How Secure Is Magento 2?

Posted on: 8th June 2020
Magento Magento2 Security

Although security is an important consideration for any website owner, eCommerce sites, in particular, are often targeted by hackers looking to steal sensitive financial information.

Thankfully, Magento has worked hard on security over the years, with Magento 2 containing a number of robust security features and enhancements that have further cemented its reputation as the most secure and flexible eCommerce platform on the market.

According to recent statistics from security specialists Sansec, around 2.5% of Magento stores contained malware in June 2020, which is down from just under 3.0% in January, and forms part of a downward trend that is largely due to stores migrating over to Magento 2 from Magento 1, which reaches end of life later this month. Quite simply, the latest Magento 2.3.5 is the most secure Magento version ever.

Magento 2 Security Enhancements

Magento gets more secure with each new release, which is one of the main reasons why it’s so important to keep on top of security updates.

Some of the main built-in security features in Magento 2 include:

1. Enhanced password management

While enforcing robust password standards helps protect user data by ensuring that users can only select secure and reliable passwords, of equal importance is the password lockup process used on the backend each time a user logs in to an account.

To this end, Magento has worked to strengthen the SHA-256 hashing algorithm used in its password management, along with support for Argon2ID13 via the PHP sodium extension. You can find out more about password hashing in the Magento documentation.
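As an added illustration of the Argon2ID13-via-sodium hashing mentioned above (example code written for this page, not Magento's own Encryptor implementation), the snippet below hashes passwords with libsodium's Argon2id and upgrades a legacy SHA-256 record to Argon2id on the next successful login. The legacy `sha256:<salt>:<hexdigest>` format and the function names are assumptions made for the example.

```php
<?php
// Added example, not Magento's own Encryptor code: Argon2id13 password hashing
// via the PHP sodium extension, with transparent upgrade of legacy SHA-256
// hashes at login. Requires PHP 8.0+ with ext-sodium. The legacy
// "sha256:<salt>:<hexdigest>" format is an assumption made for this example.

function legacy_sha256_verify(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 3);
    if (count($parts) !== 3 || $parts[0] !== 'sha256') {
        return false;
    }
    return hash_equals($parts[2], hash('sha256', $parts[1] . $password)); // constant-time
}

function argon2id_hash(string $password): string
{
    // Yields a self-describing "$argon2id$..." string carrying salt, opslimit
    // and memlimit, so verification needs no extra stored metadata.
    return sodium_crypto_pwhash_str(
        $password,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Returns null when the password is wrong; otherwise the hash to store next:
// unchanged if already current Argon2id, or a fresh Argon2id hash when the
// record is legacy SHA-256 or was made with weaker cost parameters.
function verify_and_upgrade(string $password, string $stored): ?string
{
    if (str_starts_with($stored, SODIUM_CRYPTO_PWHASH_STRPREFIX)) {
        if (!sodium_crypto_pwhash_str_verify($stored, $password)) {
            return null;
        }
        $stale = sodium_crypto_pwhash_str_needs_rehash($stored,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
        return $stale ? argon2id_hash($password) : $stored;
    }
    // Legacy hashes can only be upgraded while the plaintext is available.
    return legacy_sha256_verify($password, $stored) ? argon2id_hash($password) : null;
}

// Constructed demo: a legacy record is upgraded on the first successful login.
$salt   = bin2hex(random_bytes(8));
$legacy = 'sha256:' . $salt . ':' . hash('sha256', $salt . 'correct horse');
$new    = verify_and_upgrade('correct horse', $legacy);
echo ($new !== null && str_starts_with($new, '$argon2id$')) ? "upgraded\n" : "login failed\n";
echo verify_and_upgrade('wrong password', $new ?? '') === null ? "rejected\n" : "accepted\n";
```

The upgrade-on-login pattern matters because a stored hash cannot be re-hashed without the plaintext, so legacy SHA-256 records linger until each user next signs in.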

2. Improved protection from Cross-Site Scripting (XSS) attacks

XSS attacks involve injecting malicious code into an otherwise legitimate website, often for the purposes of stealing financial information or hijacking user accounts.

Magento 2 includes a number of enhancements aimed at preventing this kind of attack, including conventions that regulate the escaping of data output, and support for Content Security Policy headers.

3. Flexible file permissions

As any developer will tell you, establishing correct file permissions and user authorisations is critical for securing a website and preventing unauthorised access to backend code and systems.

Unfortunately, automatic file permissions in Magento 1 sometimes made it difficult for organisations to have full control over their file system. From Magento 2.0.6 onwards, the platform instead recommends certain file system permissions for the development and production environments, with the ability to gain precise and flexible control of permissions using a umask.

4. Non-default Magento backend URL

Using a default admin/backend URL makes your website more vulnerable to automated password-guessing attacks.

To counter this, Magento now creates a random admin URL for each Magento installation. While this doesn’t prevent an attack in itself, it does help to stop large-scale automated attacks that rely on each site having the same admin area URL. More information on this can be found in the Magento documentation.

The Importance of Updating Your Magento Store

Each new Magento release usually includes a variety of security patches and fixes, and it’s very important to keep on top of these updates to keep your store as secure as possible. It’s also worth noting that Magento 1 will reach end of life on June 30th 2020, meaning it will no longer receive any new security updates.

Want to learn more about Magento security? Perhaps you need help migrating to Magento 2? Get in touch with our friendly team today for some expert advice.
