5 ways to protect your Magento site from hackers


Nowadays, hacking is all the rage. Whether it is money-motivated, for a bit of fun or for other reasons, people generally love doing it and it shows no signs of slowing down. Everyone’s heard stories about hackers and what they’ve done, like the time Sony got hacked and their PS3 servers went down (which is still haunting gamers to this day). We all think we’re safe from it until it happens to us, and by then we’re already victims. It’s always good to prevent disasters from happening, especially if they’re fairly easy to prepare for. Here are my 5 ways to protect your Magento site from hackers:

 

Choose a complex Admin Username/Password:

As obvious as it sounds, it is really necessary. If hackers have found your unique admin login page, it’s only a matter of time before they crack your username and password. Make their job more difficult by having a complex username and password. Each should be 15+ characters in length (mixing upper/lower case, punctuation and numbers). Example:

34fIo#’1!AG4e`/

67adAf’-*0046Ef

 

Use two-factor authentication:

Having a complex password is always great; however, it simply isn’t enough. In order to have better security for your site, a two-factor authentication method is necessary. Say goodbye to having to worry about hackers guessing your password, and hello to better security! The easiest way to set this up is to install a module and then integrate it with your website. There are many of these available; just from quickly browsing the Magento Connect store I have found a few which you may find useful:

 

Never save your password on your PC:

To be extra careful, never click “save password” when your browser (or password manager) asks you to. Some of these services are cloud-based so that you can access your passwords wherever you are; however, this also means that your passwords are roaming around in the cloud waiting to be potentially found by hackers. Even storing it on your desktop is a bad idea as it can be stolen/hacked. The best way to keep your most sensitive data is simply writing it down on a notepad. No one can hack a piece of paper 😉

 

Never use a public e-mail address:

One of the biggest mistakes you could possibly make is setting up your Magento account and connecting it with your public e-mail. A quick search on your public profile can easily reveal your e-mail to hackers, and from there on it’s all plain sailing, as they only need to know your e-mail password to reset your Magento password. Once they’ve got the “reset password” e-mail, they can click it, instantly changing your Magento admin password. They now have full control over your Magento site! A scary thought, right? Well, to prevent this, use a super secret e-mail which isn’t displayed publicly anywhere on the internet. A good example is something like this: “h83nfog@company.com”.

 

Restrict admin access to only approved IP addresses:

Restricting admin access is a really great way of taking that extra precaution to ensure your website is safe. You can do this via the .htaccess file. Here are the steps for restricting access by IP address:

  • Connect to your server (where your website files are).
  • Navigate to your admin folder.
  • Create a new file called “.htaccess”; if one is already there, just open it up!
  • Add the code below to your .htaccess file.

      # Evaluate Deny rules first, then Allow rules (no space after the comma)
      Order deny,allow
      # Block everyone by default
      Deny from all
      # Then let this one address through
      Allow from 4.5.6.7

  • Save and upload the file (remember to replace “4.5.6.7” with your IP addresses).

NOTE: If you want to allow several IP addresses, just add new “Allow from …” lines and insert more IPs.
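
The same restriction written so that it works on both Apache 2.2 and Apache 2.4, as an added example that is not part of the original post. Apache 2.4 uses Require ip for this and only honours Order/Deny/Allow when mod_access_compat is loaded; the range 203.0.113.0/24 is a constructed placeholder for a second allowed network.

```apache
# Added example, not from the original post.
# 4.5.6.7 is the post's placeholder address; 203.0.113.0/24 is a constructed
# documentation range standing in for an office network.

<IfModule mod_authz_core.c>
    # Apache 2.4 and later: several Require lines mean "any of these";
    # every address not listed is refused with 403 Forbidden.
    Require ip 4.5.6.7
    Require ip 203.0.113.0/24
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2: Order takes exactly one argument, so "deny,allow"
    # must be written without a space after the comma.
    Order deny,allow
    Deny from all
    Allow from 4.5.6.7
    Allow from 203.0.113.0/24
</IfModule>
```

The file only takes effect if the server's AllowOverride setting permits these directives for the admin folder, so after uploading, request the admin URL from an address that is not on the list and confirm it returns 403.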

That’s it for this installment. I hope you enjoyed the read. Comment your favourite hack prevention methods below! Don’t forget to have a nice day too 🙂

About the author: Qasim Majid