Hey there! Running an online business on Magento can be rewarding but also challenging when it comes to security. As an eCommerce platform powering over 250,000 sites, Magento is a prime target for hackers looking to steal valuable customer and payment data.
According to research by Astra, over 60% of Magento stores have at least one vulnerability that can be exploited by attackers. So it‘s crucial to lock down your site.
In this guide, I‘ll share the most important security best practices I‘ve learned from securing countless Magento stores. Consider these your top 14 tips to help avoid becoming the next victim of a cyber attack!
Why Attackers Target Magento
Before jumping into the tips, let‘s look at why Magento is so appealing to hackers:
Collects sensitive customer data like names, emails, addresses, and payment info
Often contains vulnerabilities in default installs or old plugin versions
Powers a large number of stores with valuable inventory
Provides access to admin settings if compromised
Stores tend to have weak passwords and lack other protections
According to Sucuri, over 20% of hacked sites in 2021 were eCommerce stores. Attackers typically want to:
- Steal customer payment and personal data
- Inject malware to infect site visitors
- Deface sites by altering content
- Break functionality to cause disruption
- Leverage resources for crypto mining or DDoS attacks
- Resell access or inventory on dark web markets
Securing your Magento installation is crucial to avoid these outcomes and protect your business and customers.
Now let‘s get into those tips!
1. Enable Two-Factor Authentication (2FA)
Even strong passwords can be leaked in data breaches. That‘s why relying on passwords alone is risky for securing important accounts like your Magento admin.
Adding 2FA requires a second step to log in, like:
- One-time code from an app
- Biometric like fingerprint or face scan
- USB security key
This stops attackers from accessing your admin even if they have the password.
For Magento, a good 2FA solution is the Amasty Two-Factor Authentication extension. It supports various methods including apps like Google Authenticator.
Enabling 2FA is one of the most effective things you can do to secure your admin access. Don‘t rely on passwords alone!
2. Change the Admin URL
By default, the Magento admin URL is
yourstore.com/admin. This is easy for attackers to guess and attempt brute force logins.
Obscuring the admin URL adds an extra layer of security through obscurity. It won‘t stop a determined attacker but eliminates easy automated attacks.
To change it, edit the
frontName value in
<admin> <routers> <adminhtml> <args> <frontName><![CDATA[your-secure-url]]></frontName> </args> </adminhtml> </routers> </admin>
Be sure to clear caches and test the new URL after changing this.
3. Always Keep Magento Up-to-Date
New Magento versions contain security patches for vulnerabilities. But many stores fall behind on updates and remain vulnerable.
According to Splunk research:
- Over 60% of Magento sites still run outdated 1.x versions.
- Sites are unpatched an average of over 400 days.
- Only 5% of sites upgrade to new major versions.
Not updating exposes your site to known security holes fixed in newer versions. It only takes one unpatched issue for an attacker to gain access.
I recommend upgrading your site frequently:
- Apply security patch releases as soon as available.
- Upgrade to the latest compatible minor version (like 2.4.x).
- Plan major version upgrades early to stay current.
On Linux servers, use
yum update (CentOS/RHEL) or
apt update (Debian/Ubuntu) to apply updates.
Staying on top of Magento updates is essential to avoid vulnerable, legacy code.
4. Backup Your Site Regularly
Magento backups allow restoring your site if disaster strikes. This includes data loss from security incidents like:
- Ransomware encrypting files
- Hackers deleting or corrupting data
- Accidental admin actions
Backups limit damage and speed recovery from attacks.
- Daily database + file system backups
- Storing backups externally, not on your server
- Testing restoration periodically to verify backups work
Also consider offering customers secure data exports, in case you ever suffer a major breach. Planning for disaster recovery is a key part of defense.
5. Mandate Strong Admin Passwords
Weak Magento admin passwords are an invitation for attackers to take over your store.
According to the 2021 Verizon Data Breach Investigations Report, over 80% of hacking breaches involved compromised credentials.
Your admin password should be:
- At least 15 characters
- Generated randomly – not based on personal info
- Include upper and lowercase letters, numbers, and symbols
- Unique, not reused on any other accounts
- Changed every 6 months
Weak admin passwords continue to be the downfall of many Magento merchants. Don‘t let that happen to you!
6. Harden Your Server with a Web Application Firewall
A WAF acts as a shield to protect your server from common web attacks like:
- SQL injection (SQLi)
- Cross-site scripting (XSS)
- Local/remote file inclusion (LFI/RFI)
- Cross-site request forgery (CSRF)
- Bot attacks
- Application DDoS
- Suspicious user agents or traffic patterns
If using a self-managed WAF like ModSecurity, keeping rules updated is essential.
A WAF acts as an intelligent shield against automated attacks and is a must-have for security.
7. Restrict Admin Access
Attackers are looking for any unprotected entrance to your admin.
Reduce your exposure by:
- Disabling admin access over HTTP (non-HTTPS)
- Allowing admin only from office/VPN IPs with firewall rules
- Blocking unused admin controller paths with web server configs
- Limiting admin permissions for site users
- Masking the public
/adminpath as discussed earlier
Every access path you eliminate or restrict improves security against unauthorized logins.
8. Never Reuse Passwords
With the rise of mega-breaches like LinkedIn, Facebook, and more, password reuse is dangerous:
- 15% of users reuse the same password across accounts, per Keeper Security.
- Reused passwords led to 80% of breaches in Verizon‘s 2020 report.
If your Magento password is reused anywhere else and that site is breached, attackers can access your store.
The best practice is using a unique, randomly generated password for every account.
Password managers like 1Password and LastPass make this easy by generating and storing strong passwords for each site.
Don‘t let password reuse put your Magento site at risk.
9. Change Passwords Frequently
Even strong passwords should be rotated frequently:
- Every 90 days for highly sensitive accounts like Magento admin.
- Every 6 months for other important logins.
If your passwords ever get exposed in a breach, regular resets render the credentials useless before they can be leveraged by attackers.
Password managers also make regular password changes painless. Just use the built-in generator when it‘s time to reset.
10. Never Save Passwords in Your Browser
Browsers offer to remember passwords for convenience, but saving login credentials is risky:
- Browser data is often unencrypted by default.
- Synced browser data exposes passwords across devices.
- Malware and trojans target browser password storage.
Instead, use a dedicated password manager like 1Password or LastPass. They encrypt your passwords and sync securely across devices.
Saving passwords in your browser is just asking for trouble. Use a password manager instead.
11. Monitor Login Attempts and Site Issues
Actively monitoring your site for suspicious activity or issues can reveal attacks early before major damage is done.
Watch for signs like:
- Spike in failed admin login attempts
- Successful logins from suspicious locations
- Someone reports weird site behavior or errors
- You notice suspicious files or code changes recently
Tools like these can help monitor site activity:
- Admin Actions Log to see all admin actions
- Web server logs for failed login monitoring
- Uptime monitors to receive alerts for site issues
- File integrity monitoring to detect suspicious file changes
Don‘t rely only on technology. Also encourage users to report anything odd, like phishing emails.
12. Use HTTPS and a Valid SSL Certificate
HTTPS encrypts all traffic between visitors and your site using SSL/TLS. This prevents:
- Snooping on unencrypted requests like account info and passwords
- Exploits like man-in-the-middle attacks on open WiFi
An invalid HTTPS certificate triggers scary browser warnings that erode trust with customers.
Magento requires HTTPS, so set up a free or paid SSL certificate from a trusted Certificate Authority like Let‘s Encrypt.
HTTPS is mandatory both for security and reassuring your customers.
13. Disable and Replace Insecure FTP
The old-school File Transfer Protocol (FTP) has major security flaws:
- Transmits data including passwords unencrypted in plain text.
- Vulnerable to man-in-the-middle attacks on open networks.
- Passive FTP can‘t work reliably from behind many firewalls.
Use SFTP (SSH File Transfer Protocol) instead which encrypts your data and passwords. SFTP works more reliably through firewalls as an active protocol.
Disable FTP entirely if not required, or at least ensure FTP is only accessible over your VPN, not the open internet.
FTP is hazardous for managing your Magento site – use SFTP instead.
14. Restrict File Permissions
Overly permissive file permissions allow attackers to modify or exploit your Magento code if they do gain access:
777permissions that give global read/write/execute access.
- Most files should be
640(owner read/write, group read).
- Directories should be
750(add execute for owner).
- Write access only where needed like
Also separate web server and file owner users for最小权限原则.
Carefully restricting permissions hardens security by limiting damage from unauthorized access.
Bonus: More Essential Security Tips
Here are a few more recommended security tips to protect your online business:
- Hire a penetration testing service to probe for hidden vulnerabilities.
- Install a mod security rule set like OWASP or Comodo to enhance protection.
- Block traffic from risky countries using Cloudflare, your firewall, etc.
- Use reCAPTCHA for admin, login, and other sensitive forms.
- Enable Magento Security Scan to automatically check for issues.
- Consider cyber insurance to help recover if attacked.
Protect Your Livelihood with Proactive Security
I hope these tips help you significantly improve security for your Magento site.
Don‘t wait until it‘s too late – the threats are real and attacks are happening every day. Take action now to protect your business, customers, and peace of mind.
Let me know if you have any other questions! I‘m always happy to help fellow Magento merchants strengthen their defenses against the growing dangers of cybercrime.