To protect passwords and other sensitive data, Magento uses an encryption key. The industry-standard Advanced Encryption Standard (AES-256) is used to encrypt all data that must later be decrypted, which includes credit card data and integration (payment and shipping module) passwords. Data that never needs to be decrypted, such as passwords that are only ever verified, is not encrypted but hashed with a one-way hash (SHA-256), so it cannot be recovered even by someone who holds the key.
During installation you can either let Magento generate an encryption key or supply your own. The Encryption Key tool lets you change the key later. Change the key periodically to improve security, and immediately whenever the original key might have been compromised. Whenever the key is changed, all legacy data is re-encrypted with the new key.
For technical information, see Install the Magento software in the developer documentation.
This article describes how to make the configuration file writable and how to change the encryption key from the Magento 2 Admin.
Step 1: Make the File Writable
Before changing the encryption key, make sure that [your store]/app/etc/env.php (the file that stores the key) is writable by the user the web server runs as. Set it back to read-only once the change is complete.
Step 2: Change the Encryption Key
On the Admin sidebar, tap System. Then under Other Settings, choose Manage Encryption Key.
Do one of the following: to generate a new key, set Auto-generate Key to “Yes”; to use a key of your own, set Auto-generate Key to “No” and enter or paste the key in the New Key field.
Tap Change Encryption Key.
Save a record of the new key in a safe place; it is required to decrypt the data if anything goes wrong with your files.
Above is a tutorial on how to use the encryption key in the Magento 2 Admin. We hope it helps you keep your web store secure. See you in the next post.
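Step 1 and Step 2 above touch the one file that, if lost or corrupted, makes encrypted data unrecoverable. The helpers below are an added example, not code from this page or from Magento: they back up app/etc/env.php before the change, open it for writing only while the Admin tool runs, and read the configured key back afterwards so you can record it. They assume the store root is passed as the first argument, that env.php still contains the single-line 'key' => '...' entry written by the installer (if the key has been rotated before, inspect the entry by hand, since it may span several lines), and that modes 0640 (unlocked) and 0440 (locked) fit your deploy-user/web-group setup.

```shell
#!/bin/sh
# Added example (not from this page or from Magento): pre-flight helpers for
# Step 1 and Step 2. app/etc/env.php holds the crypt key, so back it up before
# the change, open it for writing only while the Admin tool runs, and read the
# configured key back afterwards to record it somewhere safe.
# Assumptions: $1 is the store root (default "."); env.php contains the
# single-line "'key' => '...'" entry the installer writes; the modes 0640
# (unlocked) and 0440 (locked) suit your deploy-user/web-group setup.

env_file() { printf '%s/app/etc/env.php' "${1:-.}"; }

# Succeeds if env.php exists and the current user may write it.
env_is_writable() {
    f=$(env_file "$1")
    [ -f "$f" ] && [ -w "$f" ]
}

# Copy env.php to a 0600 backup beside it and print the backup path. Keep it:
# if re-encryption fails half-way, the old key is the only way to read data
# encrypted before the change.
backup_env() {
    f=$(env_file "$1")
    b="$f.bak.$(date +%Y%m%d%H%M%S)"
    cp "$f" "$b" && chmod 600 "$b" && printf '%s\n' "$b"
}

# Open env.php for writing before Step 2 and set it read-only again afterwards.
unlock_env() { chmod 640 "$(env_file "$1")"; }
lock_env()   { chmod 440 "$(env_file "$1")"; }

# Print the crypt key currently configured in env.php (first match only).
current_key() {
    sed -n "s/^[[:space:]]*'key' => '\([^']*\)'.*/\1/p" "$(env_file "$1")" | head -n 1
}

# Typical use (source the file, then):
#   backup_env /var/www/magento; unlock_env /var/www/magento
#   ... change the key in the Admin (Step 2) ...
#   current_key /var/www/magento; lock_env /var/www/magento
```

Move the backup out of the web root once the change has been verified; it contains the old key and the database credentials just like env.php itself.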
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a verification method that makes sure that a human being is interacting with websites. It can be used for admin login and customer logins.
The CAPTCHA is configurable and can be shown on every login or only after a number of failed login attempts. It can also be added to the Admin login form. A new image can be requested at any time by clicking the Reload icon.
To configure an admin captcha, follow these steps:
Go to Stores > Configuration. In the left panel, under Advanced, click Admin. Set Store View to “Default”, expand the CAPTCHA section, and follow these steps:
Set Enable CAPTCHA in Admin to “Yes.”
Enter the Font for the CAPTCHA symbols. Default font: LinLibertine.
To add your own font, put the font file in the same directory as your Magento instance and declare it in the config.xml file of the Captcha module (app/code/Magento/Captcha/etc, or vendor/magento/module-captcha/etc in a Composer-based installation). Do not edit that core file in place, because the change is lost on the next upgrade; declare the font from the config.xml of your own module instead.
Select the Forms where the CAPTCHA is to be used:
Admin Login
Admin Forgot Password
Set Displaying Mode to one of these options:
Always: a CAPTCHA is always required to log in to the Admin.
After number of attempts to Login: a CAPTCHA appears only after the number of failed login attempts set in the next field.
In Number of Unsuccessful Attempts to Login, enter the number of failed login attempts before the CAPTCHA is shown; entering 0 is the same as setting Displaying Mode to Always. This setting does not apply to the Forgot Password form: if CAPTCHA is enabled and configured for that form, it is always shown there.
In the CAPTCHA Timeout (minutes) field, enter the number of minutes before the CAPTCHA expires. When the CAPTCHA expires, the user must reload the page.
Enter the Number of Symbols used in the CAPTCHA, the maximum number is eight.
In the Symbols Used in the CAPTCHA field, specify the symbols that can be used in the CAPTCHA.
Set Case Sensitive to “Yes” to require that users enter the characters exactly as shown.
Click Save Config.
For the storefront, you can require customers to enter a CAPTCHA on every login or only after a number of failed login attempts.
Follow these steps to configure a Storefront CAPTCHA:
Go to Stores > Configuration. In the left panel, under Customers, click Customer Configuration, expand the CAPTCHA section, and do the following:
Set Enable CAPTCHA on Frontend to “Yes.”
Enter the name of the Font used for the CAPTCHA symbols (default: LinLibertine).
Select the Forms on which the CAPTCHA appears.
Set Displaying Mode to “Always” or “After number of attempts to Login”.
Enter the Number of Unsuccessful Attempts to Login before the CAPTCHA is shown (0 means it is always shown).
In CAPTCHA Timeout (minutes), enter the number of minutes before the CAPTCHA expires.
Enter the Number of Symbols in the CAPTCHA (maximum eight).
In Symbols Used in the CAPTCHA, specify the characters that may appear in the CAPTCHA.
Set Case Sensitive to “Yes” to require that customers enter the characters exactly as shown, then click Save Config.
Configuring security in the Magento 2 Admin is important work. The first thing to do after installing Magento on the server is to set a custom Admin URL. In a default installation, an Admin password must be seven or more characters long and include both letters and numbers.
For stronger protection, add two-factor authentication, which requires a one-time code generated on a mobile device in addition to the password.
The Admin Security configuration lets store administrators add a secret key to Admin URLs, make logins case sensitive, limit the length of an Admin session and the lifetime of a password, and set the number of failed login attempts after which an Admin account is locked. For additional security, the Admin login can also require a CAPTCHA.
Follow these steps to configure Admin security:
On the admin sidebar, click Stores. Under Settings, click Configuration.
On the left of the panel under Advanced, click Admin.
Open the Security tab and do these steps:
Set Admin Account Sharing to “No” so that one Admin account cannot be logged in from more than one device at the same time.
Set Password Reset Protection Type to the method used to manage password reset requests:
By IP and Email: the password can be reset online after the user responds to the notification sent to the email address associated with the Admin account.
By IP: the password can be reset online without additional confirmation.
By Email: the password can be reset only by responding to the email notification sent to the email address associated with the Admin account.
None: only the store administrator can reset the password.
Recovery Link Expiration Period (hours): enter the number of hours a password recovery link remains valid.
Max Number of Password Reset Requests: enter the maximum number of password reset requests that can be submitted per hour.
Min Time Between Password Reset Requests: enter the minimum number of minutes that must pass between password reset requests.
Set Add Secret Key to URLs to “Yes” to append a secret key to every Admin URL. This is the form key that protects Admin actions against cross-site request forgery, so leave it enabled.
Set Login is Case Sensitive to “Yes” to require that the uppercase and lowercase characters entered at login match exactly what is stored in the system.
Admin Session Lifetime (seconds): enter the length of an Admin session before it times out; the value must be 60 seconds or higher.
Maximum Login Failures to Lockout Account: enter the number of failed login attempts allowed before the Admin account is locked. In a default installation, six attempts are allowed. Leave the field empty for unlimited attempts (not recommended).
Lockout Time (minutes): enter the number of minutes an Admin account stays locked after the maximum number of failed attempts is reached.
Password Lifetime (days): enter the number of days an Admin password remains valid. Leave the field blank for an unlimited lifetime.
Set Password Change to one of these options:
Forced: requires Admin users to change their passwords after the account is set up.
Recommended: recommends that Admin users change their passwords after the account is set up.
Click Save Config.
Admin Password Requirements
An Admin password must be at least seven characters long and must include both letters and numbers. That is only the minimum the system enforces; the longer passphrases with mixed case and symbols recommended elsewhere in this guide are still advisable.
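Both procedures above, the Admin CAPTCHA settings and the Admin Security settings, can also be applied from the command line with bin/magento config:set, which keeps the hardening repeatable across environments and reviewable in version control. The script below is an added example, not code from this page or from Magento. It checks the values the Admin form would reject or silently reinterpret (a symbol count above eight, a session lifetime under 60 seconds, a negative attempt count, a display mode other than always/after_fail) and then writes the settings. The configuration paths are assumed to match the Magento_Captcha and Magento_Security modules' system.xml; confirm them on your version with bin/magento config:show admin/captcha and bin/magento config:show admin/security before relying on them. The numeric values are policy examples, and MAGENTO_BIN can be pointed at echo for a dry run.

```shell
#!/bin/sh
# Added example (not from this page or from Magento): apply the Admin CAPTCHA
# and Admin Security settings with bin/magento config:set after validating them.
# Assumptions: run from the Magento root; config paths follow the Magento_Captcha
# and Magento_Security system.xml (verify with bin/magento config:show);
# MAGENTO_BIN may be pointed at "echo" for a dry run.

MAGENTO_BIN=${MAGENTO_BIN:-bin/magento}

# Policy values (examples; tune to your own requirements).
CAPTCHA_FORMS='backend_login,backend_forgotpassword'
CAPTCHA_MODE=after_fail      # or: always
CAPTCHA_ATTEMPTS=3           # 0 behaves like "always", whatever CAPTCHA_MODE says
CAPTCHA_TIMEOUT=7            # minutes before the image expires
CAPTCHA_LENGTH=6             # 1..8 symbols
CAPTCHA_SYMBOLS='ABCDEFGHJKMNPQRSTUVWXYZ23456789'   # no look-alikes (0/O, 1/I/l)
SESSION_LIFETIME=900         # seconds, must be >= 60
LOCKOUT_FAILURES=6           # empty string = unlimited attempts
LOCKOUT_MINUTES=30
PASSWORD_LIFETIME=90         # days, empty string = never expires
RESET_LINK_HOURS=2
RESET_MAX_PER_HOUR=5
RESET_MIN_MINUTES=10

set_cfg() { "$MAGENTO_BIN" config:set "$1" "$2"; }

# Enforce the limits the Admin form applies; prints each violation, returns 1 on any.
check_values() {
    rc=0
    { [ "$CAPTCHA_LENGTH" -ge 1 ] && [ "$CAPTCHA_LENGTH" -le 8 ]; } 2>/dev/null \
        || { echo "Number of Symbols must be between 1 and 8" >&2; rc=1; }
    [ "$CAPTCHA_ATTEMPTS" -ge 0 ] 2>/dev/null \
        || { echo "Number of Unsuccessful Attempts must be 0 or more" >&2; rc=1; }
    [ "$CAPTCHA_MODE" = always ] || [ "$CAPTCHA_MODE" = after_fail ] \
        || { echo "Displaying Mode must be always or after_fail" >&2; rc=1; }
    [ "$SESSION_LIFETIME" -ge 60 ] 2>/dev/null \
        || { echo "Admin Session Lifetime must be at least 60 seconds" >&2; rc=1; }
    if [ -n "$LOCKOUT_FAILURES" ]; then
        [ "$LOCKOUT_FAILURES" -ge 1 ] 2>/dev/null \
            || { echo "Maximum Login Failures must be 1 or more, or empty" >&2; rc=1; }
    fi
    return $rc
}

# Admin CAPTCHA section (Stores > Configuration > Advanced > Admin > CAPTCHA).
apply_admin_captcha() {
    set_cfg admin/captcha/enable 1
    set_cfg admin/captcha/forms "$CAPTCHA_FORMS"
    set_cfg admin/captcha/mode "$CAPTCHA_MODE"
    set_cfg admin/captcha/failed_attempts_login "$CAPTCHA_ATTEMPTS"
    set_cfg admin/captcha/timeout "$CAPTCHA_TIMEOUT"
    set_cfg admin/captcha/length "$CAPTCHA_LENGTH"
    set_cfg admin/captcha/symbols "$CAPTCHA_SYMBOLS"
    set_cfg admin/captcha/case_sensitive 1
}

# Admin Security section (Stores > Configuration > Advanced > Admin > Security).
apply_admin_security() {
    set_cfg admin/security/admin_account_sharing 0
    set_cfg admin/security/use_form_key 1                  # Add Secret Key to URLs
    set_cfg admin/security/use_case_sensitive_login 1
    set_cfg admin/security/session_lifetime "$SESSION_LIFETIME"
    set_cfg admin/security/lockout_failures "$LOCKOUT_FAILURES"
    set_cfg admin/security/lockout_threshold "$LOCKOUT_MINUTES"
    set_cfg admin/security/password_lifetime "$PASSWORD_LIFETIME"
    set_cfg admin/security/password_is_forced 1            # Password Change: Forced
    set_cfg admin/security/password_reset_link_expiration_period "$RESET_LINK_HOURS"
    set_cfg admin/security/max_number_password_reset_requests "$RESET_MAX_PER_HOUR"
    set_cfg admin/security/min_time_between_password_reset_requests "$RESET_MIN_MINUTES"
}

apply_all() { check_values && apply_admin_captcha && apply_admin_security; }

# Only act when invoked with --apply, so the file can also be sourced for its functions.
if [ "${1:-}" = --apply ]; then
    apply_all
fi
```

Run it as sh apply-admin-security.sh --apply from the Magento root, then bin/magento cache:clean config so the new values take effect. The storefront CAPTCHA uses the same keys under customer/captcha/ (for example customer/captcha/forms with form ids such as user_login and user_forgotpassword), so the same pattern covers the Storefront procedure as well.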
In the previous article we described a complete guideline of security best practices for Magento 2 users. However, a site whose security is not checked regularly can be broken into, and a compromise puts your business at risk. This article describes an action plan, so you know what to do when you suspect that your site has been compromised.
DIAGNOSE. Scan your website to establish the security status of your Magento store. MageReport.com is a free service recommended for all Magento users.
REPORT. If you have found a vulnerability in Magento, send a description of the problem with technical details to email@example.com.
UPGRADE. For additional peace of mind that comes from 24/7 support, plan your upgrade now to Magento Commerce Cloud.
Above is a quick action plan for Magento 2 security. We hope you never have to use it, but following this list will help you defend against attackers and protect your online store from malicious code. If you have a more effective method for securing your online store, please leave a comment or contact us directly, and we will update this article as soon as possible. The next blog post in the Security for Magento 2 series covers configuring Admin Security. See you in the next blog post.
Because personal, payment and credit card information is required to complete a sale, attackers constantly target eCommerce sites. When a site is hacked, customers may suffer financial loss and identity theft, and merchants lose merchandise and see their reputations collapse. This guideline describes a multifaceted approach to strengthening the security of your Magento installation so that your online store stays secure and avoids being hacked.
Choose reliable hosting providers and solution integrators. When checking their qualifications, look at their approach to security: make sure that they test their code for security issues and follow a standard secure software development life cycle, such as the practices published by the Open Web Application Security Project (OWASP).
Launch your site, or upgrade an existing one, so that it runs entirely over encrypted HTTPS.
Protect the environment
Update all software and security patches on your server, including other websites and database software.
Secure the server operating system. Your hosting provider must ensure that they do not install any unnecessary software on the server.
Manage files using SSH/SFTP/HTTPS, and disable FTP.
To protect system files when using the Apache web server, Magento ships .htaccess files. If you use another web server such as Nginx, make sure that all system files and directories are protected. For a sample Nginx configuration, see the nginx.conf.sample file in the Magento 2 repository on GitHub.
Use secure and unique passwords (at least 20 characters including uppercase, lowercase, numbers, and symbols) and change them periodically.
Update the software and security patches.
Check any issues that are reported for software components used by your Magento installation, including the operating system, MySQL database, PHP, Redis (if used), Apache or Nginx, Memcached, Solr, and any other components in your specific configuration.
Restrict access to cron.php (pub/cron.php in Magento 2) to only the users that need it, for example by IP address. If possible, block web access to it entirely and run the cron jobs from the system cron scheduler instead (bin/magento cron:run).
Automate the deployment process, if possible, and use private keys for data transfer.
Restrict access to the Magento Admin by allow-listing the IP addresses of the computers authorized to use it (and, on Magento 1, the Magento Connect downloader). To learn how to allow-list IP addresses, read: Secure Your Magento Admin.
Do not install extensions directly on a production server. On Magento 1, block or remove access to the /downloader directory to disable the Magento Connect downloader on the production site; Magento 2 has no such directory, so deploy extensions with Composer from a build environment instead. Use the same allow-listing methods where necessary.
Use two-factor authentication for Admin logins. Some extensions provide additional security by requiring a generated passcode on your phone or a token from a particular device.
Check your server for “development leftovers.” Clear all available log files, publicly visible .git directories, tunnels to execute SQL, database dumps, phpinfo files, or any other unprotected files that are not required, and might be used for hacking.
Restrict outgoing connections to only those that are required, such as for payment integration.
Use a Web Application Firewall to block all suspicious traffic, such as credit card information being sent to a hacker.
Secure all applications running on the server.
Avoid running other software on the same server as Magento, especially software reachable from the Internet. Vulnerabilities in blog applications such as WordPress can leak personal information from the Magento database. Install such software on a different server or virtual machine.
Update the software and security patches.
Admin Desktop Environment
Secure the computer that is used to access the Magento Admin.
Update your antivirus software, and use a malware scanner. Do not install any unknown programs, or click suspicious links.
Use a password manager tool, for example, LastPass, 1Password, or Dashlane to create and manage secure, unique passwords. Use a secure password to log in to the computer (20 characters including uppercase, lowercase, numbers and special characters), and change it periodically.
Do not save FTP passwords in FTP programs; stored credentials are a common target of malware and are then used to infect servers.
Update the Magento installation and security patches to enhance security.
Use a unique, custom Admin URL so that scripts that probe every Magento site at the default Admin path cannot find yours.
Check with your hosting provider before using a custom Admin URL. Some hosting providers require a standard URL to meet firewall protection rules.
Block access to any development, staging, or testing systems. Use IP whitelisting and .htaccess password protection. When compromised, such systems can produce a data leak or be used to attack the production system.
Use the correct file permissions. Set the core Magento files and directories, including app/etc/env.php and app/etc/config.php (app/etc/local.xml in Magento 1), to read-only.
Use a secure password for the Magento Admin (20 characters including uppercase, lowercase, numbers and special characters).
Only download and install extensions from trusted sources. Review extensions for security issues before installing them.
Do not click suspicious links or email.
Do not reveal the password to your server or the Magento Admin unless you are required to do so.
Build a disaster recovery/business continuity backup plan.
Back up your server and database automatically to an external location. A typical setup uses daily incremental backups with a full backup every week. Test the backups regularly to verify that data can be restored.
For a large site, simple text file dumps of the database take a long time to restore. To deploy a professional database backup solution, work with your hosting provider.
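Two items in the checklist above, clearing development leftovers (publicly visible .git directories, phpinfo files, database dumps, logs) and setting correct file permissions, are easy to check mechanically before every release. The script below is an added example, not code from this page or from Magento. It assumes the directory to scan is passed as the first argument (point it at the web root, normally pub/, or at the Magento root if that is what the web server serves), a Magento 2 layout with app/etc/env.php, and a constructed list of leftover file names that you should extend with whatever your own tooling leaves behind. It looks only at names and modes, not at file contents.

```shell
#!/bin/sh
# Added example (not from this page or from Magento): audit a Magento tree for
# the "development leftovers" and loose permissions listed in the checklist.
# Assumptions: $1 is the directory to scan (the web root, normally pub/, or the
# Magento root if that is what is served); Magento 2 layout with
# app/etc/env.php; only names and modes are inspected, not contents.

# Names that have no business on a production web server (constructed list;
# extend it with whatever your deployment tooling leaves behind).
LEFTOVER_NAMES='.git .svn .env phpinfo.php info.php adminer.php *.sql *.sql.gz *.tar.gz *.zip *.bak *.orig *.log'

# Print every matching path under $1, one per line. Globbing is switched off
# so the patterns reach find(1) unexpanded.
find_leftovers() {
    root=${1:-.}
    set -f
    for name in $LEFTOVER_NAMES; do
        find "$root" -name "$name" -print 2>/dev/null
    done
    set +f
}

# World-writable files or directories: any local user, or a compromised
# neighbouring application, could replace them with a backdoor.
find_world_writable() {
    find "${1:-.}" -perm -002 -print 2>/dev/null
}

# env.php carries the database password and the crypt key; succeeds (0) when
# it is readable by everyone on the host.
env_world_readable() {
    f="${1:-.}/app/etc/env.php"
    [ -f "$f" ] && find "$f" -perm -004 -print | grep -q .
}

# Run all checks. Prints one finding per line; returns 1 if anything was found.
audit() {
    root=${1:-.}
    findings=$( { find_leftovers "$root"; find_world_writable "$root"; } | LC_ALL=C sort -u )
    if env_world_readable "$root"; then
        findings="$findings
WORLD-READABLE: $root/app/etc/env.php"
    fi
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sed '/^$/d'
    return 1
}

# Usage: sh audit-leftovers.sh --scan /var/www/magento/pub
if [ "${1:-}" = --scan ]; then
    audit "${2:-.}"
fi
```

A non-zero exit from audit is a convenient release gate in a deployment pipeline; the list of names is deliberately conservative, so review each finding rather than deleting blindly.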
Monitor for Signs of Attack
To check for signs of attack, complete a security review periodically, and also when contacted by customers with security-related concerns.
To install and set up an Intrusion Detection System on your network and review server logs for suspicious activity, work with your hosting provider.
Use a file and data integrity checking tool such as Tripwire to be notified of any potential malware installation.
Monitor all system logins (FTP, SSH) for unexpected activity, uploads, or commands.
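The integrity-checking advice above is worth having even before a full Tripwire deployment is in place. The script below is an added example, not code from this page or from Magento: it hashes every regular file under a directory, stores the list as a baseline, and later reports files that were added, removed or modified, which is exactly how a planted card skimmer in pub/static or a backdoor in app/code shows up. It assumes sha256sum (coreutils) or shasum is installed, that paths contain no whitespace, and that the baseline file is kept somewhere the web server user cannot write.

```shell
#!/bin/sh
# Added example (not from this page or from Magento): a minimal file-integrity
# baseline in the spirit of Tripwire. Hash every regular file under a directory,
# keep the list outside the web root, and later report added, removed and
# modified files. Assumptions: sha256sum (coreutils) or shasum is installed;
# paths contain no whitespace; the baseline is stored where the web user cannot
# write it.

if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH='shasum -a 256'; fi

# Print "<sha256>  ./relative/path" for every regular file under $1, sorted by path.
# $HASH is deliberately unquoted so the "shasum -a 256" fallback splits into words.
hash_tree() {
    (cd "$1" && find . -type f -exec $HASH {} + | LC_ALL=C sort -k 2)
}

# Record the baseline for directory $1 into file $2.
make_baseline() { hash_tree "$1" > "$2"; }

# Compare directory $1 against baseline file $2. Prints ADDED/REMOVED/MODIFIED
# lines, one per path, and returns 1 if anything differs (0 when clean).
check_baseline() {
    root=$1; base=$2
    tmp=$(mktemp)
    hash_tree "$root" > "$tmp"
    diffs=$(awk -v basefile="$base" '
        FILENAME == basefile { base[$2] = $1; next }
        !($2 in base)        { print "ADDED " $2; next }
        base[$2] != $1       { print "MODIFIED " $2 }
        { delete base[$2] }
        END { for (p in base) print "REMOVED " p }
    ' "$base" "$tmp" | LC_ALL=C sort)
    rm -f "$tmp"
    if [ -z "$diffs" ]; then
        return 0
    fi
    printf '%s\n' "$diffs"
    return 1
}

# Usage: integrity.sh baseline <dir> <file>   or   integrity.sh check <dir> <file>
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Run the check from cron against pub/static, app/code and app/design and alert on a non-zero exit; regenerate the baseline only as part of a deployment, so that any change outside a deploy is by definition suspicious.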
Follow Your Disaster Recovery Plan
If your website is compromised, work with your IT security team, hosting provider and system integrator to determine the scope of the attack. Take into account the type of compromise and the size of the store, then adjust the following recommendations to your business needs.
Block access to the site, so the hacker cannot erase evidence or steal more data.
Backup the current site, which will include evidence of the installed malware or compromised files.
Determine the scope of the attack. Was credit card data accessed? What type of data was stolen? Was the data encrypted? How much time has passed since the compromise? Typically you can expect one of the following types of attack:
Defacement: site access is compromised, but often the payment information is not. User accounts might be compromised.
Botnetting: attackers use your site as part of a botnet that sends spam email. Although data is not compromised, your server is blacklisted by spam filters.
Direct Attack on Server: data is compromised, malware and backdoors are installed, and the site is down. Payment information, provided that it is not stored on the server, is probably safe.
Silent Card Capture: attackers install hidden malware or card-capture software, or modify the checkout page, to skim credit card data. Such attacks can go unnoticed for a long time and result in a significant compromise of customer accounts and financial information.
Try to find the attack vector to determine how and when the site was compromised. Review server log files and file-change timestamps. Sometimes there are several different attacks on the same system.
If possible, format and reinstall everything; on virtual hosting, create a new instance. Malware can hide in unexpected locations, waiting to restore itself. Remove all unnecessary files, then reinstall all required files from a known clean source.
Apply all security patches.
Reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin login.
If payment information was compromised, it might be necessary to contact your payment processor.
Contact your customers about the attack and the type of information affected. If payment information was compromised, they should check for unauthorized transactions. If personal data including email addresses was compromised, they might be targeted with phishing or spam.