Hardening refers to the practice of improving the security of your system.

We developed this checklist & guidelines to help you ensure your application is set up to withstand a wide range of attacks.


Keeping your site up to date is probably the most important aspect of hardening your Magento installation.

Sign up for the Magento security mailing list. (In our experience the mailing list is not very reliable: it often takes days after a patch has been released until the emails go out. We recommend signing up with multiple email addresses.)

When a new patch becomes available, install it immediately. If a patch fixes a remotely exploitable vulnerability, that vulnerability will be actively exploited by attackers on the day of the patch release.

Patches can be found here

There are a lot of Magento extension vendors out there. Only use extensions from reputable vendors.

When picking a vendor, check whether they regularly update their existing extensions and whether they are responsive to support requests. When purchasing an extension, analyze the code and look for any obvious issues.

Set up a regular extension update schedule (at least once a month). Limit the number of installed extensions to the bare minimum.

For Magento 2, using Composer is a must. Composer allows you to update extensions directly from the command line, and any reputable extension vendor will make their extensions available via Composer. We strongly advise against installing extensions from a zip file, as this makes future updates difficult.

Running your site with SSL encryption is a must for basically any website these days.

To enable SSL in Magento follow these steps:

  • Set secure base url to https://yourdomain.com/
  • Enable "Use Secure URLs on Storefront" and "Use Secure URLs in Admin"

Let's Encrypt provides free SSL certificates that automatically renew every 90 days.

You can easily verify your SSL setup with the SSL Labs SSL Test.

In addition to Magento's admin authentication you should IP restrict the entire "/admin" path. A lot of Magento vulnerabilities target the Magento admin. If you lock down the entire admin area this class of attacks will become much harder.

Some sources recommend setting a different path for the admin, but "security through obscurity" is never a good practice. Purposefully restricting access is the preferred way.

Apache example:

    <Location /index.php/admin>
        AuthType Basic
        AuthName "Protected"
        AuthUserFile /path/to/.htpasswd

        # Grant access from the allowed IP range OR to a valid htpasswd user
        <RequireAny>
            # placeholder: replace with your office/VPN IP range
            Require ip 203.0.113.0/24
            Require valid-user
        </RequireAny>
    </Location>

You should additionally secure the admin area by enabling two factor authentication (2FA).

You can find detailed instructions here.

Who has access to your installation and what they can access is an important factor in securing your system. A user with access to the CMS can easily add a credit card skimmer to your installation. Keep in mind that if someone with admin access gets hacked, the attacker inherits their access privileges. Phishing a user with admin access and then exploiting the system through the Magento admin is a common attack vector.

You should:

  • Keep the list of admin users as small as possible
  • Change passwords frequently
  • Use roles to limit access to whatever this particular user needs to have access to

Remove the /downloader directory (Magento 1). Attackers have used the Magento Downloader to upload malicious code. In general, using the Downloader to manage your extensions is considered bad practice; use an SCM system instead. We recommend deleting the entire /downloader path from your system. This may cause problems with security patches that try to patch files in the /downloader directory. If that happens, simply remove the relevant lines from the patch.

Disallow PHP execution in media and var directories. Attackers often "hide" their code in these directories as these are often not under source control. If you have non-standard paths in your web root you should adjust this list to reflect your setup.

M1 example:

    # DirectoryMatch takes a regex; "Directory" does not accept alternation.
    # Replace /path/to/magento with your actual document root.
    <DirectoryMatch "^/path/to/magento/(media|var|images)/">
        <FilesMatch "(?i)\.(php3?|phtml)$">
            Order Deny,Allow
            Deny from all
        </FilesMatch>
    </DirectoryMatch>

By making /pub your web root you can drastically limit what components of your site are publicly available.

You can find detailed instructions here

Lock down your web server with a firewall and only leave the ports absolutely required for operation open to the public (ideally only ports 80 & 443). If you use multiple servers, make sure that only the web servers are publicly accessible. Any other server in the cluster should communicate via a private network.

You can use a tool like nmap to scan the open ports on your system.

Ensuring secure remote access to your web server is essential to make sure your system is secure.

  • Do not allow access to the server via insecure methods like FTP
  • Restrict SSH to key based authentication
  • Protect your SSH private key with a strong passphrase
  • IP restrict connections to the SSH port

Attackers often use directory listings (indexing) to get the lay of the land. Disabling directory listings is generally a good practice.

Directory listing/indexing documentation for Apache & Nginx
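For sites served by Nginx rather than Apache, the following is an added example (not from the original page) of the same controls in one server block: IP-or-password protection of the admin path, no PHP execution in upload directories, no directory listings, and /pub as the web root for Magento 2. Assumed placeholders: the domain yourdomain.com, the install path /var/www/magento, the admin range 203.0.113.0/24, and the PHP-FPM socket /run/php/php-fpm.sock.

```nginx
# Added example: Nginx equivalent of the Apache snippets on this page.
# All paths, the domain and the IP range are placeholders to be replaced.
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Web root is /pub, so app/, var/, vendor/ etc. are never served
    root /var/www/magento/pub;
    index index.php;
    autoindex off;                       # no directory listings

    # Admin path: allow the office/VPN range OR a valid htpasswd user
    location ~* ^/(index\.php/)?admin(/|$) {
        satisfy any;
        allow 203.0.113.0/24;            # placeholder: your admin IP range
        deny  all;
        auth_basic           "Protected";
        auth_basic_user_file /etc/nginx/.htpasswd;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # PHP dropped into upload/static directories is never executed
    location ~* ^/(media|static)/.*\.(php3?|phtml)$ {
        deny all;
    }

    # Only Magento's front controllers are handed to PHP-FPM
    location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
        include       fastcgi_params;
        fastcgi_pass  unix:/run/php/php-fpm.sock;   # placeholder socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location ~ \.php$ { return 403; }    # any other PHP file is refused
    location / { try_files $uri $uri/ /index.php$is_args$args; }
}

# Send all plain HTTP traffic to HTTPS
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
```

Run `nginx -t` after installing the file, then confirm from outside the allowed range that /admin answers 401 and that a test .php file placed under /media returns 403.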

It goes without saying, but you should have recent backups of your data. You should also test restoring your system from backups to ensure your backup strategy works.

Install a real-time intrusion detection system. If an attacker manages to breach your system despite all your hardening efforts you want to know right away to limit damage, inform your customers and implement counter measures.

We recommend Iogly for that.


You should regularly validate your setup. We recommend bookmarking this checklist and going through it at least once a month. Changes in your deployment, staffing & role changes, and updates to your infrastructure can weaken the security of your system. This is why we recommend regular re-validation.

Being aware of what's going on in the ecosystem helps you keep up with new developments and threats. We recommend the following community resources to stay up to date.