Highlights of #MagenticiansTalk Twitter Session with Riccardo Tempesta about Security of Magento 2
- Magenticians
- May 16, 2018
Security has become the buzzword of the ecommerce industry. Given the recent news of data breaches, customers have become very conscious about the security measures stores have in place.
Magento 2 is a popular ecommerce platform with a growing user base around the world. We at Magenticians are all about everything Magento and as such decided to cover security as the topic of our very first #MagenticiansTalk Twitter session. For the event, we reached out to Riccardo Tempesta, CTO at MageSpecialist, who accepted our invitation to discuss the security of Magento 2.
So at the beginning, we would like to thank him for sharing his expert views on Magento 2 security :)
Here’s the recap of the session from the very first day to the last:
We're excited to announce our first ever #MagenticiansTalk on '#Magento 2 Security' with Riccardo Tempesta, CTO @magespecialist
Join us on Tuesday, 15th May, 2018 at 03:30 PM GMT for this Live Twitter Chat Session ⏲️#Magento2 #MagentoSecurity pic.twitter.com/riz2mWh4Is
— Magenticians (@magenticians) May 11, 2018
Want to know the tips and tricks about Magento 2 #security?
Join us on Tuesday, 15 May, 2018 at 03:30 PM GMT and learn from @RicTempesta, CTO @magespecialist #MagenticiansTalk #Magento2 #TwitterChat pic.twitter.com/O9bDened4B
— Magenticians (@magenticians) May 14, 2018
Get ready to know the best security practices for #Magento 2 from @RicTempesta, CTO @magespecialist ✍️
Join us tomorrow at 03:30 PM GMT ⏲️#MagenticiansTalk #Magento2 #Security pic.twitter.com/a55wNwOeuE
— Magenticians (@magenticians) May 14, 2018
Just a few hours left in #MagenticiansTalk with @RicTempesta, CTO @magespecialist, about Magento 2 security. We are waiting for your participation to make it bigger and successful.
Join us today at 03:30 PM GMT #Magento #Security ⏲️ pic.twitter.com/aFtFTmYnLa
— Magenticians (@magenticians) May 15, 2018
Only 30 mins left for the first ever #MagenticiansTalk with @RicTempesta, CTO @magespecialist
Join us for an amazing session on #Magento 2 security at 03:30 PM GMT ⏲️ pic.twitter.com/e1V29oq9fQ
— Magenticians (@magenticians) May 15, 2018
Waiting for you at #MagenticiansTalk on '#Magento 2 Security' today, 15th May, 2018 at 03:30 PM GMT. A live Twitter session to discuss security in Magento2 #Magento2 #MagentoSecurity cc @magespecialist
— The Rick (@RicTempesta) May 15, 2018
The wait is finally OVER ⏰
We are ready with @RicTempesta, CTO @magespecialist for the first ever #MagenticiansTalk
We'll be asking Riccardo some interesting questions about #Magento 2 security
— Magenticians (@magenticians) May 15, 2018
Since it is all about Magento, the first question we asked was about describing Magento in one word ;)
First of all, we would like to thank @RicTempesta for being with us today
So here's our very first question: Describe #Magento in one word? #MagenticiansTalk #Magento2 #Security
— Magenticians (@magenticians) May 15, 2018
Uh… just one word? I think the most appropriate is: "flexible" #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
In the next question we asked for a comparison of Magento 2 with Magento 1, in terms of platform security:
Q2. Keeping the topic of security in mind, how would you compare Magento 2 with Magento 1?#MagenticiansTalk #Magento2 #Security
— Magenticians (@magenticians) May 15, 2018
Magento 2 has drastically increased the security standards for sure. Magento 1 is a 10-year-old platform and security at that time was not the same as today :) . Just to give an example: Magento 1 was completely exposed to brute force attacks. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
Magento 2 "fixes" brute force attacks by having a 30 second Redis timeout for admin login ???
— Erfan Imani (@erfanimani) May 15, 2018
Lol… I know what you mean. I mean it disables your account after some failures at least. In Magento 1 you did not have this feature + most of the admins were under the "/admin" URL. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
Hahaha glad you recognise the bug (I think it's fixed in newer versions). But yes true, proper lockout and different admin route.
— Erfan Imani (@erfanimani) May 15, 2018
It is not a security issue per se, but I think it is very annoying and can be considered an admin denial of service, but if you can experience it, you have probably exposed your admin URL. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
@erfanimani , not 100% sure, but this module could help for that issue. https://t.co/pPxxV5lPLD #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
The third question was about key points for making Magento 2 more secure:
Q3. Please share some key points for making #Magento 2 more secure?#MagenticiansTalk #Magento2 #Security
— Magenticians (@magenticians) May 15, 2018
The main security threat ever is details disclosure. The more you can hide, the safer you will be. Use an unguessable admin URL. Do not use "admin" as username. Avoid unverified extensions (most important). Use strict typing while programming. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
I found that most of the threats while programming Magento2 come from unknown PHP methods side effects. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
And please: use professional hosting services with Magento 2. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
Regarding hosting services, would you prefer Managed solution or Unmanaged solution for M2 stores? #MagenticiansTalk
— Fayyaz Khattak (@fay_khattak) May 15, 2018
It depends, but I generally suggest managed hosting, in the sense that I discourage self-managed hosting without specific skills in house. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
@magemojo and @Cloudways for example?
— Maier Bianchi (@maierb) May 16, 2018
Never tried them, we have a server farm in our group. But afaik they are good service providers with Magento skills.
— The Rick (@RicTempesta) May 16, 2018
Next, we asked about the best Magento 2 security practices that developers should adopt:
Q4. What are the best practices that every developer should adopt to keep Magento 2 secure? #MagenticiansTalk #Magento #Security
— Magenticians (@magenticians) May 15, 2018
Strict typing is one of the most important, PHP type juggling can be really dangerous. I also recommend following the Magento guidelines and avoiding approaches like direct queries, unescaped strings, and the use of unserialize, eval, system and so on. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
For example, most programmers undervalue the danger of a single unescaped string in the frontend allowing XSS attacks. Another common error is to expose database IDs in the URL. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
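Two of the PHP pitfalls named in the last two tweets, the loose comparison that type juggling turns against you and an unescaped string reaching the page, shown weak form beside hardened form. This is an added example, not code from the tweets or from MageSpecialist; it runs with plain PHP without Magento classes, and the hash-like token strings and the customer name are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example: PHP type juggling and unescaped output, each with its fix.

// 1. Type juggling. With ==, PHP compares two numeric-looking strings as
//    numbers, and any string of the form "0e<digits>" evaluates to float 0.
//    So two completely different hex digests can compare as equal.
function tokenMatchesLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;            // weak: loose comparison
}

function tokenMatchesStrict(string $expected, string $supplied): bool
{
    // Same-type, byte-for-byte, constant-time comparison.
    return hash_equals($expected, $supplied);
}

// Constructed sample values; both parse as 0 under loose comparison.
$expected = '0e462097431906509019562988736854';
$supplied = '0e830400451993494058024219903391';

// The loose check accepts the mismatched token, the strict one rejects it.
var_dump(tokenMatchesLoose($expected, $supplied));
var_dump(tokenMatchesStrict($expected, $supplied));

// 2. Unescaped output. Concatenating user data straight into HTML lets it
//    become markup; escaping turns it back into inert text.
function renderNameUnescaped(string $name): string
{
    return '<span class="customer">' . $name . '</span>';   // weak
}

function renderNameEscaped(string $name): string
{
    // Roughly what Magento's Escaper::escapeHtml() does in templates.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="customer">' . $safe . '</span>';
}

$name = '<script>alert(1)</script>';   // constructed input posing as a name
echo renderNameUnescaped($name), PHP_EOL;   // script tag survives intact
echo renderNameEscaped($name), PHP_EOL;     // angle brackets become entities
```

In Magento templates the same rule applies to every `echo` of data you did not generate yourself: pass it through `$block->escapeHtml()` (or the attribute/URL variants of the Escaper) instead of printing it raw.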
For the fifth question, we asked Riccardo to name useful security-related Magento 2 third-party extensions:
Q5. Name third-party extensions which you think are beneficial for improving the Magento 2 security? #MagenticiansTalk #Magento #Security
— Magenticians (@magenticians) May 15, 2018
As @magespecialist we have been working on several free extensions to increase the Magento 2 security. You can find them on our GitHub page. One of the coolest is probably https://t.co/BO7eiMBIFw . #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
And of course, 2FA verification is recommended. But good news from that side: our module will be included in the Magento 2.3 core https://t.co/a3ia1LXIbQ. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
Next up, we asked Riccardo to share bonus tips for improving Magento 2 security:
Q6. Any bonus tips for Magento 2 security? #MagenticiansTalk #Magento #Security @RicTempesta
— Magenticians (@magenticians) May 15, 2018
Keep Magento updated! I know, it is easier said than done because of regressions and incompatibilities across different versions. Writing tests is a good way to make it easier. @VinaiKopp is a good trainer for testing if you need one #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
Plus: consider IT security as an illusion and never feel safe. No system is bug free, no system is 100% safe… and if you think your Magento store does not handle sensitive information, think of people using the same email and password in PayPal. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
For the second last question, we asked him to recommend resources that can help users and developers improve Magento 2 security:
Q7. Can you recommend resources to learn more about #Magento 2 security? #MagenticiansTalk #Magento2 #Security @RicTempesta
— Magenticians (@magenticians) May 15, 2018
Experience, failures and headaches. Seriously: Magento 2 security is PHP security, so OWASP (https://t.co/4WOlWXuu3X) is a good place to start from. But nothing can replace curiosity. Be curious and dig into Magento code. #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
In the end, we asked him to nominate a Magento maverick for the next #MagenticiansTalk session:
So, here's our last question: Who would you like to see next on #MagenticiansTalk? @RicTempesta #Magento #Magento2 #ecommerce
— Magenticians (@magenticians) May 15, 2018
My friend @aleron75 ! #MagenticiansTalk
— The Rick (@RicTempesta) May 15, 2018
Perfect recommendation for our next #MagenticiansTalk session, Riccardo! We are pretty excited to host @aleron75 next!
— Magenticians (@magenticians) May 15, 2018
Our closing tweets were:
So that's it for today's #MagenticiansTalk
Thank you @RicTempesta for your great & informative answers about #Magento 2 security. Special thanks to those who participated in the session
Stay tuned #Magenticians… We'll come up with more sessions like these in future!
— Magenticians (@magenticians) May 15, 2018
My pleasure. Thank you for what you do for the Magento community.
— The Rick (@RicTempesta) May 15, 2018
Is there a recording of this?
— Dannie L. (@dannie0la) May 16, 2018
Just look for the hashtag #MagenticiansTalk
— The Rick (@RicTempesta) May 16, 2018
Good stuff! Thanks!
— Dannie L. (@dannie0la) May 16, 2018
We hope that the above discussion will help you improve the security of your Magento 2 store. Follow Riccardo Tempesta's tips and give your customers a very secure Magento 2 store :)
If you think we have missed an important security tip or would like to share a suggestion, feel free to drop your comment below!