Throughout the Holiday Season shoppers are putting credit cards into Magento stores at a higher rate than other times of the year. All that business makes it an especially attractive period for hackers to strike. Here are a few tips to help you prevent and identify Magento attacks. If you identify a hack or even think you have, we recommend you contact Commerce Forge or other professional Magento Support Agency.
We see two especially vulnerable periods each holiday season and while we take security precautions all year, we spend a little extra time checking things over during them. We see more activity in August and September than usual as hackers look to embed code or access sites before the busy time starts and thus be settled and waiting for the season. We also see more activity between Christmas Eve and New Year’s Day when many people are less likely to be paying as much attention to their Magento stores. It’s a good idea to run through the following tips during both of these periods.
5 Simple Magento Security Checks
1. First ensure your site is up to date. The easiest way to do this is to go to MageReport.com and enter your site URL. This tool will run through all the common issues and security patches that should be addressed by your site.
2. As you may see at MageReport.com it’s a good idea to provide security around your admin, downloader and rss resources. We rename the admin URLs and then also secure access to them and downloader and rss by whitelisting ip addresses. It only takes about 15 minutes to do all this and here are the instructions from Magento for securing these resources.
3. We review our admin accounts as well. During the year you may have given others access to the admin for support or assistance and never revoked their access. You should at least disable any admin accounts that do not need to access your admin on a regular basis. You can always enable them later if they do.
4. Next review your server and FTP accounts. Are there any that are not needed? It’s always good to change your passwords before Q4 while you are at it!
5. This is more difficult but its beneficial to run a code review. Many Magento Support Agencies will charge you for this service but it’s not hard to run the review and look to see if there is anything you think an agency should review. What you are looking for are core Magento files that have been modified or files that have been added which are not part of the Magento installation package. A good tool that will do this for you (with clear instructions) is available from Customer Paradigm here.
The idea with identifying any new or modified files is to then look at them and determine if they are supposed to be there or if they contain anything they shouldn’t. An example we found with this check is one where code was injected into a file with the intent of emailing checkout information to a suspicious gmail account. The audit gave us the file to check and the injected code was obvious. With the thousands of files in the Magento file system this code would have been very hard to find without such a tool. So what could have taken days took us about 30 minutes!
These steps won’t guarantee your Magento store isn’t hacked but they go a long way towards making it unlikely and making it likely that you’ll catch it before it causes any real damage.
Note: Magento security has many layers and this article does not propose to cover them all. This article simply outlines some good tactics the average Magento store owner can and should employ on their own or request that their Magento Support Agency do it for them.