0 Shares 2939 Views

13 Security Features That Your Magento Site Needs

Mubashir Ahmed Aug 26, 2016

The ecommerce world have evolved extensively in the last few months. Platforms and structure are changing drastically and incorporating newer and better features for better user experience. From WordPress to Woo Commerce everything has changed. Another of such platform that has gone major change because of ecommerce developments happens to be Magento. For now, Magento, is considered one of the most updated and secured platforms mainly because of its regular updates. Surveys not put the ecommerce platform on a substantial 26% percent in terms of webstores reliance. This means that every one of four webstores are developed on Magento, a number that makes it an impact making force.

There can be no denial of the fact that though with all the available security updates the ecommerce world still remains at a continuous threat, one that keeps on growing. Cyber criminals are always on the prowl to find any weakness in the code or any loophole left by the user through which they can wiggle in.

The most common type of activities that are staged by these cyber criminals in order to gain access to a webstore include.



->Stealing user data

Though Magento developers keep on rolling out security updates on regular basis there still remains a lot to achieve. There happen to be a lot of DIY Magento security best practices that website administrators should follow in order to keep their efforts protected. In the ecommerce store business it all comes down to Trust. These tips would help you in keeping your webstore protected and keeping the trust factor intact.

1) Go Latest

Well there might be a version you felt comfortable with. Assuming that you the have the best extensions and security updates, users normally avoid moving onto newer versions all because of their convenience. Magento has been continuously getting updated with security patches. Hence, it is very important to stay informed about the latest Magento version. Once a stable release is out, test it and get it implemented.

2) Two Tier Verification

As the famous saying goes, never put all your eggs in one basket. Either go for multiple basket or for multiple trips. Same is the case with Passwords. Either you need to keep on changing your passwords on regular basis with the most complex combinations or you opt for a two tier authentication. Two tier helps you discourage attacks more effectively. There are a few extensions that deliver two-factor authentications taking away your password worries and easing your Magento security risks.

Here are two of the leading extensions that can help you impose 2 tier system.

->With Rublon only trusted devices are only allowed to access Magento backend by using a smartphone app. The app that uses a layer of stealth is available for all popular mobile OS platforms.

->Another of authentication application that is available is TWO-FACTOR Authentication. The extension allows you to implement complex authentication mechanisms which include limiting log-in attempts.

3) Custom Path Admin Panel

Modifying your typical admin panel, a new modified version is made available. The typical admin panel that is accessed by going to my-site.com/admin, is very easy for hackers to get on to your admin log-in page and start guessing passwords.

You can change your Magento admin path by following these steps:

->Locate /app/etc/local.xml

->Find <![CDATA[admin]]>

->Replace the term “admin” with your desired word or code

4) Encrypted Connection (SSL/HTTPS)

Data flow always happens at a certain risk. Sending confidential information such as login details, across an encrypted connection exposes you to assailants, who can have this information and use it as an excess point for your website. To eliminate these issues, it is essential that you use a secure connection.

The method for getting a secure HTTPS/SSL URL is very easy on Magento. You simply need to click on the tab “Use Secure URLs” in the system configuration menu. This is also one of the key elements in making your Magento website compliant with the PCI data security standard and in securing your online transactions.

You can also get a SSL certification by StartSSL. This will alongside help you in becoming PCI compliant.

5) Secure FTP Connection

One of the common path that hackers these days use to gain access to a website is by guessing or intercepting FTP passwords. You can avoid this by simply using secured passwords and SFTP ((Secured File Transfer Protocol) that uses a private key file for decryption or authenticating a user.

6) Have a Backup Plan

You can have a NSA operated firewall and a team of world class experts protecting your webstore round the clock, yet you will always need a backup plan and cannot shy away from it. Your strict preventive measures for security can go all wasted if you are not using a proper backup. The process may well include hourly offsite backups and downloadable backups. In case of a website crash, a backup plan ensures the continuity of your services.

Data loss can also be averted by storing backup files off-site or simply outsourcing the job to an online backup provider. It is always wise to check with your hosting provider if it has a backup strategy.

7) Directory Indexing

Wandering in unchartered territory if you are not of being followed and don’t want to be exposed it is always advised to cover your trial. This is exactly what directory indexing helps you with. Hardening your Magento site, disabling your directory indexing helps you hide the obvious pathways via which the files of your domain are stored. This keeps away the cyber crooks from Magento-powered website’s core files. Be advised, this is not permanent solution and those who are interested can always access your files if they already know what the full path of your files is.

8) Having a Strong Magento Password

You can secure yourself with Magento strong passwords. Always have special focused when you are deciding upon a password. Use the standard password techniques that involve mix of upper and lower case alphabets, numbers, and special characters like ?, >, etc. (Use a password management service if you have a problem of remembering a difficult one.) Additionally you can protect your Magento password by not using the same combination anywhere else, while keeping it exclusive and complex.

9) No Email Loopholes

Though there is a great password recovering facility that has been incorporated in Magento, you yourself need to make sure that the e-mail address you use for Magento is not publicly known and it is protected with two-factor authentication. Email hacks can create a lot of trouble and your whole Magento store becomes vulnerable

10) Your Hosting Plan Matters

If you are a startup and cannot afford to have a dedicated hosting or more secure virtual private servers, it is advised you go for shared hosting, a cheap mean for hosting a website. This may involve a certain compromise on your Magento security but measure can save you from complete disaster. If you find yourself having problems with shared hosting you can shift to dedicated one, this limits your resources and if there is a sudden spike in your traffic, the website has a good chance of going down. Managed cloud hosting has its own advantage. Robust security with frequent patches at server-level saves you big time.

11) Say No to MySQL Injection

Complete reliance is never a good option. So, at a place where we are pitching you great Magento security features, ones that even involve support to outmaneuver any MySQL injection attacks with its newer versions and patches, it is not always an ideal approach to rely only on them. It is highly advised that additional web application firewalls such as NAXSI are even installed for customer safety.

12) Always Have Reviews

No one is perfect, not even the best of Magento security experts. Where many of them may claim themselves to be good at coding only few understand the intricacies of Magento site security. You are therefore suggested to have yearly (even semiannual) reviews of your website for apparent loopholes and security shortcomings. If properly done, these reviews help in further hardening of your Magento security measures.

13) Listen From Others

Magento has a thriving community of techies who are always there to help you in the time of need. You can search and post queries regarding any security issues of Magento or its features. The Magento Community members also release security reports on various versions of Magento, so look out for those as well.


There can be no doubt of the fact that Magento is a robust ecommerce development solution. Though these tips would help you come over a number of your issues there are complexities that require expert advice. It is always good to have consultancy from service providers that can help you bail out from such scenarios.

Mubashir Ahmed

Mubashir Ahmed

Magento Community Manager at Arpatech
Mubashir has served many clients in the domain of Web Development. He loves to work in Business Intelligence and Data-warehousing. He is engaged in latest eCommerce trends and also loves to Travel. You can follow him on Twitter @m_ahmdd or e.mail mubashir.ahmad[at]arpatech.com
Mubashir Ahmed