Magento Security Tips

Security is a hot topic these days. Below we have compiled a list of tips, both Magento-specific and general computer-security practices, to help you put your best foot forward in protecting your sensitive data.

Magento Site Login / Password Management

  • Know and limit who has access to your computer, your site’s backend and your sensitive data. (Would you trust them to watch your child? If the answer isn’t “Yes”, then don’t give them access.)
  • Change the default Magento admin URL from /admin/ to a path that isn’t easy to guess (this helps avoid automated brute-force attacks aimed at the default login page).
  • Never use Admin, your store name, or something else that can be easily guessed as your username.
  • Don’t display or use the admin email address anywhere on the frontend of your site.
  • When creating a password, make sure it’s at least 8-10 characters long, contains a capital letter, and doesn’t include any full words (the more “random” it is and the less it relates to your business, the better!).
  • Although it’s tempting, never use the same password. For anything. Ever.
  • It’s best to change your password on a regular basis – we recommend once a month.
  • Never email, message, or in any way transfer passwords in plain text. If you must send it to someone, encrypt and password-protect that file. As inconvenient as it is to call and give the new password over the phone, this is a much more secure way of handling things.
  • Never save your username/password on your computer, mobile device, or an online storage service (unless it’s encrypted/password-protected).
  • Handle your hosting & FTP logins the same way – protect them like your child!
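For the admin URL tip above, here is an added configuration example (not from the original post): in Magento 1 the admin front name is set in app/etc/local.xml, and the fragment below shows the default value alongside a hard-to-guess replacement, where “x7k2m-backoffice” is a constructed placeholder rather than a recommended value.

```xml
<!-- app/etc/local.xml (Magento 1): only the <admin> branch is shown; added example -->
<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <!-- Default value, which exposes the login page at /admin/:
               <frontName><![CDATA[admin]]></frontName> -->
          <!-- Replacement: a front name that is not guessable.
               "x7k2m-backoffice" is a constructed placeholder; choose your own. -->
          <frontName><![CDATA[x7k2m-backoffice]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
```

Clear var/cache after editing so the new front name takes effect, and treat this as defence in depth alongside strong admin credentials, since the new path can still be discovered. On Magento 2 the equivalent setting is the backend frontName in app/etc/env.php, set with `bin/magento setup:config:set --backend-frontname=<name>`.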

General Computer/Network Practices

  • On a regular basis, update your antivirus/anti-malware software and scan every computer that accesses the backend.
  • Never access your backend or work with any file that contains sensitive data on an unsecured WIFI connection.
  • Change your business WIFI password, as well as the password for your home WIFI or any other network from which you access your store’s backend, on a semi-regular basis. If you live in a well-populated area, it’s best practice to do this more frequently.
  • Password protect your computer’s user account.
  • Keep your computer’s operating system and programs updated.
  • If you work in a public place, lock or log out of your computer’s user account every time you walk away from the computer.
  • If you work on a network, know who is on that network and follow any further security practices your IT department may have in place or recommend.
  • Turn off Remote Access if you don’t need it; we strongly recommend disabling it.
  • Turn on and use firewalls.
  • Back up your most important data (site database/files & computers) on a regular basis.

Other Practices

  • Don’t have your site hosted on shared hosting. Yes, it is more cost-effective at first, but not only is it generally slower, you can also be affected when another site on the same server is attacked. It’s best to make the investment and host your site on a VPS or dedicated server.