Written by Giles Bennett
In the first post in this series on Magento security we looked at a specific hack attack and outlined some immediate steps to ascertain whether your site had fallen foul of it.
In this second post we're going to focus on some more general steps which all store owners should consider implementing to harden their site's security. Some cost a little bit of money - but in the words of the old TV Licensing advert, it's cheaper than a big fine!
Change your admin panel location
By default the admin panel for Magento is at www.yoursite.com/admin - but that latter part of the address is configurable. Changing it (in a specific file on the site) immediately increases the security of your site, even if you don't implement any of the other recommendations in this post - if hackers can't find your admin panel, it's a little difficult for them to try to get into it.
Implement browser authentication on your admin panel
No matter what platform your webserver is running, it'll be possible to add 'browser authentication' to the admin panel area of the site - this only permits users to view the login page and log in if they can provide a username and password (distinct from their admin panel username and password), which are then stored in their browser for a period of time. As with the first suggestion, if hackers can find your admin panel but can't get to see the login page, then they'll struggle to hack their way in.
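To show what 'browser authentication' actually does on the wire, here is an added example (written for this post, not code from Magento or from any web server) of the server side of HTTP Basic authentication: the 401 challenge that makes the browser prompt, the Authorization header the browser then sends with every request, and the check against a stored salted hash. The user store, the realm name and the sample credentials are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed example of the server side of HTTP Basic authentication. The browser
# keeps the username and password and re-sends them with every request to the
# protected area, which is the "stored in their browser" behaviour described above.
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = bytes(32)


def _derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash so the credential store is not a list of recoverable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(store: dict, username: str, password: str) -> None:
    """Store only (salt, hash); the plaintext password is never written anywhere."""
    salt = os.urandom(16)
    store[username] = (salt, _derive(password, salt))


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends. This is plain base64,
    not encryption: anyone who can read the request can read the password, which is
    why a Basic-auth layer belongs behind HTTPS."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def challenge_headers(realm: str = "Admin area") -> dict:
    """Headers for the 401 response that makes the browser show its login prompt."""
    return {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}


def authenticate(authorization_header, store: dict):
    """Return the username if the header carries valid Basic credentials, otherwise None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")   # the password may itself contain ':'
    if not sep:
        return None
    # Run the KDF even for unknown users so response time does not reveal which usernames exist.
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    if hmac.compare_digest(_derive(password, salt), expected) and username in store:
        return username
    return None


if __name__ == "__main__":
    users = {}
    add_user(users, "ops", "correct horse battery staple")   # constructed sample credential
    print("challenge:", challenge_headers("Magento admin"))
    header = encode_basic("ops", "correct horse battery staple")
    print("browser sends:", header)
    print("accepted as:", authenticate(header, users))
    print("wrong password:", authenticate(encode_basic("ops", "guess"), users))
```

The two details worth copying into any real deployment are the constant-time comparison and the hashed (never plaintext) credential store; the web server's own tooling (Apache's htpasswd, for instance) gives you the latter for free, and a correct HTTPS setup covers the base64 weakness noted in the comments.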
Use secure passwords
Really, this is Security 101. Brute force attacks against any store will run through the 100 or 200 most popular passwords as a first step, and then maybe look at dictionary words.
Use the website howsecureismypassword.net to work out how secure your password is, and if necessary choose a more secure one. Use a mix of punctuation marks and numbers as well as just letters - adding an additional letter to an insecure password (11 minutes to crack) will take the time to crack to 7 hours, but adding a punctuation mark will take it to 6 days.
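The reason a punctuation mark buys so much more than an extra letter is that an attacker who has to allow for punctuation at all must search a larger alphabet at every position, not just the new one. The following is an added example (not from the original post, and not the model howsecureismypassword.net uses) that works this out with the plain brute-force keyspace model; the guess rate of 10 billion per second and the sample passwords are constructed assumptions, so the absolute times will not match the figures above, but the ratio between the two additions is the point.

```python
import string

# Character classes an attacker has to search once any member of the class might be
# present. Sizes come from Python's string module (standard printable ASCII).
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)

# Constructed assumption for this example: an offline attacker making 1e10 guesses per second.
GUESSES_PER_SECOND = 10_000_000_000


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password.

    The attacker does not know which positions hold punctuation, so one '!' anywhere
    forces every position to be searched over the full punctuation set as well.
    """
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of this length and alphabet contains."""
    if not password:
        return 0
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate."""
    return keyspace(password) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit, for the comparison printout."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare(base: str, variants: list[str]) -> dict[str, float]:
    """How many times larger each variant's keyspace is than the base password's."""
    base_space = keyspace(base)
    return {variant: keyspace(variant) / base_space for variant in variants}


if __name__ == "__main__":
    base = "correcthorse"                 # 12 lowercase letters (constructed sample)
    variants = [base + "s", base + "!"]   # add one more letter vs. add one punctuation mark
    print(f"{base!r}: {humanize(seconds_to_exhaust(base))}")
    for variant, factor in compare(base, variants).items():
        print(f"{variant!r}: x{factor:,.0f} -> {humanize(seconds_to_exhaust(variant))}")
```

Adding a thirteenth lowercase letter multiplies the search space by exactly 26; adding a single punctuation mark instead multiplies it by several hundred thousand under this model, because the alphabet for all thirteen positions grows from 26 to 58. A real attacker will also try dictionary words and common passwords before resorting to exhaustive search, which this model ignores, so treat these numbers as an upper bound on the attacker's effort.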
When it comes to passwords, 'secure' doesn't have to mean 'hard to remember'. Our standard style of password here at HummingbirdUK would take 5 quintillion years to crack on a desktop PC, but is simple enough to remember, and once you've used it a few times, it won't take significantly longer to input when you log in.
Use two factor authentication
Two factor authentication relies on the combination of (a) something you know - like your password, and (b) something you have - like your mobile phone. So as well as logging in with your username and password, you also have to input a time-sensitive code generated by an app on your mobile. Without your mobile, you can't log in.
There are modules available which add this functionality to Magento using Google's Authenticator application, which means that they can be used in conjunction with numerous iOS and Android apps such as Authy, or our personal favourite, Authenticator Plus, which allows you to sync your codes across multiple devices for ease of use.
Note that this shouldn't be used instead of a secure password, but as a complement to one.
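The time-sensitive code described above is a TOTP (RFC 6238) built on HOTP (RFC 4226), which is the scheme Google Authenticator and the compatible apps listed here implement: the app and the server share a secret, and both derive a six-digit code from that secret and the current 30-second period. This is an added example of both halves (written for this post, not the code of any Magento module or authenticator app), including the server-side checks a module needs to get right: tolerating small clock drift on the phone, refusing a code that has already been accepted, and comparing in constant time. The demo secret in the usage section is the RFC 6238 test-vector key, base32-encoded, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch.
    Google Authenticator-compatible apps use SHA-1, 30-second steps and 6 digits."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted, unix_time: int, step: int = 30, digits: int = 6,
                window: int = 1, last_used_counter=None):
    """Server-side check. Returns the matching counter on success, None on failure.

    - Accepts the current period and `window` periods either side, to tolerate clock drift.
    - Refuses any counter at or below the last one already accepted, so a code that was
      observed in transit cannot be replayed within its validity window.
    - Uses a constant-time comparison so a near miss takes no longer to reject than a wrong code.
    """
    if not (isinstance(submitted, str) and len(submitted) == digits and submitted.isdigit()):
        return None
    current = unix_time // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32 (the otpauth:// URI form),
    often shown to the user in groups of four; restore the padding before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test-vector key, base32-encoded. Not a real credential.
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("code for this 30-second period:", code)
    accepted = verify_totp(secret, code, now)
    print("accepted at counter:", accepted)
    print("same code submitted again:", verify_totp(secret, code, now, last_used_counter=accepted))
```

The module on the Magento side only needs the `verify_totp` half plus somewhere to keep the secret and the last accepted counter per admin user; the phone app is the `totp` half. Because both sides compute the code independently from the shared secret and the clock, nothing is sent over the network at enrolment time except the secret itself, which is why that enrolment step (usually a QR code) is the moment to protect most carefully.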
Use specific user permissions
Magento helps you out on this one - as well as creating admin users, you can create a system of permissions for admin users. If you have someone working for you who only needs to be able to edit the descriptions of products, then the admin permissions system allows you to give them access to that area of the admin panel alone - they don't even see the other areas. By restricting accounts to only the areas of the admin panel they actually need, you also limit the damage that can be done if one of those accounts is subsequently hacked.
In summary
None of the above are unduly difficult, costly or time-consuming, nor do they have to significantly complicate matters. We'll happily advise you on putting one or more of them in place, so feel free to get in touch.
In a world where digital security is an ever-growing concern, and not a week goes by without another company being outed as having lost their customers' personal data, do you want to risk being the next in line?