Almost everything in a Magento online store can be managed from the admin panel, and as such it is generally the first point of call for an attacker seeking to gain access to privileged information. Below is a series of guidelines for securing your site’s admin interface.
Configure a custom admin path
Many automated attacks written for Magento specifically probe the /admin path of your site and try to guess the admin credentials. If guessed correctly, the attacker gains access to the site’s admin panel. Changing the backend URL from the default <yourshop.com.au>/admin to something unrelated or random is one way of defeating this approach. This path is defined as frontName in your <Magento webroot>/app/etc/local.xml file. It should be a word that is difficult to guess, or a randomly generated string. Examples of names you should not use are ‘2016’, ‘backend’ or ‘office’.
An excerpt from your typical local.xml file, and what this change would look like:
Default:

    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>

After the change:

    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[taters]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
Obscuring the backend URL is not enough on its own, however; the further measures below should also be implemented to properly secure your online store.
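As an added example (not part of the original article), a small Python script that reads the frontName from a Magento 1 local.xml, flags values that are easy to guess, and generates a random replacement. The sample XML and the list of weak names are constructed here from the examples above.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed excerpt of a stock Magento 1 app/etc/local.xml (only the <admin> block)
SAMPLE_LOCAL_XML = """<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>"""

# The Magento default plus the kinds of names the article warns against (constructed list)
WEAK_FRONT_NAMES = {"admin", "backend", "office", "2016"}


def read_front_name(local_xml: str) -> str:
    """Return the admin frontName configured in a local.xml document."""
    node = ET.fromstring(local_xml).find("./admin/routers/adminhtml/args/frontName")
    if node is None or not (node.text or "").strip():
        raise ValueError("no admin frontName configured")
    return node.text.strip()


def front_name_problems(front_name: str, min_length: int = 12) -> list:
    """List reasons a frontName is easy to guess; an empty list means it passes."""
    problems = []
    if front_name.lower() in WEAK_FRONT_NAMES:
        problems.append("matches the default or a commonly guessed name")
    if len(front_name) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if front_name.isdigit():
        problems.append("digits only (years and dates are guessed early)")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", front_name):
        problems.append("contains characters that are not URL-path safe")
    return problems


def random_front_name(length: int = 16) -> str:
    """Generate a random lowercase alphanumeric frontName using the secrets module."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    current = read_front_name(SAMPLE_LOCAL_XML)
    print(current, front_name_problems(current))
    print("suggested replacement:", random_front_name())
```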
Use secure credentials
Having configured a custom admin path, it may still be possible for an attacker to find your admin panel URL. It is crucial to have a strong password (and username) that is easy for you to remember but difficult for an attacker to guess. Good credentials will adhere to at least the following guidelines. Passwords:
- should not be reused elsewhere.
- should not use dictionary words.
- should be of a reasonable length.
- should include special characters.
- should be changed at regular intervals.
Restrict Admin Panel access by IP address
An additional way to increase the security of your Magento back-end is to restrict access to specific IP addresses. This can be done with a simple modification to the site’s .htaccess file within your web root directory. Before implementing this measure, confirm with your ISP that your home or office internet connection has a static (unchanging) IP address; otherwise you may lock yourself out. See below for an example of what this would look like in your .htaccess file. Change adminPathHere in the first condition to your admin backend path, and change the my.ip.addr.ess placeholder in the second condition to the remote IP address to be granted access. You can then copy that line multiple times (updating the IP each time) to allow additional IP addresses through to the admin URL.
# These rules assume RewriteEngine On is already set, as it is in Magento's stock .htaccess.
# Conditions are ANDed: the request must be for the admin path AND come from none of the
# allowed addresses. (Do not add the OR flag to the first line, or admin requests from your
# own address are redirected too, and front-end visitors from other addresses are locked out.)
RewriteCond %{REQUEST_URI} ^/(index\.php/)?adminPathHere/ [NC]
# Write each allowed address with its dots escaped and a trailing $, e.g. !^203\.0\.113\.10$
# Without the $, 203.0.113.1 would also admit 203.0.113.10 through 203.0.113.199.
RewriteCond %{REMOTE_ADDR} !^my\.ip\.addr\.ess$
RewriteCond %{REMOTE_ADDR} !^another\.ip\.addr\.ess$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
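As an added example (not the article's own), a Python helper that generates the rules above for a list of allowed addresses, escaping and anchoring each one, together with a small evaluator that applies the conditions the way mod_rewrite does so the result can be checked before touching the live .htaccess. The admin path and the addresses used are constructed.

```python
import ipaddress
import re


def build_admin_ip_rules(front_name: str, allowed_ips) -> str:
    """Return .htaccess rules that redirect admin requests from non-allowed IPs.

    Every address is validated, its dots are escaped so they match only a dot,
    and the pattern is anchored with $ so 203.0.113.1 does not also admit 203.0.113.10.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", front_name):
        raise ValueError("frontName must be a single URL-safe path segment")
    if not allowed_ips:
        raise ValueError("at least one allowed address is needed or you lock yourself out")
    # Conditions are ANDed: the request must be for the admin path AND come from no allowed IP
    lines = [rf"RewriteCond %{{REQUEST_URI}} ^/(index\.php/)?{re.escape(front_name)}/ [NC]"]
    for ip in allowed_ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError for a malformed address
        lines.append(rf"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(str(addr))}$")
    lines.append("RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]")
    return "\n".join(lines)


def request_redirected(rules: str, request_uri: str, remote_addr: str) -> bool:
    """Evaluate the generated conditions as mod_rewrite would: all must hold for the rule to fire."""
    conditions = re.findall(r"RewriteCond %\{(\w+)\} (!?)(\S+)", rules)
    values = {"REQUEST_URI": request_uri, "REMOTE_ADDR": remote_addr}
    for variable, negated, pattern in conditions:
        # Only the URI condition carries the [NC] flag in the generated rules
        flags = re.IGNORECASE if variable == "REQUEST_URI" else 0
        matched = re.search(pattern, values[variable], flags) is not None
        if matched == bool(negated):  # this condition does not hold, so the rule does not fire
            return False
    return True


if __name__ == "__main__":
    rules = build_admin_ip_rules("taters", ["203.0.113.10", "2001:db8::1"])
    print(rules)
    print(request_redirected(rules, "/taters/", "198.51.100.7"))  # True: redirected away
```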
Ensure your site has a valid SSL certificate
SSL certificates encrypt information as it travels between visitors and the server. SSL is required if you accept credit cards on site, and is advisable in all cases where clients enter information or log in to a store. You can read more on SSL itself in this Knowledge Base article: https://www.mdg-it.com.au/manage/knowledgebase/56/SSL-certificate-setup.html If your site has a valid SSL certificate, you can ensure the security of your clients’ shopping sessions, meaning data sent to and from the server cannot be eavesdropped on by a third party. With a simple configuration change you can, using the same certificate, ensure that your own sessions to the admin panel are encrypted as well.
Once the SSL certificate is installed on your site, this is a fairly straightforward process. From the Admin Panel, go to System > Configuration > General > Web.
Scroll down to the Secure section, and ensure that the URL in the Base URL field starts with ‘https’ as opposed to ‘http’. Scrolling down, make sure that both Use Secure URLs in Frontend and in Admin are set to Yes.
Keep Magento and all extensions up to date
Keeping Magento and any installed extensions up to date with official patches is one of the most important security measures; these security patches are vital to keeping your online store(s) safe from common code vulnerabilities, exploits, and automated attacks. M.D.G. IT attempts to automatically apply security patches to all stores on our shared hosting service. Due to the many individual configurations of Magento, however, automatic patching is not always successful. You will receive notification from us when this is the case. If you do receive one of these notices, it is of utmost importance that you immediately follow up with your developers to ensure your site’s security. For VPS services, we can attempt to automatically apply specific security patches on request.
Magento security can be tested using the Mage Report tool here: https://www.magereport.com
Third party extensions should be especially scrutinised and actively kept up to date, as it is usually the vulnerabilities in these that are more often used as attack vectors into Magento files and databases.