2. 2www.nbs-system.com 2www.nbs-system.com
e-Commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-Commerce sites
• Identity theft grew by >60% over three years
• A 2012 study showed retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day
A different time scale
[Figure: timeline on a scale of Seconds, Minutes, Hours, Days, Weeks, Months, Years, comparing the time between attack launch and compromise with the time between compromise and its discovery]
Statistics based on large corporations in 2012 (Verizon Data Breach report)
PHP: two versions behind, really?
PHP versions in use across our hosting fleet: [chart not included in the export]
88% are outdated and no longer supported… no security fixes.
(and +12% to +40% performance to be gained by upgrading)
Magento Support giving dangerous advice
• “Chmod 777 your document root…” *REALLY* ?
• “Magento is not compatible with Reverse proxies.” *Woot* ?
• “Give me your root password so we can look” *NO KIDDING*?
• Etc…
When Magento support is being creative…
Don’t go to a car dealer to fix a bad tooth…
Classical mistakes that cost…
• Leaving your logs accessible, especially the debug logs
• Leaving payment gateway logs accessible to all
• Not hiding the Magento, PHP and Apache versions
• Using unaudited extensions: keep them to a minimum, a lot of them are BAD
• Weak passwords, along with no lockout policy, are a plague
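The version disclosure point above is easy to check from the outside. The script below is an added example, not part of the NBS System deck: it reads raw HTTP response headers from stdin and flags a Server header carrying a version number or an X-Powered-By header (which PHP adds whenever expose_php is on). The header lines in the demo are constructed for the example, not captured from any real site.

```shell
#!/bin/sh
# Added example (not part of the NBS System deck): flag response headers that
# reveal the web server or PHP version.
# Prints one LEAK line per offending header; returns 1 if anything leaked, 0 if clean.
# The findings map to these settings: "ServerTokens Prod" (Apache),
# "server_tokens off;" (nginx), "expose_php = Off" (php.ini).
check_version_headers() {
    leaks=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')        # tolerate CRLF line endings
        case "$line" in *:*) ;; *) continue ;; esac     # skip the status line and blank lines
        name=$(printf '%s' "$line" | cut -d: -f1 | tr 'A-Z' 'a-z')
        value=$(printf '%s' "$line" | cut -d: -f2- | sed 's/^[[:space:]]*//')
        case "$name" in
            server)
                # "Server: Apache" (ServerTokens Prod) is acceptable; a version number is not
                case "$value" in
                    *[0-9]*) echo "LEAK Server: $value"; leaks=$((leaks + 1)) ;;
                esac ;;
            x-powered-by)
                # PHP sets this header on every response while expose_php is on;
                # it should not be present at all
                echo "LEAK X-Powered-By: $value"; leaks=$((leaks + 1)) ;;
        esac
    done
    [ "$leaks" -eq 0 ]
}

# Stand-alone demo on constructed headers (not captured from a real site):
if printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.3.3-7\r\nContent-Type: text/html\r\n\r\n' | check_version_headers; then
    echo "no version disclosure"
else
    echo "version disclosure found, fix ServerTokens / expose_php"
fi
```

Feed it real headers with `curl -sI https://shop.example/ | check_version_headers` (host is a placeholder); the same check belongs in a post-deployment smoke test so that a PHP or Apache upgrade cannot silently switch the banners back on.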
Applicative-level D.o.S attacks
• Leaving import/export scripts, reindexers and crontab scripts accessible
• Repeatedly calling pages that load very slowly
• Accessing the API directly to trigger imports / exports
• Etc.
Securing recent flaws
Example with Magmi (using Apache): any request under /magmi/ that does not come from the allowed IP is redirected to the site root
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?magmi/ [NC]
    RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
Example with Magmi (using Nginx): same rule, everyone but the allowed IP gets a 403; the nested location is needed so that PHP under /magmi/ is still executed instead of being served as a file
    location ~* ^/(index\.php/)?magmi {
        allow 192.168.0.1;
        deny all;
        location ~* \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/php-fpm.sock;   # placeholder: use the same socket/params as your main PHP location
        }
    }
Protect your backoffice & updater
Example using Apache (2.2 syntax): a password is required, except from your own IP
    # use the path of your backoffice (and of the updater) here
    <Location /wp-admin>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/access/htpasswd
        Require valid-user
        Order deny,allow
        # without "Deny from all", Order deny,allow lets everyone through and
        # "Satisfy any" then skips the password for the whole internet
        Deny from all
        Allow from [MY_IP]
        Satisfy any
    </Location>
    # Apache 2.4 equivalent: <RequireAny> Require ip [MY_IP] / Require valid-user </RequireAny>
Then, just add a user (-c creates the file: omit it when adding further users, or the existing file is overwritten):
    htpasswd -c /etc/apache2/access/htpasswd [user]
Leveraging native Magento security
• Use HTTPS for the backoffice and the checkout (order tunnel)
• Change your backoffice default URL
• Do *NOT* use a weak password (no, « tommy4242 » is not safe)
• Limit the number of failed login attempts
• Set a password expiration time and change passwords every 3 months
• Enforce case-sensitive passwords
• Disable email password recovery
Organizational security
• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Have strong passwords, change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3-D Secure
• Keep Magento & PHP versions up to date
Host level security
• Change the default backoffice URL
• Disable directory indexing
• Have correct permissions: file=644, directory=755
• noindex, nofollow on preprod (keep it out of search engines)
• Use the best practices mentioned before
It’s the job of your managed services provider.
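The permission rule above (file=644, directory=755), the "chmod 777 your document root" advice from the Magento Support slide and the exposed logs, payment gateway logs and import/reindex scripts from the classical mistakes can all be caught with one local audit. The script below is an added example, not part of the NBS System deck: it walks a Magento 1 document root, reports every file or directory whose mode drifted from 644/755, and checks that the internal directories still carry an Apache .htaccess denying web access. The document root path and the list of protected directories are assumptions for the example; on nginx, .htaccess is ignored and the equivalent is a "deny all" location for those paths.

```shell
#!/bin/sh
# Added example (not part of the NBS System deck): audit a Magento 1 document
# root for permission drift and for internal directories reachable from the web.
# Requires GNU find (-printf).

# Directories Magento 1 ships with a "Deny from all" .htaccess (assumed list;
# adjust to what your install actually protects).
PROTECTED_DIRS="app var lib shell"

# Print one line per finding; return 1 when anything was found, 0 when clean.
audit_docroot() {
    root=$1
    findings=0

    # 1. Permission drift: every file should be 644, every directory 755.
    #    Anything else (666 logs, 777 media from a "chmod 777" session) is
    #    printed with its current octal mode.
    modes=$( { find "$root" -type f ! -perm 644 -printf 'FILE_MODE %m %p\n'
               find "$root" -type d ! -perm 755 -printf 'DIR_MODE %m %p\n'; } )
    if [ -n "$modes" ]; then
        printf '%s\n' "$modes"
        findings=$((findings + $(printf '%s\n' "$modes" | wc -l)))
    fi

    # 2. Web exposure: each internal directory must keep an .htaccess that
    #    denies access (Apache 2.2 "Deny from all" or 2.4 "Require all denied").
    #    A missing or edited file is how var/log, payment logs and shell/ scripts
    #    end up reachable from the internet.
    for d in $PROTECTED_DIRS; do
        [ -d "$root/$d" ] || continue
        if ! grep -Eqi '^[[:space:]]*(deny from all|require all denied)' "$root/$d/.htaccess" 2>/dev/null; then
            echo "UNPROTECTED_DIR $root/$d (no .htaccess denying web access)"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone usage: sh audit.sh /var/www/magento/htdocs   (path is an assumption)
if [ -n "${1:-}" ]; then
    audit_docroot "$1"
fi
```

Run it from cron on the managed host and alert on a non-zero exit: the "chmod 777" fix applied during a support session shows up as a wall of DIR_MODE 777 lines the next morning instead of months later.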