Difference between revisions of "Securing Magento"

From Moogento How-to Guides
Jump to navigation Jump to search
(Created page with "==Overview== Magento has a few basic things to keep an eye on to keep you and your customers safe. ==Quick Wins== ===Change the admin url=== The default Magento admin URL is...")
 
m
Line 22: Line 22:
 
====Restrict access to specific IPs====
 
====Restrict access to specific IPs====
 
'''If you're using Nginx:'''
 
'''If you're using Nginx:'''
1. Edit your /conf.d files, inside the <code>server {</code> block, to include this:
+
 
 +
1.  
 +
 
 +
Edit your /conf.d files, inside the <code>server {</code> block, to include this:
 
<code>#block access to downloader
 
<code>#block access to downloader
 
location /downloader/ {
 
location /downloader/ {
Line 29: Line 32:
 
}</code>
 
}</code>
 
''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.''
 
''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.''
2. Remember to restart Nginx after editing this.
+
 
 +
2.  
 +
 
 +
Remember to restart Nginx after editing this.
  
 
'''If you're using Apache:'''
 
'''If you're using Apache:'''
1. Edit your {{folder|/downloader/.htaccess}} file to include these lines:
+
 
 +
1.  
 +
 
 +
Edit your {{folder|/downloader/.htaccess}} file to include these lines:
 
<code>Order deny,allow
 
<code>Order deny,allow
 
Deny from all
 
Deny from all

Revision as of 10:28, 21 September 2015

Overview

Magento has a few basic things to keep an eye on to keep you and your customers safe.

Quick Wins

Change the admin url

The default Magento admin URL is /admin - although it's not a perfect solution to change this, it will stop a lot of bots stressing your server.

  1. Edit the /app/etc/local.xml file.
  2. Look for <frontName><![CDATA[admin]]></frontName>
  3. Change 'admin' to something else.
  4. Clear the cache & login at the new URL.

Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site

Restrict access to the Magento Connect page

The default URL for this is /downloader; this is a classic target for people trying to get in. Once in, people could install an extension which allows total access to the attacker. 2 different ways to protect this:

Move the /downloader folder

  1. Just move it outside the web root. When you need it again move it back in.

Restrict access to specific IPs

If you're using Nginx:

1.

Edit your /conf.d files, inside the server { block, to include this: #block access to downloader location /downloader/ { allow 11.22.33.44; deny all; } Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.

2.

Remember to restart Nginx after editing this.

If you're using Apache:

1.

Edit your /downloader/.htaccess file to include these lines: Order deny,allow Deny from all Allow from 11.22.33.44 Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.