Blog
Ten Tips for Keeping your Magento Store Secure
| Monday, May 24, 2010
Are you worried about the security of your Magento store? Magento has a number of built-in security features aimed at keeping you safe, but there are some steps you can take to make your site even more secure. Follow this ten-point security policy to protect your site from hackers and security breaches.
1. Choose a secure password
When you're choosing your Magento site's administrator passwords, choose wisely. Depending on your configuration and permissions, this password may give access to customer information and credit card data. This is probably review for most readers, but here are some guidelines for creating a really secure password:
- Bigger is better. Use at least 10 characters
- Mix upper and lower case, punctuation, and numbers.
- Making your password phonetic can make it easier to remember and type quickly.
2. Require HTTPS/SSL for all pages with logins
Each time you send data over an unencrypted connection you run a risk of this data being intercepted by an unwanted third-party. Login credentials are no exception. To minimize the risk of your username and password landing in unscrupulous hands, always send it over a secure connection. By always sending your login information over an encrypted connection, hackers are limited to expensive and extremely difficult brute-force attacks.
How to require HTTPS/SLL in Magento
In Magento you can require secure logins by selecting "yes" for both "Use Secure URLs in Frontend" and "Use Secure URLs in Admin" by going to the "Secure" section of the "Web" tab in the system configuration. In order to access the system configuration, go to the "System" menu and select "Configuration."
Set "Use Secure URLs" to "yes" for both the frontend and admin
3. Don't use your Magento password for anything else
Do not use your Magento password with any other web services (such as email) or any other sites (such as Twitter, Facebook, Flickr, etc.). Third-party sites may not require or even support HTTPS/SSL to login, breaking rule number two. In the event that a third-party website is hacked, your password may be vulnerable.
4. Use a custom admin path
By default, you access your Magento admin panel by going to your-site.com/admin. Having the path to your admin panel path easily guessable means that someone or something (i.e. a password-guessing robot) can snoop around and try to guess your password. By having your admin path be a secret code word instead of the default /admin, you can prevent users from guessing your password or using it if they do somehow get a hold of your password.
How NOT to change your Magento admin path
Tucked in the "admin" section of the system configuration, the "Admin Base URL" setting looks like it offers the ability to set a custom admin URL and choose whether to use that custom URL or not. But BEWARE: this setting will break Magento by preventing you from accessing the admin panel (I've tested this and found this to be true as of Magento 1.4.0.1 and earlier).
BEWARE: Do not use the admin base URL settings; it will break your site.
How to change your Magento admin path
Although the setting does not work, there is an easy way to change your Magento admin path.
- Locate /app/etc/local.xml
- Find <![CDATA[admin]]> and replace 'admin' with the path you would like to use
So if your local.xml file says <![CDATA[drawbridge]]>, your admin path will be /drawbridge.
5. Close email loopholes
Magento has a really convenient feature that allows administrators to reset their password if forgotten. In order to reset your password, you need to know the email account associated with the account. Then you need access to that email account to retrieve the new password. First, choose an email address that is not publicly known. Second, make sure the password for your email account is secure. Third, make sure that if your email account has a security question that allows you to reset your password, you choose a question and answer that is so obscure that it would be impossible to guess.
6. Use secure FTP
Guessing or intercepting FTP passwords is probably one of the number one ways sites get "hacked." In order to prevent unauthorized access to your site's FTP, use secure passwords and use SFTP (SSH File Transfer Protocol) or FTP-SSL (Explicit AUTH TLS). With SFTP, you can use Public Key Authentication to increase security even more by requiring a private key file and an optional de-encryption password to authenticate the FTP access.
7. Limit unsecured FTP access
If you do have to connect through regular (non-secure) FTP for some accounts (i.e. to upload photos), limit access for these accounts to a narrow set of directories. You can then use .htaccess and httpd.conf files to prevent scripts from running in these directories that can change other files and directories on the server that should not not be accessible through that FTP account.
If you have access to the httpd.conf file on your server, this is the best method to preventing scripts from running in a specific directory. Place this code in your httpd.conf file:
<directory /path-to-directory-you-want-to-restrict> AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI </directory>
If you don't have access to httpd.conf, you'll have to use .htaccess. Include the following code in the .htaccess file of the directory you want to restrict:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI
Because .htaccess does not support the
Important: placing this code in a directory's .htaccess file will prevent scripts from running in that directory and all sub-directories.
8. Don't save passwords on your computer
Most modern computers and browsers offer the option to save passwords as a convenience so you don't have to enter your password every time. This is great most of the time, but can be a security problem because often saved passwords can be easily revealed in plain text. Anybody with access to the computer has access to the sensitive data. Even worse, someone could steal the computer and then use the saved passwords to access the sensitive data. To avoid unintended access to your Magento password or data, simply set your computer or browser to never save it— this might be a bit inconvenient, but it's a great security policy.
9. Keep up-to-date anti-virus software
Computer viruses and trojans can steal your data and log your key strokes. To minimize the risk of this happening, be sure to invest in reputable anti-virus software. Free anti-virus software like AVG may be great for home and personal use, but if you want indemnification or a warranty, you may want to look at commercial anti-virus software.
10. Restrict admin access to only approved IP addresses
You can use .htaccess to limit access to your admin area. In the .htaccess file for your admin directory (details below), place the following code in order to block access to all IP addresses except those specifically listed:
AuthName "Protected Area" AuthType Basic <Limit GET POST> order deny,allow deny from all allow from 11.111.111.11 allow from 22.2 </Limit>
"allow from 11.111.111.11" allows the specific IP address 11.111.111.11
"allow from 22.2" allows a range of IP addresses beginning with 22.2
Now for the admin directory. Magento's admin URL path is not a physical directory, it's just a symbolic link. To get started, create a directory with the same name as your admin path. The presence of this new physical directory will override the symbolic link, rendering your admin area inaccessible. To solve this, you need to copy your index.php file into your new admin directory. Then you have to change the paths within index.php to two files (includes/config.php and app/Mage.php) to account for the fact that the relative path has changed as a result of the new duplicate index.php file in the admin directory. Assuming your admin directory is just one level down from your root directory, the two lines you need to change will look like this:
... $compilerConfig = '../includes/config.php'; ... $mageFilename = '../app/Mage.php'; ...
Once you've done this, you can drop your .htaccess file in your new physical admin directory and access your admin like this:
http://www.[your-site].com/[your-admin-directory]/index.php/[your-admin-path]
There's one more step, though. The admin URL can still be accessed through /index.php/admin. You need to disable this so that anybody who knows you're running Magento can't exploit this fact. Here's how I did this:
Add this code to your site's root .htaccess file:
Redirect permanent /index.php/admin /admin/index.php/admin Redirect 301 /index.php/admin /admin/index.php/admin
There is a downside to restricting access based on IP: if you travel a lot you may find this method very inconvenient as you'd have to manually add each new IP address or IP range to the .htaccess file in order to gain access.
SU!Subscribe
Search
Search our Blog:
Addoa on Twitter
Addoa Excellence
We know your vision is important to you. That's why our vision is to help you share yours. When you use Addoa for your creative needs, you'll see the difference excellence makes on your project. Our superior quality, strong communication, attitude and unbeatable value make Addoa the right choice for any project.
Free project estimates anytime
Comments
Very good information, thanks for sharing. Do you have a recommended client to use for SFTP on Windows?
Dave, I've found Filezilla to be a good (and free) choice.
http://filezilla-project.org/
For #10, since the admin directory is dynamic, do you have to actually create the folder for your admin directory and put the .htaccess file in there?
You'd have to create the directory with the same name as your admin path, and place the appropriate files in that directory (index.php) to make it work. I haven't checked, but you might need to edit the contents of admin.php to refer back to the base install up one directory.
Yeah, definitely not as easy as creating the directory and just putting .htaccess in it as I've just learned. If you have a more step-by-step way of doing it, make sure to update the article :)
Dave, I updated the instructions in item 10 to include how to create a physical admin directory.
I followed your direction, though when I create the admin folder, put index.php in there and update the paths...when I go to domain.com/admin It just goes to the store homepage, rather than the admin. Is there a step I'm missing?
You're not missing any steps; you're just using the wrong admin URL. You'll want to use this:
domain.com/admin/index.php/admin
Right so I was able to access through admin/admin, but then the .htaccess IP deny doesn't seem to go into affect for the admin.
Btw, really appreciate your guidance and quick responses :)
Hey Dave,
It's working for me, but I did leave one detail out. See the comment in response to the anonymous comment below.
"blocks the specific IP address 11.111.111.11"
shouldn't this read:
"allows the specific IP address 11.111.111.11"
?
Sorry about that, it's fixed now. The code is correct, but I meant to say "allows" as you pointed out. My bad!
Regarding #10:
1. It doesn't work as far as I can tell (and I've rechecked the steps involved).
2. If the hacker knows you're running Magento and you haven't renamed your admin folder to something more obscure, then they can still enter through /index.php/admin.
3. I can't see how this protects scripts generally as they're not all within a real directory protected by .htaccess authentication. The hacker could go direct to the script if they're familiar with Magento's file structure, bypassing the "admin" folder entirely.
1. It's working for me - I get a 403 error when trying to access the site from a proxy.
To be sure, access the admin panel from /admin/index.php/admin rather than /admin/admin. If you can access /admin/admin, that's a problem. Start with a blank .htaccess file in the admin directory and then add only the code that limits the IP addresses. Magento's root .htaccess file allows you to access all pages from /page rather than /index.php/page, which is really clean and convenient for most uses. You could disable this behavior manually in your admin directory's .htaccess file, but you shouldn't need to since your admin directory's .htaccess (which omits this rewrite declaration) will override your root .htaccess file, rendering it impossible to access anything without including index.php in the URL.
Make sure you start with a blank .htaccess file in the admin directory. There is code in Magento's admin directory that allows rewrites to use /admin rather than the usual index.php/admin.
2. I forgot to include the bit where you disable access to this. I accomplished it by rewriting that path to the admin directory. Check the updated post above for details.
3. Item 10 does not protect against scripts; it protects against brute-force attacks or authorized access in uncontrolled locations. Items 1, 2, 3 and 6 protect against unauthorized FTP access, which is often used to install the types of malicious scripts you mentioned. Item 7 is aimed at preventing malicious scripts from running by disabling scripts in FTP access points unrelated to the Magento installation (such as a file-sharing directory).
Restricting admin access by IP address can be useful for a number of reasons. First, it prevents a computer from using brute-force attacks (trying sequential username/password combinations) to gain access to sensitive information available through the admin panel such as names, emails, and credit card numbers. Second, it allows administrators to control access to a physical location. This can be important for PCI compliance because PCI compliance demands that all access points be secure (for example, have up-to-date anti-virus software or are physically secure from theft). Certain measures can be taken in an office such as requiring anti-virus software on computers or physically securing the computers in the office with surveillance or locks that cannot be ensured on random computers with internet access. For example, an employee with authorized access to a username and password might access the site from his personal computer at his home without antivirus software on his personal computer. A key-logger could then steal this data, opening a security hole. By restricting access to specific locations (i.e. IP addresses), you can prevent access to the admin panel from unsecured computers.
I have tried to add the IP block as you described in the post. But after doing that, I couldn't save any settings from the admin panel. When I change something and click the save button, it shows the green bar which says that the config changes are saved successfully, but when I check back I see the old settings.
I removed the redirection to /index.php/ and accessed the control panel using index.php/ everything works fine. So I think I'm missing something in the physical directory settings. Please help.
Hi Vishnu,
I just tested what you described but was unable to replicate your problem. Is this true of all settings or just one particular setting? This sounds like this could be an issue with your database.
If you'd like me to take a closer look, please fill out the quick contact form.
Can we set ip restriction for our frontend?
Yes, you could, but why would you want to? You would be blocking customers from accessing your website.
some competitors want to copy my site, i can block them with htaccess, is this the only method?
Hey Will,
Blocking ranges of IPs is best done through .htaccess or PHP. For example, I use PHP to block all IPs but my own when the site is down for maintenance.
I wouldn't worry about trying to block your competitors. It is virtually impossible to prevent certain people from accessing your public website if they have their mind set on doing so. If you block via IP address, your competitor could just use a proxy or VPN to circumvent that. Or they could go to Starbucks or some other place with public WiFi.
To restrict access to your admin, it is simpler to user the Apache directive LocationMatch, instead of adding directories and copying files.
<code> <LocationMatch "admin"> Order Deny,Allow Deny from All Allow from 10.10.10.0/24 </LocationMatch> </code>Hi Anton,
Thanks for the contribution— this is a very good point. This is actually the method I use to block access to the site while in maintenance mode.
Hello, Really helpful article.
So would you say Anton's suggestion is just as good as your #10?
If so where would this file be placed?
Thanks!
Yes, Anton's method is just as good, if not better than the original method in my blog post.
so who wrote this?
http://www.magentonews.co.uk/magento-development/ten-tips-for-keeping-your-magento-store-secure
I am the original author of the content. I guess I shouldn't be too upset they stole my entry... they say imitation is the most sincere form of flattery...
Hi, for #4. Use a custom admin path. I broke it before I read your post. Is there a way to get it back. I cannot access my admin pages now.
Hey John,
Sorry to hear your admin path isn't working. I had the same frustration when I discovered this bug. You can fix the issue by searching within your database for the admin URL. Then simply change it in the database. You may need to flush your browser and/or Magento's cache. To delete Magento's cache, delete the contents of /var/cache.
Thanks Again.
I tired #10. At first it seemed to work fine - but actually the admin utility was not returning results properly - taking a long time to load.
Any ideas?
Thanks,
Izzy
If you're having trouble with my method for #10, try Anton's above.
Hi Isaac,
thanks for this nice article. we have a special import script called fullprodsimport.php which is actually placed on the server root folder and we just execute it without even logging into the admin. So wanted to know how to ensure that only if a person who has logged into the magento-admin can run this script else it should not run?
thanks.
Hey Dustin,
When you say you've placed it in the server root folder, do you mean the actual server root folder, or the web root folder (aka there your Magento installation is located)?
If your php file is placed in the true server root, it cannot be accessed by anyone via the web and must be run via shell, etc. This would be the most secure option, although perhaps a bit inconvenient, especially if you're not familiar with shell.
If you've placed it in the web root directory, then depending on the file permissions, the script can be run by anybody who loads the php script in their web browser. This is potentially dangerous, depending on the contents of the script.
Magneto's file structure and permissions protect the contents of many of the directories containing scripts from executing via HTTP requests. For example the /app directory results in a "403 Permission Denied" error.
If you want to protect a script file, the simplest way to setup Apache authentication for the file, or place the file in a directory that is password-protected. This is easy to do via cPanel if your host has cPanel installed.
Finally, you should know that some recent version of Magento already have a product import feature built-in. The one I've used in version 1.4.x isn't the most intuitive as it requires creating CSV files with product details, but it can save a lot of time if you have to import a lot of products. I've heard the 1.5.x version of Magento has a brand new product import feature, but I haven't tested it out.
Good luck,
-Isaac
Hi Issac,
Thanks for this tutorial. I'm however a little stuck with number 10. I've noticed that index.php/admin is still showing the admin page like you mention. I've tried the .htaccess redirect trick you mention but now when I try to visit any pages on my Magento installation all I get is a 500 error popping up. It seems this redirect might be conflicting with the "RewriteRule .* index.php [L]" comment? Please could you help?
Instead of the IP address block, I'm using a password protect of the admin folder but it should work the same.
Thanks,
James
Hi James,
Sorry to hear you're having trouble implementing this. Without look at your full .htaccess file, I can't really give you much advice on what might be wrong.
One piece of advice I do have though is that password protecting the admin folder via .htaccess and .htpasswd doesn't protect against brute force attacks. The goal of IP-based blocking is that potential hackers can't even connect to your website to test passwords.
Great find, thanks for the article, this was the last set of things I needed prior to setting the site free.
Post new comment