In this section of the guide, you will learn how to manage Admin sessions and credentials,
implement CAPTCHA, and manage website restrictions.
Magento Security Best Practices
All eCommerce sites are attractive targets to hackers because of the personal and payment
information that is required to complete a sale. Even if the system does not directly process
credit card transactions, a compromised site might reroute customers to a false page, or alter
an order before it is transmitted to the payment processor.
A compromised site can have long-term consequences for both customers and merchants.
Customers might suffer financial loss and identify theft, while merchants can face damage to
their reputations, loss of merchandise, higher processing fees, revoked privileges with financial
institutions, and the threat of lawsuits.
This guide outlines a multifaceted approach to improve the security of your Magento
installation. Although there is no single way to eliminate all security risks, there are many
things that you can do to make your site a less attractive target. It is crucial for hosting
providers, system integrators, and merchants to work together to establish and maintain a
secure environment, implement methods for early detection, and determine a plan of action in
the event of a breach. To learn more, see Best Practices in the Magento Security Center.
Make sure to stop by our Magento Security Center, and sign up for the Security Alert Registry to
receive notification from our security team of any emerging issues and solutions.
Work with reliable hosting providers and solution integrators. When evaluating their
qualifications, ask about their approach to security. Verify that they have a secure software
development life cycle in accord with industry standards such as The Open Web Application
Security Project (OWASP), and that they test their code for security issues.
If you are starting a new site, consider launching the entire site over HTTPs. Taking the lead on
this issue, Google now uses HTTPs as a ranking factor.
For an existing installation, plan to upgrade the entire site to run over to a securely encrypted,
HTTPs channel. Although you will need to create redirects from HTTP to HTTPs, the effort will
future-proof your site. We recommend that you plan to make this change sooner, rather than
Protect the Environment
Protecting the environment is the most critical aspect of ensuring the security of your store.
Keep all software on the server up to date, and apply security patches as recommended. This
applies not only to Magento, but to any other software that is installed on the server, including
database software and other websites that use the same server. Any system is only as secure as
the weakest link.
Your effort to protect your Magento installation starts with the initial setup, and continues
with the security-related configuration settings, password management, and ongoing
Follow Your Disaster Recovery Plan
In the event of a compromise, work with your internal IT security team if available, or hosting
provider, and system integrator to determine the scope of the attack. Taking into consideration
the type of compromise and the size of the store. Then, adjust the following recommendations
to your business needs.
1. Block access to the site, so the attacker cannot remove evidence or steal more information.
2. Backup the current site, which will include evidence of the installed malware or compromised
3. Try to determine the scope of the attack. Was credit card information accessed? What
information was stolen? How much time has elapsed since the compromise? Was the
information encrypted? Typically you can expect the following types of attack:
Defacing of Site – Site access is compromised, but often the payments information
is not. User accounts might be compromised.
Botnetting – Your site becomes part of a botnet that sends spam email.
Although data is probably not compromised, your server is
blacklisted by spam filters which prevents email that you send to
customers from being delivered.
Direct Attack on Server – Data is compromised, backdoors and malware are installed, and
the site no longer works. Payment information—provided that it
is not stored on the server— is probably safe.
Silent Card Capture – In this most disastrous attack, intruders install hidden malware
or card capture software, or possibly modify the checkout process
to collect and send out credit card data. Such attacks can go
unnoticed for extended periods of time, and result in major
compromise of customer accounts and financial information.
4. Try to find the attack vector to determine how the site was compromised, and when. Review
server log files and file changes. Note that sometimes there are multiple different attacks on the
5. If possible, wipe and reinstall everything. In case of virtual hosting, create a new instance.
Malware might be hidden in an unsuspected location, just waiting to restore itself. Remove all
unnecessary files. Then, reinstall all required files from a known, clean source such as files from
your own version control system, or the original distribution files from magento.com.
6. Apply all the latest security patches necessary.
7. Reset all credentials, including the database, file access, payment and shipping integrations,
web services, and Admin login.
8. If payment information was compromised, it might be necessary to inform your payment
9. Inform your customers about the attack and the type of information affected. If payment
information was compromised, they should look for unauthorized transactions. If personal
information, including email addresses was compromised, they might be targeted with
phishing attacks or spam.
Parts of this article were inspired by real-world solutions that were shared by community
members. The resulting article incorporates content from the community, with input from our
team. We’d like to thank the following people for contributing to this article:
- Bryan (BJ) Hoffpauir for sharing his insight on the Magento forum, and for contributing
recommendations in the Attack Response Plan section of this article. See the original post by
beejhuff for more information.
- Anna Völkl (@rescueann), Magento developer at LimeSoda.
- Robert Mangiafico (@robfico) CTO at LexiConn.
- @dracony_gimp for his security presentation, Being Hacked is Not Fun.
- Willem de Groot for providing a sample Nginx configuration.