Magento, an eBay product was earlier known as Varien. It is one of the most preferred eCommerce platforms and is being used by almost 30 percent of eCommerce websites. Magento combines the best features of MySQL database and Zend PHP. It offers amazing flexibility through the modular architecture. The scalability feature makes it fast loading and it has brilliant features that e-Commerce developers appreciate.
By Gunjan Tripathi
(via OpenSource4u)
Magento, an eBay product was earlier known as Varien. It is one of the most preferred eCommerce platforms and is being used by almost 30 percent of eCommerce websites. Magento combines the best features of MySQL database and Zend PHP. It offers amazing flexibility through the modular architecture. The scalability feature makes it fast loading and it has brilliant features that e-Commerce developers appreciate.
Magento
Features
Magento offers
all the desirable features to an eCommerce website.
Product
Management
- Add the product catalog with multiple product images,
- batch updates,
- manage inventory,
- order management and
- integrate various payment methods
Customer
Service
- Customers can create user accounts,
- track shopping history,
- custom forms for customer service,
- Multi currencies, and
- Multilingual
Brand,
Marketing and Sales Management
- Integrate Google Analytics account and analyze consumer behavior
- Advanced SEO friendly options
- Integrate marketing promo applications and tools (Coupon codes, promotional offers, etc.)
You can choose
and add from 1700 varied functionalities through the Magento-Connect interface.
With free
Magento themes, it is easy to set up an online store. However, the prominent
question here is, “Will the ecommerce store on Magento platform need security
and protection?”
Wondering
why Ecommerce Store on Magento Platform Needs Security and Protection?
Though Magento
platform offers some brilliant features, it is equally true that repeatedly
there have been news of bugs that can lead to serious security breach. Being
built on open source code, the platform may have several vulnerability.
Popularity of Magento has made it a favorite of hackers and attackers as well.
Earlier the
attackers used ‘phishing’ to get breach the security of the eCommerce site.
Since the web developers have become aware of the phishing attacks, the hackers
now use malvertising as a way to attack the sites that seem secure.
In a latest
update, it was revealed that attackers could misuse quite a few vulnerabilities
in Magento platform. The leak eventually allows attackers to insert PHP codes
on the web server. This flaw is known as remote code execution (RCE). It is
inbuilt flaw in the core code of Magento platform. Though a patch for the RCE
flaw has been released, yet, over 50 percent of the Magento sites have not
updated their sites.
Via RCE flaw,
not only the shoppers’ credentials but also the site owners’ privacy is at
stake.
11 Ways to
secure eCommerce Store on Magento Platform
Though the
platform has security functions, they are not enough to discourage the cyber
attacks. An eCommerce website needs to take care of their customers’ safety and
privacy. Here are a few additional options that you must consider if you
believe that your eCommerce store on Magento platform needs security and
protection.
1. A Unique
Admin Path
Change path of
your admin page. It will help your core information stay safe. Instead of
keeping your admin login at the default yoursite.com/store/admin make a unique
login path such as yoursite.com/store/27AgJ47X
- Access /app/etc/local.xml
- Find “<![CDATA[admin]]>”
- Change word [admin] to [27AgJ47X] or as you prefer
NOTE: Do not
ever alter the “Admin Base URL” or its settings stored in admin section. If you
alter the Admin Base URL, Magento will not let you access the admin panel.
2. Unique
Login Details
With the Brute
Force software, the hackers can guess 8 million different combinations of
usernames and passwords. Can you beat that? You must have to beat them.
- Keep a unique username and a super complex password.
- Alter your password on regular intervals.
- Do not use the same username and password elsewhere.
It is your
duty to keep the attackers at bay and keep the data of your site and visitors
safe.
“With websites
comes responsibility; with e-commerce websites comes great responsibility.”
Impact of Hack
on Magento website
3. Remember
your password
Do not store
your password in your password manager. The password manager services use the
cloud based servers or software. If the attacker hacks your cloud, then your
store may be at stake. After all it is on a third party space that you can
never ever be a 100 percent sure of.
Risk of theft
of the mobile devices i.e. laptop and tablets enhances the risk of
vulnerability of the passwords stored in excel sheets as well.
If your
eCommerce site can be hacked, your desktop or laptop can be hacked as well.
The best way
to keep your passwords safe is to memorize them.
4. Two Step
Authentication
Enable a
two-step authentication extensions. It will ensure only trusted and registered
devices will be able to access the backend of your Magento platform. The
two-step authentication generates a random password every 30 seconds. The code
is sent to a pre-registered device only. A complex username, a unique password
and a code that is sent only to your phone make the window of breach is next to
impossible.
5. Static
IP Address
Enforce a
restricted access to your static IP address. First, ensure that have a static
IP and not a dynamic IP. The restriction can be enforced and it requires coding
in .htaccess or alternatively, you can use an Apache directive of LocationMatch
as mentioned hereunder:
Use the admin
name to match your admin login page like “admin”, “27AgJ47X” or whatever you
have chosen.
If you ever
need to access your Magento backend, from a different IP address, you will have
first update the LocationMatch directive. It is a bit of extra trouble, but is
absolutely worth it.
6. Comply
with Latest Version Updates of Magento
Enroll to
receive updates about security patches and version updates from Magento. Do not
wait to implement the patch or updates. As soon as a new update or patch is
rolled out, implement it immediately. Also, update all the additional tools
that you use with Magento platform.
7. Updated
Anti-Virus Software
Backup and
update must be a part of your security checksum. However, if you are lousy in
updating your antivirus software, it may cost your ecommerce platform. Schedule
your paid antivirus software to update itself every day.
8. HTTPS/SSL
Mandatory for Login Pages
Use encryption
to on all login pages in Magento with SSL certificate. Enable eCommerce
security with trusted SSL certificate and use always-on SSL on every page.
9. Secure
Your Email Access
To hack your
site, if all the attacker needs to do is obtain your email id mentioned on your
LinkedIn profile or hack into your email account to get access of your site, it
should be not such a big deal for a processional attacker.
Just make a
unique User-name and password, similarly use a distinct and secure email id to
access your Magento site! Make an email id knottier that is impossible to
guess and NEVER use it elsewhere.
10. Use a
Secure FTP
Many hackers
decode the FTP access and hack the site. Use SFTP along with a Public Key
Authentication for utmost secured FTP access.
11.
Developers Access
When you need
help from outside developers and have to hand over your access to them. Change
your access passwords and FTP password. Again, change your access details as
soon as the job is over. Do not handover the access to unknown developers. Use
trusted organizations with credible background.
A bunch of
other things to keep your eCommerce store secured can be taken care of as well.
Do not forget to keep yourself in touch with the latest updates. If the need
be, hire professional helps if your ecommerce store on Magento platform needs
security and protection.
About The Author:
Gunjan
Tripathi works with CheapSSLShop.
He is passionate about technology, web security and the online industry.
Working in online environment, Gunjan is well versed with digital marketing
challenges and different targets being completed in aggressive deadlines along
with client satisfaction.