Difference between revisions of "Securing Magento"

From Moogento How-to Guides
Jump to navigation Jump to search
m
m
Line 36: Line 36:
 
##:<code>Allow from 11.22.33.44</code>
 
##:<code>Allow from 11.22.33.44</code>
 
##:''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.''
 
##:''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.''
 +
  
 
===Check Your Server===
 
===Check Your Server===
 +
 
If you're on a managed host, all good.
 
If you're on a managed host, all good.
 
If you're on a server that you're managing you'll want to check that you have secured the server inline with best practices for your specific server type.
 
If you're on a server that you're managing you'll want to check that you have secured the server inline with best practices for your specific server type.
 
It's beyond the scope of this article as it's such a huge area.
 
It's beyond the scope of this article as it's such a huge area.
 +
 
{{idea|Top Tip: Install fail2ban and check it's working}}
 
{{idea|Top Tip: Install fail2ban and check it's working}}
 +
  
 
===Install [https://www.moogento.com/slackcommerce slackCommerce]===
 
===Install [https://www.moogento.com/slackcommerce slackCommerce]===
 +
 
slackCommerce has an option to send an instant message whenever there is an admin login fail.
 
slackCommerce has an option to send an instant message whenever there is an admin login fail.
 
This works for both attempts to the login page and to the downloader page.
 
This works for both attempts to the login page and to the downloader page.

Revision as of 10:44, 21 September 2015

Overview

Magento has a few basic things to keep an eye on to keep you and your customers safe.

Quick Wins

Change the admin url

The default Magento admin URL is /admin - although it's not a perfect solution to change this, it will stop a lot of bots stressing your server.

  1. Edit the /app/etc/local.xml file.
  2. Look for <frontName><![CDATA[admin]]></frontName>
  3. Change 'admin' to something else.
  4. Clear the cache & login at the new URL.

Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site

Restrict access to the Magento Connect page

The default URL for this is /downloader; this is a classic target for people trying to get in. Once in, people could install an extension which allows total access to the attacker. 2 different ways to protect this:

Move the /downloader folder

  1. Just move it outside the web root. When you need it again move it back in.

Restrict access to specific IPs

  1. If you're using Nginx:
    1. Edit your /conf.d files, inside the server { block, to include this:
      #block access to downloader
      location /downloader/ {
      allow 11.22.33.44;
      deny all;
      }
      Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.
      Remember to restart Nginx after editing this.
  2. If you're using Apache:
    1. Edit your /downloader/.htaccess file to include these lines:
      Order deny,allow
      Deny from all
      Allow from 11.22.33.44
      Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.


Check Your Server

If you're on a managed host, all good. If you're on a server that you're managing you'll want to check that you have secured the server inline with best practices for your specific server type. It's beyond the scope of this article as it's such a huge area.

Top Tip: Install fail2ban and check it's working


Install slackCommerce

slackCommerce has an option to send an instant message whenever there is an admin login fail. This works for both attempts to the login page and to the downloader page. It's a free extension and will take the worry off needing to check emails constantly to see if there are any breach attempts.