Difference between revisions of "Securing Magento"
Revision as of 19:19, 31 March 2017
Overview
Magento has a few basic things to keep an eye on to keep you and your customers safe.
Quick Wins
Change the admin url
The default Magento admin URL is /admin. Changing it is not a complete solution, but it will stop a lot of bots stressing your server.
- Edit the /app/etc/local.xml file.
- Look for
<frontName><![CDATA[admin]]></frontName>
- Change 'admin' to something else.
- Clear the cache & login at the new URL.
Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site
Restrict access to your unused store RSS feeds
If you're like 99% of Magento stores, you're not using your Magento RSS feeds.
These have had some security vulnerabilities, so if you're not using them, disable them (Nginx rule):
location ~* ^/?(index.php/?)?rss/(order/new|catalog/notifystock|catalog/review) { return 404; }
Restrict access to the Magento Connect page
The default URL for this is /downloader; it's a classic target for people trying to get in. Once in, an attacker could install an extension that gives them total access. Two different ways to protect it:
Move the /downloader folder
- Just move it outside the web root. When you need it again move it back in.
Restrict access to specific IPs
- If you're using Nginx:
  - Edit your /conf.d files, inside the server { ... } block, to include this:
    # block access to downloader
    location /downloader/ {
        allow 11.22.33.44;
        deny all;
    }
  - Edit the 11.22.33.44 to match your IP. If you have several, add a new allow line for each.
  - Remember to restart Nginx after editing this.
- If you're using Apache:
  - Edit your /downloader/.htaccess file to include these lines:
    Order deny,allow
    Deny from all
    Allow from 11.22.33.44
  - Edit the 11.22.33.44 to match your IP. If you have several, add a new Allow line for each.
  - These are Apache 2.2 directives; on Apache 2.4 they only work with mod_access_compat loaded, otherwise use Require ip 11.22.33.44 instead.
Check Your Server
If you're on a managed host, you're all good. If you're managing the server yourself, you'll want to check that you have secured it in line with best practices for your specific server type. That's beyond the scope of this article as it's such a huge area, but here are a couple of ideas:
Check File Ownership
If you get errors uploading files, especially when upgrading, check the file ownership. If you're uploading via FTP, an easy way is to create a file and check the ownership of that file.
Then go into the directory where Magento is located and set the ownership recursively:
chown -R {server user name} .
Replace {server user name} with the actual user name.
Check File Permissions
This is a pretty standard set of file permission resets, run from the Magento root directory:
find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \;
find var/ -type f -exec chmod 600 {} \;
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \;
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php
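As an added example (not part of the original wiki page), a small POSIX shell audit that checks two of the steps above on a Magento 1 tree: that the frontName in app/etc/local.xml is no longer "admin", and that nothing under the store is group- or world-writable, which is what the chmod set above should leave. It assumes the Magento root is passed as its first argument; the function names are my own.

```shell
#!/bin/sh
# Added audit helper, not from the original wiki page. Assumption: the
# Magento root directory is passed as the first argument.

# Print the admin frontName from a local.xml. Handles the CDATA form shown on
# this page (<frontName><![CDATA[admin]]></frontName>) and a plain value.
admin_frontname() {
    grep -o '<frontName>.*</frontName>' "$1" 2>/dev/null | head -n 1 \
        | sed -e 's/<!\[CDATA\[//' -e 's/]]>//' -e 's/<frontName>//' -e 's/<\/frontName>//' \
        | tr -d ' \t'
}

# Succeeds only when the admin URL has been changed away from the default /admin.
admin_url_changed() {
    name=$(admin_frontname "$1")
    [ -n "$name" ] && [ "$name" != "admin" ]
}

# List every file or directory under $1 that is writable by group or others.
# The chmod set above leaves owner-only modes, so this should print nothing.
# Uses -perm -mode with symbolic bits, which both GNU and BSD find accept.
loose_permissions() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Run both checks and report; the exit status is the number of problems found.
audit() {
    root=$1
    problems=0
    if admin_url_changed "$root/app/etc/local.xml"; then
        echo "ok: admin frontName is '$(admin_frontname "$root/app/etc/local.xml")'"
    else
        echo "WARN: admin frontName is still the default 'admin' (or not found)"
        problems=$((problems + 1))
    fi
    loose=$(loose_permissions "$root" | wc -l | tr -d ' ')
    if [ "$loose" -eq 0 ]; then
        echo "ok: nothing group/world-writable under $root"
    else
        echo "WARN: $loose group/world-writable path(s) under $root:"
        loose_permissions "$root"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Only run the audit when a store root is given on the command line.
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it as `sh magento_audit.sh /path/to/magento`; a non-zero exit means at least one of the two steps still needs doing.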
Top Tip: Install fail2ban and check it's working
Install slackCommerce
slackCommerce has an option to send an instant message whenever there is an admin login failure. This works for attempts on both the login page and the downloader page. It's a free extension and takes away the worry of constantly checking emails to see if there are any breach attempts.