Looking at the global trend, the number of ecommerce stores is increasing as people find it convenient to shop online from their computer or phone. However, this convenience comes with a security risk posed by malicious parties looking to steal from ecommerce stores. Just as with a brick and mortar shop, we have to take responsibility and close any security holes. In a physical store that might mean a door lock or security tags on goods; the security measures for an online store are a bit different. These are 10 best practices or tips to keep your Magento store secure:
1. Set up a non-default admin dashboard URL
Instead of using the default admin dashboard URL (admin), change it to a custom one that people cannot easily guess, which makes it harder to find and brute-force your admin login.
2. Set up and enable 2FA for admin
Two-Factor Authentication (2FA) is a widely used procedure to ensure that if someone guesses or steals your admin password, they still cannot easily log in to your account, because an extra layer of protection requires the user to enter another code.
3. Upgrade to the latest version of Magento or install the latest security patches
Attackers are always trying to find a crack in your security wall. Adobe and the Magento community fix vulnerabilities as they become known. To minimize the potential for a breach, it is important to upgrade your store to the latest version. If you are not ready to upgrade the whole system, you can still close known security holes by applying the security patches. You can take a look at this link on how to apply security patches.
4. Consider locking your configuration values in the environment file to prevent unwanted changes
If admin access is breached, you can prevent system configuration values from being changed through the dashboard by locking them in the environment file in the source code (app/etc/env.php).
5. Run security scan periodically
Adobe offers a security scan that periodically checks your Magento store for known security risks and sends you updates and security notifications. Follow the instructions on this link to run the security scan on your Magento 2 store. It is recommended to keep it turned on so that your store is scanned periodically, and to take action as soon as vulnerabilities are discovered.
6. Review admin user role access
To prevent unwanted setting changes, limit dashboard access for certain users and do not give administrator level access to all employees / admin users. For example, the sales team does not need access to the user role and system menus, and the HR team does not need access to the sales menu.
7. Remove old or unused admin and server users
If you have old users that belonged to ex-employees or ex-developers, you might want to remove them to prevent unwanted access and system changes. Sometimes, after finishing a task on the admin dashboard, we forget to deactivate the users or set an expiry time for them; this can become a security hole in the future.
8. Audit and change your password and SSH keys periodically
It is recommended to review and delete unused passwords or SSH keys for your server / hosting.
9. Scan your error and access logs for suspicious connections and attack attempts
Periodically skim through your logs; you might notice a disproportionate amount of access from a certain source, which might be suspicious.
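A minimal version of that log review, as an added example that is not part of the original post: it parses combined-format access log lines (the sample lines below are constructed), counts per source the POSTs to the admin login path and the 404 responses, and flags sources that exceed a threshold. The admin path /admin and the thresholds are assumptions; adjust them to your store.

```python
import re
from collections import defaultdict

# Combined log format (nginx/Apache default): capture client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines, not a real capture; the admin path is assumed
# to still be the Magento default /admin (tip 1 recommends changing it).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:55:42 +0000] "GET /downloader/ HTTP/1.1" 404 153 "-" "curl/8.0"
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Parse one access-log line; return its fields or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text, admin_path="/admin"):
    """Per client IP: number of POSTs to the admin path and number of 404 responses."""
    stats = defaultdict(lambda: {"admin_post": 0, "not_found": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it instead of aborting the whole scan
        if rec["method"] == "POST" and rec["path"].startswith(admin_path):
            stats[rec["ip"]]["admin_post"] += 1
        if rec["status"] == "404":
            stats[rec["ip"]]["not_found"] += 1
    return dict(stats)

def flag_suspicious(stats, admin_post_limit=2, not_found_limit=2):
    """Return {ip: reason} for sources whose counts exceed either threshold."""
    flagged = {}
    for ip, s in stats.items():
        if s["admin_post"] > admin_post_limit:
            flagged[ip] = f"{s['admin_post']} POSTs to the admin login"
        elif s["not_found"] > not_found_limit:
            flagged[ip] = f"{s['not_found']} requests for missing paths (probing)"
    return flagged
```

Running flag_suspicious(summarize(SAMPLE_LOG)) reports the source hammering the admin login and the source probing for paths that do not exist, while the ordinary shopper is left alone.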
10. Use reCAPTCHA
Defend your storefront from attacks and spam by implementing reCAPTCHA, one way to protect your Magento store from abuse by making sure that actions are performed by a real person and not by computer scripts or bots. You have probably seen reCAPTCHA on other websites, as it is quite common. There are various types of reCAPTCHA, and with some of them people may find it funny that customers are only asked to tick a checkbox to determine whether they are a bot. However, background signals such as mouse movement, scrolling and clicking behaviour help reCAPTCHA to identify bots.