Recently we have been getting a flood of calls from distressed Magento store owners with compromised servers. As a result we compiled a comprehensive list of security tips for running a secure Magento environment. Some tips are basic, but they are still worth mentioning here since I have seen so many cases where the basics are not covered properly. Like any other eCommerce application residing on a web server, Magento needs to be secured, and one would be surprised how often these basic mistakes are made on live production servers.
1. Do not leave sensitive data ANYWHERE on the server
Sounds obvious, right? Not so fast. I'm talking about cases where developers copy entire folders for backup purposes, or leave DB dump files on the server where they can be downloaded with a simple browser request. Your user passwords may be stored in the DB and are now potentially exposed, and even just the list of your customers' emails is enough to do some serious damage.
2. Do not use the same password everywhere
Your SSH password and DB root password should not be the same. Take it a step further and use a non-root user for SSH and a dedicated user for your Magento database. Make sure the Magento admin account does not share that password either.
3. Delete any administrator accounts that are old or not in use
Perhaps the email account of an ex-employee or ex-developer got hacked recently, which means whoever controls it can now trigger the forgot-my-password mechanism and gain access to your Magento admin panel. Disabling old accounts is an easy way to avoid this. You can always re-enable an account if you ever need it.
4. Refresh passwords every 3-6 months, force all of your administrators to do so as well
Sometimes it seems excessive, but when it comes to security you would rather put up with this occasional annoyance than get a call from angry customers with stolen credit card numbers, or even worse, a call from the authorities (yes, it happens!).
5. Make sure your Linux/OS is up to date with all the latest patches
Red Hat and CentOS are good Linux distributions that keep their software patched pretty frequently. Another good distribution is Ubuntu, but try to stick with their LTS (Long Term Support) releases, which are kept patched for 5 years.
6. Be alert for any unusual activity on your web servers
Unusual behaviour such as frequent CPU spikes, random errors in the log files, hanging processes, etc. is a potential indicator of a security breach, especially when it happens for no apparent reason. Setting up a monitoring server to track all vital metrics and raise alerts is not a bad idea. Zabbix and Zenoss are great for this.
7. Review your web server logs or log file sizes periodically
A monthly visual inspection of the error log files is not a bad idea. Check both the Apache error log and the SSL error log. If a quick scan is not possible, simply review the file sizes of the various error log files. If your Linux environment is set up with logrotate you should see one log file per week, and the default is to keep 4 weeks of data, so a quick ls -l on the folder can show trends in error log file sizes. If a file has been growing recently you may want to check what is causing it and resolve the issue. You can do the same on the /var/log/ folder within Magento.
8. Tighten up file permissions and ownership settings
The safest setup is chmod 755 on directories and 644 on all files, with the exception of frequently created/deleted files such as session or cache files, which will need chmod 755. Here is a short guide on setting up proper Magento file permissions post installation.
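As an added example (not from the post or its linked guide), the script below applies the 755/644 baseline above to a Magento document root, gives files under var/cache and var/session the 755 the tip calls for, and then counts whatever is still world-writable so the result can be checked. The root path is passed as an argument and the script assumes it runs as the user that owns the files.

```shell
#!/bin/sh
# Added example, not from the original post: apply the 755/644 baseline from the
# tip to a Magento document root, give the runtime-written trees (var/cache,
# var/session) the 755 the tip calls for, then count what is still world-writable.
# The root path is an argument; run it as the user that owns the files.
set -eu

harden_magento_perms() {
  root="$1"
  # Every directory: owner rwx, group and others read/traverse only.
  find "$root" -type d -exec chmod 755 {} +
  # Every regular file: owner rw, everyone else read-only.
  find "$root" -type f -exec chmod 644 {} +
  # Files Magento creates and deletes at runtime get 755, as the tip states.
  for sub in var/cache var/session; do
    if [ -d "$root/$sub" ]; then
      find "$root/$sub" -type f -exec chmod 755 {} +
    fi
  done
}

# Audit: number of world-writable entries left under $1 (symlinks ignored). Aim for 0.
count_world_writable() {
  find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}
```

Run the audit function on its own every now and then; a non-zero count after a deployment usually means an extension installer or a developer loosened something.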
9. Make sure that payment processing files are identical to the original versions
If you suspect that you got hacked, this is the first thing to check. If you do not have source control set up, use diff or similar tools to make sure that your core payment files are exactly what they are supposed to be. In Magento's case you still need to review the /app/code/local/ and /app/code/community/ folders for any extension class overrides, but the same idea applies: make sure there is no suspicious code within the payment modules.
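An added example, not from the original post, of doing this check with a checksum manifest instead of an ad-hoc diff: build the manifest from a known clean copy of the same Magento release, then verify the live tree against it. The directory list is the usual Magento 1 layout and is an assumption; add the folders of any payment extension you run.

```shell
#!/bin/sh
# Added example, not from the original post: record SHA-256 checksums of the
# payment-related module trees from a known clean copy of the same Magento
# release, then verify the live tree against that manifest. The directory list
# is the usual Magento 1 layout and is an assumption; add any payment extension.
set -eu

PAYMENT_DIRS="app/code/core/Mage/Payment app/code/core/Mage/Paypal app/code/local app/code/community"

# List every PHP file under the payment trees of the current directory, sorted.
list_payment_files() {
  for d in $PAYMENT_DIRS; do
    if [ -d "$d" ]; then find "$d" -type f -name '*.php'; fi
  done | LC_ALL=C sort
}

# make_baseline ROOT MANIFEST: run against the clean copy; one "<sha256>  <path>" per line.
make_baseline() {
  root="$1"; manifest="$2"
  ( cd "$root" && list_payment_files | while IFS= read -r f; do sha256sum "$f"; done ) > "$manifest"
}

# verify_baseline ROOT MANIFEST: run against the live server. Prints MODIFIED,
# MISSING or NEW lines and returns 1 if anything differs from the manifest.
verify_baseline() {
  root="$1"; manifest="$2"; status=0
  while read -r sum path; do
    if [ ! -f "$root/$path" ]; then
      echo "MISSING  $path"; status=1
    elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
      echo "MODIFIED $path"; status=1
    fi
  done < "$manifest"
  # A file that exists now but is not in the manifest is exactly what the
  # suspicious code the tip warns about looks like, so report it too.
  new=$( ( cd "$root" && list_payment_files ) | while IFS= read -r f; do
           grep -qF -- "  $f" "$manifest" || echo "NEW      $f"
         done )
  [ -z "$new" ] || { echo "$new"; status=1; }
  return "$status"
}
```

Keep the manifest off the web server (or at least outside the document root) so that whoever tampers with the files cannot also update the checksums.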
10. Setup a basic iptables firewall, even if you are behind a hardware firewall
Block ports that do not need to be open. You can take it a step further, if you are savvy enough, and switch the SSH port to something less common. Here is a short guide on how to set up a basic web server iptables firewall.
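As an added example (not from the post or its linked guide), here is a minimal host firewall in iptables-restore format: default-deny inbound, loopback and established traffic allowed, only SSH, HTTP and HTTPS open, with the SSH port as a parameter so it can be moved off 22 as the tip suggests. Applying it needs root and is best done from a console session rather than over SSH, in case a typo locks you out.

```shell
#!/bin/sh
# Added example, not from the original post: generate a minimal web server
# firewall in iptables-restore format. Defaults: SSH on 22 (pass another port
# as $1 to move it), HTTP and HTTPS open, loopback and established traffic
# allowed, everything else dropped. Apply with:
#   build_firewall_rules 2222 | sudo iptables-restore
set -eu

build_firewall_rules() {
  ssh_port="${1:-22}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is needed by the application itself (e.g. a DB on localhost).
-A INPUT -i lo -j ACCEPT
# Replies to connections the server opened, and sessions already accepted.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection are dropped outright.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only the services this web server actually offers; nothing else (DB, cache) is reachable.
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# ICMP echo so the monitoring server from tip 6 can still ping the host.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# accepts_tcp_port SSH_PORT PORT: 0 if the generated rule set admits new TCP
# connections on PORT. Use it to sanity-check a rule set before applying it.
accepts_tcp_port() {
  build_firewall_rules "$1" | grep -q -- "--dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}
```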
11. Block countries you do not wish to do business with
If you are not shipping to China, you can block access from there altogether by location. These days it is relatively easy to set this up via a hardware firewall, at the DNS level if you use a service such as Cloudflare, or in software using iptables or Apache's mod_geoip.
12. Deploy your production code with source versioning
If you deploy your code with either SVN or Git you can always check for code changes on your live website. This makes it really easy to detect any unwanted changes. A couple of tips: if you use older versions of SVN, make sure you disable access to the .svn subfolders which are present under each folder. If you use source control, make sure that you check the code before you make an update through the Magento Connect Manager: since updates carry tens and sometimes hundreds of file changes it will be way more difficult to detect unwanted changes afterwards, so try to check before.
The above tips for keeping your Magento server environment secure should keep hackers away from your setup. Keep it safe!