The popularity of Magento is growing, and with that growth comes the desire for hackers and bots to learn how to get into Magento stores. In this post, I will go over a handful of quick ways to improve your Magento store security.
AS ALWAYS - BACK UP YOUR SITE BEFORE MAKING ANY MAJOR CHANGES. MAKE MAJOR CHANGES TO A STAGING SITE FIRST BEFORE YOUR LIVE SITE TO MAKE SURE THE RESULTS ARE AS YOU EXPECT.
Check Up on Your Health
Your Magento site may not be as ‘healthy’ as you think. I love to share free online tools with you and here is one you will love if you are not already familiar with it. It is called MageReport.
When you visit MageReport, you simply input the URL of your Magento store and the tool will scan your website. It will check whether patches are in place and whether any other vulnerabilities exist. Once you have this report, you can begin applying the changes that address the issues putting you at risk.
I have already written an article on how to easily use SSH to patch your Magento site, so I won’t revisit that in this article; however, you can find it right here at Hip Gloss Connect. Critical patches are VERY important. Magento has only released a handful of them over the last year or so, and installing them is essential to keeping your website healthy.
Another fix that is necessary now is protecting your paths. The first path we will cover is /admin. When you first set up your Magento store, you can select what your admin path will be; however, most leave it set to the default, which is /admin. Hackers and bots are aware of this, and checking for /admin is one of the first things they do to confirm your site is one they can attack. The best thing to do is change your path.
First – Clear your cache in Magento
Second – Use FTP and go to this file: app/etc/local.xml
You will be changing one word in this file, admin, to a new word that will be easy for you to remember when accessing your admin area.
Find the value [admin] and change it to your desired word. For example, if I wanted to name mine supercoolentry, it would become [supercoolentry].
You will want to make sure that you do not select another generic term such as administrator or backend. Make it unique and easy to remember for only you or your team/staff.
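The local.xml edit above, as an added shell example that is not from the original post. It assumes the Magento 1 layout where app/etc/local.xml stores the admin front name as <frontName><![CDATA[admin]]></frontName>; it refuses the generic names the post warns about, backs the file up first, rewrites the value, and clears var/cache. The function name set_admin_frontname and the example store path are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Magento 1 install whose
# app/etc/local.xml carries <frontName><![CDATA[admin]]></frontName>.
# Usage: set_admin_frontname /path/to/magento supercoolentry

# Generic front names the post tells you to avoid: scanners try these first.
is_generic_name() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    admin|administrator|backend) return 0 ;;
    *) return 1 ;;
  esac
}

set_admin_frontname() {
  root=$1
  name=$2
  file="$root/app/etc/local.xml"
  [ -f "$file" ] || { echo "no local.xml at $file" >&2; return 1; }
  # The value becomes a URL path segment: allow only letters, digits, - and _.
  case "$name" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid front name: $name" >&2; return 1 ;;
  esac
  if is_generic_name "$name"; then
    echo "refusing generic front name: $name" >&2
    return 1
  fi
  # Back up before touching the file, as the post insists.
  cp "$file" "$file.bak" || return 1
  # Replace whatever sits inside the CDATA of <frontName> with the new word.
  sed "s|<frontName><!\[CDATA\[[^]]*]]></frontName>|<frontName><![CDATA[$name]]></frontName>|" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
  # Clear the cache so Magento picks up the new admin path.
  rm -rf "$root/var/cache/"*
  # Verify the edit actually landed; fail loudly if the pattern did not match.
  grep -qF "<![CDATA[$name]]>" "$file"
}
```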
Before you change the /downloader path, you should know that this will break loading the downloader through the System dropdown in the Magento backend. The Downloader is also referred to as Magento Connect in the backend; it is the area where you log in and then install extensions. The reason we want to protect this AND disable it from being accessed in the backend is that if someone gets in and creates an administrator account (full access), they can then install extensions on your website.
What I like to do is, use a variation of my company name for the downloader. Then I know that for all of my client Magento sites, they have a standard path that is easy for me and my team to remember. This works great for us.
To rename your downloader path, just log in to your FTP and you will see a folder named downloader. Rename it. 🙂 Let’s call it hipglossconnect for this example.
While you are in FTP, go out to /var/cache and manually delete your cache. You should now be able to access your new Downloader (Magento Connect Manager) tool by going to the new URL: http://www.yoursite.com/hipglossconnect/
TIP: We recommend renaming the folder so that it is hidden from within the Magento Back-End (an error will occur when accessing System > Magento Connect because the path is no longer there). If you would like to rename your /downloader/ so that it cannot be directly and easily found but would still like your link to work in the Magento backend, here is the fix:
In your File Manager or FTP go to the path – app/code/Mage/Connect/controllers/Adminhtml/Extension/LocalController.php
Locate the word downloader in the code, change it to the new path name, and save the file.
You can now access Magento Connect in the Back-End once again.
NOTE: Our recommendation is not to update the controller file, so that your new path is not accessible from the Back-End, for added security. Also, when you are ready to use Magento Connect, we recommend changing the name back to /downloader so that you can see all of your extensions once again. Once you have completed your install, uninstall, or update of extensions, change the name back to the new name you created to keep it hidden.
The var path leads to what is called Cacheleak. In a nutshell, the cache and session folders are inside /var. If a bot can get into your var folder, it could potentially take pieces of sessions or cache and find out information you do not want it to know, such as customer information or admin logins. It seems a bit far-fetched, but if a bot has a process written to decode and piece the information back together, it is a possibility, and therefore we must protect against it.
You will want to check the following folders and see if they have a .htaccess file inside. If not, we will need to create one.
To prevent Cacheleak, Backupleak and Sessionleak, we need to create a new file in each of these 3 folders and name it .htaccess. In this file, paste in the following only and save it.
That’s it. Just 2 lines. Now your folders are protected! One final thing I recommend is that NO .htaccess file has WRITE access. So, go to the file properties and uncheck the box next to the W. A lot of people don’t think this matters because they want to click the file and edit it with ease in the future (which is why the W is there), but I know from years of experience that if someone else gains access to your site, the last thing you want is for them to be able to change this file.
In the future, when you want to edit the .htaccess, just go to your FTP client, right-click the file, open properties, and enable W access. Tada. It is far more important to take away the write access that is preset than to leave the file writable 365 days a year when you may only edit it once or twice.
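The Cacheleak, Backupleak and Sessionleak fix above, as an added shell example that is not from the original post. It assumes the Magento 1 folders var/cache, var/session and var/backups under the store root; the two Apache 2.2 deny directives it writes are my assumption, not a reproduction of the post’s own two lines, and on Apache 2.4 without mod_access_compat the equivalent is a single "Require all denied". The function names and the is_protected check are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Magento 1 install with
# var/cache, var/session and var/backups. Usage: protect_var_dirs /path/to/magento

# Assumed content: the classic Apache 2.2 deny-all pair (two lines).
HTACCESS_BODY='Order deny,allow
Deny from all'

# Create a deny-all .htaccess in one folder unless one already exists, then
# drop write permission so an attacker with the web or FTP account cannot
# quietly reopen the folder.
protect_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "skip: $dir is not a directory" >&2; return 0; }
  f="$dir/.htaccess"
  if [ -f "$f" ]; then
    echo "exists: $f (content left as is)"
  else
    printf '%s\n' "$HTACCESS_BODY" > "$f" || return 1
    echo "created: $f"
  fi
  chmod a-w "$f" || return 1
}

protect_var_dirs() {
  root=$1
  for sub in cache session backups; do
    protect_dir "$root/var/$sub" || return 1
  done
}

# The check to run afterwards: returns 0 only when the folder has a .htaccess
# that contains a deny rule and has no write bit for anyone. The permission
# string from ls is used instead of "test -w", which always succeeds as root.
is_protected() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  grep -qi 'deny' "$f" || return 1
  perms=$(ls -ld "$f" | cut -c1-10)
  case "$perms" in
    *w*) return 1 ;;
  esac
  return 0
}
```

Run protect_var_dirs once, then is_protected on each of the three folders; an unprotected folder or a .htaccess that is still writable fails the check.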
This was a quick rundown to help keep your most important paths protected and a reminder to install critical patches!
NOTE: It is my assumption that if you are reading this you probably are pretty tech savvy and you are looking for some quick tweaks. However, if you are not experienced or do not feel comfortable making changes like this, you can always contact me and hire us to make the changes for you.