Securing Magento

From Moogento How-to Guides
Jump to: navigation, search


Magento has a few basic things to keep an eye on to keep you and your customers safe.

Quick Wins

Change the admin url

The default Magento admin URL is /admin - although it's not a perfect solution to change this, it will stop a lot of bots stressing your server.

  1. Edit the /app/etc/local.xml file.
  2. Look for <frontName><![CDATA[admin]]></frontName>
  3. Change 'admin' to something else.
  4. Clear the cache & login at the new URL.

Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site

Restrict access to your un-used store RSS feeds

If you're like 99% of Magento stores, you're not using your Magento rss feeds.

These have some security vulnerability, so if you're not using them, disable them:

location ~* ^/?(index.php/?)?rss/(order/new|catalog/notifystock|catalog/review) { return 404; }

Restrict access to the Magento Connect page

The default URL for this is /downloader; this is a classic target for people trying to get in. Once in, people could install an extension which allows total access to the attacker. 2 different ways to protect this:

Move the /downloader folder

  1. Just move it outside the web root. When you need it again move it back in.

Check your admin logins

  • Remove any that aren't in use (these easily build up with old team members, 3rd party access, etc)
  • Check the usernames
  • remove or change any like 'admin','aheadworks','amasty','magestore','mirasvit'
  • remove or change any 'one word firstname' like 'John', 'Jane'
  • Change the passwords on a regular basis, if possible (by regular, at least once every 6 months or so).

Restrict access to specific IPs

  1. If you're using Nginx:
    1. Edit your /conf.d files, inside the server { block, to include this:
      #block access to downloader
      location /downloader/ {
      deny all;
      Edit the to match your IP. If you have multiples just add a new line for each.
      Remember to restart Nginx after editing this.
  2. If you're using Apache:
    1. Edit your /downloader/.htaccess file to include these lines:
      Order deny,allow
      Deny from all
      Allow from
      Edit the to match your IP. If you have multiples just add a new line for each.

Check Your Server

If you're on a managed host, all good. If you're on a server that you're managing you'll want to check that you have secured the server inline with best practices for your specific server type. It's beyond the scope of this article as it's such a huge area, but couple of ideas:

Check File Ownership

If you get errors uploading files, especially when upgrading, you'll want to check the file permissions. If you're uploading via FTP and easy way is to create a file and check the ownership of that file.

Then go into the part of the server where Magento is located and set the recursive ownership:

chown -R {server user name} . Replace {server user name} with the actual user name.

Check File Permissions

This is a pretty standard set of file permission resets:

find . -type f -exec chmod 400 {} \;

find . -type d -exec chmod 500 {} \;

find var/ -type f -exec chmod 600 {} \;

find media/ -type f -exec chmod 600 {} \;

find var/ -type d -exec chmod 700 {} \;

find media/ -type d -exec chmod 700 {} \;

chmod 700 includes

chmod 600 includes/config.php

Top Tip: Install fail2ban and check it's working

Install Fail2Ban

This is an easy one - if you've not got this running, and then install it, it's not uncommon to see thousands of IPs immediately blocked.

There's a good guide to this over at Linode.

Ban bad IPs

You might spot some IPs repeatedly having a pop at your admin logins. Probably best to show them the door.

  1. If you're using Nginx:
    1. Edit your /conf.d files, inside the server { block, to include this:
      location / {

(Change etc. to the IPs that are keep trying to get in)

How to see which IPs are trying to get in? Easiest way is with slackCommerce:

Install slackCommerce

slackCommerce has an option to send an instant message whenever there is an admin login fail. This works for both attempts to the login page and to the downloader page. It's a free extension and will take the worry off needing to check emails constantly to see if there are any breach attempts.