A Fast Action Plan For Magento 2 Security

On the previous article, we described a complete guideline of security best practice for Magento 2 platform users. However, sometimes you forget to check the security of your website and hackers can break into your website and compromise your business. In this article, we will describe an action plan, so you will know what you have to do when suspect that your site is compromised.

DIAGNOSE. Scan your website to establish the security status of your Magento store. MageReport.com is a recommended service for free to all Magento users.
CLEAN. Contact a qualified consultant or online service to clean your site of all malicious code. The most recommended from Magento users is Sucuri Website Malware Removal.

  • Remove the leftover executable code in /media folder.
  • Remove unknown Admin users and reset all Admin passwords.
PROTECT. Update your Magento installation and security patches

REPORT. If you have found a vulnerability in Magento, send a description of the problem with technical details to security@magento.com.
UPGRADE. For additional peace of mind that comes from 24/7 support, plan your upgrade now to Magento Commerce Cloud.

Above is a fast action plan for Magento 2 security, we hope that you don’t have to use this action plan, or at least you can follow this list to defend yourself against hackers and protect your online store from malicious code. If you have more effective method to secure your online store, please leave a comment or contact us directly, and we will update this article as soon as possible. On the next blog post about Security For Magento 2, we will describe tutorial on configuring Admin Security. See you in the next blog post.

A Complete Guideline Of Security Best Practice For Magento 2 Platform Users

Because of the personal, payment and credit card information that is required to complete a sale, hackers are always aiming to eCommerce sites. When a website is hacked, customers might suffer money loss and private identity theft, and merchants suffer lost of merchandise, their reputations collapse. In this guideline, we will describe a multifaceted approach to enhance the security system of your Magento installation, so you can make your online store secure and avoid being hacked.

  • Start Right

Choose the reliable hosting providers and solution integrators. When checking their qualifications, check their approach to security. Make sure that they pentest their code for security issues, and they have a standard secure software development life cycle, for example, The Open Web Application Security Project (OWASP).

Launching your site or upgrade to run it over securely, encrypted HTTPs

  • Protect the environment

Update all software and security patches on your server, including other websites and database software.

Server Environment

Secure the server operating system. Your hosting provider must ensure that they do not install any unnecessary software on the server.
Manage files using SSH/SFTP/HTTPS, and disable FTP.
To protect system files when using the Apache web server, Magento includes .htaccess files. If you use another web server such as Nginx, make sure to protect all system files and directories. For a sample Nginx configuration, see magento-nginx.conf on GitHub.
Use secure and unique passwords (at least 20 characters including uppercase, lowercase, numbers, and symbols) and change them periodically.
Update the software and security patches.
Check any issues that are reported for software components used by your Magento installation, including the operating system, MySQL database, PHP, Redis (if used), Apache or Nginx, Memcached, Solr, and any other components in your specific configuration.
Restrain access to the cron.php file to only required users. For example, restrict access by IP address. If possible, block access entirely and execute the command using the system cron scheduler.

Advanced Techniques

Automate the deployment process, if possible, and use private keys for data transfer.
Restrain access to the Magento Admin by list all IP address of computers that are authorized to use the Admin and Magento Connect downloader. To know how to whitelist IP addresses, please read: Secure Your Magento Admin.
Do not install extensions directly on a production server. Block or remove access to the /downloader directory to disable the Magento Connect downloader on the production site. Use the same whitelisting methods if necessary.
Use two-factor authorization for Admin logins. Some extensions provide additional security by requiring a generated passcode on your phone or a token from a particular device.
Check your server for “development leftovers.” Clear all available log files, publicly visible .git directories, tunnels to execute SQL, database dumps, phpinfo files, or any other unprotected files that are not required, and might be used for hacking.
Restrain outgoing connections to only those that are required, such as for payment integration.
Use a Web Application Firewall to block all suspicious traffic, such as credit card information being sent to a hacker.

Server Applications

Secure all applications running on the server.
Try not to run other software on the same server as Magento, especially if it is accessible from the Internet. Vulnerabilities in blog applications such as WordPress can leak personal information from Magento database. Install such software on a different server or virtual machine.
Update the software and security patches.

Admin Desktop Environment

 

Secure the computer that is used to access the Magento Admin.
Update your antivirus software, and use a malware scanner. Do not install any unknown programs, or click suspicious links.
Use a password manager tool, for example, LastPass, 1Password, or Dashlane to create and manage secure, unique passwords. Use a secure password to log in to the computer (20 characters including uppercase, lowercase, numbers and special characters), and change it periodically.
Do not save FTP passwords in FTP programs, because they are often penetrated by malware and used to infect servers.
  • Protect Magento

 

Update the Magento installation and security patches to enhance security.
Use a unique, custom Admin URL to avoid to scripts that try to hack into every Magento site.

Check with your hosting provider before using a custom Admin URL. Some hosting providers require a standard URL to meet firewall protection rules.

Block access to any development, staging, or testing systems. Use IP whitelisting and .htaccess password protection. When compromised, such systems can produce a data leak or be used to attack the production system.
Use the correct file permissions. Set core Magento and directory, including app/etc/local.xml files to read-only.
Use a secure password for the Magento Admin (20 characters including uppercase, lowercase, numbers and special characters).
Use all security-related configuration settings of Magento for Admin Security, Password Options, and CAPTCHA.
  • Don’t be Taken for a Ride
Only download and install extensions from trusted sources. Review extensions for security issues before installing them.
Do not click suspicious links or email.
Do not unveil the password to your server or the Magento Admin, unless you are required to do so.
  • Be Prepared!
Build a disaster recovery/business continuity backup plan.
Backup your server and database automatically to an external location. A typical setup requires daily incremental backups, with a full backup on a weekly basis. To verify that data can be restored, test the backup regularly.
For a large site, simple text file dumps of the database take a long time to restore. To deploy a professional database backup solution, work with your hosting provider.
  • Monitor for Signs of Attack

To check for signs of attack, complete a security review periodically, and also when contacted by customers with security-related concerns.

Security Review

Check for unauthorized Admin users periodically.
Use automated log review tools such as Apache Scalp.
To install and set up an Intrusion Detection System on your network and review server logs for suspicious activity, work with your hosting provider.
Use a file and data integrity checking tool such as TripWire to receive notification of any potential malware installation.
Monitor all system logins (FTP, SSH) for unexpected activity, uploads, or commands.
  • Follow Your Disaster Recovery Plan

In case your website is compromised, work with your IT security team, hosting provider and system integrator to decide the scope of the attack. Focus on consideration the type of compromise and the size of the store. Then, adjust the following recommendations to your business needs.

  1. Block access to the site, so the hacker cannot erase evidence or steal more data.
  2. Backup the current site, which will include evidence of the installed malware or compromised files.
  3. Determine the scope of the attack. Was credit card data accessed? What type of data was stolen? Was the data encrypted? How much time has passed since the compromise? Typically you can expect the following types of attack:
Deface Site access is compromised, but often the payments information is not. User accounts might be compromised.
Botnet Hackers use your site as a botnet that spams email. Although data is not compromised, your server is blacklisted by spam filters.
Direct Attack on Server Data is compromised, malware and backdoors are installed, and the site is down. Payment information – provided that it is not stored on the server – is probably safe.
Silent Card Capture (Phishing) Hackers install hidden malware or card capture software or possibly modify the checkout page to phishing credit card data. Such attacks can go secretly for a long time, and result in a significant compromise of customer accounts and financial information.
  1. Try to find the attack vector to decide how and when the site was compromised. Read server log files and file changes. Sometimes there are multiple different attacks on the same system.
  2. If possible, format and reinstall everything. In the case of virtual hosting, create a new instance. Malware might be hidden in an unsuspected location, just waiting to restore itself. Remove all unnecessary files. Then, reinstall all required files from a known, clean source.
  3. Update security patches.
  4. Reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin login.
  5. If payment information was compromised, it might be necessary to contact your payment processor.
  6. Contact your customers about the attack and the type of information affected. If payment information was compromised, they should check for unauthorized transactions. If personal data including email addresses was compromised, they might be targeted with phishing or spam.

A Complete Guideline Of Security In Magento 2

In the previous articles, we described alternative media storage in Magento 2 including several tutorials on using the database and using the Content Delivery Network. In this article, we will describe security best practices, tutorial on managing Admin sessions and certifications, implement CAPTCHA, and maintain website restrictions.

For security reason, please visit a Magento Security Center and sign up the Security Alert Registry to receive the latest news about potential vulnerabilities and best practices. Don’t forget to set up a Security Scan for each domain in your Magento 2 installation.

Security Center
Security Center

A Security Scan provides a function to monitor each of your Magento sites for known security risks, and to receive patch updates and security notifications. From the Security Scan, store administrators can get the status of the real-time security in the store, schedule security scan weekly, daily, or on demand, receive reports with the results of security tests and the recommended actions for each failed test.

Security Scan
Security Scan

The Security Scan tool is in the dashboard of Magento account. For further information about security, please read the tutorial on how to run the security scan, security best practice and security action plan.

Above is an insight into the security system in Magento 2, we hope that you can find useful information from this article and build the best protection for your shopping website. In the next article, we will describe a complete guideline of security best practice in Magento 2 installation. Keep tracking Magestandard by subscribe us to read further information about security in Magento 2.

A Tutorial On Using A Content Delivery Network For Magento 2 Media Storage

As we said in previous articles, store administrators can use a Content Delivery Network (CDN) to store media files. Although the version of Magento that is installed “on-premise” does not include integration with any specific CDN, store administrators can choose and use their CDN. Magento Commerce (Cloud) consists of the Fastly CDN. To learn more, see Fastly in the Magento developer documentation.

After configuring the CDN, you must complete the configuration from the Admin. You can make the changes at either the global or website level. When a CDN is used for media storage, all paths to media on store pages are changed to the CDN paths that are specified in the configuration.

CDN Workflow

  1. Browser requests media: A page from the web store opens in the browser, and the browser requests the media that is specified in the HTML.
  2. Request sent to CDN; images found and served. First, the request is sent to the CDN. If the CDN has the images in storage, the media files will be served to the browser.
  3. Media not found, request sent to Magento web server. If the media files are not available in the CDN, the request is sent to the Magento web server. If the media files are available in the file system, the web server sends them to the browser.

For security reason, JavaScript may not work correctly if the CDN is placed outside of the subdomain when a CDN is used as media storage.

Follow these steps to configure a content delivery network for Magento 2 media storage:

On Admin sidebar click Stores > Under Settings click Configuration > Under General click Web. Set Store View as needed, open the Base URLs tab and follow these steps:

Content Delivery Network For Magento 2_1

Enter the URL of the location on the CDN where static view files are stored to the Base URL for Static View Files.

Enter the URL of the JS files on the CDN to the Base URL for User Media Files.

You can empty these field or can start with the placeholder: {{unsecure_base_url}}

Open the Base URLs (Secure) tab:

Base URLs (Secure)
Base URLs (Secure)

Do the same as above and click the Save Config

Tutorial On Using Database In Magento 2 Media Files Storage

In the default installation of Magento 2 Open Source, images, compiled CSS files, and JS files of the Magento instance are saved in the file system on the server. Store administrators can store these files in a database on a database server. This method allows you to select between auto-sync and reverse-sync between the web server file system and the database. You can use the default database to store media or create a new one. To use a newly created database as media storage, you must include information about it and its access credentials in the local .xml file.

The database workflow of using database In Magento 2 media files storage below:

  1. Browser requests media: The browser requests the media that is specified in the HTML while opening a page in the store on the browser.
  2. The system looks for media in the file system: The media files will be searched and found in the file system and send to the browser.
  3. The system locates media in database: If the file is not available in the system, a request is sent to the database that is specified in the configuration.
  4. The system locates media in database: A PHP script sends the files from the database to the file system and sent to the browser.

If the server is supported and web server rewrites are enabled for Magento, the PHP script runs only when the requested media files are not in the file system.

If the server is not supported or web server rewrites are disabled for Magento, the PHP script runs even if the requested media files exist in the file system.

To configure a database for media storage, please follow these steps:

On the admin sidebar click Stores, under Settings click Configuration, under Advanced, click System. To apply the configuration at the global level, set Store View to Default Config. Open the Storage Configuration for Media tab and follow these steps:

Storage Configuration for Media (Database)
Storage Configuration for Media (Database)
  • Uncheck the Use system value checkbox
  • Set Media Storage to “Database.”
  • Set Select Media Database to the database you want to use.
  • Click Synchronize, enter the Environment Update Time and click Save Config.

In the next article, we will describe tutorial on using a CDN as a media storage for Magento 2 online store. Keep tracking Magestandard and see you in the next blog post.