How to Protect Magento From Malware Attacks

31 January 2017

By limenotlemon

Security for an e-commerce website is a serious matter. Security methods and systems keep improving, but so do viruses and hacker attacks, and the battle is hard to win. To get a strong and dependable website security system, you need to review your options carefully and make the right decisions.
Because virus and malware attacks keep growing every day, you cannot lose focus, even if you did well in the past. A single simple mistake can unknowingly leave your website vulnerable to future attacks.
Whatever platform you use, security should always be your first concern. Because we are certified Magento developers, Magento is the platform we focus on here.
There are several kinds of hacks you need to be aware of, and each attack has its own signature. Malware attacks targeting e-commerce websites are nothing new. Sly hackers keep inventing new ways to steal online shoppers' credit card details and personal information from their online transactions.
In most cases, those hackers do not develop a way to force their way into a Magento website. Instead, they take advantage of unpatched vulnerabilities, weak ownership settings and weak passwords to get in. Those are all things you can control, so start taking action now!
Suspicious activities which may target your online store are:

  • Spamming
  • Stealing users' private data, such as telephone numbers or addresses
  • Brute-force attacks
  • Phishing

Every hacker has their own methods, but some of the most common attacks are:

  • XSS or Cross-Site Scripting

In this attack, a malicious script is injected into a trusted website. It happens when an attacker uses a web application to send malicious browser-side script to another end user. The end user's browser has no way to tell whether the script is safe and executes it. Because the browser treats the script as coming from a trusted source, the script can freely access any session tokens, cookies, or other private information stored in that browser. Sometimes the script can even rewrite the HTML of the page.

  • SQL Injection

An SQL injection attack can destroy your database. The hacker injects their own SQL commands into an SQL statement through web page input. It can damage your back end and allow full access to all restricted areas.

  • Broken Authentication and Session Management

All aspects of handling user authentication and managing active sessions belong to the authentication and session management process. Hackers attack weaknesses in this process so they can easily gain access to your accounts.

  • DDoS (Distributed Denial of Service) Attacks

A DDoS attack is an attempt to overload a particular website or online service from multiple sources at the same time, making it unavailable. DDoS attacks come in different forms, such as Teardrop, Smurf, or Ping of Death.

  • Remote Command Execution

Remote command execution, or command injection, is an attack where the hacker executes commands on the host operating system through a vulnerable application. It becomes possible when an application passes unsafe user-supplied data to the system shell, usually because of insufficient input validation.

Those are some of the malicious attacks you may encounter in your Magento store. Now, how do you protect your website from them? The following methods can help secure your website:

  1. Upgrade your Magento to the latest version

Magento improves its security and features with every new release. This step may be simple, but it makes it harder for hackers to break into your store. Do not forget to always apply the latest security patches too.

  2. Back up your store on a regular basis

There is no perfect method to secure your online store from malicious attacks, but regular backups make you a bit safer and help you recover from many issues. Back up regularly and do not store the copies on the same server as your main site. Restore your backups to a sandbox on a regular basis to make sure they work.

Storing your backup data on the same server as your original site is not a smart move, because it is not secure at all. Your main server can go down at any time, and a hacker who gets into your server would get their hands on your backup data too. You do not want that, right?


  3. Create a stronger password

Some people are too lazy to create a complex, proper password and use generic ones like 00000 or 12345 instead. Keep in mind that the admin username and password are the last line of defense for your Magento store, so it is very important to create a strong password.

A simple password is easier to brute-force, so create one with more than 10 characters that combines lowercase and uppercase letters and, if possible, several special characters like %&$#@. That way your password will be much harder to crack.


  4. Use one password per account

Most people are afraid of forgetting their passwords, so they prefer a single password for all their accounts because it is easier to remember. This is a critical mistake. You cannot use the same password for your personal and business accounts; doing so raises the risk of your business account being hacked. Use one password per account, and make each password unique.


  5. Use a two-factor authentication system

If a strong password alone is not enough for you, add two-factor authentication to your Magento admin. Several extensions provide two-factor authentication for Magento stores, so a stolen password alone is no longer enough to log in.

  6. Do not save or store passwords on your computer

There are trojans that steal saved passwords. Be extra careful with browsers and FTP clients, because that is where passwords are most often stolen from. Do not save passwords in them without a master password.


  7. Set up a custom path for your Admin Panel

Usually, you can access your Magento Admin Panel via That is the default path for the admin panel. With that path, however, it is very easy for a hacker to find your admin login page and start guessing the username and password.

You can prevent that by customizing the path. This also stops a hacker from finding your admin login page even if they somehow obtain your username and password. Follow these steps to customize your admin panel path:

  • Locate /app/etc/local.xml
  • Find <![CDATA[admin]]>
  • Change the term “admin” to anything you want.
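As an added example (not part of the original post), a Python check that reads a Magento 1.x `app/etc/local.xml` and reports whether the adminhtml `frontName` is still the default `admin` or another easily guessed value. The two XML documents are constructed samples, and the 8-character minimum and the list of guessable names are heuristics chosen for this example.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample of a Magento 1.x app/etc/local.xml that still uses the
# default "admin" front name (not copied from any real store).
DEFAULT_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Hardened variant: identical except for a custom, hard-to-guess front name.
HARDENED_LOCAL_XML = DEFAULT_LOCAL_XML.replace(
    "<![CDATA[admin]]>", "<![CDATA[backoffice-7k2q]]>"
)

# Default or commonly used front names that offer no obscurity (list chosen for this example).
GUESSABLE_FRONT_NAMES = {"admin", "administrator", "backend", "manage", "management"}

def admin_front_name(local_xml: str) -> Optional[str]:
    """Return the adminhtml router frontName from local.xml, or None if not set."""
    root = ET.fromstring(local_xml)
    node = root.find("./admin/routers/adminhtml/args/frontName")
    if node is None or not node.text:
        return None
    return node.text.strip()

def audit_admin_path(local_xml: str) -> Tuple[bool, str]:
    """Report whether the admin path has been changed from the default as (ok, message).
    A missing frontName means Magento falls back to its built-in default "admin";
    a short or common name is still guessable (8-character minimum is a heuristic)."""
    name = admin_front_name(local_xml)
    if name is None:
        return False, "no frontName in local.xml; default path 'admin' is in use"
    if name.lower() in GUESSABLE_FRONT_NAMES:
        return False, f"frontName '{name}' is a default or commonly guessed value"
    if len(name) < 8:
        return False, f"frontName '{name}' is too short to resist guessing"
    return True, f"frontName '{name}' is custom"
```

Run `audit_admin_path(open("app/etc/local.xml").read())` against your own store to see which case applies.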


  8. Utilize a firewall

To make your website more secure, set your firewall to deny all public access to everything except the web server. If for some reason you do not have a permanent IP address from which to administer the server, use a VPN.


  9. Get an encrypted connection (SSL/HTTPS)

When you send data such as login details over an unencrypted connection, there is always a risk that the data is intercepted in transit. Whoever intercepts it can read your data and use it for their own benefit. To prevent that, use a secure connection.

You can enable a secure connection by checking “Use Secure URLs” in your Magento system configuration menu.


  10. Change passwords regularly

A password should not be used for a long time. Ideally, change your password every 3 or 6 months. That way, even if your password has leaked, the change makes the old one useless. If more than one person has access to your website with their own account, make sure they change their passwords regularly too.


  11. Look for suspicious activities or errors in logs

Check your logs on a regular basis. There are extensions for that purpose, such as “Admin Action Log Magento”.
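As an added example (not part of the original post), a small Python log check in the spirit of this step: it scans constructed web server access-log lines for one address repeatedly POSTing to the admin login path without being redirected, which is what a brute-force attempt against the admin panel looks like in the log. The default admin path and the rule "a POST that is not redirected was a failed login" are assumptions for this example; adjust them for your store.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache or Nginx; only needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access-log lines: 203.0.113.7 hammers the admin login form,
# 198.51.100.4 logs in once successfully (302 followed by the dashboard).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2017:10:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2017:10:00:03 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2017:10:00:04 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2017:10:00:06 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2017:10:00:07 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2017:10:00:09 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Jan/2017:10:00:10 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Jan/2017:10:00:12 +0000] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

def find_admin_bruteforce(log_text, admin_path="/index.php/admin/",
                          threshold=5, window=timedelta(seconds=60)):
    """Return {ip: failed_attempts} for every IP that made `threshold` or more
    failed admin-login POSTs within any `window`-long span.
    Heuristic (assumed for this example): a failed Magento admin login re-renders
    the form (non-3xx), a successful one redirects (3xx). If you renamed the
    admin front name, pass the custom path as `admin_path`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(admin_path):
            continue
        if m["status"].startswith("3"):
            continue  # redirect after POST: treat as a successful login
        attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```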


  12. Disable directory indexing

This is another way to harden your Magento security. With directory indexing disabled, you hide the obvious listing of where your files are stored, which protects your website from cyber crooks who want to browse your Magento core files. Keep in mind that they can still access a file if they get hold of its full path.


  13. Use antivirus software

For extra protection, use trustworthy antivirus software and do not forget to update both its signature database and the software itself regularly. This helps protect your files and website from malware.

  14. Get a regular security review

Have your website checked by a professional Magento security expert on a regular basis. Keep in mind that not all Magento developers have expertise in Magento security; most know the basics, but only a few focus on security alone. Get your website analyzed once or twice a year.

  15. Use secure hosting for your Magento store

Cloud hosting, a dedicated server or a virtual private server are the best choices for Magento hosting. Dedicated server or VPS cloud hosting providers usually offer a more advanced security system at a low rate, including a firewall to block SQL injection attacks.
