It is important to stay on top of Magento security practices to protect your website and customer data against cyber intrusions. Below we’ll cover some tips for hardening your Magento website and web server.
- Initial Setup
- Hardening Magento Security
Initial Setup
The following steps are best taken during Magento installation, but each can also be applied to an existing store.
Create a Unique Admin Panel URL
During Magento installation you specify a URL for the backend dashboard. Softaculous uses the admin path “admin123” by default. Change it to something longer and harder to guess; automated scanners try /admin and similar well-known paths first. Note that in Magento 2 the admin path is a route handled by index.php rather than a directory on disk, so cPanel's directory password protection or a directory-level .htpasswd will not cover it. Experienced system administrators can instead require HTTP basic authentication for that path with an Apache <Location> block or an NGINX location block backed by an .htpasswd file. To change the admin URL in Magento 2.4:
Although this is the recommended method, it caused problems during our testing on version 2.4.2-p2. Proceed only during a period of low customer activity, and only if you have SSH access to troubleshoot; otherwise, contact live support for assistance.
- Select Stores > Configuration.
- Under Advanced, select Admin.
- Select Admin Base URL to show custom admin URL options.
- Clear Use system value next to Use Custom Admin URL and set it to Yes. Clear Use system value next to Custom Admin URL and enter the full admin base URL with a trailing slash (e.g. https://example.com/supersecreturl/).
- Clear Use system value next to Use Custom Admin Path and set it to Yes. Clear Use system value next to Custom Admin Path and enter the new path segment only (e.g. supersecreturl), not a file-system path.
- Select Save Config at the top. You will be redirected to the new admin URL; update any bookmarks, because the old path no longer serves the admin.
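The same change can be made from the command line, which is easier to recover from if the admin route breaks after saving. The following script is an added example, not code from this article or from the Magento project: it assumes it is run from the Magento root by the file-system owner with bin/magento executable, and the minimum length and blocklist it checks are this script's own choices, not Magento requirements.

```shell
#!/bin/sh
# Added example (not from the article or from Magento): change the Magento 2
# admin path from the command line. Assumes: run from the Magento root as the
# file-system owner, bin/magento executable. The minimum length and the
# blocklist below are this script's choices, not Magento requirements.
set -eu

# Print a random admin path: 16 characters from [a-z0-9], so it is URL-safe
# and survives being typed on any keyboard.
random_admin_path() {
  LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 16
  echo
}

# Accept only names Magento's installer allows (letters, digits, underscore)
# at a length that is not guessable, and never a well-known admin path.
valid_admin_path() {
  case "$1" in
    admin|admin123|administrator|backend|manage|panel|'') return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]{8,32}$'
}

# Write the new path into app/etc/env.php via the setup tool and show it.
apply_admin_path() {
  valid_admin_path "$1" || { echo "refusing weak or invalid admin path: $1" >&2; return 1; }
  bin/magento setup:config:set --backend-frontname="$1" --no-interaction
  bin/magento cache:flush
  # env.php stores it as 'backend' => ['frontName' => '...']; print that line.
  grep -n "frontName" app/etc/env.php
  printf 'admin is now at %s%s/\n' "$(bin/magento config:show web/secure/base_url)" "$1"
}

# Usage: ./admin-path.sh            -> print a candidate path
#        ./admin-path.sh apply      -> generate and apply a random path
#        ./admin-path.sh apply NAME -> apply NAME after validating it
case "${1:-}" in
  apply) apply_admin_path "${2:-$(random_admin_path)}" ;;
  *)     random_admin_path ;;
esac
```

Keep the printed URL somewhere safe before logging out of the current session; the validation step refuses the paths that scanners try first, but it cannot make a path secret once it has been shared in plain e-mail or chat.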
Install an SSL Certificate
Some site owners serve the Magento catalog over plain HTTP and switch to HTTPS only for the cart and checkout. That split exposes session cookies and page content on every unencrypted page to anyone on the network path, so it is strongly recommended to install a certificate and force encrypted connections site-wide.
cPanel and Softaculous make it easy to confirm that a valid certificate is installed. On an unmanaged server, use Certbot to obtain a free Let's Encrypt certificate.
- After installing the certificate on your web server, log into the admin dashboard.
- Select Stores > Settings > Configuration.
- Under General, select Web.
- Under Base URLs and Base URLs (Secure), set both Base URL and Secure Base URL to the https:// address. Under Base URLs (Secure), also set Use Secure URLs on Storefront and Use Secure URLs in Admin to Yes, then select Save Config. These settings only control the links Magento generates; a visitor who types the http:// address still reaches the site, so add a redirect to https in .htaccess or the web server configuration as well.
Hardening Magento Security
There are plenty of security improvements to be made on existing eCommerce sites, starting with user credentials.
Do not use predictable admin usernames such as “admin”, “administrator” or “root”; brute-force and credential-stuffing tools try those first. A less obvious username raises the cost of an attack, although it is no substitute for a strong passphrase and two-factor authentication.
Instead of a password, use a strong passphrase of more than a dozen characters mixing letters, digits and symbols. Keep the credentials in a dedicated password manager such as KeePass or LastPass rather than in your web browser.
Two-factor or multi-factor authentication (2FA/MFA) blunts brute-force and stolen-password attacks: an attacker who has the passphrase still needs the second factor, which in Magento is an authenticator app, a Duo or Authy push, or a U2F hardware key, not an e-mail link. Magento 2.4 requires 2FA for every admin account by default; you choose which providers are allowed:
- Select Stores > Settings > Configuration.
- On the left, select Security and 2FA.
- Choose one or more providers: Google Authenticator, Duo Security, Authy, or U2F Devices (YubiKey and similar hardware keys).
If a user has no smartphone, a U2F hardware key works without one. The Bypass 2FA extension by PHP Studios can whitelist specific users, but a bypassed account is protected by its password alone, so limit that to the smallest possible set of accounts and review it regularly.
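The same configuration from the command line, as an added example rather than code from the article or from the Magento project. It uses the Magento_TwoFactorAuth module's config path twofactorauth/general/force_providers and its security:tfa:reset command; it assumes it is run from the Magento root with bin/magento executable, and the admin user name in the usage text is made up.

```shell
#!/bin/sh
# Added example, not from the article or from Magento: force 2FA providers
# and reset a locked-out user from the CLI (Magento 2.4, Magento_TwoFactorAuth).
# Assumes: run from the Magento root, bin/magento executable.
set -eu

# Provider codes the module understands; the config value is a comma list.
tfa_known_providers() { echo "google duo authy u2fkey"; }

# Build the config:set arguments for the given providers, rejecting unknown
# codes so a typo does not silently leave the store with no usable provider.
tfa_force_args() {
  list=
  for p in "$@"; do
    case " $(tfa_known_providers) " in
      *" $p "*) ;;
      *) echo "unknown 2FA provider: $p" >&2; return 1 ;;
    esac
    list="${list:+$list,}$p"
  done
  [ -n "$list" ] || return 1
  echo "config:set twofactorauth/general/force_providers $list"
}

# Apply the providers and clear the config cache; every admin must then enrol
# with one of them on their next login.
tfa_force() {
  args=$(tfa_force_args "$@")
  # shellcheck disable=SC2086  -- splitting the argument string is intended
  bin/magento $args
  bin/magento cache:clean config
}

# Recovery for a user who lost their phone or key: reset that user's enrolment
# for one provider so they can enrol again. Prefer this over bypassing 2FA.
tfa_reset_user() { bin/magento security:tfa:reset "$1" "$2"; }

# Usage: ./tfa.sh force google u2fkey      (assumed script name)
#        ./tfa.sh reset jane.doe google    (jane.doe is a made-up admin user)
case "${1:-}" in
  force) shift; tfa_force "$@" ;;
  reset) tfa_reset_user "$2" "$3" ;;
  *)     echo "usage: $0 force <provider...> | reset <admin-user> <provider>" >&2 ;;
esac
```

Forcing providers is a store-wide setting, not per user; after a reset the user is prompted to enrol again at their next admin login, so the reset itself does not need to be followed by any further configuration.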
Magento Security Extensions and Backups
Stay current with Magento security patches. Create and verify a full backup (files and database) before every upgrade; note that the built-in bin/magento setup:backup command is deprecated as of Magento 2.3 and should not be relied on. There are commercial Magento backup extensions, but they are expensive. Check with your web hosting provider for server-level backup options in cPanel, Control Web Panel (CWP) and similar. If you are comfortable with the command-line interface (CLI), schedule tar or zip archives plus a database dump with a cron job.
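A cron-driven backup along the lines this paragraph suggests, as an added example that is not from the article: it archives the code base with tar, dumps the database using the credentials Magento already keeps in app/etc/env.php, and verifies both before reporting success. It assumes GNU or BSD tar; the database step additionally assumes php and mysqldump on the PATH, and every path in it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: a cron-friendly Magento 2 backup that
# archives the code base, dumps the database named in app/etc/env.php and
# verifies both. Assumes GNU or BSD tar; the database step also assumes php
# and mysqldump on PATH. All paths are placeholders.
# Cron line (assumed paths):
#   0 2 * * * /usr/local/bin/magento-backup.sh /var/www/magento /backups --with-db
set -eu

checksum() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Archive the Magento root, skipping caches, logs, sessions and generated code
# that are rebuilt on demand. $2 must lie outside $1, or tar will try to
# archive the archive it is writing. Prints the archive path.
backup_magento_files() {
  root=$1; dest=$2
  mkdir -p "$dest"
  archive="$dest/magento-files-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" \
      --exclude='./var/cache' --exclude='./var/page_cache' \
      --exclude='./var/log'   --exclude='./var/session' \
      --exclude='./generated/code' \
      -C "$root" .
  # An unverified backup is a guess: the archive must be readable and must
  # contain env.php, the file that holds the database settings and crypt key.
  tar -tzf "$archive" | grep -q 'app/etc/env.php$'
  checksum "$archive" > "$archive.sha256"
  echo "$archive"
}

# Dump the database with the credentials from env.php so the cron job never
# needs a second copy of the password; MYSQL_PWD keeps it off the process list.
backup_magento_db() {
  root=$1; dest=$2
  mkdir -p "$dest"
  dump="$dest/magento-db-$(date +%Y%m%d-%H%M%S).sql.gz"
  php -r '$c = (include $argv[1])["db"]["connection"]["default"];
          echo "$c[host]\n$c[dbname]\n$c[username]\n$c[password]\n";' \
      "$root/app/etc/env.php" |
  {
    IFS= read -r host; IFS= read -r name; IFS= read -r user; IFS= read -r pass
    MYSQL_PWD=$pass mysqldump --single-transaction --quick --routines --triggers \
        -h "$host" -u "$user" "$name" | gzip > "$dump"
  }
  gzip -t "$dump"                               # archive integrity
  gzip -dc "$dump" | grep -q '^CREATE TABLE'    # and it really contains schema
  checksum "$dump" > "$dump.sha256"
  echo "$dump"
}

# Usage: magento-backup.sh <magento-root> <backup-dir> [--with-db]
if [ $# -ge 2 ]; then
  backup_magento_files "$1" "$2"
  if [ "${3:-}" = "--with-db" ]; then backup_magento_db "$1" "$2"; fi
fi
```

Store the archives and their .sha256 files on a different host or bucket than the web server; a backup that sits next to the site is lost with it, and the env.php inside the archive holds the database password and encryption key, so the backup location needs the same access restrictions as the server.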
Magento Server Hosting
There are no official Magento firewall extensions at this time, but your web hosting plan likely includes a server-side web application firewall (WAF). On a VPS you can run ModSecurity (a WAF that inspects HTTP requests, usually with the OWASP Core Rule Set) alongside host-level tools such as Fail2ban and ConfigServer Security & Firewall (CSF); those two are not WAFs, but they block IP addresses that repeatedly fail logins or trip other rules.
Magento works best on VPS or dedicated server hosting, where more system resources are available than on shared plans. A cloud-based WAF such as Cloudflare or Sucuri adds protection against denial-of-service (DoS) attacks and filters malicious requests before they reach the server. If you use one, restrict inbound web traffic at the origin to the provider's IP ranges; otherwise an attacker who discovers the origin address can bypass it entirely.
Security HTTP headers limit what a browser will do with a page: a Content Security Policy (CSP) restricts where scripts, styles and other resources may be loaded from, which blunts injected card skimmers and cross-site scripting. Magento 2.3.5 and later ship the Magento_Csp module, which already sends its own policy (in report-only mode by default) and is configured through csp_whitelist.xml; the CSP & Security Headers extension can help you build a policy, but avoid sending a second CSP header from the web server, because browsers enforce every CSP header they receive. Magento can also emit HTTP Strict Transport Security (HSTS) itself via Enable HTTP Strict Transport Security (HSTS) under Stores > Configuration > General > Web > Base URLs (Secure). Advanced users can set HSTS and Permissions-Policy headers in the web server configuration instead. We have articles explaining how to create these headers in Apache and NGINX.
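The HTTPS redirect that the SSL section leaves to the web server and the HSTS and Permissions-Policy headers mentioned here, combined in one Apache 2.4 fragment. The script that writes it is an added example, not code from the article or from Magento: the output path, the policy values, and the assumption that mod_rewrite and mod_headers are enabled are all this example's own.

```shell
#!/bin/sh
# Added example, not from the article: writes an Apache 2.4 fragment that
# forces HTTPS and sets HSTS and Permissions-Policy headers. Assumes
# mod_rewrite and mod_headers are enabled; the path and policy values are
# placeholders to adjust. Include the file from the vhost, or paste its
# contents at the top of Magento's pub/.htaccess.
set -eu

write_https_hardening() {
  cat > "$1" <<'EOF'
# ---- Force HTTPS ----
RewriteEngine On
# Behind Cloudflare/Sucuri the origin may be reached over http even when the
# visitor used https; %{HTTPS} is then "off" and a naive rule loops forever.
# Honour the proxy's X-Forwarded-Proto too. This is only safe when the origin
# accepts traffic from the proxy alone, since any client can send that header.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# ---- Security headers ----
# HSTS only on https responses; browsers ignore it on http anyway, and a long
# max-age is a one-way door, so test with a short value first. If TLS ends at
# the proxy, set HSTS there or key this condition on X-Forwarded-Proto.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
# Deny browser features the store never uses; keep payment for the checkout.
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(self)"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# No Content-Security-Policy here: Magento 2.3.5+ sends its own from the
# Magento_Csp module (configure it in csp_whitelist.xml); a second CSP header
# from Apache would be enforced on top of it.
EOF
}

# Write the fragment, syntax-check it when apachectl is available, then reload.
install_https_hardening() {
  write_https_hardening "$1"
  if command -v apachectl >/dev/null 2>&1; then
    apachectl configtest
    apachectl graceful
  fi
}

# Usage (assumed Debian-style path):
#   ./https-hardening.sh /etc/apache2/conf-enabled/magento-https.conf
if [ $# -ge 1 ]; then install_https_hardening "$1"; fi
```

After reloading, check a plain-http request with curl -I and confirm a 301 to the https address with no loop, and check an https response for the Strict-Transport-Security line before raising max-age to a year.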
An insecure web server can undercut best security practices within your Magento store. Contact your hosting provider for additional options that may not be mentioned above.
Let us know if you have additional questions about Magento security.