
17 Magento Security Myths Exposed: What You Need To Know

Jan 25, 2018

Keeping your Magento storefront secure takes some ongoing attention on your part.  Magento stores are swept continuously by automated tools looking for unpatched installs, default admin paths, weak logins and exposed files, and a compromised store puts your customers' personal and payment data at risk.

Fortunately, most of these measures are set up once and then only need an occasional check; the exceptions are patching, backups and scanning, which are recurring tasks.  Done properly, they keep you clear of most Magento security incidents and keep your clients' data protected, ensuring everyone's peace of mind in the process.

This article is divided into 4 sections for ease of reference.

1. Managing Security Updates

This part looks at why and how to keep your site up to date: applying Magento ® patches as they are released, upgrading to current releases, and backing up your Magento ® open source installation before you do either.

2. Eliminating Magento Security Issues Related to Access

You will find this section to be the longest of the article, and for good reason.  How you control access to your Magento ® store can mean the difference between keeping hackers out and opening the door wide for them.

3. Handling Data Securely

Here we look at how files and data move in and out of your storefront (uploads, HTTPS, database queries, payment details) and how to keep each of those channels locked down as new concerns arise.

4. Keeping Ahead of The Crooks

In this final section, we cover what needs to be done on an ongoing basis to stay ahead of attackers and protect you, your storefront and your clients' data from the hands of thieves.

Managing Magento Security Updates

#1: Backup Regularly

MYTH:  Backups are unnecessary, this is the web.

We put this at the top because backups underpin everything else in this list.  With a recent backup you can bring the store back to a point before an attack, and you can recover from an ordinary mistake (a bad extension install, a botched upgrade, someone saving the wrong thing) without a lengthy rebuild.  Back up both the files and the database, keep copies somewhere other than the web server itself (an attacker who gains write access to the server can delete or encrypt backups stored there), and test a restore from time to time; an untested backup is not a backup.

Check with your hosting provider as to what they “do” and “do not” do as it relates to backups: how often they run, how long they are retained, whether the database is included, and how a restore is requested.  Then make sure your own backup strategy fills the gaps.

#2:  Always Update to Latest Versions

MYTH:  Immediately updating when new releases become available causes unnecessary headaches.

In the early days of web software this might have been true, but today you are operating on the side of caution by adopting new releases as quickly as possible, after trying them on a staging copy of the store.  This is even more the case for security patches, which should go in as soon as they are released: the patch itself tells attackers where the hole is, and exploitation of freshly patched Magento bugs typically starts within days.

Installing only the individual security patches and never upgrading is not enough either.  Your store drifts further from the current release, each new patch becomes harder to apply cleanly on top of the old code, and eventually patches stop being issued for your version at all.

That is why upgrading to the latest version of Magento ® is part of securing your store, not something separate from it.

#3:  Apply Released Magento ® Patches ASAP

MYTH:  Upon updating to the latest full Magento ® releases no further security patch updates are required.

Yes, a full release includes every patch issued before it, so a store on the latest full release has them all without any separate patch installation.  However, installing new patches as they are released between full releases is still essential.

Here’s why.

Full Magento release upgrades don’t happen every day but rather when enough changes have accumulated to warrant one.  In between these events, individual security patches are released for vulnerabilities that are already public.  Applying them as they become known, rather than waiting for the next full release, is what keeps your system configuration and its corresponding security up-to-date at all times.  On Magento 1, every patch applied with the official patch scripts is recorded in app/etc/applied.patches.list, so you can check at any time which ones a store actually has.
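As an added example (not from the article and not Magento's own tooling), here is a small POSIX shell check that reads Magento 1's app/etc/applied.patches.list and reports, for a list of required SUPEE patch ids, whether each is applied, reverted or missing.  The file format is modelled loosely on the real one and is an assumption of this example: each apply appends a line containing the patch id, and a revert appends a later line for that id containing the word REVERTED.  The sample list below is constructed for the example; the ids used in the test (SUPEE-10266, SUPEE-10415, SUPEE-9767) are real 2017 Magento 1 patches, named only as examples of what a store might require.

```shell
# check_patches <applied.patches.list> SUPEE-id [SUPEE-id ...]
# Prints "SUPEE-xxxx APPLIED|REVERTED|MISSING" per id and returns 1 if any id
# is not currently applied, so it can gate a deploy or a cron alert.
# Assumption: each apply appends a line containing the id; each revert appends
# a later line for that id containing REVERTED. The last line for an id wins.
check_patches() {
    list="$1"; shift
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    rc=0
    for id in "$@"; do
        # -F: literal match; -w: "SUPEE-1026" must not match "SUPEE-10266"
        last=$(grep -F -w -- "$id" "$list" | tail -n 1)
        if [ -z "$last" ]; then
            status=MISSING
        elif printf '%s\n' "$last" | grep -q 'REVERTED'; then
            status=REVERTED
        else
            status=APPLIED
        fi
        [ "$status" = APPLIED ] || rc=1
        echo "$id $status"
    done
    return $rc
}

# Constructed sample list (not a real store's file): SUPEE-10266 applied,
# SUPEE-9767 applied and later reverted, nothing recorded for SUPEE-10415.
write_sample_patch_list() {
    cat > "$1" <<'EOF'
2017-06-15 09:12:01 UTC | SUPEE-9767 | CE_1.9.3.4 | v2 | applied
2017-09-14 18:30:45 UTC | SUPEE-10266 | CE_1.9.3.4 | v1 | applied
2017-09-20 08:05:12 UTC | SUPEE-9767 | CE_1.9.3.4 | v2 | REVERTED
EOF
}
```

Run it as `check_patches app/etc/applied.patches.list SUPEE-10266 SUPEE-10415` from the store root after each Magento security announcement; a non-zero exit is your cue to patch.  Keep in mind that the list only records patches applied through the official scripts, so a store patched by hand, or one where a later upgrade replaced the files, needs the release version checked as well.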

Eliminating Security Issues Related to Access

#4:  Take Passwords Seriously

MYTH:  Hackers won’t attempt to break into your site until your store becomes successful.

While a successful store is a bigger prize and needs to take passwords even more seriously, the sad fact is that most attacks on Magento stores are not targeted at all.  Automated scanners sweep the internet for any Magento install with a default admin path, a weak or reused password or a missing patch, regardless of turnover.  A store that is just getting going, with defaults still in place, is if anything an easier target.

That said, here are 5 ways to make sure that your passwords remain safe from trouble.

  1. Use long passwords or passphrases; length matters more than any single character class.
  2. Mix upper and lower-case letters, numbers and symbols.
  3. Never reuse a password across sites (see #5).
  4. Change a password promptly when you suspect it has been exposed, and whenever someone who knew it leaves; rotation on a fixed schedule adds little on its own.
  5. Keep passwords out of plain-text files, spreadsheets and e-mail; use a password manager instead.

#5: Exercise Password Wisdom

MYTH:  There is no harm in increasing access convenience by duplicating passwords.

Should someone break into one of your accounts, every other account that shares the same password falls with it, your Magento admin included.  This is where a password manager such as LastPass is handy: it generates and remembers a distinct, random password for every site, so you never need to reuse one.

HOT TIP:  Leaving yourself logged into your password manager on an unattended device exposes every stored credential should that device fall into the hands of an unscrupulous predator.  Lock the manager (and the device) when you step away, and protect the manager itself with a strong master password and two-factor authentication.

Not only should you have a different password for every platform, but resist the urge to share your access details with others.  Associates who need to work in your store should get their own admin accounts, with only the permissions their role needs, so that actions are attributable and access can be revoked (see #11) without changing your own password.

#6: Implement Two-Factor Access

MYTH:  A strong password is all that is necessary to prevent Hackers from accessing your storefront.

Unfortunately, password strength does little against the ways admin passwords are actually obtained: phishing, a reused password leaked from another site (credential stuffing), malware on an admin’s PC, or a patient brute-force run against a login page that never locks out.

Two-factor authentication goes beyond the password by requiring a second proof of identity, such as a one-time code generated by an authenticator app on the admin’s phone.  Codes sent by SMS are better than nothing but are the weakest option, since phone numbers can be hijacked.  The obvious disadvantage is reduced convenience in accessing the backend of your Magento ® store.

However, that pales in comparison to the advantage: a stolen or guessed password alone no longer gets anyone in.

#7:  Eliminate eMail Security Risk

MYTH:  There is no trouble in using my standard inbox eMail with my storefront.

What if an unscrupulous person gets into your everyday inbox, through phishing, a reused password, or a password reset on some weaker account that mailbox is linked to?

If that same mailbox is tied to your store’s admin account, the thief is one “forgot password” click away from your admin panel, because Magento ® sends its reset links to the admin user’s e-mail address.  That’s why it is a mark of wisdom to keep the mailbox used for your Magento ® admin accounts separate and distinct from your normal eMail, give it its own strong password and two-factor authentication, and treat it as part of the store’s security perimeter.

#8:  Update Admin Panel URL

MYTH:  Two-factor authentication will keep the bad guys out of your Magento ® store.

Two-factor authentication certainly helps, but the more independent layers you add, the better off you will be.  Moving the admin panel off its default path is a simple one-time change that keeps it out of the automated scans that request /admin on every Magento site they find.  It is not a security boundary in itself: anyone who learns the new path is no worse off than before, so the password, two-factor and IP-restriction advice still applies.

HOT TIP:  While blocking or changing access points, do the same with Magento 1’s ‘/downloader/’ directory (the Magento Connect Manager), which offers a second login form and a way to install code.  On a production store that installs extensions by other means it can be removed outright.

All Magento ® stores start with a default admin URL which looks like:

yourdomain.com/admin

Use the following steps to create a unique access URL on Magento 1:

  • Locate app/etc/local.xml under your store’s root directory, and take a copy of it first
  • Find <![CDATA[admin]]> inside the <frontName> element, under <admin><routers><adminhtml><args>
  • Change the bracketed “admin” to the name you want in the URL, save, and flush the cache (var/cache); the admin panel is then at yourdomain.com/<new-name>

On Magento 2 the same setting is the backend frontName in app/etc/env.php, and the supported way to change it is bin/magento setup:config:set --backend-frontname=<new-name>, followed by a cache flush.  Pick a name that is not guessable; obvious substitutes such as “backend” or “manage” are on every scanner’s list too.
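The Magento 1 steps above, as an added example in POSIX shell that is not from the article or from Magento itself.  The function names and the sample local.xml are this example's own; it assumes the stock local.xml layout, in which the front name sits in <admin><routers><adminhtml><args><frontName><![CDATA[admin]]></frontName>, and it keeps a .bak copy so the change can be reverted if you lock yourself out.

```shell
# get_admin_frontname <local.xml> : print the current admin front name
get_admin_frontname() {
    sed -n 's|.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*|\1|p' "$1" | head -n 1
}

# set_admin_frontname <local.xml> <new-name> : rewrite the front name in place,
# keeping <local.xml>.bak. Flush var/cache afterwards and log in at the new URL.
set_admin_frontname() {
    xml="$1"; name="$2"
    # Letters, digits and underscores only: keeps the value a plain URL path
    # segment and keeps it safe to splice into the sed expression below.
    case "$name" in
        ""|*[!A-Za-z0-9_]*) echo "invalid front name: '$name'" >&2; return 1 ;;
        admin)              echo "refusing to keep the default 'admin'" >&2; return 1 ;;
    esac
    if ! grep -q '<frontName><!\[CDATA\[[^]]*]]></frontName>' "$xml"; then
        echo "no <frontName> element found in $xml" >&2; return 1
    fi
    cp "$xml" "$xml.bak" || return 1       # revert with: mv local.xml.bak local.xml
    sed -i.tmp "s|<frontName><!\[CDATA\[[^]]*]]></frontName>|<frontName><![CDATA[$name]]></frontName>|" "$xml" \
        && rm -f "$xml.tmp"
}

# Constructed minimal local.xml for trying the functions out (not a real store's file).
write_sample_local_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}
```

Typical use from the store root is `set_admin_frontname app/etc/local.xml backoffice_7k2` followed by `rm -rf var/cache/*`; confirm with `get_admin_frontname app/etc/local.xml` before you log out of the old session.  Remember to update any IP allow-list rule (see #9) that still names /admin.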

#9:  Restrict Admin Access by IP

MYTH:  Admin access cannot be updated based on designated IP’s

It can be and should be.

Allowing only designated IP’s to reach the admin path adds a layer that does not depend on passwords at all: an attacker with valid credentials but the wrong source address never even sees the login form.  Do it at the web server (an allow/deny block on the admin location in nginx, or Require ip in Apache 2.4) rather than in Magento itself, and make sure the rule covers the new admin path from #8, not just /admin.  Sure, it may be inconvenient when real admins use a new device or network, but a VPN with a fixed exit address solves that while keeping the restriction in place.

#10: Eliminate User ID “Admin”

MYTH:  Your password is all that matters for security purposes.

Most Magento ® stores are set up with an administrator whose username is simply “admin”, because that is what installers and tutorials suggest.  Keeping this user ID active gives the bad guys half of the login for free, and it is the first username every brute-force tool tries.  Create a new administrator account with a non-obvious username, log in as that account, and then delete (not merely disable) the “admin” one.

#11: Remove Unused Accounts

MYTH:  Unused accounts cannot be accessed.

All companies go through staff changes.  As people leave your organization, so should their admin accounts, along with their SFTP/SSH keys, database credentials and any shared passwords they knew.  Leaving accounts in place opens potential vulnerabilities, whether from a disgruntled former worker who would be more than pleased to create trouble out of spite, or from an attacker who finds a forgotten account with a weak or leaked password.  Review the admin user list regularly: the admin_user table records each account’s last login (logdate) and whether it is active, which makes stale accounts easy to spot.
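One way to do that review, covering both #10 (the default “admin” username) and #11 (stale accounts), as an added POSIX shell example that is not from the article or from Magento.  It assumes a tab-separated export of the admin_user table such as `mysql -B -e "SELECT user_id, username, email, is_active, created, logdate FROM admin_user" <db> > admin_users.tsv` produces (the `-B` header line and `NULL` for never-logged-in accounts are mysql's own conventions); the function name, the thresholds and the sample rows are this example's own.

```shell
# audit_admin_users <admin_users.tsv> <as-of YYYY-MM-DD> [max-idle-days, default 90]
# Prints "user_id username FINDING" for every account worth a look:
#   DEFAULT_NAME     username is the stock "admin" (#10)
#   DISABLED         is_active = 0, i.e. left behind rather than deleted
#   NEVER_LOGGED_IN  created more than 30 days ago, never used
#   IDLE_<n>d        last login more than max-idle-days ago
audit_admin_users() {
    awk -F '\t' -v asof="$2" -v max_idle="${3:-90}" '
    # Gregorian date -> Julian day number, so date differences are plain subtraction
    function jdn(y, m, d,    a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    function days(s,    p) { split(substr(s, 1, 10), p, "-"); return jdn(p[1] + 0, p[2] + 0, p[3] + 0) }
    BEGIN { today = days(asof) }
    NR == 1 && $1 == "user_id" { next }          # skip the mysql -B header line
    {
        id = $1; user = $2; active = $4; created = $5; lastlogin = $6
        if (user == "admin")                print id, user, "DEFAULT_NAME"
        if (active != "1")                  print id, user, "DISABLED"
        else if (lastlogin == "NULL" || lastlogin == "") {
            if (today - days(created) > 30) print id, user, "NEVER_LOGGED_IN"
        } else if (today - days(lastlogin) > max_idle)
            print id, user, "IDLE_" (today - days(lastlogin)) "d"
    }' "$1"
}

# Constructed sample export (not real accounts) in the mysql -B tab-separated layout.
write_sample_admin_users() {
    {
        printf 'user_id\tusername\temail\tis_active\tcreated\tlogdate\n'
        printf '1\tadmin\towner@example.com\t1\t2016-03-01 10:00:00\t2018-01-20 09:12:44\n'
        printf '2\tjdoe\tjdoe@example.com\t1\t2017-02-14 11:30:00\t2017-06-02 08:00:00\n'
        printf '3\tcontractor\text@example.net\t1\t2017-11-05 14:00:00\tNULL\n'
        printf '4\tmsmith\tmsmith@example.com\t0\t2016-09-09 09:00:00\t2017-12-30 17:45:10\n'
        printf '5\takhan\takhan@example.com\t1\t2017-12-01 08:00:00\t2018-01-24 18:05:00\n'
    } > "$1"
}
```

On the sample, run as of 2018-01-25 with the default 90-day window, the script flags the “admin” account, jdoe (237 days idle), the contractor who never logged in, and msmith’s disabled-but-not-deleted account; akhan, who logged in yesterday, is not reported.  Every finding should end in one of two outcomes: the account is deleted, or someone confirms in writing why it still exists.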

Handling Data Securely

#12:  Use SFTP for Uploads

MYTH:  Hackers cannot gain access when I upload files.

In fact, file transfer is one of the most common ways a store is compromised, especially when plain FTP is used: it sends your username and password unencrypted, so anyone on the path (a café Wi-Fi, a compromised router) can read them and then upload whatever they like.  That’s why we recommend SFTP (or SCP over SSH) for all your uploads, preferably with key-based authentication instead of a password, and disabling the plain FTP service on the server altogether.

HOT TIP:  To give crooks less to work with, disable directory indexing on the web server (Options -Indexes in Apache’s configuration or .htaccess; nginx has it off unless autoindex is enabled), so that a request for a directory without an index file returns an error instead of a listing of everything in it, including backups, logs and forgotten copies of config files.  The less information the crooks can work with, the greater the chance that your eCommerce story will be one of success for a long time.

#13: Establish SSL/HTTPS for the Whole Store

MYTH: All websites are safe.

Google disagrees with this so much that since 2014 it has used HTTPS as a ranking signal in organic results, and browsers now mark plain-HTTP pages with forms as “Not secure”.

More importantly, HTTPS is what stops anyone between the customer and your server from reading or altering logins, addresses and payment details in transit.  Enable it for the entire site rather than just the checkout, redirect HTTP to HTTPS, set Magento’s secure base URL accordingly, and consider HSTS once everything works.  Your customers have a stronger sense of security in sharing their data, Google is happy, and the result shows up as ROI.

#14:  Guard Against SQL Injection

MYTH: Magento ® takes care of all SQL injection issues.

While Magento ® core uses parameterised queries and an ORM that escapes values for you, third-party extensions and custom code are where SQL injection usually creeps in, and several Magento security patches over the years have fixed injection bugs in core as well.  Review any extension that builds queries from request input, keep extensions patched, and add your own layers: a web application firewall in front of the store as defence in depth, and a database user for Magento that has only the privileges it needs, so an injection cannot read or write beyond the store’s own tables.

Imagine dealing with orders from clients you never saw, or prices and account balances that have been altered.  This is just a sampling of the trouble SQL injection can cause, from customer confusion to outright theft of data.  That’s why keeping it in check is so critical.

#15:  Blog Separately

MYTH:  No issues exist in merging WP with Magento ®.

While integrating the two platforms is possible, doing so on the same server account means a vulnerability in WordPress, or in one of its many plugins, becomes a vulnerability in your store: an attacker who can write files through the blog can write files into the Magento document root too.  Avoid this by running the blog on a separate domain or sub-domain, on its own hosting account or server, with its own file permissions and database credentials.

Should an undesirable gain access to your WordPress blog, they would still be locked out of your storefront, especially if you use different passwords for the two, as previously recommended.

#16:  Use IFrame or Hosted Payment Gateways

MYTH:  Should I get hacked my payment gateway will be compromised.

This is largely true if card details pass through your own server.  With an iFrame or hosted payment form, the customer enters card data directly into the payment provider’s page and it never touches your server, so a breach of the store does not expose stored card numbers, and your PCI DSS scope shrinks accordingly.  It is not complete protection, though: an attacker who can modify your checkout page’s JavaScript can still overlay a fake form or skim keystrokes, so the other measures in this list still matter.

Keeping Ahead of The Crooks

#17:  Regularly Scan Your Site

MYTH:  With the above steps in motion I need no further Magento security check precautions.

We certainly hope that is the case.  Unfortunately, reality does not always bear that out.  That’s why a regular Magento security scan for malware or unexpected code that may have crept into your Magento ® installation is highly advisable, together with a check that all current patches are applied.  Remote scanners such as Magento’s own Security Scan Tool cover the patch and configuration checks; comparing the files on disk against a known-good baseline catches modified or added files that a remote scan cannot see.

Even if nothing is uncovered, it is more than worth the peace of mind to know that your storefront is as protected as you think it is.

HOT TIP:  Some recommend doing these scans on a quarterly basis, but we recommend a monthly or bi-monthly process on your calendar, and automating the file-integrity check to run daily.  If something does take place, you want to know about it sooner rather than later: the longer a skimmer or backdoor sits on the site, the more customer data it collects.
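The file-integrity check described above, as an added POSIX shell example that is not from the article and is not a Magento feature.  The function names and the excluded directories are this example's choices: it skips the paths Magento rewrites constantly (var/, media/, pub/media/, pub/static/, generated/) so that ordinary cache and upload churn is not reported as tampering, and it treats everything else under the document root as code that should only change when you deploy.

```shell
# _sha256 <file> : "hash  path" line, using whichever tool the system has
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# fim_baseline <webroot> <manifest> : record one "hash  ./path" line per file
fim_baseline() {
    (
        cd "$1" || exit 1
        find . -type f \
            ! -path './var/*' ! -path './media/*' ! -path './pub/media/*' \
            ! -path './pub/static/*' ! -path './generated/*' \
        | LC_ALL=C sort \
        | while IFS= read -r f; do _sha256 "$f"; done
    ) > "$2"
}

# fim_check <webroot> <manifest> : print ADDED/MODIFIED/REMOVED findings;
# return 0 when the tree still matches the baseline, 1 otherwise.
# (Paths are taken as awk field 2, so file names with spaces would need a stricter parse.)
fim_check() {
    cur=$(mktemp) || return 2
    fim_baseline "$1" "$cur"
    findings=$(awk 'NR == FNR { base[$2] = $1; next }       # first file: the baseline
                    { now[$2] = $1
                      if (!($2 in base))        print "ADDED", $2
                      else if (base[$2] != $1)  print "MODIFIED", $2 }
                    END { for (f in base) if (!(f in now)) print "REMOVED", f }' \
                    "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Take the baseline immediately after a clean deploy (`fim_baseline /var/www/store /secure/store.manifest`), keep the manifest somewhere the web server user cannot write, since an attacker with write access to the document root could otherwise regenerate it, and run `fim_check` from cron with an alert on a non-zero exit.  Re-baseline after every legitimate deploy or patch; a new .php file under skin/, js/ or media/ that you did not put there is the classic sign of a web shell.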

Concluding Thoughts on Myths About Security within Magento ®

From updates to passwords and data to scans, we hope that following these strategies will keep both you and your buyers safe.  When you consider that your store holds confidential client details, it is easy to see the importance of security when it comes to your Magento ® storefront solution.

Which of the above concepts have you implemented within your own storefront?

Which have you avoided?

It’s now your turn.  Share your experience with Magento ® security, the good, the bad and the ugly in the comments below.
