A Definitive Guide on Magento 2 Security 
Setting up a Magento 2 store may be easy. Protecting that online business from cyber attacks and the vulnerabilities it will inevitably carry is the hard part.
Hence, today, I’ll reveal the best practices you can implement for Magento 2 store security!
Hackers can target valuable and confidential information about your store and its customers and steal your data. In exchange for returning it, they may demand a handsome sum paid to a Bitcoin wallet or some other account. Or worse, they can destroy your whole store along with its data and commit fraud.
No e-commerce store is fully secure. Hackers identify vulnerabilities and commit cybercrime, while Magento 2 experts and professionals work hard to find ways to make stores more secure.
The security of 2000 Magento stores was exposed in the Magecart attack, according to a Sansec research report. Such a scenario can be avoided to a large extent by following the guide below on Magento 2 security:
12 Best Practices for Magento 2 Security in 2021:
- Create a custom admin path
- Choose Powerful Hosting Infrastructure
- Have a Recovery plan
- Prefer Only Reputed Security Extensions
- Use SSL for Encrypted Connection
- Update Magento store
- Change File Permission
- Use Two-Factor Authentication
- Configure Maximum Login Attempts Allowed
- Disable Directory Indexing
- Enable Forced Password Change
- Other Security Measures
Guide to Securing Magento 2 Stores:
1. Create a custom admin path
Creating a custom admin path makes it much harder for hackers to reach the admin login page. Once the admin path has been changed, attackers first have to discover it before they can attempt any kind of cybercrime against the backend.
The admin URL is used to access the backend of the store. Anyone with access to the admin URL can edit and manage administrative tasks. However, the default URL format, “sitename.com/admin”, is an easy target for bots.
Avoid predictable names like admin, backend, etc., and use a custom admin path instead.
You can change the admin URL in Magento 2 in the following ways:
- via SSH
- via admin panel
See the detailed method to change the admin URL in Magento 2 in order to prevent unauthorized access to the store backend.
2. Choose Powerful Hosting Infrastructure
Not all hackers want to steal data from your Magento store. Some groups just want to disrupt your website and make it inaccessible for a long period, which eventually damages revenue.
When your Magento 2 store goes down, a strong hosting service provider can help you fix the problem and reduce the downtime.
Choose among the best Magento 2 hosting providers, who can help with securing store data against potential vulnerabilities.
3. Have a Recovery Plan
No matter how powerful a hosting service you have, it is essential to have a recovery plan for your Magento 2 store. Hackers may target your e-commerce store and delete all its data. Imagine that situation: if you don’t have a recovery plan, you have to rebuild your e-commerce store from scratch.
To create a recovery plan, start taking backups on a daily, weekly or monthly basis, and that’s it. There are three methods to back up Magento 2:
- Magento 2 backup via Command Line
- Magento 2 backup via Admin Panel
- Magento 2 manual backup
If attackers try to steal or delete website data, you can simply restore it from the backup files. Therefore, make sure you take backups of your Magento 2 store.
4. Prefer Only Reputed Security Extensions
The core purpose of buying extensions is to extend the functionality of a Magento 2 store. Security extensions help raise the level of security of the store.
However, merchants sometimes unknowingly purchase security extensions from non-reputable sources that are harmful to the store.
Do the extension providers follow the Magento coding standards? Are they certified Magento 2 developers?
Check such details before buying extensions for your Magento 2 store, and make sure the source you are purchasing from is authentic!
5. Use SSL for Encrypted Connection
SSL, i.e., Secure Sockets Layer (whose modern successor is TLS), encrypts customers’ sensitive information in transit and provides a safe environment for Magento 2 stores. It offers privacy, essential security and data integrity for your store and your customers alike.
If a store does not use SSL to establish an encrypted connection, the connection is vulnerable and attackers on the network path can see customers’ credit card details, usernames and passwords.
With an SSL certificate in place, the data becomes unreadable to everyone except the server you are sending it to. Therefore, for protecting customers’ information, SSL certificates are essential.
6. Update Magento 2 Store
Magento keeps releasing security patches and updated versions to address the bugs and issues found in earlier Magento versions.
Updating your Magento 2 store is the best and most highly recommended way to increase security. Each Magento version comes with the latest security features in addition to performance and administrative enhancements.
Even Visa and PayPal urge merchants to migrate to Magento 2 in order to stay compliant with the PCI DSS security standard.
Therefore, if you still use an older version of Magento, you need to upgrade your Magento store for better security.
However, merchants make several avoidable mistakes while migrating. As the store and customers’ sensitive data are at stake, one of the best ways to avoid mistakes while migrating to Magento 2 is to hire certified Magento developers.
7. Change File Permission
Changing file permissions is extremely important for protecting the valuable files of your e-commerce store.
There are mainly three types of file permission: read, write and execute. If file permissions allow everyone to read and write (public mode), your files are not safe, as attackers can easily view, download and alter them.
Sahil Chug, CEO of MageHost, recommends avoiding 777 file permissions, which grant read, write and execute access to everyone, attackers included.
Setting file permissions to 644 limits write access to the owner, while the group and everyone else can only read the files. That means the ability to modify a file is restricted to its owner alone.
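The permission cleanup from this section as an added shell example (not from the original article or from MageHost): it reports world-writable paths under a Magento root, applies the 644/755 baseline, and then re-opens the directories Magento writes to at run time, following Magento's own file-system ownership guide. It assumes the files and the web server share a group, and `mode_of` relies on GNU `stat`.

```shell
#!/usr/bin/env bash
# Find and repair insecure file permissions in a Magento 2 installation root.
# Baseline: files 644 (owner writes, everyone else reads), directories 755.
# Directories the web server writes to get group write, as Magento's file
# system ownership guide does, assuming the web server group owns the tree.
set -u
# Paths Magento must write at run time (assumption: shared owner/web-server group).
WRITABLE_DIRS="var generated vendor pub/static pub/media app/etc"
# List every world-writable file or directory under $1 (777, 666, 757 ...).
find_world_writable() {
  find "$1" ! -type l -perm -002 -print
}
count_world_writable() {  # number of world-writable paths under $1
  find_world_writable "$1" | wc -l | tr -d ' '
}
mode_of() {  # octal mode of a path, e.g. 644 (GNU stat)
  stat -c '%a' "$1"
}
# Apply the baseline to the Magento root $1, then re-open the writable areas
# and restore the execute bit that a blanket 644 strips from bin/magento.
fix_permissions() {
  local root="$1" d
  find "$root" -type f -exec chmod 644 {} +
  find "$root" -type d -exec chmod 755 {} +
  for d in $WRITABLE_DIRS; do
    if [ -d "$root/$d" ]; then
      find "$root/$d" -type f -exec chmod g+w {} +
      find "$root/$d" -type d -exec chmod g+ws {} +
    fi
  done
  if [ -f "$root/bin/magento" ]; then chmod u+x "$root/bin/magento"; fi
}
# Report-only entry point: prints offenders and returns 1 if any were found.
audit_permissions() {
  local n
  n=$(count_world_writable "$1")
  find_world_writable "$1"
  [ "$n" = "0" ]
}
```

Run `audit_permissions /path/to/magento` first to see what would change, then `fix_permissions` once the ownership assumption holds.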
8. Use Two-Factor Authentication
Two-factor authentication adds an additional security layer to your Magento admin panel.
Therefore, even if attackers crack the password, they still need to bypass another layer of security. They will not be able to log in, because the one-time password goes to the store owner or admin, so the chances of a successful attack are much lower.
Earlier, Magento 2 offered two-factor authentication as an option: the store owner could enable or disable Magento 2 2FA as required. However, disabling Magento 2FA is not best practice.
With the release of Magento 2.4, 2FA is enabled by default and cannot be disabled. It is recommended to download the latest Magento 2 version and leverage this security feature that default Magento 2 offers.
9. Configure Maximum Login Attempts Allowed
Setting a maximum number of login attempts is mandatory: if Magento 2 store owners do not set one, attackers can apply trial-and-error methods using various tools, which makes it much easier for them to log in to the admin panel.
To avoid this, default Magento 2 lets you configure password options with which the store owner can set the maximum number of login failures before the account is locked out.
10. Disable Directory Indexing
When Google crawls a website, most of its pages get indexed, subject to the crawl budget.
Some confidential web pages should not be indexed by Google. If such pages are indexed, Google users can view them and the confidential data may leak.
Therefore, to keep specific web pages away from search engines, you can simply disable directory indexing for your Magento 2 store.
For instance, you can prevent Google from indexing the Magento 2 admin URL!
11. Enable Forced Password Change
Changing the Magento 2 admin panel password frequently is essential for Magento store owners. If passwords are not changed periodically, there is a chance that attackers crack the password and damage your store massively.
Default Magento 2 has a facility to enable forced password change. After a set number of days, when the store owner logs in, they are redirected to the change-password page. Eventually, this helps protect Magento 2 stores.
One can easily enable password expiration in Magento 2, which helps merchants keep the store secure over time.
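An added shell example (not from the original article) that covers sections 5, 9 and 11 together: it audits the text that `bin/magento config:show` prints for the HTTPS and admin security settings discussed there and prints the `bin/magento config:set` commands that fix the failures. The config paths are Magento's own; the thresholds in POLICY and the WEAK_DUMP sample are this example's constructions, not Magento defaults.

```shell
#!/usr/bin/env bash
# Audit a Magento 2 config dump against the settings this guide covers (HTTPS on
# storefront and admin, login lockout, forced password expiry) and print the
# bin/magento commands that fix the failures. Input is the "path - value" text
# that `bin/magento config:show` prints; WEAK_DUMP is a constructed sample store.
set -u
WEAK_DUMP='web/secure/use_in_frontend - 1
web/secure/use_in_adminhtml - 0
admin/security/lockout_failures -
admin/security/lockout_threshold - 10
admin/security/password_is_forced - 0
admin/security/password_lifetime - 90'
# Policy rows: path, check (eq/min/max), wanted value, note. The paths are
# Magento's own config paths; the thresholds are this example's choice.
POLICY='web/secure/use_in_frontend eq 1 HTTPS on the storefront
web/secure/use_in_adminhtml eq 1 HTTPS on the admin panel
admin/security/lockout_failures max 5 failed logins before lockout, empty disables lockout
admin/security/lockout_threshold min 30 lockout duration in minutes
admin/security/password_is_forced eq 1 forced password change on expiry
admin/security/password_lifetime max 90 password lifetime in days, empty never expires'
config_value() {  # value of one config path from a dump on stdin (empty when unset)
  awk -v p="$1" '$1 == p { print $3; exit }'
}
meets() {  # does value $2 satisfy check $1 against wanted $3? empty fails min/max
  case "$1" in
    eq)  [ "$2" = "$3" ] ;;
    min) [ -n "$2" ] && [ "$2" -ge "$3" ] ;;
    max) [ -n "$2" ] && [ "$2" -le "$3" ] ;;
  esac
}
audit_config() {  # one WEAK line per failed check; returns 1 if any failed
  local dump="$1" fail=0 path kind want note have
  while read -r path kind want note; do
    have=$(printf '%s\n' "$dump" | config_value "$path")
    if meets "$kind" "$have" "$want"; then continue; fi
    echo "WEAK: $path='$have' ($note; want $kind $want)"
    fail=1
  done <<EOF
$POLICY
EOF
  return $fail
}
harden_commands() {  # remediation: one config:set per policy row, then flush config cache
  while read -r path _ want _; do echo "bin/magento config:set $path $want"; done <<EOF
$POLICY
EOF
  echo "bin/magento cache:clean config"
}
```

On a live store, feed it the real dump with `audit_config "$(bin/magento config:show)"`; an empty lockout or lifetime value is reported as weak because Magento treats an empty field as "feature off".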
12. Other Security Measures
There are some measures that nobody likes to discuss, but if you implement them they will certainly contribute to protecting your stores from hackers.
- Secure your computer
If the computer you use to manage your Magento 2 store does not have a secure password, it would be extremely easy for hackers to break into your operating system and damage both your computer and your Magento store.
Make sure your computer has a password and good antivirus software, and turn on the firewall to protect it.
- Use SFTP
It is better to use the Secure File Transfer Protocol (SFTP) rather than plain FTP.
SFTP encrypts both data and commands, preventing passwords and other sensitive information from being exposed to attackers listening on the network.
- Secure your Email
Email is linked with whatever we do on the internet. If a store owner has set a weak password without two-factor authentication, the chance of being hacked increases dramatically.
If a hacker manages to find the password of the store’s official email address, he may commit cybercrime. Hence, securing your email is a small but important step toward increasing the security of the store.
The Federal Bureau of Investigation (FBI) has received 3000-4000 complaints every day since the COVID-19 outbreak, according to The Hill.
The cybercrime rate is rising rapidly. Hence, the situation is alarming and e-commerce stores need to increase their security.
I hope you liked this article and I would be happy to read your views on securing Magento stores.
Do consider sharing this article with the Magento community via social media.