Is your Magento Ecommerce Website Secure?

File permission issues

During installation, the Magento Install Wizard creates the app/etc/local.xml file, which contains the database configuration and the global encryption key for your Magento copy. That is to say, the [magento_dir]/app/etc folder has to be writable by the web server. A simple shell snippet can reset the file permissions over SSH:

Be aware that after installation, files and folders will need to be returned to 655 non-writable permissions, except the directories listed below, which have to be 775 recursively:

Also make sure to use a custom admin path and a password-protected downloader directory using .htaccess.

Do remember to make sure that [magento dir]/app/etc/local.xml is not readable by the public!
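The permission reset and the local.xml check above, as an added example that is not part of the original article: the script applies a file mode and a directory mode to the whole tree, a writable mode recursively to the directories you name, strips all "other" permissions from app/etc/local.xml, and then audits the tree for world-writable entries and a world-readable local.xml. The modes are arguments (the article gives 655 for files and 775 for the writable directories; directories are given a separate mode because they need the execute bit to be entered), and the directory names `media` and `var` used in the demo are placeholders, not the article's list. The sample tree is constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the article: reset a Magento 1 tree to the permission scheme the
# article describes, then audit it. Modes and the list of writable directories are parameters;
# the directory names in the demo at the bottom are ASSUMPTIONS, not the article's list.

# reset_magento_perms <magento_dir> <file_mode> <dir_mode> <writable_mode> <writable_dir>...
reset_magento_perms() {
  magento_dir="$1"; file_mode="$2"; dir_mode="$3"; writable_mode="$4"
  shift 4
  # Directories first: they need the execute bit to be entered, hence a separate dir_mode.
  find "$magento_dir" -type d -exec chmod "$dir_mode" {} +
  find "$magento_dir" -type f -exec chmod "$file_mode" {} +
  # Directories the web server must still write to get writable_mode recursively.
  for d in "$@"; do
    [ -d "$magento_dir/$d" ] && chmod -R "$writable_mode" "$magento_dir/$d"
  done
  # local.xml holds the DB credentials and the encryption key: remove every "other" bit.
  if [ -f "$magento_dir/app/etc/local.xml" ]; then
    chmod o-rwx "$magento_dir/app/etc/local.xml"
  fi
}

# audit_magento_perms <magento_dir>
# Prints the number of problems: world-writable entries, plus one if local.xml is world-readable.
audit_magento_perms() {
  magento_dir="$1"
  problems=$(find "$magento_dir" -perm -002 | wc -l | tr -d ' ')
  if [ -n "$(find "$magento_dir/app/etc/local.xml" -perm -004 2>/dev/null)" ]; then
    problems=$((problems + 1))
  fi
  echo "$problems"
}

# make_sample_tree <dir>: constructed Magento-like layout with deliberately sloppy permissions
make_sample_tree() {
  root="$1"
  mkdir -p "$root/app/etc" "$root/app/code" "$root/media/sub" "$root/var/cache"
  printf '<config/>\n' > "$root/app/etc/local.xml"
  printf 'x' > "$root/app/code/Foo.php"
  printf 'x' > "$root/media/sub/img.jpg"
  chmod -R 777 "$root"   # everything world-writable, as a careless install might leave it
}

# Stand-alone demo: ./perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  make_sample_tree "$demo"
  echo "before: $(audit_magento_perms "$demo") problem(s)"
  # ASSUMPTION: media and var stand in for the article's list of writable directories
  reset_magento_perms "$demo" 655 755 775 media var
  echo "after:  $(audit_magento_perms "$demo") problem(s)"
  rm -rf "$demo"
fi
```

Run the audit function on its own from a cron job or a deployment hook to catch permissions that drift back after a developer session; a non-zero count is the signal to look at.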

Admin URL & Passwords

A lot of Magento stores use storeURL/admin or storeURL/index.php/admin as their admin panel. This is the default Magento admin login page, but you should change it once you have set up a Magento installation. A lot of issues come from this URL, so please make sure you change it after the installation. You can change it through [magento dir]/app/etc/local.xml

and change the admin path to any path you want. After that, don't forget to refresh your cache.
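A check for the default admin path, as an added example that is not part of the original article: it reads the admin router's `frontName` out of a Magento 1 local.xml (the `<admin><routers><adminhtml><args><frontName>` layout is the standard one in Magento 1) and reports whether the store is still on the default `admin` path. The sample local.xml files, the `placeholder-key` value and the custom path name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: report whether a Magento 1 local.xml still uses the
# default admin path. Sample files below are constructed for the demo.

# admin_front_name <local.xml>: print the configured admin frontName (plain or CDATA-wrapped)
admin_front_name() {
  sed -n 's/.*<frontName>\(<!\[CDATA\[\)\{0,1\}\([^]<]*\).*/\2/p' "$1" | head -n 1
}

# check_admin_path <local.xml>: returns 0 for a custom path, 1 if it is unset or still "admin"
check_admin_path() {
  name=$(admin_front_name "$1")
  case "$name" in
    ""|admin) echo "DEFAULT admin path in $1"; return 1 ;;
    *)        echo "custom admin path '$name' in $1"; return 0 ;;
  esac
}

# write_sample_local_xml <file> <frontName>: constructed local.xml with the admin router block
write_sample_local_xml() {
  cat > "$1" <<EOF
<?xml version="1.0"?>
<config>
  <global>
    <crypt><key><![CDATA[placeholder-key]]></key></crypt>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[$2]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
EOF
}

# Stand-alone demo: ./adminpath.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  write_sample_local_xml "$demo/default.xml" admin
  write_sample_local_xml "$demo/custom.xml" backoffice_7f3k   # constructed custom path
  check_admin_path "$demo/default.xml" || true
  check_admin_path "$demo/custom.xml"
  rm -rf "$demo"
fi
```

Point `check_admin_path` at the live [magento dir]/app/etc/local.xml after every deployment; a non-zero exit means the admin panel is back on the well-known URL.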

For the passwords, please use a ‘powerful’ password rather than something like “111111” or “abc123”, and avoid dictionary passwords (the most commonly used passwords). Here are some tips for choosing a password:

  • Make it longer. At least 8 characters;
  • Mix it with upper and lower case, punctuation and numbers;

And also, please make a unique password for your Magento store and do not use it anywhere else. Hackers will find your password on some other “less secure” website and then use it to attack your Magento store. So, as a good practice, use different passwords for different websites. Or you can set different security levels for your different passwords.

FTP and Backend Login

You’ll need to ask a service provider to help develop and improve a Magento site from time to time. Whenever you’re going to have someone working on your site, change the passwords of your FTP and backend accounts, and remember to change them again after working with them.

This has become critical now. Up to 75% of merchants don’t change their FTP account after working with a service provider.

Some other tips for keeping your Magento secure:

  • Keep your Magento installation up-to-date.
  • Read news from Magento official team, or follow us on Facebook or Twitter.
  • Don’t save passwords on your computers.
