Securing Magento
Overview
Magento has a few basic things to keep an eye on to keep you and your customers safe.
Quick Wins
Change the admin URL
The default Magento admin URL is /admin. Changing it is obscurity rather than access control, and it does nothing against someone who already knows the new path, but nearly every scanning bot tries /admin, so a different path keeps that traffic off your login page and off your server.
- Edit the /app/etc/local.xml file.
- Look for
<frontName><![CDATA[admin]]></frontName>
- Change 'admin' to something else.
- Clear the cache (var/cache) and log in at the new URL.
Don't change this through the admin panel's configuration setting instead: a wrong value saved there locks you out of the admin, and the fix then has to be made directly in the database. Editing local.xml is simple to verify and simple to revert.
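The steps above done from the shell, as an added example that is not part of the original article: it reads the current frontName out of app/etc/local.xml, refuses to keep the default "admin" or to set a name with characters that would not survive in a URL, keeps a backup, and reads the value back afterwards instead of trusting sed's exit status. It assumes the Magento 1.x file layout; the file path and the new name are arguments, and the cache still has to be cleared by hand afterwards.

```sh
#!/bin/sh
# Added example (not from the original article): change the Magento 1 admin
# frontName in app/etc/local.xml from the shell, with a backup, input
# validation and a read-back check. Assumes the Magento 1.x file layout;
# the path and the new name are given as arguments.
set -eu

# Print the frontName currently set in the given local.xml (empty if absent).
current_front_name() {
    sed -n 's/.*<frontName><!\[CDATA\[\([^]]*\)]]><\/frontName>.*/\1/p' "$1" | head -n 1
}

# Replace the frontName in $1 with $2. Refuses the default "admin", anything
# outside [A-Za-z0-9_-] and files without a <frontName>; keeps a backup.
set_front_name() {
    file=$1
    new=$2
    case $new in
        admin) echo "refusing the default name 'admin'" >&2; return 1 ;;
        ''|*[!A-Za-z0-9_-]*) echo "frontName must match [A-Za-z0-9_-]+" >&2; return 1 ;;
    esac
    old=$(current_front_name "$file")
    [ -n "$old" ] || { echo "no <frontName> found in $file" >&2; return 1; }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    sed "s|<frontName><!\[CDATA\[$old]]></frontName>|<frontName><![CDATA[$new]]></frontName>|" "$file" > "$tmp"
    # cp (not mv) keeps the original file's owner and permissions.
    cp "$tmp" "$file" && rm -f "$tmp"
    # Read it back rather than trusting sed's exit status.
    [ "$(current_front_name "$file")" = "$new" ]
}

# Usage: sh change-admin-url.sh app/etc/local.xml some-new-name
if [ "$#" -eq 2 ]; then
    set_front_name "$1" "$2"
    echo "admin frontName is now $(current_front_name "$1"); clear var/cache and log in at /$2"
fi
```

Run it once, then clear var/cache and log in at the new path before you close the old browser session, so the backup is still at hand if anything is wrong.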
Restrict access to the Magento Connect page
The default URL for this is /downloader, and it is a classic target: it has its own login form that accepts the admin credentials, and once logged in a user can install any extension, which means any PHP code, so an attacker who guesses or brute-forces a password there has full control of the server. There are two ways to protect it:
Move the /downloader folder
- Move it outside the web root. When you need it again (installing or updating extensions), move it back in, then move it out again when you're done.
Restrict access to specific IPs
- If you're using Nginx:
- Edit your site's config under /conf.d and add this inside the server { } block:

    # block access to downloader
    location ^~ /downloader/ {
        allow 11.22.33.44;
        deny all;
        # nest a copy of your location ~ \.php$ block here so allowed IPs can still run the downloader
    }

- Edit the 11.22.33.44 to match your IP. If you have more than one, add an allow line for each.
- The ^~ matters: most Magento Nginx configs have a location ~ \.php$ block, and without ^~ that regex location wins for /downloader/index.php, so the allow/deny rules are never applied. With ^~ in place, Nginx will not use the regex location for this path at all, which is why PHP handling for the allowed clients has to be nested inside this block (the nested location inherits the access rules).
- Test the config with nginx -t, then restart (or reload) Nginx, and confirm from an address that is not on the list that /downloader/ returns 403.
- If you're using Apache:
- Edit your /downloader/.htaccess file to include these lines:

    Order deny,allow
    Deny from all
    Allow from 11.22.33.44

- Edit the 11.22.33.44 to match your IP. If you have more than one, add an Allow from line for each.
- This is the Apache 2.2 syntax; Apache 2.4 only accepts it through mod_access_compat, and its native form is a single Require ip 11.22.33.44 line (several IPs can share one line). Either way the directory's AllowOverride must permit the directives (Limit for Order/Allow/Deny, AuthConfig for Require); with AllowOverride None the .htaccess is never read, so check from an address that is not on the list that /downloader/ returns 403.
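The Nginx and Apache fragments above generated from one address list, as an added example that is not part of the original article: each address is checked to be a dotted-quad IPv4 address with an optional /prefix before anything is emitted, so a typo fails loudly instead of becoming a syntax error or an over-broad rule, and the Nginx output includes the ^~ modifier and the nested PHP location that the restriction needs. The addresses are placeholders and the fastcgi_pass target is an assumption to be replaced with the one from your own .php location.

```sh
#!/bin/sh
# Added example (not from the original article): generate the /downloader/
# allow-list for Nginx or Apache from a list of IPv4 addresses or CIDR ranges,
# rejecting anything malformed so a typo cannot turn into a syntax error or an
# over-broad rule. Addresses and the fastcgi_pass target are placeholders.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1;      prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split into octets; a wrong count or empty field fails below
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Fail unless there is at least one argument and every one is a valid address.
check_addresses() {
    [ $# -ge 1 ] || { echo "need at least one address" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4_cidr "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
}

# Nginx: ^~ stops a later "location ~ \.php$" from capturing /downloader/index.php
# and bypassing the allow/deny rules; because of that, PHP for allowed clients has
# to be handled inside this block. The nested location inherits the access rules.
nginx_downloader_block() {
    check_addresses "$@" || return 1
    printf '# block access to downloader\n'
    printf 'location ^~ /downloader/ {\n'
    for ip in "$@"; do printf '    allow %s;\n' "$ip"; done
    printf '    deny all;\n'
    printf '    location ~ \\.php$ {\n'
    printf '        include fastcgi_params;\n'
    printf '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n'
    printf '        fastcgi_pass 127.0.0.1:9000;  # placeholder: copy from your main .php location\n'
    printf '    }\n}\n'
}

# Apache 2.2 syntax (also accepted by 2.4 through mod_access_compat).
htaccess_downloader_rules() {
    check_addresses "$@" || return 1
    printf 'Order deny,allow\nDeny from all\n'
    for ip in "$@"; do printf 'Allow from %s\n' "$ip"; done
}

# Apache 2.4 native syntax: one Require ip line listing every address.
htaccess24_downloader_rules() {
    check_addresses "$@" || return 1
    printf 'Require ip'
    for ip in "$@"; do printf ' %s' "$ip"; done
    printf '\n'
}

# Usage: sh downloader-allowlist.sh nginx|apache|apache24 IP [IP...]
if [ "$#" -ge 2 ]; then
    mode=$1; shift
    case $mode in
        nginx)    nginx_downloader_block "$@" ;;
        apache)   htaccess_downloader_rules "$@" ;;
        apache24) htaccess24_downloader_rules "$@" ;;
        *) echo "unknown mode: $mode" >&2; exit 2 ;;
    esac
fi
```

Paste the Nginx output into the server { } block (and run nginx -t before reloading) or the Apache output into /downloader/.htaccess; the validation is deliberately strict, so IPv6 addresses and hostnames are rejected rather than passed through unchecked.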
Check Your Server
If you're on a managed host, all good. If you're managing the server yourself, check that it is secured in line with best practice for your particular OS and stack. That is beyond the scope of this article, as it's such a huge area.
Top Tip: Install fail2ban and check it's actually working: fail2ban-client status lists the active jails, and an empty jail list means nothing is being protected.
Install slackCommerce
slackCommerce has an option to send an instant message whenever an admin login fails, for both the admin login page and the downloader page. It's a free extension, and it means you're told about brute-force attempts as they happen instead of having to keep checking email for breach attempts.