Protecting Your Magento Store From Malicious Attacks
Recently there has been an increase in brute-force password-guessing attacks, which has affected a large portion of Magento installations. These attacks have allowed unauthorized admin panel access.
Magento recently came out with a few steps you can take to help protect your store against these kinds of attacks.
The earlier versions of Magento 1 are the most at risk (Magento Enterprise Edition 1.14.2, etc.); on these early versions the admin panel, the downloader and the other listed locations all need to be guarded.
In the case of Magento 2, only the admin panel could possibly be affected and needs to be protected.
Listed below are a few steps you should take to ensure your site security.
Make sure your password and those of your employees using the admin panel are strong.
Keep in mind that longer, complicated passwords are harder for hackers to guess or brute-force.
- Best Practice Pro Tip: "Passwords should be updated every 2-3 months to ensure your site security."
Look over all admin users in System→Permissions→Users. Religiously remove any employees that no longer work for you from admin access, as well as any admins that are unknown to you.
Make sure your password and the passwords of all other employees using the admin panel are strong: using numbers, lowercase and capital letters as well as special characters can drastically improve your site's security. Longer, complicated passwords are harder to guess.
Your admin username should be something unusual and original; don't use admin or administrator.
It is also very important to ensure that all available patches are installed, as these protect you from known security issues within the Magento software.
IP Whitelisting
Another great way to protect access to your administrator panel is to allow access only to users coming from an IP address or network that you trust, e.g. your office or home office, which uses the same location and the same computer or computers every time. (This strategy will not work efficiently if your IP address is dynamic or if your company utilizes a remote workforce.)
(Do it yourself information coming up)
If You Are Using An Nginx Web Server
In most cases you will need your hosting provider to block the admin, downloader and RSS access locations. If you have full access to your server, you can modify the Nginx configuration yourself, following the instructions posted at HTTPS://WWW.NGINX.COM/RESOURCES/ADMIN-GUIDE/RESTRICTING-ACCESS/
IP Whitelisting the Admin Panel and RSS Feeds
The admin panel is reachable through /admin/index.php/admin URLs (or custom paths that you assigned).
The way to protect the admin panel and RSS feeds is to redirect any request coming from an unknown IP. This can be done by editing the .htaccess file in the Magento root folder and adding the following code right after the rewrite rules for mobile user agents.
# Guard the admin panel, the downloader and the RSS feeds. Replace
# ADMIN_PANEL_LOCATION with your own admin path; [NC] makes the match case-insensitive.
RewriteCond %{REQUEST_URI} ^.*/ADMIN_PANEL_LOCATION [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/downloader [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/rss/catalog [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/rss/order [NC]
# Only these client addresses may pass. The dots are escaped and the pattern is
# anchored at both ends, otherwise 1.2.3.4 would also match 1.2.3.45. Add one
# line per trusted address.
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteCond %{REMOTE_ADDR} !^5\.6\.7\.8$
# Everyone else is sent to the home page.
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
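As an added example that is not part of the original article, the Python below mirrors the logic of the .htaccess rule set so you can check which request/client combinations get redirected before touching the live server. It also shows why the REMOTE_ADDR condition needs escaped dots and an end anchor: a pattern written as ^1.2.3.4 is a prefix match with wildcards, so it admits 1.2.3.45 and even 1x2x3x4. The admin path "admin", the trusted addresses and the /24 home-office range are assumed example values; the CIDR support via the ipaddress module goes beyond the single-address lines on the page.

```python
import ipaddress
import re

# Paths guarded by the rewrite rules; "admin" stands in for ADMIN_PANEL_LOCATION (assumption).
PROTECTED_PATHS = re.compile(r"^.*/(admin|downloader|rss/catalog|rss/order)", re.IGNORECASE)

# The REMOTE_ADDR pattern as a naive author might write it: unescaped dots, no end anchor.
NAIVE_ALLOW = re.compile(r"^1.2.3.4")
# The same intent expressed correctly: dots escaped, anchored at both ends.
STRICT_ALLOW = re.compile(r"^1\.2\.3\.4$")


def naive_allows(remote_addr):
    return NAIVE_ALLOW.match(remote_addr) is not None


def strict_allows(remote_addr):
    return STRICT_ALLOW.match(remote_addr) is not None


# Constructed allow-list: one office address and one home-office /24 range (example values).
ALLOWLIST = [ipaddress.ip_network("1.2.3.4/32"), ipaddress.ip_network("5.6.7.0/24")]


def is_allowed(remote_addr, allowlist=ALLOWLIST):
    """True when the client address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in allowlist)


def would_redirect(request_uri, remote_addr, allowlist=ALLOWLIST):
    """Mirror of the rule set: redirect when the path is protected AND the client is not trusted."""
    if PROTECTED_PATHS.match(request_uri) is None:
        return False
    return not is_allowed(remote_addr, allowlist)


if __name__ == "__main__":
    for addr in ("1.2.3.4", "1.2.3.45", "1x2x3x4"):
        print(f"{addr:10} naive={naive_allows(addr)} strict={strict_allows(addr)}")
    checks = (
        ("/admin/index.php/admin", "9.9.9.9"),
        ("/admin/index.php/admin", "1.2.3.4"),
        ("/catalog/product/view/id/1", "9.9.9.9"),
    )
    for uri, addr in checks:
        print(f"{uri} from {addr}: redirect={would_redirect(uri, addr)}")
```

Note that the path patterns are prefix matches, exactly like the .htaccess lines: /administrator/... would be guarded as well, which is usually what you want, but storefront URLs that happen to contain /admin would be too.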
Fail2Ban Adaptive Filtering
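The Fail2Ban section carries no body on this page. As an added example that is not from the original article, the Python below shows the kind of detection that Fail2Ban-style adaptive filtering performs against the brute-force guessing described at the top of the article: it reads web server access log lines in the combined format, counts failed POSTs to the admin login path per client IP inside a sliding time window, and reports the addresses that exceed a threshold. The log lines are constructed samples, the admin panel is assumed to sit at the default /admin path, the assumption that a failed Magento 1 admin login answers with HTTP 200 (the form is re-rendered) while a successful one redirects is stated in the code, and the threshold and window are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format as written by Apache and Nginx; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the admin panel still lives at the default /admin path.
ADMIN_PATH = re.compile(r"^/admin(/|$)", re.IGNORECASE)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforcers(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Map each client IP that made at least max_attempts failed admin logins inside
    one sliding window to the largest attempt count observed in such a window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Assumption: a failed Magento 1 admin login re-renders the form with HTTP 200,
        # a successful one redirects (302), so only 200 responses count as failures.
        if method != "POST" or status != 200 or ADMIN_PATH.match(path) is None:
            continue
        attempts = recent[ip]
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged


# Constructed sample log: six rapid failed logins from one address, one normal login from another.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2016:10:00:01 +0000] "POST /admin/index.php/admin HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Mar/2016:10:00:15 +0000] "POST /admin/index.php/admin HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Mar/2016:10:00:30 +0000] "POST /admin/index.php/admin HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Mar/2016:10:00:31 +0000] "POST /admin/index.php/admin HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Mar/2016:10:00:44 +0000] "POST /admin/index.php/admin HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Mar/2016:10:01:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 9000',
    '203.0.113.9 - - [10/Mar/2016:10:01:02 +0000] "POST /admin/index.php/admin HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Mar/2016:10:01:20 +0000] "POST /admin/index.php/admin HTTP/1.1" 200 5123',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed admin logins inside the window")
```

The addresses this returns are candidates for a temporary block at the firewall or web server, which is what a Fail2Ban jail automates; a legitimate employee who mistypes a password a couple of times stays well under the threshold, while the sustained guessing pattern is caught after a handful of attempts.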
Change Location of Admin Panel and Magento Connect Manager
Password-guessing attacks assume typical admin panel locations such as /admin, /backend, /manage and /control, and the default location of Magento Connect Manager. Moving your admin panel and downloader to another location lowers the likelihood of being hit by generic attacks. This does not protect against targeted attacks, as attackers may try to guess the location with many requests.
Change the Name of the Admin Panel (Magento 1 Only)
Changing the name of the admin panel can help to protect it from attacks. To change the name, log into the admin panel and go to System -> Cache Management.
David Johnstone
Developer & Marketer
"I am adaptable, witty, and brutally honest. I really love a good drive on a racing track, snowboarding, and spending time with the fam. I consider myself the average talent but give 110% with a ridiculous obsessiveness for practice, preparation and the passion to step-out without fear of failure."