Magento security: what hacker attacks to expect and what safety measures to take
Just like people take health for granted until it is good, merchants may start taking Magento security seriously only when they face an issue and experience its dire consequences. That’s a bad example to follow, so we hurry with a preventive plan. With this article, we aim to show that the security of an ecommerce solution is the key to a business operating properly. While depicting a broad picture of Magento security, we will focus on:
- Hacker attacks likely for ecommerce companies
- Magento security patches as a must-have safety measure
- A set of techniques for enhanced security
- Magento security testing
To show potential outcomes of a weak security policy rather than to frighten, we start with a list of possible cybercrimes against online retailers.
For ecommerce companies, phishers represent a double threat. Firstly, they can target staff members with personal or work-related malicious emails to hack a company. All it takes is one employee installing malware negligently and it seamlessly spreads over the network. Alternatively, criminals can exploit the customer database a company stores to increase the “target audience” of their attacks. If they have managed to hack a webstore and steal customer data, they have thousands of new emails at hand for their ill-intentioned activities.
Administrator account takeover, data leakage, identity theft, and financial losses due to remedy activities are among serious consequences of phishing attacks for online retailers.
Ecommerce companies can’t risk the security and integrity of customer sensitive data they process and store. This makes them an appealing target for ransomware criminals who will likely have such a company pay a ransom to save reputation and customer trust. A typical scenario of a ransomware attack unfolds in three steps: malicious actors install ransomware, block access to information for users and demand a ransom. As a rule, the situation is aggravated with strict time limits within which the money should be paid.
A ransomware attack threatens retailers with disruption of web store operation, customer sensitive information at risk of destruction or disclosure, and financial losses resulting from ransom payment.
A Denial of Service (DoS) attack overwhelms the server with traffic so that it is not capable of processing a raft of requests and goes out of order. Though not involving information theft or unauthorized access to system control, this kind of intrusion comes at a high cost for merchants. While settling the issue they lose revenue as the web store is unavailable for customers.
Hacking an ecommerce admin panel
If hackers succeed in breaking into the admin panel, they get direct access to the information stored in there, which poses critical financial and identity theft risks for customers. Having taken over administrator privileges, they get illicit control over the store operation and can interfere into catalog management, pricing, promotions, customer communication, etc.
Hackers can exploit a malicious code to redirect visitors from an online store to a targeted website, thus grabbing traffic fraudulently. The problem might seem a minor one if compared, say, to data theft. However, it is rife with such serious consequences for ecommerce businesses as affected SEO rankings, loss of customer trust, and damaged reputation.
Cybercriminals can also jeopardize the reputation of a company if they hack its mail server and send spam emails on its behalf. As opposed to spoofing, when spammers just disguise messages as being from legitimate companies, in this case emails feel credible and are not identified by spam filters. It will be hardly possible to win customers back after the online store has compromised itself in such a way.
Providing the highest possible security level for an ecommerce platform is in the best interests of its vendors. The Magento development team does a good job here. They continually audit the security of the application and encourage the Magento community to report detected vulnerabilities. Once a system weakness has been identified, the team comes up with a security patch to fix it. The patch comes in the form of a self-installing script.
While the Magento team does their best to release security patches as soon as possible, installing them timely is a responsibility of an ecommerce company. In fact, the time is critical here as patch releases are publicly announced in Magento Security Center, so criminals can also monitor these updates and know what vulnerabilities are to be fixed. With this knowledge, they can start looking for unpatched Magento installations to target.
As Magento security patches address only detected vulnerabilities, they can’t ensure the highest level of protection. Merchants need a much more complex approach to stand guard over the security of their storefront. We have prepared a list of aspects one should focus on to stay calm about their Magento installation.
1. Safe environment. Prioritizing the security of the environment is one of the most valuable recommendations we can give.
- With the Apache web server, Magento uses .htaccess files to safeguard system files. Using a different server calls for additional checking of their protection. For example, the recommended Nginx configuration sample is available in Magento 2 codebase (nginx.conf.sample).
- Only secure communication protocols like SSH, SFTP or HTTPS are appropriate for managing the files.
- One needs to restrict access to cron.php file.
2. Protected file system. Magento allows limiting access to production mode to prevent unauthorized interference. Administrators should set file system permissions with umask.
3. Protected admin panel. There is a set of preventive steps ecommerce website administrators can take to cut off access to the admin panel of the web store. They should:
- Change the admin login path from the default “admin” or “back end” to a custom one.
- Set user permissions to personalize access to the information.
- Use a two-factor authentication extension to protect access with security code generated by the admin’s smartphone.
- Whitelist specified IPs.
- Generate a strong password and change it regularly.
4. Reliable extensions. Aiming to expand Magento functionality, merchants turn to ready-made extensions. The problem is that their quality can hit Magento security really hard. Merchants can save themselves from possible issues outsourcing Magento support services to a competent team who will audit and evaluate the quality of extensions.
5. Incident response plan. A good understanding of how to behave if a website was compromised gives merchants a head start in dealing with consequences. The first two steps they need to make before determining the nature of the attack are blocking access and backing up the website so that criminals could not continue the intrusion or remove the evidence.
Our security picture for Magento-based web stores would be incomplete if we didn’t mention the importance of regular security check-ups. Even with multiple security measures they take, retailers need expert assessment of how effectively their business is protected from cybercriminals. Here are the methods they can use.
- Security audits. Magento offers free Security Scan Tool to early identify potential vulnerabilities (like missing security patches or configuration issues). Not only retailers get a security status report for their website but benefit from suggested remediation actions.
- Penetration testing. This technique is an excellent opportunity for retailers to experience an intruder attack on their company and yet to avoid its negative consequences. A penetration testing team will attempt to attack a Magento application, the company server and network, and other potential points of exposure to detect possible security gaps and outcompete real hackers in exploiting them.
To sum it up
Staying responsible for customer private data, ecommerce players can’t afford being carefree about security. Magento does its best to promptly cover detected gaps with patches but only a multifaceted approach to security can prevent criminals from breaking into your web store. We hope that the outlined the plan on how to minimize the risk of hacking will help to keep your business out of danger.