Magento Security Practices and Precautions
Security is a key component of any website, and especially of an ecommerce site, where you hold customers' personal details, payment card details and more. A website owner and their customers can face many issues during the life cycle of an ecommerce website. Magento is one of the most popular ecommerce platforms, and that popularity is one of the biggest reasons it is a prime target for attackers.
Magento and its developers continuously work on fixing and enhancing security, and release security patches regularly to keep the Magento platform secure and healthy.
But it is also an important responsibility of the site admin or development team to keep the store safe from these attacks. In this article we give you some advice that can help you make your store more secure.
Change Your Admin Password Regularly
You should change the admin password regularly to make sure it has not been leaked to anyone and is always fresh. Also make it a strong password, combining letters, numbers, special characters and upper and lower case. It should be tough to guess. Not like your wife's name: marry123
Change Password in Magento 1:
In Magento 1, follow these steps to change your admin password:
Step 1. Log into your Magento admin panel.
Step 2. Navigate to the System > My Account tab.
Step 3. On the Account Information tab, fill in the new password and click the Save Account button.
And that's done, you have changed your password successfully.
If you are not able to do the above through the admin panel, there is an alternative: it can be done from the database. This is not recommended unless you are a database admin.
Step 1. Open the database.
Step 2. Find and open the “admin_user” table.
Step 3. Click edit for the user you want to change.
Step 4. Enter the new password, choose MD5 from the function dropdown for the password column, and click the “Go” button.
Your password has been saved. Note that a hash written this way is a plain MD5 hash, so once you can log in again, change the password once more from the admin panel so that Magento stores it with its own salted hash.
Change Password in Magento 2:
In Magento 2, follow these steps to change your admin password:
Step 1. Open the admin panel.
Step 2. Go to System > All Users (under Permissions).
Step 3. Click the user in the list.
Step 4. Fill in the new password and click Save User.
And done, the admin password has been changed.
As a security best practice, use a unique, custom admin URL instead of the default “admin” (Magento 1) or admin_XXXX (Magento 2), or the often-used “backend”. Although this will not by itself protect your site from a determined attacker, it reduces exposure to automated scripts that scan for the standard Magento admin paths and try to break in.
How to change admin path in Magento 2
There are several ways to change the admin URL path in Magento 2: through the CLI, through the admin interface, or by modifying the env.php file on the server. Each is explained below:
Changing through CLI:
Changing the value directly in app/etc/env.php is not recommended; always prefer the CLI:
php bin/magento setup:config:set --backend-frontname="admin_path"
Do not add a leading / to admin_path, as it will result in an invalid parameter exception.
Once done, update the URL in the admin as well. This can be done under Store > Advanced Tab > Admin Base URL section.
Changing through env.php (quick method):
Edit app/etc/env.php and set frontName to the URL path you want:
    'backend' => array(
        'frontName' => 'admin', // put your custom admin path here
    ),
After changing the URL, you must delete the var directory from the Magento root so that the cached configuration is regenerated.
Now the admin URL should look like http://your_website.com/admin (with your custom path in place of “admin”).
Changing through the admin interface:
Go to the Magento admin > Store > Advanced > Admin Base URL.
If you want to change the full admin URL: set the Use Custom Admin URL field to Yes, then enter the Custom Admin URL you want.
Note: Make sure that the base URL ends with '/' (slash), e.g. http://your_website.com/magento/
If you want to change only the admin path: set Use Custom Admin Path to Yes, then enter the Custom Admin Path you want.
Safe Protocol: Your website or storefront should use “https” instead of “http”. This gives your website additional security by encrypting the traffic between the customer and your store.
Keep Checking for Signs of Attacks:
You should constantly check for signs of attack on your site. This allows you to take appropriate action when needed to secure your Magento platform.
You can achieve this by:
Reviewing the server logs for any suspicious activity
Using a file and data integrity checking tool to get notified of any potential malware installation
Auditing the Magento core files, as core files should never be edited
Using automated log review tools such as Apache Scalp
Monitoring and keeping an eye on all system logins
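As an added example (not from the original article and not a Magento tool), the following Python script shows the kind of server-log review described above: it reads Apache/Nginx combined access-log lines and flags clients that probe the default Magento admin paths after the admin URL has been renamed, as well as clients that repeatedly POST to the real admin login without being logged in. The custom admin path, the threshold and the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access log line: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Default Magento entry points. After the admin path has been renamed, nothing
# legitimate should request these, so any hit is a scanner fingerprinting the store.
DEFAULT_ADMIN_PATHS = ("/admin", "/index.php/admin", "/downloader")


def analyse(lines, custom_admin="/secure_backend_7f2a", post_threshold=5):
    """Return (probes, brute_force): per-IP counts of default-path probes, and the
    IPs that POSTed to the real admin path at least post_threshold times without
    being redirected. Assumption (not from the article): a failed admin login
    re-renders the form with HTTP 200, while a successful login redirects with 302."""
    probes = defaultdict(int)
    failed_posts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # garbled or truncated line; skip rather than crash
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        if any(path == p or path.startswith(p + "/") for p in DEFAULT_ADMIN_PATHS):
            probes[m["ip"]] += 1
        elif m["method"] == "POST" and path.startswith(custom_admin) and m["status"] == "200":
            failed_posts[m["ip"]] += 1
    brute_force = {ip: n for ip, n in failed_posts.items() if n >= post_threshold}
    return dict(probes), brute_force


# Constructed sample log (not real traffic): one scanner, one legitimate admin
# who logs in successfully, and one client guessing passwords six times.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /admin HTTP/1.1" 404 1234 "-" "python-requests/2.22"',
    '203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /downloader/ HTTP/1.1" 404 1234 "-" "python-requests/2.22"',
    '203.0.113.7 - - [10/Oct/2019:13:55:38 +0000] "GET /index.php/admin/?x=1 HTTP/1.1" 404 1234 "-" "python-requests/2.22"',
    '192.0.2.5 - - [10/Oct/2019:14:05:30 +0000] "POST /secure_backend_7f2a/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [10/Oct/2019:14:01:{s:02d} +0000] "POST /secure_backend_7f2a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for s in range(6)
]

if __name__ == "__main__":
    probes, brute_force = analyse(SAMPLE_LOG)
    print("default admin path probes:", probes)       # {'203.0.113.7': 3}
    print("possible admin brute force:", brute_force)  # {'198.51.100.9': 6}
```

Feed it real log lines with `analyse(open("access.log"))` and set custom_admin to your renamed path; tune post_threshold to the number of failed logins your own admins plausibly produce.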
Keep Applying Security Patches or Upgrade Your Store to the Latest Version:
In Magento 2, development of the Magento application is continuous: security patches, new features and other updates arrive on a very regular basis. You should look out for these updates and upgrade your store whenever a new version is released.
If you are using Magento 1, our suggestion is to upgrade and migrate your site to Magento 2, as Magento will discontinue security patches and any other updates for Magento 1 after June 2020.
The latest release, Magento 2.3, brings a bucket-load of new features that promise to fill gaps, enhance performance and tighten security. Below we discuss the new security features loaded into the latest Magento 2.3.0.
Magento 2.3 New Security Features:
1. PHP 7.2 support: Magento 2.3 supports PHP 7.2. This enhances performance and adds new features to Magento 2.3, and also brings PHP's own security improvements.
2. Google reCAPTCHA: Google reCAPTCHA is a free service offered by Google to protect a website. It can be used on the admin and customer login pages, the registration page, the contact form and the forgot-password page. It has built-in detection of malicious and spam activity.
This feature is now built in to Magento 2.3, whereas with previous Magento versions it had to be added explicitly. So this is one more enhancement provided by Magento 2.3, the latest version of Magento 2.
3. Cache management ACL: Cache management is an important aspect, and the latest update of the Magento 2 series has you covered. Its cache management ACL provides fine-grained admin control through which you assign access to view and delete store caches, preventing accidental changes from affecting the performance of your Magento store.
4. Two-factor authentication: Apart from Google reCAPTCHA, Magento 2.3 has another layer of protection: two-factor authentication. To use it, a user enters their username and password, and then must provide a second piece of information, such as a code supplied by the Google Authenticator app, to gain access to the website.
It supports three methods: Google Authenticator, Duo Security and Authy. It helps protect your Magento admin panel from malicious attempts to gain access.
5. All-new encryption and decryption: Encryption and decryption are now handled by the sodium library; the PHP encryption module ‘mcrypt’ is removed and Magento migrates to Libsodium for password hashing.
So, with all of this in mind, we must say that with each new version Magento 2 is becoming more secure, and we need to keep our store updated continuously to maintain a secure environment.
If your store is on Magento 1, you can at least apply the security patches provided by Magento; however, as already mentioned, support for Magento 1 ends in June 2020, so it is wise to upgrade the store to the latest Magento 2 version.