This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

CloudwaysCDN — a powerful solution that offers superior performance and satisfied global audience for your business. Read More

13 Magento Security Tips to Keep Your Ecommerce Store Safe

Updated on  February 15, 2018

6 Min Read
Reading Time: 6 minutes

Magento has become a force to be reckoned within the e-commerce industry because of its regularly updated features. In April 2015, Hivemind’s Ecommerce Survey reported a 26.0% share for Magento after studying 56,000 e-commerce websites inside the Alexa Top 1 Million. It gives Magento the largest size of the e-commerce pie. It clearly shows that if anyone is thinking about starting an e-commerce store, they first consider Magento. However, these ecommerce merchants rarely care about Magento security practices.

Magento Security

Honestly speaking, wherever there are shops, there are thieves; and e-commerce has its share of crooks. These cybercriminals are always on the prowl to find any weakness in the code or any loophole left by the user through which they can wiggle in.

Usually, these bad elements invade websites to conduct suspicious activities like:

  • Spamming
  • Phishing
  • Stealing user data

Even though Magento gets patched for security reasons on a regular basis, there are Magento security best practices that website administrators should follow to keep their efforts protected.

Cloudways Magento Hosting For Non-Technicals

Magento Security Checklist: How to protect your Magento Webstore?

A secure e-commerce website is a trusted e-commerce website. Trust plays an important part when you have an online store. By following this checklist, you can prevent (and to some extent, fix) Magento security issues. Here are the 13 Magento security tips to keep your ecommerce store safe:

  1. Use the latest Magento version
  2. Use two-factor authentication
  3. Set a custom path for the admin panel
  4. Acquire encrypted connection (SSL/HTTPS)
  5. Use Secure FTP
  6. Have an active backup plan
  7. Disable directory indexing
  8. Be wise with your Magento password
  9. Eliminate e-mail loopholes
  10. Invest in a sound hosting plan
  11. Prevent MySQL injection
  12. Get a Magento security review done
  13. Get in touch with the Magento Community

Use the latest Magento version

Many times, you will be told that latest is not the best. Most times, it is a lie. Magento consistently gets updated at a good pace. Subsequent Magento versions fix security issues of the preceding ones. Hence, it is very important to stay informed about the latest Magento version. Once a stable release is out, test it and get it implemented.

Use two-factor authentication

In today’s world, a secure Magento password is sadly not enough. To discourage attacks, it is best that you use a two-factor authentication for your Magento site security. There are a few extensions that deliver two-factor authentication so that you don’t have to worry about password-related Magento security risks anymore.

Rublon is an excellent two-factor authentication extension which provides a layer of stealth. It only allows trusted devices to access Magento backend by using a smartphone app. The app is available for all popular mobile OS platforms.

Another extension which is worth mentioning is Two-Factor Authentication by Extendware. The extension allows you to implement complex authentication mechanisms which include limiting log-in attempts.

Cloudways customers don’t need any extensions! The Managed Cloud Web Hosting Platform introduced two-factor authentication for its esteemed clients in 2015.

Set a custom path for the admin panel

You access your Magento admin panel by going to However, it is very easy for hackers to get on to your admin log-in page and start guessing passwords.

You can prevent this by /admin with a customized term (for e.g. “Store Door”). It also prevents hackers from getting on to your admin login page even if they somehow get hold of your password. You can change your Magento admin path by following these steps:

  • Locate /app/etc/local.xml
  • Find <![CDATA[admin]]>
  • Replace the term “admin” with your desired word or code

Acquire encrypted connection (SSL/HTTPS)

Whenever you send data, like your login details, across an unencrypted connection, there are risks of that data being intercepted. This interception can give assailants a peep into your credentials. To eliminate these issues, it is essential that you use a secure connection.

In Magento, you can get secure HTTPS/SSL URL simply by checking the tab “Use Secure URLs” in the system configuration menu. It is also one of the key elements in making your Magento website compliant with the PCI data security standard and in securing your online transactions.

To obtain an SSL certification, try Let’s Encrypt to get started. It will also help you in becoming PCI compliant.

Use Secure FTP

One of the most commonly used methods to hack a site is by guessing or intercepting FTP passwords. To prevent happening it with you, it’s essential that you use secure passwords and use SFTP (Secured File Transfer Protocol) which uses a private key file for decryption or authenticating a user.

SFTP access is already available on Cloudways.

Have an active backup plan

Although it is great that you take strict preventive measures for Magento security, it is equally essential to have an active backup plan, including hourly offsite backups and downloadable backups. If for any reason, your website gets hacked or even if it crashes, a backup plan ensures the continuity of your services.

You can prevent data loss by storing your website backup file(s) off-site or by arranging for backup through an online backup provider. Data backup results in minimal (and sometimes, no) data loss.

It is always wise to check with your hosting provider if it has a backup strategy. We, at Cloudways, take serious steps to ensure timely and sufficient backups.

Disable directory indexing

Disabling directory indexing is another way through which you can harden the security of your Magento site. Once disabled, you can hide the distinct pathways via which the files of your domain are stored.

It prevents cyber crooks from accessing your Magento-powered website’s core files. However, they can still access your files if they already know what the full path of your files is.

Be wise with your Magento password

A password is a key to your Magento store. That’s why you need to pay particular care while deciding a password. While devising a password, use one which has a mix of upper and lower case alphabets, numbers, and special characters like ?, >, etc. (Use a password management service if you have a problem of remembering a difficult one.) Furthermore, never use your Magento passwords anywhere else. Just like two locks can’t have the same key, keep your Magento password different from the rest of the passwords.

[Read: Deflect Ransomware attacks by adopting proactive security measures]

Eliminate e-mail loopholes

Magento provides its users a great password recovering facility through preconfigured e-mail address. But if that e-mail ID gets hacked, your whole Magento store becomes vulnerable. You need to make sure that the e-mail address you use for Magento is not publicly known and it is protected with two-factor authentication.

Invest in a sound hosting plan

We believe that shared hosting can be the cheapest means for hosting a website. Typically, for Magento startups too, shared hosting seems like a good option. However, investing in shared hosting means you are compromising on Magento security.

Dedicated hosting can be an option too, but it may prove to be insufficient for your needs as you will be restricted to a single server. It limits your resources, and if there is a sudden spike in your traffic, the website has a good chance of going down.

On the contrary, Managed Magento Hosting Platforms can be your best choice—one that guarantees robust security with frequent patches at server-level.

Remember, the dime-a-dozen hosting plans promise features that they can’t deliver (at least, not at low prices). Stay away from such plans, as they do not have a clue about Magento security issues.

Prevent MySQL injection

Although Magento provides great support to outmaneuver any MySQL injection attacks with its newer versions and patches, it is not always an ideal approach to rely only on them. We suggest that you add web application firewalls such as NAXSI to keep your site and your customers safe.

[Read: How To Protect A PHP Website From SQL Injection Attacks]

Get a Magento security review done

Magento developers are not necessarily security experts. Yes, many of them are good at coding, but only a few know the intricacies of Magento site security. That’s why once (or perhaps, twice) a year, you should get your website analyzed for apparent loopholes and security shortcomings. If properly done, these reviews help in further hardening of your Magento security measures.

[Read how Cloudways can help with a Magento site security review]

Get in touch with the Magento Community

Magento has a thriving community of techies who are always there to help you in the time of need. You can search and post queries regarding any security issues of Magento or its features. The Magento Community members also release security reports on various versions of Magento, so look out for those as well.

Move to Cloudways Managed Magento Hosting

There is no doubt that Magento is a robust ecommerce development solution. However, it comes with a lot of complex issues. Even though we have tried to give you the ultimate Magento security checklist, there are many complexities which you may face on a regular basis. That’s why we suggest that you move to Cloudways Managed Magento Cloud Hosting. We make every effort to ensure foolproof security of your servers. However, Magento website security is your responsibility. We provide blazing fast performance with 99.99% uptime based on the Varnish HTTP accelerator, Memcached and optional Redis caching systems, and Apache-Nginx stack.

Lastly, do share your Magento security tips and tricks in the comments section given below.

Share your opinion in the comment section. COMMENT NOW

Simplified Managed Cloud Hosting for Ecommerce Stores.

Convert traffic into buyers with managed Ecommerce Cloud hosting.

About The Author

Zain Imran

Zain Imran is a Digital Content Producer at Cloudways. He is an engineer and loves to learn about technologies. He is a sports and fitness freak.

Stay Connected:

Get Our Newsletter
Be the first to get the latest updates and tutorials.


  • Top ten security settings for magento store.
    1. Choose a secure password
    2. Require HTTPS/SSL for all pages with logins
    3. Don’t use your Magento password for anything else
    4. Use a custom admin path
    5. Close email loopholes
    6. Use secure FTP
    7. Limit unsecured FTP access
    8. Don’t save passwords on your computer
    9. Keep up-to-date anti-virus software
    10. Restrict admin access to only approved IP addresses

  • Alta Noble

    These are great tips in ensuring Magento security. Thanks for posting this helpful article.

  • Thank you for sharing these helpful tips about Magento security. It is very useful. Cheers!

  • CTO

    Thank you! valuable information, Keep up the good work!

  • Thanks! tutorials are great information.

  • John Rogers

    I’d recommend Magento 2-factor authentication from Human Element.

  • Excellent post!

  • BorateBomber

    Install SUPEE-6788 so that “TIP# 3: Set a custom path for the admin panel” actually works.

    Up until now changing the admin path has been a feelgood NOP instruction.

  • Sarah Robertson

    You’ve shared great tips!
    I would also add Cloudflare as it saved my (store) at some point.
    Two-factor authentication also provides higher level of security, in addition to the solutions listed by you in the article I would also add this plugin

  • Yevhen L.

    > TIP# 3: Set a custom path for the admin panel
    This is hard way. What happened if my IP will be changed? And what about /downloader directory ?

    I usually use IOCheck Secure Module – very simple and strong protection /admin and /downloader directories.