Recommended Magento Security Settings
Magento users welcome to our comprehensive guide on optimising the security of your Magento or Adobe Commerce website. Understanding and implementing these settings is crucial for maintaining a robust defence against online threats. Let’s dive into why these recommended Magento security settings are essential and how to apply them effectively to your Adobe commerce website.
In an era where digital security is crucial, we’ve selected key measures to protect your e-commerce site. These recommendations aim to enhance your site’s security and reduce data breaches. Suitable for businesses of all sizes, these settings provide a solid security foundation for your website. Let’s dive into these essential practices for a safer online presence.
Why Are Magento Security Settings Important?
Magento security settings are crucial as they safeguard your e-commerce site against cyber threats, data breaches, and unauthorised access. While ensuring the protection of sensitive customer data and compliance with regulatory standards like PCI and GDPR. This robust security framework not only maintains customer trust but also upholds the integrity and smooth operation of your online business.
- Compliance with PCI and GDPR: These settings help you stay in line with important regulations.
- Malware and Data Leak Prevention: They significantly reduce the chances of malware entry and data breaches.
- Complementary to Maintenance Plans: These settings assume you already have a website maintenance plan as part of your hosting and support setup.
We’ve curated a list of essential Magento security settings that we highly recommend to our e-commerce clients and can be applied to any e-commerce website.
The Magento Security Settings We Recommend
These measures are designed to fortify your site against various cyber threats, ensuring compliance with industry standards, and minimising risks such as data breaches and malware attacks. Whether you’re running a small business or a large enterprise, these settings will provide a robust security framework for your Magento or Adobe Commerce website.
Enable Two-Factor Authentication (2FA)
Use Google Authenticator App: Enabling Two-Factor Authentication (2FA) through the Google Authenticator App is a critical measure in fortifying the security of your Magento admin accounts. This added layer requires users to provide two forms of identification: something they know (like a password) and something they have (like a code from the Authenticator app). By implementing 2FA, you significantly lower the risk of unauthorised access, as it becomes much harder for attackers to breach accounts with just a stolen password. This method effectively combines ease of use with enhanced security, ensuring only verified users can access sensitive areas of your site. It’s an essential step in creating a more secure and resilient e-commerce environment.
Enable Google reCAPTCHA
For Front-End and Admin Area: Enabling Google reCAPTCHA on both front-end and admin areas of your Magento site is crucial for safeguarding against automated attacks. This tool effectively blocks bots and malicious software, particularly on sensitive sections like login and registration pages. Its customisation options allow you to tailor security levels to different site areas, ensuring a strong defence without compromising user experience. This approach not only secures your site but also enhances user trust in your platform’s security.
Regular Data Reviews and Deletions
Customer and Order Data: Periodically review and purge unnecessary data to minimise the risk of sensitive information being compromised. Regular reviews and deletions of customer and order data on your Magento site are crucial for security and compliance. This routine process involves identifying and removing outdated or unnecessary information, minimising the risk of sensitive data exposure in a breach. It’s not just about data removal; it’s also about maintaining data accuracy and relevance, aligning with regulations like GDPR, which emphasise minimal data retention. This proactive approach not only enhances security but also improves site performance and user experience by keeping your database streamlined.
Admin User Management
Delete Old Accounts, Change Passwords Every 3 Months: Regularly removing inactive admin accounts and enforcing password changes enhances security. This routine helps prevent potential security breaches by limiting the usefulness of compromised credentials. Magento’s feature for mandatory periodic password updates reinforces this security measure, ensuring all admin users comply with best practices. These steps not only protect against external threats but also manage internal access, ensuring only current, authorised personnel have admin access, thereby maintaining a secure e-commerce environment.
Role-Based Access Control (RBAC)
Assign Permissions Based on Job Roles: Limit access to sensitive areas of your site by assigning specific roles and permissions to admin users. This approach restricts access to sensitive areas, minimizing data breach risks and streamlining workflows. RBAC is also key for compliance with data protection regulations, ensuring only authorised personnel access sensitive data. Regular updates to roles and permissions are crucial to align with evolving organisational needs and maintain secure and efficient access.
Password Reset for External Applications
Payment Providers and Integrations: Regularly update passwords for external applications linked to your e-commerce site, such as PayPal, Stripe, or EPOS systems. This practice protects sensitive financial data and maintains a secure transaction environment. Using unique passwords and considering two-factor authentication for these applications can further enhance security. Staying vigilant with these updates is key to preventing unauthorised access and safeguarding your e-commerce operations. keeping a regular schedule for password updates and monitoring for any unusual activity in these external applications can help in the early detection and prevention of potential security breaches.
Web Application Firewall (WAF) Settings Review
Provider Like Cloudflare: Regularly optimising your WAF settings, especially with providers like Cloudflare, is vital for your Magento site’s security. A well-configured WAF acts as a shield, filtering out harmful traffic and threats specific to your site. Customising its rules and sensitivity is crucial to balance security and user experience, and adapting to new cyber threats ensures continuous protection. Integrating the WAF with other security tools can further strengthen your site’s defence, maintaining a secure environment for your customers.
User Training and Awareness
Focus on Phishing and Social Engineering: Educate your admin users and employees about security best practices and common threats such as recognising phishing attempts and understanding social engineering tactics, is crucial. Conducting training sessions and simulated exercises helps reinforce strong password practices and cautious handling of emails. This not only keeps security awareness high but also turns staff into active defenders against cyber threats, enhancing your site’s overall protection.
Disable Admin Account Sharing
Ensure Individual Accountability: Disabling admin account sharing in Magento is crucial for security and accountability. Individual accounts allow for precise tracking of user actions, essential for auditing and resolving security incidents. This approach not only enhances site security through clear audit trails but also promotes responsibility among users. Additionally, it facilitates easier management of user permissions and ensures up-to-date access rights, especially when roles change or employees leave. Overall, this policy significantly strengthens your site’s security against internal threats and maintains operational integrity.
Enable Magento System Settings: This small setting can add an extra layer of security to your login process. Enabling the case-sensitive login feature in Magento is a simple yet effective security enhancement. This requires that the case (uppercase or lowercase) of letters in user passwords be considered, adding complexity to password combinations. This makes it more difficult for unauthorised individuals to guess or crack passwords, as they now need to consider the case variation of each character. While it may seem like a minor adjustment, case sensitivity significantly strengthens the password’s resistance to attacks, providing an additional layer of security to protect user accounts.
Incident Response Plan
Develop and Be Prepared: Developing an Incident Response Plan is a critical security measure for any Magento site. This plan prepares your team to respond quickly and efficiently in the event of a security breach. Having a structured response strategy in place minimises the impact of the breach, allowing for rapid containment and mitigation of potential damages. It ensures that all team members know their roles and responsibilities during an incident, leading to a coordinated and effective response. This readiness not only helps in protecting sensitive data and maintaining customer trust but also in fulfilling legal and regulatory obligations related to cybersecurity incidents.
This video also covers some need-to-know Magento security practices for protecting your online store.
Using Strong Passwords
Ensuring the security of your Magento platform is paramount, and one critical aspect is safeguarding your admin accounts. Unauthorised access can have detrimental consequences, making it essential to implement robust security measures.
Utilise Strong and Resilient Passwords
One fundamental step in fortifying your Magento admin accounts is the use of strong passwords. A strong password acts as a formidable barrier against potential intruders. It is recommended to adhere to the following guidelines:
- Length Matters: Aim for passwords that are a minimum of 12 characters long. Longer passwords provide an additional layer of security.
- Diverse Composition: Construct passwords that include a combination of uppercase and lowercase letters, numbers, and special characters. This diversity makes them significantly more challenging to crack.
- Password Managers: Encourage your admin users to leverage password management tools. These tools not only facilitate the generation of complex passwords but also securely store them. This way, users can easily manage multiple strong passwords without the risk of forgetting them.
Implement Password Policies
In addition to promoting strong passwords, consider implementing password policies that bolster your security posture further:
- Regular Password Updates: Encourage your admin users to periodically update their passwords. This practice reduces the risk associated with prolonged use of a single password.
- Prevent Password Reuse: Enforce a policy that prevents the reuse of previous passwords. By doing so, you ensure that admin users continually create new and unique passwords, enhancing the overall security of your Magento admin accounts.
By adhering to these best practices and cultivating a culture of security awareness among your admin users, you significantly reduce the vulnerability of your Magento platform to unauthorised access and potential threats.
Review and apply all of the above on your staging + dev sites where applicable too. Not just on the live site.
On a similar theme, be sure to read through our e-commerce checklist after running website updates for your site.
How Can Your E-Commerce Agency Help with Security?
For e-commerce website owners, navigating the complexities of cybersecurity can be daunting, with threats evolving as rapidly as technology itself. This is where our e-commerce solutions come into play. Designed with the understanding that security is paramount, our services offer robust protection against a multitude of online threats. From safeguarding your customer’s data to ensuring uninterrupted business operations, we provide a comprehensive security framework. Our tailored e-commerce solutions and Magento security settings provide peace of mind and a competitive edge in the bustling online marketplace.
- Regular Magento Updates – Keep your Magento version up-to-date for enhanced security.
- SSH Access Restriction – Limit SSH access to specific IP addresses.
- Use HTTPS – Ensure your domain has an SSL certificate installed.
- Security Scanners – Tools like Sucuri can provide additional security checks.
- Regular Backups – Maintain frequent backups of your Magento site. If you are a Primal Space client, your Magento site is already being backed up daily. We store backups for 14 days both on the server and off the server in a separate location for added security.
- Enable CSP (Content Security Policy) in Magento – This requires manual configuration by your Magento agency within the website code and is crucial for security.
- Security Extensions – Install a dedicated security extension built for Magento. Contact us for recommendations on Magento-specific security extensions as we have a few that we use frequently with our e-commerce clients.
- CSRF (Cross-Site Request Forgery) Protection – Magento includes built-in CSRF protection to prevent these types of attacks. Ensure that it’s properly configured.
- Security Headers – Implement security headers, such as HTTP Strict Transport Security (HSTS) and X-Content-Type-Options, to enhance security and prevent certain types of attacks.
- Server Security – Regularly update your server’s security features. Secure your server environment by regularly applying security updates, configuring firewalls, and implementing intrusion detection systems (IDS). Again, if you have your Magento website hosting with Primal Space, then we have you covered out of the box here!
- Update Your Code Regularly – Keep your codebase, including plugins and themes, updated when new modules are released. Ensure the codebase is updated to the latest versions as soon as possible. For Magento, this includes the application core, plugins and sometimes the theme if it’s not a custom theme built from scratch.
- Latest PHP Version – Ensure your Magento code is updated to the latest version of PHP available. We have a separate post which talks about why you should update PHP to the latest version for your website.
- Unique Admin Panel URL – Again, if you are benefitting from website support from us, this security setting will already be in place.
- Configure Security.txt – Follow this guide for support and advice on configuring security.txt in Magento 2.
- Password Protect Staging and Dev Sites – Add a username and password popup to the front-end and admin area of your Magento staging and dev sites. This prevents anybody from being able to access it if they know or guess the URL. This also prevents search engines from being able to pick up on the existence of either area.
Our specialised e-commerce solutions offer an essential layer of security, designed to mitigate risks, protect your customer data, and ensure the integrity of your online presence. By choosing our services, you leverage cutting-edge security measures, proactive threat detection, and seamless integration with Magento’s architecture. This not only elevates your security posture but also enhances your brand’s reputation and customer trust. As the digital landscape continues to evolve, partnering with a provider that prioritises your security is not just a strategic move—it’s a necessity. Your chosen digital agency should be there to help you navigate the complexities of e-commerce security. Enabling you to achieve and maintain the highest standards of protection for your business and your customers.
Magento Security Resources
We’ve included some further reading for more detailed insights on the topic of security for Magento and Adobe Commerce. Check out the following resources:
Maintaining Your E-Commerce Site Security
By implementing these security settings and staying informed, you can significantly enhance the safety and integrity of your Magento platform.
Key practices like enabling two-factor authentication, enforcing unique admin accounts, and regularly updating passwords strengthen your site’s defences. Additionally, educating your team about cyber threats and having a solid Incident Response Plan is vital. These measures not only protect sensitive data but also build customer trust, a vital aspect of your e-commerce success. Your effort in maintaining these security settings can significantly safeguard your online business against cyber risks.
Partnering with a trusted Magento agency also has its benefits, in providing expert guidance and ongoing support for your Magento security strategy. Ensuring your e-commerce site is consistently updated and protected against the latest cyber threats. This collaboration brings specialised knowledge and resources to enhance your site’s security, giving you peace of mind and allowing you to focus on growing your business.
Check out our blog for more e-commerce guides and support, as well as Magento-specific resources.