
Magento Security best practices
Hello,

Unpatched Magento versions and bad security practices have led to a number of malware and hacking activities being reported in the community lately.

Running a secure and healthy Magento store needs periodic checks; installing patches is not enough, since human errors can lead to hacking as well. One of these errors has to do with credential sharing: in many cases, when customers work with third-party extension providers or outsource development work, they need to send credentials to access Magento servers. Although most customers revoke credentials after support actions are completed, we found that some customers never do, which is not a security best practice, so we strongly recommend that you revoke all access credentials you might have sent us (or any other third party) once support actions are completed.

Here are some good security measures you should take to keep your Magento stores secure:

- Run the latest Magento version. If possible, make sure you run the latest Magento version available, CE v1.9.2.4 / EE v1.14.2.4 (July 2016).

- Make sure your Magento instance is updated with all security patches including:
-- SUPEE-7405
-- SUPEE-6788
-- SUPEE-5994
-- SUPEE-5344

- Running a patched but old Magento version? Besides applying all patches, if you are running an old Magento version, also check for this CSRF vulnerability via Adobe Flex.

- Run only trusted code. Make sure that you are only using trusted source extensions and custom code.

- Check your setup periodically. We encourage you to run automated security checks over your Magento websites; there are several options for this, one of them being Magereport.com, which we've found to be quite comprehensive and accurate.

- Protect your Magento installation from password guessing. Magento has put together a very comprehensive article on this matter, definitely worth checking.

- Check for credit card hijacks. Check for this malicious JavaScript credit card hijack malware, or a different version of it, as it has been reported to be present on a number of websites. We encourage you to check the source code of your website's homepage and payment page for the hijack malware, and to periodically compare all your deployed production code against your git/subversion repository (or whichever version control system you use).
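One way to carry out the deployed-code comparison recommended above, as an added example that is not code from the original post or from ebizmarts: hash every file under a clean checkout and under the production root, then report what differs. The excluded directories and the Magento 1 paths in the usage line are assumptions; adjust them to your store.

```python
import hashlib
import os

# Runtime directories (relative to the Magento root) that change constantly and would
# only add noise. Assumed defaults for a Magento 1 layout; adjust for your store.
EXCLUDED_PREFIXES = ("var/", "media/", ".git/")
# Extensions where an unexpected change is most likely to be injected code.
CODE_EXTENSIONS = (".php", ".phtml", ".js", ".html")


def build_manifest(root: str) -> dict:
    """Map each file under root (as a relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(EXCLUDED_PREFIXES):
                continue
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, deployed: dict) -> dict:
    """Compare the manifest of a clean checkout with the one taken from production."""
    base_keys, dep_keys = set(baseline), set(deployed)
    modified = sorted(p for p in base_keys & dep_keys if baseline[p] != deployed[p])
    added = sorted(dep_keys - base_keys)
    removed = sorted(base_keys - dep_keys)
    # Changed or new code files deserve a manual look first: that is where injected
    # checkout-page JavaScript or a PHP backdoor would show up.
    suspicious = sorted(p for p in modified + added if p.endswith(CODE_EXTENSIONS))
    return {"modified": modified, "added": added, "removed": removed,
            "suspicious": suspicious}


if __name__ == "__main__":
    import sys
    # Usage: python check_integrity.py /path/to/clean/checkout /path/to/production/root
    report = diff_manifests(build_manifest(sys.argv[1]), build_manifest(sys.argv[2]))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
```

Run it against a fresh export of the tagged release you deployed; anything under "suspicious" should be explained by a known hotfix or investigated.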

- Password and credentials management. Make sure you do not have:

-- Working FTP, SFTP, SSH or Magento Admin credentials that are no longer needed or used.
-- Active credentials belonging to ex-employees who are no longer in the organization.
-- Credentials that have been sent over insecure methods like email or note-sharing apps.
-- Also set password reset policies: make sure to change sensitive account passwords periodically and use strong, different passwords for each online service you use.


Last but not least, Magento has a dedicated section for security information which is a great help and should be checked periodically. They also offer a newsletter that alerts about security issues; we strongly recommend subscribing to this service.


Sincerely,
ebizmarts Customer Support.
