Equip Impervious Magento Security For Your Online Store

Equip Impervious Magento Security For Your Online Store

by admin

Nowadays, there is not strange to hear of the information that a website is hacked and penetrated. E-Commerce businesses, which are not equipped with vulnerable security, have become victims of data breaches and hacking. As a result, these companies may suffer irreversible reputation and lousy financial consequences.

As such, it is vital that eCommerce companies, Magento based website, in particular, be equipped with impervious security to avoid being stolen sensitive data and decrease threats to the sites.

In this first part, following are the first four out of eight effective methods, which are highly recommended to protect your Magento site:


1.Set secured Admin Name and Password on your Magento site

Creating an unpredictable username and password is the first step towards securing your Magento site. The rule is to keep a password longer than 8 characters instead of simple and easily guessable password strings such as “ABC” or “123”.

Just as important as the password, creating an unpredictable username should be seriously considered. Now that the usernames are almost easily guessable names such as “admin” or other similar names, most hackers are successful in accessing admin panel because hackers only have to guess the password.

As a result, it is suggested that you should use your last name, nickname, etc. which are non-generic ones to protect your accounts.

2.Create a Custom Admin Path

The unchanged admin path like http://mystore.com/admin makes it incredibly easy for the hacker to access to your admin Magento site. This is vitally dangerous because the hackers can steal your username and passwords within winks.

So what should you do?

DO NOT change the “admin Base URL” setting in the admin section of the system configuration for the case of being prevented from approaching the admin panel.

Instead, to modify your Magento admin path, go to app/etc/local.xml file, then find <![CDATA[admin]]>, and change the admin strings. For instance, if you want to change the admin panel URL to http://mystore.com/Sjcmw3N, change the CDATA code to <![CDATA[securedadmin]]>

3.Using Secure Sockets Layer (SSL) for Encrypted Connection

Enabling HTTPS/SSL is an effective way to create secured Magento connection. When data is communicated between customers and the server shall be encrypted and prevent the hackers from reading and stealing it.

With some easy steps, your website is well equipped: go to System > Configuration > General > Web. Then, what you need to do is turn “HTTP” into “HTTPS” in URL base, and enable Use secure URLs in Frontend and Use Secure URLs in Admin.

On the other hand, you can get the SSL offering from some top providers mentioned in the link: https://storify.com/Bsscommerce/secure-sockets-layer-infographic.

4.Equip VPS, Dedicated Server or Cloud Hosting

Virtual Private Server (VPS) hosting, Cloud Hosting Dedicated or Server hosting is suitable for your Magento eCommerce site security.

A good web hosting company will also provide a web application firewall to prevent MySQL injection. Web application firewalls, such as NAXSI, inspect incoming HTTP requests and check them against existing malicious pattern rules and prevent them from reaching the application running behind the web server.

magento-security-2 (1)

5.Disable Any Dangerous PHP Functions

Some PHP functions are more vulnerable with virus injections and are security risks. It is suggested to disable these malicious PHP functions initially. If your code depends on any such functions, you should use a better and more secure function. To disable such malicious functions, open and add the following code in the php.ini file:

disable_functions = “apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode”

If you already have the code, then append the functions given. If any of the mentioned functions are essential to your theme or module files, you do not require to find an alternative; you can omit them from this list.

6.Change Your File Permissions

Make sure that your files are not copied and writable by others except you by modifying your file permissions to 644 and folders to 755. If any are 799, fix them immediately. The quickest way to do this is by inserting the following snippet in SSH:

find . -type d -exec chmod 775 {} \;

find . -type f -exec chmod 664 {} \;

The only caveat to this is the media and var folders which should remain 775.

Remember that this process can be a little tricky as file permissions are dependent on your hosting and Magento version.

7.Use Two-Factor Authentication

Two-factor authentication extensions guarantee that only reliable devices can access your Magento backend. This extra layer of security works by forcing you to not only know your unique username and password but also type the security code that is randomly generated every 30 seconds.

Hackers find almost no way to access your Magento backend, because not only would they have known your unpredictable admin login page, your secure username, and password but also have your smartphone in their possession.

8.Restricting Admin Access to Only Pre-Approved IP Addresses

On the purpose of enabling the IP address restriction, you have to edit your .htaccess file with the following code to choose the IP address you want to allow:

1.    AuthName “Protected Area”

2.    AuthType Basic

3.    <Limit GET POST>

4.    orderdeny,allow

5.    deny from all

6.    allow from

7.    allow from 168.121

8.    </Limit>

Here the IP address ‘’ will be permitted, and next, all the IP addresses beginning with ‘168.121’ will be allowed. You can enable as many IP addresses as you require, following this format. All other IP addresses which are not mentioned shall be denied access.

What you need to do next is to create a new folder ‘admin’ in your Magento root directory. Copy your Magento’s index.php file into that folder, and change the relevant paths to config.php and Mage.php file by changing the following lines:

1.    $compilerConfig = ‘../includes/config.php’;

2.    $mageFilename = ‘../app/Mage.php’;

Notice, we have only added ../ in these file paths.

Now we have to enter these lines into your .htaccess file to direct the users coming to our admin paths to this directory:

1.    Redirect permanent /index.php/{admin_path} /admin/index.php/{admin_path}

2.    Redirect 301 /index.php/{admin_path} /admin/index.php/{admin_path}

Here {admin_path} indicates the new admin path we manually changed in step 2. For example, it can be a secure admin, as we defined in step 2.

Bear in mind that you should only carry out this security step if your ISP provides you with a static IP address.

. Some ISPs assign changing IP addresses to users each time they connect to the Internet. In such events, you should not carry out this security step because of your dynamic IP addresses.

Besides, one definite way to secure your Magento site is preventing Magento installation being out-of-date. It is always better and more secure owing to being supported by the excellent Magento team. Moreover, it is essential to secure your Magento associated email address, as anyone who can access that email can also access your Magento admin panel.

The Magento security vulnerabilities can easily be attacked, which forces Magento online shop owners to take action. Above are many ways to make your installation robust and secure, which will sustain most hacking attempts.

Do feedback about this article and share it with your friends if you find it useful.

Next Reading Suggestions

© 2019 BSS Commerce owned by THANH CONG INTER ., JSC. All Rights Reserved.
Business registration certificate no. 0106064469 issued by Hanoi Department of Planning and Investment on 19 December 2019.
Legal Representative: Mr. Nguyen Quang Trung.