8 tips to protect your Magento store from brute-force attacks
- AbdurRahman Lakhani
- April 10, 2015
Today we are featuring Wajid from Cloudways who would like to share 8 tips for protecting your Magento store against brute-force attacks.
Brute-force attacks are becoming very common these days. Most websites are by default vulnerable to such attacks. If you use Magento, WordPress, Drupal or any other popular web software, it’s not unlikely to see hundreds of attempts being carried out by hackers to crack through your website each day as “admin”, “administrator” or “root”.
A brute-force attack is one of the simplest methods to gain access to a website because other than patience it does not require any additional skill or resources. An automated script tries several different combinations of usernames and passwords, over and over again, until the login security is breached.
Brute-force attacks are simply trial and error. During such an attack, certain permutations and combinations of usernames and passwords are used by hackers to attempt to break into an account. Key in understanding the widespread usage of these attacks is that it is relatively simple to add new targets and new permutations at very little cost.
Luckily, it is also relatively simple to protect your Magento store against such an attack. Here are 8 tips for adopting security measures to protect your or your client’s precious Magento store.
1. Use a strong password
The best way to protect your Magento store against a brute-force attack is to – and advise other administrators to – use a strong password. There are various tools available to do this and they are only a simple Google search away (this one is pretty good).
Though not necessarily effective given the nature of a brute-force attack, you should change your password(s) on a frequent basis given your previous password might end up on a common dictionary list used in brute-force attacks over time.
2. Use a custom admin path
By default, you can access a Magento store backend by navigating to domain.com/admin in the browser. Because the default Magento backend URL is common knowledge in brute-force suites, you can easily get some advantage by cutting the low-hanging fruit.
Changing the admin path can be done in three steps:
- Open the /app/etc/local.xml configuration file
- Locate <![CDATA[admin]]> and replace “admin” with the path you would like to use. For example, if you change it to youradmin, the admin path will now become domain.com/youradmin.
- After you have changed this URL, refresh the Magento caches.
3. Restrict admin access
Another step is to restrict access to the Magento backend only to a few certain IPs. You can do this by protecting the admin path on a webserver level. This will point you in the right direction for Apache and this for nginx.
4. Secure local.xml
The local.xml file is one of the most important web files to be secure. This file contains all kinds of sensitive data like the database credentials and the encryption key. If the local.xml file is visible for the public, you have a problem.
To check local.xml file visibility, visit the following URL and check whether any XML is being displayed: http://domain.com/app/etc/local.xml
To secure the local.xml file, I recommend to 1) block web access to the app directory and 2) change local.xml its file permissions to 600 (-rw). This will limit read and write access for the outside world.
5. Require SSL for all login pages
Since Magento is used for e-commerce transactions, the data is often very sensitive. This is why it is recommended that all of your login details should pass through a secure connection.
Implementing an SSL certificate is needed to secure sensitive data such as: credit card information, customers’ information, log in credentials for both administrators and customers and so forth. You can obtain an SSL certificate from any verified Certificate Authority.
6. Use the latest Magento version
There are many reasons to update the version of Magento. By updating any software or application, you will get the latest security features. It fixes loopholes that might provide hackers a way into your store.
7. Pick a good hashing algorithm
MD5 was the traditional algorithm of choice for passwords on the web, because it was once considered secure. As technology and computing power has improved, the MD5 algorithm was left behind. However, there are better alternatives available. SHA-256, Whirlpool, and Tiger-192 would all be good options for you.
8. Secure the Magento Connect Manager
Magento Connect Manager is a great way to quickly install extensions, but it also poses a security risk as it is a well known entry point for brute-force attacks. Like your admin path, my suggestion is to change the downloader path to make it hard for hackers to force their way in. You can also restrict the Connect Manager on an IP address basis.
Bonus: Get a secure Magento hosting server
Lastly, your infrastructure is also a part of this equation. Every server has an operating system and server stack. These pieces of software also require regular updates. If your Magento hosting provider is not keeping an eye on the server and its security, then you are sitting on a ticking timebomb. This is where Cloudways leads the pack in the Magento hosting industry.
As a Magento Cloud Hosting Platform, Cloudways provides managed and secure cloud hosting services on the top of reliable cloud infrastructure, namely Google Compute Engine, Amazon Web Services, and DigitalOcean. This means you don’t have to worry about the security of your server. You only have to focus on the development and safety of your Magento store.
And you? Do you have a tip for protecting your Magento Store from brute-force attacks?