Posted By: mattl
Last Updated: Monday June 20, 2016
Below are some no-downside tips for securing your Magento store against most of the currently known attacks.
Oh No, He’s Pwned Our RAMs!
You should never rely on security by obscurity as your primary means of locking up your store, but hiding key folders can stop you from getting hit by automated attacks when security vulnerabilities pop up.
First change your admin location by opening /app/etc/local.xml. Change the code in red to something you can easily remember and save the file.
You may need to clear your cache after this by deleting the files in /var/cache/, or by going to System -> Cache Management in your admin area.
While you’re moving things around it also makes sense to rename the /downloader/ folder to anything else. If you ever need to use the Magento Connect installer just rename the folder back to downloader while you’re using it.
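The three steps above (new admin path, cache flush, renamed /downloader/) are easy to forget on one of several stores, so here is a small POSIX shell script that audits a Magento 1.x document root for them and can apply them. This is an added example, not code from the original post, Hawk Host or Magento. It assumes the Magento 1.x layout the post's paths imply (app/etc/local.xml, downloader/, var/cache/) and that the admin URL prefix is the `<frontName>` element under admin/routers/adminhtml/args in local.xml; the sample store tree and its local.xml are constructed for the demonstration and the new names passed in are made up.

```shell
#!/bin/sh
# Added example, not code from the original post or from Magento/Hawk Host.
# Audits (and optionally applies) the "hiding" steps on a Magento 1.x document
# root: non-default admin front name in app/etc/local.xml, /downloader/ renamed,
# var/cache/ flushed. The Magento 1.x layout is assumed from the post's paths.

# Print the admin front name set in app/etc/local.xml; Magento's default is "admin".
admin_front_name() {
    name=$(sed -n '/<frontName>/{s/.*<frontName>//;s/<\/frontName>.*//;s/<!\[CDATA\[//;s/]]>//;p;}' \
        "$1/app/etc/local.xml" 2>/dev/null | head -n 1)
    printf '%s\n' "${name:-admin}"
}

# Rewrite the front name; the change takes effect once the cache is cleared.
set_admin_front_name() {
    f="$1/app/etc/local.xml"
    sed "s|<frontName>.*</frontName>|<frontName><![CDATA[$2]]></frontName>|" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Rename /downloader/ (the Magento Connect installer); rename it back when needed.
rename_downloader() {
    mv "$1/downloader" "$1/$2"
}

# Same effect as deleting the files in var/cache/ (the post's manual cache flush).
clear_cache() {
    rm -rf "$1"/var/cache/* "$1"/var/cache/.[!.]*
}

# Report each check; the exit status is the number of failed checks (0 = all good).
audit_store() {
    fails=0
    front=$(admin_front_name "$1")
    if [ "$front" != "admin" ]; then
        echo "ok   admin panel is at /$front/"
    else
        echo "FAIL admin panel is still at the default /admin/"
        fails=$((fails + 1))
    fi
    if [ ! -d "$1/downloader" ]; then
        echo "ok   /downloader/ has been renamed"
    else
        echo "FAIL /downloader/ is still present"
        fails=$((fails + 1))
    fi
    if [ -z "$(ls -A "$1/var/cache" 2>/dev/null)" ]; then
        echo "ok   var/cache/ is empty"
    else
        echo "note var/cache/ still holds cached config; clear it after editing local.xml"
    fi
    return "$fails"
}

# Apply all steps: $2 = new admin front name, $3 = new name for /downloader/.
harden_store() {
    set_admin_front_name "$1" "$2"
    if [ -d "$1/downloader" ]; then rename_downloader "$1" "$3"; fi
    clear_cache "$1"
}

# Build a throwaway store tree with a constructed local.xml so the script can be
# tried offline; the contents are made up, not taken from a real installation.
make_sample_store() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc" "$root/downloader" "$root/var/cache/mage--1"
    : > "$root/var/cache/mage--1/stale-entry"
    cat > "$root/app/etc/local.xml" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
    printf '%s\n' "$root"
}

# Usage: sh magento-hide.sh /path/to/magento                    (audit only)
#        sh magento-hide.sh /path/to/magento NEWADMIN NEWDOWNLOADER (apply, then audit)
if [ $# -ge 1 ]; then
    if [ $# -ge 3 ]; then harden_store "$1" "$2" "$3"; fi
    audit_store "$1"
fi
```

Run the audit from cron on each store and treat a non-zero exit as a reminder; the "note" about a non-empty var/cache/ is deliberately not a failure, since a live store refills its cache within minutes, but it is the thing to clear when a changed front name does not seem to take effect.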
This is a no-brainer, but make sure you use a password of at least 10 characters mixing letters, numbers and symbols. LastPass will generate a sufficiently secure password if needed.
Also important: don’t use the same password anywhere else. No site should be considered safe from being hacked and having its passwords leaked; just ask LinkedIn and Adobe.
Backups won’t save you from being hacked, but they will make your life easier if it ever does happen. Hawk Host Magento hosting does automated rolling backups, but you should also do manual backups often, just in case.
You can run manual backups in your admin section at System -> Tools -> Backups. You need to click the “System Backup” button as well as the “Database And Media Backup” one. You should do these at least monthly, but also before you do something like…
In the last year, half a dozen major vulnerabilities have been disclosed in Magento, yet you’d be surprised how many people don’t regularly update their shop. Don’t fall into the trap of thinking that your store is too small to be targeted. “Hackers” run scripts that scan Google results for vulnerable Magento shops and will exploit your site whether you’re Wal-Mart, BobsDiscountFish.com, or anyone in between.
Did I miss something? Let me know below!