You may not think that your site is vulnerable to attack, but the sad truth is that websites are compromised all the time. Many website security breaches are not even aimed at stealing your data or vandalizing your website, but at gaining control of your server. Since your site holds a mountain of sensitive data, it is your responsibility to keep on the lookout for anything that could cause a security vulnerability in your site.

Below is a list of things you can check as a Magento store owner or manager, as well as things for your developer to look into to keep on top of your site’s security.

What can you do?

Things you can do right now

Mage Report

Visit magereport.com to check that your site has all the security patches installed. The Magento security patches are extremely important to install. The short answer is: if any item on Mage Report shows up in a color other than green, talk to your developer.

Check Admin Accounts

Every so often, check all the admin accounts on your site. If a hacker can set up their own admin account, they will be able to make changes to your site. If you don't recognize an account, disable it immediately. Disabling instead of deleting makes it easier to track down the account's actions in the admin actions log. You can check your admin accounts by going to ‘System’ > ‘Permissions’ > ‘Users’ in the Magento Admin. To disable an account, click on the user you want to disable and, in the drop-down at the bottom titled ‘This account is:’, set it to inactive.

Use the Admin Actions Log

Enterprise Edition of Magento has the Admin Actions Log, which you can use to keep track of all changes made in the Admin. This helps identify which user made which change and when. To check the Admin Actions Log, navigate to the Admin area of your site, then hover your pointer over ‘System’ > ‘Admin Actions Log’ > ‘Report’. Clicking on ‘Report’ shows a list of all recent Admin actions. NOTE: this is only available in Enterprise Edition of Magento and is not found in Community Edition.

You might note that if the admin user was deleted, you can’t search for them in the dropdown, but their actions still show up in the log. It may take extra diligence to track down a deleted user’s actions.
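The two checks above (reviewing admin accounts, and following the actions of an admin who has since been deleted) can also be run straight against the database, which is handy when you want a developer to audit many accounts at once. The following is an added example, not code from the original post; it assumes the stock Magento 1.x schema implied by the menu paths in this post (the admin_user table, and on Enterprise Edition the enterprise_logging_event table) and no table prefix. The username 'suspect_user' is a placeholder.

```sql
-- Added example (not from the original post): review Magento 1 admin users
-- and cross-check the Enterprise admin actions log from the database.
-- Assumes the stock Magento 1.x schema: admin_user, and on Enterprise
-- Edition, enterprise_logging_event. Adjust the table prefix if your
-- installation uses one.

-- 1. Every admin account, active or not, with creation time and last login.
--    An account you don't recognise, or one created recently that nobody on
--    your team set up, is what to look for.
SELECT user_id,
       username,
       email,
       is_active,          -- 1 = active, 0 = disabled
       created,
       modified,
       logdate   AS last_login,
       lognum    AS login_count
FROM   admin_user
ORDER  BY created DESC;

-- 2. Disable a suspect account without deleting it (the post's advice), so
--    its history stays easy to follow in the actions log.
UPDATE admin_user
SET    is_active = 0
WHERE  username = 'suspect_user';   -- placeholder name

-- 3. Enterprise Edition only: actions recorded for a user_id that no longer
--    exists in admin_user, i.e. actions by deleted admins. The log stores the
--    username string in its own column, so the name is still visible even
--    though the account is gone.
SELECT e.time,
       e.`user`     AS username,
       e.user_id,
       e.ip,
       e.fullaction,
       e.action,
       e.status
FROM   enterprise_logging_event e
LEFT   JOIN admin_user u ON u.user_id = e.user_id
WHERE  u.user_id IS NULL
ORDER  BY e.time DESC;

-- 4. Enterprise Edition only: per-user activity count for the last 7 days,
--    to spot an account that has suddenly become busy.
SELECT e.`user`    AS username,
       COUNT(*)    AS actions,
       MIN(e.time) AS first_seen,
       MAX(e.time) AS last_seen
FROM   enterprise_logging_event e
WHERE  e.time >= NOW() - INTERVAL 7 DAY
GROUP  BY e.`user`
ORDER  BY actions DESC;
```

Query 3 is the database view of the point made above: the log row keeps the username text even after the admin_user row is gone, so a deleted user's actions are still attributable, they just no longer appear in the report's user drop-down.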

New Strong Passwords

Consider having everyone reset their Admin user password. It is best practice for each person to have their own login. By resetting all passwords you're ensuring only the people you want to be accessing the site are able to do so. Also, encourage every user to use really strong passwords. Here is a helpful post from Microsoft on creating strong passwords: https://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx

Disable Saved Credit Card Payment Method

Make sure the default Saved Credit Card payment method is turned off. This payment method is completely insecure and does not meet industry standards. Since it does not encrypt credit card data, it is not PCI compliant. Having this payment method enabled makes it much easier for credit card information to be compromised. Please protect your customers by using alternative methods like PayPal or Authorize.net to save credit card information.

To make sure the Saved Credit Card method is disabled, log in to your Magento Admin. Go to ‘System’ > ‘Configuration’ > ‘Payment Methods’ > ‘Saved Credit Cards’.

Make sure the ‘Enabled’ option is set to ‘NO’.

You may want to make sure that it is disabled on every scope (i.e. website scopes and store scopes), since a website or store can override the default setting. Remember that you can change the scope you are viewing with the scope selector in the top left of the page.
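Because each website and store can carry its own override, clicking through every scope in the Admin is easy to get wrong. The following is an added example, not code from the original post, that checks and corrects the setting at every scope at once from the database. It assumes the Magento 1.x core_config_data table and the stock configuration path for the Saved Credit Card method, payment/ccsave/active, where '1' means enabled and '0' disabled.

```sql
-- Added example (not from the original post): verify that the Saved Credit
-- Card method is disabled at every configuration scope. Assumes the Magento
-- 1.x core_config_data table and the stock config path for the Saved CC
-- method, payment/ccsave/active ('1' = enabled, '0' = disabled).

-- 1. Show the setting at every scope it has been written to. scope is
--    'default', 'websites' or 'stores'; scope_id is the website or store id.
--    A row with value = '1' at any scope means the method is still on there.
--    A website/store with no row of its own inherits the default-scope value.
SELECT config_id, scope, scope_id, value
FROM   core_config_data
WHERE  path = 'payment/ccsave/active'
ORDER  BY scope, scope_id;

-- 2. Turn it off everywhere it is explicitly set. Flush the configuration
--    cache afterwards (System > Cache Management), or the old value may still
--    be served from cache.
UPDATE core_config_data
SET    value = '0'
WHERE  path = 'payment/ccsave/active'
  AND  value <> '0';

-- 3. Make sure a default-scope row exists and is '0', so that scopes without
--    a row of their own inherit "disabled". The ON DUPLICATE KEY clause relies
--    on the table's unique key on (scope, scope_id, path).
INSERT INTO core_config_data (scope, scope_id, path, value)
VALUES ('default', 0, 'payment/ccsave/active', '0')
ON DUPLICATE KEY UPDATE value = '0';

-- 4. Re-run the check: this should now return no rows.
SELECT scope, scope_id
FROM   core_config_data
WHERE  path = 'payment/ccsave/active'
  AND  value <> '0';
```

Run query 1 first and keep its output: if a website- or store-level row with value '1' turns up that nobody on your team set, that is worth raising with your developer alongside the admin account review above, since it is the kind of change an unwanted admin account would make.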

Don’t leave your site vulnerable to attack. Take action today, and if you’re interested in how we could help don’t hesitate to reach out.