How to Improve the Security of Your Magento Store

Is your Magento website secure? Magento has built in security features that keeps your website safe but there are more steps you can take to…
  • Alyssa Schaad
  • Support Operations Manager
  • March 28, 2016 Estimated reading time: 4 minutes

How to improve the security of your Magento store
Is your Magento website secure? Magento has built in security features that keeps your website safe but there are more steps you can take to help secure your Magento store. Here are some of the best ways you can keep your Magento website secure and your customer’s information safe.

Upgrade to the latest version of Magento

There are several reasons why you should update your site to the latest version of Magento. Updating any software or application typically follows the best practices for security, but upgrading Magento provides new features, bug fixes and other important upgrades. Doing an upgrade could save you time looking into an issue that was correct in a recent update.

Change Passwords

The best practices for a password policy include

  • Use a password that is not easily guessed or decoded
  • Establish complexity requirements
  • Change your password on a regular basis
  • Do not reuse the same passwords
  • Change passwords before and after working with outside developers

There are several password generators available that can assist in a hard to guess password.

Don’t Use Your Magento Password Elsewhere

This goes for any password protected data you own. According to, more than 15% of users choose identical passwords for more than one service. Using identical passwords for several logins in fact brings the risk of you losing all your accounts at once. All passwords must be unique! Also, don’t save or store your passwords on your computer, there is software available for hackers to steal your saved passwords. Use a master password that encrypts the rest of the passwords while saving access details.

If you need help with your Magento store, call 845-656-3000 or Contact us here ?

Two-Factor Authentication

With Two-Factor authentication extensions, you can ensure that only trusted devices can access your Magento backend. This extra level of security to your admin panel login can ease any worries you have about password related Magento security risks.

With this process, hackers are unable to login to your Magento backend, as they need a unique admin login page, a secure username and password and your smartphone in their possession.

Use Secure FTP

Guess or intercept an FTP password is one of the simplest and easiest ways to hack a Magento eCommerce store. If you don’t want it happens to you, then simply use secure FTP passwords and FTP-SSL (Explicit AUTH TLS) or SFTP (SSH File Transfer Protocol). Even, for high security level, use SFTP and a Public Key Authentication.

An Encrypted Connection is a Must

Avoid sending data over an unencrypted connection. Requiring HTTPS/SSL for all your login pages is a must so you don’t run the risk of being intercepted by a hacker.

Use Trusted Magento Extensions Only

Since your Magento store is only as secure as your weakest link, it only takes one vulnerability in one extension to provide a hacker complete access and control over your website. It is recommended that you only use well-tested extensions that have a track record of dependability. Extensions have to be updated like your Magento store when new versions comes out.

Backup Your Magento Store Regularly

Backup your Magento files and database on a regular basis to minimize the amount of damage that an attack can cause. Keep the backup on a different server than where your Magento store is hosted. Ideally, keep a copy on your local computer and a separate USB external hard-drive as well.

Restrict Admin Access to Only Approved IP Addresses

An important precaution is to restrict admin access to only the IP addresses you have whitelisted.

Take Advantage of User Roles

Not all administrative users need to be given access to all administrative areas of the website. Limit access to certain tools and features on a per-admin basis. To add on to that, every administrative user should have a different user account. This serves two purposes, the first being with the limited roles, if an account is compromised less damage can be done, the second being, that, it is easier to trace which account got compromised and limit the amount of damage being done.

Block Unwanted Countries

If you’re not shipping worldwide, think about blocking other countries. If you ship to US only, block all other countries – this will protect yourself from any attacks – for instance, a lot of malicious traffic comes from China, and by blocking it you prevent any breach attempts from Chinese IPs.

No eCommerce site is 100% un-hackable but by implementing the security improvements above, it will seriously decrease the amount of vulnerabilities that can be exploited.

Related Services