If you use Magento as your ecommerce platform, your business may be at risk of falling victim to cybercrime.
Based on research conducted in Q2 of 2019, cybersecurity firm Foregenix found that 87% of small and medium-sized businesses on the Magento platform were at high risk of an attack — compared to less than 10% of websites on other popular platforms.
Let’s take a look at four of the most critical security risks, how the end-of-life for Magento 1 will impact security, and ways to increase store security on the platform.
4 of the Most Critical Magento Security Risks
Why is the third most popular ecommerce platform so vulnerable to attack? In part, it’s because Magento is an open source platform. For some businesses, having the customization and in-house control of open source is attractive — but along with it comes greater risk.
1. Credit card hijack
Credit card hijacking refers to criminals fraudulently obtaining other people’s credit card information. This is often the result of a data breach of a website that handles people’s payment information — like an ecommerce website.
2. Server attacks
If your Magento website lives on a server under your control, it can be exposed to attacks on the server itself, such as distributed denial of service (DDoS) attacks. A DDoS attack deliberately overwhelms your server with traffic, causing the website to go down.
3. Website defacement
Website defacement is about causing havoc by changing the visual appearance of your website rather than stealing sensitive information, but it can still affect user accounts. It also reduces customer trust by signalling to your website visitors that your security is lacking.
4. Botnetting
Botnets exist to perform repetitive tasks automatically and are not, by definition, malicious. In some cases, though, one can be used to add your machine to its web of connected machines, putting it under someone else’s control. At that point, the botnet can be used to carry out malicious activity, for example sending spam email from your address to millions of internet users.
Magento End of Life: Increased Risks
After the Magento 1 end of life, set for June 1, 2020, the platform will no longer be issuing security patches or updates. You will also no longer be able to open any support tickets with Magento.
There are many reasons that this should concern any merchants still using Magento 1, but one of the most significant is that, without taking additional security measures, you will no longer be in compliance with PCI DSS requirements.
There can be legal fines and penalties for falling out of compliance, and at least one major payment provider has already said they will no longer work with merchants who remain on Magento 1 unless additional security measures are taken.
Magento 2: Risks Continue
Merchants who move on to Magento 2 will be in better shape, but the original risks remain. You will still be fully responsible for keeping up with all software updates and security patches released by Magento and for maintaining PCI compliance.
Even if you use Magento’s hosting, the platform is PCI compliant only if the code remains exactly as it was out of the box (which defeats the purpose of using an open source solution; you would be hard-pressed to find a Magento store with zero changes to the source code).
How to Prevent Magento Security Risks
The best way to avoid falling victim to a security breach on your Magento website is to be as proactive as possible in your approach. Don’t wait until you suspect a vulnerability or breach, and respond quickly to all updates and security patches.
1. Sign up for security alerts and install all Magento security patches.
You’ll want to make sure you stay tapped into all information coming out from Magento. And never assume a security patch doesn’t apply to you. Respond immediately.
2. Add Magento security extensions.
There are a number of security extensions built just for Magento that you can install to help reinforce the security on your website.
3. Use the Magento Security Scan.
Magento’s Security Center offers a free scan you can use to monitor for security risks, check for malware and missing patches, and detect any unauthorized access to your website.
4. Use a WAF.
A web application firewall (WAF) filters malicious requests before they reach your store and can help prevent a number of different kinds of attacks.
5. Enable two-step authentication.
Two-step authentication protects logins to a system. Instead of signing in with just a password, users are prompted to confirm their identity through a second factor, such as entering a unique code sent to their email address.
6. Migrate to a new ecommerce platform.
One way to protect against many of these risks is to migrate to a SaaS ecommerce platform such as BigCommerce. One of the benefits of SaaS is that the software is maintained by the provider. The platform takes care of all software updates and security patches, protecting you from server attacks and maintaining your PCI compliance. If you decide to take this route, you can read more about our Magento 1 to BigCommerce migration scope.
Executive Summary
Magento’s open source ecommerce platform can be a good choice for businesses who need a great deal of flexibility, and who also have access to a large team of developers. But it’s important to understand the risks that come along with that flexibility.
If you’re already using Magento, make sure you’re taking all the proper precautions and being as proactive as possible with your security approach. And, if you’re looking to replatform, consider switching to a flexible and open SaaS platform so you can worry less about securing your ecommerce website and focus more on growing your business.