COVID-19 Notice: Our Software, Web Development & Digital Marketing Services are running as normal. Please get in touch with us on 02033710101.

KOL Blog

Tips, tricks and all the goings-on here at KOL Limited.

Security Checklist in Magento 2

March 03, 2020
Security Checklist in Magento 2

Security is one of the primary concerns while launching your Magento 2 website. Whether you decide to accept the data of the credit card directly on your website or on the pages of payment provider - you need to achieve PCI compliance.
Otherwise there’ll be risk of your business getting banned from using payment gateways. And of course that is a risk you cannot afford to take. Hence, building a best Magento Web Design is our definite recommendation.
Let’s take a look at security checklist in Magento 2 servers to give ultimate security lift to them without compromises.

  • Use a Dedicated or VPS Server

It is quite common that shared hosting is not secure. If you’re hosted with Bluehost, Siteground, Dreamhost, Godaddy,etc. There is a huge possibility that you are on a shared hosting plan and these plans are vulnerable to attacks from neighbour accounts from the similar physical server. Additionally, shared hosting is worst for performance. Shifting away from shared to a dedicated or VPS server will not only provide security benefits but will also increase performance.

  • Run a Secure Operating System with Minimum Softwares

Red Hat Enterprise Linux is perfect for running Magento 2. This OS is known for its security and stability. Avoid installing any web panel like cPanel. This will bring vulnerabilities and ruin your performance. Running on the minimal stack is the most secure and efficient approach.

The de-facto standard stack for Magento 2 consists of the following softwares:

  • NGINX
  • Varnish
  • PHP-FPM 7.x (go with the highest your Magento 2 version supports)

Make sure you upgrade to the latest Magento Ecommerce.

  • ModSecurity

With the arrival of libmodsecurity, you can, and should, use NGINX ModSecurity connector module. It is now easy to install ModSecurity to your existing NGINX installation. It is your shield from incoming attacks.

  • Apply Security Headers

You can find security headers HTTP response of your website. They’re used typically to protect your website from XSS attacks. Make sure you only add the necessary headers to non-HTML files.

  • Remove HTTP Headers Software

Hiding server version information is not sufficient. The best option is having no disclosure of the information done by HTTP headers. We highly recommend using server headers and any other headers as well that directly report of the headers you use.

  • Pub is your webroot

Setup your web server’s web root to point to pub directory of your Magento 2 installation. This will ensure that the only entrypoint PHP files required for running Magento will be accessible for public access.

  • Whitelist Authorised PHP Files

In order to complement the previous item, make sure that only whitelisted set of .php files can be run from your web root directory.

  • Run Magento 2 under special user

You have to allocate a special Linux user account on your server that will own and “run” Magento files. That same user account will be the one that PHP-FPM pool runs under.

Get in touch with the best web development company to get the perfect Magento 2 Website.

By KOL Limited