1. Limit Admin Accounts
A potential vulnerability when running an e-commerce store is losing control of your Admin accounts. This risk can arise from simple oversights, like an individual who recently left the company still having admin access, or handing over credentials to a developer who needs to support you with the installation of the latest and greatest extension [BTW – we do not recommend giving Admin passwords to extension developers]. It is critical to know who has an account on your site. Make sure Admin accounts are removed when individuals leave the company, when development teams have completed an assignment, or when there are accounts you don’t recognize. It is important to have a handle on who can access your site.
2. Limit “Admin” Capabilities
Not everybody needs an Admin account. Sure, there are some users who need full access to everything on the site, but there are many user roles that need only a sub-set of functionality. For example, Customer Support Reps don’t need the ability to install new extensions. Magento has extensive capabilities for configuring user role permissions. Use them. Set up roles with the permissions a user needs, and nothing more.
3. Use Strong Passwords
When was the last time you changed your password? If the answer is “I don’t remember”, then you need to change your password today. And when setting up a password, make sure it’s not something obvious, like the name of your favorite sports team, your company name + the year, or a date of significance (like a birthday). A good rule of thumb is to make sure a password contains a random combination of letters (upper and lowercase), numbers and special characters and is over 32 characters long. A password of that length will be difficult to “guess”, even with a brute-force attack.
If you’re in charge of running a Magento store, it is critical that you implement a business practice or extension that forces users with Admin account access to have a strong password and to reset that password on an established frequency – like every 30 days.
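The policy described above (length over 32 characters, mixed character classes, none of the "obvious" choices, and a forced reset after 30 days) is simple enough to check in one place. The following is an added illustration written in Python, not Magento code or an extension the article mentions; the company name, the date pattern and the 30-day interval are taken from the text or constructed as example values, and a real deployment would also run the candidate against a breached-password list.

```python
import re
from datetime import date

# Added illustration (not Magento code): the article's password rules in one checker.
MIN_LENGTH = 32          # the article's recommended minimum length
MAX_AGE_DAYS = 30        # the article's rotation interval
COMPANY_NAME = "acme"    # constructed example value; substitute your own company name


def obvious_patterns(password: str, company: str = COMPANY_NAME) -> list[str]:
    """Names of the 'obvious' ingredients the text warns about that appear in the password."""
    found = []
    if company.lower() in password.lower():
        found.append("company name")
    if re.search(r"(19|20)\d{2}", password):                        # a year, e.g. Acme2024
        found.append("year")
    if re.search(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b", password):  # a date, e.g. 03/14/1990
        found.append("date")
    return found


def password_problems(password: str) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    problems += [f"contains {p}" for p in obvious_patterns(password)]
    return problems


def must_reset(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than the rotation interval (dates as ISO strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs: one weak candidate, one that meets the policy.
    for candidate in ("Acme2024!", "Wq7#vLp2$nZr9!kTb4%hXe6&mYs1@dFu"):
        print(repr(candidate), "->", password_problems(candidate) or "ok")
    print("reset needed:", must_reset("2024-01-01", "2024-02-15"))
```

Wire `password_problems` into the admin password-change form so a weak choice is rejected before it is saved, and run `must_reset` at login so an expired password forces a change rather than merely warning about it.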
4. Add Two Factor Authentication
If you want to go even further with security, you should set up what is called two-factor authentication. This forces admins to log in with a standard username and password but also requires the submission of an additional one-time security code. There are extensions available that provide this two-factor authentication functionality. One highly recommended extension comes from Xtento; they provide an installation package that sends a one-time code to your smartphone and recognizes that code upon sign-in.
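To show what the one-time code actually is, here is an added Python illustration of the time-based one-time password scheme (RFC 6238, built on RFC 4226 HOTP) that authenticator apps generate; it is not the Xtento extension's code, nor any Magento code. The demo key is the ASCII reference key from those RFCs, and the `OneTimeCodeVerifier` class, the one-step clock-skew window and the replay check are my own choices for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Added illustration (not Magento or extension code): RFC 4226 / RFC 6238 one-time codes.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(key, unix_time // step, digits)


class OneTimeCodeVerifier:
    """Server-side second-factor check for one account.

    Accepts the code for the current time step or its immediate neighbours (clock
    skew between phone and server), compares in constant time, and never accepts
    a time step at or before one already used, so a captured code cannot be replayed.
    """

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key = key
        self.step = step
        self.window = window
        self.last_accepted_step = -1   # persist this per account in a real system

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                       # replay of a used (or older) step
            if hmac.compare_digest(hotp(self.key, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False


def new_secret() -> str:
    """Fresh base32 secret to enrol in an authenticator app (160 bits, as RFC 4226 recommends)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


# Reference key from the RFC test vectors (ASCII "12345678901234567890"); demo use only.
DEMO_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("code for the current 30-second step:", totp(DEMO_KEY, int(time.time())))
    print("example enrolment secret:", new_secret())
```

The replay check matters as much as the code itself: without it, a code phished or captured during its 30-second validity can be reused, which defeats the purpose of the second factor. Store `last_accepted_step` alongside the account so the rule survives across requests.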
5. Add Account Verification by IP Lookup
A simple extension can be leveraged to ensure the individual using an admin account is actually who they say they are upon login. Along with two-factor authentication, there is another extension that assigns an IP address to an account – this means the site will ensure that an individual who signs in with an account is coming from a recognized IP address. All too often, unknown individuals will attempt to access stores using admin accounts but from an unrecognized IP address (even from a different country).
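The check such an extension performs is a per-account IP allowlist. The following is an added Python illustration, not the code of any Magento extension: the usernames, networks and trusted-proxy range are constructed (the addresses come from the RFC 5737 and RFC 3849 documentation ranges). It denies by default and also covers the failure mode that breaks this control in practice: reading the client address from an `X-Forwarded-For` header that anyone can set, unless the request really arrived through your own load balancer.

```python
import ipaddress
from typing import Optional

# Added illustration (not Magento or extension code): per-account login allowlist.
# Constructed example data: admin username -> networks the account may log in from.
ALLOWED_NETWORKS = {
    "ops-admin": ["203.0.113.0/24", "2001:db8:1::/48"],
    "support-lead": ["198.51.100.7/32"],
}


def parse_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed: the private range your own reverse proxy / load balancer connects from.
TRUSTED_PROXIES = parse_networks(["10.0.0.0/8"])


def client_address(remote_addr: str, forwarded_for: Optional[str],
                   trusted=TRUSTED_PROXIES) -> str:
    """Decide which address to judge the login by.

    X-Forwarded-For is attacker-controlled unless the direct peer is one of your own
    proxies, so it is honoured only then, and only its rightmost entry (the one the
    trusted proxy itself appended).
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def login_allowed(username: str, source_ip: str, allowlist=ALLOWED_NETWORKS):
    """Return (allowed, reason). Unknown accounts, unparsable addresses and
    addresses outside the account's networks are all refused."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, f"unparsable source address {source_ip!r}"
    networks = allowlist.get(username)
    if not networks:
        return False, f"no allowlist entry for {username!r}"
    for net in parse_networks(networks):
        if addr in net:               # version mismatch (v4 vs v6) simply fails to match
            return True, f"{source_ip} is in {net}"
    return False, f"{source_ip} is outside the networks allowed for {username!r}"


if __name__ == "__main__":
    # Constructed login attempts: (username, socket peer, X-Forwarded-For header)
    attempts = [
        ("ops-admin", "10.1.2.3", "203.0.113.45"),      # via our proxy, allowed office range
        ("ops-admin", "192.0.2.9", "203.0.113.45"),     # direct, header forged: judged by 192.0.2.9
        ("support-lead", "198.51.100.8", None),         # one address off the allowlisted host
        ("nobody", "203.0.113.45", None),               # account with no allowlist entry
    ]
    for user, peer, xff in attempts:
        ok, why = login_allowed(user, client_address(peer, xff))
        print(f"{user:13s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

A refused attempt is worth logging with the username and source address even when the password was correct: a valid credential arriving from an unexpected country is exactly the signal the article describes, and it should trigger a password reset for that account, not just a failed login.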
The Bottom Line
With e-commerce, it’s always better to be safe than sorry. Protect your e-commerce site by implementing these security best practices. Looking for answers to more security questions or concerns? We’re here to help!