The era of online shopping has been at a steady growth, with more and more people preferring the convenience of shopping from the comforts of their own room or when they’re on the go. However it’s popularity also means an increase in finances – a field day for hackers looking for their next potential victim. Their latest method of attack is malvertising legitimate websites which people assume to be safe and secure. This is achieved through extra lines of malicious HTML code added by hackers to redirect payment from the company or sending credit card details to noxious third parties. As the owner of a Magento Ecommerce Website, it is imperative that you take the necessary steps to ensure that your website is not susceptible to malicious hacking, not only for your customer’s protection, but for yours as well. Here are a few tips to help you out:
Create a Unique Admin Path
Having a predictable admin access path such as yoursite.com/store/admin can make your Magento Website easily accessible to malicious parties. Instead, use a series of impossible-to-guess letters and numbers such as yoursite.com/store/Hg84Xt
Use an external third party payment option on your Magento Ecommerce website
Rather than letting customers enter their payment details directly onto your magento websites, outsource this step to trusted and highly secure services such as PayPal or Google Wallet. Even if hackers manage to compromise your site, they wouldn’t be able to steal your customers’ credit card details.
Never use your Magento Admin password for anything else
Your Magento password should only solely be used for that one specific account. A common method utilised by hackers to gain access to your commonly used password and use it to break into your Magento site. Ensure this doesn’t happen to you and come up with a unique passcode to bump up your level of security.
Avoid saving your password on your computer
It’s a common habit to let your computer save your login details for convenience’s sake, but doing so may be helping the hackers out there more than yourself. As an added defensive security measure, never allow your browser or password manager save your passwords for two different reasons. First, some of these password storage services are cloud based to allow easy accessibility from any computer you’re logged into; however this also means your sensitive data is being stored and waiting to be found. Secondly, you run the risk of allowing anyone access to confidential information in the chance your laptop or computer be stolen and hacked.
Use Two-Factor Authentication
Two-step login requirements guarantee that only trusted and selected devices and users can access your Magento backend. In other words, not only would you need to know the unique login details, but also require a randomly generated security code to be sent to your mobile or smartphone app. This makes it incredibly difficult for hackers to login to your Magento backend as it increases the amount of information they would need. So not only would they need to know your unique login page and secure username and password, but they would also require to have your smartphone in their possession.
Use a private and secure email address
Sophisticated hackers use social media to work out who’s in charge of the eCommerce site they’re interested in gaining control over. LinkedIn is a popular weapon for this method by searching up “eCommerce” and the company name. A number of people list their email address used for their workspace, which is then hacked into – often at times security measures aren’t a priority for email accounts, which only works in favour for the hackers themselves. Once successful, they can simply ask for a password reset and change both login details, gaining total control over your Magento Ecommerce website. To prevent this from happening, use a unique email account that is never to be shared outside the company used strictly for your admin username login.
Update your passwords before and after working with third party developers.
Outsourcing work to outside magento developers to help improve your Magento store is sometimes necessary. As a preventative measure to stop hackers from their end accessing sensitive information, make sure to change your admin and password before and after working together.
Disable Directory Indexing
By preventing malicious hosts from viewing all the files in a folder on your website, it prevents them from knowing what files exist in certain folders, making it increasingly difficult to find the weak hot spots in your Magento Ecommerce website. In order to utilise this security step, all you need to do is add “Options – Indexes” to your .htaccess file and hitting the return key.
Only use trusted and official Magento Extensions
It only takes one dodgy and vulnerable extension to provide a gateway to having complete access and control over your Magento Commerce site for any hacker. Thus, it’s highly recommended that you only use well tested extensions that have a proven legitimacy behind it. Also make it a habit to update your existing extensions when new versions are released, as usually these updates fix any security breaches.
Invest in a VPS or dedicated hosting
When you’re just starting your Magento store, it’s almost a force of habit to look for the cheapest shared hosting as a way to save finances. However even the most secure Magento store can be compromised by malevolent attacks on the other sites from your shared server. A good web hosting company would provide a web application firewall to interject MYSQL injection. Web application firewalls such as NAXSI inspect incoming HTTP traffic and scan them against malicious pattern rules and block them, thus preventing them from reaching the application running behind the web server. For quality security and maximum control over server resources, Virtual Private Services (VPS), Dedicated Server hosting or Cloud Hosting for your Magento Ecommerce website is most recommendable.
Acidgreen is an award winning digital agency and the leaders in developing the best Magento site stores in Australia, including giving you the best advice for online security. For more information on how to get started with acidgreen, contact us today.