Magento Security Tutorial

How to improve the security of your Magento store

In this tutorial we make some suggestions on how to make your Magento store more secure.

Administrator Name and Password

Choose an administrator username that is hard to guess rather than the obvious admin or administrator: attackers try those names first, and a guessable username leaves them only the password to brute-force. For the password use a long, random mix of upper- and lower-case letters, digits and symbols (e.g. t8D#z9?U^1), ideally generated and stored by a password manager and not reused on any other site; do not use the example shown here, since it is public. You can change both the administrator username and password from the admin panel of your Magento store. After you log in, go to the System menu and click on My Account:

Magento Credentials Change

It's also possible to change the admin username and password directly in the database used by Magento, which is useful if you have forgotten them. This can be done through phpMyAdmin. For more information read the article on how to reset the Magento admin password.

Backup

Make regular backups of your Magento files and database, and keep a copy off the hosting account (for example on your own computer): if the site is compromised or the account is lost, a backup that lives only on the same server is lost with it. With a recent undamaged backup you can restore the site after a failure or a compromise; restore a backup to a test location once in a while to confirm that it actually works. You can back up the files on your account by downloading them with an FTP client (e.g. FileZilla). You can export the Magento database through phpMyAdmin, which you can access from the Databases section of the HostKnox control panel. In phpMyAdmin click on the name of the database where Magento is installed (in the left frame) to view its tables. Then, in the right frame, mark the checkboxes for all the tables and choose Export from the With selected drop-down menu. Keep in mind that phpMyAdmin lists the tables across several pages, so the tables on every page must be exported.
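The same backup can be taken from a shell session (e.g. over SSH) instead of FTP and phpMyAdmin, and then verified before it is trusted. The script below is an added example and not part of the HostKnox tutorial or any HostKnox tool; it assumes that tar, gzip and mysqldump are installed and that the MySQL password is kept in a MySQL option file (the [client] section of ~/.my.cnf), so it never appears on the command line. The file and directory names used in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the HostKnox tutorial: back up a Magento store's
# files and database from a shell and verify the archive before relying on it.
# Assumptions (not from the tutorial): tar, gzip and mysqldump are installed;
# the MySQL password is read from an option file (~/.my.cnf, [client] section).
set -u

# Archive the store's files. Caches and sessions are left out: Magento
# regenerates them on demand and they can be larger than the rest of the store.
backup_files() {
  src=$1; out=$2
  tar -czf "$out" -C "$src" \
    --exclude='./var/cache' --exclude='./var/session' \
    --exclude='./var/full_page_cache' .
}

# Consistent InnoDB snapshot of the database without locking the store.
# Dump first and compress second, so a mysqldump failure is not hidden
# behind gzip's exit status in a pipeline.
backup_db() {
  db_name=$1; out=$2
  mysqldump --single-transaction --routines --triggers "$db_name" > "$out.tmp" || return 1
  gzip -c "$out.tmp" > "$out" && rm -f "$out.tmp"
}

# SHA-256 of a file, with either the GNU or the BSD/macOS tool.
checksum_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    cut -d' ' -f1
}

# 0 if the archive reads back cleanly and is not empty. A truncated download
# or a full disk typically leaves an archive that fails this check.
verify_backup() {
  tar -tzf "$1" >/dev/null 2>&1 || return 1
  n=$(tar -tzf "$1" | wc -l | tr -d ' ')
  [ "$n" -gt 0 ]
}

# 0 if the archive contains the exact member name $2 (e.g. ./app/etc/local.xml).
archive_has() {
  tar -tzf "$1" | grep -qxF -- "$2"
}

# usage: backup.sh MAGENTO_DIR DB_NAME OUT_DIR
main() {
  src=$1; db=$2; dest=$3
  stamp=$(date +%Y%m%d-%H%M%S)
  files="$dest/files-$stamp.tar.gz"; dump="$dest/db-$stamp.sql.gz"
  mkdir -p "$dest"
  backup_files "$src" "$files"
  verify_backup "$files" || { echo "file backup failed verification" >&2; exit 1; }
  # app/etc/local.xml holds the database credentials: the restore needs it.
  archive_has "$files" ./app/etc/local.xml || echo "warning: app/etc/local.xml not in archive" >&2
  backup_db "$db" "$dump" || { echo "database dump failed" >&2; exit 1; }
  gzip -t "$dump" || { echo "database dump is not a valid gzip file" >&2; exit 1; }
  # Record checksums so the copy kept off the server can be checked for corruption later.
  for f in "$files" "$dump"; do printf '%s  %s\n' "$(checksum_file "$f")" "$f"; done > "$dest/SHA256SUMS-$stamp"
  echo "backup written to $dest (stamp $stamp)"
}

if [ $# -eq 3 ]; then main "$@"; else echo "usage: $0 MAGENTO_DIR DB_NAME OUT_DIR" >&2; fi
```

Copy the two archives and the SHA256SUMS file off the server together; the checksum file is what lets you tell a corrupted copy from a good one months later.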

Update

When a new stable Magento release is available, don't wait long before updating. Releases fix various problems including security vulnerabilities, and once a fix is public the vulnerability it closes is public too, so stores that lag behind become easy targets. Read the release notes for security fixes, take a backup before upgrading, and test the upgrade on a copy of the store first if you use many extensions.

File Permissions

Make sure the Magento files and folders on your hosting account have the correct permissions: files should be 644 and folders 755. The last digit of the mode is the important one here. It sets what every other user on the server can do, which on a shared machine includes other hosting accounts, and the web server process when it runs under a different account than your own. A world-writable file or folder (last digit 6 or 7, i.e. 666 or 777) can be modified by any such user, so a compromised neighbouring account can plant code in your store. You can use the Fix incorrect permissions tool in the Files section of the HostKnox control panel to check for world-writable permissions (777 or 666); if any are found, the world-writable part is fixed. If you spot a file or directory with incorrect permissions you can of course also fix it manually, for example with an FTP client. Magento does need to write to its var and media directories; 755 is enough when PHP runs as your own user (the usual setup on shared hosting), otherwise give the web server's group write access to those two directories rather than making them world-writable.
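The same audit can be done from a shell (e.g. over SSH) with find and chmod. The script below is an added example, not the HostKnox tool: it lists every world-writable entry under an assumed Magento root passed as the first argument, resets only those to 644/755 so that deliberately tighter modes are preserved, and additionally checks that app/etc/local.xml, which holds the database credentials, is not readable by other users on the server. The demo paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not the HostKnox tool: audit and fix world-writable files and
# directories under a Magento install. The install root is an assumed $1.
set -u

# Every file or directory whose "other" write bit (the last digit of the mode)
# is set, i.e. modes such as 666, 777 or 757. -perm -002 tests exactly that bit.
list_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -002 -print
}

count_world_writable() {
  list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset world-writable entries to the tutorial's baseline: 644 for files and
# 755 for directories. Entries that are not world-writable are left alone, so
# a deliberately tighter mode such as 600 on app/etc/local.xml survives.
fix_permissions() {
  find "$1" -type f -perm -002 -exec chmod 644 {} +
  find "$1" -type d -perm -002 -exec chmod 755 {} +
}

# app/etc/local.xml holds the database credentials. On a shared server a copy
# that is readable by others (other read bit, -perm -004) can be read by any
# other account on the machine. Prints the path when that is the case.
secrets_readable_by_others() {
  find "$1/app/etc" -name local.xml -perm -004 -print 2>/dev/null
}

if [ $# -eq 1 ]; then
  echo "world-writable entries before: $(count_world_writable "$1")"
  list_world_writable "$1"
  fix_permissions "$1"
  echo "world-writable entries after: $(count_world_writable "$1")"
  leaked=$(secrets_readable_by_others "$1")
  # 600 is right when PHP runs as your own user; otherwise 640 with the web server's group.
  [ -z "$leaked" ] || echo "warning: readable by other users: $leaked (use 600, or 640 with the web server's group)"
else
  echo "usage: $0 MAGENTO_ROOT" >&2
fi
```

Run it once to see the list, and again after fixing to confirm the count is zero; if caching or image uploads stop working afterwards, PHP is not running as your user and var and media need group write access as described above.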

Disable Dangerous PHP Functions

Some potentially dangerous PHP functions, those that run operating-system commands or disclose server configuration and source code, can be disabled with a directive in the php.ini file for your account. A PHP script uploaded by an attacker, for example through a vulnerable extension, normally relies on such functions to run commands on the server, so disabling them limits what a successful upload can do. The directive can only be set in php.ini and cannot be changed by a script at run time, which is what makes it effective. HostKnox servers are configured to work with one global php.ini file per account, so the rules put in that file affect all PHP files on your account. Before enabling this, check that neither Magento nor any of your extensions or cron jobs depend on the functions you disable. If you want to use this as one of your security measures, contact the HostKnox support team by submitting a ticket. Here is an example of the rule put in the php.ini file, listing some dangerous PHP functions to be disabled:

disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen
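Once the rule is in place it is worth checking that it really covers every function you intended: a typo, or a second disable_functions line later in the file, silently leaves a function enabled, and disabling show_source does not disable its alias highlight_file. The script below is an added example, not part of the tutorial or HostKnox's configuration; it parses a php.ini the way PHP does (comment lines ignored, last assignment wins) and prints the functions from a required list that are still enabled. The php.ini path is an assumed first argument and the sample ini in demo() is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the tutorial: confirm that a php.ini really
# disables every function on a required list. The ini path is an assumed $1;
# the sample ini written by demo() is constructed for this example.
set -u

# Active value of disable_functions. Lines starting with ';' are comments and
# do not match; if the directive appears more than once the last one wins, as
# in PHP. Quotes are dropped and whitespace becomes a separator, so
# "a, b" and "a,b" (both accepted by PHP) compare the same.
get_disabled() {
  sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" |
    tail -n 1 | tr -d '"' | tr -s ' \t' ',,'
}

# 0 if function $2 is in the comma-separated list $1. Matching is on the
# exact name: disabling show_source does not disable its alias highlight_file.
is_disabled() {
  case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Print each requested function that is NOT disabled, one per line.
missing_functions() {
  ini=$1; shift
  list=$(get_disabled "$ini")
  for f in "$@"; do
    is_disabled "$list" "$f" || printf '%s\n' "$f"
  done
}

# The tutorial's list plus highlight_file, the commonly forgotten alias of show_source.
REQUIRED="proc_open phpinfo show_source highlight_file system shell_exec passthru exec popen"

demo() {
  tmp=$(mktemp -d)
  # Constructed sample: an old commented-out directive and a live one that
  # matches the tutorial's rule, so only highlight_file is reported.
  cat > "$tmp/php.ini" <<'EOF'
; disable_functions = proc_open,system
disable_functions = "proc_open, phpinfo,show_source,system,shell_exec,passthru,exec,popen"
EOF
  echo "still enabled according to $tmp/php.ini:"
  missing_functions "$tmp/php.ini" $REQUIRED
  rm -rf "$tmp"
}

if [ $# -ge 1 ]; then
  # usage: check_disabled.sh /path/to/php.ini [function ...]
  ini=$1; shift
  [ $# -gt 0 ] || set -- $REQUIRED
  missing=$(missing_functions "$ini" "$@")
  [ -z "$missing" ] || { printf 'still enabled: %s\n' $missing; exit 1; }
else
  demo
fi
```

The file check tells you what the configuration says; to confirm what the running PHP actually applies, compare it with the output of ini_get('disable_functions') from a small PHP script on the site, since a different php.ini may be in effect for the web server than for the command line.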

SSL Encryption

SSL (Secure Sockets Layer; in practice its successor TLS is used today) is a protocol that encrypts the data transferred between the server and the client. This prevents eavesdropping on customer logins, addresses and payment details, and lets the browser confirm that it is talking to your site and not to an impostor. If you want your Magento store to use SSL you first need an SSL certificate issued for your domain. You can order such a certificate from us as an additional product add-on from the HostKnox client area.

After the SSL certificate is installed and https://yoursite.com/ loads without browser warnings, you can choose from your Magento admin panel to use SSL for the site's backend (admin panel) and/or its frontend. To do this, after you log in go to the System menu, then select Configuration. From the General menu on the left click on Web and then open the Secure panel in the middle of the page. In the Base URL field type the secure URL of your store, e.g. https://yoursite.com/. The last two options enable SSL for the respective parts of the site: Use Secure URLs in Frontend and Use Secure URLs in Admin. Note that Use Secure URLs in Frontend only switches the pages Magento treats as secure (checkout and customer account pages) to HTTPS; the rest of the store keeps using the unsecure base URL, which you would also have to change to https:// for a fully encrypted site. Do not enable Use Secure URLs in Admin before you have confirmed that the HTTPS URL works, otherwise you can lock yourself out of the admin panel and will have to revert the setting in the database.

Enabling SSL in Admin Panel

Don't forget to click on the Save Config button after you make any changes.
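The three Secure settings are stored in Magento's core_config_data table, which is also the way back in when Use Secure URLs in Admin was enabled before HTTPS worked and the admin panel no longer loads. The script below is an added example, not part of the tutorial or of Magento: it validates the secure base URL, generates the SQL for the same settings the admin panel writes, and generates the recovery statement that switches the admin panel back to HTTP. It assumes the mysql client is installed with its credentials in a MySQL option file, that the store uses the Default Config scope, and that the configuration paths web/secure/base_url, web/secure/use_in_frontend and web/secure/use_in_adminhtml are the Magento 1 paths for these settings.

```shell
#!/bin/sh
# Added example, not part of the tutorial: write the Secure settings straight
# into Magento 1's core_config_data table, including the lock-out recovery.
# Assumptions (not from the tutorial): the mysql client reads its credentials
# from an option file; the store uses the Default Config scope
# (scope 'default', scope_id 0); the config paths are Magento 1's.
set -u

# Accept only a plain https:// URL ending in '/', the form Magento stores,
# and nothing that could break out of the SQL string literals below.
validate_secure_base_url() {
  case $1 in
    https://*/) ;;
    *) return 1 ;;
  esac
  case $1 in
    *"'"*|*'"'*|*';'*|*' '*|*'\'*|*'@'*) return 1 ;;
  esac
  return 0
}

# SQL that enables HTTPS: $1 secure base URL, $2 frontend on (1/0), $3 admin on (1/0).
# core_config_data has a unique key on (scope, scope_id, path), so the rows are
# inserted the first time and updated on later runs.
secure_url_sql() {
  url=$1; front=$2; admin=$3
  validate_secure_base_url "$url" || { echo "invalid secure base URL: $url" >&2; return 1; }
  case "$front$admin" in [01][01]) ;; *) echo "flags must be 0 or 1" >&2; return 1 ;; esac
  printf '%s\n' \
    "INSERT INTO core_config_data (scope, scope_id, path, value) VALUES" \
    "  ('default', 0, 'web/secure/base_url', '$url')," \
    "  ('default', 0, 'web/secure/use_in_frontend', '$front')," \
    "  ('default', 0, 'web/secure/use_in_adminhtml', '$admin')" \
    "ON DUPLICATE KEY UPDATE value = VALUES(value);"
}

# SQL that turns HTTPS for the admin panel off again: the lock-out recovery.
lockout_recovery_sql() {
  printf '%s\n' \
    "UPDATE core_config_data SET value = '0'" \
    "WHERE scope = 'default' AND scope_id = 0 AND path = 'web/secure/use_in_adminhtml';"
}

# usage: secure_urls.sh DB_NAME enable https://yoursite.com/ FRONT ADMIN
#        secure_urls.sh DB_NAME recover
# Magento caches its configuration, so clear var/cache after either action.
if [ $# -ge 2 ]; then
  db=$1; action=$2; shift 2
  case $action in
    enable)  sql=$(secure_url_sql "$@") || exit 1; printf '%s\n' "$sql" | mysql "$db" ;;
    recover) lockout_recovery_sql | mysql "$db" ;;
    *) echo "unknown action: $action" >&2; exit 1 ;;
  esac
else
  echo "usage: $0 DB_NAME enable SECURE_BASE_URL FRONT ADMIN | DB_NAME recover" >&2
  echo "example SQL for https://yoursite.com/ with HTTPS on both frontend and admin:"
  secure_url_sql https://yoursite.com/ 1 1
fi
```

Run without arguments it only prints the SQL, so you can review it, or paste it into phpMyAdmin's SQL tab, before anything touches the store; remember to clear var/cache afterwards or Magento will keep serving the old configuration.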