Magento is built as a scalable eCommerce solution designed to help businesses grow and succeed online. However, even the best eCommerce website platforms face security issues. For the 150,000+ merchants using Magento, primary security concerns include fraudulent transactions and data security breaches (ie. cardholder data).
Magento has taken several steps to protect the eCommerce industry against credit card fraud and ensure PCI-DSS compliance. The liability and responsibility ultimately resides with the eCommerce merchants; they have to be proactive about their online security and make sure that they don’t leave their sites unprotected or vulnerable.
In the big picture, merchants must select an appropriate eCommerce website platform and hardware solution provider in order to ensure compliance and protect their sensitive customer information. Looking at the day-to-day, there are several simple steps that - when implemented accurately - decrease both the likelihood of a security breach and the long-reaching adverse consequences that accompany such events.
SEE ALSO: How An eCommerce Agency Created Brand Consistency for Franchise Sites
Fast Website Security Facts
Such major vulnerabilities occur at least once per year with an estimated cost in the hundreds of millions.
In 2015, 72% of all merchants that had instances of security breach resulting in the theft of consumer credit card data were small to mid-sized merchants with only an online presence. Overall security for the small to mid-sized online merchants can be vastly improved through the implementation of specific minimum security measures.
Website Security Solutions
There is no single precaution or silver bullet that will prevent any and all security threats, but we have compiled a list of security measures that will greatly reduce the security risk for most sites.
While many of these security measures only require a single effort to implement, others, like patch installations, will need to be tracked and monitored on an ongoing basis. Similarly, while the majority require minimal technical proficiency, there are some cases that may require a deeper understanding of Magento coding practices and solution implementation.
SEE ALSO: Why Having A Seal of Trust Improves Sales on eCommerce Sites
The larger part of the list requires little effort or expense to implement. In this sense, these recommendations can be considered high value “low hanging fruit.”
- Don't store credit cards
- In one instance, there was a merchant who would print out each of his orders, including customer data like name, billing address, credit card number, expiration date, and cvv code. He would then bundle these daily order sheets and place them in a box for monthly reconciliation. At the end of the month, he would place the box (with intact documents) in the publicly accessible dumpster behind the facility. Do not follow this merchant’s example - none of this information should ever be publicly accessible.
- Do use a secure payment gateway with the proper fraud settings in place
- In some cases, fraudulent transactions are approved simply because no one has configured the gateway settings to require address validation.
- Magento comes with Authorize.net and Payflow. Both services solve this problem by offering support and instructions.
- Do require https:// and SSL for your checkout and log-in pages
- Use an SSL checker, make sure you have a qualified technician and purchase your SSL certificate from a respected source.
- Don’t forget to upgrade your SHA1 certificate. This certificate is outdated and it is no longer supported by some browsers due to its weak encryption method.
- Don't forget to set your file system ownership privileges (Magento makes it easy)
- If you don’t know how to do this, please find someone to assist you. Make sure that only the right people have access to your online files.
- Don’t use “unsecure” passwords
- This article does a fine job of explaining the background and setting forth guidelines.
- Do ensure that your Magento patches are up-to-date
- Not sure if they are? Try Magereport
- If you are not up-to-date, raise the red flag and contact your Magento solution implementer. Magento releases patches for all supported versions and most are quickly implemented.
- Don't use FTP
- SFTP is the “secure choice” (Secure FTP)
- Don’t forget to change your admin path
- Your out-of-the-box path is www.mysite.com/admin and this is the default path for all Magento stores. This common point of entry can be locked down with little effort:
- Change the path to something like www.mysite.com/secretadminpath (create your own secure version)
- Limit access to the url by IP address. The methods vary between nginx and Apache.
- Do change downloader path
- Magento uses the very convenient /downloader as a means to install extensions using the Magento connect manager. The downside is that there can be unauthorized attempts to access www.mysite.com/downloader
- There are several ways to address this liability:
- If you aren't using this feature, simply delete the path
- Change the path i.e. www.mysite.com/securepassword (please create your own secure version)
- Limit access to the url by IP address. The methods vary if you are using nginx -v- apache. Either way, you can change your settings so that only traffic from safe IP’s can access this directory.
- Do at least consider using 3rd party real-time fraud prevention tools. Typically, these solutions bridge between Magento and the eCommerce payment gateway. In addition to native fraud detection methods found within the gateway, these services offer an incremental layer of protection in verifying transactions.
Keep in mind, all website security measures should be considered to as long-term, ongoing solutions. There are new developments in the world of online security threats every day, and if you do not consistently monitor your system and update, you will leave yourself open to serious vulnerabilities. Follow these 10 suggestions and rest easy knowing that your website platform is safe and ready to go.
