{"id":996,"date":"2015-03-24T07:34:26","date_gmt":"2015-03-24T07:34:26","guid":{"rendered":"http:\/\/invisiblezero.net\/?p=996"},"modified":"2024-07-22T09:30:08","modified_gmt":"2024-07-22T09:30:08","slug":"magento-secure-your-webshop","status":"publish","type":"post","link":"http:\/\/ndthanh.com\/magento-secure-your-webshop\/","title":{"rendered":"Magento &#8211; Secure your webshop"},"content":{"rendered":"<div>Recently , i have been working on security aspects of Magento and Server (centos,ubuntu ..) to help my clients secure their webshops, so i have prepared a security plan . perhaps you can find useful information here .<\/div>\n<p><!--more--><\/p>\n<div><b>Part 1. Integrity Check<\/b><\/div>\n<div>&#8211; Core code check : check to make sure core files are similar to default Magento installation core files .<br \/>\n&#8211; Lib directory check : Lib directory contains Varien libraries, Zend Framework and other 3rd party stuffs<\/div>\n<div>&#8211; Git log check :\u00a0if you are using git, then reviewing git log regularly is a good idea.<\/div>\n<div>&#8211; Public accessible directories : Check for big files in \/media and \/var , check file type to make sure they&#8217;re not fake (imagemagick to check images, ffmpeg to check video files, qpdf to check pdf files , etc..) . Hackers often extract content to these directories so they can download easy later , that&#8217;s why we do this type of checking. i have a script for this type of work and i will post it in another post soon \ud83d\ude42<\/div>\n<div><\/div>\n<div><b>Part 2. Magento Tunning<\/b><\/div>\n<div>A &#8211; Tighten up security<\/div>\n<div>&#8211; Change admin login path : \/index.php\/admin is a well known path, Hackers always try this first to find login path, this should be changed into something else.<br \/>\n&#8211; Lower Admin session life time : With this changes, you can reduce risk from cookie thief by XSS or someone use your computer to login backend.<br \/>\n&#8211; Use Long &amp; complex admin user\/password : This one is solution for password brute force attack<br \/>\n&#8211; Enable captcha : you can enable it from backend . So bot or script won&#8217;t work anymore.<br \/>\n&#8211; Install Admin Logger extension (this is a feature from Magento EE). <a href=\"http:\/\/www.magpleasure.com\/admin-logger.html\">http:\/\/www.magpleasure.com\/admin-logger.html<\/a><br \/>\n&#8211; Check for Security Patch weekly : Magento often release patches to fix security vulnerabilities , it&#8217;s good to have your code up-to-date.<\/div>\n<div>&#8211; Setup 2-factor authentication , there are extensions for this from Magento marketplace.<\/div>\n<div>&#8211;\u00a0Use HTTPS\/SSL for all login pages.<\/div>\n<div>&#8211;\u00a0Disable Magento Connect Manager tool : this utility is not really necessary and it is another way to get in your website.<\/div>\n<div>&#8211;\u00a0Stop using untrusted Magento Extensions<\/div>\n<div><\/div>\n<div>B &#8211; Prepare for disaster<\/div>\n<div>&#8211; Use Magento extensions that allow export orders\/customers\/products\/categories and encrypt them for recovery purposes.<br \/>\n&#8211; Design a better \u2018Store undergoing scheduled maintenance\u2019 page to use it when we\u2019re going to do disaster recovery. Stop using Magento default maintenance page.<br \/>\n&#8211; re-design error reporting page : remove trace of Magento error reporting file and turn make it match your webshop design.<\/div>\n<div><\/div>\n<div><b>Part 3.\u00a0<\/b><b>Server Tunning<\/b><\/div>\n<div><span style=\"text-decoration: underline;\">A &#8211; Data Base<br \/>\n<\/span>&#8211; Grant minimum access previledges to database users : do not use root credentials for your database.<br \/>\n&#8211; Use different user\/password for different databases : with this setup, other website will be safe if one of your websites is compromised.<br \/>\n&#8211; setup firewall to limit only internal access. disable public access : database should only be accessible from your server, never open it to public.<span style=\"text-decoration: underline;\">B &#8211; Apache &amp; PHP<br \/>\n<\/span>&#8211; Use production mode for error reporting : with this setup , you won&#8217;t see error throwing on your live environment. There are a lot of website that leave error reporting for live site, so once error happen, people will see error and path to your website on server.<br \/>\n&#8211; Use correct file permission , it should be 644 or 664 for source files : do not use 777 permission for your files unless it&#8217;s cache or temporary files<br \/>\n&#8211; Limit file upload : file upload will be exploit a lot, so you will need to validate file upload carefully.<br \/>\n&#8211; Limit access to development environments : if you have dev site or staging site, remember to set .htpasswd for them, so web scraper like google , bing or your customer won&#8217;t see content on your development sites.<\/div>\n<div><\/div>\n<div><span style=\"text-decoration: underline;\">B1 &#8211; Increase security via .htacess file\u00a0<\/span><br \/>\n&#8211; turn off server signature<br \/>\n&#8211; disable directory listing<br \/>\n&#8211; force index.php as directory index<br \/>\n&#8211; deny access to protected server files and folders : htaccess, htpasswd, errordocs, logs ..etc..<br \/>\n&#8211; add request methods filter to prevent these request types : HEAD, TRACE, DELETE, TRACK, DEBUG<br \/>\n&#8211; only allow internal file request from internal server\/website<br \/>\n&#8211; deny browser access to php.ini, xml files, config files and readme files<\/div>\n<div><\/div>\n<div><span style=\"text-decoration: underline;\">B2 &#8211; Nginx<\/span><\/div>\n<div>&#8211; make sure you have the same security or better as described above. there are some tools online that support conversion between Apache config and Nginx config.<\/div>\n<div><\/div>\n<div><span style=\"text-decoration: underline;\">C &#8211; Server &amp; Scripts<br \/>\n<\/span>&#8211; Use VPN to connect to main server\u00a0 (limit ip address to VPN server only) : this is a strong approach to secure your server, it gives you complete control to users who are allowed to work with your server.<br \/>\n&#8211; Daily database backup<br \/>\n&#8211; Daily media backup (incremental backup)<br \/>\n&#8211; Daily check for website integrity.<br \/>\n&#8211; Setup Antivirus software : it&#8217;s important for Windows server. if you&#8217;re using Linux, you can use ClamAV which is also good for scanning bad files and scripts on your server.<br \/>\n&#8211; If FTP is required, use SFTP for file transfer<br \/>\n&#8211; Update server software, kernels regularly<\/div>\n<div><\/div>\n<div><b>Part 4. Coding principle &#8211; this one is for developers<br \/>\n<\/b>&#8211; Never trust user input, always check, validate and escape if you\u2019re working on feature that contain input fields\/upload fields.<br \/>\n&#8211; Test code properly to make sure it won\u2019t display error log on front-end . the error log<br \/>\n&#8211; notify\/update to latest version of Magento<b>Part 5. Admin Tips<\/b><br \/>\n&#8211; never use admin username\/password for anything else<br \/>\n&#8211; don\u2019t save password on computer or notes<br \/>\n&#8211; use Private\/company email address for admin instead of gmail\/hotmail\/etc..<\/p>\n<p>&#8211; request for PCI compliance tests<\/p>\n<p>i hope this article will help you to enhance your website security. Please post your comment if you have any question<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Recently , i have been working on security aspects of Magento and Server (centos,ubuntu ..) to help my clients secure their webshops, so i have prepared a security plan . perhaps you can find useful information here . Part 1. Integrity Check &#8211; Core code check : check to make sure core files are similar&#8230;<\/p>\n<p><a class=\"read-more\" href=\"http:\/\/ndthanh.com\/magento-secure-your-webshop\/\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":1479,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,67,44,66],"tags":[],"aioseo_notices":[],"views":12,"_links":{"self":[{"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/posts\/996"}],"collection":[{"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/comments?post=996"}],"version-history":[{"count":2,"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/posts\/996\/revisions"}],"predecessor-version":[{"id":1301,"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/posts\/996\/revisions\/1301"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/media\/1479"}],"wp:attachment":[{"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/media?parent=996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/categories?post=996"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ndthanh.com\/wp-json\/wp\/v2\/tags?post=996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}