June 20, 2019 by Ben Chafetz

8 Security Tips to Keep Your Magento Store Safe from Hackers

The largest data breach compromised all 3 billion Yahoo user accounts in 2013.

In 2018, more than 445 million consumer records were exposed by data breaches – up from 197.6 million in 2017.

Cyber attacks are a growing problem both in America and worldwide.

Data breaches are also becoming more expensive to deal with. The average cost of a data breach is about $3.86 million, up about 6.4% from 2017. The cost of a breach at your store is unlikely to be that high, but it’s still important to do everything you can to protect your customers’ data, and your reputation.

Wondering how?

Here are 8 useful Magento security tips that you can use to help protect your store from hackers, data breaches, and other malicious cyber attacks. Read on, and make sure you’re protecting your store and your customers!

1. Migrate To Magento 2 (If You Haven’t Already)

If you haven’t done so already, you need to make a plan to migrate to Magento 2. Magento 1 is being sunset, and support for it ends on June 30, 2020. After that date, security patches will no longer be provided, leaving your site vulnerable to hackers. If you continue to use Magento 1 past this point, you’re putting your store and your customers’ data at risk.

In addition, as mentioned in one of our past blog posts, Magento 2 comes out-of-the-box with a number of security and performance improvements, with additional security features including:

  • Support for SHA-256 cryptographic password hashing.
  • End-to-end AES-256 encryption for credit cards and personal data.
  • Clickjacking prevention.
  • XSS protection.
  • Session and cookie validation.

With Magento 2, you’ll be able to easily comply with PCI security requirements, and you’ll protect your store with all of the above features and more. If you’re not already on Magento 2, start thinking about your migration strategy today.

2. Keep Your Magento Version Up-To-Date

Even if you’re on Magento 2, it’s always important to keep your Magento installation updated.

Magento 2.3, for example, introduced two-factor authentication for additional protection of your administrative accounts, and added support for the Google reCAPTCHA service, which will help prevent brute force attacks from botnets.

Every release of Magento also includes plenty of bug fixes, patches and security updates intended to help protect your store.

3. Secure Your Store With Two-Factor Authentication

Two-factor authentication, or 2FA, is an extra layer of protection that keeps your Magento store secure even if a hacker gets hold of your username and password.

You can easily install two-factor authentication support on your store in a few minutes by following this guide from Magento. It supports four different two-factor authentication methods, including:

  1. Google Authenticator
  2. Authy
  3. U2F (Universal 2nd Factor) keys
  4. Duo Security

4. Set a Custom Admin Path to Discourage Brute Force Attacks

By default, your Magento store’s admin path – the URL you use to log in as the administrator – will look like this:

As you may have already guessed, this makes it easy for hackers to figure out which URL to use to try to access your store – and they may use a brute force attack, in which automated tools try large numbers of password guesses against your Magento admin login until one succeeds.

Using two-factor authentication will stop this, but another good security best practice is to set a custom admin path. You can easily change your admin login URL by following this guide from Magento.

5. Use HTTPS/SSL

It’s easy to set up your website to use HTTPS/SSL with Magento 2. HTTPS is a critical part of PCI compliance, and ensures that your customers’ web traffic is encrypted and secured from anyone trying to snoop on their connection.

To set it up, log into your Magento 2 backend, then perform the following steps:

  1. Choose Stores > Settings > Configuration
  2. Select “Web” under the “General” section on the left menu
  3. Expand the section marked “Base URLs (Secure)”
  4. In the Base URL field, change “http” to “https”
  5. Set the “Use Secure URLs” setting on Storefront to “Yes”
  6. Set the “Use Secure URLs” setting on the Admin menu to “Yes”
  7. Click the “Save Config” button to make your changes

6. Turn On Session Expiration

Your website isn’t only vulnerable to remote cyber attacks. It’s also at risk from unauthorized people gaining access to your Magento admin panel after stealing your computer, or otherwise getting access to your computer while you’re still logged in.

A simple way to secure your website and make sure that you’re protected from this is to turn on session expiration and set a low time limit. Session expiration will log you out of your Magento admin panel after a set amount of inactivity – say, 5 minutes.

To configure it, here’s what you’ll need to do:

  1. Log into the Magento admin panel
  2. Click Stores > Settings > Configuration from the left sidebar
  3. Select Advanced > Admin
  4. Under Security, look for the text box marked “Admin Session Lifetime (seconds)”. This indicates the length of time you’ll stay logged in, in seconds. A value of 1800, for example, will set your timeout at 30 minutes.
  5. Enter your desired time here. We recommend between 5 and 10 minutes, but you can experiment and see what works for you
  6. Click “Save Config” to save your changes

Once you log out and log back into your Magento account, your new timeout interval will be active.
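The same settings covered in tips 4, 5 and 6 can also be applied from the command line, which is handy when you deploy from scripts rather than clicking through the admin panel. The script below is an added example written for this post; it is not code from Magento or from the guides linked above. It assumes a Magento 2.2 or later install run from the store root (so `bin/magento` is available), and that the configuration paths `web/secure/base_url`, `web/secure/use_in_frontend`, `web/secure/use_in_adminhtml` and `admin/security/session_lifetime` correspond to the admin-panel fields described in the steps above. The lower bound of 60 seconds on the session lifetime and the alphanumeric-plus-underscore rule for the admin path are assumptions about Magento’s own validation.

```shell
#!/bin/sh
# Added example, not part of the original post or of Magento itself.
# Assumes: Magento 2.2+, run from the store root, config paths as named in the lead-in.
set -eu

MAGENTO="${MAGENTO:-bin/magento}"   # set MAGENTO=echo to print the commands instead of running them

# Tip 5: build the secure base URL Magento expects, with an https scheme and a trailing slash.
secure_base_url() {
    host="$1"
    case "$host" in
        *://*) printf 'error: pass a bare host name, not a full URL\n' >&2; return 1 ;;
    esac
    printf 'https://%s/\n' "${host%/}"
}

# Tip 6: convert the recommended 5-10 minute window into the seconds the setting takes.
# Magento refuses lifetimes under 60 seconds (assumed), so anything below one minute is rejected.
session_lifetime_seconds() {
    minutes="$1"
    case "$minutes" in
        ''|*[!0-9]*) printf 'error: minutes must be a whole number\n' >&2; return 1 ;;
    esac
    if [ "$minutes" -lt 1 ]; then
        printf 'error: session lifetime must be at least 1 minute\n' >&2; return 1
    fi
    echo $((minutes * 60))
}

# Tip 4: validate a custom admin path. Only letters, digits and underscores are accepted
# (assumed validation rule), and the default "admin" is refused because it defeats the purpose.
admin_frontname() {
    name="$1"
    case "$name" in
        admin) printf 'error: "admin" is the default path; choose something unguessable\n' >&2; return 1 ;;
        ''|*[!A-Za-z0-9_]*) printf 'error: admin path may contain only letters, digits and underscores\n' >&2; return 1 ;;
    esac
    echo "$name"
}

# Apply all three settings in one pass. --lock-env stores the values in app/etc/env.php,
# so they cannot be changed from the admin panel and stay under deployment control.
harden_store() {
    host="$1"; minutes="$2"; path="$3"
    url=$(secure_base_url "$host")
    secs=$(session_lifetime_seconds "$minutes")
    name=$(admin_frontname "$path")
    "$MAGENTO" config:set --lock-env web/secure/base_url "$url"
    "$MAGENTO" config:set --lock-env web/secure/use_in_frontend 1
    "$MAGENTO" config:set --lock-env web/secure/use_in_adminhtml 1
    "$MAGENTO" config:set --lock-env admin/security/session_lifetime "$secs"
    "$MAGENTO" setup:config:set --backend-frontname="$name"
    "$MAGENTO" cache:clean config
}

# Usage: sh harden-store.sh shop.example.com 10 my_private_backend
if [ "$#" -eq 3 ]; then
    harden_store "$1" "$2" "$3"
fi
```

Run it once with `MAGENTO=echo` to review the exact commands it would issue before letting it touch a live store; after a real run, log out and back in as described above so the new session lifetime takes effect.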

7. Don’t Cheap Out On Web Hosting – Choose A Secure, Private Server

We don’t typically recommend cheap, shared web hosting plans for Magento stores, because a shared server can open you up to a few different security vulnerabilities:

  • If any single site on the shared server is compromised, the attacker may be able to access other websites hosted on the same, shared server.
  • A malicious attacker could buy hosting on a shared server, and then use their site to try to attack other sites on the same server.
  • When using a shared server, you do not have the same level of administrative access or ability to harden your own server against attacks.

A recent security flaw in cPanel, which is used by web hosting giants like Bluegator, Godaddy, Siteground and more, shows the risks of a shared server. This flaw allowed any person using a shared server to view the activity of every other website on the server.

Using a dedicated, private server will not guarantee that you’re immune to hacks and cyber attacks – but it’s a good way to eliminate many common vulnerabilities.

8. Consider Investing in a Magento Security Assessment

If you’re not a cybersecurity expert, and you’re wondering what flaws or issues may be exposing your website to vulnerabilities, it may be time to turn to the experts.

Hiring a security consultant for a quick review of your Magento store is not expensive, and can provide you with some great, actionable goals that you can pursue to secure your website and keep your customers’ information safe.

Follow These Tips to Lock Down Your Magento Store!

While it’s impossible to guarantee that your store won’t be targeted by a cyber attack, there are a lot of steps you can take to lock down your store, and protect it against the most common attack vectors and security flaws. Take another look at these tips and think about how you can use them to keep your Magento store safe.

If you need help assessing the security of your website, please contact us. We’d be happy to perform an initial assessment to gauge your store’s security level and uncover any vulnerabilities.
