10 tricks to improve Magento admin security

Magento is a world-leading e-commerce platform. According to BuiltWith, it powers over 22% of the top 100,000 e-commerce websites, and it is used to build reliable and highly functional stores. "Magento is a true provider of security." How many times have you heard that already?

That’s why this post is not about how much we love Magento. Instead, let’s talk about admin security issues like the ones seen recently: a wave of brute-force attacks against the Magento RSS endpoints /rss/catalog/notifystock, /rss/catalog/review and /rss/order/new, which accept the admin username and password over HTTP Basic authentication and so give attackers a second login form to hammer. These events have nudged us to remind you of the best practices for preventing Magento security issues.

We are going to review the most common types of online security breach. Take the time to evaluate the approaches below to protect your admin panel and keep your site from being hacked.

1. Choose complex admin username and password

Don’t ignore the warning to change the default password. Increase your password security with the following tips:

  • Don't use a common admin username such as admin, administrator or root.
  • Use a username and password that are hard to guess rather than easy to remember. A password manager such as LastPass can generate a highly secure password for you.
  • The password should include uppercase and lowercase letters, numbers and a few symbols from the keyboard.
  • Make the password at least eight characters long; longer is better, and a passphrase of several random words beats eight mixed characters.
  • Avoid using the company name or anything else guessable from your website. An abbreviated form that only you understand is acceptable.
  • Overall we recommend changing passwords every 3-5 months, and immediately if a device that held them is lost or a third-party breach is announced.

2. Avoid using your Magento password for anything else

To avoid compromising your Magento backend, use a different password for every account. Third-party websites are breached all the time, and a password reused from one of them is the first thing an attacker tries against your Magento admin. Do not reuse the Magento password anywhere else.

NOTE: when you work with outside developers, create a separate account with unique credentials for each of them, give it only the roles it needs, and remove it when the engagement ends.

3. Don’t save the password on your computer

Are you sure you can trust your browser with passwords? Not an easy question. Browser password storage is a weak spot: malware running on the workstation can usually read every saved credential. It is better not to store the password on your computer at all, and to use a dedicated password-management service instead. Feel free to review https://www.consumeraffairs.com/internet/password-managers/ and choose the right one for you. We have chosen the Passpack manager for our own data; it provides an easy way to organize passwords with a high level of security.

4. Request HTTPS/SSL connection

This is one of the most important security techniques for a Magento website. As you may know, pages served over HTTP:// are not encrypted. When a page URL starts with HTTPS:// the connection uses TLS (the successor to SSL), so the admin password, the session cookie and your customers' checkout data cannot be read or altered in transit. HTTPS does not by itself stop other kinds of attack, but it closes the easiest one. Moreover, https at the beginning of the URL boosts the credibility of your store: modern visitors know what to look for and are more willing to deal with you.

There are four steps to switch Magento to HTTPS:

  • Go Admin Panel > System > Configuration > General > Web > Secure.
  • Change the Base URL setting from “http” to “https”
  • Enable using secure URLs in Frontend
  • Enable using secure URLs in Admin

Before changing from http to https in Magento, have your server administrator install the certificate and configure the HTTPS virtual host in Apache, or make the corresponding changes in the Nginx server configuration as shown in the Nginx documentation. Enable the secure URLs only after the server already answers on port 443; if you switch the admin to HTTPS first, you lock yourself out of the admin panel.

5. Change the default admin base URL to custom path.

Changing the admin path is one more way to fight brute-force attacks. Everyone knows the default admin URL is /admin, so attackers start guessing usernames and passwords there. We therefore recommend changing the admin path to something that cannot be guessed. You can do this in one of the following ways:

  • Go Admin > Stores (System for Magento 1) > Configuration > Advanced > Admin and work with the Admin Base URL fieldset. Set the “Use Custom Admin Path” field to Yes, then enter a longer, random name for your admin path. After saving you have to log out and log in again using the new path.

NOTE: Leave the “Use Custom Admin URL” field alone. We do not recommend setting it to Yes for a security goal; if the custom URL does not resolve to the same installation you only get a 404 Page Not Found. Change the custom admin URL only if you run multiple sites from one backend or want the admin on a separate subdomain.

  • If your Magento configuration does not have the settings mentioned above, change the admin path in the XML file. Open app/etc/local.xml and find <![CDATA[admin]]> inside the <frontName> element; this is the admin path. Replace 'admin' with the path you would like to use. Don’t forget to refresh the cache (System > Cache Management, or delete var/cache), or Magento keeps routing the old path.

We would like to remind you of an important detail. Don’t forget to install the security patches for your store; otherwise your new admin path can be disclosed and the renaming is wasted. Pay special attention to the SUPEE-5994 and SUPEE-6788 patch bundles, which both fix admin path disclosure issues.
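The local.xml method from the list above, done from the shell so it can be scripted and checked, as an added example (not code from the original post or from Magento). The <frontName> layout is the standard Magento 1 one; the sample file written by make_sample_local_xml is constructed for the demo, and the list of refused names is an assumption you should extend.

```sh
#!/bin/sh
# Added example: change the Magento 1 admin front name in app/etc/local.xml,
# refuse guessable or unsafe names, and clear the config cache afterwards.

# Print the current admin front name (the text inside <frontName><![CDATA[...]]>).
get_admin_frontname() { # $1 = local.xml
  sed -n 's#.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*#\1#p' "$1"
}

# Replace the front name. Only URL-safe characters are accepted, so a bad
# value can break neither the XML nor the route; a backup is kept as .bak.
set_admin_frontname() { # $1 = local.xml, $2 = new front name
  case "$2" in
    ''|*[!A-Za-z0-9_-]*)
      echo "front name must match [A-Za-z0-9_-]+" >&2; return 1 ;;
    admin|administrator|backend|manage)   # assumed deny list; extend it
      echo "refusing a guessable front name" >&2; return 1 ;;
  esac
  sed -i.bak "s#<frontName><!\[CDATA\[[^]]*]]></frontName>#<frontName><![CDATA[$2]]></frontName>#" "$1" || return 1
  [ "$(get_admin_frontname "$1")" = "$2" ]
}

# A random 16-character front name; write it down in the password manager.
random_frontname() {
  LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 16
}

# Magento caches local.xml in var/cache; the new path is not seen until cleared.
clear_config_cache() { # $1 = Magento root
  rm -rf "$1/var/cache"/* 2>/dev/null
  return 0
}

# Constructed sample file with the default front name.
make_sample_local_xml() { # $1 = path to write
  mkdir -p "$(dirname "$1")"
  cat >"$1" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}
```

Typical use on a live store is `set_admin_frontname app/etc/local.xml "$(random_frontname)" && clear_config_cache .`, followed by logging in at the new path before closing the old session.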

6. Test your store for open security issues

To improve the security of your Magento site you have to apply the Magento security patches. All patches can be downloaded from the official Magento website and are applied by running the patch script from the store root. Once you have patched your store you can test that the patches are correctly installed with free online services. Online vulnerability scanners exist for the patches SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482 and the 2012 XML XXE vulnerability.

You can also use another scanner to check whether your store is still vulnerable to the most recent security issues. Remember that a remote scanner only sees what the web server exposes; confirm locally as well that the patches were actually applied and not reverted by a later deployment.
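A local complement to the online scanners, as an added example (not code from the original post or from any scanner): check app/etc/applied.patches.list, the log that the Magento 1 patch scripts append to, for the patch ids the post names. It assumes each applied patch is recorded on a '|'-separated line carrying its SUPEE id and that reverting a patch appends a later line for the same id containing REVERTED; the log written by make_sample_patch_list is constructed for the demo.

```sh
#!/bin/sh
# Added example: report required SUPEE patches that are missing or reverted
# according to app/etc/applied.patches.list.

# Patches named in the post; extend the list as new bundles are released.
REQUIRED_PATCHES="SUPEE-5344 SUPEE-5994 SUPEE-6285 SUPEE-6482 SUPEE-6788"

# Exit 0 if the patch was applied and its latest log line is not a revert.
patch_applied() { # $1 = applied.patches.list, $2 = SUPEE id
  _last=$(grep -F "$2" "$1" 2>/dev/null | tail -n 1)
  [ -n "$_last" ] && ! printf '%s\n' "$_last" | grep -q REVERTED
}

# Print every required patch that is missing or reverted; exit 1 if any.
# Run it after each deployment so a rollback that drops a patch is noticed.
missing_patches() { # $1 = applied.patches.list
  _rc=0
  for _p in $REQUIRED_PATCHES; do
    patch_applied "$1" "$_p" || { printf '%s\n' "$_p"; _rc=1; }
  done
  return $_rc
}

# Constructed sample log: three patches applied, one of them reverted later.
make_sample_patch_list() { # $1 = file to write
  cat >"$1" <<'EOF'
2015-02-20 10:11:12 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 0a1b2c3d
2015-05-15 08:00:00 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | 4e5f6a7b
2015-08-05 09:30:00 UTC | SUPEE-6285 | CE_1.9.1.0 | v1 | 8c9d0e1f
2015-08-06 11:00:00 UTC | SUPEE-6285 | CE_1.9.1.0 | v1 | 8c9d0e1f | REVERTED
EOF
}
```

On a real store run `missing_patches app/etc/applied.patches.list` from the Magento root; a non-zero exit makes it usable as a deployment gate.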

7. Keep on backing up your store files.

Create a backup strategy; it is another layer of security, and it is what turns a compromise into an outage instead of a disaster. We strongly recommend backing up your store files to a server completely separate from the one hosting your Magento website, ideally with multiple copies in different locations. There are several ways to back up the website files and database:

  • First, you can use the Magento built-in functionality. Go Admin > System > Tools > Backups. You are offered System Backup, Database and Media Backup, and Database Backup. Choose what to back up, run it, and find the backup files in the var/backups/ folder inside the Magento directory. That folder lives inside the web root, so download the archive and delete the local copy afterwards.
  • You can use SFTP or cPanel to download files from your host (avoid plain FTP, which sends your credentials unencrypted). From the hosting cPanel, navigate to File Manager, select all Magento files and create an archive. After the archive has been created, download it and save it to a hard drive or a cloud storage service.
  • It is also useful to know how to do a manual database backup. If you have access to phpMyAdmin, proceed as follows. Go cPanel > phpMyAdmin. To find the database you need, open app/etc/local.xml via cPanel or SFTP; it contains the database name, username and password, which is why local.xml itself must never be world-readable or placed in an unencrypted backup. Once you have confirmed the database name, navigate to phpMyAdmin, click on your database name, press the Export button in the top navigation menu and complete the process with the Go command. Now you have the database dump.
  • Generally it is better to use a backup service for your website. Find a provider that is completely open and flexible; one thing is certain, you have to trust your provider with everything in the backup. Some backup services are available for free. Whatever you use, restore a backup to a test environment now and then: an unverified backup is not a backup.
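The scripted version of the file and database backups above, as an added example (not code from the original post or from Magento): an archive with a SHA-256 manifest, the verification step to run on the off-site copy, and the mysqldump command built from the credentials in local.xml. It needs GNU tar and coreutils; the excluded directories, the store tree written by make_sample_store and its credentials are constructed for the demo.

```sh
#!/bin/sh
# Added example: file backup with integrity manifest, verification, and a
# mysqldump command line derived from app/etc/local.xml.

# Archive the store, skipping regenerable and session data, and record the
# hash. Prints the archive path. The archive holds local.xml (database
# credentials), so it is created mode 600; encrypt it before it leaves the box.
backup_store_files() { # $1 = Magento root, $2 = backup directory
  _name="magento-files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  mkdir -p "$2" || return 1
  ( umask 077 && tar -C "$1" --exclude='./var/cache' --exclude='./var/session' \
      --exclude='./var/log' --exclude='./var/report' -czf "$2/$_name" . ) || return 1
  ( cd "$2" && sha256sum "$_name" >"$_name.sha256" ) || return 1
  printf '%s\n' "$2/$_name"
}

# Verify the recorded hash and that the archive can be read end to end.
# Run this on the copy that was transferred off the server, not the original.
verify_backup() { # $1 = archive path
  _dir=$(dirname "$1"); _base=$(basename "$1")
  ( cd "$_dir" && sha256sum -c --quiet "$_base.sha256" >/dev/null 2>&1 ) &&
    tar -tzf "$1" >/dev/null 2>&1
}

# Read one connection value (host, username, password, dbname) from local.xml.
local_xml_value() { # $1 = local.xml, $2 = element name
  sed -n "s#.*<$2><!\[CDATA\[\([^]]*\)]]></$2>.*#\1#p" "$1" | head -n 1
}

# Print the mysqldump command for the store database. The password is left
# out on purpose: export MYSQL_PWD="$(local_xml_value local.xml password)" in
# the calling shell instead of passing -p, which is visible in `ps` output.
mysqldump_command() { # $1 = local.xml
  printf 'mysqldump --single-transaction --routines --triggers -h %s -u %s %s\n' \
    "$(local_xml_value "$1" host)" "$(local_xml_value "$1" username)" \
    "$(local_xml_value "$1" dbname)"
}

# Constructed sample store: a local.xml, one media file and cache/session junk.
make_sample_store() { # $1 = directory to create
  mkdir -p "$1/app/etc" "$1/media/catalog/product" "$1/var/cache" "$1/var/session"
  cat >"$1/app/etc/local.xml" <<'EOF'
<?xml version="1.0"?>
<config>
    <global>
        <resources>
            <default_setup>
                <connection>
                    <host><![CDATA[localhost]]></host>
                    <username><![CDATA[magento]]></username>
                    <password><![CDATA[not-a-real-password]]></password>
                    <dbname><![CDATA[magento_db]]></dbname>
                </connection>
            </default_setup>
        </resources>
    </global>
</config>
EOF
  printf 'jpeg bytes' >"$1/media/catalog/product/a.jpg"
  printf 'cache' >"$1/var/cache/mage---config"
  printf 'sess' >"$1/var/session/sess_abc"
}
```

A nightly job is then `A=$(backup_store_files /var/www/magento /srv/backups)`, copy `$A` and `$A.sha256` off the server, and `verify_backup` on the remote copy; the same manifest lets you prove months later that a restore image is the one you wrote.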

8. Use Two-Factor Authentication.

Shore up your admin security with two-factor authentication. The usual implementation follows the TOTP scheme used by the Google Authenticator app: the admin scans a QR code that carries a shared secret, and from then on the app shows a six-digit code that changes every 30 seconds, computed from that secret and the current time. Only after entering the current code along with the username and password can the admin reach the Magento admin panel, so a stolen or guessed password alone is not enough.

This method is not available in Magento by default, but activating it on the login page is highly recommended, so use a trusted extension to add it. Try out Improved Admin Security to manage security across the Magento website.

With the module you get extra protection by enabling two-factor authentication for specified admin users.
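What the authenticator app and the server actually compute, as an added example (not code from the original post or from the extension it mentions): the RFC 6238 TOTP algorithm, with the server-side check that tolerates one step of clock skew. It needs only POSIX sh, coreutils and openssl. The key is the published RFC 6238 test vector ("12345678901234567890" in hex), not a real secret; in practice the secret arrives base32-encoded in the QR code.

```sh
#!/bin/sh
# Added example: TOTP (RFC 6238) over HMAC-SHA1, 30-second step, 6 digits.
TEST_KEY_HEX=3132333435363738393031323334353637383930   # RFC 6238 test vector

# Write the raw bytes for a hex string (octal escapes, so it works in any sh).
hex2bin() { # $1 = hex string
  for _b in $(printf '%s' "$1" | fold -w 2); do
    printf "\\$(printf '%03o' "0x$_b")"
  done
}

# HMAC-SHA1(key, stdin) as 40 hex characters.
hmac_sha1_hex() { # $1 = hex key
  openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# TOTP code for a hex key at a Unix time; 30-second step and 6 digits by default.
totp() { # $1 = hex key, $2 = unix time, $3 = step seconds, $4 = digits
  _step=${3:-30}; _digits=${4:-6}
  _counter=$(( $2 / _step ))
  # HMAC over the 8-byte big-endian step counter
  _mac=$(hex2bin "$(printf '%016x' "$_counter")" | hmac_sha1_hex "$1")
  # dynamic truncation (RFC 4226 5.3): the low nibble of the last byte picks
  # a 4-byte window; clear the sign bit and keep the low decimal digits
  _off=$(( 0x$(printf '%s' "$_mac" | cut -c 40) ))
  _start=$(( _off * 2 + 1 ))
  _word=$(printf '%s' "$_mac" | cut -c "$_start-$(( _start + 7 ))")
  _mod=1; _i=0
  while [ "$_i" -lt "$_digits" ]; do _mod=$(( _mod * 10 )); _i=$(( _i + 1 )); done
  printf "%0${_digits}d\n" $(( (0x$_word & 0x7fffffff) % _mod ))
}

# Server-side check: accept the current step and one step either side, which
# absorbs about 30 s of phone clock drift without opening a wide window.
# A real server must also reject a code that was already used in this step.
totp_matches() { # $1 = hex key, $2 = submitted code, $3 = unix time
  for _d in -30 0 30; do
    [ "$(totp "$1" $(( $3 + _d )))" = "$2" ] && return 0
  done
  return 1
}
```

`totp "$TEST_KEY_HEX" "$(date +%s)"` reproduces what the app shows for that secret; the three RFC 6238 vectors at times 59, 1111111109 and 1234567890 give 287082, 081804 and 005924.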

9. Use the latest Magento version for your website.

One more important part of a security strategy is using the latest Magento version. We highly recommend updating your Magento installation as new releases appear. Each upgrade comes with new features, fixes for functional problems, and security patches related to the latest attacks. Once you have applied the security patches for your website you are a step higher in security. Stay informed about the latest versions and never let your Magento site be cracked.

10. Secure Magento backend, Magento Connect Downloader, and RSS feed with IP whitelisting.

Another tip to prevent a Magento admin hack is IP whitelisting. If your admins always log in from the same office or VPN addresses, this is a cheap and strong control: only the desired users can even reach the Magento admin login page.

We therefore highly recommend restricting admin access to allowed IP addresses. There are three main entry points that attackers use to compromise a store:

  • The Magento Connect downloader (/downloader/) has been the favourite entry point for brute-force attacks recently, because it accepts the admin credentials and, once in, lets the attacker install arbitrary extensions. Change the Connect Manager URL to a completely different path to confuse attackers, or remove the directory altogether if you deploy extensions another way. In addition, limit access to the /downloader/ location by IP address through the .htaccess file.
  • The RSS feeds have been exposed to brute-force attacks because they accept the same admin credentials. If you do not need anyone to access the RSS feeds, disable them in the configuration or use the restricted-access feature. After you have created the IP whitelist, redirect requests from restricted visitors to the main page.
  • It is extremely important to lock down the Magento admin panel itself. We have met people who block IP addresses from all other countries. This works if you are certain that everyone who needs the admin is a fellow citizen, but an attacker with a VPN exit in your country passes the filter, so use it in addition to, not instead of, a strict allow list.

To restrict access to the IP addresses you have whitelisted, you may proceed in two ways. The first is listing the permitted IP addresses in the Apache .htaccess file or in the Nginx server configuration. One caveat applies to both: if a CDN or reverse proxy sits in front of your server, REMOTE_ADDR is the proxy's address, not the visitor's, so the rules below would either lock everyone out or let everyone in. In that case restore the real client address first (mod_remoteip in Apache, the realip module in Nginx) and make sure the origin accepts connections only from the proxy.

If you’re using an Apache server

Add the following lines to the .htaccess file in the Magento root (mod_rewrite must be enabled and AllowOverride must permit it). Replace the placeholders with your admin path and your address; several addresses can be listed as an alternation inside the parentheses, and if you prefer a plain 403 over a redirect, use the F flag instead of R=302.

RewriteEngine On
# Admin path, Connect downloader and the RSS feeds (NC = case-insensitive)
RewriteCond %{REQUEST_URI} ^.*/ADMIN_PANEL_LOCATION [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/DOWNLOADER [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/RSS/CATALOG [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/RSS/ORDER [NC]
# Escape the dots and anchor the pattern, or 1.2.3.4 also matches 1.2.3.45
RewriteCond %{REMOTE_ADDR} !^(YOUR\.IP\.ADDRESS)$
RewriteRule ^(.*)$ https://%{HTTP_HOST}/ [R=302,L]

If you’re using Nginx server

Nginx has no .htaccess, so the allow list goes in the server block. Either work with your hosting provider to block the admin locations, or do it yourself following the Nginx documentation: a location directive matching the admin, downloader and RSS paths with allow lines for your addresses followed by deny all, then reload Nginx.
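The decision the Apache and Nginx rules above are meant to make, written as a shell function so the path and address patterns can be tested against sample requests before touching the live configuration, as an added example (not code from the original post). `grep -E` takes the same extended regex syntax as RewriteCond and Nginx `location ~`; the admin front name ("admin"), the addresses and the request paths are constructed for the demo.

```sh
#!/bin/sh
# Added example: allow-list decision for the admin entry points, plus the
# sloppy pattern that lets unintended addresses through.

# Admin entry points: the admin front name, the Connect downloader and the
# RSS feeds, with or without index.php in front. Anchored at the start so
# that, unlike ^.*/admin, it does not also catch /media/admin-banner.jpg.
PROTECTED_PATHS='^(/index\.php)?/(admin|downloader|rss/(catalog|order))(/|$)'

# Office and VPN egress addresses: dots escaped, whole string anchored.
ALLOWED_IPS='^(203\.0\.113\.10|198\.51\.100\.25)$'

# Exit 0 if the request should be served, 1 if it should be redirected.
# The -i on the path check mirrors the NC flag in the .htaccess rules.
request_allowed() { # $1 = request path, $2 = REMOTE_ADDR
  if printf '%s\n' "$1" | grep -Eiq "$PROTECTED_PATHS"; then
    printf '%s\n' "$2" | grep -Eq "$ALLOWED_IPS"
  else
    return 0
  fi
}

# The same check with a sloppy address pattern, as in a hastily written
# "RewriteCond %{REMOTE_ADDR} !^203.0.113.10": an unescaped dot matches any
# character, and without a trailing $ any longer address also passes.
request_allowed_sloppy() { # $1 = request path, $2 = REMOTE_ADDR
  if printf '%s\n' "$1" | grep -Eiq "$PROTECTED_PATHS"; then
    printf '%s\n' "$2" | grep -Eq '^203.0.113.10'
  else
    return 0
  fi
}
```

Feed it lines from your access log (`awk '{print $7, $1}'` on the common log format gives path and address) to see which existing visitors the rules would cut off before you deploy them.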

Another good option is a professional Magento extension with the appropriate functionality. If you want to block unwanted access to your admin panel, you may rely on the Improved Admin Security extension. It prevents admin login attempts from restricted users; via the module configuration you can set allowed and disallowed IP addresses. This module is very useful for stores with multiple admins, since you can also track recently seen pages and the last changes made.

That is a look at the most frequent security improvements. Implement the tools mentioned above to avoid unintended access to your Magento password or data.

Have you experienced security-related problems? If you have effective new solutions to these issues, please share with us. It will be very valuable for all of us.

Let's secure the Magento admin panel together.
