Magento security 101: How to secure your Magento site – 10 minute mail

Due to its popularity as an e-commerce platform, Magento is an attractive target for hacker attacks, but basic security precautions can go a long way. We know that getting started with security can feel a little daunting, so we have put together this short guide to help you out. Follow our Magento security 101 and improve your Magento site’s security!

1. Use the latest version

Make sure that you are using the latest version of Magento, as software updates often include security patches. If you are using Open Source (formerly known as Community Edition), the latest version as of October 2017 is 2.2. If you are running an older version, we strongly recommend that you upgrade and check Magento’s technical resources page for the latest release information.

2. Use a strong password

This may sound like a no-brainer, but it’s still worth mentioning because weak passwords are more popular than one might think. Seriously, take a look at the Worst passwords of 2016 (a list based on 5 million leaked passwords) and prepare to be amazed.

Once you’ve got your strong password in place, don’t change it too often. Contrary to popular belief, changing your password regularly can do more harm than good as you are more likely to choose a weak password that’s easy to remember. To generate strong passwords without having to worry about forgetting them, consider using a password manager.

3. Add two-factor authentication

Strong passwords are great, but there’s always an extra layer of security to add to the mix. A simple yet powerful measure is to add two-step authentication to your login. To do this, you can buy an extension on Magento Marketplace.

4. Manage your admin panel

Change the admin directory to something unique (do not use /index.php/admin/), add an SSL certificate and make sure to restrict access to the admin panel to your own IP addresses. This is a simple step that is often overlooked – our research showed that over 23.17% of all Magento sites use the default admin directory.

When the admin panel is exposed, it gives an attacker the opportunity to brute-force the login. The attacker can test common passwords, which has a high chance of succeeding as many people reuse their passwords. Exposing the admin panel also widens the attack surface and gives attackers one more page to check for vulnerabilities. To find out more about how attackers approach Magento sites, check out our video seminar where our security researchers explain how hackers think.
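As an added example (not part of the original guide), the nginx server fragment below applies the three measures from this step in one place: plain HTTP is redirected to HTTPS, the renamed admin path is reachable only from listed addresses, and the old default path is not served at all. The hostname, certificate paths, document root, the admin path backend_x7k2 and the IP ranges are placeholders.

```nginx
# Added example, not from the original guide. Hostname, certificate paths,
# document root, the admin path and the IP ranges are placeholders.
server {
    listen 80;
    server_name shop.example.com;
    # "Add an SSL certificate": never serve the store over plain HTTP, so the
    # admin login (and customer data) cannot be intercepted on the wire.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/certs/shop.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/shop.example.com.key;  # placeholder
    root /var/www/magento;                                       # placeholder

    # "Change the admin directory" + "restrict access to your IPs":
    # the renamed admin path (placeholder backend_x7k2) is only reachable from
    # the office range and the VPN host. Everyone else receives 403 before
    # Magento even sees the request, so the login form cannot be brute-forced
    # from the open internet.
    location ~ ^/(index\.php/)?backend_x7k2(/|$) {
        allow 203.0.113.0/24;   # placeholder office range (RFC 5737 TEST-NET-3)
        allow 198.51.100.7;     # placeholder VPN egress address
        deny  all;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # The default path must not hand out an admin login form at all.
    location ~ ^/(index\.php/)?admin(/|$) {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder PHP-FPM socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Behind a CDN or reverse proxy, $remote_addr is the proxy's address, so the allow list must be paired with nginx's real_ip module (set_real_ip_from / real_ip_header) or the restriction silently admits everyone. Verify from an address outside the list that the admin path answers 403.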

Not sure if your admin panel is secure? If you run a Disposable mail security check on your Magento website, the scanner will notify you when an exposed or disclosed Magento Admin panel is found.


Run a Disposable mail scan to check for Magento Admin Panel Disclosure

5. Stay up to date with the latest vulnerabilities

What is considered secure today could easily become vulnerable tomorrow, which is why reading up on the latest security research can help you keep your site secure. Magento’s Security Center is a good place to start – the center offers patch information as well as a number of security best practices for Magento users. However, when it comes to security, it’s always a good idea to have more than one source of information and that’s where automated tools come into play.

If you find security research a little overwhelming (don’t worry, we’ve all been there), automated security scanning tools like Disposable mail can help you out. Disposable mail’s researchers add new security tests to the scanner on a regular basis, ensuring that you can always check your site for the latest vulnerabilities.


Security never stands still. To help you stay one step ahead of hackers, we are always adding new security test modules to our scanner.

6. Monitor your Magento site’s security

Working with security is a long-term commitment, which is why we recommend testing your e-commerce store for vulnerabilities on a regular basis. Disposable mail tests your site for over 700 vulnerabilities (including security issues specific to Magento) and gives you a clear overview of its security status.


Your Disposable mail threat score is a handy summary of your site’s security status

The informative scan reports list all the security issues discovered as well as their severity level and tips on how to fix them. Disposable mail does not only look for Magento-specific security issues, but also checks your company blog, email settings, and much more. You can schedule regular scans, which means Disposable mail will keep an eye on your site’s security while you focus on your customers.


Check your Disposable mail report for the exact location of vulnerabilities

Ready to get on top of your site’s security? Sign up for our 14-day free trial (no credit card required) and check your Magento store for vulnerabilities!


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Is your Magento store vulnerable? Why it’s time to put security first – 10 minute mail

Magento is not only interesting for retailers – hackers like to target widely used platforms, and the fact that online stores handle sensitive payment information is an added bonus. Our analysis of the world’s 30,000 biggest Magento stores shows that 23% are making one of the most common Magento security mistakes. Read this article to find out what these mistakes are and learn how the experts from Magento agencies Divante and Vaimo work with security.

In online retail, trust is crucial and your customers need to feel confident that you will protect their data. If customers don’t feel comfortable visiting your store and sharing their payment details with you, your business will suffer. PJ Utsi, co-founder of Magento partner Vaimo, explains that consumers are becoming increasingly aware of security risks: “Tech giants are pushing us towards a better security mindset with Apple and Google forcing 2FA. People are beginning to understand the value of security.”

25% of online shoppers in the US are concerned about personal data security and see security risks as a barrier to making online purchases more often. This is hardly surprising – when e-commerce security goes wrong, credit card details could be exposed and hackers are well aware of that. Mateusz Koszutowski, DevOps at Poland-based software house Divante, says this is why e-commerce platforms like Magento are an attractive target: “Our work has changed because there’s more money on the internet. More money means more hacker attacks because that’s what hackers are after.”

Magento best practices

There are more than 250,000 Magento stores around the globe handling over $100 billion every year. This makes Magento one of the most popular e-commerce platforms as well as a lucrative target for hackers.

In one of the most recent hacking campaigns that spanned over two years, more than 6000 Magento stores fell victim to payment information theft. Unknowingly exposing sensitive information can prove fatal for an online store as it does not only put sensitive data at risk, but also damages the retailer’s brand.

Nowadays, hackers seldom pinpoint only one victim. Instead, they target widely used technologies and attack hundreds of websites. This can be automated, giving the attackers an extremely broad scope and a higher chance of success. Disposable mail’s security researcher Linus Särud explains how a hacker would target a Magento web store:

“If I was to hack a Magento website I would look into two things: the installed version of Magento and the third party extensions and plugins that are being used. Magento has previously had a few publicly disclosed vulnerabilities, so if the system hasn’t been updated, it could be vulnerable. A hacker could just search Google for information on how to exploit it.”

Linus adds that unlike the core product, third party extensions are seldom updated, which renders them vulnerable:

“Even if there are no public vulnerabilities in the third party extension, an attacker is much more likely to find a vulnerability if they dig into the code for an extension than in the core Magento product. The core has been security tested by several people, while it is not unusual for extensions to be made in someone’s spare time. Unlike self-coded solutions, the code for third party extensions is public, which makes it easier for the attacker to find vulnerabilities.”

Missing HTTPS by default

To see what the most common security mistakes are in practice, we analyzed the 30,137 biggest Magento websites based on Alexa rankings. We have confirmed that several of the vulnerable web shops are very active and still receive orders. 50.16% of the stores we checked did not use HTTPS by default, which is a surprisingly high percentage of our sample. Website visitors can’t be expected to manually switch to HTTPS, which is why forcing HTTPS by default is a simple precaution that prevents attackers from intercepting credit card details.

Exposed admin panels

Exposed admin panels are another common Magento security mistake. Out of the 30,137 stores we analyzed, 23.17% had their admin panel exposed at /admin. While this is not a critical vulnerability in itself, an exposed admin panel makes it easier for hackers to try to gain access to your website. Mateusz Koszutowski explains that securing the admin panel is one of the most basic security measures: “The first thing we change when we start with a project is the admin panel URL.”

Third-party applications

Insecure third-party applications are another source of vulnerabilities, Mateusz explains: “In my experience, the most common mistake is using third party applications – some plugins or modules that are often useful and extend the Magento application, but haven’t been checked by us. These modules sometimes aren’t supported and they don’t have security updates.”

Make sure the platform is up-to-date

When vulnerabilities are discovered, they are quickly patched in the latest version of Magento, which is why it is crucial to keep your store updated. Divante’s Mateusz Koszutowski says that this can save you from a lot of security-related headaches and adds that Magento’s own security guidelines are a good resource: “Magento has an article about security best practices and we try to implement all of these best practices in our projects. When we go live with a project we have a checklist with these tips and we make sure to check off every single one of them. For customers who want to be sure that everything is okay, we have an offer from a specialist affiliate company that tests the services before launch.”

Work proactively with security education

Sharing security knowledge internally is important as it helps developers write safer code and consider security every step of the way, Mateusz Koszutowski says: “I think all developers should know how to prevent attacks and implement secure applications.”

Developing security skills inside the organisation also allows agencies to answer clients’ security questions and take the lead when it comes to projects like preparing for the GDPR. PJ Utsi explains that the learning process goes both ways: “As we operate one of the most important sales channels for our clients, the discussion about GDPR and security is not new to us. We have worked with big clients who take security very seriously and that has taught us a lot.”

Implement a long-term security strategy

Increased security awareness has led to people beginning to understand the value of security and organisations are now willing to invest in security services. With the GDPR becoming enforceable in May 2018 and bringing new security standards and requirements to the table, many companies are working hard to adapt their security routines. It is important to take responsibility for compliance work, says PJ Utsi: “We are focusing on GDPR so that we can be compliant by May. Many companies rely on their suppliers and don’t realize how big of a job they have ahead of them.”

Finally, viewing security as an ongoing project is a cornerstone of every security-focused mindset. Security never stands still, which is why continuous security monitoring is needed to complement the development process. As PJ Utsi points out: “Security is a never-ending story. You need to understand that you’re never done – you need to do ongoing work with security and do regular internal audits, reviews and tests on your site, something many companies forget.”

To find out more about securing your Magento store, check out our Magento security 101 with 6 simple steps you can follow to improve your site’s security.

Want to know more about how hackers approach Magento sites?

Sign up to get access to our exclusive video seminar where our security researchers Fredrik Almroth and Linus Särud explain how black-hat hackers analyze and attack Magento stores.

Sign up using this form, and we will send you the video immediately per email, so that you can watch it whenever you want. We require double opt-in. Remember to check your spam filter if you don’t receive the confirmation email. And of course, the video seminar is for free!


Thousands of vulnerable Magento web stores out there – 10 minute mail

We checked 30,000 Magento stores for three publicly available vulnerabilities that are sometimes found in older Magento installations. Despite the most recent of the three vulnerabilities being fixed over a year ago, a considerable percentage of web stores are still vulnerable.

Lately, we have been focusing on Magento security and the most common mistakes made by online retailers. To dig deeper, we went through some old publicly available Magento vulnerabilities that will be explained in more detail later in this post.

The interesting thing about these security issues is that they have been patched for at least a year. We knew that some do not regularly update their system, so we expected a few to be vulnerable, but it is interesting to see what the actual numbers tell us.

The vulnerabilities we looked at here were not discovered by us and we do not want to give the impression that doing the research was a hard thing to do. In fact, it is how easy it was to get these numbers that is concerning.

Note that reality is probably even worse. The most interesting vulnerabilities cannot be checked for without breaking the law, but chances are there are far worse vulnerabilities out there whose detection can be automated.

We checked the most popular web sites in the world according to Alexa ranking and picked out about 30k web sites that were running Magento. This means that the tested sites are not some hobby installation that has been forgotten, but actually active web stores.

In short, to test for these issues we requested three different paths on all sites with the result and details presented below.

This was a configuration file containing the hidden path to the admin panel as well as the database password in plaintext. As it is an .xml file in the web root, the default behaviour of a web server is to serve it when requested. Magento solved this by also shipping a .htaccess file that prevents anyone from accessing the file.

Figured out the problem yet? .htaccess is only supported by Apache, while Magento can be installed on other web servers, such as nginx. Nginx ignores the .htaccess file and therefore gladly serves the configuration file to anyone who requests it.

This behaviour was changed years ago, so instances still vulnerable to this have not been updated in quite a while.

Even when this file was in use, Magento screamed at you if it was publicly reachable, so for this mistake to happen you would have to ignore a security warning.
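An added example (not from the original post) of closing the gap just described: nginx never reads .htaccess, so the denials that Magento's .htaccess files express for Apache have to be restated in nginx's own configuration. The post names neither the configuration file nor its directory, so the directory names below (app/etc/ holding the configuration, plus var/, lib/ and includes/) are assumptions based on the Magento 1 layout; hostname, certificate paths and document root are placeholders.

```nginx
# Added example, not from the original post. Directory names assume the
# Magento 1 layout (app/etc/ holds the configuration); hostname, certificate
# paths and document root are placeholders.
server {
    listen 443 ssl http2;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/certs/shop.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/shop.example.com.key;  # placeholder
    root /var/www/magento;                                       # placeholder

    # Apache reads .htaccess and honours its "Deny from all"; nginx never does.
    # First, make sure the .htaccess files themselves are not downloadable:
    # they reveal which paths the application considers sensitive.
    location ~ /\.ht {
        deny all;
    }

    # The application directory (assumed to include app/etc/, where the
    # configuration with the database password and admin path lives) must
    # never be served as static content, whatever the file extension.
    # A ^~ prefix match wins over the regex locations below, including the
    # .php handler, so nothing under it can leak through another rule.
    location ^~ /app/ {
        deny all;
    }

    # Other code and data directories that Apache-only rules used to cover.
    location ^~ /var/      { deny all; }
    location ^~ /lib/      { deny all; }
    location ^~ /includes/ { deny all; }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder PHP-FPM socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading nginx, a request for any path under app/ from outside should answer 403; if it still answers 200 with XML, a more specific location elsewhere in the configuration is winning. This covers only the web server; the open port 3306 mentioned below is a firewall matter and needs to be closed separately.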

So how many are affected? Out of the 30k web stores that we scanned, about 500 have this configuration file fully available for anyone to request. Around 20% of those in turn have port 3306 open.

This issue was brought up by Hanno Böck during Sec-T, which inspired us to look for it.

This vulnerability was patched in 2015, and yet 1,500 out of the 30k tested sites are vulnerable to it.

This is an API for order history. The problem is that there was no server-side authentication whatsoever: anyone could send a request to it, with no need to even log in. The exposed data is order history, that is, which customer bought what and when: names and addresses, order totals and dates, among other things.

Keep in mind that we are talking about 1,500 relatively popular web stores, so the amount of customer data that is publicly available is massive. By just crawling these public endpoints one could build a very scary data leak.

Exposing the admin panel under something as easy to guess as /admin is far from best practice. As people tend to choose weak passwords, or even to reuse them, this can lead to a dangerous situation. Exposing the admin panel generates a security warning in Magento.

About 7,000 of the scanned web stores answered with an admin panel when we requested /admin. That is over 20%, or one fifth. Considering that these web stores are the biggest ones, and that the admins have intentionally ignored the security warning, one can only wonder what other best practices have been overlooked.

This number would be even higher if we included more common paths other than just /admin.

50.16% of the stores we checked did not use HTTPS per default, which is a surprisingly high percentage of our sample. Website visitors can’t be expected to manually switch to HTTPS, which is why forcing HTTPS by default is a simple precaution that prevents attackers from intercepting credit card details.

This issue is not by any means limited to Magento. We focused on Magento when testing these specific files, but everything indicates that every CMS (without auto-update support) has similar issues.

In addition, for two of these three issues Magento implemented security warnings that admins have to actively ignore. This is perhaps not the most well thought-out situation, but Magento has done what it could to inform users of the security risks.

If it is possible to enable auto-update, do so! Keeping your system updated is the most efficient and one of the easiest ways to stay secure.

If this is not possible, make it a routine to actually update the system regularly and add it to your calendar to make sure you log in and update once a month or at another interval that works for you.

Another option is to run a service such as Disposable mail, which of course both looks for these kinds of files and exposures and warns you if you have not updated your system. If this post caught your interest, sign up for a free two-week trial and see whether you have also accidentally published any sensitive files (or any other kind of vulnerability we check for).


[VIDEO SEMINAR] Magento security from a hacker’s perspective – 10 minute mail

Have you ever wondered how a hacker would analyze and attack a Magento website? We picked the brains of two ethical hackers to find out. Linus Särud, 18, and Fredrik Almroth, 27, share their best insights and advice on Magento security to help you keep your Magento store safe from hackers.

What you will learn in 15 minutes:

  • How Fredrik Almroth hacked one of the world’s largest e-commerce sites.
  • What any Magento website owner should know about security to be able to keep up with black-hat hackers.
  • A step-by-step explanation of how a hacker would analyze an e-commerce page.
  • What the most common Magento security issues are, based on our exclusive security data research on 30,000 Magento sites.
  • What to do if you are hacked.

Get the free video seminar
Sign up through this form, and we will send you the video immediately per email, so that you can watch it whenever you want. We require double opt-in. Remember to check your spam filter if you don’t receive the confirmation email. And of course, the video seminar is for free!


About the hackers 
Fredrik Nordberg Almroth (Twitter: @almroot), 26, is internally known as “Godfather of Hacking”, since he has basically hacked everything that can be legally hacked. Fredrik has been appointed Security Expert of the Future by Symantec, and was one of the persons behind the famous read access on Google production servers hack, which earned him a bounty of 10,000 USD.

Linus Särud (Twitter: @_zulln), 18, started his career in IT security at the young age of 13. He has found serious security flaws in Google’s systems, written about IT security for IDG Sweden, and now works as a Security Researcher at Disposable mail in addition to going to high school. At Disposable mail, he is responsible for extensive security investigations, such as how top domains were vulnerable to email spoofing, for writing articles and for guiding customers in support.
