2016/10/31

Secure your shop against brute force attacks!

Magento published a post saying that some URLs in your Magento installation may be vulnerable to brute force attacks, and it reports an increasing number of attacks on Magento stores.

Secure /admin path

This URL leads to your admin panel in a default Magento installation. You should change that path to something cryptic to raise your security level.
You can do that in your Magento system configuration under Advanced > Admin.
Additionally, you can secure it by denying all access in .htaccess except from your own IP:

order deny,allow
deny from all
allow from x.x.x.x


Secure /rss/catalog and /rss/order

This can be done by adding new rewrite conditions to your .htaccess.
Add these lines to your /magento_root/.htaccess:

## block access to admin rss feed
RewriteCond %{REQUEST_URI} ^.*/rss/catalog [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/rss/order [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/ [R=302,L]

This will redirect the /rss/ feed directly to your homepage. If you have no SSL, change the last line to

RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

But you should add SSL to your shop.

Secure /downloader

This path is used to install or uninstall modules in your shop. To protect it from unauthorized access, deny access with the .htaccess in the /downloader folder. Add these lines to your /downloader/.htaccess file:

order deny,allow
deny from all

If you want to use the downloader, you can temporarily comment out these lines, or whitelist your IP by adding this line:

allow from x.x.x.x
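Blocking the paths is one half of the job; the other is noticing when someone is hammering them. The following script is an added example, not part of the original post, that scans Apache combined-format access log lines for bursts of requests to the four paths discussed above (/admin, /rss/catalog, /rss/order, /downloader) from a single client IP. The log lines are constructed for the example, and the 10-requests-per-60-seconds threshold is an assumption you should tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Paths the post tells you to lock down. A burst of requests to any of them
# from one client is the pattern a brute-force attempt leaves in the log.
SENSITIVE_PATHS = ("/admin", "/rss/catalog", "/rss/order", "/downloader")

# Apache "combined" log format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_sensitive(path):
    """True if the request path touches one of the guarded Magento URLs.
    Matches anywhere in the path, like the post's ^.*/rss/... rewrite rules,
    so /index.php/admin/ and /admin/ are both caught; the query string is ignored."""
    p = path.split("?", 1)[0].lower()
    return any(s in p for s in SENSITIVE_PATHS)


def find_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: max_hits} for every client that made at least `threshold`
    requests to sensitive paths inside any sliding `window` of time."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_sensitive(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all timestamps fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, 0):
                flagged[ip] = count
    return flagged


# --- constructed sample log (not real traffic) --------------------------------
def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "curl/7.50"')


BASE = datetime(2016, 10, 31, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 12 requests to the order feed in 22 seconds, all rejected: brute force.
    [_line("203.0.113.7", BASE + timedelta(seconds=2 * i), "GET", "/rss/order/new", 401)
     for i in range(12)]
    # 3 admin logins spread over 4 minutes: an ordinary admin, below threshold.
    + [_line("198.51.100.4", BASE + timedelta(minutes=2 * i), "POST", "/index.php/admin/", 302)
       for i in range(3)]
    # Normal shopper traffic plus one malformed line the parser must skip.
    + [_line("192.0.2.1", BASE, "GET", "/catalog/product/view/id/1", 200),
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} requests to guarded paths within 60s")
```

With the default threshold only 203.0.113.7 is reported; lowering it to 2 over a 5-minute window also surfaces the slower /admin attempts, which is the trade-off to keep in mind when you feed your real logs through it (a cron job or fail2ban-style filter can then block the reported addresses).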

Check other vulnerabilities

To be sure you have covered all known vulnerabilities, this page is useful for checking the status of all available patches: https://www.magereport.com/
