Securing a Magento Store
Magento stores on Webscale STRATUS are protected by a Web Application Firewall (WAF). Every request to a store must first pass a set of WAF rules designed to block common attacks and other attempts to compromise the store.
Even so, an e-commerce store is reachable by the public at large and remains a target for attempts that the WAF cannot be expected to catch on its own.
To add protection beyond the WAF:
- Don't use the default admin or backend login path. /admin is the first path attackers try, and it draws a constant stream of automated credential-guessing attempts. Magento 2 generates a randomized admin path at install time; keep it rather than changing it back to /admin. For Magento 1.x stores, change the default "admin" frontName in app/etc/local.xml to an obscure value resembling a strong password (e.g., "Uy49kkT" or "j87PenM"). This cuts the noise from scanners but is not a substitute for strong credentials on the accounts behind it.
- Install all updates and patches promptly. The Magento Security Center is Magento's resource for current and past updates. The community site, magesec.org, has open source scanning and patching tools.
- Many sites hosted on Mojo STRATUS use WordPress for their blog feature. Using Nginx Includes or the built-in STRATUS panel access restriction, restrict the WordPress login page by IP address so that brute-force attempts never reach it. For example:

    location ~* /wordpress/wp-login.php$ {
        # Replace 1.1.1.1 with the office or VPN address (or CIDR range) that may
        # log in; add one allow line per address. Access rules are checked in
        # order, so anything not matched by an allow falls through to "deny all".
        allow 1.1.1.1;
        try_files $uri $uri/ /index.php?$args;
        # Hand the PHP request to the STRATUS backend (@proxy) as usual; the
        # nested location inherits the allow/deny rules of this block.
        location ~* \.php$ { try_files /dummy @proxy; }
        deny all;
    }

  The allow rule is only as good as the address nginx sees. If traffic arrives through a proxy or CDN, configure nginx to recover the real client address (the real_ip module) first; otherwise the rule matches the proxy's address rather than the visitor's.
- Remove all extraneous files from the Magento web root. Database dumps, archives, backup copies, test scripts and other code that isn't needed in production are often left exposed, and a database dump in the web root hands an attacker the store outright.
- Use strong, unique passwords for every admin account.
- Block traffic from countries to which you do not ship.
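The admin-path and web-root items above can be checked before launch with a short script. The following is an added example, not code from this page, Webscale or Magento: it reports whether the backend path is still the default (reading Magento 2's app/etc/env.php or Magento 1's app/etc/local.xml), suggests a random replacement, and lists files that have no business in a production web root. The file patterns and the 12-character path length are assumptions; the demo at the bottom builds a throwaway sample tree rather than touching a real store.

```shell
#!/bin/sh
# Added example, not part of the STRATUS page or Magento itself: a small
# pre-launch audit for the admin path and web-root checklist items. The config
# locations (app/etc/env.php, app/etc/local.xml) are the standard Magento ones;
# the list of "extraneous" file patterns is an assumed starting point.

# Return 0 (true) when the backend path is still the default "admin".
# Magento 2: app/etc/env.php holds   'backend' => ['frontName' => '...']
# Magento 1: app/etc/local.xml holds <frontName><![CDATA[...]]></frontName>
admin_path_is_default() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 2; }
    grep -Eq "'frontName'[[:space:]]*=>[[:space:]]*'admin'" "$cfg" ||
        grep -qF '<frontName><![CDATA[admin]]></frontName>' "$cfg"
}

# Suggest a replacement: 12 random alphanumerics from the kernel CSPRNG,
# the same idea as the page's "Uy49kkT" but longer.
gen_admin_path() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12
    echo
}

# Print files that should never ship in a production web root: database dumps,
# archives, editor/backup copies, debugging scripts and exposed .git
# directories. Extend the patterns for your own store.
find_extraneous() {
    find "$1" \( -type d -name .git -prune -print \) -o \( -type f \( \
            -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar' \
            -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.bak' -o -name '*.old' \
            -o -name '*.orig' -o -name '*~' -o -name '.env' -o -name 'phpinfo.php' \
            -o -name 'info.php' -o -name 'test.php' -o -name 'adminer*.php' \
        \) -print \) | sort
}

# Run the checks against a constructed sample tree (not real store data).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/etc" "$tmp/pub"
    printf "<?php\nreturn ['backend' => ['frontName' => 'admin']];\n" > "$tmp/app/etc/env.php"
    printf 'CREATE TABLE t (id INT);\n' > "$tmp/pub/backup.sql"
    printf '<?php phpinfo();\n' > "$tmp/pub/phpinfo.php"
    printf '<?php echo "ok";\n' > "$tmp/pub/index.php"
    if admin_path_is_default "$tmp/app/etc/env.php"; then
        echo "WARNING: backend path is still /admin; try: $(gen_admin_path)"
    fi
    echo "Remove before going live:"
    find_extraneous "$tmp/pub"
    rm -rf "$tmp"
}
demo
```

To use it on a real store, drop the demo call and run admin_path_is_default app/etc/env.php (or app/etc/local.xml) and find_extraneous pub (or the store root on Magento 1.x) from the Magento directory. On Magento 2 the path is changed with bin/magento setup:config:set --backend-frontname=<value>; on Magento 1.x edit the frontName in local.xml and flush the cache.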