21 Ways to Improve Magento security in 2017

Is your Magento website secure? Magento undoubtedly ships with a collection of built-in security features that help keep your website safe. However, there are further steps you should take to keep your Magento store secure.

We have collected 21 different ways to protect a Magento website from security breaches and hackers. Here they are:

Two-Factor Authentication

Two-factor authentication extensions let you make sure that only trusted devices can access your Magento backend. With this extra layer of security, logging in requires your unique username and password along with a security code that is randomly generated every 30 seconds by an app on your smartphone; such extensions can be purchased from the Magento Connect Marketplace.

With this in place, hackers are unable to log in to your Magento backend, because they would need your unique admin login page, your username and password, and your smartphone in their possession.


Change Passwords Before & After Working with Outside Developers


Often we need the help of outside developers to enhance a Magento store. It is advisable to change your admin and FTP passwords before allowing them access, and to change them again once the work is done. However carefully you keep your Magento and FTP passwords safe, that does not mean the Magento development company you hire keeps them as safe as you do.

Change Your File Permissions


Make sure your folders and files are not writable by anyone except you. Set your file permissions to 644 and folder permissions to 755. If you find anything set to 777 or 666, fix it immediately. You can do this quickly with the following commands over SSH:

find . -type d -exec chmod 775 {} \;    # directories

find . -type f -exec chmod 664 {} \;    # files

The one exception is the media and var folders, which should remain 775. Note that this process can be a little tricky, as the right file permissions depend on your hosting environment and Magento version.
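As an added example that is not part of the original post, the following POSIX shell script audits a store directory for world-writable (777/666) entries and applies the 644/755 permissions described above while keeping media and var at 775; the function names and the constructed demo tree are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Magento root for
# world-writable entries (777/666) and normalise permissions to the values
# recommended above (644 files, 755 directories, media/ and var/ kept at 775).
# Assumes a POSIX shell with find, chmod, mkdir and mktemp.

# List every world-writable file or directory under $1, one path per line.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the recommended permissions to the Magento root $1.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    # media/ and var/ must stay group-writable for the web server (775).
    for d in media var; do
        [ -d "$root/$d" ] && find "$root/$d" -type d -exec chmod 775 {} \;
    done
    return 0
}

# Constructed store tree with two deliberately loose entries, for an offline demo.
# Runs in a subshell so the umask change does not leak to the caller.
make_demo_tree() (
    umask 022
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/code" "$tmp/media" "$tmp/var"
    printf '<?php\n' > "$tmp/index.php"
    chmod 777 "$tmp/app/code"
    chmod 666 "$tmp/index.php"
    printf '%s\n' "$tmp"
)

demo() {
    root=$(make_demo_tree)
    echo "world-writable before fix: $(count_world_writable "$root")"   # 2
    fix_permissions "$root"
    echo "world-writable after fix:  $(count_world_writable "$root")"   # 0
    rm -rf "$root"
}

demo
```

Run list_world_writable against your real document root first to see what would change before applying fix_permissions.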

Use the Latest Version of Magento

New Magento versions are released to patch security risks found in the software, so it is advisable to update to the latest stable version as soon as possible.

Keep Updated Anti-Virus Software

Many Magento store owners update their anti-virus software only once a quarter. Make sure you use commercial-grade anti-virus software that updates on a daily basis, so that a hacker cannot plant a key-logger on your laptop.

Don’t Make the Mistake of Saving Your Password on Your Device

For an extra level of security, do not allow your browser or password manager software to save your password on your device. There are cloud-based services that let you access all your passwords from any computer you want, but that puts your most sensitive data out there where hackers are waiting to catch it. Passwords kept on your laptop (saved in a Word or Excel file) can be stolen if the laptop is hacked or lost.

Lockdown Your Magento Connect Manager

Magento’s Connect Manager is the quickest way to install extensions. However, it is also a security risk, because it is an entry point for brute-force attacks. It is recommended to change the /Downloader/ path, just as you would the admin path, to make it harder for hackers to crack your store. You can also restrict the new downloader path by IP address for extra security.

Choose a Complex, Long Admin Username and Password

Choose a username and password that are almost impossible to crack, since there is still a chance that a hacker will find your admin login page. Your password should be at least 15 characters long and contain punctuation, numbers, and a mixture of upper and lower case letters. An example:

    )j%djk ~9cU=f[p[VBq4

Disable Any Unsafe PHP Functions

Add the following rule to your php.ini file to prevent exploitation of PHP functions that are potentially unsafe:

disable_functions = proc_open, phpinfo, show_source, system, shell_exec, passthru, exec, popen
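An added example, not from the original post, that checks a php.ini against the rule above and lists which of the recommended functions are still enabled; the function names and the constructed php.ini fragments are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a php.ini applies
# the disable_functions rule recommended above and report any of those
# functions that are still enabled. Assumes a POSIX shell with grep, sed and tr.

REQUIRED="proc_open phpinfo show_source system shell_exec passthru exec popen"

# Print the functions from REQUIRED that are NOT listed in the last uncommented
# disable_functions line of the php.ini at $1. Empty output means the rule is complete.
missing_disabled_functions() {
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 \
        | sed 's/^[^=]*=//' | tr -d "\"' " | tr ',' ' ')
    for fn in $REQUIRED; do
        found=0
        for d in $disabled; do
            [ "$d" = "$fn" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$fn"
    done
    return 0
}

# Number of recommended functions still enabled (0 means php.ini is compliant).
missing_count() {
    missing_disabled_functions "$1" | wc -l | tr -d ' '
}

# Constructed php.ini fragments for an offline demonstration.
demo() {
    weak=$(mktemp); strong=$(mktemp)
    printf '; constructed: only two functions disabled\ndisable_functions = exec, system\n' > "$weak"
    printf 'disable_functions = "proc_open, phpinfo, show_source, system, shell_exec, passthru, exec, popen"\n' > "$strong"
    echo "weak php.ini still allows: $(missing_disabled_functions "$weak" | tr '\n' ' ')"
    echo "strong php.ini missing count: $(missing_count "$strong")"   # 0
    rm -f "$weak" "$strong"
}

demo
```

Point missing_disabled_functions at the php.ini reported by php --ini, since PHP reads only the last disable_functions line it finds.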

Do Not Use Your Magento Admin Password for Other Accounts

Use a 100% unique password dedicated solely to your Magento admin account. Avoid using the same password on other websites: if hackers obtain your usual password from one site, they can use it to break into the others.

Restrict Admin Access to Only Approved IP Addresses

Another important precaution is to restrict admin access to only the IP addresses you have whitelisted. You can achieve this easily via .htaccess, but the preferred way is the Apache LocationMatch directive:

<LocationMatch "admin">
    Order Deny,Allow
    Deny from All
    # 203.0.113.10 is a placeholder: replace it with your approved IP addresses
    Allow from 203.0.113.10
</LocationMatch>

Note that Order, Deny and Allow are the Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is a Require ip directive listing your approved addresses.

Use Secure FTP

Guessing or intercepting an FTP password is one of the simplest and easiest ways to hack a Magento eCommerce store. If you don’t want this to happen to you, use strong FTP passwords together with FTP-SSL (explicit AUTH TLS) or SFTP (SSH File Transfer Protocol). For an even higher security level, use SFTP with public key authentication.

Disable Directory Indexing

Preventing a potential hacker from viewing all the files in a folder on your site stops them from learning what files you have in a particular folder, which makes it much harder for them to search for vulnerabilities in your site. Add the following to your .htaccess file to prevent a potential hacker from listing the files in a folder on your web server. Make sure to press the return key so that the file ends with a blank line.

Use Trusted Magento Extensions Only

The Magento core code benefits from an active community of developers and strict security practices. The same does not apply to all the extensions developed for it, and a vulnerability in a single extension can be enough to give a hacker complete access to and control over your website.

We therefore recommend using only tested extensions with a proven track record of dependability. Update your extensions when new versions come out, just as you update Magento itself.

An Encrypted Connection Is a Must

Avoid sending data over an unencrypted connection, which leaves you more vulnerable to hackers; configure Magento to use secure logins instead. You can require login information to be sent over a secure connection by changing the setting in the system configuration menu.

Avoid cPanels

No doubt cPanel serves well for managing your email and FTP accounts and monitoring resources, but is it really secure? When someone else gains access to your cPanel, your data is exposed to hackers. If you are using cPanel, cloud hosting is the best option for accessing admin panels and power dashboards on your custom Magento website.

Obscure Your Admin Path

If your admin path looks like “your-site.com/admin”, you have made it incredibly easy for hackers and password-guessing bots to find your login page and guess your password. Choose another word instead of having the address end in “admin” to make the admin path more secure.

Utilize a Private Email

Magento will send your administrator’s password through email if you have forgotten it. Use an email address that is not publicly known to other people, and protect that mail account with a security question that would be impossible for anyone else to guess.

Secure Hosting

Shared hosting may seem like a good idea, but once your store is set up it is quite difficult to move to something more secure and stable. Cloud hosting gives you stability along with redundancy, and your data is more secure with it.

Backup Your Magento Store Regularly

Back up your Magento files and database on a regular basis to minimize the damage an attack can cause. Remember to store the backups on a different server from the one where your Magento store is hosted.

Update your PC Regularly


If you are part of the Magento community, you will receive updates and new patches on a regular basis. Such updates are needed to keep your store and PC secure at all times; apply the new patches made available on the community site to keep your store secure.

These tips will help keep your Magento store away from hackers. If you want to develop a secure Magento website, contact Magento Design Studio.

Images designed by: freepik.com