Security is often a topic that is overlooked during the build or ongoing maintenance of an ecommerce site. At the same time the build process is often complex, with UX, design and technical considerations competing for attention, so security can quite easily become an afterthought.
Unfortunately it is often only when a site gets hacked that security becomes the new priority and the extent of the vulnerabilities is exposed. Or during maintenance, when a PCI compliance scan fails and the site owner is forced to fix the issues or face a fine.
As an independent consultant it is scary how many sites I find that have multiple security vulnerabilities while processing significant transaction volumes.
In this article I focus on the Magento Ecommerce Platform (although the same principles apply to other systems) and make some recommendations on how you can make your site secure from the outset and keep it that way.
Let's get started...
Let’s start by highlighting some of the many ways that a Magento store can become compromised:
- Core security issues in Magento
- Insecure third party extensions
- Insecure server configurations
- Bad password management
- Shared tenancy server (with other clients / other CMSs)
- Improper theme implementation and sanitization of data
This list is not exhaustive and the possibilities for exploitation are vast. The full details of these are outside of the scope of this article. There is a lot to keep your eye on but there are a few general principles that can help keep things secure:
Always launch with the latest security patches and make an effort to keep Magento up to date.
This is arguably one of the most important points. Magento is hugely popular, accounting for around 26%* of market share at the time of writing. This popularity comes with the downside that when a vulnerability becomes public, it is often widely exploited. This is similar to other very popular systems like WordPress.
It is therefore critical that when Magento release a security patch you
a.) are aware of it, and
b.) apply the patch.
Magento has also recently increased its ongoing release cycle, so upgrading the core regularly will help keep things secure as well as making future upgrades much simpler. Sign up to the Magento security alert registry and get notified whenever a new one is released.
Don’t forget to apply patches during the build process too. This avoids going live with vulnerabilities. Magento is really good at letting the community know about vulnerabilities nowadays.
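The two points above (know which patches exist, confirm they are applied) can be turned into a check that runs on every deploy. The script below is an added example, not code from the article or from Magento: it reads the record a Magento 1 store keeps of applied patches in app/etc/applied.patches.list and reports which of a required list are missing. The assumptions it makes about the file (one line per apply or revert, carrying the SUPEE id, with reverts marked by the word REVERTED) and the placeholder SUPEE-0001/0002/0003 ids in the required list are this example's own and not taken from the page.

```php
<?php
// Added example, not code from the article or from Magento: audit the patch record a
// Magento 1 store keeps in app/etc/applied.patches.list against the patches you expect
// to be present. Assumptions: each apply or revert is recorded on its own line, the line
// carries the patch id (SUPEE-nnnn) and a reverted patch is recorded on a line containing
// the word REVERTED. The required list below uses placeholder ids, not real patch numbers.
declare(strict_types=1);

// Return the ids of patches that are currently applied (applied and not later reverted).
function appliedPatches(string $listContents): array
{
    $applied = [];
    foreach (preg_split('/\R/', $listContents) as $line) {
        if (!preg_match('/\bSUPEE-\d+\b/', $line, $m)) {
            continue;                           // not a patch record line
        }
        $id = $m[0];
        if (stripos($line, 'REVERTED') !== false) {
            unset($applied[$id]);               // a revert cancels the earlier apply
        } else {
            $applied[$id] = true;
        }
    }
    return array_keys($applied);
}

// Return the required ids that are not in the applied set, preserving the required order.
function missingPatches(array $required, array $applied): array
{
    return array_values(array_diff($required, $applied));
}

// Usage: php check_patches.php /path/to/magento/app/etc/applied.patches.list
// With no argument the constructed sample below is used so the script runs stand-alone.
$listPath = $argv[1] ?? null;
$contents = $listPath !== null
    ? (string) file_get_contents($listPath)
    : <<<'TXT'
2017-01-01 10:00:00 UTC | SUPEE-0001 | CE_1.9.2.4 | v1 | placeholder-hash
2017-01-02 10:00:00 UTC | SUPEE-0002 | CE_1.9.2.4 | v1 | placeholder-hash
2017-01-03 10:00:00 UTC | SUPEE-0002 | CE_1.9.2.4 | v1 | placeholder-hash | REVERTED
TXT;

// Fill this from the Magento security alert mails / patch release notes for your version.
$required = ['SUPEE-0001', 'SUPEE-0002', 'SUPEE-0003'];

$applied = appliedPatches($contents);
$missing = missingPatches($required, $applied);

echo 'Applied: ', implode(', ', $applied) ?: '(none)', PHP_EOL;
echo 'Missing: ', implode(', ', $missing) ?: '(none)', PHP_EOL;
exit($missing === [] ? 0 : 1);   // non-zero exit so a deploy pipeline can fail the build
```

Run it as part of the build and let the non-zero exit code block a release that would go live without a required patch; on the constructed sample it reports SUPEE-0001 as applied and SUPEE-0002 (reverted) and SUPEE-0003 (never applied) as missing.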
Use HTTPS not HTTP
In this day and age there is no excuse for not implementing HTTPS across all pages on your website (not just on your checkout).
Magento supports this natively, Google rewards it and most importantly it protects your users and administrators from potential man-in-the-middle attacks and session hijacking when using your site.
This can be easily enabled from within the configuration section of the Magento admin.
Insecure 3rd party extensions
Part of Magento’s strength lies in the amount of 3rd party extensions available on the marketplace (some are good, some are not so good).
It is important to remember that any time you extend the Magento core you are potentially introducing a new security vulnerability. Be aware of this, consider it when implementing new features, but most importantly choose your 3rd party providers wisely. Once you get to know who the good providers are, opt for them over lesser known ones to reduce the likelihood of badly built, insecure extensions being added to your store.
Theme security and user input
There are lots of security principles that I don’t have time to go into here but if I could recommend just one principle it would be:
"Don’t trust any user input"
Make sure that all user input via your site’s forms is sanitised and validated. Also be sure to escape all output from your application to ensure nothing executable can be run. Basically... trust nothing! PHP provides various methods to do this.
SQL injection and Cross Site Scripting (XSS) can be surprisingly easy to execute on a badly implemented / unchecked input field. This is also one of the most commonly flagged items on failed PCI scans and you may unwittingly provide an easy way for a person to do nasty things to your ecommerce site.
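The three habits the principle boils down to are: validate input against what you expect, bind values into queries rather than splicing them into SQL, and escape on output for the context the value lands in. The PHP below is an added example, not code from the article or from Magento: it implements one small "look up a product by SKU" feature twice, the unsafe way and the hardened way, against an in-memory SQLite table so it runs stand-alone with `php`. The table name, column names and sample rows are constructed for the illustration.

```php
<?php
// Added example, not code from the article or from Magento: the same "look up a product
// by SKU and show its name" feature written twice, first the way it must not be written,
// then hardened. The table and column names are assumptions made for the illustration.
declare(strict_types=1);

// VULNERABLE: the request value is interpolated into the SQL and echoed back unescaped,
// so a crafted 'sku' can alter the query (SQL injection) and any markup stored in the
// product name, or present in the value itself, is rendered by the browser (XSS).
function vulnerableLookup(PDO $db, array $request): string
{
    $sku = $request['sku'] ?? '';
    $row = $db->query("SELECT name FROM catalog_product WHERE sku = '$sku'")->fetch(PDO::FETCH_ASSOC);
    $name = $row['name'] ?? 'not found';
    return '<p>Result for ' . $sku . ': ' . $name . '</p>';
}

// HARDENED: validate on the way in, bind parameters in the query, escape on the way out.
function hardenedLookup(PDO $db, array $request): string
{
    // 1. Validate against an allow-list of what a SKU may look like; reject everything else.
    $sku = filter_var($request['sku'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9_-]{1,64}$/']]);
    if ($sku === false) {
        return '<p>Invalid SKU.</p>';
    }

    // 2. Parameterise: the value is bound by the driver, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT name FROM catalog_product WHERE sku = :sku');
    $stmt->execute([':sku' => $sku]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $name = $row['name'] ?? 'not found';

    // 3. Escape for the output context (HTML body text here; attributes, JavaScript and
    //    URLs each need their own encoder). Magento's block classes expose escapeHtml()
    //    for this same purpose.
    $esc = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return '<p>Result for ' . $esc($sku) . ': ' . $esc($name) . '</p>';
}

// Stand-alone demo on an in-memory SQLite database with constructed sample data,
// including a product name that contains markup.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE catalog_product (sku TEXT PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO catalog_product VALUES (:sku, :name)')
   ->execute([':sku' => 'ABC-123', ':name' => 'Widget <script>alert(1)</script>']);

echo vulnerableLookup($db, ['sku' => 'ABC-123']), PHP_EOL;          // stored markup is echoed as-is
echo hardenedLookup($db, ['sku' => 'ABC-123']), PHP_EOL;            // stored markup is escaped
echo hardenedLookup($db, ['sku' => "not a valid sku'"]), PHP_EOL;   // rejected before any query runs
```

Note that the hardened version does the three steps in separate places: validation protects the application from malformed data, parameter binding protects the database regardless of what passed validation, and output escaping protects the browser from whatever ended up in the database (including data written by other code paths). Dropping any one of them reintroduces the class of bug the text describes, which is why "trust nothing" has to be applied at every boundary rather than once at the form.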
Shared tenancy and extra CMSs
The first priority should be securing your main ecommerce application however the work doesn’t stop here.
Often the most overlooked item within security is the ‘backdoor’ into your application. If you host other CMSs on the same server as your ecommerce store and don’t properly manage server and site security, then this can potentially leave your store wide open to being compromised.
Imagine for example you are hosting an outdated version of WordPress, arguably one of the most hacked CMSs out there, next to your ecommerce store, and someone manages to gain access to the underlying filesystem or database. This is extremely common, and before you know it your relatively well-protected Magento site has been compromised.
The recommendation here is to host your ecommerce application separately whenever possible. If you are going to host on the same server talk with your hosting company and ensure that the setup has been properly secured.
In terms of shared server tenancy, avoid this wherever possible. When you go with a shared solution you have no idea what other sites may be housed on the same server and how secure they are.
Make sure you go with a well trusted hosting provider that knows ecommerce and preferably Magento. You might save some cash in the short term by going with the cheap option but believe me, this is a false economy.
MageReport offers a great ad hoc scanning service for your Magento store and will highlight unapplied patches when you run the scan. This is a great quick way to identify what needs to be done to get and keep your store secure.
Magento have also recently released an automated scanning tool which allows you to set up automatic periodic scans against your site(s) and will alert you when a security issue is found. This is a must.
The recommendation here is to enforce strong passwords in your organisation, make sure they are rotated regularly and remove all admin accounts that are no longer in use. Tools like LastPass and OnePass are great for making sure the above principles are enforced.
As a side note, Web Application Firewalls (WAFs) are a great way to flag and block potential brute force attacks on your ecommerce site. This is a great proactive way to add protection.
This is by no means a comprehensive look into security, it’s a huge stand-alone topic, but I would strongly suggest learning more on the subject. The OWASP Top Ten is a great place to start; they are an official body and cover the most common security issues on the web today.
As I mentioned, the topic is huge, but these general principles should help to keep your site more secure.
If you are interested in a comprehensive Magento site audit which includes detailed security analysis then please get in touch here.
Remember, don’t let security become a low priority. You are dealing with sensitive customer data on a daily basis. Don’t wait until your site has been compromised before thinking about security.