Securing Your Store

The WAF rules in front of Stratus help protect every site.  However, there are still other ways for malicious software and unauthorized users to get into your site.  At the end of the day, your site is viewable to the public and will always be at risk, but a few simple steps can help keep you safe.

  • Don’t use the default admin or backend login path for anything; /admin in particular is really bad.  Magento 2 does not use that as its default.
  • Keep your site patched.  The Magento Security Center from Magento is the best place to see recent and past updates.  The community site magesec.org has open source scanning and patching tools.
  • IP-restrict your WordPress admin.  Many sites hosted on Mojo Stratus have additional blogs, and their logins are often exposed.  Using Nginx Includes or the built-in Stratus panel access restriction, you can restrict the WordPress login by IP and prevent brute-force attacks.
    # Only the listed address may reach the WordPress login; everyone else receives 403.
    # Replace 1.1.1.1 with your own office or VPN address (one allow line per address).
    location ~ /wordpress/wp-login.php$ {
        allow 1.1.1.1;
        deny all;
        try_files $uri $uri/ /index.php?$args;
        # Hand the PHP request to the @proxy named location defined elsewhere in the Stratus config.
        location ~ \.php$ { try_files /dummy @proxy; }
    }

  • Don’t leave junk lying around in your web root.  Extra database dumps, unneeded files, test scripts, and other code that isn’t necessary for production are often left exposed.  You never know what vulnerability might exist there, so keep your data safe!
  • Use strong passwords!
  • Block countries you do not ship to.
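To see why the wp-login.php restriction above matters, here is an added example (not part of the Stratus documentation or its configuration) that scans nginx access-log lines for password-guessing bursts against wp-login.php and then models the allow/deny pair from that snippet to confirm such an address would be refused.  The log lines, the 1.1.1.1 placeholder and the rule list are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:57:10 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:10:00 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

# Mirrors the allow/deny pair of the wp-login.php location; 1.1.1.1 is the page's placeholder address.
EXAMPLE_RULES = [("allow", "1.1.1.1"), ("deny", "all")]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def login_bursts(log_text, threshold=5, window_s=60):
    """IPs that POST to wp-login.php at least `threshold` times inside any `window_s`-second window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?", 1)[0].endswith("/wp-login.php"):
            attempts[rec[0]].append(rec[1])
    flagged = []
    for ip, times in attempts.items():
        times.sort()  # slide a window of `threshold` attempts over the sorted timestamps
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)

def nginx_access(ip, rules):
    """Model nginx allow/deny: rules apply in order, the first match decides, and no match allows."""
    addr = ipaddress.ip_address(ip)
    for verdict, cidr in rules:
        if cidr == "all" or addr in ipaddress.ip_network(cidr, strict=False):
            return verdict == "allow"
    return True
```

Run `login_bursts` over a real access log to find the addresses hammering wp-login.php, and `nginx_access` to check that your allow list admits only the addresses you intend.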