How to Protect Your Magento Website from Being Hacked

Read about all of the different ways you can protect your Magento site from hackers. Peacock Carter are Magento experts with years of experience.

by Peter Wright.

One thing all ecommerce managers worry about is hacking. Hackers pose a huge potential danger to your website, as well as to your brand. And once trust in your brand is gone, it can be impossible to get back. As Magento is the most popular platform for ecommerce sites (over 250,000 retailers use the platform), we thought we’d write a helpful guide on how to protect your Magento site from hackers. Here at Peacock Carter, we’re Magento experts, and we’d like any of our clients and readers to benefit from this. If you follow our advice, your Magento website is much more likely to remain safe and secure from hackers.

Use well-known, trusted extension developers

One of the best features of Magento is that its extensions allow you to make all kinds of customisations to your site, and there are countless developers who make their living by building useful Magento extensions. However, there are many different extension sources, and some of them introduce weaknesses that give hackers a way in. When you decide to add a new function to your site, look for trusted developers. If you’re unsure whether you can trust them, look around for reviews or give them a call. Make sure that the developer uses interceptors or observers instead of class rewrites.
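As an added example (not code from the original post or from Peacock Carter), here is the shape of a Magento 2 module that changes core behaviour with an interceptor (plugin) and an observer rather than a class rewrite. The module name Acme_ProductLabel, the class names, the custom attribute acme_label and the log message are all assumptions made for this illustration; the XML that wires the classes up is shown as comments so the whole example fits in one file.

```php
<?php
// Added example, not code from the original post or from Peacock Carter.
// Vendor/module "Acme_ProductLabel", the class names and the "acme_label"
// attribute are assumptions made for illustration.
//
// etc/di.xml  -- attaches the plugin to the core class. The core class is untouched,
//                and several extensions can plug into the same method, ordered by sortOrder.
//
//   <type name="Magento\Catalog\Model\Product">
//       <plugin name="acme_product_label" type="Acme\ProductLabel\Plugin\ProductNamePlugin" sortOrder="10"/>
//   </type>
//
// etc/events.xml -- subscribes the observer to a core event.
//
//   <event name="catalog_product_save_after">
//       <observer name="acme_product_label_log" instance="Acme\ProductLabel\Observer\LogProductSave"/>
//   </event>
//
// Compare with the class rewrite the post warns against: a <preference> swaps the
// entire core class for your copy, so you now own every line of it, core patches no
// longer reach it, and a second extension rewriting the same class conflicts outright.
//
//   <preference for="Magento\Catalog\Model\Product" type="Acme\ProductLabel\Model\Product"/>

declare(strict_types=1);

// app/code/Acme/ProductLabel/Plugin/ProductNamePlugin.php
namespace Acme\ProductLabel\Plugin {

    use Magento\Catalog\Model\Product;

    class ProductNamePlugin
    {
        /**
         * "after" interceptor for Product::getName(). Magento passes the original
         * object and the value the original method returned; what we return replaces it.
         */
        public function afterGetName(Product $subject, $result)
        {
            $label = $subject->getData('acme_label');
            if (!is_string($result) || $label === null || $label === '') {
                return $result;    // leave anything we do not understand alone
            }
            return $result . ' [' . $label . ']';
        }
    }
}

// app/code/Acme/ProductLabel/Observer/LogProductSave.php
namespace Acme\ProductLabel\Observer {

    use Magento\Framework\Event\Observer;
    use Magento\Framework\Event\ObserverInterface;
    use Psr\Log\LoggerInterface;

    class LogProductSave implements ObserverInterface
    {
        private LoggerInterface $logger;

        public function __construct(LoggerInterface $logger)
        {
            $this->logger = $logger;    // injected by Magento's object manager
        }

        /**
         * Runs whenever a product is saved. The event carries the product object;
         * we only read from it, so the core save path is unchanged.
         */
        public function execute(Observer $observer): void
        {
            $product = $observer->getEvent()->getData('product');
            if ($product instanceof \Magento\Catalog\Model\Product) {
                $this->logger->info(sprintf('Product %s saved', $product->getSku()));
            }
        }
    }
}
```

When you review a third-party extension, the quickest check is to look in its etc/di.xml for `<preference>` entries that target core classes: a plugin or observer leaves the core class in place and survives the next core patch, whereas a rewrite has to be re-checked against every patch you apply.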

Create complex passwords and usernames that are impossible to guess

This perhaps sounds too obvious, but weak passwords and generic usernames are very often the reason a website is hacked. With so many passwords to remember, it’s tempting to make them simple enough to remember. Do not do this. Instead, make complicated passwords that mix upper- and lower-case letters with numbers. If you make a note of your passwords, then you won’t forget them – and the fact that you’re making a note will allow you to make your password complex enough that no one will ever guess it. The same goes for usernames.

Apply Magento core patches as soon as they are available

It’s important to always keep your Magento core up to date. If a new patch comes out, download and apply it straight away. It’s also important to be aware of any themes or extensions that need to be updated manually. Doing this ensures that your core and extensions are fully up to date and that there aren’t any weak points for hackers to exploit.

Do not use ‘/admin’ for your admin URL

A hacker cannot even attempt to guess your usernames and passwords if they can’t work out your admin URL. So many Magento websites use /admin, i.e. website.com/admin. However, there is no reason for this to be the URL, and making it so just makes it as easy as possible for hackers to find it and begin trying out various passwords and usernames. It’s also a good idea to restrict your admin URL and other key areas of your site to a whitelist of trusted IP addresses. Obviously, this could make it awkward if you move around a lot and need access to your admin account when travelling, but it stymies any hackers trying to get in through your admin page. And even if they manage to figure out or find your admin URL, you’ve delivered a clear message to them: it is going to be VERY hard and take a LONG time to hack into my site; you might as well give up!
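An added example, not from the original post or from Peacock Carter: the relevant fragment of a Magento 2 app/etc/env.php (a PHP file that returns the site's configuration array; Magento 1 keeps the equivalent setting in app/etc/local.xml), with the default setting shown beside a hardened one. The front name value is a made-up placeholder, and the fragment belongs inside your existing return array rather than replacing the file.

```php
<?php
// Added example, not the post's own code: a fragment of Magento 2's app/etc/env.php.
// Merge the 'backend' key into your existing array; the rest of the file (database
// credentials, crypt key, cache settings) is omitted here.
//
// Weak setting, which is what most installs ship with: the admin panel answers at /admin,
// so anyone can find the login form and start guessing credentials.
//
//   'backend' => [
//       'frontName' => 'admin',
//   ],
//
// Hardened setting: an unguessable path. Keep it to letters, digits and underscores,
// and record it somewhere safe, because there is no "forgot my admin URL" link.
return [
    'backend' => [
        'frontName' => 'mgmt_7k2pq9xw',   // placeholder; generate your own random value
    ],
];
```

After editing, `php bin/magento info:adminuri` prints the live admin URL, and `php bin/magento setup:config:set --backend-frontname=<name>` makes the same change without hand-editing the file. The IP whitelist the post recommends is not a Magento setting: apply it in the web server configuration in front of the admin path (nginx `allow`/`deny` directives, or Apache `Require ip`), so that requests from other addresses never reach PHP at all.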

Lock down file permissions

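As an added example (not code from the original post or from Peacock Carter), a small PHP audit script that lists every file or directory under a Magento root that is world-writable or carries a setuid/setgid bit, which are the first things to remove when locking down permissions. The default path /var/www/magento is a placeholder; pass your own document root as the first argument.

```php
<?php
// Added example, not the post's own code: walk a Magento document root and report
// entries whose permissions are looser than they should be. The default root path
// is a placeholder.
declare(strict_types=1);

/**
 * Returns a map of path => description for every entry that is world-writable
 * (the "other" write bit, 0002), setuid, or a setgid file. Setgid on directories
 * is left alone because it is commonly used to keep group ownership consistent.
 */
function findLoosePermissions(string $root): array
{
    $problems = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ($iterator as $path => $info) {
        $mode = $info->getPerms();          // full st_mode, including type bits
        $reasons = [];

        if ($mode & 0002) {
            $reasons[] = 'world-writable';
        }
        if ($mode & 04000) {
            $reasons[] = 'setuid';
        }
        if (($mode & 02000) && $info->isFile()) {
            $reasons[] = 'setgid';
        }

        if ($reasons !== []) {
            $problems[$path] = sprintf('%04o %s', $mode & 07777, implode(', ', $reasons));
        }
    }

    ksort($problems);
    return $problems;
}

$root = $argv[1] ?? '/var/www/magento';   // placeholder default
foreach (findLoosePermissions($root) as $path => $why) {
    echo "$why\t$path\n";
}
```

Run it as the web server user or root so every directory is readable, and rerun it after deployments: a release script that extracts an archive with the wrong umask is the usual way world-writable files reappear.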

We hope this blog post helps you protect your Magento site from hackers. If you have any worries about your Magento site’s security, you can use magereport.com. It gives you a security status report for your ecommerce site. However, if you’d like to take your website’s security to the next level, as well as work on customising it in other ways, then please get in touch with Peacock Carter today.