a strange location, or log in fail because of entering a wrong passcode should be noticed and banned. You can also integrate a Look for errors or suspicious activity in Admin Actions logs Extension to identify and manage the suspicious log in.

8. Restrict Admin Access To Only Approved IP Addresses

If your Magento has many stores with many adminitrators for managing in the backend, a whitelist which conclude of authorized IP Addresses should be created. Other IP addresses will be banned from acessing in the admin page. This can be achieved via .htaccess or you can use the Apache directive LocationMatch.

9. Always Use A Private and Secure Email Address

The reason and the approach for using a private and secure email address is similar to the process for having strongs passwords for your Magento store. An email address itself has contain many personal information and can be connected with a lot of other website accounts. It is undoubtable that the more difficult one email can be found, the more secure your private information can be. Moreover, you also should configure your email security well to safeguard your Magento store.

10. Use antivirus software latest version

We recommend you to use and update for the latest anti-virus software to protect not only for your computer, but also for entire your working online process. Newest anti-virus version will detect the most recently released viruses and minimize the risk of being attacked for your Magento system. Hackers do not rest so do not let them take advantage of your distractions.

11. Change Your File Permissions

Magento 2 requires certain permissions which are different from ownership on the file system. Ownership determines who can perform actions on the file system; permissions determine what the user can do. To make sure that other user can not mess up your files and folders, File Permissions should be set when you login your Magento server.

12. Block unwanted countries

Unless your Magento store sell products worldwide, You had better block user from other countries to ensure that nobody would wandering around your pages. In addition, this action also assist you on better recognizing the hackers information as their locations are eliminated. To configure unwanted countries, you have to intergrate the extension that have block undesirable countries feature.

13. Prevent MySQL injection

You have to prepare additional method to protect your store beside the features Magento supplies. For that reason, Preventing MySQL injection with third-party is necessary though Magento provides great support to outmaneuver any MySQL injection attacks with its newer versions and patches. Extra web application firewalls effectively keep your site and your customers safe.

14. Disable Any Dangerous PHP Functions

To avoid exploitation of the PHP functions that can be dangerous, be sure to add the following rule to your php.ini file: disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen.

15. Get a Magento security review done

As the development of softwares and security methods, hackers also find new technique to steal your information. Besides, It is really difficult to cover all bugs through hundreds of files. Therefore, let give a scan to check your Magento security and repair the secure holes. There are several reliable websites which provide free service to give you a quick insight in the security status of your Magento shop and how to fix possible vulnerabilities. We also have a “Magento site audit checklist” article that guides you through checking your website’s security holes.

16. Get in touch with the Magento Community

There is a forum for Magento users to communicate and share knowledge at https://community.magento.com/. You can ask and answer questions related to Magento in this forum. This forum is actually the Magento society which can help you a lot when facing security problems. After all, Do not forget to update the information that people post in the forum.

17. Only Use Magento Extensions from trusted sources

A Magento extension is actually dowloaded from the internet and integrated directly into your Magento system which can cause many problems if the extension is unsafe. When your firewall is disable, your Magento security is not strong enough and you do not have an anti-virus software, your total system can break down in seconds.

Therefore, we recommend you to choose to use only extensions from trustworthy providers which are well tested. Furthermore, you should also update your extensions regularly as new versions always fix the bugs as well as complete the extension security.

Moreover, Despite being a quite new Magento developer, Mageplaza has been reviewed as one of the best of Magento 2 Extensions providers not only for the great features of the modules, but also for the reliability of the security and support team. Hence, you can always be comfortable when using extensions from Mageplaza.