Securing your store

Security

Lock everything down

As your sales increase, the warehouse gets busier and you are ensuring your own stock flow doesn't run dry - something that can easily be overlooked is security. Whilst you are running around running the business, there could well be someone trying to break in - and if that happens, a profitable peak season can rapidly become a peak disaster.

Protecting your store means two things,

  • Protecting customers
  • Protecting revenue

Your customers are your priority, ensuring they've got the utmost confidence in your service will guarantee repeat business - and through this, you can maintain sales. So oddly the goal is to both look secure and behind the scenes, be secure.

Contents


Look secure

When customers view your site, you have a limited opportunity to instil trust; there's a huge level of detail that could be delved into (and probably some significantly more detailed articles), but covering the basics is a simple, quick win.

To the average user, they've been trained to recognise three key signs of a secure website,

Trust Seals

The padlock

Buy a standard SSL certificate, have your hosting company install it, and enable HTTPS on your store. Its that simple. A standard SSL certificate costs £15/year.

Weighing up whether to go SSL site wide is a decision that needs careful thought and it isn't a change I'd recommend immediately before peak, the 301 redirection SEO cost could impact you more than the benefits.

The "green bar"

Upgrade your standard SSL certificate to an EV certificate. It can take a few days for these to be issued, so don't wait until expiry of your existing certificate before pursuing it. An EV certificate starts at £130/year.

The security seal

These are often included with all SSL certificates and are also often provided with standalone PCI security scans.


Be secure

The gloss of looking secure may be enough to convince your customers on the surface, but you'll also need to be secure. There'll be nothing worse than promising all the security in the world - and customers being informed by their card provider that it has been fraudulently used as a result of using your store.

Securing a Magento installation

Security starts at an infrastructure level and ends with your store - and any weak link in that chain is going to result in an insecure store. So your first focus needs to be on your hosting provider.

I hate to shamelessly promote our services (or equally, shamelessly undermine other providers) - but there are some basics that should be put in place to ensure your store is secure - some of which are what make the majority of cloud, VPS and even dedicated hosting completely insecure.

  • Lock down the infrastructure (if you are using MageStack you are already covered)
  • Restrict who has access to your code
  • Control access to your admin area
  • Monitor file changes
  • Maintain a good vetting policy for new developers and staff
  • Keeping software patched/up-to-date

There is a thorough article on hardening Magento when using MageStack - and for those using other providers, I've done a deep-dive on achieving similar functionality on Stack Exchange.

All your servers need to be in their own VLAN

If your servers aren't in their own VLAN, it means your network traffic is shared with that of other servers; the impact is that others can potentially sniff your traffic and read plain text traffic (like FTP, or MySQL) - or worse, steal your IP address and perform a MITM (man in the middle) attack.

All Sonassi solutions have a VLAN as standard. Ask your provider if you have your own VLAN.

Multi level firewalling is a must

Magento WAF

Traditional standalone hardware firewalls are becoming a thing of the past; their usefulness is declining because of their limited capacity, easy nature of being targeted for DOS attack (that's right, firewalls don't protect you from a DOS attack, they often are the first component to fail) and shallow intelligence when inspecting web traffic.

A traditional firewall will monitor very basic traffic, but isn't always capable of detecting or mitigating things like SQL injection, XSS attacks or application level exploits. So if your store is protected by just a basic Cisco ASA (or otherwise), its probably not as well protected as you think it is (or even at all).

All Sonassi solutions have a 3-Layer firewall as standard. Ask your provider if you have a WAF.

Restricting access and data transfer

When you've got a firewall in place, it immediately becomes useless if you open ports to allow plain-text traffic like MySQL and FTP through it; or expose web services like PHPMyAdmin.

An essential feature of securing your environment is to restrict access by using a VPN; this "first hop" will encrypt your traffic - allowing you to use insecure protocols like FTP. VPN's also have an added benefit of giving granular access control above that of the service being connected to.

All Sonassi solutions have a VPN as standard. Ask your provider if you can restrict access via VPN.

Separate environments for staging/dev/uat

Your development and staging sites are as much of a target as your live store is; so the less you have exposed to the internet, the better. It isn't a major problem having a single server for live and development purposes (and isn't even a violation of PCI v3 6.4) - provided that you adequately separate the environments.

This means that the code on your live site shouldn't be able to modify/view that on your staging site and vice versa.

All Sonassi solutions isolate environments via domain-groups as standard. Ask your provider if your sites are 100% isolated.

Be PCI compliant

A single paragraph alone isn't going to do this justice; but I'll summarise the important points. PCI compliance is very often misunderstood because the majority of merchants believe that they are PCI compliant by virtue of using a hosting provider that is; this isn't the case.

It is a merchants responsibility to be compliant - you must contact a QSA (qualified security assessor), complete a SAQ (self assessment questionnaire) where appropriate and undergo regular compliance scans from an ASV (approved scanning vendor). It isn't just a case of saying that you operate a secure practice, but also implement it (by rotating passwords, isolating environments, protecting customer cardholder information etc.)

If you haven't completed a SAQ yet, or don't know what a QSA is - priority number one for you is to engage an approved scanning vendor (like Security Metrics); who can guide you on what the next steps are for a business of your size.

All Sonassi solutions use MageStack, built to meet PCI v3 regulations as standard. Ask your provider if your solution does.

Patches

Like most applications, Magento has its vulnerabilities - and Magento address these in two ways,

  • Security patches
  • Magento updates

As most merchants will know, upgrading to a newer version is not a simple task; which is why the alternative of maintaining the security of your store via patches exists.

The patch files that Magento release are in the form of a script that is executed via SSH to fix the core; often they need to be followed up by a series of adjustments in your own customisations (be it modules you have installed, or the theme you use). Applying patches isn't an easy process, but it is essential for security - and is a considerably easier task than cleaning up a store than has been compromised.

Verifying whether your store is patched properly isn't easily done, but fantastic community efforts make the process easier, like MageReport from the boffins at Byte.nl (another Magento hosting specialist) - or the AppliedPatches module from Philip Jackson of MageTalk fame.

Read more about Magento's security program.

Keep up to date

MageTalk

Keeping Magento up to date is one thing, but its no use if you aren't up to date with the latest changes happening with Magento. There are many Magento blogs, news sites and podcasts.

I can wholly recommend subscribing to MageTalk - its a great way to absorb what's happening with Magento from a pair of enthusiastic and experienced Magento developers - or if reading is more your style, check out MageDev Weekly and the official Magento Community Digest.