While all online services must be wary of cyberattacks, eCommerce is a rich target for hackers and scammers. Since Magento is one of the largest eCommerce ecosystems, with hundreds of thousands of stores handling over $100B in global sales, online stores must stay up to date on best practices to keep their Magento security compliant.
It didn’t take long for hackers to take advantage of Magento 1’s end of life on June 30, 2020. Between September 11 and 14, nearly 2,000 Magento 1 stores were hacked in the largest campaign since 2015.
The impacts of attacks on eCommerce stores can go far beyond temporarily lost revenue, potentially risking the privacy of customer payment information and opening the store to liability. Learn what threats to keep in mind when migrating to Magento 2, and what new security features to expect.
As with any web-based service, server attacks can significantly harm the security and brand of your store. These range from simple distributed denial-of-service (DDoS) attacks to attempts to extract private information. While payment details are usually not directly at risk, depending on how your portal is set up, improperly hashed passwords or other plain-text information may be available to hackers, who can then compromise user accounts, place false orders, and wreak additional havoc on your brand.
Server vulnerabilities open up your network for email botnets, which use your servers to send out massive volumes of spam email. While this doesn’t directly impact you or your customers, over time this will begin to hurt your server’s email deliverability. It can be hard to detect until you start seeing your email delivery rate dropping unexpectedly, at which point it is too late.
Even more severe than a basic server attack is the risk of a silent card capture attack. These attacks involve hackers installing malware to reroute credit card details from customers during transactions. Much like skimmers on credit card readers, this allows attackers to intercept customer payment details while still allowing the transaction to go through. The most dangerous part of this scheme is that you and your customers may not realize it for weeks or months. The resulting risk to your reputation can be significant.
Image via Flickr by Rawpixel Ltd
Fortunately, Magento 2 security offers several improvements over Magento 1. Two of the most impactful ones are improved admin security and strengthened password hashing algorithms.
The new admin security features give store owners more options for ensuring that site access is always authorized. For example, Magento 2 allows you to restrict logins to only one session per admin user at a time, providing an automatic safeguard against unauthorized logins while the main administrator is logged in.
Magento 2 finally rolled out the SHA-256 hashing algorithm for password protection. Even if your servers do become compromised, attackers will be unable to steal customer or admin accounts and place false orders.
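The following is an added illustration of why a salted SHA-256 hash protects stored credentials, not code from the original article or from Magento itself. The `digest:salt:version` layout, the version number, and the function names are assumptions made for this example; it shows that the stored value cannot be reversed into the password, that two accounts with the same password get different stored values, and that verification uses a constant-time comparison.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Version tag for the hash scheme; the layout "digest:salt:version" is an
# assumption for this example, not a description of Magento's own storage.
HASH_VERSION_SHA256 = 1


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return a salted SHA-256 record to store instead of the password."""
    # A fresh random per-user salt means identical passwords hash differently
    # and precomputed tables are useless against the whole user table.
    salt = salt or secrets.token_hex(16)
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}:{HASH_VERSION_SHA256}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        digest, salt, version = stored.split(":")
    except ValueError:
        return False  # malformed record: never accept it
    if int(version) != HASH_VERSION_SHA256:
        return False  # unknown scheme: reject rather than guess
    candidate = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(candidate, digest)


def stored_values_differ(password: str) -> bool:
    """Two accounts with the same password should not share a stored value."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("tr0ub4dor&3", record))
    print("same password, different records:", stored_values_differ("hunter2"))
```

One caveat a practitioner should keep in mind: a single SHA-256 round is fast, so the per-user salt prevents precomputed lookups but does not stop offline guessing of weak passwords from a leaked table. The hash upgrade raises the bar compared to plain text or unsalted MD5, but it does not replace strong password policies and the admin login controls described above.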
Another meaningful change is the use of a non-default admin URL to defeat attackers’ automated password guessing before it even starts. Instead of the previous default “/admin” URL, Magento will generate a random custom URL that only you know, thus minimizing your exposure. This corrects a previous Magento security vulnerability by default.
The most critical security aspect to consider, however, is the discontinuation of Magento 1 support back in June 2020. There are no longer official updates or security patches available from the Magento security team. Only Magento 2 will continue to receive real-time security updates as new threats become known. Make sure your store has a migration plan in place to avoid being left without protection any longer.