Magento Security

There is something that is rarely talked about during the initial phases of a Magento build. It’s just not that sexy. Beautiful design excites people, and cool features may give your marketing department a racing heart, and then there’s this other thing, which happens to be a nebulous cloud of worries for most folks or perhaps even an afterthought.

Yep, that something is SECURITY.

Rather than step down and explore the various Magento exploits, attacks, and protocols, this article is aimed at a pragmatic approach to security – the 30,000-foot view which just might get the attention of decision makers.

First of all, there are always breaches, exploits and attacks on all systems. For example: In 2015, $75 billion…that’s right “seventy-five billion”…was spent on cybersecurity. For all that, it is generally assumed that almost all Fortune 500 companies have ongoing security breaches of some kind. That’s the reality.

Wow, that’s scary. What now?

Rather than living in a constant state of trepidation, there are approaches you can take to mitigate the risk. Your company should be budgeting for a solid security program. This will keep your site as profitable and as healthy as possible within your budget and available resources.

I’m ready, where do I begin?

Let’s frame this discussion properly. Most Magento development and design companies are not security companies. Sure, a lot of web agencies understand security and build sites in as safe a way as we know how. We apply patches as soon as they’re released and we’re versed in firewalls and best practices. But development agencies are generally not security experts.

Here is an overview of what you should be aiming for with regard to Magento security. Make sure to fold this into your overall website plan and budget. There may be more steps depending on the size and risk profile of your company.

Step 1: Security / Data Protocols

Let’s start with you, the client. Yup, that’s why this is number one. Clients need to establish proper website protocols and contingencies in case of data theft, site breach or site disablement. This should be shouldered by the business. Also, be sure to adhere to PCI compliance in-house, store as little customer/order data as possible, use tokenization, maintain strong, complex passwords, obfuscate the admin entry gate, don’t write credit card data down anywhere, etc. There are many companies that can help write a proper protocol for your business.

Step 2: Magento Hosting (e.g. Nexcess)

Always aim for a Magento-optimized host. It’s not only important for optimization and troubleshooting; it’s essential for security. What does a host (https://www.nexcess.net/about/security) do? Well, for starters they are responsible for OS-level patches, physical security, back-ups and network-level security (depending on the plan). Most Magento hosting companies (e.g. Nexcess) worth their salt are also hyper-familiar with the Magento code base. They can help triage outages and platform oddities.

Step 3: Magento Corp.

Magento, the corporation, is constantly releasing patches (https://magento.com/security) for vulnerabilities in the Magento core libraries/themes, but these patches are generally made available only after a vulnerability has been identified (hopefully by friendlies). The Magento programmers are constantly rewriting, refactoring and reviewing code for vulnerabilities. Keep abreast of these updates. We’ll do the same as your advocate. (https://magento.com/security/best-practices)

Step 4: Magento Extension Companies

Every extension that has been pulled down from Magento Connect/Marketplace is prone to vulnerabilities. Respectable and “active” companies will provide updates to their extensions as soon as new Magento releases or exploits have been identified (again, hopefully by friendlies). Keep up with these releases. Sign up for support and read those emails!

Step 5: Magento Development Agencies (Hey, That’s Us!)

Our role is to apply Magento patches as they are made available either by extension developers or from the Magento mothership. We will also implement any needed upgrades or updates from the extension marketplace. We are constantly implementing best practices with our code and proactively helping (when applicable) our clients make good/better decisions.

Step 6: Monitoring

Lastly, and perhaps most importantly, determine which business-appropriate risk management suite (such as https://sucuri.net) you want to use. These security companies use all sorts of technologies to protect you against attacks, breaches, exploits, injections, etc. They can also run various analyses and reports for you. If you do find a breach, the good outfits can help you clean it up. Definitely a win/win here.

Start the conversation internally and have a plan. Those proactive steps will help temper the worries, reduce the risk and, really, it’s just good business. Enjoy time away from work when your security plan is robust and working while you’re not.