Magento Issues Guidance to Prevent Brute Force Guessing Attacks

Magento has issued guidance on preventing brute force password-guessing attacks.

Common Sense

On March 25th, Magento reported that it had seen an increase in brute force attacks against Magento installations and issued guidance on securing your site.

A lot of the guidance is common sense:

  • Use strong passwords
  • Don't use 'admin' or 'administrator' for your username

and

  • Apply security updates
  • Check System->Permissions->Users for any unknown accounts.

Remember folks, if you use a weak or guessable username and password combination, then even if no attacker has a particular interest in your business there are bots and people out there crawling the web and trying common combinations to gain access to your installation. A default username such as 'admin' halves the guesswork, because the attacker then only has to find the password.

Other Solutions

Whitelisting

IP whitelisting works by only allowing certain computers, or computers in certain locations, to access areas of your installation such as the admin area. The restriction is normally enforced in the web server or firewall configuration rather than in Magento itself. If you have (or can acquire) a dedicated IP address this is a no-brainer, but if you run a small operation and move around a lot, have a dynamic IP address or use different machines in different locations it is trickier; a VPN with a fixed exit address is the usual way round that.

Filtering

Filtering software, such as a tool that watches the web server logs and blocks an address after a run of login attempts in a short period, can help to stop unusual or unwanted behaviour before a guessing attack gets anywhere.
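As an added illustration of the two ideas above, whitelisting and filtering (this is example code written for this page, not Magento's own code or any particular filtering product): a small Python script that reads web server access log lines, counts POSTs to the admin login URL per source address inside a sliding window, flags addresses that cross a threshold, and exempts whitelisted ranges. The log lines are constructed, the addresses come from the documentation ranges, and the admin path, threshold and window are assumptions to adjust for your install; a production tool would hand the flagged addresses to the firewall rather than print them.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample web server access log in "combined" format (not real
# traffic). 203.0.113.7 hammers the admin login, 192.0.2.5 is a normal user
# and 198.51.100.20 is an office machine that the caller may whitelist.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2020:10:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [25/Mar/2020:10:00:03 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.0.2.5 - - [25/Mar/2020:10:00:04 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2020:10:00:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [25/Mar/2020:10:00:08 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.0.2.5 - - [25/Mar/2020:10:00:09 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2020:10:00:12 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.0.2.5 - - [25/Mar/2020:10:00:40 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Mar/2020:10:01:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Mar/2020:10:01:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Mar/2020:10:01:04 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Mar/2020:10:01:06 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Mar/2020:10:01:08 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2020:12:00:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
"""

# Fields of a combined-format line that we need: source IP, timestamp,
# request method, request path and response status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: Magento 1's default admin front name, so the login form posts
# to /index.php/admin/. Change this if the admin path has been renamed.
DEFAULT_ADMIN_PATH = "/index.php/admin/"


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_whitelisted(ip, whitelist):
    """True if ip falls inside any of the CIDR ranges in whitelist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in whitelist)


def find_brute_force(log_text, admin_path=DEFAULT_ADMIN_PATH, threshold=5,
                     window_seconds=60, whitelist=()):
    """Map each non-whitelisted IP that made `threshold` or more login POSTs
    within any `window_seconds` span to the time it first crossed the line."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}                  # ip -> first time the threshold was reached
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only POSTs to the login URL count; a GET of the form is harmless.
        if rec is None or rec["method"] != "POST" or rec["path"] != admin_path:
            continue
        if is_whitelisted(rec["ip"], whitelist):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that have fallen out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    office = ["198.51.100.0/24"]   # assumed office range to exempt
    for ip, when in find_brute_force(SAMPLE_LOG, whitelist=office).items():
        print(f"{ip} crossed the login threshold at {when.isoformat()}")
```

All POSTs to the login URL are counted regardless of response status, because a burst of login submissions from one address is suspicious whether or not any succeeded; if you know which status your install returns on a failed login you can narrow the count to those. The whitelist check runs before counting, so an office that legitimately logs in often never trips the threshold.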

Changing Admin and Downloader Locations & Names

Changing the location and name (in Magento 1) of the admin and downloader areas makes it harder for bots and people to find the login pages. In Magento 1 the admin path is set by the frontName in app/etc/local.xml, and the downloader is a directory under the web root that can be renamed. If attackers can't find the login pages easily they are likely to move on to someone else's installation, unless they have a really good reason to target your particular website. Bear in mind that this is obscurity rather than protection: it cuts down the automated noise but does nothing against an attacker who has already found the page, so it complements strong passwords and whitelisting rather than replacing them.

Other measures

Securing your installation takes time, expertise and usually money. But on an ecommerce platform it is customer data that gets compromised, so even if you don't store credit card details you still need to protect your customers' names, addresses and email addresses, and that means taking security measures.

If your site has been secured using these steps, the majority of hackers will quickly move on to sites where the door has been left wide open.

But even so, taking regular backups means that if your site is ever compromised it can be restored to a previous state. On an ecommerce site where orders are coming in thick and fast and products are updated regularly, you will want this to be an automated process that takes backups at least daily, so that all that data isn't wiped out when you revert. Keep the backups off the web server itself: a backup that sits alongside a compromised site can be tampered with or deleted along with it.