Magestandard

A Complete Tutorial On Configuring Admin Security In Magento 2 Admin Panel

Configuring Security In Magento 2 Admin Panel is an important work. The first thing you have to do after installed Magento on the server implements a custom admin URL. In the default installation of Magento, the admin password must be seven or more characters long including uppercase, lowercase, numbers, and symbols.

For higher security, you can implement two-factor authentication that generates a token on the mobile device.

The Admin Security Configuration allows store administrators to add a secret key to URLs, require a password to be case sensitive, restrict admin sessions length, the lifetime of the password, the number of login attempts before the system lock admin user account. For additional security, the Admin login can require a CAPTCHA.

Follow these steps to configure Admin security:

On the admin sidebar, click Stores. Under Settings, click Configuration.
On the left of the panel under Advanced, click Admin.
Open the Security tab and do these steps:

Set Admin Account Sharing to “No” so admin cannot login from the same account on different devices.
To set the method that is used to manage password reset requests, set Password Reset Protection Type:

By IP and Email	You can reset the password online after received a response from the notification is sent to the email address integrated with the Admin account.
By IP	You can reset the password online without additional confirmation.
By Email	You can reset the password only by responding by email to the notification that is sent to the email address integrated with the Admin account.
None	Only the store administrator can reset the password.

Recovery Link Expiration Period (hours): enter the number of hours a password recovery link remains valid.
Max Number of Password Reset Requests: determine the maximum number of password requests that can be submitted per hour.
Min Time Between Password Reset Requests field: enter the minimum number of minutes that must pass between password reset requests.
Add Secret Key to URL: Append a secret key to the Admin URL as a precaution against exploits, set to “Yes.”
Set Login is Case Sensitive to “Yes” to require that the use of uppercase and lowercase characters in any login processes entered match what is stored in the system.
Admin Session Lifetime (seconds): determine the length of an Admin session before it times out, the value must be 60 seconds or higher.
Maximum Login Failures to Lockout Account: Enter the number of times a user can log in to the Admin account before it is locked. In the default installation, six attempts are allowed. Empty the field for unlimited login attempts.
Lockout Time (minutes) field: enter the minutes that an Admin account is locked when reached the maximum number of attempts.
Password Lifetime (days): Enter the number of days a password is valid to limit the lifetime of Admin passwords. For an unlimited lifetime, leave the field blank.
Set Password Change to one of these options:

Forced	Requires to change Admin users passwords after the account is set up.
Recommended	Recommends changing Admin users passwords after the account is set up.

Click Save Config

Admin Password Requirements

FIELD	DESCRIPTION
Password	An Admin password must be at least seven characters long including uppercase, lowercase, numbers and symbols.

A Fast Action Plan For Magento 2 Security

On the previous article, we described a complete guideline of security best practice for Magento 2 platform users. However, sometimes you forget to check the security of your website and hackers can break into your website and compromise your business. In this article, we will describe an action plan, so you will know what you have to do when suspect that your site is compromised.

	DIAGNOSE. Scan your website to establish the security status of your Magento store. MageReport.com is a recommended service for free to all Magento users.
	CLEAN. Contact a qualified consultant or online service to clean your site of all malicious code. The most recommended from Magento users is Sucuri Website Malware Removal. Remove the leftover executable code in /media folder. Remove unknown Admin users and reset all Admin passwords.
	PROTECT. Update your Magento installation and security patches Subscribe to Magento Security Alerts. Review and follow Magento Security Best Practices.
	REPORT. If you have found a vulnerability in Magento, send a description of the problem with technical details to security@magento.com.
	UPGRADE. For additional peace of mind that comes from 24/7 support, plan your upgrade now to Magento Commerce Cloud.

Above is a fast action plan for Magento 2 security, we hope that you don’t have to use this action plan, or at least you can follow this list to defend yourself against hackers and protect your online store from malicious code. If you have more effective method to secure your online store, please leave a comment or contact us directly, and we will update this article as soon as possible. On the next blog post about Security For Magento 2, we will describe tutorial on configuring Admin Security. See you in the next blog post.

A Complete Guideline Of Security Best Practice For Magento 2 Platform Users

Because of the personal, payment and credit card information that is required to complete a sale, hackers are always aiming to eCommerce sites. When a website is hacked, customers might suffer money loss and private identity theft, and merchants suffer lost of merchandise, their reputations collapse. In this guideline, we will describe a multifaceted approach to enhance the security system of your Magento installation, so you can make your online store secure and avoid being hacked.

Start Right

Choose the reliable hosting providers and solution integrators. When checking their qualifications, check their approach to security. Make sure that they pentest their code for security issues, and they have a standard secure software development life cycle, for example, The Open Web Application Security Project (OWASP).

Launching your site or upgrade to run it over securely, encrypted HTTPs

Protect the environment

Update all software and security patches on your server, including other websites and database software.

Server Environment

	Secure the server operating system. Your hosting provider must ensure that they do not install any unnecessary software on the server.
	Manage files using SSH/SFTP/HTTPS, and disable FTP.
	To protect system files when using the Apache web server, Magento includes .htaccess files. If you use another web server such as Nginx, make sure to protect all system files and directories. For a sample Nginx configuration, see magento-nginx.conf on GitHub.
	Use secure and unique passwords (at least 20 characters including uppercase, lowercase, numbers, and symbols) and change them periodically.
	Update the software and security patches.
	Check any issues that are reported for software components used by your Magento installation, including the operating system, MySQL database, PHP, Redis (if used), Apache or Nginx, Memcached, Solr, and any other components in your specific configuration.
	Restrain access to the cron.php file to only required users. For example, restrict access by IP address. If possible, block access entirely and execute the command using the system cron scheduler.

Advanced Techniques

	Automate the deployment process, if possible, and use private keys for data transfer.
	Restrain access to the Magento Admin by list all IP address of computers that are authorized to use the Admin and Magento Connect downloader. To know how to whitelist IP addresses, please read: Secure Your Magento Admin.
	Do not install extensions directly on a production server. Block or remove access to the /downloader directory to disable the Magento Connect downloader on the production site. Use the same whitelisting methods if necessary.
	Use two-factor authorization for Admin logins. Some extensions provide additional security by requiring a generated passcode on your phone or a token from a particular device.
	Check your server for “development leftovers.” Clear all available log files, publicly visible .git directories, tunnels to execute SQL, database dumps, phpinfo files, or any other unprotected files that are not required, and might be used for hacking.
	Restrain outgoing connections to only those that are required, such as for payment integration.
	Use a Web Application Firewall to block all suspicious traffic, such as credit card information being sent to a hacker.

Server Applications

	Secure all applications running on the server.
	Try not to run other software on the same server as Magento, especially if it is accessible from the Internet. Vulnerabilities in blog applications such as WordPress can leak personal information from Magento database. Install such software on a different server or virtual machine.
	Update the software and security patches.

Admin Desktop Environment

	Secure the computer that is used to access the Magento Admin.
	Update your antivirus software, and use a malware scanner. Do not install any unknown programs, or click suspicious links.
	Use a password manager tool, for example, LastPass, 1Password, or Dashlane to create and manage secure, unique passwords. Use a secure password to log in to the computer (20 characters including uppercase, lowercase, numbers and special characters), and change it periodically.
	Do not save FTP passwords in FTP programs, because they are often penetrated by malware and used to infect servers.

Protect Magento

	Update the Magento installation and security patches to enhance security.
	Use a unique, custom Admin URL to avoid to scripts that try to hack into every Magento site. Check with your hosting provider before using a custom Admin URL. Some hosting providers require a standard URL to meet firewall protection rules.
	Block access to any development, staging, or testing systems. Use IP whitelisting and .htaccess password protection. When compromised, such systems can produce a data leak or be used to attack the production system.
	Use the correct file permissions. Set core Magento and directory, including app/etc/local.xml files to read-only.
	Use a secure password for the Magento Admin (20 characters including uppercase, lowercase, numbers and special characters).
	Use all security-related configuration settings of Magento for Admin Security, Password Options, and CAPTCHA.

Don’t be Taken for a Ride

	Only download and install extensions from trusted sources. Review extensions for security issues before installing them.
	Do not click suspicious links or email.
	Do not unveil the password to your server or the Magento Admin, unless you are required to do so.

Be Prepared!

	Build a disaster recovery/business continuity backup plan.
	Backup your server and database automatically to an external location. A typical setup requires daily incremental backups, with a full backup on a weekly basis. To verify that data can be restored, test the backup regularly.
	For a large site, simple text file dumps of the database take a long time to restore. To deploy a professional database backup solution, work with your hosting provider.

Monitor for Signs of Attack

To check for signs of attack, complete a security review periodically, and also when contacted by customers with security-related concerns.

Security Review

	Check for unauthorized Admin users periodically.
	Use automated log review tools such as Apache Scalp.
	To install and set up an Intrusion Detection System on your network and review server logs for suspicious activity, work with your hosting provider.
	Use a file and data integrity checking tool such as TripWire to receive notification of any potential malware installation.
	Monitor all system logins (FTP, SSH) for unexpected activity, uploads, or commands.

Follow Your Disaster Recovery Plan

In case your website is compromised, work with your IT security team, hosting provider and system integrator to decide the scope of the attack. Focus on consideration the type of compromise and the size of the store. Then, adjust the following recommendations to your business needs.

Block access to the site, so the hacker cannot erase evidence or steal more data.
Backup the current site, which will include evidence of the installed malware or compromised files.
Determine the scope of the attack. Was credit card data accessed? What type of data was stolen? Was the data encrypted? How much time has passed since the compromise? Typically you can expect the following types of attack:

Deface	Site access is compromised, but often the payments information is not. User accounts might be compromised.
Botnet	Hackers use your site as a botnet that spams email. Although data is not compromised, your server is blacklisted by spam filters.
Direct Attack on Server	Data is compromised, malware and backdoors are installed, and the site is down. Payment information – provided that it is not stored on the server – is probably safe.
Silent Card Capture (Phishing)	Hackers install hidden malware or card capture software or possibly modify the checkout page to phishing credit card data. Such attacks can go secretly for a long time, and result in a significant compromise of customer accounts and financial information.

Try to find the attack vector to decide how and when the site was compromised. Read server log files and file changes. Sometimes there are multiple different attacks on the same system.
If possible, format and reinstall everything. In the case of virtual hosting, create a new instance. Malware might be hidden in an unsuspected location, just waiting to restore itself. Remove all unnecessary files. Then, reinstall all required files from a known, clean source.
Update security patches.
Reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin login.
If payment information was compromised, it might be necessary to contact your payment processor.
Contact your customers about the attack and the type of information affected. If payment information was compromised, they should check for unauthorized transactions. If personal data including email addresses was compromised, they might be targeted with phishing or spam.

A Complete Guideline Of Security In Magento 2

In the previous articles, we described alternative media storage in Magento 2 including several tutorials on using the database and using the Content Delivery Network. In this article, we will describe security best practices, tutorial on managing Admin sessions and certifications, implement CAPTCHA, and maintain website restrictions.

For security reason, please visit a Magento Security Center and sign up the Security Alert Registry to receive the latest news about potential vulnerabilities and best practices. Don’t forget to set up a Security Scan for each domain in your Magento 2 installation.

A Security Scan provides a function to monitor each of your Magento sites for known security risks, and to receive patch updates and security notifications. From the Security Scan, store administrators can get the status of the real-time security in the store, schedule security scan weekly, daily, or on demand, receive reports with the results of security tests and the recommended actions for each failed test.

The Security Scan tool is in the dashboard of Magento account. For further information about security, please read the tutorial on how to run the security scan, security best practice and security action plan.

Above is an insight into the security system in Magento 2, we hope that you can find useful information from this article and build the best protection for your shopping website. In the next article, we will describe a complete guideline of security best practice in Magento 2 installation. Keep tracking Magestandard by subscribe us to read further information about security in Magento 2.

A Tutorial On Using A Content Delivery Network For Magento 2 Media Storage

As we said in previous articles, store administrators can use a Content Delivery Network (CDN) to store media files. Although the version of Magento that is installed “on-premise” does not include integration with any specific CDN, store administrators can choose and use their CDN. Magento Commerce (Cloud) consists of the Fastly CDN. To learn more, see Fastly in the Magento developer documentation.

After configuring the CDN, you must complete the configuration from the Admin. You can make the changes at either the global or website level. When a CDN is used for media storage, all paths to media on store pages are changed to the CDN paths that are specified in the configuration.

CDN Workflow

Browser requests media: A page from the web store opens in the browser, and the browser requests the media that is specified in the HTML.
Request sent to CDN; images found and served. First, the request is sent to the CDN. If the CDN has the images in storage, the media files will be served to the browser.
Media not found, request sent to Magento web server. If the media files are not available in the CDN, the request is sent to the Magento web server. If the media files are available in the file system, the web server sends them to the browser.

For security reason, JavaScript may not work correctly if the CDN is placed outside of the subdomain when a CDN is used as media storage.

Follow these steps to configure a content delivery network for Magento 2 media storage:

On Admin sidebar click Stores > Under Settings click Configuration > Under General click Web. Set Store View as needed, open the Base URLs tab and follow these steps:

Enter the URL of the location on the CDN where static view files are stored to the Base URL for Static View Files.

Enter the URL of the JS files on the CDN to the Base URL for User Media Files.

You can empty these field or can start with the placeholder: {{unsecure_base_url}}

Open the Base URLs (Secure) tab:

Do the same as above and click the Save Config