Ten Tips for Keeping your Magento Store Secure

Are you worried about the security of your Magento store? Magento has a number of built-in security features aimed at keeping you safe, but there are some steps you can take to make your site even more secure. Follow this ten-point security policy to protect your site from hackers and security breaches.

1. Choose a secure password

When you're choosing your Magento site's administrator passwords, choose wisely. Depending on your configuration and permissions, this password may give access to customer information and credit card data. This is probably a review for most readers, but here are some guidelines for creating a really secure password:

  • Longer is better: use at least 10 characters.
  • Mix upper and lower case, punctuation, and numbers.
  • Making your password phonetic can make it easier to remember and type quickly.

2. Require HTTPS/SSL for all pages with logins

Each time you send data over an unencrypted connection you run the risk of that data being intercepted by an unwanted third party. Login credentials are no exception. To minimize the risk of your username and password landing in unscrupulous hands, always send them over a secure connection. By always sending your login information over an encrypted connection, hackers are limited to expensive and extremely difficult brute-force attacks.

How to require HTTPS/SSL in Magento
In Magento you can require secure logins by selecting "yes" for both "Use Secure URLs in Frontend" and "Use Secure URLs in Admin" by going to the "Secure" section of the "Web" tab in the system configuration. In order to access the system configuration, go to the "System" menu and select "Configuration."

[Screenshot: Magento web configuration, with "Use Secure URLs" set to "yes" for both the frontend and admin]

3. Don't use your Magento password for anything else

Do not use your Magento password with any other web services (such as email) or any other sites (such as Twitter, Facebook, Flickr, etc.). Third-party sites may not require or even support HTTPS/SSL to login, breaking rule number two. In the event that a third-party website is hacked, your password may be vulnerable.

4. Use a custom admin path

By default, you access your Magento admin panel by going to your-site.com/admin. Having the path to your admin panel easily guessable means that someone or something (e.g. a password-guessing bot) can snoop around and try to guess your password. By making your admin path a secret code word instead of the default /admin, you make it much harder for an attacker to guess your password, or to use it if they do somehow get hold of it.

How NOT to change your Magento admin path
Tucked in the "admin" section of the system configuration, the "Admin Base URL" setting looks like it offers the ability to set a custom admin URL and choose whether to use that custom URL or not. But BEWARE: this setting will break Magento by preventing you from accessing the admin panel (I've tested this and found this to be true as of Magento 1.4.0.1 and earlier).

[Screenshot: Magento admin configuration. BEWARE: do not use the admin base URL settings; they will break your site.]

How to change your Magento admin path
Although the setting does not work, there is an easy way to change your Magento admin path.

  1. Locate /app/etc/local.xml
  2. Find <![CDATA[admin]]> and replace 'admin' with the path you would like to use

So if your local.xml file says <![CDATA[drawbridge]]>, your admin path will be /drawbridge.
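Step 2 above says "find <![CDATA[admin]]>" without saying where in local.xml it lives. The following is an added audit script (not from the original post or from Magento) that parses a constructed sample of a Magento 1.x local.xml, locates the admin router's frontName element, and reports whether the store still answers on the default /admin path; the sample document and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1.x app/etc/local.xml (database credentials
# and crypt key omitted). The admin router's frontName is the element to edit.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Sat, 01 Jan 2011 00:00:00 +0000]]></date>
        </install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[drawbridge]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

DEFAULT_ADMIN_PATH = "admin"


def admin_front_name(local_xml: str) -> str:
    """Return the admin URL path (frontName) configured in a local.xml document.

    CDATA is transparent to the XML parser, so <![CDATA[drawbridge]]> is read
    as the plain text 'drawbridge'.
    """
    root = ET.fromstring(local_xml)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    if node is None or not (node.text or "").strip():
        # Without an override in local.xml, Magento's own module config
        # supplies the default 'admin' frontName.
        return DEFAULT_ADMIN_PATH
    return node.text.strip()


def admin_path_is_default(local_xml: str) -> bool:
    """True when the store still answers on the guessable /admin path."""
    return admin_front_name(local_xml).lower() == DEFAULT_ADMIN_PATH


def audit_local_xml(path: str) -> str:
    """Read a local.xml file from disk and summarise the finding in one line."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    name = admin_front_name(text)
    if admin_path_is_default(text):
        return f"{path}: admin path is the default '/{name}'; change the frontName"
    return f"{path}: custom admin path '/{name}' in use"


if __name__ == "__main__":
    print("sample admin path: /" + admin_front_name(SAMPLE_LOCAL_XML))
```

Run it against a real installation with audit_local_xml("app/etc/local.xml") from the Magento root.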

5. Close email loopholes

Magento has a really convenient feature that allows administrators to reset their password if they forget it. In order to reset your password, you need to know the email address associated with the admin account. Then you need access to that email account to retrieve the new password. First, choose an email address that is not publicly known. Second, make sure the password for your email account is secure. Third, if your email account has a security question that allows you to reset your password, choose a question and answer so obscure that it would be impossible to guess.

6. Use secure FTP

Guessing or intercepting FTP passwords is probably one of the most common ways sites get "hacked." In order to prevent unauthorized access to your site's FTP, use secure passwords and use SFTP (SSH File Transfer Protocol) or FTP-SSL (explicit AUTH TLS). With SFTP, you can use public key authentication to increase security even more by requiring a private key file, optionally protected by a passphrase that decrypts it, to authenticate the file transfer session.

7. Limit unsecured FTP access

If you do have to connect through regular (non-secure) FTP for some accounts (e.g. to upload photos), limit access for these accounts to a narrow set of directories. You can then use .htaccess and httpd.conf files to prevent scripts from running in these directories, so that an uploaded script cannot change other files and directories on the server that should not be accessible through that FTP account.

If you have access to the httpd.conf file on your server, this is the best method of preventing scripts from running in a specific directory. Place this code in your httpd.conf file:

<Directory /path-to-directory-you-want-to-restrict>
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
</Directory>

If you don't have access to httpd.conf, you'll have to use .htaccess. Include the following code in the .htaccess file of the directory you want to restrict:

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Because .htaccess does not support <Directory> sections, the .htaccess file must be placed in the directory you want to affect. Because of this, you need to set the permissions of the .htaccess file to 444 (read-only) to prevent modifications to it. You may also want to chown the file so the permissions cannot be changed by the FTP account. This method isn't fool-proof, but it's a good start to preventing naughty scripts from wreaking havoc.

Important: placing this code in a directory's .htaccess file will prevent scripts from running in that directory and all sub-directories.

8. Don't save passwords on your computer

Most modern computers and browsers offer the option to save passwords as a convenience so you don't have to enter your password every time. This is great most of the time, but it can be a security problem because saved passwords can often be easily revealed in plain text. Anybody with access to the computer has access to the sensitive data. Even worse, someone could steal the computer and then use the saved passwords to access the sensitive data. To avoid unintended access to your Magento password or data, simply set your computer or browser to never save it. This might be a bit inconvenient, but it's a great security policy.

9. Keep up-to-date anti-virus software

Computer viruses and trojans can steal your data and log your keystrokes. To minimize the risk of this happening, be sure to invest in reputable anti-virus software. Free anti-virus software like AVG may be great for home and personal use, but if you want indemnification or a warranty, you may want to look at commercial anti-virus software.

10. Restrict admin access to only approved IP addresses

You can use .htaccess to limit access to your admin area. In the .htaccess file for your admin directory (details below), place the following code in order to block access to all IP addresses except those specifically listed:

# Apache 2.2 mod_authz_host syntax: deny everyone, then allow the listed sources.
# Kept outside a <Limit> section so it applies to every HTTP method, not only GET and POST.
order deny,allow
deny from all
allow from 11.111.111.11
allow from 22.2

"allow from 11.111.111.11" allows the specific IP address 11.111.111.11
"allow from 22.2" allows a range of IP addresses beginning with 22.2
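"allow from 22.2" is a partial address in Apache's sense: it matches on whole octets (22.2.0.0/16), so a client at 22.20.1.1 is not admitted even though its address starts with the string "22.2". The following added example (not part of the original post) evaluates the post's "order deny,allow / deny from all / allow from ..." rules, plus the CIDR form used in Anton's comment below, against constructed client addresses; the rule list and function names are assumptions.

```python
import ipaddress

# Constructed allow list mirroring item 10 plus the CIDR form from Anton's comment.
ALLOW_RULES = ["11.111.111.11", "22.2", "10.10.10.0/24"]


def allow_spec_to_network(spec: str) -> ipaddress.IPv4Network:
    """Translate one Apache 2.2 'allow from' argument into an IPv4 network.

    Apache accepts a full address, a CIDR or netmask block, or a partial
    address of 1 to 3 leading octets. A partial address matches on whole
    octets: "22.2" is 22.2.0.0/16, not a string prefix.
    """
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    ):
        raise ValueError(f"unsupported allow spec: {spec!r}")
    prefix_len = 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{prefix_len}")


def admin_access_allowed(client_ip: str, allow_rules=ALLOW_RULES) -> bool:
    """Evaluate 'order deny,allow' with 'deny from all' and the allow rules.

    With order deny,allow, the deny directives are evaluated first and the
    allow directives last, so any matching allow overrides 'deny from all';
    a client matching no allow rule stays denied (Apache answers 403).
    """
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in allow_spec_to_network(rule) for rule in allow_rules)


if __name__ == "__main__":
    # Constructed client addresses; the last one shows the octet boundary.
    for ip in ["11.111.111.11", "11.111.111.12", "22.2.200.7", "10.10.10.77", "22.20.1.1"]:
        print(f"{ip:>15}: {'allowed' if admin_access_allowed(ip) else 'denied (403)'}")
```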

Now for the admin directory. Magento's admin URL path is not a physical directory; it's just a symbolic link. To get started, create a directory with the same name as your admin path. The presence of this new physical directory will override the symbolic link, rendering your admin area inaccessible. To solve this, you need to copy your index.php file into your new admin directory. Then you have to change the paths within index.php to two files (includes/config.php and app/Mage.php), because the relative path has changed now that the duplicate index.php sits in the admin directory. Assuming your admin directory is just one level down from your root directory, the two lines you need to change will look like this:

...
$compilerConfig = '../includes/config.php';
...
$mageFilename = '../app/Mage.php';
...

Once you've done this, you can drop your .htaccess file in your new physical admin directory and access your admin like this:
http://www.[your-site].com/[your-admin-directory]/index.php/[your-admin-path]

There's one more step, though. The admin URL can still be accessed through /index.php/admin. You need to disable this so that anybody who knows you're running Magento can't exploit this fact. Here's how I did this:

Add this code to your site's root .htaccess file:

# "Redirect 301" is an equivalent spelling of "Redirect permanent"; one line is enough.
Redirect permanent /index.php/admin /admin/index.php/admin

There is a downside to restricting access based on IP: if you travel a lot you may find this method very inconvenient as you'd have to manually add each new IP address or IP range to the .htaccess file in order to gain access.


Comments

Dave:

Very good information, thanks for sharing. Do you have a recommended client to use for SFTP on Windows?

Isaac:

Dave, I've found Filezilla to be a good (and free) choice.
http://filezilla-project.org/

Dave:

For #10, since the admin directory is dynamic, do you have to actually create the folder for your admin directory and put the .htaccess file in there?

Isaac:

You'd have to create the directory with the same name as your admin path, and place the appropriate files in that directory (index.php) to make it work. I haven't checked, but you might need to edit the contents of admin.php to refer back to the base install up one directory.

Dave:

Yeah, definitely not as easy as creating the directory and just putting .htaccess in it as I've just learned. If you have a more step-by-step way of doing it, make sure to update the article :)

Isaac:

Dave, I updated the instructions in item 10 to include how to create a physical admin directory.

Dave:

I followed your directions, though when I create the admin folder, put index.php in there and update the paths... when I go to domain.com/admin it just goes to the store homepage, rather than the admin. Is there a step I'm missing?

Isaac:

You're not missing any steps; you're just using the wrong admin URL. You'll want to use this:

domain.com/admin/index.php/admin

Dave:

Right, so I was able to access through admin/admin, but then the .htaccess IP deny doesn't seem to go into effect for the admin.

Btw, really appreciate your guidance and quick responses :)

Isaac:

Hey Dave,

It's working for me, but I did leave one detail out. See the comment in response to the anonymous comment below.

Anonymous:

"blocks the specific IP address 11.111.111.11"

shouldn't this read:

"allows the specific IP address 11.111.111.11"

?

Isaac:

Sorry about that, it's fixed now. The code is correct, but I meant to say "allows" as you pointed out. My bad!

Anonymous:

Regarding #10:

1. It doesn't work as far as I can tell (and I've rechecked the steps involved).

2. If the hacker knows you're running Magento and you haven't renamed your admin folder to something more obscure, then they can still enter through /index.php/admin.

3. I can't see how this protects scripts generally as they're not all within a real directory protected by .htaccess authentication. The hacker could go direct to the script if they're familiar with Magento's file structure, bypassing the "admin" folder entirely.

Isaac:

1. It's working for me - I get a 403 error when trying to access the site from a proxy.

To be sure, access the admin panel from /admin/index.php/admin rather than /admin/admin. If you can access /admin/admin, that's a problem. Start with a blank .htaccess file in the admin directory and then add only the code that limits the IP addresses. Magento's root .htaccess file allows you to access all pages from /page rather than /index.php/page, which is really clean and convenient for most uses. You could disable this behavior manually in your admin directory's .htaccess file, but you shouldn't need to since your admin directory's .htaccess (which omits this rewrite declaration) will override your root .htaccess file, rendering it impossible to access anything without including index.php in the URL.

Make sure you start with a blank .htaccess file in the admin directory. There is code in Magento's admin directory that allows rewrites to use /admin rather than the usual index.php/admin.

2. I forgot to include the bit where you disable access to this. I accomplished it by rewriting that path to the admin directory. Check the updated post above for details.

3. Item 10 does not protect against scripts; it protects against brute-force attacks or authorized access in uncontrolled locations. Items 1, 2, 3 and 6 protect against unauthorized FTP access, which is often used to install the types of malicious scripts you mentioned. Item 7 is aimed at preventing malicious scripts from running by disabling scripts in FTP access points unrelated to the Magento installation (such as a file-sharing directory).

Restricting admin access by IP address can be useful for a number of reasons. First, it prevents a computer from using brute-force attacks (trying sequential username/password combinations) to gain access to sensitive information available through the admin panel such as names, emails, and credit card numbers. Second, it allows administrators to control access to a physical location. This can be important for PCI compliance because PCI compliance demands that all access points be secure (for example, have up-to-date anti-virus software or are physically secure from theft). Certain measures can be taken in an office such as requiring anti-virus software on computers or physically securing the computers in the office with surveillance or locks that cannot be ensured on random computers with internet access. For example, an employee with authorized access to a username and password might access the site from his personal computer at his home without antivirus software on his personal computer. A key-logger could then steal this data, opening a security hole. By restricting access to specific locations (i.e. IP addresses), you can prevent access to the admin panel from unsecured computers.

Vishnu:

I have tried to add the IP block as you described in the post. But after doing that, I couldn't save any settings from the admin panel. When I change something and click the save button, it shows the green bar which says that the config changes are saved successfully, but when I check back I see the old settings.

I removed the redirection to /index.php/ and accessed the control panel using index.php/ everything works fine. So I think I'm missing something in the physical directory settings. Please help.

Isaac:

Hi Vishnu,

I just tested what you described but was unable to replicate your problem. Is this true of all settings or just one particular setting? This sounds like this could be an issue with your database.

If you'd like me to take a closer look, please fill out the quick contact form.

Will:

Can we set IP restriction for our frontend?

Isaac:

Yes, you could, but why would you want to? You would be blocking customers from accessing your website.

Will:

Some competitors want to copy my site. I can block them with .htaccess; is this the only method?

Isaac:

Hey Will,

Blocking ranges of IPs is best done through .htaccess or PHP. For example, I use PHP to block all IPs but my own when the site is down for maintenance.

I wouldn't worry about trying to block your competitors. It is virtually impossible to prevent certain people from accessing your public website if they have their mind set on doing so. If you block via IP address, your competitor could just use a proxy or VPN to circumvent that. Or they could go to Starbucks or some other place with public WiFi.

Anton:

To restrict access to your admin, it is simpler to use the Apache directive LocationMatch, instead of adding directories and copying files.

<LocationMatch "admin">
    Order Deny,Allow
    Deny from All
    Allow from 10.10.10.0/24
</LocationMatch>

Isaac:

Hi Anton,

Thanks for the contribution; this is a very good point. This is actually the method I use to block access to the site while in maintenance mode.

Izzy:

Hello, really helpful article.
So would you say Anton's suggestion is just as good as your #10?
If so where would this file be placed?

Thanks!

Isaac:

Yes, Anton's method is just as good, if not better than the original method in my blog post.

Isaac:

I am the original author of the content. I guess I shouldn't be too upset they stole my entry... they say imitation is the most sincere form of flattery...

john:

Hi, regarding #4 (Use a custom admin path): I broke it before I read your post. Is there a way to get it back? I cannot access my admin pages now.

Isaac:

Hey John,

Sorry to hear your admin path isn't working. I had the same frustration when I discovered this bug. You can fix the issue by searching within your database for the admin URL. Then simply change it in the database. You may need to flush your browser and/or Magento's cache. To delete Magento's cache, delete the contents of /var/cache.

Izzy:

Thanks Again.

I tried #10. At first it seemed to work fine, but actually the admin utility was not returning results properly and was taking a long time to load.

Any ideas?

Thanks,
Izzy

Isaac:

If you're having trouble with my method for #10, try Anton's above.

dustin:

Hi Isaac,

Thanks for this nice article. We have a special import script called fullprodsimport.php which is actually placed in the server root folder, and we just execute it without even logging into the admin. So I wanted to know how to ensure that only a person who has logged into the Magento admin can run this script; otherwise it should not run.

thanks.

Isaac:

Hey Dustin,

When you say you've placed it in the server root folder, do you mean the actual server root folder, or the web root folder (aka where your Magento installation is located)?

If your php file is placed in the true server root, it cannot be accessed by anyone via the web and must be run via shell, etc. This would be the most secure option, although perhaps a bit inconvenient, especially if you're not familiar with shell.

If you've placed it in the web root directory, then depending on the file permissions, the script can be run by anybody who loads the php script in their web browser. This is potentially dangerous, depending on the contents of the script.

Magento's file structure and permissions protect the contents of many of the directories containing scripts from executing via HTTP requests. For example the /app directory results in a "403 Permission Denied" error.

If you want to protect a script file, the simplest way is to set up Apache authentication for the file, or place the file in a directory that is password-protected. This is easy to do via cPanel if your host has cPanel installed.

Finally, you should know that some recent versions of Magento already have a product import feature built in. The one I've used in version 1.4.x isn't the most intuitive, as it requires creating CSV files with product details, but it can save a lot of time if you have to import a lot of products. I've heard the 1.5.x version of Magento has a brand new product import feature, but I haven't tested it out.

Good luck,

-Isaac

James:

Hi Isaac,

Thanks for this tutorial. I'm however a little stuck with number 10. I've noticed that index.php/admin is still showing the admin page like you mention. I've tried the .htaccess redirect trick you mention but now when I try to visit any pages on my Magento installation all I get is a 500 error popping up. It seems this redirect might be conflicting with the "RewriteRule .* index.php [L]" comment? Please could you help?

Instead of the IP address block, I'm using a password protect of the admin folder but it should work the same.

Thanks,

James

Isaac:

Hi James,

Sorry to hear you're having trouble implementing this. Without looking at your full .htaccess file, I can't really give you much advice on what might be wrong.

One piece of advice I do have though is that password protecting the admin folder via .htaccess and .htpasswd doesn't protect against brute force attacks. The goal of IP-based blocking is that potential hackers can't even connect to your website to test passwords.

Donny:

Great find, thanks for the article, this was the last set of things I needed prior to setting the site free.
