8 Most Important Magento Security Tips

Online security can be complicated stuff. From keeping personal information private and your credit card information safe, to protecting your very identity, the age of the internet certainly presents its fair share of challenges. The stakes are raised much higher when you’re running a business with any sort of online presence.

If you, like more and more successful businesses around the world, are using Magento as your e-commerce website solution, you’ll want to stay on the cutting edge of online security to keep your business safe. In order to help you achieve this, we’ve put together a small list of the 8 most important tips and tricks for improving the safety and security of your Magento e-commerce website.

1. Stay updated to the newest version

Magento releases updates quite often, and each one carries the security fixes and countermeasures made since the previous release. The developers do a very good job of watching for new holes in Magento’s security and fixing them promptly, but a fix only protects you once it is installed. Keep the core on the newest version, apply any standalone security patches Magento publishes between releases, and give third-party extensions and themes the same treatment: an outdated extension is just as much an entry point as an outdated core.

2. Implement two-factor authentication

Unfortunately, a strong password alone does not always keep your website secure. Because login details can be stolen in so many ways (phishing, malware on an administrator’s computer, a breach at another service where the same password was reused), it is a very good idea to use two-factor authentication. There are Magento extensions that add this (Rubion is one example), and it will drastically improve your security: a hacker who has your username and password still cannot log in without also having your phone or token. Enable it for every admin account, not just your own, since an attacker will use whichever account is weakest.

3. Utilize a custom admin path

Because the default admin path is the same for every Magento installation, leaving it in place makes it easy for automated scanners to find your login page and start guessing passwords. Changing the path does not make a weak password strong, but it takes you off the list of stores that are attacked blindly, so it is highly recommended. On Magento 1.x, locate ‘/app/etc/local.xml’, find the ‘<frontName>’ element containing ’<![CDATA[admin]]>’, replace “admin” with a different word that will be harder to guess, and flush the configuration cache so the change takes effect. (Magento 1.x can also set a custom path from the admin panel under System > Configuration > Advanced > Admin; Magento 2 keeps the equivalent setting as the backend ‘frontName’ in ‘app/etc/env.php’.) Whatever you choose, record it somewhere safe: the new path is the only way into the admin panel.
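The relevant part of ‘app/etc/local.xml’ on Magento 1.x, shown here as an added example rather than a copy of the article’s own file. Only the admin router section is shown; the global, database and crypt-key sections of a real local.xml are omitted. The path ‘control_panel_8f3a’ is an assumed placeholder, not a recommended value.

```xml
<?xml version="1.0"?>
<!-- app/etc/local.xml (Magento 1.x), admin router excerpt. Added example;
     the rest of the file (global, resources, crypt key) is omitted here. -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <!-- Default shipped value is <frontName><![CDATA[admin]]></frontName>.
                         Replace it with a hard-to-guess path; stick to letters,
                         digits and underscores so it is always a valid front name.
                         "control_panel_8f3a" is an assumed placeholder. -->
                    <frontName><![CDATA[control_panel_8f3a]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

After saving the file, flush the cache (System > Cache Management, or remove the contents of ‘var/cache/’) and confirm that ‘/admin’ now returns the storefront 404 page while the new path shows the login form. On Magento 2 the same result comes from ‘bin/magento setup:config:set --backend-frontname=control_panel_8f3a’, which writes the value into ‘app/etc/env.php’.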

4. Never save your login info

This does not just apply to Magento, but to any service you use online. Never save your account usernames or passwords locally on your computer, whether in a text file or in the browser’s saved-password feature. That makes it far too easy for malware, or anyone with access to the machine, to find your details and use your account. Instead, memorize them or write them on a physical note that you keep somewhere safe but accessible.

5. Keep your login info unique

For the sake of convenience, people often recycle the same usernames and passwords across multiple online services. This compromises security in a big way: as soon as one service is breached, the attacker can try the leaked credentials everywhere else, and automated tools exist that do exactly that. For something as important as your Magento admin login, use a unique username and password so that a breach elsewhere cannot become a breach of your store.

6. Use an encrypted connection

All you have to do to encrypt traffic to your Magento store is to go to System > Configuration > General > Web, enter an https:// address as the Secure Base URL, and set “Use Secure URLs in Frontend” and “Use Secure URLs in Admin” to Yes. This requires a valid TLS certificate installed on your web server first, or browsers will warn visitors away. Once enabled, data travelling between the browser and your store is encrypted in transit and cannot be easily decoded if it is intercepted by a malicious program or individual; note that it does nothing for data already stored on the server. This is a necessary step for making sure your Magento website complies with the PCI data security standards for online transactions, which require cardholder data to be encrypted whenever it crosses public networks.

7. Use complex login info

If you’re worried about your login info being guessed or cracked, use a very complex username and password. Do not use “admin” or your own name as the username, since those are the first things an attacker tries. If you keep them on a physical note stored somewhere safe, as in tip 4, you can be sure not to forget them. Make both of them at least 15 characters long and use a combination of uppercase and lowercase letters, numbers and special characters. This will make them nearly impossible to guess, and make your information very hard to crack even if an attacker gets hold of the password hashes.

8. Restrict admin access with whitelisting

One of the best things you can do for the security of your Magento admin is to implement whitelisting, restricting admin access to approved IP addresses only. There are a couple of ways to do this, for example with mod_rewrite rules in ‘.htaccess’, but most people prefer the Apache directive LocationMatch in the virtual host configuration (LocationMatch itself is not permitted in ‘.htaccess’). Two caveats: the LocationMatch pattern is a regular expression, so anchor it or it will also match storefront URLs that merely contain the word; and if your store sits behind a load balancer, reverse proxy or CDN, Apache sees the proxy’s address rather than the visitor’s, so the rule must be evaluated against the real client IP (for example with mod_remoteip) or it will either block everyone or allow everyone.

<code>
# Replace "admin" with your custom admin path. The pattern is a regular
# expression, so it is anchored to the start of the URL; an unanchored
# "admin" would also match any storefront page whose URL contains the word.
<LocationMatch "^/(index\.php/)?admin">
    # Apache 2.2 access control (on Apache 2.4 this needs mod_access_compat)
    Order Deny,Allow
    Deny from All
    # Change this to the subnet or IP address you want to allow.
    Allow from 10.10.10.0/24
</LocationMatch>
</code>
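The same whitelist written for Apache 2.4, where Order, Deny and Allow are deprecated in favour of Require. This is an added example, not code from the original article: the two allowed addresses and the proxy address are assumed values, and the admin path is left as “admin” for you to replace with your custom one.

```apache
# Apache 2.4 admin whitelist. Place this in the virtual host configuration;
# LocationMatch is not allowed in .htaccess.
# Replace "admin" with your custom admin path. The regex is anchored so it
# matches /admin and /index.php/admin but not a storefront URL such as
# /administrative-supplies.
<LocationMatch "^/(index\.php/)?admin">
    # Any request from an address not listed below receives 403 Forbidden.
    <RequireAny>
        # office network (assumed value)
        Require ip 10.10.10.0/24
        # VPN egress address (assumed value)
        Require ip 203.0.113.7
    </RequireAny>
</LocationMatch>

# Only needed when Apache sits behind a reverse proxy or CDN, in which case
# it otherwise sees the proxy's address. With mod_remoteip loaded, these two
# lines substitute the real client IP before the Require check, trusting the
# forwarded header only when it comes from the proxy itself (assumed value).
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5
```

Run ‘apachectl configtest’ before reloading, then verify from an address outside the whitelist that the admin URL returns 403 while the storefront still loads, and from inside it that the login page appears.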