Six steps to prevent your Magento store from being hacked.

It is commonplace for hackers to target the biggest and the best, and there is no exception here: Magento is the largest open source ecommerce platform in the world. This article is written to show store owners, ecommerce managers, marketing managers and so on that there are more ways of making a store more secure. Everything included below is either free or ultimately a necessity.

Its strength in this respect is also its weakness.

On one hand there are more people developing on it, using it, solving common issues and creating fantastic extensions for us all to benefit from. On the other hand, as its reputation grows so does the ecosystem, the number of Magento stores and therefore the opportunities for people with malicious intentions.

The steps below are not guaranteed to make your store impenetrable. If the Pentagon can be hacked by one individual in his bedroom, any online store is arguably under threat. I don’t believe it would be unfair to assume that the Pentagon has a stronger line of defense than the majority of ecommerce stores.

Where the steps below will help you is against run-of-the-mill hackers, rather than a targeted attack by a specific individual. The most common practice is to crawl the net looking for known weaknesses. For someone who knows what they are doing it is quite simple: a crawler queries hundreds of thousands of sites, identifies which of them are Magento stores, then checks each for known weaknesses, at which point the hacker has a list of stores to target specifically.

Here are your six steps for making your Magento store more secure.

1 – No simple text passwords.

There are ways of cracking passwords and, as you would expect, “Password123” is a bit easier to crack than “98Jjfu!@99u” (this is an example, not my password). Too many people reuse the same password for accounts that protect sensitive information, such as your Magento admin panel. It may seem time consuming to create strong, unique passwords, but it really isn’t. There are plenty of services out there that will let you easily store sensitive passwords for your Magento store and beyond. A couple of examples are LastPass and KeePass: they will store all your passwords in neat folders and you can copy and paste straight from them.

Action points

  • Change your user name to something other than your “name” or “admin”.
  • Install (and use!) a password vault such as KeePass, LastPass or another.
  • Update all passwords to strong, unique passwords.
  • Set up a calendar reminder in your diary to change your admin password.
  • Make sure everyone else is doing the same – you are only as strong as your weakest link.

2 – Check your admin user permission regularly.

To get into your Magento admin panel an intruder will need to create an admin user. If you see anyone in the list that should not be there, it is likely your Magento admin panel has been breached. Check with your team whether anyone knows about it, delete the account and inform your developer.

Action points

  • Set up a calendar reminder to check your admin users every few weeks under System -> Permissions -> Users.
  • Be vigilant: if an account looks suspicious, delete it and inform your developer or whoever is looking after your store.
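The check in step 2 is easier to keep up when you compare the current admin list against the list your team has approved, rather than eyeballing it. The script below is an added example written for this article, not code from the original post or from Magento. It assumes the rows were exported from the Magento 1 `admin_user` table (columns `username`, `email`, `is_active`, `created`, `logdate`) as CSV; the sample export, the approved list and the review date are all constructed for the demonstration.

```python
"""Audit the Magento admin user list against a baseline of approved accounts.

Added example, not code from the original article or from Magento. It assumes
the rows come from a query such as
    SELECT username, email, is_active, created, logdate FROM admin_user;
(column names of the Magento 1 admin_user table) exported to CSV. The sample
rows below are constructed for the demonstration.
"""
import csv
import io
from datetime import datetime, timedelta

# Accounts your team knows about: the baseline you compare against (constructed).
APPROVED_USERS = {"j.hyett", "store.manager", "agency.dev"}

# The date of this review (constructed, fixed so the example is repeatable).
REVIEW_TIME = datetime(2015, 9, 28, 12, 0)

# Constructed sample export; the third row is the kind of account you do not
# want to find: generic name, unknown e-mail domain, created two days ago.
SAMPLE_EXPORT = """username,email,is_active,created,logdate
j.hyett,james@example.com,1,2014-03-01 09:12:00,2015-09-28 08:05:11
store.manager,manager@example.com,1,2014-06-15 10:00:00,2015-09-27 17:40:02
admin,support@example.net,1,2015-09-26 03:14:55,2015-09-26 03:15:30
agency.dev,dev@agency.example,0,2014-03-01 09:20:00,2015-01-10 11:00:00
"""

# Usernames that step 1 of the article tells you not to use.
GENERIC_NAMES = {"admin", "administrator", "root", "test", "magento"}


def parse_export(text):
    """Parse the CSV export into a list of dicts with real datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "email": row["email"],
            "is_active": row["is_active"] == "1",
            "created": datetime.strptime(row["created"], "%Y-%m-%d %H:%M:%S"),
            "logdate": datetime.strptime(row["logdate"], "%Y-%m-%d %H:%M:%S"),
        })
    return rows


def audit_admin_users(rows, approved, now, review_interval=timedelta(weeks=3)):
    """Return a list of (username, reason) findings for a human to act on."""
    findings = []
    seen = set()
    for user in rows:
        name = user["username"]
        seen.add(name)
        if name not in approved:
            findings.append((name, "not in the approved list"))
        if user["created"] >= now - review_interval:
            findings.append((name, "created since the last review"))
        if name.lower() in GENERIC_NAMES:
            findings.append((name, "generic username, rename it"))
        if user["is_active"] and now - user["logdate"] > timedelta(days=180):
            findings.append((name, "active but unused for six months"))
    # An approved account that has vanished is worth a question too.
    for name in sorted(approved - seen):
        findings.append((name, "approved account is missing"))
    return findings


def run_sample():
    """Run the audit over the constructed export with the constructed baseline."""
    return audit_admin_users(parse_export(SAMPLE_EXPORT), APPROVED_USERS, REVIEW_TIME)


if __name__ == "__main__":
    for name, reason in run_sample():
        print(f"{name}: {reason}")
```

Keep the approved list in a file that only your team can edit, and update it whenever an account is legitimately added or removed; the script then only ever reports what has changed since you last looked, which is exactly the question the calendar reminder is there to ask.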

3 – Change the URL of your admin panel and the Magento Connect Manager.

This can be done by an administrator, by your developers or potentially by your hosting provider. When the Shoplift Magento security patch came about you could check whether your store was vulnerable by using one of the many online sites that scanned your store. I probably don’t need to say that this is how simple it is for a hacker to do the same thing… You can also protect your Magento store by changing the access path of the Magento Connect Manager. Changing the Connect Manager’s path protects that point of entry as well.

Action points

  • Before you go and make any changes, make sure you know what you are doing. If not, ask: this is not a large task for someone who knows what they are doing.
  • Change your admin URL from the default to something unique.
  • Change your Magento Connect Manager path.
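Once the change has been made, it is worth having a way to confirm it stuck (a redeploy or a restore from backup can quietly put the defaults back). The script below is an added example for this article, not code from the original post or from Magento. It assumes the Magento 1 layout, where the admin front name is read from `app/etc/local.xml` under `admin/routers/adminhtml/args/frontName` and the Connect Manager lives in the `downloader/` directory; the sample config and the temporary directory tree are constructed for the demonstration.

```python
"""Check that a Magento 1 install no longer exposes the default admin path or
the Magento Connect Manager at its default location.

Added example, not code from the article or from Magento. It assumes the
Magento 1 layout: app/etc/local.xml holds the admin front name under
admin/routers/adminhtml/args/frontName (Magento falls back to "admin" when it
is unset), and the Connect Manager lives in the downloader/ directory. The
sample config and the temporary tree below are constructed for the demo.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed local.xml fragment in the shape Magento 1 uses, still on the default.
LOCAL_XML_DEFAULT = """<?xml version="1.0"?>
<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""


def admin_front_name(local_xml_text):
    """Return the admin front name from local.xml, or None if it is not set."""
    root = ET.fromstring(local_xml_text)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def check_install(magento_root):
    """Return a list of findings for the Magento root at magento_root."""
    findings = []
    local_xml = os.path.join(magento_root, "app", "etc", "local.xml")
    with open(local_xml, encoding="utf-8") as fh:
        name = admin_front_name(fh.read())
    # An unset front name means the default, so treat it the same as "admin".
    if name is None or name.lower() == "admin":
        findings.append("admin panel still served at the default /admin path")
    if os.path.isdir(os.path.join(magento_root, "downloader")):
        findings.append("Magento Connect Manager still reachable at /downloader")
    return findings


def build_sample_install(local_xml_text, with_downloader=True):
    """Create a throwaway directory tree shaped like a Magento 1 root (constructed)."""
    root = tempfile.mkdtemp(prefix="magento-check-")
    os.makedirs(os.path.join(root, "app", "etc"))
    with open(os.path.join(root, "app", "etc", "local.xml"), "w", encoding="utf-8") as fh:
        fh.write(local_xml_text)
    if with_downloader:
        os.makedirs(os.path.join(root, "downloader"))
    return root


if __name__ == "__main__":
    # Against the constructed default install this prints two warnings.
    for finding in check_install(build_sample_install(LOCAL_XML_DEFAULT)):
        print("WARNING:", finding)
```

Point `check_install` at the real document root on the server (after clearing it with whoever looks after the store) and run it from the same calendar reminder as the admin-user check; an empty result means both defaults are still changed.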

4 – Always install the security patches.

I can appreciate why this seems like a waste of money to many people; it is seen as a dead cost. The reality is that it could be the best investment you make: the true value of having the Magento security patches installed is based on how much damage someone could do if they gained access to your store. When Magento tells the community where to install a patch, it is also telling people where the vulnerability is. This means anyone with malicious intentions who did not know where the vulnerability was finds out at the same time you do, if not before. Whilst many of the patches were arguably found by Magento, it cannot be assumed that a community that does not have your best interests at heart didn’t know about them beforehand. Make sure whoever is installing the patches is also checking the store for anything suspicious.

Action points

  • Install every Magento security patch as soon as it is released; the longer it waits, the longer the vulnerability it describes is open.
  • Make sure whoever installs the patches also checks the store for anything suspicious.

5 – Whitelist known IP addresses.

Arguably this is the best way to protect your Magento admin site. However, it requires some work from someone who knows what they are doing and should be cleared with your hosting partner. By whitelisting a select group of IP addresses you are saying that you will only allow access to the admin panel from the machines that reach the site using those IPs. The downside is that if you need to access your admin panel from somewhere other than, say, your office, you will not be able to. You will not be able to whitelist your IP address if you have a dynamic IP address (your IP changes). However, if you do have static IPs and you can live with accessing your admin panel from set locations, then in my opinion it should be considered.

Action points

  • Consider the pros and cons.
  • Check that you have static IP addresses at the locations from which you want to access the Magento admin panel.
  • Speak to your developer and/or host about whitelisting (restricting the IPs that can access the admin panel).
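The whitelist itself is a short piece of web-server configuration, and the mistakes that matter are in the list of addresses (a typo in a range, or a range that matches everyone) rather than in the rules. The script below is an added example written for this article, not code from the original post, from Magento or from any hosting provider. It assumes a Magento 1 store routed through `index.php`, so both `/<frontname>` and `/index.php/<frontname>` are covered, and it assumes the web server sees the visitor’s real address in `REMOTE_ADDR`; the addresses used are RFC 5737 documentation ranges standing in for real office and VPN addresses, and the front name `backoffice` is a placeholder.

```python
"""Generate the admin-path IP restriction for Apache and nginx from a list of
static addresses, checking the list for mistakes first.

Added example, not code from the article, from Magento or from any hosting
provider. It assumes a Magento 1 store routed through index.php (so both
/<frontname> and /index.php/<frontname> are covered) and a web server that
sees the visitor's real address in REMOTE_ADDR, which is not the case behind
a CDN or reverse proxy. The addresses below are RFC 5737 documentation
ranges standing in for real office and VPN addresses (constructed).
"""
import ipaddress
import re

# Constructed allowlist: one office address and one small VPN range.
SAMPLE_ALLOWLIST = ["203.0.113.10", "198.51.100.0/28"]


def validate_allowlist(entries):
    """Return ip_network objects for the entries, refusing the mistakes that
    would quietly open the panel to everyone or to the wrong machines:
    unparsable entries, a range with host bits set (a typo), or a /0."""
    networks = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"{entry!r} is not a valid IP address or CIDR range") from exc
        if net.prefixlen == 0:
            raise ValueError(f"{entry!r} matches every address; refusing")
        networks.append(net)
    return networks


def rejects(entry):
    """True if validate_allowlist refuses the single entry (used to show the checks)."""
    try:
        validate_allowlist([entry])
    except ValueError:
        return True
    return False


def apache_htaccess(networks, front_name):
    """mod_rewrite rules that answer 403 for the admin path unless REMOTE_ADDR
    is listed. Ranges are expanded into the regex, so keep them small; the
    regex form works on Apache 2.2 and 2.4 alike."""
    hosts = [str(addr) for net in networks for addr in net]
    if len(hosts) > 256:
        raise ValueError("allowlist expands to too many addresses for a regex rule")
    pattern = "|".join(re.escape(host) for host in hosts)
    return "\n".join([
        "RewriteEngine On",
        f"RewriteCond %{{REQUEST_URI}} ^/(index\\.php/)?{re.escape(front_name)}(/|$)",
        f"RewriteCond %{{REMOTE_ADDR}} !^({pattern})$",
        "RewriteRule ^ - [F,L]",
    ])


def nginx_location(networks, front_name):
    """The same restriction as an nginx location block; nginx takes CIDR
    directly. A regex location takes over the request, so it must still hand
    the request to PHP the way the rest of the site does: the placeholder
    comment must be replaced with the host's existing handler lines."""
    lines = [f'location ~ "^/(index\\.php/)?{re.escape(front_name)}(/|$)" {{']
    lines += [f"    allow {net.with_prefixlen};" for net in networks]
    lines.append("    deny all;")
    lines.append("    # ... your existing try_files / fastcgi handling goes here ...")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = validate_allowlist(SAMPLE_ALLOWLIST)
    print(apache_htaccess(nets, "backoffice"))
    print()
    print(nginx_location(nets, "backoffice"))
```

Two caveats go with the output. If the store sits behind a CDN or a reverse proxy, `REMOTE_ADDR` is the proxy’s address and the rule will either lock everyone out or let everyone in; the host then has to take the client address from the proxy’s forwarding header, and only from a proxy it trusts. And the regex in the Apache rule is the reason the script refuses ranges with host bits set: `203.0.113.10/28` is almost always a typo for either the single address or the `.0/28` range, and the two whitelist very different sets of machines.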

6 – Consider other points of contact with your store e.g. a WordPress blog.

Many people have a WordPress blog attached to their Magento store for a variety of reasons: you came from a WordPress site, there was no Magento blog available at the time of the build, the task of migrating posts was daunting, and so on. WordPress is arguably not as secure as Magento, but not necessarily because of the platform: WordPress’ primary function is content, and it does not hold the sensitive information that Magento holds. Many choose not to upgrade WordPress because it becomes an afterthought, is not considered a security risk, or they don’t understand the threat.

It has been well documented that hackers have used brute force to get into Magento stores via WordPress, by compromising the blog and obtaining access to the server. If you have a WordPress blog attached to your store, you should be mindful that if it is on the same server, access could be obtained to Magento via WordPress. The same goes for any other system or third-party solution that shares space on the server.

Action points

  • Be aware of all points of contact.
  • If you are running a WordPress blog, do not forget about it: keep it up to date, as updates will include important security fixes.
  • Consider a fully integrated Magento blog.

Lastly, although it didn’t earn a place as number 7… be kind and be nice. You never know who you are dealing with or what they are capable of; it could be a disgruntled customer, an ex-employee or even a random stranger. In fact, the majority of attacks are scripted and in no way personal: they are mindless, malicious and damaging. It is, however, better not to invite an emotive attack, so remember: keep safe and keep smiling.

James Hyett
Commercial Director
Vortex Commerce (Magento Specialist)