 

Magento Security Measures

I was looking for tips for making Magento as secure as possible. I found this http://magplazza.com/2010/06/top-4-security-tips-for-your-magento-store-that-can-be-done-easily/ but I wonder if anyone has any more tips or links like the one above, or maybe Magento is pretty secure out of the box. (I have done a lot of work with WordPress, and there are plenty of things to do to vanilla WordPress to secure it, so I was assuming Magento would have some too.)

EDIT: NB: A commenter below has brought up a few issues with the quality of information contained in the above link.

byronyasgur asked Oct 05 '11 16:10



1 Answer

Wow, what a useless article you linked :-)

1) is obvious.

2) is more appropriately changed by overriding the frontName of the adminhtml module. This is done during Magento install or anytime by editing the admin/routers/adminhtml/args/frontName node in app/etc/local.xml. By the way, the admin frontName or the admin URL should always be something besides /admin - it's the cheapest impediment to bot attacks.

3) is TERRIBLE ADVICE. The secret key exposes nothing and should mitigate POST attacks.

4) is the only worthwhile item from the post.

Besides the above, everything else comes down to standard web server security. Patch your installs regularly, patch your software regularly, use sFTP if possible.

The only Magento-specific advice I can add is to ensure that you review any third-party modules before you install.

benmarks answered Sep 30 '22 14:09

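As an added example (not code from the question or the answer), a small Python audit script that parses a constructed Magento 1 app/etc/local.xml and reports whether the admin/routers/adminhtml/args/frontName node the answer refers to still carries the default value; the hardened value `backoffice-k7q2` is a made-up placeholder, not a recommendation.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1 app/etc/local.xml whose admin router
# still uses the default frontName, so the admin panel answers at /admin.
WEAK_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# The same file after the frontName is changed to a non-default value
# (placeholder value, constructed for this example).
HARDENED_LOCAL_XML = WEAK_LOCAL_XML.replace(
    "<frontName><![CDATA[admin]]></frontName>",
    "<frontName><![CDATA[backoffice-k7q2]]></frontName>",
)

# Path of the node, relative to the <config> root, exactly as the answer names it.
FRONTNAME_PATH = "admin/routers/adminhtml/args/frontName"


def admin_frontname(local_xml: str):
    """Return the configured admin frontName, or None if the node is absent."""
    root = ET.fromstring(local_xml)
    node = root.find(FRONTNAME_PATH)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def check_admin_frontname(local_xml: str):
    """Return (ok, message); ok is False when the admin URL is still /admin."""
    name = admin_frontname(local_xml)
    if name is None:
        # With no override in local.xml, the Mage_Adminhtml module config supplies 'admin'.
        return False, "no admin frontName set in local.xml; default 'admin' applies"
    if name.lower() == "admin":
        return False, "admin frontName is the default 'admin'"
    return True, f"admin frontName is '{name}'"


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_LOCAL_XML), ("hardened", HARDENED_LOCAL_XML)):
        ok, msg = check_admin_frontname(xml_text)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

To audit a live install, read app/etc/local.xml from disk and pass its contents to check_admin_frontname.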