Criminal hackers target eCommerce websites all the time. They are adding sniffers to get credit card information, run carding attacks to search for active accounts, and do other malicious activities.

As a site owner you need to be protective. In this article, I will show you how to secure a Magento 2 website.

I’ll give you 5 tips. Some of them you can apply to other eCommerce platforms to stay safe and secure.

1. App, pub, vendor, setup, and lib folders under GIT

Git is a version control system. It helps keep track of file/directory changes. It’s free to use and can be installed almost on all operating systems. It helps developers and companies offering Magento development services work better and more efficiently.

Git could track code file changes and notify you of unauthorized edits.

Here is how to set it up. Once Git is installed, go to the Command terminal and switch to the Magento root folder. Then

$ git init .

$ git commit -m “initial commit”

OK, now the root folder is under version control. We want to be notified of file changes and this simple command could do it:

$ git diff app vendor lib setup pub | mail -S ‘daily file changes’ [email protected]

Put this command in cron to run every day (or every hour to be extra safe) and let the server tell you of any suspicious activity. The command will also tell you of any new files added to those important folders.

2. Upgrade to the latest version of Magento 2 and run the latest PHP

You can’t be secure if you run an outdated Magento 2 version. Follow release news and upgrade immediately. As a part of a Magento optimization service, I also recommend running the latest version to make a site faster.

Thanks to the Adobe team, now they release security patches regularly. Installing a patch is a lot easier than doing a full upgrade yet it has all the security fixes.

Upgrade could be done with a composer program. Do the following:

$ composer require magento/product-community-edition=2.4.6-p3 –no-update
$ composer update
$ php bin/magento setup:upgrade
$ php bin/magento deploy:mode:set production

After that test the site’s features and fix bugs if need be.

Make sure you also upgrade PHP on the server to the latest supported version. Adobe usually mentions supported versions in release notes.

There is other software that could be upgraded as well - database (mysql or mariadb), elasticsearch or opensearch, nginx or apache and redis and varnish (if you use the last two).

3. Compare the checkout page HTML against a saved copy to look for injected skimmer JavaScript

This trick will help you stay clean of malicious code aimed at duplicating credit card information.

Here is what you need to do. Go to your Magento 2 website and add a few items to the cart. Then proceed to the checkout page with a URL /checkout.

Then click on View Source and copy all HTML code into a special file - original.html. View Source button could be in different locations in different browsers - You may use our HTML Source Viewer tool to view source code by copying the checkout URL and paste it onto the tool.

Now you have an original HTML source that you could periodically compare to the current checkout HTML to see if there are any differences.

You can automate the procedure with the use of Selenium WebDriver. You can write a simple script that will open a browser window, go to the website, place an item in the cart, proceed to the checkout page, and get its source code. Then the script will compare it against original.html and notify you of any mismatches.

Here is just an example of such a script written in PHP:

namespace Facebook\WebDriver;
use Facebook\WebDriver\Remote\DesiredCapabilities;
use Facebook\WebDriver\Remote\RemoteWebDriver;
require_once('vendor/autoload.php');
$host = 'http://localhost:4444/';
$capabilities = DesiredCapabilities::chrome();
$driver = RemoteWebDriver::create($host, $capabilities);
$driver->get('https://yourstore.com/checkout');
$driver->wait()->until(
                    WebDriverExpectedCondition::titleContains('Checkout')
                        );
$driver->get('view-source:'.$driver->getCurrentUrl());
$paymentPage = $driver->getPageSource();
$originalHTML = file_get_contents(‘original.html’);
If($paymentPage != $originalHTML)
   mail(‘[email protected]’,’Alert’,’hack attemp!’)

You might need to add logic that adds an item to the cart and adjust the script to your environment.

4. Turn admin 2FA on and use custom permission roles for non-admin users

Magento 2 implements two-factor authentication (2FA) for admin access. It’s on by default.

You will need a Google Authenticator application to set it up. I’d suggest enabling it for all admin users to tighten up security.

Another recommendation would be not assigning Administrator Access Roles to all users.

Create custom roles with custom Resource Access. Grant only necessary permissions, for example, there is no need for a data entry team to have full access.

5. Disable /magento_version URL

The Magento 2 site can display its current version if you visit storedomain.com/magento_version. It shows something like this:

Magento/2.4 (Community)

Public access to this information could be beneficial to hackers and online scammers.

To turn it off you would need to disable the Magento_Version core extension. Do the following on a Command line:

php bin/magento module:disable Magento_Version

There is no need to recompile afterward, /magento_version path should now result in a 404 (not found) page.