Magento Forum

Good security practices
 
chuboi0924
Jr. Member
 
Total Posts:  11
Joined:  2012-05-31
 

Just launched a Magento 1.7 website with 7,000 products. Was wondering if there are any decent free extensions with security options? Also, I stumbled upon this article

Ten Tips

And was just asking for opinions about it. I’d like to change the default /admin path to something different, and #4 in this article states how to do so. Is this the best method of accomplishing that?

Also, on a few pages where my SSL is installed it says it’s secure, but there are items which are not. Is there a way to view which items are being sent over HTTPS and which ones are not?

Also, should enabling HTTPS on the admin backend be done for extra security?


Thank you

 
Magento Community Magento Community
Magento Community
Magento Community
 
elspood
Magento Team
 
Total Posts:  22
Joined:  2012-05-01
Magento
 

Changing the default admin path is more of a “security through obscurity” option, but it does provide some benefit against automated attacks.

It is much better, as you suggest, to simply ensure that all of your admin access is HTTPS vs HTTP. In general, you should try to run as much of your site as possible over HTTPS.

In order to identify your mixed content, in Firefox you can click Tools | Page Info and select the “Media” tab.
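
As an added example (not part of the thread), the same mixed-content check can be scripted against a page's saved HTML instead of read from the browser dialog. The host `shop.example` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "source": "src", "audio": "src", "video": "src",
               "object": "data", "link": "href"}
# <link> only triggers a fetch for these rel values (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "icon", "preload"}


class SubresourceAudit(HTMLParser):
    """Sort the subresource URLs of an https page into secure and insecure."""

    def __init__(self):
        super().__init__()
        self.secure, self.insecure = [], []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:          # <a href> is navigation, not a subresource
            return
        values = dict(attrs)
        if tag == "link":
            rels = set((values.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        url = (values.get(attr) or "").strip()
        if not url:
            return
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))
        else:  # https://, protocol-relative and relative URLs follow the page
            self.secure.append((tag, url))


def audit(html):
    parser = SubresourceAudit()
    parser.feed(html)
    return parser.secure, parser.insecure


# Constructed sample: markup of a checkout page served over https.
SAMPLE_PAGE = """
<link rel="stylesheet" href="https://shop.example/skin/css/styles.css">
<link rel="canonical" href="http://shop.example/checkout/cart/">
<script src="http://shop.example/js/prototype/prototype.js"></script>
<img src="/media/catalog/product/a.jpg">
<img src="http://shop.example/media/wysiwyg/banner.png">
<a href="http://shop.example/about-us">About us</a>
"""
```

Calling `audit(SAMPLE_PAGE)` returns the secure list first and the insecure list second; the script and the banner image are the items that would trigger the browser's mixed-content warning.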

 
 
chuboi0924
Jr. Member
 
Total Posts:  11
Joined:  2012-05-31
 

Thank you for your reply, I greatly appreciate it. So you think changing the default admin path is a good idea? Also, the method to do so in the above link, is this the best way to accomplish this? Also, enabling HTTPS on the ADMIN area is probably smart too.

 
 
elspood
Magento Team
 
Total Posts:  22
Joined:  2012-05-01
Magento
 
chuboi0924 - 30 November 2012 10:22 AM

So you think changing the default admin path is a good idea? Also, the method to do so in the above link, is this the best way to accomplish this?

Editing /app/etc/local is the right solution. It is a fairly simple change and hides your admin interface from automated attacks and unsophisticated attackers, so it is probably worthwhile.

 
 
chuboi0924
Jr. Member
 
Total Posts:  11
Joined:  2012-05-31
 
elspood - 30 November 2012 10:34 AM

chuboi0924 - 30 November 2012 10:22 AM
So you think changing the default admin path is a good idea? Also, the method to do so in the above link, is this the best way to accomplish this?

Editing /app/etc/local is the right solution. It is a fairly simple change and hides your admin interface from automated attacks and unsophisticated attackers, so it is probably worthwhile.

Thanks for your input, I appreciate it! Do you know of any free extensions they have to enhance security at all? I’ve done just a little research and did not find too much.

 
 
elspood
Magento Team
 
Total Posts:  22
Joined:  2012-05-01
Magento
 
chuboi0924 - 30 November 2012 10:39 AM

Thanks for your input, I appreciate it! Do you know of any free extensions they have to enhance security at all? I’ve done just a little research and did not find too much.

Based on my understanding of the extension model, it would be difficult for an extension to “enhance” the security of the Magento platform. What specific kinds of security features are you looking for?

 
 
chuboi0924
Jr. Member
 
Total Posts:  11
Joined:  2012-05-31
 
elspood - 06 December 2012 08:58 AM

chuboi0924 - 30 November 2012 10:39 AM
Thanks for your input, I appreciate it! Do you know of any free extensions they have to enhance security at all? I’ve done just a little research and did not find too much.

Based on my understanding of the extension model, it would be difficult for an extension to “enhance” the security of the Magento platform. What specific kinds of security features are you looking for?

Really, I was just looking for any extra steps to take to secure Magento and customer data.

 
 
MagenX
Enthusiast
 
Total Posts:  791
Joined:  2008-05-26
Dublin
 

Change your admin location.
Set up your server to log every IP accessing the real and fake admin locations, and then inject them into iptables.
Not everyone, but set some severity level, etc.
Don’t forget to whitelist yourself.

Protecting Magento using Magento itself is a bad idea.
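
One way to implement the log-and-block idea from the post above, as an added example that is not part of the thread. It assumes a combined-format access log, a renamed admin path `/backoffice_x7` (hypothetical), the old `/admin` left as a decoy, and constructed sample addresses and weights.

```python
import ipaddress
import re
from collections import Counter

REAL_ADMIN = "/backoffice_x7"   # hypothetical renamed admin path
DECOY_ADMIN = "/admin"          # default path, no longer used by real admins
ALLOWLIST = {"203.0.113.10"}    # your own address(es): never blocked
THRESHOLD = 3                   # severity score an IP must reach to be blocked

# Client IP, then method and request target, from a combined-format log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')


def severity(method, target):
    # Drop the query string and an optional /index.php prefix, then add a
    # trailing slash so "/admin" matches but "/administrator" does not.
    path = re.sub(r"^/index\.php(?=/)", "", target.split("?", 1)[0]) + "/"
    if path.startswith(DECOY_ADMIN + "/"):
        return 3 if method == "POST" else 1   # form submitted to the decoy
    if path.startswith(REAL_ADMIN + "/"):
        return 1                              # stranger on the real path
    return 0


def build_blocklist(log_lines):
    scores = Counter()
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        raw_ip, method, target = m.groups()
        try:  # validate before the value ever reaches a firewall command
            ip = str(ipaddress.IPv4Address(raw_ip))  # IPv6 needs ip6tables
        except ValueError:
            continue
        if ip not in ALLOWLIST:
            scores[ip] += severity(method, target)
    return sorted(ip for ip, s in scores.items() if s >= THRESHOLD)


def iptables_rules(ips):
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Dec/2012:11:01:02 +0000] "GET /admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Dec/2012:11:01:03 +0000] "POST /admin/ HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/Dec/2012:11:02:10 +0000] "GET /index.php/admin/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [06/Dec/2012:11:03:00 +0000] "POST /admin HTTP/1.1" 200 512',
]
```

Only the address that reaches the threshold ends up in the rule list; the single probe from `192.0.2.44` stays below it and the allowlisted address is never scored.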

 
 
chuboi0924
Jr. Member
 
Total Posts:  11
Joined:  2012-05-31
 
MagenX - 06 December 2012 11:09 AM

Change your admin location.
Set up your server to log every IP accessing the real and fake admin locations, and then inject them into iptables.
Not everyone, but set some severity level, etc.
Don’t forget to whitelist yourself.

Protecting Magento using Magento itself is a bad idea.

Thanks, I appreciate the tips and I’m sure others will too!

 