6 Ecommerce Site Security Must-Haves for Magento
Online store security is essential to every ecommerce business. Without it, shopping sites become vulnerable to security breaches. Further, customers won’t complete their purchases if they fear their data isn’t protected. Because site security is so important, retailers often know a sleepless night from worrying about their site.
Hosted ecommerce platform providers, such as Shopify and BigCommerce, handle all aspects of a store, from the ecommerce software itself to the hosting, management, upgrades of the server – and site security. One of the great benefits of having a site on a hosted platform is that the security is managed by the platform itself. Nonetheless, there are measures retailers can take to underscore the strength of their online store’s protection.
Meanwhile, with self-hosted platforms like Magento, these aspects are the responsibility of the ecommerce retailer and/or their web hosting provider. In other words, you have to oversee the critical components of your site’s security. Magento has a variety of benefits, including virtually unlimited flexibility and customization possibilities. But it also brings many additional security risks and challenges that must be managed to ensure a secure ecommerce store. As a result, merchants on Magento may feel a lot more pressure in keeping your store secure.
Yet, while merchants on Magento have to be more hands-on with site security, it is still possible to have iron-clad protection. To help you get there, we want to share Command C’s guidelines for keeping your Magento ecommerce site secure.
1) Get the Basics Right: Secure Your Store on the Backend
This first one is easy: everything we said about security practices for hosted platforms is true for Magento, too. This includes rules such as limiting access to the administration panel, keeping passwords secure, and maintaining backups of store data. Taken together, these actions create an extra layer of security for your store, as well as help you recover in the event of a breach.
All of these practices apply to Magento, too. So, the first step in securing your store is to follow those guidelines.
2) Keep your Customers’ Credit Card Details Secure: Be PCI Compliant
Managing your own ecommerce platform also brings the responsibility of ensuring your customers’ credit card information remains secure. The credit card industry has compiled a set of guidelines, called the Payment Card Industry Data Security Standard, or PCI DSS, better known as PCI for short. These guidelines range from maintaining limited access to your servers to a periodic review of firewall rules.
The level of PCI compliance required depends on the number of orders placed via a storefront per year. For most retailers, all that is required is the periodic completion of a self-assessment questionnaire and the testimony of an officer or responsible party that PCI guidelines are being followed. The penalties for not complying with PCI guidelines can be severe, never mind putting customers’ data at risk, so it’s important that merchants follow these guidelines.
The good news is that most of these guidelines are common sense practices that ensure a secure site and storefront. In many cases, depending on how closely the web hosting provider manages the platform, much of the PCI compliance will be handled by the host. But it is still critical to be aware of and ensure compliance with these practices.
3) Keep the Bad Guys Out: Restrict Access to the Web Server(s)
In order for someone to breach a website, that person needs to be able to access the server. One of the easiest and most straightforward ways to limit this is to simply restrict access to the server to only those people who need it.
Many of the PCI guidelines are focused precisely on this need. Any user account which has access to the server should use secure passwords that are periodically changed. In addition, just like access to the web administration panel, user access to the server should follow the “principle of least privilege.” This means that you should only give someone access to the bare minimum required to perform their job. This way, if someone breaches that account, or that account owner goes rogue, the damage that can be caused is limited.
Another key technique to keep out unwanted people is to implement restrictive firewall rules, such that server admin access is only allowed to specific IP addresses where administrators are located. While this can cause some difficulties if administrators’ IP addresses change, it also mitigates the risk of unpatched security holes in server software, because attackers can’t even access the server to attempt an attack.
4) Keep Software Updated & Install Magento Security Patches
Software vulnerabilities are discovered daily. Some of these vulnerabilities present little risk, but others present a wide-ranging risk to the security of data on ecommerce websites. When vulnerabilities are discovered, often the techniques and procedures required to exploit that vulnerability are also published. Because of this, it’s crucial that companies periodically review the software installed on their ecommerce website’s server and perform upgrades or apply patches.
It is also important to understand that vulnerabilities can appear at all levels of a self-hosted server. Updates and patches should be maintained at all levels of software including: the operating system, web server software, programming language, and database. For low-level server software, an ecommerce website’s web hosting provider will be responsible for maintaining those updates.
With Magento, there are periodic updates to both Magento and to various modules and extensions that are installed to extend the functionality of the site. It is vital to apply patches to Magento shortly after they are released. With this in mind, it’s a good idea to sign up for Magento’s Security Center email list. Then you’ll to be notified when updates are released. Modules and extensions should also be updated.
Further, if any modules are no longer used, they should be uninstalled from the site. Not only will it help your site security, but it will also improve site performance, too.
5) Protect Against the Unexpected: Perform Regular Backups
It’s always important to have a second copy of a website and its data, in case of a catastrophe involving the web server. This is important for product and customer data, as we discussed in our article about shared hosting.
However, with self-hosted ecommerce platforms, like Magento, it is even more critical to keep a backup of the current state of the website’s software and data. That way, if something happens to the server, the site can be restored quickly.
6) Double-Check that it’s Secure: Perform Periodic Vulnerability Scans
Even if you follow all of the above practices, it’s best to double-check your work to make sure nothing was missed along the way. There are numerous tools available to scan the security of a website and web server. Magento offers a Security Scan tool that can review your site for known vulnerabilities. There are also many third-party tools that perform deeper analyses of the site or scan for exploits or malware that may have been installed, such as MageReport and Sucuri SiteCheck. Running periodic scans using these tools will help give peace of mind that an ecommerce website is truly secure.
As a part of the PCI compliance routine required by credit card providers, often an additional periodic vulnerability scan is required (and, if required, software to do so is typically provided by your payment gateway). These scans will help ensure that, not only is your ecommerce platform secure, but so is the server itself. So, if your payment gateway offers this service, it is a good idea to periodically run these scans to verify the server itself is secure.
Ecommerce retailers on Magento get the benefit of the platform’s nearly infinite flexibility and customization. But Magento also requires a heightened level of oversight to maintain site security.
In addition to adhering to best practices like having unique login credentials for each employee, Magento merchants have to stay vigilant about PCI compliance, server access, and security patches. It’s also critical to routinely back up your Magento store and perform site vulnerability scans. Once these measures are in place, retailers are ready to take advantage of Magento’s many assets.