Tips for keeping Magento store secure
Magento has a number of built-in security features aimed at keeping you safe, but there are some steps you can take to make your site even more secure. Here are some tips that will make your store more secure.

1. Choose a secure password

When you're choosing your Magento site's administrator passwords, choose wisely. Depending on your configuration and permissions, this password may give access to customer information and credit card data. This is probably review for most readers, but here are some guidelines for creating a really secure password:
- Longer is better: use at least 10 characters.
- Mix upper and lower case, punctuation, and numbers.
- Making your password phonetic can make it easier to remember and type quickly.
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI

Apache then treats files with those extensions as CGI scripts, and because ExecCGI is switched off it refuses to execute them (returning 403 Forbidden) rather than running them. Because .htaccess does not support the tags that scope directives to a directory (as the main server configuration does), the .htaccess file must be placed in the directory you want to affect. Because of this, you need to set the permissions of the .htaccess file to 444 (read-only) to prevent modifications to it. You may also want to chown the file so the permissions cannot be changed. This method isn't fool-proof, but it's a good start to preventing naughty scripts from wreaking havoc. Important: placing this code in a directory's .htaccess file will prevent scripts from running in that directory and all of its sub-directories.

8. Don't save passwords on your computer

Most modern computers and browsers offer the option to save passwords as a convenience so you don't have to enter your password every time. This is great most of the time, but it can be a security problem because saved passwords can often be easily revealed in plain text. Anybody with access to the computer has access to the sensitive data. Even worse, someone could steal the computer and then use the saved passwords to access the sensitive data. To avoid unintended access to your Magento password or data, simply set your computer or browser to never save it. This might be a bit inconvenient, but it's a great security policy.

9. Keep up-to-date anti-virus software

Computer viruses and trojans can steal your data and log your keystrokes. To minimize the risk of this happening, be sure to invest in reputable anti-virus software. Free anti-virus software like AVG may be great for home and personal use, but if you want indemnification or a warranty, you may want to look at commercial anti-virus software.

10. Restrict admin access to only approved IP addresses

You can use .htaccess to limit access to your admin area. In the .htaccess file for your admin directory (details below), place the following code in order to block access to all IP addresses except those specifically listed:
    AuthName "Protected Area"
    AuthType Basic
    order deny,allow
    deny from all
    allow from 220.127.116.11
    allow from 22.2

"allow from 220.127.116.11" allows that one specific IP address; "allow from 22.2" allows the range of IP addresses beginning with 22.2 (Apache matches a partial address octet by octet, so this covers 22.2.x.x but not 22.20.x.x). Note that order/deny/allow is the Apache 2.2 access-control syntax; Apache 2.4 uses Require ip instead unless mod_access_compat is loaded.

Now for the admin directory. Magento's admin URL path is not a physical directory, it's just a symbolic link. To get started, create a directory with the same name as your admin path. The presence of this new physical directory will override the symbolic link, rendering your admin area inaccessible. To solve this, you need to copy your index.php file into your new admin directory. Then you have to change the paths within index.php to two files (includes/config.php and app/Mage.php) to account for the fact that the relative path has changed as a result of the new duplicate index.php file in the admin directory. Assuming your admin directory is just one level down from your root directory, the two lines you need to change will look like this:

    ...
    $compilerConfig = '../includes/config.php';
    ...
    $mageFilename = '../app/Mage.php';
    ...

Once you've done this, you can drop your .htaccess file in your new physical admin directory and access your admin like this:

    http://www.[your-site].com/[your-admin-directory]/index.php/[your-admin-path]

There's one more step, though. The admin URL can still be accessed through /index.php/admin. You need to disable this so that anybody who knows you're running Magento can't exploit this fact. Here's how I did this: add this code to your site's root .htaccess file:
    Redirect permanent /index.php/admin /admin/index.php/admin
    Redirect 301 /index.php/admin /admin/index.php/admin

(The two lines are equivalent: "permanent" and "301" both produce a permanent redirect, so either one is enough.) There is a downside to restricting access based on IP: if you travel a lot you may find this method very inconvenient, as you'd have to manually add each new IP address or IP range to the .htaccess file in order to gain access.
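To check how the "allow from" rules in tip 10 are actually evaluated before relying on them, here is an added Python example (not code from the original article): it parses a constructed copy of the admin .htaccess shown above and emulates Apache 2.2's deny-all-then-allow matching, including the partial-address rule that makes "22.2" cover 22.2.0.0/16 rather than every address starting with the string "22.2". It assumes IPv4 arguments only; hostnames in "allow from" are rejected rather than resolved.

```python
import ipaddress
import re

# Constructed copy of the admin-directory .htaccess from tip 10 (sample input).
ADMIN_HTACCESS = """\
AuthName "Protected Area"
AuthType Basic
order deny,allow
deny from all
allow from 220.127.116.11
allow from 22.2
"""


def parse_allow_rules(htaccess_text):
    """Return the arguments of every 'allow from' line, in file order."""
    rules = []
    for line in htaccess_text.splitlines():
        m = re.match(r"\s*allow\s+from\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            rules.extend(m.group(1).split())
    return rules


def rule_to_network(rule):
    """Translate one 'allow from' argument into an IPv4 network.

    Apache treats a partial address of 1-3 octets as a subnet restriction on
    those leading octets (/8, /16 or /24), not as a string prefix: "22.2"
    covers 22.2.0.0/16 and therefore does not admit 22.20.x.x.
    """
    if "/" in rule:
        return ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"unsupported 'allow from' argument: {rule!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def is_allowed(client_ip, htaccess_text):
    """Emulate 'order deny,allow' with a blanket 'deny from all': the client
    gets in only if at least one allow rule matches (allow wins over deny)."""
    if not re.search(r"^\s*deny\s+from\s+all\s*$", htaccess_text, re.I | re.M):
        raise ValueError("expected a 'deny from all' line; only that pattern is emulated")
    addr = ipaddress.ip_address(client_ip)
    return any(addr in rule_to_network(r) for r in parse_allow_rules(htaccess_text))


if __name__ == "__main__":
    for ip in ("220.127.116.11", "22.2.200.1", "22.20.0.1", "203.0.113.9"):
        print(f"{ip:>15} -> {'allowed' if is_allowed(ip, ADMIN_HTACCESS) else 'denied'}")
```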