Securing Magento

Overview

Magento has a few basic things to keep an eye on to keep you and your customers safe.

Quick Wins

Change the admin url

The default Magento admin URL is /admin - although it's not a perfect solution to change this, it will stop a lot of bots stressing your server.

1. Edit the /app/etc/local.xml file.
2. Look for <frontName><![CDATA[admin]]></frontName>
3. Change 'admin' to something else.
4. Clear the cache & login at the new URL.

Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site

Restrict access to the Magento Connect page

The default URL for this is /downloader; this is a classic target for people trying to get in. Once in, people could install an extension which allows total access to the attacker. 2 different ways to protect this:

Move the /downloader folder

1. Just move it outside the web root. When you need it again move it back in.

Restrict access to specific IPs

1. If you're using Nginx:
   1. Edit your /conf.d files, inside the server { block, to include this:

      #block access to downloader

      location /downloader/ {

      allow 11.22.33.44;

      deny all;

      }

      Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.

      Remember to restart Nginx after editing this.

2. If you're using Apache:
   1. Edit your /downloader/.htaccess file to include these lines:

      Order deny,allow

      Deny from all

      Allow from 11.22.33.44

      Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.