A few years ago, the eCommerce world reeled in shock when investigators discovered that hackers had compromised more than 500 online stores and had installed credit card skimmers that stole customers’ sensitive personal data when they attempted to make a purchase. Known as Magecart, a network of criminals spent years infecting websites with malicious code, and their operations created major security faults across thousands of eCommerce websites over the course of several years. The batch of 500 compromised sites uncovered in 2022 was the largest group uncovered up to that point. Magecart had redirected their payment services to their own criminal domain, a website called Natural Fresh.
“The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form,” researchers investigating the crime posted to social media. One key vulnerability turned out to be rooted in the Magento plugin Quickview, but fortunately the problem was largely confined to the obsolete Magento 1 and could be corrected simply by upgrading to the latest version of Adobe Commerce, the current name for Magento.
There kinds of threats are far from rare, even if they are not usually so widespread. As the owner of an eCommerce site, it’s vital that you make use of all the tools at your disposal to keep your site safe. If you are using Magento, there are a few key steps you should be taking.
In this article, we’ll take a look at best practices to secure your Magento eCommerce site and protect your online store.
Keep Magento and all your extensions up to date
The 2022 skimming scandal, as we mentioned above, revolved around sites that were running an obsolete version of Magento. To avoid the vulnerabilities of old, out-of-date software, make sure you are running the latest version of Magento and regularly update your plugins and extensions.
The regular updates Magento pushes out are designed to inoculate you against the newest threats and vulnerabilities. Similarly, be sure that the extensions you deploy come only from trusted publishers—hackers have been known to create fake plugins to attack stores from within.
To ensure your site is always up to date, you can get help from an expert Magento developer located near you. A Magento agency, UK users or US users alike agree, can put you in touch with an exceptional developer.
Utilize two-factor authentication for admin accounts
Use two-factor authentication to ensure that only authorized users are able to make changes to your eCommerce site. That way, even if cyber thieves compromise a password, they will not have access to your site’s code.
Regularly change your passwords
As we mentioned, passwords can be compromised, and one way to minimize the risk of this is to use strong passwords and to change them regularly. Strong passwords, involving a mix of upper and lowercase letters, numbers, and special characters should be used for all admin accounts, FTP, and database access. You can create a system that requires passwords to be changed at fixed intervals (say, three or six months), and you should be sure to require changes after an employee leaves the company or you detect a security incident.
Deploy a Web Application Firewall
To insulate your site against common attacks like SQL injection, cross-site scripting, and DDoS, deploy a Web Application Firewall to block malicious traffic before it reaches your Magento store. You can do this directly through your own servers, or you can engage a cloud-based WAF such as Sucuri or Cloudflare, which specialize in protecting eCommerce sites.
Regularly back up your store
If the worst were to happen and your store became hopelessly compromised, how would you get back to normal? The answer is that you would need a backup copy that you could deploy at a moment’s notice.
To protect your Magento eCommerce site, make a regular backup of your site and test it on a fixed schedule to make sure the newest backup is working and can be brought online quickly in the case of a disaster.
Protect your admin panel
By default, your admin panel is assigned an “admin” URL. Move your admin panel to a custom URL to make it more difficult for malicious actors to locate and infiltrate.
Educate your team
Beyond these basic security steps, the best practice you can institute to protect your site is to educate your team. Training them on security procedures, best practices, and how to report suspicious activity will help protect you from attacks since human users are often the most vulnerable link in the security chain.
