Sansec has investigated thousands of hacked online stores, which gives us excellent visibility into the latest attack methods. If you implement the countermeasures below, your store will be in the top 1% of most secure stores on the Internet.
Restrict access to the Magento backend. Allow access for your office/staff IPs only. It is best to use a plugin for your system (see also the free plugins we recommend for Magento 1 and Magento 2). If you are unable to use a plugin, second best is to use the IP filter in your webserver or CDN/WAF (note that this may leave some admin routes open). If your staff uses dynamic IPs, we recommend using a VPN service, so that all authorized backend usage reaches your store from a single IP. If you use a CDN/WAF, make sure that your application server only accepts traffic from your CDN/WAF; otherwise attackers can simply connect to the origin directly and bypass your protection. If you use Magento 1, make sure to disable module compatibility mode, or attackers will be able to bypass your regular backend login page.
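The following is an added example (not Sansec's code, nor one of the plugins mentioned above) of the allowlist logic a webserver filter or plugin has to get right when a CDN/WAF sits in front of the store: the X-Forwarded-For header is only trusted when the TCP peer is the CDN, and a request that reaches the origin directly is refused. The CDN ranges, staff ranges, admin prefixes and sample requests are all constructed for the example.

```python
"""Added example (not Sansec's code or a plugin): a backend IP allowlist that only
believes X-Forwarded-For when the request really came in through the CDN/WAF.
All ranges, paths and requests below are constructed."""
import ipaddress

# Constructed ranges: substitute your CDN/WAF's published egress ranges and your
# office or VPN exit addresses.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]
STAFF_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.10/32", "198.51.100.0/28")]
# Every backend entry point must be listed; a missed route (a custom admin path,
# Magento 1's /downloader, ...) is exactly the gap a webserver filter can leave open.
ADMIN_PREFIXES = ("/admin", "/index.php/admin", "/downloader")


def in_ranges(ip, ranges):
    """True if ip (a string) falls inside any of the networks; junk never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def client_ip(remote_addr, xff):
    """Address to authorize. X-Forwarded-For is only consulted when the TCP peer
    is the CDN, and then the LAST entry is used: that is the one the CDN itself
    appended, while anything before it was sent by the client and can be forged."""
    if xff and in_ranges(remote_addr, CDN_RANGES):
        return xff.split(",")[-1].strip()
    return remote_addr


def is_allowed(remote_addr, xff, path, behind_cdn=True):
    """True if the request may reach the backend."""
    if not path.startswith(ADMIN_PREFIXES):
        return True             # the storefront stays public
    if behind_cdn:
        if not in_ranges(remote_addr, CDN_RANGES):
            return False        # origin hit directly: the WAF was bypassed
        ip = client_ip(remote_addr, xff)
    else:
        ip = remote_addr        # no trusted proxy, so the header is worthless
    return in_ranges(ip, STAFF_RANGES)


# Constructed requests: name -> (peer address, X-Forwarded-For header, path)
SAMPLE_REQUESTS = {
    "staff via cdn":       ("203.0.113.5", "198.51.100.10", "/admin/dashboard"),
    "spoofed xff via cdn": ("203.0.113.5", "198.51.100.10, 192.0.2.77", "/admin"),
    "direct to origin":    ("192.0.2.77", "198.51.100.10", "/index.php/admin"),
    "storefront":          ("192.0.2.77", "", "/catalog/product/view"),
    "junk header":         ("203.0.113.5", "not-an-ip", "/admin"),
}


def evaluate(requests=SAMPLE_REQUESTS, behind_cdn=True):
    """Run the policy over a batch of requests; returns {name: allowed}."""
    return {name: is_allowed(peer, xff, path, behind_cdn)
            for name, (peer, xff, path) in requests.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print("%-22s %s" % (name, "allow" if ok else "deny"))
```

Of the five sample requests only the first (staff, arriving through the CDN) and the storefront hit are allowed; the request with a forged first X-Forwarded-For entry is denied because the CDN's own appended entry is the one checked, and the request that skipped the CDN is denied regardless of its headers.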
In case of malware infection, change ALL admin & database passwords immediately. You should assume that attackers have intercepted every password. Unfortunately, we often see re-infection of stores where attackers use the same stolen passwords to re-enter and re-infect. We recommend using a computer-generated password of at least 10 characters. See our example script to change all passwords for Magento. You should also change the database password (and don't forget to update local.xml/env.php/wp-config.php accordingly), as well as the password for your server/hosting account.
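As an added example (not the script Sansec links to above), the following rotates every admin password at once: it generates a fresh random password per account from the OS CSPRNG, hashes it and emits the UPDATE statements for the admin_user table. The storage formats it assumes (Magento 1: sha256(salt + password) followed by ':' and the salt; Magento 2 with hash version 1: the same followed by ':1') should be verified against your installed version before the SQL is run, and a table prefix, if you use one, must be supplied. The usernames are constructed. The database and hosting passwords are rotated separately.

```python
"""Added example (not Sansec's script): generate a new random password for every
admin account and produce the SQL to store it. The hash formats are the author's
understanding of Magento's storage format and must be verified against the
installed version; sample usernames are constructed."""
import hashlib
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#%+,-.:=?@_"
MIN_LENGTH = 10            # the minimum recommended above
DEFAULT_LENGTH = 20        # what a generator should actually hand out
SALT_CHARS = string.ascii_letters + string.digits
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,40}$")


def generate_password(length=DEFAULT_LENGTH):
    """Random password with lower, upper, digit and symbol classes all present."""
    if length < MIN_LENGTH:
        raise ValueError("password must be at least %d characters" % MIN_LENGTH)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def magento_hash(password, edition, salt=None):
    """Assumed storage formats (verify against your install):
    edition 1 (Magento 1, 1.9.1+): sha256(salt + password) ':' salt
    edition 2 (Magento 2, hash version 1): sha256(salt + password) ':' salt ':' '1'"""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(32))
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    if edition == 1:
        return "%s:%s" % (digest, salt)
    if edition == 2:
        return "%s:%s:1" % (digest, salt)
    raise ValueError("edition must be 1 or 2")


def verify_hash(password, stored):
    """Check a candidate password against a stored hash in either format above.
    Magento 2 hash versions other than 1 (argon2) are not handled and return False."""
    parts = stored.split(":")
    if len(parts) not in (2, 3):
        return False
    if len(parts) == 3 and parts[2] != "1":
        return False
    digest, salt = parts[0], parts[1]
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return secrets.compare_digest(candidate, digest)


def rotation_plan(usernames, edition, table="admin_user"):
    """Return [(username, new_password, sql)] for every admin account.
    Hashes contain only hex and alphanumerics and usernames are restricted by
    USERNAME_RE, so the statements need no further escaping."""
    plan = []
    for user in usernames:
        if not USERNAME_RE.match(user):
            raise ValueError("refusing to build SQL for unexpected username %r" % user)
        pw = generate_password()
        sql = "UPDATE %s SET password = '%s' WHERE username = '%s';" % (
            table, magento_hash(pw, edition), user)
        plan.append((user, pw, sql))
    return plan


# Constructed sample accounts, as listed by: SELECT username FROM admin_user;
SAMPLE_ADMINS = ["admin", "jane.doe", "agency_support"]

if __name__ == "__main__":
    for user, pw, sql in rotation_plan(SAMPLE_ADMINS, edition=2):
        print("%s -> %s" % (user, pw))   # hand over out of band; never by mail
        print(sql)
```

Every account gets a different password; a list of usernames pulled from the database is all the script needs as input, and the plan can be reviewed before anything is written.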
Activate 2FA. We recommend enforcing two-factor authentication (2FA) on all staff accounts. While there are ways to circumvent 2FA, it is a significant hurdle for attackers. For Magento 2 (2.4 and later), 2FA is bundled with the base install. If you are using Magento 1, we recommend the JetRails 2FA plugin.
Train your staff to deal with spearphishing. Many stores get hacked because a staff member clicked a link in the wrong message. Criminals are known to target larger stores by finding all employees on LinkedIn and sending them phishing mails for weeks or months on end. It only takes a single click for your admin passwords to leak. Also, make sure all staff devices run an antivirus product.
Use a malware & vulnerability monitor. Preventing an incident is of course the best strategy. To do this, you need live visibility into vulnerabilities in your system and all third-party components. It is practically impossible to monitor this manually, so you need an automated vulnerability scanner like eComscan. It will alert you right away when a new issue is discovered. Second, an automated scanner will also alert you immediately to suspicious activity, malicious software and rogue admin accounts.
This page was last updated on May 27th, 2022.