Difference between revisions of "Securing Magento"
(Created page with "==Overview== Magento has a few basic things to keep an eye on to keep you and your customers safe. ==Quick Wins== ===Change the admin url=== The default Magento admin URL is...") |
m |
||
| Line 22: | Line 22: | ||
====Restrict access to specific IPs==== | ====Restrict access to specific IPs==== | ||
'''If you're using Nginx:''' | '''If you're using Nginx:''' | ||
| − | 1. Edit your /conf.d files, inside the <code>server {</code> block, to include this: | + | |
| + | 1. | ||
| + | |||
| + | Edit your /conf.d files, inside the <code>server {</code> block, to include this: | ||
<code>#block access to downloader | <code>#block access to downloader | ||
location /downloader/ { | location /downloader/ { | ||
| Line 29: | Line 32: | ||
}</code> | }</code> | ||
''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.'' | ''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.'' | ||
| − | 2. Remember to restart Nginx after editing this. | + | |
| + | 2. | ||
| + | |||
| + | Remember to restart Nginx after editing this. | ||
'''If you're using Apache:''' | '''If you're using Apache:''' | ||
| − | 1. Edit your {{folder|/downloader/.htaccess}} file to include these lines: | + | |
| + | 1. | ||
| + | |||
| + | Edit your {{folder|/downloader/.htaccess}} file to include these lines: | ||
<code>Order deny,allow | <code>Order deny,allow | ||
Deny from all | Deny from all | ||
Revision as of 10:28, 21 September 2015
Contents
Overview
Magento has a few basic things to keep an eye on to keep you and your customers safe.
Quick Wins
Change the admin url
The default Magento admin URL is /admin - although it's not a perfect solution to change this, it will stop a lot of bots stressing your server.
- Edit the /app/etc/local.xml file.
- Look for
<frontName><![CDATA[admin]]></frontName> - Change 'admin' to something else.
- Clear the cache & login at the new URL.
Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site
Restrict access to the Magento Connect page
The default URL for this is /downloader; this is a classic target for people trying to get in. Once in, people could install an extension which allows total access to the attacker. 2 different ways to protect this:
Move the /downloader folder
- Just move it outside the web root. When you need it again move it back in.
Restrict access to specific IPs
If you're using Nginx:
1.
Edit your /conf.d files, inside the server { block, to include this:
#block access to downloader
location /downloader/ {
allow 11.22.33.44;
deny all;
}
Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.
2.
Remember to restart Nginx after editing this.
If you're using Apache:
1.
Edit your /downloader/.htaccess file to include these lines:
Order deny,allow
Deny from all
Allow from 11.22.33.44
Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.
