Recently , i have been working on security aspects of Magento and Server (centos,ubuntu ..) to help my clients secure their webshops, so i have prepared a security plan . perhaps you can find useful information here .
Part 1. Integrity Check
– Core code check : check to make sure core files are similar to default Magento installation core files .
– Lib directory check : Lib directory contains Varien libraries, Zend Framework and other 3rd party stuffs
– Lib directory check : Lib directory contains Varien libraries, Zend Framework and other 3rd party stuffs
– Git log check : if you are using git, then reviewing git log regularly is a good idea.
– Public accessible directories : Check for big files in /media and /var , check file type to make sure they’re not fake (imagemagick to check images, ffmpeg to check video files, qpdf to check pdf files , etc..) . Hackers often extract content to these directories so they can download easy later , that’s why we do this type of checking. i have a script for this type of work and i will post it in another post soon 🙂
Part 2. Magento Tunning
A – Tighten up security
– Change admin login path : /index.php/admin is a well known path, Hackers always try this first to find login path, this should be changed into something else.
– Lower Admin session life time : With this changes, you can reduce risk from cookie thief by XSS or someone use your computer to login backend.
– Use Long & complex admin user/password : This one is solution for password brute force attack
– Enable captcha : you can enable it from backend . So bot or script won’t work anymore.
– Install Admin Logger extension (this is a feature from Magento EE). http://www.magpleasure.com/admin-logger.html
– Check for Security Patch weekly : Magento often release patches to fix security vulnerabilities , it’s good to have your code up-to-date.
– Lower Admin session life time : With this changes, you can reduce risk from cookie thief by XSS or someone use your computer to login backend.
– Use Long & complex admin user/password : This one is solution for password brute force attack
– Enable captcha : you can enable it from backend . So bot or script won’t work anymore.
– Install Admin Logger extension (this is a feature from Magento EE). http://www.magpleasure.com/admin-logger.html
– Check for Security Patch weekly : Magento often release patches to fix security vulnerabilities , it’s good to have your code up-to-date.
– Setup 2-factor authentication , there are extensions for this from Magento marketplace.
– Use HTTPS/SSL for all login pages.
– Disable Magento Connect Manager tool : this utility is not really necessary and it is another way to get in your website.
– Stop using untrusted Magento Extensions
B – Prepare for disaster
– Use Magento extensions that allow export orders/customers/products/categories and encrypt them for recovery purposes.
– Design a better ‘Store undergoing scheduled maintenance’ page to use it when we’re going to do disaster recovery. Stop using Magento default maintenance page.
– re-design error reporting page : remove trace of Magento error reporting file and turn make it match your webshop design.
– Design a better ‘Store undergoing scheduled maintenance’ page to use it when we’re going to do disaster recovery. Stop using Magento default maintenance page.
– re-design error reporting page : remove trace of Magento error reporting file and turn make it match your webshop design.
Part 3. Server Tunning
A – Data Base
– Grant minimum access previledges to database users : do not use root credentials for your database.
– Use different user/password for different databases : with this setup, other website will be safe if one of your websites is compromised.
– setup firewall to limit only internal access. disable public access : database should only be accessible from your server, never open it to public.B – Apache & PHP
– Use production mode for error reporting : with this setup , you won’t see error throwing on your live environment. There are a lot of website that leave error reporting for live site, so once error happen, people will see error and path to your website on server.
– Use correct file permission , it should be 644 or 664 for source files : do not use 777 permission for your files unless it’s cache or temporary files
– Limit file upload : file upload will be exploit a lot, so you will need to validate file upload carefully.
– Limit access to development environments : if you have dev site or staging site, remember to set .htpasswd for them, so web scraper like google , bing or your customer won’t see content on your development sites.
– Grant minimum access previledges to database users : do not use root credentials for your database.
– Use different user/password for different databases : with this setup, other website will be safe if one of your websites is compromised.
– setup firewall to limit only internal access. disable public access : database should only be accessible from your server, never open it to public.B – Apache & PHP
– Use production mode for error reporting : with this setup , you won’t see error throwing on your live environment. There are a lot of website that leave error reporting for live site, so once error happen, people will see error and path to your website on server.
– Use correct file permission , it should be 644 or 664 for source files : do not use 777 permission for your files unless it’s cache or temporary files
– Limit file upload : file upload will be exploit a lot, so you will need to validate file upload carefully.
– Limit access to development environments : if you have dev site or staging site, remember to set .htpasswd for them, so web scraper like google , bing or your customer won’t see content on your development sites.
B1 – Increase security via .htacess file
– turn off server signature
– disable directory listing
– force index.php as directory index
– deny access to protected server files and folders : htaccess, htpasswd, errordocs, logs ..etc..
– add request methods filter to prevent these request types : HEAD, TRACE, DELETE, TRACK, DEBUG
– only allow internal file request from internal server/website
– deny browser access to php.ini, xml files, config files and readme files
– turn off server signature
– disable directory listing
– force index.php as directory index
– deny access to protected server files and folders : htaccess, htpasswd, errordocs, logs ..etc..
– add request methods filter to prevent these request types : HEAD, TRACE, DELETE, TRACK, DEBUG
– only allow internal file request from internal server/website
– deny browser access to php.ini, xml files, config files and readme files
B2 – Nginx
– make sure you have the same security or better as described above. there are some tools online that support conversion between Apache config and Nginx config.
C – Server & Scripts
– Use VPN to connect to main server (limit ip address to VPN server only) : this is a strong approach to secure your server, it gives you complete control to users who are allowed to work with your server.
– Daily database backup
– Daily media backup (incremental backup)
– Daily check for website integrity.
– Setup Antivirus software : it’s important for Windows server. if you’re using Linux, you can use ClamAV which is also good for scanning bad files and scripts on your server.
– If FTP is required, use SFTP for file transfer
– Update server software, kernels regularly
– Use VPN to connect to main server (limit ip address to VPN server only) : this is a strong approach to secure your server, it gives you complete control to users who are allowed to work with your server.
– Daily database backup
– Daily media backup (incremental backup)
– Daily check for website integrity.
– Setup Antivirus software : it’s important for Windows server. if you’re using Linux, you can use ClamAV which is also good for scanning bad files and scripts on your server.
– If FTP is required, use SFTP for file transfer
– Update server software, kernels regularly
Part 4. Coding principle – this one is for developers
– Never trust user input, always check, validate and escape if you’re working on feature that contain input fields/upload fields.
– Test code properly to make sure it won’t display error log on front-end . the error log
– notify/update to latest version of Magento
– Never trust user input, always check, validate and escape if you’re working on feature that contain input fields/upload fields.
– Test code properly to make sure it won’t display error log on front-end . the error log
– notify/update to latest version of Magento
Part 5. Admin Tips
– never use admin username/password for anything else
– don’t save password on computer or notes
– use Private/company email address for admin instead of gmail/hotmail/etc..
– request for PCI compliance tests
i hope this article will help you to enhance your website security. Please post your comment if you have any question
