Site Maintenance

Keep WordPress Up to Date

Part of staying on top of security is keeping your WordPress installation, and any plugins, up to date. This is especially true if you run both WordPress and Magento on the same server: if someone compromises your WordPress installation, they have access to your Magento installation as well.

Keep Your Extensions Up to Date

For the same reason, you want to keep third-party extensions up to date to reduce the risk of someone finding a security loophole in one of them and gaining access to your server.

Restrict Access to the Downloader

Restricting access to the Downloader is something we recommend for everyone. If a hacker can get into the Downloader, they will have the ability to install extensions and code on your site. This is obviously a major security concern. You should talk to your developer about restricting it to certain IP addresses in the .htaccess.

If you do not use the Downloader (and instead use Magento Connect), consider having it removed entirely. You may find that you don't need this area at all, and by removing it you eliminate a possible gateway through which your site could be severely compromised.

Protect Your Magento Admin URL

The baseurl/admin path is the default location of the Admin section for all Magento installations, so many hackers already know where to log in. Have your developer restrict this page to a list of cleared IP addresses so that only the people you have allowed get access. If you do not want to restrict access by IP address, consider changing the Admin URL so it is not as easy to guess.
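The Downloader restriction and the Admin URL restriction above are the same technique: an IP allow list in .htaccess. The following shell script is an added example written for this page (not code from Magento or from the original article) that generates both fragments. It assumes Apache with mod_rewrite enabled and .htaccess overrides allowed; the addresses are constructed placeholders from the RFC 5737 documentation ranges, and the admin path defaults to the stock "admin" (if you have renamed the Admin URL, pass the new path instead).

```shell
#!/bin/sh
# Generate Apache .htaccess allow-list rules for two Magento entry points:
#   1. the Admin URL (routed through index.php, so it has no directory of
#      its own and must be guarded with mod_rewrite in the web-root .htaccess)
#   2. the downloader/ directory (a real directory, so a downloader/.htaccess
#      with Require ip / Allow from does the job)
# Example code written for this page, not code from Magento or the article.
# Assumptions: Apache 2.4 (a 2.2 fallback is emitted as well); the IP
# addresses used in the demo at the bottom are constructed placeholders.

# Turn a dotted IPv4 address or prefix into an anchored regex for RewriteCond.
# A full address "203.0.113.10" becomes "^203\.0\.113\.10$"; a prefix
# ending in a dot, such as "198.51.100.", becomes "^198\.51\.100\." so the
# whole /24 is matched.
ip_regex() {
  escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
  case "$1" in
    *.) printf '^%s' "$escaped" ;;
    *)  printf '^%s$' "$escaped" ;;
  esac
}

# Emit mod_rewrite rules for the web-root .htaccess that return 403 for any
# request under /ADMIN_PATH from a client that is not on the allow list.
# $1 = admin path without leading slash (e.g. "admin"), $2.. = allowed IPs.
admin_rewrite_rules() {
  admin_path=$1
  shift
  printf 'RewriteEngine On\n'
  printf 'RewriteCond %%{REQUEST_URI} ^/%s(/|$)\n' "$admin_path"
  for ip in "$@"; do
    # Every allowed address adds a negated condition; all must hold (i.e.
    # the client matches none of them) for the forbid rule to fire.
    printf 'RewriteCond %%{REMOTE_ADDR} !%s\n' "$(ip_regex "$ip")"
  done
  printf 'RewriteRule ^ - [F,L]\n'
}

# Emit the contents of downloader/.htaccess: allow only the listed IPs or
# CIDR ranges. Apache 2.4 syntax first, Apache 2.2 syntax as a fallback.
dir_allowlist() {
  printf '<IfModule mod_authz_core.c>\n'
  printf '    Require ip'
  for ip in "$@"; do printf ' %s' "$ip"; done
  printf '\n</IfModule>\n'
  printf '<IfModule !mod_authz_core.c>\n'
  printf '    Order Deny,Allow\n    Deny from all\n'
  for ip in "$@"; do printf '    Allow from %s\n' "$ip"; done
  printf '</IfModule>\n'
}

# Demo with constructed placeholder addresses. Redirect each call into the
# right .htaccess file on a real install.
echo "# --- web-root .htaccess fragment (Admin URL) ---"
admin_rewrite_rules admin 203.0.113.10 198.51.100.
echo "# --- downloader/.htaccess (Downloader) ---"
dir_allowlist 203.0.113.10 198.51.100.0/24
```

Two things to check after installing the rules: request the admin path from an address that is not on the list and confirm you receive a 403, and, if the site sits behind a reverse proxy, load balancer or CDN, confirm what Apache sees as the client address, because REMOTE_ADDR will then be the proxy's address and the allow list will either block everyone or nobody until the real client IP is restored.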

Consider Implementing a File Checker

Consider having your developer implement some type of scan that checks whether any files have changed. The scan can email someone on your team to look at those files and make sure they are not malicious. Similarly, you should strongly consider using a version control system that keeps track of all changes to the files on your site. Then, if you notice changes that you did not authorize, you can revert to a known safe state.
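A minimal version of the file checker described above, as an added example written for this page (not code from Magento or from the original article): it records a baseline of file hashes for the document root and, on each later run, reports files that were added, removed or modified since the baseline. It assumes a POSIX shell with find, awk and sort, plus sha256sum (coreutils) or shasum; the notify function is a placeholder you would replace with mail(1) or your own alerting command, and the sample paths in the usage comment are illustrative.

```shell
#!/bin/sh
# File-change checker for a Magento document root. Example code written for
# this page, not code from Magento or the original article.
# Assumptions: POSIX sh with find, sort and awk; sha256sum (coreutils) or
# shasum (Perl) for hashing; notify() is a placeholder hook.

if command -v sha256sum >/dev/null 2>&1; then
  HASHER=sha256sum
else
  HASHER="shasum -a 256"
fi

# Print "hash  ./relative/path" for every regular file under $1.
# var/ (cache, sessions, logs) and media/ (uploads) change legitimately all
# the time, so they are skipped; code, templates and config are what matter.
build_manifest() {
  ( cd "$1" && find . -type f \
        ! -path './var/*' ! -path './media/*' \
        -exec $HASHER {} + )
}

# Compare two manifests ($1 = baseline, $2 = current) and print one line per
# difference: "ADDED path", "REMOVED path" or "MODIFIED path". The path is
# everything after the hash and its two-space separator, so file names that
# contain spaces are handled. FILENAME is used instead of the NR==FNR idiom
# so an empty baseline file still works (everything is reported as ADDED).
diff_manifests() {
  awk 'FILENAME == ARGV[1] { base[substr($0, length($1) + 3)] = $1; next }
                           { cur[substr($0, length($1) + 3)] = $1 }
       END {
         for (p in cur)  if (!(p in base)) print "ADDED " p
         for (p in base) if (!(p in cur))  print "REMOVED " p
         for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
       }' "$1" "$2" | sort
}

# Placeholder notification hook: prints the report. In production this would
# pipe into mail(1) or post to the team's alerting tool.
notify() {
  printf 'Unexpected file changes detected:\n%s\n' "$1"
}

# Record a baseline if none exists; otherwise compare and notify.
# Returns 0 when nothing changed, 1 when changes were found.
check_tree() {
  root=$1
  baseline=$2
  current=$(mktemp)
  build_manifest "$root" > "$current"
  if [ ! -f "$baseline" ]; then
    mv "$current" "$baseline"
    echo "Baseline recorded in $baseline"
    return 0
  fi
  changes=$(diff_manifests "$baseline" "$current")
  rm -f "$current"
  if [ -n "$changes" ]; then
    notify "$changes"
    return 1
  fi
  return 0
}

# Usage, e.g. from cron (paths are illustrative):
#   check_tree /var/www/magento /root/magento.baseline
```

Keep the baseline file outside the web root and readable only by root, since an attacker who can edit files in the document root could otherwise update the baseline to hide the change; re-record it after every deployment you made on purpose, so the only alerts you receive are for changes nobody authorized, which is exactly the case where a version control history lets you revert.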