While keeping your Magento installation up-to-date, using strong passwords and implementing secure connections are essential security measures. There are other strategies you need to use to further protect your self-hosted Magento store. In this blog, we’ll explore three critical ways to enhance your store's security and protect your business and customers.
Enable Two-Factor Authentication (2FA)
Two-factor authentication requires users to provide two different forms of identification to access your Magento admin panel. As a result, 2FA makes it more difficult for unauthorized users to gain access, even if they manage to obtain your password. It is also worth noting that 2FA is a requirement for PCI-DSS which many payment processors require you to implement.
How To Enable 2FA in Magento:
- Install the Magento_TwoFactorAuth module: This official module provides the necessary functionality for 2FA. You can install it through the Magento Marketplace or by using Composer.
- Configure 2FA: Navigate to Stores > Configuration > Security > 2FA in your Magento Admin Panel after installing the module. From here, you can enable 2FA, select the authentication providers (such as Google Authenticator or Authy), and configure the settings according to your needs.
- Train your team: Ensure your team members are familiar with using 2FA and understand its importance in protecting your store.
Regularly Audit User Roles and Permissions
Regularly reviewing and updating user roles and permissions is crucial to Magento security. By ensuring that each user has access only to the necessary resources and features, you can minimize the potential damage in case of a security breach.
How To Audit User Roles and Permissions:
- Review existing roles: Navigate to System > Permissions > User Roles in your Magento Admin Panel. Examine each role and ensure the assigned permissions are appropriate for the users' tasks.
- Update and remove roles as needed: Adjust the permissions for each role, or remove unused roles. For example, it is common to use 3rd party Magento developers to perform development or maintenance tasks. When 3rd parties are no longer working on a project for your store or when staff turns over, you need to remove these roles.
- Regularly review user accounts: When hackers exploit particular vulnerabilities in Magento, they might create a backdoor account that looks like a regular employee. Therefore, ensure the accounts and roles reflect who should be in your Magento store. Remove any accounts that do not conform to your active roster of authorized store admins.
Use a Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a security solution that filters and monitors incoming HTTP traffic to your Magento store. By detecting and blocking potential attacks, such as SQL injection, cross-site scripting (XSS), and other common exploits, a WAF helps protect your store from various threats.
How To Implement a WAF for Your Magento Store:
Choose a WAF solution: A broad selection of WAF solutions is available. Here at Meticulosity, we recommend that our clients use Cloudflare (https://cloudflare.com), but all three major public cloud providers have WAF offerings with their hosting services.
Configure the WAF: Configure your WAF solution according to your store's needs and security requirements. For example, create custom rules to block specific attack types or set up rate-limiting to prevent DDoS attacks. You will also want to restrict your traffic to the countries of origin where you sell products and services through your store.
Monitor and maintain your WAF: Regularly review your WAF logs and adjust your configuration to address emerging threats or false positives.
Conclusion
Securing your Magento store requires constant vigilance and a multi-layered approach. By implementing essential security measures like two-factor authentication, regular user roles and permissions audits, and a Web Application Firewall, you can further protect your store from potential threats and create a safer environment for your customers to consume products or services.
