Merchants worldwide put the Magento platform to work for their eCommerce solutions, from small business owners to large corporations. The leading platform comes equipped with out-of-the-box security features that help combat common security issues like data breaches, malware attacks, and more. However, that doesn’t mean that your site isn’t at risk; a report by Foregenix found that a whopping 55% of Magento 2 websites are considered at a high or critical security risk level.
Two key elements should be considered here; first, the more famous a platform becomes, the more attractive it is for bad actors, simply because of the large user base of clients. Second, open source software, such as Magento, involves distinct advantages and disadvantages. The readily available source code offers flexibility, in-house control, and a chance to easily customize and innovate your solution. On the flip side, it also means that you are liable for the safety of your site, as per Magento’s Shared Responsibility model.
To help you narrow down your choices, we’ve rounded up a list of our recommended minimum security requirements and tools that will help boost your security standing on the Magento platform. Our guide will also share why they’re important and beneficial to your solution.
Install the Latest Version
It’s extremely important to ensure you are running the latest version of Magento for a few reasons. First, being up to date with your platform and your software is essential for regulatory and compliance purposes; even if you experience a security incident unrelated to the version, it’s simply best practice to keep it up to date in order to prove you are being responsible with your private customer data. Second, once a new version or security patch is released, the information about the vulnerabilities is publicly available. This means that if a bad actor is checking out your site and notices you are running an outdated version, they literally have a list of vulnerabilities that they can use to try and access your site. This also applies to software you are utilizing on your site.
Use a Web Application Firewall (WAF)
A Web Application Firewall (WAF) is an easy solution to implement and provides a good level of protection against many well-known attacks. In simple terms, a WAF helps safeguard web applications by filtering and inspecting the HTTP traffic traveling between a web application and the internet. PCI compliance and ISO compliance both require the use of a WAF, so it’s a no-brainer to (easily) install a WAF in order to follow best practice methods. Our favorite solution, the Cloudflare WAF, offers enterprise-class protection, with DDoS protection included.
Configure Magento Properly
Magento is considered a safe platform when configured properly; however, even the most robust safe is useless if you leave the door wide open. Similarly, if you don’t configure Magento along the minimum baseline for security, your web application is not safe. A great example of this is the admin path; the admin path of Magento by default is /admin. This is, of course, the control panel where a merchant creates users, removes websites, adds new pages, and manages the entire eCommerce solution behind the scenes. If you keep the default admin path, hackers can easily locate this because it's a known path. Instead of /admin, change it to just about anything else. By altering this simple element, you are making the life of hackers much more difficult.
Log Application, Infrastructure and Security Events
This is another PCI compliance requirement, and an obvious one: by logging all security events, someone is always accountable. It also makes troubleshooting easier in case you notice unusual activity on your website. If you don’t practice logging, you are essentially blind when irregularities occur. For example, if you see an admin login from a country where none of your employees are located, you can investigate and understand the situation quickly. If you don’t keep a log, you won’t even see the incident. Our favorite tool for logging comes from Sumo Logic, a platform that offers many use cases around logging.
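The admin-login check described above, as an added example that is not part of the original article or any Lokte or Sumo Logic tooling: a small script that reads constructed JSON-lines login events and flags admin logins from countries where no staff are located. It also goes one step beyond the text and flags a successful login that follows repeated failures, since that is the other obvious question to ask of the same log. The log format, field names and the allowed-country set are all assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample admin-login events (JSON lines); not real Magento output.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:11Z","event":"admin_login","user":"alice","result":"success","ip":"203.0.113.10","country":"DK"}
{"ts":"2024-03-01T08:15:40Z","event":"admin_login","user":"bob","result":"failure","ip":"198.51.100.7","country":"BR"}
{"ts":"2024-03-01T08:15:52Z","event":"admin_login","user":"bob","result":"failure","ip":"198.51.100.7","country":"BR"}
{"ts":"2024-03-01T08:16:03Z","event":"admin_login","user":"bob","result":"success","ip":"198.51.100.7","country":"BR"}
{"ts":"2024-03-01T09:00:00Z","event":"page_view","user":"-","result":"-","ip":"192.0.2.5","country":"DK"}
{"ts":"2024-03-01T09:30:21Z","event":"admin_login","user":"carol","result":"success","ip":"192.0.2.44","country":"SE"}
"""

# Countries where staff are located (an assumption for this example).
ALLOWED_COUNTRIES = {"DK", "SE"}
FAILURE_THRESHOLD = 2  # failed attempts before a success that warrant review


def parse_events(text):
    """Parse JSON-lines log text, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious_logins(events, allowed=ALLOWED_COUNTRIES):
    """Return alerts for admin logins a defender should look at."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed attempts per user
    for ev in events:
        if ev.get("event") != "admin_login":
            continue  # only admin logins matter here
        user = ev.get("user")
        if ev.get("result") == "failure":
            failures[user] += 1
            continue
        country = ev.get("country", "?")
        if country not in allowed:
            alerts.append({"user": user, "ts": ev["ts"],
                           "reason": f"login from unexpected country {country}"})
        if failures[user] >= FAILURE_THRESHOLD:
            alerts.append({"user": user, "ts": ev["ts"],
                           "reason": f"success after {failures[user]} failed attempts"})
        failures[user] = 0  # a success resets the streak
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(alert)
```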
Don’t Use Generic User Accounts
A generic user account is an account used by more than one person, which means that if a problem occurs with this account, it’s difficult to conduct troubleshooting because you cannot link it to a specific user. It’s best practice to have personal login details for each employee, not only to keep everyone accountable, but also to be able to easily deactivate the account once the employee leaves.
Use a Malware Detection Tool
While this is not a minimum security requirement, using a malware detection tool or a data leak detection tool is highly recommended. This is a tool that identifies when data leaves your system without your authorization, which means you will know instantly if you experience a data leak. Lokte’s own Data Breach Monitoring alerts on irregular activity so you are immediately made aware of strange behavior on your web application. This means that you won’t discover a data leak a week, a month, or several months after the fact - you will know in real-time, and you will have time to act on the breach before it becomes a bigger issue.
Conduct a Security Audit and a Penetration Test
Lastly, it’s highly beneficial (though not a minimum requirement) to conduct a security audit and a penetration test annually, or after major changes to your project. A security audit assists you in understanding the security needs of your web application, but it also pinpoints the strengths and vulnerabilities of your current security setup, along with high-risk elements that require immediate attention. Lokte’s Security Audit service is made for web applications on the Magento platform specifically, with the aim of helping your business stay ahead of potential threats by exposing weaknesses in your system. Being unaware of data leaks in your eCommerce solution doesn’t make you any less liable for the incident - that’s why it’s vital to detect vulnerabilities in your system before bad actors find them. We also provide you with recommendations for improving your security setup and processes.
Lokte’s Penetration Testing service features a safe, simulated attack on your web application to assess its security standing and expose any vulnerabilities, such as database deficiencies, missing tools, controls or patches, and more, depending on the scope of the test. Our penetration test allows you to understand how your website would hold up in the face of a full-scale web attack, and empowers you to stay ahead of attackers.
Get in touch with us today to learn more about our security services!