Difference between revisions of "Securing Magento"
m |
m |
||
| Line 21: | Line 21: | ||
====Restrict access to specific IPs==== | ====Restrict access to specific IPs==== | ||
| − | '''If you're using Nginx:''' | + | #'''If you're using Nginx:''' |
| − | + | ##Edit your /conf.d files, inside the <code>server {</code> block, to include this: | |
| − | + | ##:<code>#block access to downloader</code> | |
| − | + | ##:<code>location /downloader/ {</code> | |
| − | Edit your /conf.d files, inside the <code>server {</code> block, to include this: | + | ##:<code>allow 11.22.33.44;</code> |
| − | + | ##:<code>deny all;</code> | |
| − | <code>#block access to downloader | + | ##:<code>}</code> |
| − | location /downloader/ { | + | ##:''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.'' |
| − | allow 11.22.33.44; | + | ##:Remember to restart Nginx after editing this. |
| − | deny all; | + | #'''If you're using Apache:''' |
| − | }</code> | + | ##Edit your {{folder|/downloader/.htaccess}} file to include these lines: |
| − | + | ##:<code>Order deny,allow</code> | |
| − | ''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.'' | + | ##:<code>Deny from all</code> |
| − | + | ##:<code>Allow from 11.22.33.44</code> | |
| − | + | ##:''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.'' | |
| − | |||
| − | Remember to restart Nginx after editing this. | ||
| − | |||
| − | '''If you're using Apache:''' | ||
| − | |||
| − | |||
| − | |||
| − | Edit your {{folder|/downloader/.htaccess}} file to include these lines: | ||
| − | <code>Order deny,allow | ||
| − | Deny from all | ||
| − | Allow from 11.22.33.44</code> | ||
| − | ''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.'' | ||
[[Category:Extension Setup]] | [[Category:Extension Setup]] | ||
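Review bot: the Nginx block in the new list (`location /downloader/ {` with `allow 11.22.33.44;` and `deny all;`) is a plain prefix location, so if the same server block also carries a regex location for PHP (the usual `location ~ \.php$`), a request for /downloader/index.php is matched by that regex location and the allow/deny list is never consulted; declare it as `location ^~ /downloader/` and nest the PHP handler inside it so the restriction covers the scripts as well as the static files. The Apache lines (`Order deny,allow` / `Deny from all` / `Allow from 11.22.33.44`) are the 2.2 syntax; on Apache 2.4 they only take effect when mod_access_compat is loaded, otherwise `Require ip 11.22.33.44` is needed, so the text should say which version it targets.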
Revision as of 10:32, 21 September 2015
Overview
Magento has a few basic things to keep an eye on to keep you and your customers safe.
Quick Wins
Change the admin url
The default Magento admin URL is /admin. Changing it is not a complete fix, but it will stop a lot of bots stressing your server.
- Edit the /app/etc/local.xml file.
- Look for <frontName><![CDATA[admin]]></frontName> and change 'admin' to something else.
- Clear the cache & login at the new URL.
Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site.
Restrict access to the Magento Connect page
The default URL for this is /downloader; this is a classic target for people trying to get in. Once in, an attacker could install an extension that gives them total access to the site. There are two different ways to protect this:
Move the /downloader folder
- Just move it outside the web root. When you need it again move it back in.
Restrict access to specific IPs
- If you're using Nginx:
  - Edit your /conf.d files, inside the server { block, to include this:
        #block access to downloader
        location /downloader/ {
            allow 11.22.33.44;
            deny all;
        }
  - Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.
  - Remember to restart Nginx after editing this.
- If you're using Apache:
  - Edit your /downloader/.htaccess file to include these lines:
        Order deny,allow
        Deny from all
        Allow from 11.22.33.44
  - Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.
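The Nginx variant as an added example (not from the original wiki page), showing why the plain prefix block can be bypassed when the server block also has a regex PHP handler, and the hardened form. The IP 11.22.33.44 is the page's placeholder; the `~ \.php$` handler and the PHP-FPM socket path are assumptions about a typical Magento server block, not taken from the page.

```nginx
server {
    # ... listen, root and the rest of the Magento server block ...

    # Typical PHP handler: a regex location. Nginx prefers a matching regex
    # location over a plain prefix location, so with the weak form below a
    # request for /downloader/index.php is served here, not in the restricted
    # block, and the allow/deny list is never consulted.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # assumption: local PHP-FPM socket
    }

    # Weak form (the block from the page): only covers paths under /downloader/
    # that no regex location claims, so the PHP entry point stays reachable.
    #location /downloader/ {
    #    allow 11.22.33.44;
    #    deny all;
    #}

    # Hardened form: ^~ makes this prefix win over every regex location, and the
    # nested PHP handler inherits the allow/deny list, so every request under
    # /downloader/ is IP-checked before any script runs.
    location ^~ /downloader/ {
        allow 11.22.33.44;      # one allow line per trusted address
        deny all;

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php-fpm.sock;
        }
    }
}
```

Validate with `nginx -t` and reload; a request for /downloader/index.php from an address not in the allow list should then return 403 rather than the Magento Connect login page.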