10.5 Tips to Protect Your Magento Store from Smart Hackers

E-commerce and financial websites are at the top of the list of likely cyber crime targets because they handle monetary transactions. As one of the most popular e-commerce platforms, Magento is also exposed to hacking attempts and unauthorized logins. Magento ships with a number of built-in security features, but there is always more you can do to protect your online store from capable attackers. Drawing on my experience hardening Magento installations, I want to share some tips that will help you protect your store and keep hackers at bay.

1. Customize the admin path

The first step in hardening your store is to customize the admin path. With the default path, an attacker can navigate straight to the admin login page and start a brute-force attack, guessing usernames and passwords. Cracking software can try username and password combinations 8 million times a second, so it is a good idea to change the admin path as soon as possible. For example, instead of keeping the admin login page at “yoursite.com/store/admin”, move it to something unguessable such as “yoursite.com/store/Jdk25X”.

While changing the admin path, do not change the “Admin Base URL” setting in the admin section of the system configuration; doing so breaks Magento by locking you out of the admin panel.

2. Choose a strong admin username and password

If your password is easy to guess or reused elsewhere, an attacker can crack it in no time, so use one that is practically impossible to brute-force. An ideal password is at least 15 characters long and mixes upper and lower case letters, punctuation and numbers. Even with the latest cracking software, exhausting that search space would take years.
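As an added example (not from the article), this Python check tests a candidate admin password against the policy in this tip and estimates how long an exhaustive search would take at the 8 million guesses per second quoted above; it assumes ASCII passwords without spaces:

```python
import string

# Added example, not from the article. Checks a candidate admin password
# against the policy above (15+ characters, all four character classes) and
# estimates worst-case brute-force time at the guess rate the article quotes.

GUESSES_PER_SECOND = 8_000_000          # figure quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}

def classes_used(password: str) -> set:
    """Which of the four character classes appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def meets_policy(password: str, min_len: int = 15) -> bool:
    """Tip 2 policy: at least 15 characters mixing all four classes."""
    return len(password) >= min_len and classes_used(password) == set(CLASSES)

def years_to_exhaust(password: str) -> float:
    """Worst case for an attacker who knows the length and which classes
    appear, trying every combination at GUESSES_PER_SECOND."""
    used = classes_used(password)
    if not used:                        # e.g. empty or non-ASCII password
        return 0.0
    alphabet = sum(len(CLASSES[name]) for name in used)
    return alphabet ** len(password) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

if __name__ == "__main__":
    for pw in ("hunter2", "Xk7#mQ2!pL9@vR4z"):   # constructed sample passwords
        print(f"{pw!r}: policy={'ok' if meets_policy(pw) else 'FAIL'}, "
              f"exhaustive search ~{years_to_exhaust(pw):.3g} years")
```

The estimate is an upper bound: dictionary and leaked-password lists find weak passwords far faster than exhaustive search.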

3. Do not use your Magento password anywhere else

According to passwordresearch.com, over 15% of users choose identical passwords for more than one service. Reusing a password across services means that a single breach can cost you all of those accounts at once, so give your Magento store a unique password.

4. Use two-factor authentication

A strong, unique password is not enough on its own; you should add a second (or further) layer of authentication to mitigate the risk of account takeover. The extra layer requires you not only to know your username and password but also to enter a one-time security code that is regenerated every 30 seconds.

Magento offers a wide array of extensions. Several of them, such as Rublon, are available on Magento Connect and let you add two-factor or multi-factor authentication, so that a leaked password alone does not give an attacker access.

5. Forget FTP

FTP was designed in the early days of the Internet, when security was not a concern. Its use is discouraged today because it sends credentials in plain text, which can be intercepted easily. Use SFTP instead; it also spares you the NAT-related connection problems of FTP. To configure SFTP for your Magento store, you can follow this guide. SFTP transfers files over an encrypted channel and can authenticate users with a key pair rather than a password.

6. Update Magento regularly

Always run the latest version of Magento, because new releases often patch recently discovered security vulnerabilities. Keeping up with the latest stable release closes the known holes that older versions leave open.

7. Create backups regularly

Alongside preventive measures against online threats, you need a working backup plan for your Magento store. If the site is compromised, a recent backup lets you restore it and keep the business running.

8. Restrict admin access

If the precautions above are not enough for you (perhaps because of PCI compliance requirements), you can restrict admin access to selected IP addresses. This can be done in .htaccess, but the recommended approach is the Apache LocationMatch directive:
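As an added example (not the author's configuration), the following Python helper generates such an Apache 2.4 LocationMatch block for a custom admin path and an allow-list of networks, validating both before emitting the directive; the admin path and subnets it uses are constructed placeholders, and the `Require ip` syntax assumes Apache 2.4:

```python
import ipaddress
import re

# Added example, not from the article. Builds the Apache 2.4 directive that
# restricts the Magento admin path to an allow-list of networks, validating
# the inputs so a typo cannot silently lock out everyone (or nobody).

def admin_locationmatch(admin_path: str, allowed: list) -> str:
    """Return a <LocationMatch> block that only lets `allowed` networks
    (CIDR or single IPs) reach /admin_path and anything below it."""
    path = admin_path.strip("/")
    if not re.fullmatch(r"[A-Za-z0-9_/-]+", path):
        raise ValueError("admin path must be plain URL segments")
    if not allowed:
        raise ValueError("empty allow-list would lock out every admin")
    # ip_network() raises ValueError on a malformed address or prefix;
    # strict=False accepts a host address such as 198.51.100.7 as a /32.
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowed]
    requires = "\n".join(f"    Require ip {net.with_prefixlen}" for net in nets)
    # Multiple Require lines in one container are OR-ed (RequireAny).
    return (f'<LocationMatch "^/{re.escape(path)}(/|$)">\n'
            f"{requires}\n"
            "</LocationMatch>\n")

if __name__ == "__main__":
    # Constructed placeholders: replace with your own admin path and subnet.
    print(admin_locationmatch("store/Jdk25X", ["203.0.113.0/24", "198.51.100.7"]))
```

Put the output in the virtual host configuration and run the Apache config test before reloading, since a broken directive takes the whole site down.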

In this example, make sure to replace “admin” with your new unique admin path, and replace the subnet shown with your own subnet or specific IP address. The one drawback of this extra layer is that if you want to make a quick update from home, you will first have to update the Apache directive with the IP address you are using at that moment.

9. Use HTTPS/SSL for all login pages

Without an encrypted connection there is always a risk that login traffic is intercepted. You eliminate that possibility by requiring HTTPS/SSL for all your login pages, as follows:

  • Click on the “System” tab in the main toolbar
  • Choose “Configuration” from the drop-down menu
  • Click on the “Web” tab in the left-hand navigation
  • Then choose “Secure” in the main window
  • Change the Base URL of your store from http://… to https://…
  • Choose “Yes” for both “Use Secure URLs in Frontend” and “Use Secure URLs in Admin”
  • Click the “Save Config” button at the top of the page

10. Use up-to-date, paid antivirus software

Use trusted, paid antivirus software and keep it updated, since vendors continually add signatures for new malware and phishing campaigns to their databases. The paid versions offer more features and help keep you safe from malware that steals information and sends it to cyber criminals.

Security is one of the major concerns of every online store. If you want to guard your online business, follow the ten tips above to protect your store from malicious activity.

Stories by Linda Phillips