July 20th, 2017
In a world now filled with DDoS attacks (Distributed Denial of Service), brute-force attempts on admin panel logins and more, security has moved to the forefront of almost every website owner’s mind. This is especially true when you are running an E-commerce website!
The fact that you are running a business where transactions are carried out through a website means you need to make sure that everything is locked down securely. On top of this, you want to make sure that the site stays “up”, rather than having a server crash and losing potential sales because customers can’t access the site.
Then there’s the SEO benefit of having a safe website; if your website were to be hacked and have malicious content or files added to it, then Google will penalise you, causing even further losses in sales.
It’s all pretty harrowing, isn’t it? But did you know that you can get your security setup checked?
How do you check your Magento security setup?
To begin with, the first thing that you should be doing is paying close attention to the Magento Notifications. These will be your first port of call, and your first warning signs if there are any major security issues with the website.
The second step would be to sign up for Magento Security Alerts. This is a service run by Magento specifically, where they will let all registered users know when a security flaw has been found in the Magento system as a whole. Whilst you’re there, you should also visit the Magento Security Centre and check what the latest security patch is!
We would also recommend going through the following checklist, in order to make sure that you have everything as tightly knit as possible!
- Is your Magento site fully up to date?
- Are your extensions up to date?
- Have you made sure that all of your passwords are encrypted?
- Have you removed any unnecessary images and files from the hosting?
- Are your file and folder permissions set correctly?
- Have you checked that your email address is not easily accessible to spambots?
Doing these will mean that you are always one step ahead of the game when it comes to “out-of-the-box” Magento security. However, that’s only really part of the issue, isn’t it? What about all of those extensions?
Which are the most important security patches?
Well, the first thing to say is that, honestly, all of them are important and you should implement each one. That said, the Shoplift Bug Patch (SUPEE-5344) is utterly imperative!
Released to combat major security flaws that could lead to hackers potentially being able to hijack your entire store, it’s a really important patch that you absolutely must install! So, if you haven’t already, go and get it!
The other patch that you really, really need to install would be SUPEE-8788. This patch rectified security flaws in the Zend Framework, addressed payment vulnerabilities, made sure that sessions are ended when a user logs out and fixed a number of smaller security issues.
However, once again, we cannot stress enough the importance of getting all of the security patches installed!
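Two of the items above (file and folder permissions, and whether the named SUPEE patches are actually on the box) can be checked from the shell. The script below is an added example, not code from the original post or from Magento; it assumes a Magento 1 tree where patch scripts record themselves in app/etc/applied.patches.list as pipe-delimited lines with the SUPEE id in the second field and a trailing "REVERTED" field when a patch was backed out, and it builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post). Assumptions: app/etc/applied.patches.list
# is pipe-delimited, SUPEE id in the second field, "REVERTED" marks a revert.

# Exit 0 if the patch's most recent entry is present and not reverted.
patch_applied() {
    list="$1"; patch="$2"
    [ -f "$list" ] || return 1
    last=$(grep "| $patch |" "$list" | tail -n 1)
    [ -n "$last" ] || return 1
    case "$last" in
        *REVERTED*) return 1 ;;
    esac
    return 0
}

# Count world-writable files and directories under a webroot (symlinks skipped).
count_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Constructed sample tree standing in for a real installation.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/app/etc" "$DEMO/media"
chmod 755 "$DEMO/app" "$DEMO/app/etc" "$DEMO/media"
LIST="$DEMO/app/etc/applied.patches.list"
cat > "$LIST" <<'EOF'
2015-02-10 10:00:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 1234abcd | SUPEE-5344_CE_1.9.1.0_v1.sh
2016-10-18 09:00:00 UTC | SUPEE-8788 | CE_1.9.1.0 | v1 | 5678efgh | SUPEE-8788_CE_1.9.1.0_v1.sh
2016-10-19 09:00:00 UTC | SUPEE-8788 | CE_1.9.1.0 | v1 | 5678efgh | SUPEE-8788_CE_1.9.1.0_v1.sh | REVERTED
EOF
chmod 644 "$LIST"
touch "$DEMO/app/etc/local.xml";  chmod 644 "$DEMO/app/etc/local.xml"
touch "$DEMO/media/upload.jpg";   chmod 666 "$DEMO/media/upload.jpg"  # deliberately world-writable

for p in SUPEE-5344 SUPEE-8788; do
    if patch_applied "$LIST" "$p"; then echo "$p: applied"; else echo "$p: MISSING or reverted"; fi
done
echo "world-writable entries under webroot: $(count_world_writable "$DEMO")"
```

In the sample, SUPEE-8788 shows as reverted and the upload file is flagged, which is exactly the kind of gap a quick permissions audit should surface.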
How to check the security of Magento extensions
Even if you have the base Magento installation locked down like Fort Knox, the website itself could still have any number of vulnerabilities. How?
Well, almost every Magento e-commerce website out there runs on extensions. We’ve seen them everywhere. In fact, we use them everywhere too! Everyone does. The base version of Magento is good but doesn’t do everything that you will need it to do. That’s why extensions are so widely used.
The issue is, security updates for these extensions are the responsibility of the extension developer, not Magento themselves.
Because these are entirely third-party pieces of software, and because Magento is open-source, anyone can make an extension! Well, anyone who can code anyway. What that means is that there are tons of different extensions out there that are written for a hobby and never fully patched. Even some of the best developers out there miss the odd security hole when working in tunnel vision on a single project – for hobbyist developers this can be even worse.
But it’s not just the hobbyist developer extensions that can cause trouble. If Magento itself updates and changes the way it runs or understands a specific syntax, then a professional extension may be at risk. It may appear to work fine, but in the back end, a door to the website may have just been opened.
Therefore, it’s imperative that you check your site for any potential Magento security issues caused by these extensions. To do this, you can use one of a variety of specialist tools to review the security setup.
However, these tools tend to miss some of the security issues within the website, not really giving you the full and honest picture of your security setup.
That’s why you need a specialist Magento developer who can understand these reports and then sift through the backend of the website and find all of the other security risks currently facing it. They will then need the confidence and skill to be able to plug those security holes.
This way, you don’t end up relying on information that isn’t completely accurate and leave gaping holes open in your security!
If you’re worried about your Magento security, then why not get in touch with us? Our specialist developers can work with you to find and plug any of the security holes in your e-commerce website and get you back on track again!