Protecting your Magento store from malware

Various forms of cybercrime exist all over the web and across all industries, and ecommerce websites are no exception. The data potential from these sites makes them particularly attractive to attackers, and malware attacks are on the rise.

This should make security a top priority for ecommerce, yet between 2014 and 2015 the industry fell victim to even more cybercrime activities than any other. While cybercrime and malware attacks continue to rise, many merchants continue to be caught out by common and often easily rectified oversights.

Ecommerce sites and malware

Even the most basic of customer data can be potentially dangerous in the wrong hands, making ecommerce sites a key target for attackers. The checkout process and the data required to close a sale, from personal customer information to payment and credit card details, offer tempting opportunities to cyber attackers.

Even sites that don’t directly process card transactions can be compromised, with customers redirected to a false page. Alternatively, orders might be altered before they reach the payment processor.

Fortunately, these problems have brought security to the forefront of ecommerce, with platforms such as Magento now offering more advanced security measures and patches to reduce vulnerability. Additionally, merchants have access to more advice and support than ever before, with detailed guidelines for staying secure online. Further support on this can also be found through the PCI Security Standards Council.

Consequences of malware attacks

For customers, the theft of payment information can often lead to financial loss, while personal data such as addresses and online account information can result in identity theft. For merchants, malware attacks can be damaging to their business operations and reputation.

It’s likely that customers who fall victim to malware will take their business elsewhere, with many likely to discourage other potential customers for buying from your ecommerce store. A bad reputation, particularly with regards to security and customer information, is difficult to rectify and can have long-term negative effects.

The consequences of a breach make it vital for merchants to follow the best security practices designed to keep the secure ecommerce infrastructure free from vulnerabilities. With the right awareness and regular maintenance, merchants can keep their ecommerce sites free from malware and safe for customers.

Top tips for protecting your Magento site

As one of the most popular ecommerce platforms, Magento sites often rank top of the most effected platforms for malware attacks. Despite superior security options offered by Magento, malware continues to be a major problem for merchants using this platform. The majority of cyber-attacks stem from improper and poorly maintained security practices where the merchant, hosting provider or developer fail to keep the website up to date.

The good news is that this makes most malware activity preventable. With some of the following security measures and best practices, you can start protecting your Magento store & reputation online.

Password protection

Often the most basic advice is the most ignored, and therefore the most important. Creating a strong and unique username and password should be your first security measure. Magento also recommends changing your password every 90 days; both Magento 1 and 2 provide password lifetime settings to this effect.

On a similar note, it’s also worth renaming the admin path. Renaming the /admin address can help prevent automated scanners finding it. Although this security measure isn’t infallible, it can help to stop some basic attacks.

Keep up to date

A recent report highlighted that 96% of Magento CMS were out-of-date at the point of infection in Q2 2016, so make it a top priority to check your system and keep it up to date on a regular basis. It should become a habit to install patches as soon as possible rather than waiting and letting updates lapse. If you haven’t already, subscribe to Magento security alerts and make sure you stay informed on the latest releases.

You can also scan your store with MageReport, a free service that can help detect malware and identify missing patches. Make it a monthly task to scan your store and take proactive measures to prevent malware attacks as, potential security problems are better identified sooner rather than later.

This advice is also true for all software and applications installed on the server. Vulnerabilities in other applications, for example a WordPress blog, can be used to exploit your Magento store.

Third party access

Third party access can be a key area of vulnerability for your ecommerce store. To help limit the potential damage from third parties, it’s important to utilise Magento’s admin permission settings. Create user roles and limit access accordingly on a case by case basis.

Along with your monthly scan and password update, it’s also a good idea to review admin user accounts. Remove any accounts that you don’t recognise or are no longer valid to prevent risks from dormant accounts.

Get the right set-up

It’s also important to check that your system file permissions are configured according to Magento 1 and Magento 2 best practice guidance and that core Magento and directory files are set to read-only. Incorrect setups can allow modifications to Magento core files, allowing attackers to directly inject malware through these vulnerabilities. While ensuring the right set up is a straightforward prevention technique, SQL injection remains one of the most popular attack techniques and continues to rise.

Beyond your system

As well as regular security maintenance, it’s also important to practice security prevention beyond your Magento system. Pay attention when choosing Magento extensions and only use extensions from trusted sources; never pay for extensions from torrent or alternative sites. For added security, do a basic background check on any extension, such as speaking with the provider and testing for security issues before installing.

Additionally, always stay alert for potential security threats in your day to day activities. Avoid clicking on suspicious links or opening any suspect email, report any suspicious instances as soon as they occur. Always be wary of disclosing your passwords and never do so unless necessary.

Dealing with malware

There are some contingencies to help in the case of a malware attack. Ensure your server and database are backed up to a secure, external location. We’d recommend daily backups of order and sales data with a full backup or your entire website and database run weekly.

It’s also important to have a recovery plan to help guide the business in the aftermath of a malware attack. Your plan should include how to respond in the first instances of identifying malware and how to uncover the extent of the attack. This should help to minimise any long-term damage and restore business operations back to normal as quickly as possible. This plan can also provide some reassurance to customers and allow you to respond to concerns quickly.

Magento offers a comprehensive guide to security best practices that also includes a basic outline of a malware recovery plan to help you get started. You can also review e-commerce security guidelines from the PCI Security Standards.

While there are many resources to guide security prevention, the real key to protecting your Magento store is consistency. Security maintenance should be a regular and ongoing activity and needs to be a priority for partners, employees and third parties.

If you’re concerned about your current security measures and want to know more about protecting your Magento store from malware, contact one of our team today.

Katy Smith

Katy Smith

Digital Marketing Executive

Katy is a Digital Marketing Executive at Netmatter with a degree in Marketing. She has so far gained experience in various areas of marketing including email, copywriting, social media and SEO.

Comments and feedback

Have something to add? Join the discussion and let us know your thoughts via the comments.