Dear Mementia Customer,
We have assembled a short article outlining Security Best Practices for operators of Magento websites, based on the official Magento Security Best Practices article. While Mementia takes care to ensure a secure development process and the security of the sites we host and support, there are a number of steps that you, as a site owner and operator, can take to guard against certain types of malicious activity.
Although Mementia takes care to ensure and maintain the security of your development and production environments, there is one item that is user-configurable and that we do not typically modify on our own: the URL of your admin page. If you do change the admin URL, please make sure to let us know so our QA team can update the project documentation.
- Use a unique, custom Admin URL instead of the default “admin” or the often-used “backend.” Although this will not directly protect your site from a determined attacker, it can reduce exposure to scripts that try to break into every Magento site. (Never leave your valuables in plain sight.)
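As an added example (not part of the original article or of any Mementia tooling), a small Python check that reads the admin front name out of a Magento configuration fragment and flags the two names warned against above. It assumes the Magento 2 app/etc/env.php layout (`'backend' => ['frontName' => ...]`) and the Magento 1 app/etc/local.xml `<frontName>` element; the sample fragments are constructed.

```python
import re
from typing import Optional, Tuple

# Admin front names the article warns against: the default "admin" and the
# often-used "backend". Callers can pass a larger set of their own.
WEAK_FRONT_NAMES = frozenset({"admin", "backend"})

# Magento 2 form (app/etc/env.php):  'backend' => ['frontName' => 'admin']
ENV_PHP_RE = re.compile(r"""['"]frontName['"]\s*=>\s*['"]([^'"]*)['"]""")
# Magento 1 form (app/etc/local.xml): <frontName><![CDATA[admin]]></frontName>
LOCAL_XML_RE = re.compile(
    r"<frontName>\s*(?:<!\[CDATA\[)?([^<\]]*?)(?:\]\]>)?\s*</frontName>"
)

def extract_front_name(config_text: str) -> Optional[str]:
    """Return the configured admin front name, or None if none is found."""
    for pattern in (ENV_PHP_RE, LOCAL_XML_RE):
        m = pattern.search(config_text)
        if m:
            return m.group(1).strip()
    return None

def check_admin_front_name(config_text: str,
                           weak=WEAK_FRONT_NAMES) -> Tuple[str, Optional[str]]:
    """Classify the front name as 'weak', 'ok' or 'unknown' (case-insensitive,
    since /Admin is as easy for a scanner to guess as /admin)."""
    name = extract_front_name(config_text)
    if name is None:
        return ("unknown", None)
    if name.lower() in weak:
        return ("weak", name)
    return ("ok", name)

# Constructed sample fragments (not real customer configuration).
SAMPLE_ENV_PHP = "<?php\nreturn ['backend' => ['frontName' => 'admin']];\n"
SAMPLE_LOCAL_XML = ("<config><admin><routers><adminhtml><args>\n"
                    "  <frontName><![CDATA[store_ops_7h2k]]></frontName>\n"
                    "</args></adminhtml></routers></admin></config>")

if __name__ == "__main__":
    for label, text in (("env.php", SAMPLE_ENV_PHP), ("local.xml", SAMPLE_LOCAL_XML)):
        status, name = check_admin_front_name(text)
        print(f"{label}: admin front name {name!r} is {status}")
```

Run it against a copy of your own config file to confirm the admin path is not one of the well-known names; a result of "unknown" means the fragment did not contain a front name in either layout.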
Ensuring strong password security is another way you can increase the security of your site. While Mementia actively protects your site against various forms of password-based attacks, and we take full responsibility for the accounts we use to access your site’s backend, it is ultimately the responsibility of the site owner to manage the users and accounts used to operate the site.
- Use strong, long, and unique passwords, and change them periodically.
- Do not disclose the password to your server or to the Magento Admin, unless you are required to do so.*
- Use two-factor authentication for Admin logins. Several extensions are available that provide additional security by requiring an additional passcode that is generated on your phone, or a token from a dedicated hardware device.
* This typically occurs when a third party requires access to your site. It is best to create a new account just for them and disable or delete that account once it is no longer required.

Administrator Desktop
Compared to the server environment on which your production and development sites reside, the computers used to access your store are very likely less secure by several orders of magnitude. This provides another vector a malicious entity can potentially use to compromise your store. Please make sure to keep your workstation safe and secure to prevent this.
- Make sure that the computer that is used to access the Magento Admin is secure.
- Keep your antivirus software up to date, and use a malware scanner. Do not install any unknown programs, or click suspicious links.
- Use a strong password to log in to the computer, and change it periodically. Use a password manager such as LastPass, 1Password, or Dashlane to create and manage secure, unique passwords.
- Do not save FTP passwords in FTP programs, because they are often harvested by malware and used to infect servers.
- Delete user accounts for employees or contractors who no longer work with you. A large number of intrusions can be attributed to insider knowledge.
Article based on: