How to Secure Your Magento Store Without Extensions


Invisible reCAPTCHA, database backup, admin permissions – the range of Magento security extensions goes on and on. If you are not ready to afford one, this is what you can do for free to protect your web store.

Since day one, e-commerce websites have been bait for attackers because they handle payments, money transactions, and sensitive card data. Reviewing your web store security is never excessive. Perhaps today you are not ready to pay for particular security extensions. Well, perhaps you don't need one. Let's take a look at the measures you can take at no cost at all to protect your web store data.

#1. Check the latest updates and upgrades

When everything works fine, many merchants hardly want to search for updates. What if an update conflicts with third-party extensions? What if it has some bugs? Perfect is the enemy of good, right? Well, sorry, Voltaire, not this time.

The thing is, Magento stays alert to possible vulnerabilities and releases patches and new versions with the necessary fixes. For a merchant, timely updates are not just a precaution, they are a must. Once Magento releases a security patch, the vulnerability is described in the accompanying release notes. Attackers read that information too and immediately start probing web stores for that particular weak point, so a store that is patched a few weeks late is exactly the store they find. Failing to update a Magento store in time increases the risk of a data breach.

So, right now don’t waste a moment and check that you have installed the latest security patches.

As of November 2018, the must-haves for Magento 1 stores include (Magento 2 stores should instead run the latest 2.x point release, which carries the corresponding fixes):

  • SUPEE-10888, which comprises many security enhancements closing cross-site scripting (XSS), cross-site request forgery (CSRF), and other vulnerabilities.
  • SUPEE-10752, which addresses remote code execution (RCE) by an authenticated Admin user and cross-site request forgery (CSRF).
  • SUPEE-10570, which closes remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities.
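Magento 1 records every patch applied with the official patch script in app/etc/applied.patches.list, so the check above can be automated. The script below is an added example for this article, not a Magento tool; the sample list file is constructed here, the required IDs are the three above, and it only checks that an ID appears in the file (if a patch was ever reverted, read the file yourself).

```shell
#!/bin/sh
# Added example: report which required SUPEE patches are absent from a
# Magento 1 applied.patches.list file. Not part of Magento; the patch IDs
# are the November 2018 list from the article.

# Required patch IDs (assumption: extend this list as new patches ship).
REQUIRED_PATCHES="SUPEE-10888 SUPEE-10752 SUPEE-10570"

# missing_patches LISTFILE
# Prints, one per line, the IDs from REQUIRED_PATCHES that do not appear
# in LISTFILE as a whole word. Returns 0 if nothing is missing, 1 otherwise.
# A missing file counts as "nothing applied".
missing_patches() {
    listfile=$1
    rc=0
    for id in $REQUIRED_PATCHES; do
        if ! grep -qw -- "$id" "$listfile" 2>/dev/null; then
            echo "$id"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample list (not from a real store): two of three patches applied.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2018-03-02 09:12:41 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | ...
2018-07-04 10:03:15 UTC | SUPEE-10752 | CE_1.9.3.8 | v1 | ...
EOF

if missing=$(missing_patches "$SAMPLE"); then
    echo "All required patches present"
else
    echo "Missing patches:"
    echo "$missing"
fi
rm -f "$SAMPLE"
```

On a real server, call `missing_patches /var/www/magento/app/etc/applied.patches.list` (path assumed) from cron and mail yourself the output; a non-zero exit means there is work to do.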

#2. Scan your web store regularly with a FREE tool

Just like your web store, attackers work day and night. Magento released a free Security Scan Tool to give merchants one more security measure. You can schedule regular scans, receive reports on missing patches and known vulnerabilities, and check the store for known malware signatures. Don't miss your chance to increase security for free; read the details in the Magento Security Center. Bear in mind that the scanner sees your store from the outside only, so it complements, rather than replaces, the patch check above.

#3. Harden the admin panel

Many security breaches involve unauthorized access to the admin panel, the door to the most sensitive customer and business data. To prevent such cases, pay maximum attention to the built-in security settings for the admin environment.

Let's think logically. A brute force attack needs the admin panel URL and a valid admin username; the password is what the attacker then guesses. So the first thing to do is make the URL and the usernames hard to find, and the passwords hard to guess.

Step 1. Make the admin path unique

Magento allows you to change the default admin path (admin by default) to any custom one. This makes it harder for attackers even to find the gateway to your backend and takes the store out of the reach of automated scanners that simply try /admin. Just, please, don't use your company name or 'backend'; you surely know why. Remember that a custom path is obscurity, not authentication: it cuts noise, but the password and lockout settings below still do the real work.

To change the admin path, go to System -> Configuration -> Advanced -> Admin -> Admin Base URL and select Yes in Use Custom Admin URL and in Use Custom Admin Path. Then enter the name of your new path (say, securepath). Alternatively, open the app/etc/local.xml file in a text editor and change the admin frontName.

For example, the default is:

    <frontName><![CDATA[admin]]></frontName>

You can change it to:

    <frontName><![CDATA[securepath]]></frontName>

Then flush the cache and that's it. Note that a path set in the admin configuration is stored in the database and takes precedence over local.xml, so pick one method and stick to it.
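The local.xml route can be scripted, which is handy when you manage several stores. The script below is an added example for this article, not part of Magento: it refuses the guessable names the text warns about (including anything containing "admin" or a company name you add to the list), rewrites the frontName in a copy of local.xml, and keeps a .bak of the original. The deny-list, the minimum length, and the sample local.xml are assumptions made here.

```shell
#!/bin/sh
# Added example: rewrite the Magento 1 admin frontName in app/etc/local.xml,
# rejecting names an attacker would try first. Not part of Magento.

# Substrings that make an admin path guessable (assumption: add your brand).
WEAK_PATHS="admin backend manage magento acmestore"

# path_is_acceptable NAME
# Returns 0 if NAME is at least 8 characters, uses only [A-Za-z0-9_-],
# and contains none of WEAK_PATHS (case-insensitive); 1 otherwise.
path_is_acceptable() {
    name=$1
    [ ${#name} -ge 8 ] || return 1
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    for weak in $WEAK_PATHS; do
        case $lower in
            *"$weak"*) return 1 ;;
        esac
    done
    return 0
}

# set_admin_frontname LOCAL_XML NAME
# Replaces <frontName><![CDATA[...]]></frontName> in LOCAL_XML with NAME,
# keeping the original as LOCAL_XML.bak. Refuses weak names.
set_admin_frontname() {
    xml=$1
    name=$2
    path_is_acceptable "$name" || { echo "refusing weak admin path: $name" >&2; return 1; }
    cp "$xml" "$xml.bak" || return 1
    # NAME was validated above, so it cannot break the sed expression.
    sed "s|<frontName><!\[CDATA\[[^]]*]]></frontName>|<frontName><![CDATA[$name]]></frontName>|" \
        "$xml.bak" > "$xml"
}

# Constructed sample local.xml (only the admin router part) for demonstration.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
set_admin_frontname "$SAMPLE" securepath && grep frontName "$SAMPLE"
rm -f "$SAMPLE" "$SAMPLE.bak"
```

After running it against the real file, flush the cache and confirm the old /admin URL returns a 404 before you log out of your current session, so a typo cannot lock you out.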

Step 2. Introduce a decent password policy

A well-thought-out password policy is the necessary minimum you can do to protect your web store. Make sure every admin account follows at least these rules:

  • A password must be 10+ characters long;
  • A password must include at least 1 symbol, 1 number, and 1 capital letter;
  • A password mustn't include any dictionary word or your company name;
  • A password must be changed at least every 90 days (Magento can enforce this through the Password Lifetime setting in the admin Security section);
  • A password must be unique to the store: a password reused from another site is the first thing tried after a breach elsewhere.
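Magento checks length and character classes for you, but not dictionary words or the company name. The checker below is an added example written for this article, not Magento code; the company name and the small word list are constructed here, and on a real server you would point it at a proper list such as /usr/share/dict/words. The rotation rule is a matter of configuration, not of this script.

```shell
#!/bin/sh
# Added example: check a candidate admin password against the article's rules.
# Not part of Magento. COMPANY and DICT_WORDS are constructed placeholders.
LC_ALL=C; export LC_ALL

COMPANY="acmestore"
DICT_WORDS="password welcome summer magento letmein qwerty secret"

# check_password PASSWORD
# Prints every rule the password violates; returns 0 only if all rules pass.
check_password() {
    pw=$1
    ok=0
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    [ ${#pw} -ge 10 ] || { echo "shorter than 10 characters"; ok=1; }
    printf '%s' "$pw" | grep -q '[0-9]'        || { echo "no digit"; ok=1; }
    printf '%s' "$pw" | grep -q '[A-Z]'        || { echo "no capital letter"; ok=1; }
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || { echo "no symbol"; ok=1; }
    case $lower in
        *"$COMPANY"*) echo "contains company name"; ok=1 ;;
    esac
    for w in $DICT_WORDS; do
        case $lower in
            *"$w"*) echo "contains dictionary word: $w"; ok=1 ;;
        esac
    done
    return $ok
}

# Constructed candidates: one acceptable, two that look strong but are not.
for candidate in 'Tr0ub4dor&3x' 'Password123!' 'AcmeStore2018!'; do
    if check_password "$candidate" >/dev/null; then
        echo "OK:   $candidate"
    else
        echo "WEAK: $candidate"
    fi
done
```

Note that "Password123!" satisfies the length and character-class rules Magento enforces and is still rejected here, which is exactly the gap the dictionary rule closes.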

Step 3. Configure Admin Account Security

Apart from a password policy, Magento offers a range of admin account security options. You can limit the number of password reset requests per hour, as well as the minimum time between requests, to make password-reset abuse harder. Make the login case sensitive to support a stricter password policy, set the session lifetime so that admins have to reconfirm their identity, and set the maximum number of login failures after which an account is locked out. All these settings are under System -> Configuration -> Advanced -> Admin -> Security. While you are there, disable Admin Account Sharing so that one set of credentials cannot be logged in from several places at once.

Step 4. Limit the IP addresses that can reach the admin panel

To further raise the security of admin operations, you can allow-list the particular IP addresses from which the backend may be reached. This is done at the web server level, in front of Magento, so that a request from any other address is rejected before it ever reaches the login form. Give remote staff a fixed VPN or office exit address to connect from, and keep a second allowed address so that a change at your ISP does not lock you out.
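One way to do this on nginx, as an added example for this article (it is not a Magento-supplied configuration): the location block below matches the custom admin path chosen above in both its rewritten and its index.php forms, allows two addresses, and denies everything else before the request is handed to PHP. The path "securepath", the documentation-range addresses, and the @handler named location (the usual Magento 1 nginx layout that rewrites to index.php) are assumptions.

```nginx
# Added example, not from the article or from Magento. Place this before the
# generic "location ~ \.php" blocks, because nginx takes the first matching
# regex location. Addresses are placeholders from the documentation ranges.
location ~ ^/(index\.php/)?securepath(/|$) {
    allow 203.0.113.10;      # office exit address (placeholder)
    allow 198.51.100.0/24;   # VPN pool (placeholder)
    deny  all;               # everyone else gets 403 before PHP runs

    # Access control runs before try_files, so the allow/deny above is
    # enforced here; @handler then rewrites to index.php as usual.
    # (Do NOT use "rewrite ... last" in this block: the rewrite phase runs
    # before the access phase and would skip the allow/deny checks.)
    try_files $uri $uri/ @handler;
}
```

If a CDN or load balancer sits in front of nginx, the client address it sees is the proxy's, so configure `set_real_ip_from` and `real_ip_header` for that proxy first, otherwise the allow-list either blocks everyone or nobody. Test from an address outside the list and confirm you get a 403 for both /securepath/ and /index.php/securepath/.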

Step 5. Use two-factor authentication on the admin page

Two-factor authentication means that, to access the web store, a user has to present both a password and a one-time code, typically from an authenticator app (preferable) or sent by SMS. Though this measure requires installing an extension, even the Magento documentation recommends doing it, and it is the one control on this list that still holds when a password has already leaked.

#4. Implement CAPTCHA and invisible reCAPTCHA

CAPTCHA is one more measure to protect your web store from automated attacks such as credential stuffing and fake account creation. The default Magento CAPTCHA generates a combination of letters and numbers and asks the user to prove they are human by typing it back correctly. It can be enabled on the forms that attract the most automated abuse:

  • Admin Sign In
  • Admin Forgot Password
  • Customer Log In
  • Create User
  • Customer Forgot Password
  • Checkout as Guest
  • Register During Checkout
  • Contact Form

You can set the code length, case sensitivity, lifespan, and after how many failed logins the CAPTCHA appears. In Magento 1, enable the admin CAPTCHA under System -> Configuration -> Advanced -> Admin -> CAPTCHA and the customer CAPTCHA under System -> Configuration -> Customers -> Customer Configuration -> CAPTCHA. In Magento 2 the same settings live under Stores -> Settings -> Configuration -> Advanced -> Admin -> CAPTCHA and Stores -> Settings -> Configuration -> Customers -> Customer Configuration -> CAPTCHA. Switch it on for the admin login first; the customer forms can follow once you have checked the effect on conversion.

CAPTCHA is a useful security measure, yet it unfortunately affects user experience. Customers hardly want to solve puzzles when they are ready to make a purchase. Invisible reCAPTCHA is the solution in this case. It uses risk analysis combined with machine learning and mostly doesn't require any action from the user; it asks for verification only when the traffic looks suspicious.

Google Invisible reCAPTCHA is not included in Magento 1 out of the box. However, it sometimes comes with third-party extensions from reputable vendors. So, if you don't want to buy a standalone reCAPTCHA extension, check one more time: maybe it is included in some other module you are already considering.

#5. Use your own SSL certificate

An SSL/TLS certificate issued for your own domain by a trusted certificate authority encrypts all communication between the server and the browser, and so ensures that any data, be it sensitive customer information, records of financial transactions, or your business data, travels over an HTTPS connection. To make Magento use it, navigate to System -> Configuration -> General -> Web -> Secure, set the secure Base URL to your https:// address, and select Yes in Use Secure URLs in Frontend and in Use Secure URLs in Admin. Check that the https:// URL already works in a browser before you switch the admin to it, or you will lock yourself out of the backend. Then redirect plain HTTP to HTTPS at the web server so that no session cookie is ever sent in the clear.

#6. Remember the basics as well

At the most basic level, remember to back up your database and files automatically and keep the copies in a safe location off the web server, where an attacker who gets into the store cannot delete them. A backup that has never been restored is only a hope, so test a restore now and then. This lets you start recovering your web store quickly in case of an intrusion. And obviously, install only third-party extensions from vendors Magento trusts. Free extensions from unknown providers can open your web store to attackers.
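A minimal automated backup, as an added example for this article (not a Magento tool): it reads the database credentials from app/etc/local.xml, dumps the database with mysqldump, archives the code and media tree without the cache and session directories, and lists the archive back to confirm it is readable. MAGE_ROOT, BACKUP_DIR, the 14-day retention, and the sample local.xml are assumptions; copying BACKUP_DIR off the server (rsync, object storage) is left to you.

```shell
#!/bin/sh
# Added example: nightly Magento 1 backup with a readability check.
# Not part of Magento. Paths and retention are assumptions; override
# MAGE_ROOT and BACKUP_DIR in the environment.
set -u
MAGE_ROOT=${MAGE_ROOT:-/var/www/magento}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/magento}

# xml_value FILE TAG
# Prints the CDATA content of the first <TAG> in FILE (local.xml style).
xml_value() {
    sed -n "s|.*<$2><!\[CDATA\[\([^]]*\)]]></$2>.*|\1|p" "$1" | head -n 1
}

# backup_files SRC DEST_TGZ
# Archives SRC (excluding var/cache and var/session), then lists the archive
# to confirm it can be read back. Returns non-zero on any failure.
backup_files() {
    src=$1; dest=$2
    tar -czf "$dest" --exclude='./var/cache' --exclude='./var/session' -C "$src" . || return 1
    tar -tzf "$dest" >/dev/null
}

# backup_db LOCAL_XML DEST_SQLGZ
# Dumps the database named in LOCAL_XML. Needs mysqldump on the server.
backup_db() {
    xml=$1; dest=$2
    host=$(xml_value "$xml" host)
    user=$(xml_value "$xml" username)
    pass=$(xml_value "$xml" password)
    name=$(xml_value "$xml" dbname)
    tmp=$(mktemp)
    # MYSQL_PWD keeps the password out of the process list and shell history.
    MYSQL_PWD=$pass mysqldump --single-transaction --quick \
        -h "$host" -u "$user" "$name" > "$tmp" || { rm -f "$tmp"; return 1; }
    gzip -c "$tmp" > "$dest" && rm -f "$tmp"
}

# run_backup: dated database and file archives, then prune local copies
# older than 14 days (off-site copies should be kept longer).
run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" || return 1
    backup_db "$MAGE_ROOT/app/etc/local.xml" "$BACKUP_DIR/db-$stamp.sql.gz" || return 1
    backup_files "$MAGE_ROOT" "$BACKUP_DIR/files-$stamp.tgz" || return 1
    find "$BACKUP_DIR" -type f -mtime +14 -delete
}

# Only perform the real backup when invoked as "backup.sh run"; otherwise
# the file just defines the functions (so it can be sourced or tested).
if [ "${1:-}" = run ]; then
    run_backup
fi
```

Run it from cron as a user that can read the store but is not the web server user, and make sure BACKUP_DIR is not inside the document root, otherwise the dump with every customer record in it is one URL away.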