
How to secure Magento website

Magento is one of the most widely used eCommerce platforms, behind Shopify and WooCommerce. With popularity comes increased security risk, and Magento sites often become targets of attackers because the customer data amassed by online stores is worth a lot on the black market. Magento has a scalable architecture and many plugins offering features not available on other platforms, but the biggest problem for the average webmaster is keeping the website secure. In recent years, many Magento sites have been converted to Shopify for security and maintenance reasons. In this article, we'll discuss a few simple steps to secure a Magento website.

Update Magento regularly

Every open-source software project, including Magento, publishes updates and security patches on a regular basis. Attackers learn about a security vulnerability before most site owners do, and they use known vulnerabilities to attack outdated websites. Keeping your website on the latest Magento version closes the known holes that automated bots scan for when looking for a way in.

Disable directory listing with .htaccess

This applies not only to Magento; it should be configured for any website that does not purposely require directory listing. Attackers already know a lot about the files and directories used by Magento, so they will probe known files anyway, but leaving the door open for them to see everything under the hood makes exploring your website even easier.

Move admin panel to a new location

The default admin page is `/admin` under your store's domain. Attackers already know this admin URL and use brute-force attacks to guess your admin login. Moving "/admin" to a new location makes it harder for an attacker to find your admin page. You can change the admin path by modifying local.xml in Magento v1, and the env.php file in Magento v2. This is one of the reasons why you must turn off directory listing as described above: a listing would reveal the new path.
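As an added example (not code from the original post), here is a small POSIX shell script that applies the two steps above idempotently: it disables directory listing in an `.htaccess` file and checks whether a Magento 2 `env.php` still uses the default admin front name. The function names and the `/var/www/magento` path are assumptions; the `env.php` layout assumed is the standard `'backend' => ['frontName' => '...']` entry.

```shell
#!/bin/sh
# Added helper script (not from the original post) for the two steps above.
# Assumptions: Apache honours .htaccess, and the Magento 2 env.php stores the
# admin path as  'backend' => [ 'frontName' => 'admin' ]  on its own line.

# Append "Options -Indexes" to an .htaccess file unless a line already sets it,
# so the function can be re-run safely on every deploy.
disable_directory_listing() {
    htaccess="$1"
    [ -f "$htaccess" ] || : > "$htaccess"
    if grep -qiE '^[[:space:]]*Options[[:space:]]+.*-Indexes' "$htaccess"; then
        echo "directory listing already disabled in $htaccess"
        return 0
    fi
    printf '\n# Disable directory listing (hardening script)\nOptions -Indexes\n' >> "$htaccess"
    echo "disabled directory listing in $htaccess"
}

# Return 0 (true) when env.php still exposes the default /admin path, so a
# deploy check can fail loudly; return 1 once a custom front name is set.
admin_path_is_default() {
    env_php="$1"
    front_name=$(sed -n "s/.*'frontName'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$env_php" | head -n 1)
    [ -z "$front_name" ] || [ "$front_name" = "admin" ]
}

# Example run against a Magento root (the path is a placeholder):
# disable_directory_listing /var/www/magento/.htaccess
# admin_path_is_default /var/www/magento/app/etc/env.php && echo "WARNING: admin path is still /admin"
```

Running the script a second time leaves the `.htaccess` unchanged, which is what makes it safe to include in a deploy pipeline.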

Backup your website regularly

Even the largest organizations sometimes become victims of cyberattacks. As the owner of a small online shop, you must have an offsite backup plan that archives files and databases on a daily basis. In recent years, many websites have become targets of ransomware, which encrypts or deletes their data and demands a fraction of a bitcoin in exchange. Having an up-to-date backup will help you recover your data without hassle in the event of a hack or system crash.

Use SSL and serve only https

Using SSL/TLS encrypts data whenever information is transmitted from point A to point B. The unsecured nature of the Internet allows anyone between point A and point B to intercept plaintext traffic and read your credentials. In Magento, it is easy to serve the store over HTTPS by merely checking the option in the system configuration menu.

Using open-source software such as Magento always requires updating it on a regular basis. Attackers are the first to learn about a vulnerability in any open-source software, and they use it to attack outdated websites with known tactics. This is one of the drawbacks of open-source software, but Magento remains one of the most popular platforms used by store owners. Staying involved in the Magento community, updating the software regularly, and making routine backups of the website will help you keep it secure. For more information about securing a Magento website, please follow the Magento Security Best Practices.
