Every minute of every day your Magento site is being probed by some bot trying to find a hole in your defences. There are a number of steps you can take to secure your site and keep your customers safe.
Quick wins
1) Never use /admin as your Magento control panel home page. Simply changing this (by editing the admin frontName line at the bottom of app/etc/local.xml) will save you from many attacks, because lots of scripts are written to attack /admin, the default path Magento ships with. If possible, lock down access to your admin interface by IP address.
2) Never leave your downloader/ folder exposed. Either move it out of your Magento root folder (using FTP, just drag it to the next folder up), rename it (using FTP) or password protect it.
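The two checks above are easy to automate. The script below is an added example, not part of the original article or any Dx3webs tooling: it reads the admin frontName out of a Magento 1 app/etc/local.xml and flags the default "admin", and it reports a downloader/ folder still sitting in the web root. The directory layout and the sample local.xml it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes a Magento 1 tree
# where the admin path is the <frontName> element in app/etc/local.xml.

# Print the admin frontName configured in app/etc/local.xml under $1.
admin_front_name() {
    conf="$1/app/etc/local.xml"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    # Take the text between <frontName> tags and unwrap an optional CDATA block.
    sed -n 's/.*<frontName>\(.*\)<\/frontName>.*/\1/p' "$conf" \
        | sed 's/^<!\[CDATA\[//; s/]]>$//' | head -n 1
}

# Return 0 when the admin path is no longer the default, 1 when it still is.
check_admin_path() {
    name="$(admin_front_name "$1")" || return 2
    if [ "$name" = "admin" ]; then
        echo "WARN: admin frontName is still the default 'admin'" >&2
        return 1
    fi
    echo "OK: admin frontName is '$name'"
    return 0
}

# Return 0 when no downloader/ folder is inside the web root, 1 when one is.
check_downloader() {
    if [ -d "$1/downloader" ]; then
        echo "WARN: $1/downloader is exposed in the web root" >&2
        return 1
    fi
    echo "OK: no downloader/ in web root"
    return 0
}

# Build a constructed Magento-1-style tree (default admin path, downloader
# present) so the checks can be demonstrated without a real shop.
make_demo_root() {
    root="$(mktemp -d)"
    mkdir -p "$root/app/etc" "$root/downloader"
    cat > "$root/app/etc/local.xml" <<'EOF'
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
    echo "$root"
}

# Usage: sh check_quickwins.sh /path/to/magento
if [ $# -gt 0 ]; then
    check_admin_path "$1"
    check_downloader "$1"
fi
```

Run it against the real document root after each deploy; a non-zero exit from either check is a sign the quick win has been undone.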
3) Make sure your Magento passwords are complex. As soon as an attacker has figured out your admin URL they will start to brute force your password; if it is a simple password it could fall in minutes.
4) Regularly check the list of admin users in the backend of your site. If you do not recognise any of them, remove them immediately. Then check that your PayPal email address is still your PayPal email address! You can list admin users from the command line with ./n98-magerun.phar admin:user:list (Magento 1) or ./n98-magerun2.phar admin:user:list (Magento 2).
5) Remove any temporary accounts you create for support purposes, e.g. a development FTP account or temporary accounts in Magento.
6) Apply the latest patches to your site. As soon as a security problem is exposed, new scripts will be released that allow hackers to exploit that hole. Magereport.com will scan your site and alert you to any patches you are missing. Dx3webs will happily apply patches to your site free of charge on request.
7) Install an SSL certificate on your site. It goes without saying that you should be protecting your customers' data and reassuring them at every stage that your site is safe and secure. While your payment gateway (SagePay / PayPal) will protect credit card data, the names, addresses and passwords of your customers should be encrypted in transit too. Dx3webs offer SSLs from £34.99 and we even offer free self-install Let's Encrypt SSLs direct from your control panel.
8) Keep your local anti-virus up to date. If something can come in and read all your passwords it does not matter what other measures you take at the server end.
9) Keep other apps away from your Magento store. For example, do you really need that WordPress installation sitting alongside your ecommerce store? WordPress is a massive target for hackers and should be isolated from your Magento installation.
10) Install a commercial Magento malware scanner. We strongly recommend Sansec's eComscan.
Provided by Dx3 as standard
1) Fail2ban is an intrusion detection tool which scans log files for suspicious activity and then blocks the offending IP addresses. It is a great tool for stopping brute force attacks while they are happening. It is installed by default on Dx3webs hosting packages.
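To make the "scans log files" part concrete, here is an added example (not from the original article, and not a Fail2ban configuration) of the detection logic such a tool applies: it reads Apache-style access log lines, counts POST requests to the admin login path per source IP per minute, and reports any IP that exceeds a threshold. A Fail2ban jail encodes the same idea with a failregex plus maxretry and findtime. The admin path /index.php/ops-console-x7/ and the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Apache combined
# log format, where $1 is the client IP, $4 is "[dd/Mon/yyyy:HH:MM:SS",
# $6 is the quoted method ("POST) and $7 is the request path.

# admin_login_bursts LOGFILE ADMINPATH [THRESHOLD]
# Print "ip minute count" for every (ip, minute) bucket with at least
# THRESHOLD POSTs whose path starts with ADMINPATH.
admin_login_bursts() {
    logfile="$1"; adminpath="$2"; threshold="${3:-5}"
    awk -v path="$adminpath" -v limit="$threshold" '
        $6 == "\"POST" && index($7, path) == 1 {
            minute = substr($4, 2, 17)   # e.g. 10/Oct/2023:13:55
            hits[$1 " " minute]++
        }
        END {
            for (k in hits) if (hits[k] >= limit) print k, hits[k]
        }' "$logfile" | sort
}

# Write a constructed access log: one IP hammering the admin login six
# times in one minute, a legitimate admin with two POSTs, and some GETs.
make_demo_log() {
    log="$(mktemp)"
    cat > "$log" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:07 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 200 5120 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "POST /index.php/ops-console-x7/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:31 +0000] "GET /index.php/ops-console-x7/dashboard/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "POST /index.php/ops-console-x7/catalog_product/save/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "POST /checkout/cart/add/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    echo "$log"
}

# Usage: sh admin_bursts.sh /var/log/apache2/access.log /index.php/<frontName>/ 5
if [ $# -ge 2 ]; then
    admin_login_bursts "$1" "$2" "${3:-5}"
fi
```

Counting per minute rather than per file is what keeps a busy but legitimate admin session from being flagged; the threshold and window are the knobs you would tune, just as maxretry and findtime are tuned in a Fail2ban jail.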
2) Back up your site regularly. Your code base and your database should be backed up regularly and kept in a different location from your server. This is the ultimate fail safe in case all else fails, and it is vital. All Dx3webs packages provide a full 7 day rolling backup.
3) Run a secure firewall. A packet inspection firewall will actively scan traffic to your site and block suspicious behaviour, as well as blocking ports that do not need to be open. It can also be configured to allow access to specific ports only from specific IP addresses, should you need to connect directly to your database from the office.
Fail safe
1) On request we can also make all files within your site read-only to ensure that no files are changed by any third party.
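Making a Magento tree read-only is not quite "chmod everything": the shop still needs to write its cache, sessions, logs and uploaded images. The script below is an added example of one way to do it, not the Dx3webs procedure. It assumes a Magento 1 layout where var/ and media/ are the only directories the application writes to, locks every other file and directory, and offers an unlock for deployments. The directory tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes a Magento 1 layout
# in which var/ and media/ must stay writable by the application; adjust the
# prune list for other layouts.

# Make everything outside var/ and media/ read-only (files 444, dirs 555).
lock_magento_files() {
    root="$1"
    find "$root" \( -path "$root/var" -o -path "$root/media" \) -prune \
        -o -type d -exec chmod 555 {} +
    find "$root" \( -path "$root/var" -o -path "$root/media" \) -prune \
        -o -type f -exec chmod 444 {} +
}

# Reverse the lock for the owner so a deployment can write again.
unlock_magento_files() {
    root="$1"
    find "$root" \( -path "$root/var" -o -path "$root/media" \) -prune \
        -o -exec chmod u+w {} +
}

# Count files outside var/ and media/ that are still owner-writable;
# zero means the lock is in place.
writable_outside_var_media() {
    root="$1"
    find "$root" \( -path "$root/var" -o -path "$root/media" \) -prune \
        -o -type f -perm -u=w -print | wc -l | tr -d ' '
}

# Build a constructed Magento-1-style tree for the demonstration.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/app/etc" "$root/var/cache" "$root/media/catalog"
    echo '<?php' > "$root/index.php"
    echo '<config/>' > "$root/app/etc/local.xml"
    echo 'cache' > "$root/var/cache/entry"
    echo 'img' > "$root/media/catalog/image.jpg"
    echo "$root"
}

# Usage: sh lock_magento.sh lock|unlock|status /path/to/magento
if [ $# -eq 2 ]; then
    case "$1" in
        lock)   lock_magento_files "$2" ;;
        unlock) unlock_magento_files "$2" ;;
        status) writable_outside_var_media "$2" ;;
    esac
fi
```

Run the status check from cron: a count that drifts away from zero between deployments means something, or someone, has been changing permissions on the code base.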