Hardening/Securing your Magento Store

Magento is a secure application out-of-the-box, but it should be supplemented by further measures to ensure it is as secure as possible. Below is a series of steps on securing/hardening your Magento store.

  1. Do not use the root account or distribute root credentials to developers
  2. Register with a security scan service (eg. Comodo HackerGuardian, McAfee Secure, TrustWave etc.)
  3. Follow and apply instructions from your QSA/SAQ
  4. Do not change your admin URI - security through obscurity is not security. Keeping the /admin URL allows for us to automatically apply WAF rules to protect your admin, and allows for many other features of MageStack to auto set rules based on the admin area.
  5. Restrict admin acesss by IP and/or username/password
  6. Restrict downloader acesss by IP and/or username/password
  7. Correctly configure Magento cron.sh
  8. Correctly configure custom cron jobs
  9. Regularly audit VPN/SSH/FTP access
  10. Regularly audit file changes
  11. Regularly review PHP code changes
  12. Ensure file permissions are correct
  13. Secure Magmi (if installed)
  14. Securely install WordPress
  15. Review DOS blocks by country