Stratus Security Guides - Securing a Magento Store
Magento stores on Webscale STRATUS are protected by a Web Application Firewall (WAF). Every request to a store must first pass a host of WAF rules designed to repel hackers and other attempts to compromise a store.
Regardless of these efforts, an e-commerce store remains accessible by the public-at-large and therefore can be subject to additional attempts to compromise security.
To give your store additional protections,
- Don’t use the default admin or backend login path. /admin is a well-known path that hackers routinely target with repeated login attempts. Magento 2 automatically creates an obscure admin path. For Magento 1.x stores, the default “admin” path should be changed to an obscure value resembling a very secure password (e.g., “Uy49kkT” or “j87PenM”).
- Install all updates and patches. The Magento Security Center is a Magento resource for recent and past updates. The community site, magesec.org, has open source scanning and patching tools.
- Many sites hosted on Mojo STRATUS use WordPress for their blog feature. Using Nginx includes or the built-in STRATUS panel access restriction, restrict the WordPress login path by IP address to prevent brute-force attacks, for example:
```nginx
# Only the listed address may reach the WordPress login form; every other client is denied.
location ~* /wordpress/wp-login.php$ {
    allow 1.1.1.1;          # example address; replace with your own office or VPN IP
    try_files $uri $uri/ /index.php?$args;
    location ~* \.php$ { try_files /dummy @proxy; }
    deny all;
}
```
- Remove all extraneous files from the Magento web root. Database dumps, unneeded files, test scripts, and other code that isn't necessary for production are often left exposed.
- Use strong passwords!
- Block countries for which shipping is not available.
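As an added example (not Webscale or STRATUS tooling), the script below audits a web root for the two points above that can be checked from the filesystem: leftover dumps, archives and test scripts, and a Magento 1.x store still using the default admin path. It assumes the Magento 1.x convention that the admin route name is stored as frontName in app/etc/local.xml, and it builds a constructed sample web root in a temporary directory so it runs offline.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Artifacts that should never sit in a production web root (assumed list).
RISKY_EXT = (".sql", ".sql.gz", ".zip", ".tar.gz", ".tgz", ".bak", ".old", ".orig")
RISKY_NAMES = {"phpinfo.php", "info.php", "test.php", "adminer.php", ".env", ".git"}

def find_extraneous(web_root):
    """Return sorted relative paths of dumps, archives, backups and test scripts."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            lower = name.lower()
            if lower in RISKY_NAMES or lower.endswith(RISKY_EXT):
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
        dirnames[:] = [d for d in dirnames if d.lower() not in RISKY_NAMES]  # skip flagged dirs
    return sorted(hits)

def admin_front_name(web_root):
    """Read the Magento 1.x admin route name from app/etc/local.xml (None if absent)."""
    path = os.path.join(web_root, "app", "etc", "local.xml")
    if not os.path.isfile(path):
        return None
    node = ET.parse(path).getroot().find("./admin/routers/adminhtml/args/frontName")
    return node.text.strip() if node is not None and node.text else None

def audit(web_root):
    """Combine both checks into a list of human-readable findings."""
    findings = ["exposed file: " + p for p in find_extraneous(web_root)]
    if (admin_front_name(web_root) or "").lower() == "admin":
        findings.append("admin path is still the default 'admin'")
    return findings

def build_sample_root():
    """Constructed Magento 1 web root: two exposed dumps and the default admin path."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php // storefront entry point",
        "backup-2019.sql": "-- constructed database dump",
        "var/backups/db.sql.gz": "constructed compressed dump",
        "app/etc/local.xml": "<config><admin><routers><adminhtml><args><frontName><![CDATA[admin]]></frontName></args></adminhtml></routers></admin></config>",
    }
    for rel, body in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
if __name__ == "__main__":
    print("\n".join(audit(build_sample_root())))
```

Run it against the real web root instead of build_sample_root() to get the list of files to remove before go-live; extend RISKY_EXT and RISKY_NAMES to match whatever your deployment process tends to leave behind.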