Securing your Magento Store
Magento is a secure application out of the box, but it should be supplemented by further measures to make the store as secure as possible. Below is a checklist of steps for securing and hardening your Magento store.

- Do not use the root account, and do not distribute root credentials to developers
- Register with a security scan service (eg. Comodo HackerGuardian, McAfee Secure, TrustWave etc.)
- Follow and apply the instructions from your QSA/SAQ
- Do not change your admin URI - security through obscurity is not security. Keeping the /admin URL allows us to automatically apply WAF rules to protect your admin, and allows many other MageStack features to set rules automatically based on the admin area.
- Restrict admin access by IP and/or username/password
- Restrict downloader access by IP and/or username/password
- Correctly configure Magento cron.sh
- Correctly configure custom cron jobs
- Regularly audit VPN/SSH/FTP access
- Regularly audit file changes
- Regularly review PHP code changes
- Ensure file permissions are correct
- Secure Magmi (if installed)
- Securely install WordPress
- Review DoS blocks by country
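The "audit file changes" and "file permissions" items above are the ones most often left to intuition, so here is an added example of how to make them routine. This is illustrative script written for this page, not MageStack's own tooling: it records a sha256 baseline of the Magento docroot, reports files that have changed, appeared or disappeared since (an uploaded web shell shows up as NEW), and lists world-writable entries outside the trees Magento legitimately writes to. It assumes GNU coreutils/findutils (sha256sum, sort -z, xargs -0r) and file names without whitespace; the docroot and baseline paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not MageStack's own tooling: checksum baseline of a Magento
# docroot, a diff of the live tree against that baseline, and a world-writable
# file check. Assumes GNU coreutils/findutils (sha256sum, sort -z, xargs -0r)
# and file names without whitespace. Docroot/baseline paths are placeholders.

# baseline_checksums DOCROOT OUTFILE
# Records the sha256 of every regular file under DOCROOT into OUTFILE.
# var/ (cache, sessions, logs) and media/ are written by Magento itself and
# would produce constant noise, so they are excluded; code and config are not.
baseline_checksums() {
    docroot="$1"; out="$2"
    ( cd "$docroot" && find . -type f \
          ! -path './var/*' ! -path './media/*' -print0 \
        | sort -z | xargs -0r sha256sum ) > "$out"
}

# audit_file_changes DOCROOT BASELINE
# Prints one line per difference between the live tree and BASELINE:
#   CHANGED path   (content differs from the baseline)
#   NEW path       (not in the baseline, e.g. an uploaded web shell)
#   DELETED path   (in the baseline but gone)
# Returns 1 if anything differs, 0 otherwise, so a cron job can alert on it.
audit_file_changes() {
    docroot="$1"; base="$2"
    cur=$(mktemp)
    baseline_checksums "$docroot" "$cur"
    rc=0
    # First input (baseline) fills old[path]=hash; second input (current
    # state) is compared against it. sha256sum lines are "hash  path".
    awk 'NR == FNR { old[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in old))       { print "NEW " $2; n++ }
             else if (old[$2] != $1) { print "CHANGED " $2; n++ }
         }
         END {
             for (p in old) if (!(p in seen)) { print "DELETED " p; n++ }
             exit (n > 0)
         }' "$base" "$cur" || rc=$?
    rm -f "$cur"
    return "$rc"
}

# find_world_writable DOCROOT
# Lists files and directories any local user can write to, outside the trees
# Magento needs writable. Anything printed here is a finding to fix.
find_world_writable() {
    ( cd "$1" && find . -perm -0002 ! -type l \
          ! -path './var/*' ! -path './media/*' )
}

# Typical use from cron (paths are placeholders):
#   baseline_checksums /var/www/magento /root/magento.sha256  # once, after each deploy
#   audit_file_changes /var/www/magento /root/magento.sha256  # daily; non-zero exit = alert
#   find_world_writable /var/www/magento
```

Regenerate the baseline as part of every deployment, otherwise legitimate releases will page you as CHANGED; keep the baseline file outside the docroot and unwritable by the web server user, since an attacker who can edit the baseline can hide their changes.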