If you’ve been here before, you already know we like Magento due to its flexible architecture and security focus, and we speak highly of it, as we believe it has the potential to satisfy the individual needs of any business. This is the main reason we chose Magento as a core service of our agency, instead of other frameworks.*smile
However, if you are new to our blog, Magento is one of the most popular e-commerce platforms worldwide, used by reputable brands and startups alike, and as you may imagine, security is a major aspect Magento does not take lightly.
BuiltWith statistic on e-commerce usage distribution in the top 10k sites by traffic, shows that 15% of the total sites are built on Magento, referring to both Magento Community Edition and Magento Enterprise Edition.
Magento Commerce is the leading provider of cloud commerce innovation to merchants and brands across B2C and B2B industries, with more than $155 billion in gross merchandise volume transacted on the platform annually.
Magento Commerce is the #1 provider to the Internet Retailer Top 1000, the B2B 300 and the Top 500 Guides for Europe and Latin America.
Though robust, as with any online platform, security issues are prone to happen especially since e-commerce platforms process personal and payment information in the purchase operation.
However, Magento alongside the Magento community are constantly on the lookout and security patches are released when vulnerabilities and threats are discovered in an effort to prevent attackers to exploit them.
On top of that, Magento is regularly introducing new features and functionalities and today released the news that Google reCAPTCHA and 2FA functionalities have been added to all Magento Open Source versions 2.1 and above in an effort to provide enhanced security and protect your Magento instance by reducing unauthorized access; it is also advocated that SPAM will be significantly reduced.
Enhanced security with Google reCAPTCHA: Easy on Humans, Hard on Bots
It’s basicly a general truth that everybody hates SPAM. In our quest to prevent it, we use various measures to tell humans and bots apart. From adblockers to math questions and image recognition, we jump through all sort of hoops to have our shops as SPAM free as possible.
As Google tells it, reCAPTCHA, which comes in the form of a widget that is easily added to a platform, is a free service that protects your site from spam and abuse.
It uses advanced risk analysis techniques to tell humans and bots apart and with the new API, a significant number of valid human users will pass the reCAPTCHA challenge without having to solve a CAPTCHA. Or a math problem for that matter. *smile
Google reCAPTCHA technology was introduced by Magento to help restrict access to your Magento Admin or store to humans only, not bots. The reCAPTCHA module provides enhanced security when compared to the Magento CAPTCHA module and includes support for invisible reCAPTCHA, as well.
Magento has added Google reCAPTCHA functionality to all Magento Open Source versions 2.1 and above.
You can find a complete installation guide in the Magento Open Source User Guides:
Enhanced security with Two-Factor Authentication (2FA)
Wikipedia explains multi-factor authentication (MFA) as being a method of confirming a user’s claimed identity in which a computer user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism:
- knowledge (something the user and only the user knows),
- possession (something the user and only the user has),
- and inherence (something the user and only the user is).
Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors:
- something they know,
- something they have,
- or something they are.
Magento explains in their newsletter that 2FA Authentication adds support for software authentication apps and hardware authentication devices provided by Google Authenticator, Authy, U2F devices, and Duo Security, among others.
As with the case of Google reCAPTCHA, Magento has added Two-Factor Authentication functionality to all Magento Open Source versions 2.1 and above.
You can find a complete installation guide in the Magento Open Source User Guides:
Additional security best practices, straight from Magento
A compromised shop is bad for business, obviously and will expose you to potential lawsuits, loss of merchandise and associated profits, not to mention bad reputation and a toll on your customer care strategy. At the same time, customers may suffer financial loss and wasted time having to contact banks and identify theft.
Hence, you might want to consider the following resources coming directly from Magento’s Security Center in the effort of maintaining your shop secure:
- Security best practices
- 5 immediate actions to protect against brute force attacks
- Remediating your site after a malware attack
My shop’s security is compromised – what do I do?
Prevention is always better than treatment. So, to stay ahead of cybercriminals, you might want to consider an Ongoing Magento Support Package that will maintain your Magento shop healthy. *wink
Being hacked is never fun, so, if you discover your shop has been attacked, you ought to reach out to your agency or developer to analyze, audit and clean your shop of all malicious code.
Furthermore, update all your credentials and install any missing security patches to protect your shop against brute force attacks and additional potential vulnerabilities.
It’s also best to evaluate your security process and develop an official plan that everyone should follow in case things go bad. Take your time and be sure to think of all aspects that can protect your shop from malware. While you are at it, elaborate a contingency plan, as well, just in case you need it.
Once the plan is finalized, train your team so that you ensure the protocol is followed. You know what they say – strategy without execution will get you nowhere.