Tips for hardening your Magento Instances
These are just a few tips that we have added to our standard security hardening service over the years. Some of them are fairly easy to do, while others might require some development effort.
WordPress:
If possible, make sure your WordPress blog is NOT on the same server as your Magento instance. WordPress has many more attack vectors, and if your web server is compromised through WordPress, the bad guys can easily get to your Magento code.
If you have to have it on the same server (for SEO), be sure to keep it up to date and remove ALL older plugins that you no longer use. Have your hosting company run maldet (free/open source) on the server to detect any suspicious files that may already be there.
Web Application Firewall:
Anyone running Magento really needs to be running a WAF (web application firewall). There are many services at different price points (Sucuri, Incapsula, Cloudflare) that are all effective at stopping most malicious bot attacks. We highly recommend that everyone runs one.
Another benefit of these services is that you can apply some very powerful restrictions. For instance, you can lock down the “wp-admin” (WordPress) or the “index.php/admin” (Magento) path to a very specific IP address (office/home). Regardless of what scanning or hacking tool the bad guys are using, if they are not in your office or house, they cannot reach your admin sections. It's a simple but very powerful control.
Another benefit is that you can geo-restrict traffic to your site, depending on your business needs. You can easily restrict your site to, say, the EU or US and block all other traffic. This prevents bad actors in other countries from ever attempting anything.
If you have such a tool, be sure to examine its logs daily and add any bad bots you find to the block list. Don't worry about Google/Bing bots: most web application firewalls handle those bots very carefully and ensure they always get in (if they are legitimate).
Some of the firewalls even support Google two-factor authentication for specific directories. So not only can you restrict where admin logins may come from, you can also force them to use two-factor authentication.
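The daily log review described above can be started from the web server's own access log, before or alongside the WAF dashboard. The script below is an added example and not code from the original post or from any of the WAF vendors named: it lists every client IP that requested the Magento or WordPress admin paths without coming from an allow-listed office or home address, so the busiest ones can go straight onto the block list. It assumes the common Apache/nginx "combined" log format; the allow list, the path pattern and the sample log lines are constructed for the example (documentation-range addresses only).

```shell
#!/bin/sh
# Added example, not code from the original post: daily review of the web server
# access log for admin-path requests that did not come from an allow-listed address.
# Assumes the Apache/nginx "combined" log format. Allow list, path pattern and the
# sample log are constructed for this example.

ALLOWED_IPS="203.0.113.10 198.51.100.7"    # office and home (RFC 5737 documentation ranges)
ADMIN_PATHS='^/(index[.]php/admin|admin|wp-admin|wp-login[.]php)'

# admin_probes LOGFILE: prints "hits ip" for each IP outside ALLOWED_IPS that
# requested an admin path, busiest first. These are the WAF block-list candidates.
admin_probes() {
    awk -v allowed="$ALLOWED_IPS" -v re="$ADMIN_PATHS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # combined format: $1 is the client IP, $7 is the request path
        $7 ~ re && !($1 in ok) { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# block_candidates LOGFILE [MIN_HITS]: only the IPs, filtered by a hit threshold,
# in a form that can be pasted into a firewall or WAF block list.
block_candidates() {
    admin_probes "$1" | awk -v min="${2:-1}" '$1 >= min { print $2 }'
}

# Constructed sample log: one allowed office login, one allowed home login, one
# scripted login attack, two single probes and one ordinary catalog request.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:01:10 +0000] "GET /index.php/admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:01:11 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2023:14:05:00 +0000] "GET /admin/ HTTP/1.1" 404 201 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF

echo "IPs that reached admin paths from outside the allow list (hits ip):"
admin_probes "$SAMPLE_LOG"
echo "Block-list candidates with 3 or more hits:"
block_candidates "$SAMPLE_LOG" 3
# In production, point it at the real log, e.g.: admin_probes /var/log/nginx/access.log
```

Because the allow-listed addresses are dropped before counting, a genuine admin session from the office never shows up as noise; everything that remains is, by definition, traffic that the WAF rule from the previous paragraph should already be refusing, which also makes the list a quick check that the rule is actually in place.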
Server Side Scans:
Make sure your hosting company performs server-side malware and virus scans on your code nightly, so that you are notified immediately if something gets in. A good combination of tools for self-hosted setups is Maldet and ClamAV (installation tips here).
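For a self-hosted setup, the nightly scan and the "notify immediately" part can be one cron job. The script below is an added example, not code from the original post or from the ClamAV or maldet projects: it scans the Magento document root with clamscan and with maldet's recent-files mode, and mails the on-call address only when a scan reports hits or fails to produce a summary at all. DOCROOT, MAIL_TO and LOG_DIR are placeholders to adjust; the parsing assumes clamscan's "Infected files: N" summary line and maldet's "malware hits N" completion line, and the sample scanner output used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: cron-driven nightly scan of the
# Magento document root with ClamAV and Linux Malware Detect (maldet), alerting
# by mail only when something is found or a scan did not finish.
# DOCROOT, MAIL_TO and LOG_DIR are placeholders. Parsing assumes clamscan's
# "Infected files: N" summary line and maldet's "malware hits N" completion line.

DOCROOT="${DOCROOT:-/var/www/magento}"                  # placeholder path
MAIL_TO="${MAIL_TO:-security@example.com}"              # placeholder address
LOG_DIR="${LOG_DIR:-/var/log/site-scans}"
mkdir -p "$LOG_DIR" 2>/dev/null || LOG_DIR=$(mktemp -d) # fall back when not root

# infected_count LOGFILE: the N from the last "Infected files: N" summary line,
# or "unknown" when no summary exists (scan aborted, log truncated).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$n" ] && echo "$n" || echo unknown
}

# malware_hits LOGFILE: the N from maldet's "malware hits N" line, same rule.
malware_hits() {
    n=$(sed -n 's/.*malware hits \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$n" ] && echo "$n" || echo unknown
}

# needs_alert COUNT: true (exit 0) unless the count is exactly 0. A count that
# could not be parsed is treated as an alert, so a scanner that silently stops
# is noticed rather than read as "clean".
needs_alert() {
    [ "$1" != "0" ]
}

# notify SUBJECT LOGFILE: mail the log if a mailer is present, otherwise print it.
notify() {
    if command -v mail >/dev/null 2>&1; then
        mail -s "$1" "$MAIL_TO" < "$2"
    else
        printf '%s\n' "$1"; cat "$2"
    fi
}

nightly_scan() {
    day=$(date +%F)
    if command -v clamscan >/dev/null 2>&1; then
        log="$LOG_DIR/clamav-$day.log"
        # -r recurse, -i list only infected files; exit 0 clean, 1 infected, 2 error
        clamscan -r -i --log="$log" "$DOCROOT" >/dev/null 2>&1
        count=$(infected_count "$log")
        needs_alert "$count" && notify "[$(hostname)] ClamAV: $count infected file(s) in $DOCROOT" "$log"
    else
        echo "clamscan not installed, skipping ClamAV scan" >&2
    fi
    if command -v maldet >/dev/null 2>&1; then
        log="$LOG_DIR/maldet-$day.log"
        # -r PATH DAYS scans only files modified in the last DAYS days: cheap enough nightly
        maldet -r "$DOCROOT" 1 > "$log" 2>&1
        hits=$(malware_hits "$log")
        needs_alert "$hits" && notify "[$(hostname)] maldet: $hits malware hit(s) in $DOCROOT" "$log"
    else
        echo "maldet not installed, skipping maldet scan" >&2
    fi
}

# Run from cron, e.g.:  15 2 * * *  /usr/local/sbin/nightly-scan.sh
nightly_scan
```

Treating a missing summary as an alert is the part worth keeping whatever scanner you use: a scan that runs out of disk, is killed by the OOM killer or is stopped by a permissions change produces no "Infected files" line, and a job that only reacts to non-zero counts would report nothing, which is indistinguishable from a clean night.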
Access:
Limit access to your production web server to your full-time developers and/or staff only. If you need plugins installed, set up a separate development server and have the remote plugin authors use that for testing.
Passwords:
Always use strong passwords. One of the best tools is LastPass (here). Change your passwords frequently, and make sure you change your FTP/SSH passwords as well.