Work with reliable hosting providers and solution integrators. When evaluating their qualifications, ask about their approach to security. Verify that they have a secure software development life cycle in accord with industry standards such as The Open Web Application Security Project (OWASP), and that they test their code for security issues.

If you are starting a new site, consider launching the entire site over HTTPs. Taking the lead on this issue, Google now uses HTTPs as a ranking factor.

For an existing installation, plan to upgrade the entire site to run over to a securely encrypted, HTTPs channel. Although you will need to create redirects from HTTP to HTTPs, the effort will future-proof your site. We recommend that you plan to make this change sooner, rather than later.

Protecting the environment is the most critical aspect of ensuring the security of your store. Keep all software on the server up to date, and apply security patches as recommended. This applies not only to Magento, but to any other software that is installed on the server, including database software and other websites that use the same server. Any system is only as secure as the weakest link.

• Server Environment

  	Make sure that the server operating system is secure. Work with your hosting provider to ensure that there is no unnecessary software running on the server.
  	Use only secure communications protocol (SSH/SFTP/HTTPS) to manage files, and disable FTP.
  	Magento includes .htaccess files to protect system files when using the Apache web server. If you use a different web server such as Nginx, make sure that all system files and directories are protected. For an sample Nginx configuration, see: magento-nginx.conf on GitHub. For .htaccess protection to work correctly, your web server must read .htaccess through the AllowOverride All directive in its configuration. To verify, try the following request: http://www.yoursite.com/app/etc/local.xml. If you get the contents of the local.xml file, you must change the web server settings.
  	Use only the minimum required permissions for a given task. As an example, do not use the root or administrator account to send mail from Magento. Use only limited privileges for database account.
  	Use strong, long, and unique passwords, and change them periodically.
  	Keep the system up to date, and immediately install patches when new security issues are discovered.
  	Closely monitor any issues that are reported for software components used by your Magento installation, including the operating system, MySQL database, PHP, Redis (if used), Apache or Nginx, Memcached, Solr, and any other components in your specific configuration.
  	Limit access to cron.php file to only required users. For example, restrict access by IP address. If possible, block access completely and execute the command using the system cron scheduler.

• Advanced Techniques

  	Automate the deployment process, if possible, and use private keys for data transfer.
  	Limit access to the Magento Admin by updating the whitelist with the IP address of each computer that is authorized to use the Admin and Magento Connect downloader. For examples of how to whitelist IP addresses, see: Secure Your Magento Admin.
  	Do not install extensions directly on a production server. To disable the Magento Connect downloader on the production site, either remove or block access to the /downloader directory. You can also use the same whitelisting methods.
  	Use two-factor authorization for Admin logins. There are several extensions available that provide additional security by requiring an additional passcode that is generated on your phone, or a token from a special device.
  	Review your server for “development leftovers.” Make sure there are no accessible log files, publicly visible .git directories, tunnels to execute SQL helper scripts, database dumps, phpinfo files,or any other unprotected files that are not required, and that might be used in an attack.
  	Limit outgoing connections to only those that are required, such as for a payment integration.
  	Use a Web Application Firewall to analyze traffic and discover suspicious patterns, such as credit card information being sent to an attacker.

• Server Applications

  	Make sure that all applications running on the server are secure.
  	Avoid running other software on the same server as Magento, especially if it is accessible from the Internet. Vulnerabilities in blog applications such as Wordpress can expose private information from Magento. Install such software on a separate server or virtual machine.
  	Keep all software up to date, and apply patches as recommended.

• Admin Desktop Environment

  	Make sure that the computer that is used to access the Magento Admin is secure.
  	Keep your antivirus software up to date, and use a malware scanner. Do not install any unknown programs, or click suspicious links.
  	Use a strong password to log in to the computer, and change it periodically. Use a password manager such as LastPass, 1Password, or Dashlane to create and manage secure, unique passwords.
  	Do not save FTP passwords in FTP programs, because they are often harvested by malware and used to infect servers.
  	Delete user accounts for employees or contractors who no longer work with you. A large number of intrusions can be attributed to insider knowledge.

Your effort to protect your Magento installation starts with the initial setup, and continues with the security-related configuration settings, password management, and ongoing maintenance.

• Your Magento Installation

  	Use the latest version of Magento to ensure that your installation includes the most recent security enhancements. If for any reason you cannot upgrade to the latest version, make sure to install all security patches as recommended by Magento. Although Magento issues security patches to fix major issues, new product releases include additional improvements to help secure the site.
  	Use a unique, custom Admin URL instead of the default “admin” or the often-used “backend,” Although it will not directly protect your site from a determined attacker, it can reduce exposure to scripts that try to break into every Magento site. (Never leave your valuables in plain sight.) Check with your hosting provider before implementing a custom Admin URL. Some hosting providers require a standard URL to meet firewall protection rules.
  	Block access to any development, staging, or testing systems. Use IP whitelisting and .htaccess password protection. When compromised, such systems can produce a data leak or be used to attack the production system.
  	Use the correct file permissions. Core Magento and directory files should be set to read only, including app/etc/local.xml files.
  	Use a strong password for the Magento Admin. To learn more, see: Creating a strong password.
  	Take advantage of Magento’s security-related configuration settings for Admin Security, Password Options, and CAPTCHA.

• 	Install extensions only from trusted sources. Never use paid extensions that are published on torrent or other sites. If possible, review extensions for security issues before installing them.
  	Do not click suspicious links, or open suspicious email.
  	Do not disclose the password to your server or to the Magento Admin, unless you are required to do so.

• 	Develop a disaster recovery/business continuity plan. Even a basic plan will help you get back on track in the event of a problem.
  	Ensure that your server and database are automatically backed up to external location. A typical setup requires daily incremental backups, with a full backup on a weekly basis. Make sure to test the backup regularly to verify that it can be restored.
  	For a large site, simple text file dumps of the database take an unacceptable amount of time to restore. Work with your hosting provider to deploy a professional database backup solution.

If your system is not immediately patched after a major security breach, there is a high probability that your site is already compromised. Complete a security review periodically to check for signs of attack, and also when contacted by customers with security-related concerns.

• Security Review

  	Check periodically for unauthorized Admin users.
  	(Magento Enterprise only) Check the Admin Actions Log for suspicious activity.
  	Use automated log review tools such as Apache Scalp.
  	Work with your hosting provider to review server logs for suspicious activity, and to implement an Intrusion Detection System (IDS) on your network.
  	Use a file and data integrity checking tool such as TripWire to receive notification of any potential malware installation.
  	Monitor all system logins (FTP, SSH) for unexpected activity, uploads, or commands.

In the event of a compromise, work with your internal IT security team if available, or hosting provider, and system integrator to determine the scope of the attack. Taking into consideration the type of compromise and the size of the store. Then, adjust the following recommendations to your business needs.

• Defacing of Site	Site access is compromised, but often the payments information is not. User accounts might be compromised.
  Botnetting	Your site becomes part of a botnet that sends spam email. Although data is probably not compromised, your server is blacklisted by spam filters which prevents email that you send to customers from being delivered.
  Direct Attack on Server	Data is compromised, backdoors and malware are installed, and the site no longer works. Payment information—provided that it is not stored on the server— is probably safe.
  Silent Card Capture	In this most disastrous attack, intruders install hidden malware or card capture software, or possibly modify the checkout process to collect and send out credit card data. Such attacks can go unnoticed for extended periods of time, and result in major compromise of customer accounts and financial information.