E-commerce Site Vulnerabilities
Most e-commerce platforms and payment gateways share the same vulnerabilities, because they are built with similar development approaches and coding techniques.
Sometimes developers lack the necessary knowledge of secure programming, or are bound by tight deadlines that put functionality and design first and push security aside.
The second reason is that the intricate functionality customers require makes web applications complex, and complex applications inevitably contain multiple vulnerabilities.
Common Hacking Techniques
SQL Injection
SQL injection is an attack technique that exploits an application vulnerability by inserting malicious SQL statements into user input. Depending on the circumstances, it can result, for example, in detailed error messages that disclose backend technology details, or in access to restricted areas by injecting always-true Boolean conditions into the application's queries.
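As an added illustration (not part of the original article), the following Python script shows the always-true Boolean trick against a login query built by string concatenation, next to the same lookup written as a parameterized query. The SQLite database, the customer rows and the plaintext passwords are constructed for the demo only; a real store keeps password hashes, never plaintext.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite store with a tiny customer table.
    Passwords are stored in plaintext only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [("alice@example.com", "correct-horse", 1),
         ("bob@example.com", "battery-staple", 0)],
    )
    return conn


def login_vulnerable(conn, email, password):
    """Builds the query by string concatenation: whatever the user types becomes
    part of the SQL text, so a quote in the input changes the query's logic."""
    sql = ("SELECT email FROM customer WHERE email = '" + email
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Parameterized query: the driver passes the input as data, never as SQL,
    so the same input is compared literally against the stored password."""
    row = conn.execute(
        "SELECT email FROM customer WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants with an always-true condition typed into the password field."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # The concatenated query becomes ... AND password = '' OR '1'='1',
        # which is true for every row, so the first account is returned.
        "vulnerable": login_vulnerable(conn, "alice@example.com", payload),
        # The parameterized query compares the password column to the literal
        # string ' OR '1'='1 and finds nothing.
        "safe": login_safe(conn, "alice@example.com", payload),
        # The genuine credentials still work through the safe variant.
        "legit": login_safe(conn, "alice@example.com", "correct-horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is the second function: use placeholders and pass values separately for every query, and treat the string-building version as a bug wherever it appears in a code base.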
DDoS Attacks
DDoS, or Distributed Denial of Service, is an attack in which a flood of requests exploits server capacity bottlenecks to make a site unavailable to users. Attackers may then proceed to compromise the entire site or specific functions of it.
Broken Authentication and Session Management Attacks
This technique exploits weaknesses in the authentication procedures, or harvests session IDs and cookies, in order to gain access to your account.
Cross-site Scripting
Usually aimed at the end user, cross-site scripting is typically made possible by missing input and output validation and by the unjustified trust users place in the site.
Remote Command Execution
Remote command execution is possible when inadequate input validation allows attackers to execute operating system commands with the privileges of the web server.
Magento stores, like many other e-commerce sites, are exposed to hacking, but Magento store owners can take precautionary measures to keep their sites safe.
Magento Stores Security Tips
The biggest danger of hacker attacks is that you almost never detect them until it is too late. So you should take care of site security in advance and regularly check its health.
1. Use only the latest Magento version
Despite the effort involved in upgrading the Magento version in your store, try to run only the latest release. Magento constantly improves its products and fixes security vulnerabilities, so the latest version is usually better and more secure.
2. Use two-factor authentication
Secure passwords alone are not enough to protect your Magento store. You should add one or more further layers of authentication, such as trusted IPs and devices, private files and so on.
3. Use a custom path to the admin panel
By default, Magento uses the same admin panel path on every installation, usually something like Magentosite.com/admin. Using a custom admin path makes the URL harder to locate and improves your security.
4. Use an encrypted connection (SSL/HTTPS)
Unencrypted connections are defenseless against data interception and expose the data transferred between customers and you in both directions. Magento store owners should use secure HTTPS/SSL connections, all the more so because it is simple: just enable the “Use Secure URLs” option in your Magento system configuration.
5. Use Secure FTP
Intercepted FTP passwords are among the most common ways to get hacked. You can eliminate this risk by using SFTP (SSH File Transfer Protocol), which can require a private key file for access and encrypts your credentials in transit.
6. Do not set file permissions to 777
Magento recommends not leaving 777 permissions on your files, and suggests changing them back to 755 as soon as you have finished the change that required them.
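An added example, not a Magento script: this Python code walks a directory tree, reports every file or directory that is writable by everyone (as 777 is) and resets directories to 755 as the tip advises. Resetting files to 644 rather than 755 is my own assumption, since files under the web root rarely need the execute bit; the sample tree under a temporary directory is constructed for the demonstration.

```python
import os
import stat
import tempfile


def world_writable(root):
    """Yield (path, is_dir) for every regular file or directory under root whose
    mode grants write access to everyone (the "other write" bit that 777 sets).
    Symlinks are skipped so a link pointing outside the web root is never followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                yield path, stat.S_ISDIR(st.st_mode)


def fix_world_writable(root, dir_mode=0o755, file_mode=0o644):
    """Reset world-writable directories to dir_mode (755, as the article advises)
    and files to file_mode (644, an assumption: web files rarely need execute).
    Returns the changed paths, sorted, so the run can be logged or reviewed."""
    changed = []
    for path, is_dir in world_writable(root):
        os.chmod(path, dir_mode if is_dir else file_mode)
        changed.append(path)
    return sorted(changed)


def demo():
    """Constructed sample tree: a 777 'media' directory holding a 777 file,
    plus a correctly permissioned index.php that must be left alone."""
    root = tempfile.mkdtemp()
    media = os.path.join(root, "media")
    os.mkdir(media)
    os.chmod(media, 0o777)
    cfg = os.path.join(media, "local.xml")
    with open(cfg, "w") as fh:
        fh.write("<config/>\n")
    os.chmod(cfg, 0o777)
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php\n")
    os.chmod(index, 0o644)

    changed = [os.path.relpath(p, root) for p in fix_world_writable(root)]
    modes = {os.path.relpath(p, root): oct(stat.S_IMODE(os.stat(p).st_mode))
             for p in (media, cfg, index)}
    return changed, modes


if __name__ == "__main__":
    changed, modes = demo()
    print("changed:", changed)
    print("modes after:", modes)
```

To audit a real store without changing anything, call world_writable on the web root and print the results; run fix_world_writable only once the list looks right, and re-run the audit after every installation or upgrade that asked for 777.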
7. Carry out regular Magento backups
Regular backups are still one of the most effective ways to limit the damage of an attack and the easiest route to recovery.
8. Disable directory indexing
Disabling directory indexing hides the core Magento files from hackers and makes your security stronger.
9. Choose strong passwords
A strong password lets you feel safe about customer information and sales data. Use sufficiently long passwords with upper- and lower-case letters, numbers and special characters.
10. Never reuse admin Magento password anywhere else
This applies to all important passwords you use, and Magento passwords are no exception. Use Magento passwords only for the purpose they were created for.
11. Eliminate e-mail loopholes
Since Magento provides a password recovery feature, make sure your e-mail address is not widely known and keep its password as well protected as the Magento admin password.
12. Grant admin access to only approved IP addresses
If you enter the Magento admin area from a fixed pool of IP addresses, you can block access from all other addresses in the .htaccess file. Just specify the address or pool of addresses there to improve the overall security of Magento.
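As an added example covering tips 3, 8 and 12 together (not Magento's own configuration), this Python helper renders the .htaccess directives for an Apache 2.4 server with mod_rewrite enabled and .htaccess overrides allowed: directory listings are switched off, and any request to the custom admin path from an address outside the allowlist is refused with 403. It accepts individual addresses only, not ranges; the addresses used below come from the reserved documentation ranges and are constructed values.

```python
import ipaddress
import re

# A custom admin path must be a single URL segment: no slashes, dots or regex metacharacters.
ADMIN_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")


def admin_htaccess(admin_path, allowed_ips):
    """Render .htaccess directives that hide directory listings and return 403 for
    any request to /<admin_path> from an address not in allowed_ips.
    Every address is validated with ipaddress before it reaches the config."""
    if not ADMIN_SEGMENT.fullmatch(admin_path):
        raise ValueError("admin path must be a single URL segment")
    # Escape the dots so they are literal in the RewriteCond regex.
    escaped = [str(ipaddress.ip_address(ip)).replace(".", r"\.") for ip in allowed_ips]
    if not escaped:
        raise ValueError("allowlist must not be empty")
    alternation = "|".join(escaped)
    return "\n".join([
        "# Tip 8: no directory listings",
        "Options -Indexes",
        "",
        "# Tips 3 and 12: custom admin path, reachable only from the allowlist",
        "RewriteEngine On",
        f"RewriteCond %{{REQUEST_URI}} ^/{admin_path}(/|$)",
        f"RewriteCond %{{REMOTE_ADDR}} !^({alternation})$",
        "RewriteRule ^ - [F]",
    ]) + "\n"


def admin_request_allowed(request_path, remote_addr, admin_path, allowed_ips):
    """Offline model of the decision the rules above make, so an allowlist can be
    checked before deployment rather than discovered by being locked out."""
    prefix = "/" + admin_path
    if request_path != prefix and not request_path.startswith(prefix + "/"):
        return True  # not the admin area: the rules do not apply
    addr = ipaddress.ip_address(remote_addr)
    return any(addr == ipaddress.ip_address(ip) for ip in allowed_ips)


if __name__ == "__main__":
    # Constructed allowlist from the RFC 5737 documentation ranges.
    office = ["203.0.113.5", "198.51.100.7"]
    print(admin_htaccess("secret-admin", office))
    print(admin_request_allowed("/secret-admin/dashboard", "192.0.2.9", "secret-admin", office))
```

Keep the rendered block at the top of the store's .htaccess, and remember that behind a reverse proxy or CDN REMOTE_ADDR is the proxy's address, so the allowlist then has to be enforced at the proxy instead.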
13. Check Magento security regularly
Regular Magento security checks keep you up to date and confident about the health of your store. For this purpose you can use Magento extensions or hire us to perform a security audit of your website and server.
14. Keep your anti-virus software up to date
Up-to-date antivirus software plays an important role in your security policy. Strong protection against trojans and viruses is usually provided by commercial products, and it is better to pay for them than to suffer a data leak.
15. Use the Magento community advantages
Since Magento has a tremendous community of users and developers, you can draw on multiple tutorials, guides, forum threads and good advice to keep your store safe.
16. Don’t save passwords in your browser
Saving passwords in your browser may be convenient, but it is certainly not wise. Anyone with access to your computer can easily read the credentials and use them.
17. Know where your browser comes from
Your internet browser is the main intermediary between you and the Web. It stores your passwords, cookies and URLs, so make sure you use a verified browser from a trustworthy provider. Otherwise all other security efforts are almost useless.
18. Disable/block the downloader access
Magento provides a convenient tool, the downloader, to keep your installation and extensions up to date. The downloader has proven insecure: it has enabled attackers to install rogue extensions and to brute-force admin passwords.
Restoring Sites After Hacker Attacks
If you have nevertheless been attacked, the most urgent tasks are to eliminate the vulnerability, restore data and security, and resume sales. We store multiple backups of your files and database; contact us and we will restore the site to a sane state.
The first step is to contact your hosting provider to obtain a backup of your store and, if possible, to identify the vulnerability. Then change your passwords, even if they were not the point of the breach.
The actions above may require taking your site offline for a while, but do not dramatize the situation. Just customize the 503 error page and ask customers to contact you via alternative channels.
It may sound ironic, but online attacks usually make store owners revise their security policy and increase the overall safety of the store.
If you have something to add, contact us and we'll add it.