Magento Security Scan Tool
By Pratik Sonawadekar
Online attacks are becoming common, and any website can become a target. A successful attack has a direct negative impact on an online store and can cause millions or even a billion dollars to be lost.
Reference from CVE Details (https://www.cvedetails.com/)
62% of stores have at least one vulnerability.
60% of stores have SWF uploader open vulnerability.
49% of stores do not use SSL.
14% of Magento stores have more than 4 security issues.
Reference from Astra (https://www.getastra.com/blog/cms/magento-security/magento-security-report-by-astra-security/)
What is the Magento Security Scan tool?
The Magento Security Scan Tool monitors Magento websites on a regular basis and runs multiple security tests against them. It performs a comprehensive check of the site's security, including missing patches and configuration checks. By following this practice you receive timely reports about suspicious activity on the store.
Benefits of Security Scan Tool
● It is secure
● Reports configuration issues & recommends fixes for them
● It tells about what you have done right
● Scans can be scheduled at your convenience
● Does not affect the performance of the store during the scan
● It maintains a history of security reports
● Easy to use
● It is freely available
1. Registered Account in Magento
2. Online Store
3. Admin Access to the Store
1. Go to the Magento home page and log in to your Magento account, then choose the Security Scan option. Read the Terms and Conditions and click Agree.
2. Once you are redirected to the Monitored Websites page, click the Add Site button.
3. Verify that you are the owner of the website domain.
Magento 2 Configuration
1. Click Content > Design > Configuration. Then, in the Action column, click Edit next to the website.
2. To add the given code to the HTML head, expand the HTML Head section and enter the code in the Scripts and Style Sheets field.
3. When you’re finished, click Save Configuration.
Magento 1 Configuration
Click System > Configuration > General > Design, then add the given code to either your HTML header or footer.
Failed Scan Results
Apart from using the Magento Security Scan tool, you can follow these Magento security best practices:
1. Update Security Patches
The first and foremost way to keep your site secure is to routinely monitor for the latest security patches that apply to your website. Patches and version upgrades are constantly released to address vulnerabilities found in the platform. Upgrading your Magento website to the latest version and applying all security patches helps keep your website secure from reported vulnerabilities and from those looking to exploit them.
2. HTTPS secure internet protocols
The primary function of an SSL certificate is to enable encryption of the information exchanged between a visitor's browser and the website. Encryption transforms the data so that it cannot be read or used by unauthorised parties, protecting the traffic between the two ends over a secure connection (HTTPS). Sites that do not use a secure connection are susceptible to having this data intercepted by third parties.
In ecommerce systems such as Magento 2, this data comprises personal customer information as well as credit card details. Ensuring that this information stays protected while in transit is of the utmost importance.
3. Customize the Admin URL
The standard URL path to access your Magento 2 admin panel is yoursite.com/admin. Because the /admin path is well known to attackers, setting a custom path is an added way to deter attempts to reach the backend administrative dashboard of your Magento site. This path can be set by your Magento website developer to anything you like.
For Example: yoursite.com/my_superduper_admin or yoursite.com/pro_itservices_admin
4. Changing Passwords on a regular basis
When creating a password for your Magento 2 admin, use a mix of numbers, lower- and upper-case letters, and special characters such as &, ), (, %, ^, #, etc. to create a unique password. Avoid using real words in your password. It is also advised not to reuse your Magento 2 password anywhere else, to keep it from being compromised through another site.
Apart from having a unique password, you should be changing passwords on a regular basis as a hacker may try to access your account more than once over a period of time. Also if you lose or change devices, it is possible that someone might gain access to your saved passwords.
5. Database backup on a regular basis
While a database backup does not by itself close security vulnerabilities, it can be a lifesaver should your website be compromised by attackers adding malicious files, by brute-force attacks, or by malware. It is also a fallback for other problems, such as a server failure or database crash. Running regular site backups keeps a copy of your site in a secure place in case you need to restore it quickly.
6. Set Strict File Permissions
The local.xml file in Magento 1 and env.php in Magento 2 hold crucial information, including database usernames and passwords. Ensuring that strict permissions are set on these files is extremely important to prevent unwanted reads or changes. File permissions can also be restricted on other directories and files within your site for added security. To understand more about file permissions, and to discuss what is best for your site, contact one of our Magento Solution Specialists today.
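As an added example (not code from the original post or from Magento), the following POSIX shell script audits the permission bits on the credential files named above and strips any access for "other" users, which is what leaves the database password readable to unrelated accounts on a shared host; the file paths are the standard Magento layout and are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of Magento itself.
# Audits app/etc/env.php (Magento 2) and app/etc/local.xml (Magento 1):
# both hold the database credentials and must not be readable by "others".

# Return 0 when the file exists and no permission bit is set for "others",
# 1 otherwise. Parses ls(1) output so it works on GNU and BSD systems.
audit_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    others=$(ls -ld "$f" | cut -c8-10)      # e.g. "r--" for mode 644
    if [ "$others" != "---" ]; then
        echo "WEAK     $f (others: $others)"
        return 1
    fi
    echo "OK       $f"
    return 0
}

# Remove read/write/execute for "others"; the owner and the web-server
# group keep whatever access they already had (the Magento docs' chmod o-rwx).
harden_secret_file() {
    chmod o-rwx "$1"
}

# Usage: sh audit_env_perms.sh app/etc/env.php app/etc/local.xml
# (paths are assumptions for a standard Magento checkout)
for f in "$@"; do
    audit_secret_file "$f" || harden_secret_file "$f"
done
```

Run it from the Magento root as the file owner; a WEAK line is followed by the fix, and a second run should print OK for every file.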
7. Use Two-Factor Authentication
Two-factor authentication (2FA) trades some convenience for a large security boost, and because it tilts the balance so heavily towards security, attackers dislike it. Your Magento account password alone becomes useless to an attacker, because logging in now also requires the second factor. This makes it a great idea to enable two-factor authentication, especially when you suspect your accounts could be compromised.
8. Correct User Roles & Permissions
The Magento 2 Admin Panel is the cause of more trouble than anything else. Even limited access to the Admin Panel opens up a sea of possibilities for a malicious user to compromise the store. So let's take a closer look at the #1 problem with users: excessive permissions. It is not uncommon for website admins to forget to block the Magento accounts of users who were once given admin access, or of employees who have left the company. This situation can get very bad if you also have to give Magento accounts to your suppliers.
There are two steps to dealing with this challenge. First, glance at your Magento user list and check that you recognise every account there. If you don't, disable it, and don't hesitate to do so: if you disable someone important, they will let you know as soon as they lose access and you can re-enable it quickly. Second, go through the user list again, because there may be people who don't need all the permissions they have. Take your time to comb through the list, restrict permissions, and assign only the permissions people require to do their job.
9. Website Monitoring
Always keep monitoring your website for changes made to it. Check for unwanted code by running git status on your code base. Check whether multiple users with random email ids are suddenly being registered on the website.
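The git status check above, as an added example that is not part of the original post: a POSIX shell filter that triages `git status --porcelain` output from a Magento checkout so a cron job can alert on code files that appeared or changed outside a deployment. The directory names it ignores (var/, generated/, pub/static/) are assumptions for a standard Magento 2 layout.

```shell
#!/bin/sh
# Added example, not from the original post or from Magento.
# Reads `git status --porcelain` lines on stdin and prints only the entries
# that point at web/PHP code outside the directories Magento rewrites at
# run time. Exit status 1 means something needs a human to look at it.
flag_suspicious_changes() {
    # Porcelain format: two status chars, a space, then the path.
    # Drop caches and compiled output that legitimately change, then keep
    # only code file types. A new .php under pub/media is a classic
    # web-shell location, so pub/media is deliberately NOT excluded.
    hits=$(grep -Ev '^.. (var|generated|pub/static)/' |
           grep -E '\.(php|phtml|js|html|xml)$' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Run the check against a Magento checkout; path is an assumption.
# Usage: sh check_tree.sh /var/www/magento
check_magento_tree() {
    git -C "$1" status --porcelain | flag_suspicious_changes
}

if [ "$#" -gt 0 ]; then
    check_magento_tree "$1"
fi
```

Pair it with a deploy step that commits or tags the released tree, so that anything the filter reports is by definition not part of a deployment.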
Any Magento website can be vulnerable to attack. By using the Magento Security Scan tool and following these best practices, you will be able to secure your Magento website against such threats.