Skip to content

Securing a Magento Store

Magento stores on Stratus are protected by a Web Application Firewall (WAF). Every request to a store must first pass a host of WAF rules desired to repel hackers and other attempts to compromise a store.

Regardless of these efforts, an e-commerce store remains accessible by the public-at-large and therefore can be subject to additional attempts to compromise security.

To give your store additional protections,

  • Don't use the default admin or backend login path. Using /admin is a common path too often used by hackers to make repeated attempts to gain access. Magento 2 automatically creates an obscure admin path. For Magento 1.x stores, the default "admin" path should be changes to a obscure value resembling a very secure password (e.g., "Uy49kkT" or "j87PenM").
  • Install all updates and patches. The Magento Security Center is a Magento resource for recent and past updates. The community site, magesec.org, has open source scanning and patching tools.
  • Many sites hosted on Mojo Stratus use WordPress for their blog feature. Using Nginx Includes or the built-in Stratus panel access restriction, restrict the WordPress login by IP and prevent brute-force attacks. 
location ~* /wordpress/wp-login.php$ {
  allow 1.1.1.1;
  try_files $uri $uri/ /index.php?$args;
 location ~* \.php$ { try_files /dummy @proxy; }
  deny all;
}
  • Remove all extraenous files from the Magento web root. Extra database dumps, un-needed files and test scripts, and other code that isnt necessary for production is often left exposed.
  • Use strong passwords!
  • Block countries for which shipping is not available.