{"id":13475,"date":"2023-02-24T23:49:03","date_gmt":"2023-02-24T23:49:03","guid":{"rendered":"https:\/\/www.hostduplex.com\/blog\/?p=13475"},"modified":"2023-11-07T11:59:19","modified_gmt":"2023-11-07T11:59:19","slug":"magento-security-tips-and-practices","status":"publish","type":"post","link":"https:\/\/www.hostduplex.com\/blog\/magento-security-tips-and-practices\/","title":{"rendered":"13 Essential Magento Security Tips to Protect your Store"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"overview\"><span class=\"ez-toc-section\" id=\"Overview\"><\/span>Overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Running an eCommerce store with Magento can be a highly lucrative venture. However, success comes with a price, and that price is ensuring the security of your website. Cyber-attacks are on the rise today, and Magento security is more critical than ever to protect your customers&#8217; sensitive information and your business&#8217;s reputation.<\/p>\n\n\n\n<p>As the saying goes, prevention is better than cure, so taking action and reinforcing your website&#8217;s security measures is essential. 
The thirteen practices below are the measures that make a Magento store resilient against breaches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"12-best-practices-to-improve-magento-security-br\"><span class=\"ez-toc-section\" id=\"13_Best_Practices_to_Improve_Magento_Security\"><\/span>13 Best Practices to Improve Magento Security<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.hostduplex.com\/urgent\/\" target=\"_blank\"><img decoding=\"async\" 
width=\"936\" height=\"285\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/immediate-magento-security-help.webp\" alt=\"Immediate Magento Security Help\" class=\"wp-image-13508\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/immediate-magento-security-help.webp 936w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/immediate-magento-security-help-300x91.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/immediate-magento-security-help-768x234.webp 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-keep-magento-up-to-date\"><span class=\"ez-toc-section\" id=\"1_Implement_a_Web_Application_Firewall\"><\/span>1. Implement a Web Application Firewall<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>A <a href=\"https:\/\/www.hostduplex.com\/blog\/wordpress-web-application-firewall-plugins\/\" target=\"_blank\" rel=\"noopener\">Web Application Firewall<\/a> (WAF) sits between the internet and your Magento application and filters every HTTP request before it reaches the store. Managed rulesets block the common attack classes, cross-site scripting (XSS), SQL injection, path traversal and exploit signatures for known vulnerabilities, and because the provider updates the rules, they often stop attempts against a freshly published vulnerability before you have had time to patch it. A WAF does not replace patching; it buys time. Recommended WAF providers include Cloudflare, Sucuri, and Incapsula. We recommend Cloudflare&#8217;s Pro plan, which is $25 per month per domain.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_enable_Cloudflare_WAF_Protection\"><\/span>How to enable Cloudflare WAF Protection?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sign up for Cloudflare, add your domain and upgrade it to the Pro plan<\/li>\n\n\n\n<li>Click on your domain name<\/li>\n\n\n\n<li>In the left-hand column, click DNS &#8211;&gt; Records<\/li>\n\n\n\n<li>Edit the DNS record for your domain name and ensure the Orange Cloud is enabled. 
You will see the word &#8220;Proxied&#8221;<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/cloudflare-enable-orangecloud.webp\" alt=\"\" class=\"wp-image-14973\" width=\"720\" height=\"202\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/cloudflare-enable-orangecloud.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/cloudflare-enable-orangecloud-300x84.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/cloudflare-enable-orangecloud-768x216.webp 768w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<ol start=\"5\">\n<li>In the left-hand column, click Security &#8211;&gt; WAF<\/li>\n\n\n\n<li>Click the Managed Rulesets tab<\/li>\n\n\n\n<li>Enable the rulesets you want; we recommend the Cloudflare Managed Ruleset.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/Enable-cloudflare-waf-managed-ruleset.webp\" alt=\"\" class=\"wp-image-14974\" width=\"720\" height=\"82\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/Enable-cloudflare-waf-managed-ruleset.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/Enable-cloudflare-waf-managed-ruleset-300x35.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/07\/Enable-cloudflare-waf-managed-ruleset-768x89.webp 768w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<p>Enabling WAF protection blocks a large share of automated attacks before they reach Magento and helps thwart card-testing (carding) runs against the checkout of e-commerce sites.<\/p>\n\n\n\n<p>One caveat: proxying through Cloudflare only protects traffic that actually passes through Cloudflare. If the origin server answers HTTP(S) requests from any address, an attacker who learns its IP (from historical DNS data, certificate transparency logs, or a subdomain that is not proxied) can talk to Magento directly and the WAF never sees the request. Restrict ports 80 and 443 on the origin to Cloudflare&#8217;s published IP ranges, or enable Authenticated Origin Pulls, so that the only path to the store is through the proxy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-keep-magento-up-to-date\"><span class=\"ez-toc-section\" id=\"2_Keep_Magento_Up_to_Date\"><\/span>2. 
Keep Magento Up to Date<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Attackers scan constantly for Magento stores running versions with known vulnerabilities, and an outdated store is the easiest target there is. Adobe monitors reported vulnerabilities and publishes <a href=\"https:\/\/www.hostduplex.com\/blog\/magento-2-4-2-security-update\/\" target=\"_blank\">Magento security updates<\/a> as soon as a risk is confirmed, so the window between a fix being public and your store being exploited is set by how quickly you apply it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Install_All_Security_Patches\"><\/span>Install All Security Patches<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Besides full version upgrades, Adobe publishes security-only patch releases (the 2.4.x-pN releases) that fix reported vulnerabilities without the functional changes of a feature release, so they can be applied quickly between upgrades. <a href=\"https:\/\/www.hostduplex.com\/blog\/prevent-brute-force-attack-in-magento-2\/\" target=\"_blank\" rel=\"noopener\">Security patches close the specific holes<\/a> that give attackers unauthorized access, and every one you skip stays exploitable until you install it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-magentos-latest-version\"><span class=\"ez-toc-section\" id=\"Magentos_Latest_Version\"><\/span>Magento\u2019s Latest Version<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p><a href=\"https:\/\/www.hostduplex.com\/blog\/magento-2-4-7-beta1-release\/\" target=\"_blank\" rel=\"noopener\">Magento releases regular software upgrades<\/a> and security patches to enhance performance, fix issues and introduce new features to the platform. At the time of writing, the latest version of Magento 2 is <a href=\"https:\/\/experienceleague.adobe.com\/docs\/commerce-operations\/release\/notes\/adobe-commerce\/2-4-6.html?lang=en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">2.4.6<\/a>, released on March 14, 2023. 
It includes enhancements and support for PHP 8.2, which will help with performance.<\/p>\n\n\n\n<p>The longer you delay upgrading, the longer your store runs with publicly documented vulnerabilities, and the higher the risk of both compromise and breakage when you finally jump several versions at once. Unpatched stores are the usual entry point for the <a href=\"https:\/\/www.hostduplex.com\/blog\/types-of-malware-injection-attacks\/\" target=\"_blank\" rel=\"noopener\">injection attacks that plant malicious JavaScript<\/a> in checkout pages to skim card data. Keeping your Magento store up to date keeps it secure and stable and gives you the latest features and enhancements.<\/p>\n\n\n\n<p>Simply put: whenever an update or security patch is available for your store (which happens often), test it on a staging copy and roll it out to production without delay.<\/p>\n\n\n\n<p>Adobe Commerce announced the release of version 2.4.5 in their official tweet:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/twitter.com\/AdobeCommerce\/status\/1557061575231651841\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"500\" height=\"652\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/adobecommercetweet500x100.png\" alt=\"Adobe Commerce 2.4.5 Tweet\" class=\"wp-image-13795\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/adobecommercetweet500x100.png 500w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/adobecommercetweet500x100-230x300.png 230w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><figcaption class=\"wp-element-caption\">Adobe Commerce 2.4.5 announcement &#8211; August 9, 2022<\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"2-nbsp-use-magento-security-scan-tool\"><span class=\"ez-toc-section\" id=\"3_Use_Magento_Security_Scan_Tool\"><\/span>3. 
Use Magento Security Scan Tool<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The <a href=\"https:\/\/experienceleague.adobe.com\/docs\/commerce-admin\/systems\/security\/security-scan.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Magento Security Scan Tool<\/a> is a free service from Adobe that checks a store for known security risks and vulnerabilities and reports what it finds. It scans from the outside, against your public URLs, so it sees what an attacker doing reconnaissance would see; it complements, rather than replaces, file-integrity and malware checks run on the server itself.<\/p>\n\n\n\n<p>The scan results are presented in an easy-to-read report that shows the severity of each issue found, along with suggestions for how to fix it.<\/p>\n\n\n\n<p>Magento Security Scan is available to every store owner, whether the store runs the free Magento Open Source or the paid Adobe Commerce. To use the tool you need a Commerce account, and you must prove ownership of each site you add.<\/p>\n\n\n\n<p>With scheduled scans and historical reports you can track whether the store stays secure over time and catch a missing patch or a newly flagged extension before someone else does.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Scanning_Possible_Security_Risks\"><\/span>Scanning Possible Security Risks<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The security scan checks for various security risks, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malware and other malicious code<\/li>\n\n\n\n<li>Vulnerabilities in the Magento software or installed extensions<\/li>\n\n\n\n<li>Outdated software versions and missing security patches that attackers can exploit<\/li>\n\n\n\n<li>Weak passwords and other authentication issues<\/li>\n\n\n\n<li>Insecure server configurations<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"a-a-setting-up-magento-security-scan-tool\"><span class=\"ez-toc-section\" id=\"Setting_up_Magento_Security_Scan_Tool\"><\/span>Setting up Magento Security Scan Tool<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Here are the steps to set up the <strong>Magento Security Scan Tool<\/strong>:<\/p>\n\n\n\n<p><strong>Step 1:<\/strong> Go to the Commerce home page and sign in to your Commerce account.<\/p>\n\n\n\n<p><strong>Step 2:<\/strong> Choose &#8220;Security Scan&#8221; in the left panel.<\/p>\n\n\n\n<p><strong>Step 3:<\/strong> Read and accept the Terms and Conditions.<\/p>\n\n\n\n<p><strong>Step 4:<\/strong> Add your website to the Monitored Sites list by generating a confirmation code and placing it in the designated location in your storefront; this proves to Adobe that you control the site before it is scanned.<\/p>\n\n\n\n<p><strong>Step 5:<\/strong> Configure the Set Automatic Security Scan options for weekly or daily scans.<\/p>\n\n\n\n<p><strong>Step 6:<\/strong> Enter the email address that should receive notifications of completed scans and security updates.<\/p>\n\n\n\n<p><strong>Step 7:<\/strong> Click &#8220;Submit&#8221; to complete the setup process.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-nbsp-nbsp-use-non-default-admin-url\"><span class=\"ez-toc-section\" id=\"4_Use_Non-Default_Admin_URL\"><\/span>4.\u00a0Use Non-Default Admin URL<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>With the default Admin URL, every scanner on the internet already knows where your login form is, and an automated password-guessing attack against \/admin needs no reconnaissance at all. Don&#8217;t make <a href=\"https:\/\/www.cloudflare.com\/learning\/bots\/brute-force-attack\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">brute force attacks<\/a> that easy: change the default admin route to a unique path that is harder to guess. 
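<\/p>\n\n\n\n<p>The script below is an added example written for this article; it is not code from the original post, from Magento or from Cloudflare. It runs over a constructed origin access log and covers two checks a store operator wants once tips 1 and 4 are in place: it lists requests that reached the origin from an address outside the WAF proxy ranges (the WAF was bypassed, so the origin firewall needs tightening), and it flags client addresses that POST to the admin path many times inside a short window (an automated password-guessing run against the renamed admin URL). The proxy ranges, the admin path and every log line are constructed values. The log format is the standard combined format with one extra trailing field holding the forwarded visitor address, which assumes the web server&#8217;s log format was extended to record the CF-Connecting-IP header that Cloudflare sends; that field is an assumption of this example, not a Magento or Cloudflare default.<\/p>

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical stand-ins for the WAF provider's published proxy egress ranges.
# A real deployment loads the provider's current list instead of these two.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ('203.0.113.0/24', '2001:db8:10::/48')]

# Hypothetical custom admin path, i.e. the value the Custom Admin Path setting was changed to.
ADMIN_PATH = '/backend_7g2k/'

# Constructed sample origin access log, not real traffic. Combined log format plus one
# trailing field: the visitor address forwarded by the proxy (assumed to be logged from
# the CF-Connecting-IP header), or '-' for a request that did not arrive via the proxy.
SAMPLE_LOG = '''
203.0.113.7 - - [10/Nov/2023:13:55:01 +0000] \"GET /catalog/product/view/id/42 HTTP/1.1\" 200 9123 192.0.2.10
2001:db8:10::5 - - [10/Nov/2023:13:55:01 +0000] \"GET / HTTP/1.1\" 200 18770 192.0.2.12
203.0.113.7 - - [10/Nov/2023:13:55:02 +0000] \"POST /backend_7g2k/ HTTP/1.1\" 200 3140 192.0.2.55
203.0.113.8 - - [10/Nov/2023:13:55:04 +0000] \"POST /backend_7g2k/ HTTP/1.1\" 200 3140 192.0.2.55
203.0.113.7 - - [10/Nov/2023:13:55:05 +0000] \"POST /backend_7g2k/ HTTP/1.1\" 200 3140 192.0.2.55
203.0.113.9 - - [10/Nov/2023:13:55:07 +0000] \"POST /backend_7g2k/ HTTP/1.1\" 200 3140 192.0.2.55
203.0.113.7 - - [10/Nov/2023:13:55:09 +0000] \"POST /backend_7g2k/ HTTP/1.1\" 200 3140 192.0.2.55
203.0.113.7 - - [10/Nov/2023:13:56:30 +0000] \"POST /backend_7g2k/ HTTP/1.1\" 302 0 192.0.2.77
198.51.100.9 - - [10/Nov/2023:13:57:12 +0000] \"GET /backend_7g2k/ HTTP/1.1\" 200 3140 -
198.51.100.9 - - [10/Nov/2023:13:57:13 +0000] \"GET /admin/ HTTP/1.1\" 404 1420 -
'''


def parse_line(line):
    '''Split one log line into (remote_ip, client_ip, timestamp, method, path, status).
    remote_ip is the address that connected to the origin; client_ip is the forwarded
    visitor address when present, otherwise the same as remote_ip.'''
    remote_ip, rest = line.split(' ', 1)
    ts_text = rest.split('[', 1)[1].split(']', 1)[0]
    ts = datetime.strptime(ts_text, '%d/%b/%Y:%H:%M:%S %z')
    _, request, tail = rest.split('\"', 2)      # request line sits between the first quote pair
    method, path = request.split(' ')[:2]
    status, _, forwarded = tail.split()
    client_ip = forwarded if forwarded != '-' else remote_ip
    return remote_ip, client_ip, ts, method, path, int(status)


def parse_log(text):
    return [parse_line(line) for line in text.strip().splitlines()]


def waf_bypasses(records, proxy_ranges=PROXY_RANGES):
    '''Requests whose connecting address is not one of the WAF proxies. Orange-cloud
    DNS hides the origin but does not firewall it: these requests never crossed the WAF,
    so the origin must be restricted to the proxy ranges.'''
    found = []
    for remote_ip, _client_ip, _ts, method, path, _status in records:
        addr = ipaddress.ip_address(remote_ip)
        if not any(addr in net for net in proxy_ranges):
            found.append((remote_ip, method, path))
    return found


def admin_bruteforce(records, admin_path=ADMIN_PATH, threshold=4, window=timedelta(seconds=60)):
    '''Client addresses that POSTed to the admin path at least `threshold` times within
    any interval of length `window`; returns {client_ip: peak count in one window}.'''
    posts = defaultdict(list)
    for _remote_ip, client_ip, ts, method, path, _status in records:
        if method == 'POST' and path == admin_path:
            posts[client_ip].append(ts)
    flagged = {}
    for client_ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client_ip] = best
    return flagged


def report(text=SAMPLE_LOG):
    '''Both checks over one log, as a dict that a cron job can turn into an alert.'''
    records = parse_log(text)
    return {'bypasses': waf_bypasses(records), 'bruteforce': admin_bruteforce(records)}


if __name__ == '__main__':
    for name, findings in report().items():
        print(name, findings)
```

<p>Point it at a real log with parse_log(open(path).read()). Without the forwarded-address field the brute-force count collapses onto the proxy addresses and is meaningless, while the bypass check still works because it only needs the connecting address. Either finding is a reason to act: a bypass means locking the origin down to the proxy ranges, and a flagged address means checking which admin accounts were targeted and confirming the account lockout settings.<\/p>\n\n\n\n<p>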
Whatever you pick, keep it out of dictionary words and off every public link; the point is that nobody can find it without already knowing it.<\/p>\n\n\n\n<p>A non-default admin path is obscurity, not access control. It keeps mass scanners and credential-stuffing bots from finding the login form, which cuts log noise and brute-force volume, but a targeted attacker can still learn the path from a leaked link or a careless employee. Treat it as one layer and combine it with two-factor authentication (tip 6) and the admin account security settings (tip 8).<\/p>\n\n\n\n<p>To change the default admin URL:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On the Admin sidebar, go to <strong>Stores<\/strong> &gt; <strong>Settings<\/strong> &gt; <strong>Configuration<\/strong>.<\/li>\n\n\n\n<li>In the left panel, expand <strong>Advanced<\/strong> and choose <strong>Admin<\/strong>.<\/li>\n\n\n\n<li>Expand the <strong>Admin Base URL<\/strong> section.<\/li>\n\n\n\n<li>Set the configuration options for the custom URL:<ul><li>Set Use Custom Admin URL to <strong>Yes<\/strong>.<\/li><li>Enter the Custom Admin URL.<\/li><li>Set Use Custom Admin Path to <strong>Yes<\/strong>.<\/li><li>Enter the Custom Admin Path.<\/li><\/ul><\/li>\n\n\n\n<li>Click <strong>Save Config<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>After saving, flush the Magento cache so the change takes effect, then confirm that the old \/admin path now returns a 404 while the new path shows the login form. Magento also reads the admin path from the backend frontName entry in app\/etc\/env.php; on a server with shell access it can be set there with the setup:config:set command and its --backend-frontname option, which is useful when the Admin UI is unreachable.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Using-Non-Default-Admin-Base-URL-for-Magento-Security-1024x535.webp\" alt=\"Securing Magento by changing admin URL\" class=\"wp-image-13549\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Using-Non-Default-Admin-Base-URL-for-Magento-Security-1024x535.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Using-Non-Default-Admin-Base-URL-for-Magento-Security-300x157.webp 300w, 
https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Using-Non-Default-Admin-Base-URL-for-Magento-Security-768x401.webp 768w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Using-Non-Default-Admin-Base-URL-for-Magento-Security.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Using Non Default Admin Base URL for Magento Security<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"br-4-nbsp-nbsp-enable-re-captcha\"><span class=\"ez-toc-section\" id=\"5_Enable_reCAPTCHA\"><\/span>5.\u00a0Enable reCAPTCHA<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>While the standard Adobe Commerce and Magento Open Source CAPTCHA works fine, <a href=\"https:\/\/developers.google.com\/recaptcha\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google reCAPTCHA<\/a> provides enhanced security options and methods.<\/p>\n\n\n\n<p>Using Google reCAPTCHA is an effective way of blocking spam and automated abuse. It works by determining whether the session being initiated on your site comes from a bot or from a human, so that only genuine logins get through. 
Google reCAPTCHA provides <a href=\"https:\/\/www.hostduplex.com\/blog\/adobe-commerce-2-4-6-p2-security-patch\/\" target=\"_blank\" rel=\"noopener\">enhanced website security<\/a> with various display options and methods.<\/p>\n\n\n\n<p>Most website owners use it to defend against attacks such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dictionary_attack\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">dictionary attacks<\/a>, and to keep automated bots (as opposed to legitimate search engine crawlers visiting essential pages) from submitting spam content that can put sensitive data or the database at risk of exploitation.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-re-captcha-configuration\"><span class=\"ez-toc-section\" id=\"ReCAPTCHA_Configuration\"><\/span>ReCAPTCHA Configuration<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Google reCAPTCHA can be configured separately for the Admin and the storefront.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"re-captcha-configuration-for-the-admin\"><span class=\"ez-toc-section\" id=\"ReCAPTCHA_Configuration_for_the_admin\"><\/span>ReCAPTCHA Configuration for the Admin:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>For the Admin, it can be used on the Sign In page and when a user requests a password reset.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"re-captcha-configuration-for-the-storefront\"><span class=\"ez-toc-section\" id=\"ReCAPTCHA_Configuration_for_the_Storefront\"><\/span>ReCAPTCHA Configuration for the Storefront:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>For the storefront, it can be used in numerous locations, such as signing into a customer account and sending a message from the Contact Us page.<\/p>\n\n\n\n<p>Before configuring Google reCAPTCHA, review the required settings; some of them may require developer assistance. 
Also, note that not all keys apply to all types of reCAPTCHA, and misapplying them could lead to unexpected behaviour.<\/p>\n\n\n\n<p>To <strong>enable reCAPTCHA<\/strong>, follow these steps:<\/p>\n\n\n\n<p><strong>Step 1:<\/strong> Navigate to <strong>Stores<\/strong> &gt; <strong>Configuration<\/strong> &gt; <strong>Security<\/strong> &gt; <strong>Google<\/strong> <strong>reCAPTCHA<\/strong>.<\/p>\n\n\n\n<p><strong>Step 2:<\/strong> Generate API keys by visiting the reCAPTCHA site and logging in to your account.<\/p>\n\n\n\n<p><strong>Step 3:<\/strong> Choose the type of reCAPTCHA you want to use and enter your store&#8217;s domain.<\/p>\n\n\n\n<p><strong>Step 4:<\/strong> Clear the Use system value checkbox for each field you want to configure in the admin panel.<\/p>\n\n\n\n<p><strong>Step 5:<\/strong> Enter the website key and secret key that were created for your reCAPTCHA type.<\/p>\n\n\n\n<p><strong>Step 6:<\/strong> Choose the size and theme of the reCAPTCHA box, as well as the language code you want to use.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-recaptcha-for-Magento-Security-1024x535.webp\" alt=\"Adding an extra layer of security with reCAPTCHA for Magento\" class=\"wp-image-13550\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-recaptcha-for-Magento-Security-1024x535.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-recaptcha-for-Magento-Security-300x157.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-recaptcha-for-Magento-Security-768x401.webp 768w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-recaptcha-for-Magento-Security.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Enable reCAPTCHA for Magento 
Security<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5-nbsp-nbsp-use-2-fa-two-factor-authentication\"><span class=\"ez-toc-section\" id=\"6_Use_2FA_Two-Factor_Authentication\"><\/span>6.\u00a0Use 2FA (Two-Factor Authentication)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Implementing Two-Factor Authentication (2FA) for Admin logins in Magento is a simple yet effective way to improve Magento admin login security. 2FA is a security measure that requires users to provide two forms of identification (such as a password and a one-time security code) before granting access to sensitive data or systems. By adding this extra layer, you protect sensitive customer data and make it much harder for an attacker who has obtained a password to gain unauthorized access.<\/p>\n\n\n\n<p>In Magento, 2FA is a security extension that applies to Admin UI users only; it does not apply to storefront customer accounts.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-enabling-two-factor-authentication-in-magento\"><span class=\"ez-toc-section\" id=\"Enabling_Two-Factor_Authentication_in_Magento_Site\"><\/span>Enabling Two-Factor Authentication in Magento Site<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>To enable 2FA in Magento, follow these steps:<\/p>\n\n\n\n<p><strong>Step 1:<\/strong> Log in to the Admin panel of your Magento store.<\/p>\n\n\n\n<p><strong>Step 2:<\/strong> Navigate to <strong>Stores<\/strong> &gt; <strong>Configuration<\/strong> &gt; <strong>Security<\/strong> &gt; <strong>2FA<\/strong>.<\/p>\n\n\n\n<p><strong>Step 3:<\/strong> Select the &#8220;Enable Two-Factor Authentication&#8221; checkbox.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-2FA-for-Magento-Security-1024x535.webp\" alt=\"Strengthening Magento security with two-factor authentication\" class=\"wp-image-13551\" 
srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-2FA-for-Magento-Security-1024x535.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-2FA-for-Magento-Security-300x157.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-2FA-for-Magento-Security-768x401.webp 768w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Enable-2FA-for-Magento-Security.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Enable Two-Factor authentication<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"br-supported-authenticators\"><span class=\"ez-toc-section\" id=\"Supported_Authenticators\"><\/span>Supported Authenticators<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p><a href=\"https:\/\/www.hostduplex.com\/blog\/magento-2fa-implementation-guide\/\" target=\"_blank\" rel=\"noopener\">Magento 2FA supports multiple authenticators<\/a> to suit your security needs. Here are some of the supported authenticators:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Authenticator: Generates a code from a mobile app.<\/li>\n\n\n\n<li>Duo Security: Supports SMS and push notification authentication.<\/li>\n\n\n\n<li>Authy: Supports SMS, call, token, and one-touch authentication.<\/li>\n\n\n\n<li>U2F Keys: Uses a physical device like YubiKey.<\/li>\n<\/ul>\n\n\n\n<p>After enabling 2FA for your Magento instance, you must also enable and configure at least one of these authenticators.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-managing-two-factor-authentication-in-magento\"><span class=\"ez-toc-section\" id=\"Managing_Two-Factor_Authentication_in_Magento\"><\/span>Managing Two-Factor Authentication in Magento<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Magento 2FA provides comprehensive tools for managing and configuring authenticator settings globally or per user account. 
Administrators have the following options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Review existing authenticators configured per user account.<\/li>\n\n\n\n<li>Require specific authenticators.<\/li>\n\n\n\n<li>Reset or remove authenticators to resolve access issues.<\/li>\n\n\n\n<li>Revoke access for devices to resolve access issues.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"br-troubleshooting-two-factor-authentication-issues\"><span class=\"ez-toc-section\" id=\"Troubleshooting_Two-Factor_Authentication_Issues\"><\/span>Troubleshooting Two-Factor Authentication Issues<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>If you are having trouble signing in to the admin with 2FA, consider the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Synchronize the time settings on the device and the server (time-based codes fail when the two clocks drift apart), or reset the authenticators associated with the account.<\/li>\n\n\n\n<li>Clear the web cache and cookies for the Magento installation, as some authenticators (Google Authenticator, for example) use generated cookies to remember access and its duration.<\/li>\n\n\n\n<li>Add a rule to your browser that allows cookies for your Magento installation; blocked cookies can prevent some authenticators from completing the verification process.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"br-6-nbsp-nbsp-audit-admin-user-accounts\"><span class=\"ez-toc-section\" id=\"7_Audit_Admin_User_Accounts\"><\/span>7.\u00a0Audit Admin User Accounts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Admin user accounts are a critical aspect of Magento security. 
As an administrator, you must regularly audit and review the user accounts in your system.<\/p>\n\n\n\n<p>You can take the following steps to maintain the security of Admin user accounts:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-remove-unknown-admin-accounts\"><span class=\"ez-toc-section\" id=\"Remove_Unknown_Admin_Accounts\"><\/span>Remove Unknown Admin Accounts<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Remove any admin accounts you do not recognize so that only authorized users can access your system, and keep a record of every account you remove.<\/p>\n\n\n\n<p>To begin, navigate to the Admin panel of your production site and remove any unknown Admin accounts from <strong>System<\/strong> &gt; <strong>Permissions<\/strong> &gt; <strong>All Users<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/remove-unknown-admin-accounts-1024x535.webp\" alt=\"Securing Magento by removing unknown admin accounts\" class=\"wp-image-13489\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/remove-unknown-admin-accounts-1024x535.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/remove-unknown-admin-accounts-300x157.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/remove-unknown-admin-accounts-768x401.webp 768w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/remove-unknown-admin-accounts.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Remove unknown admin accounts<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"remove-unused-accounts\"><span class=\"ez-toc-section\" id=\"Remove_Unused_Accounts\"><\/span>Remove Unused Accounts<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Remove any unknown or unused accounts, 
including API accounts. Keep a record of all removed accounts so that an essential account deleted by mistake can be identified and restored.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"change-passwords-and-usernames\"><span class=\"ez-toc-section\" id=\"Change_Passwords_and_Usernames\"><\/span>Change Passwords and Usernames<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Changing the passwords on all known Admin accounts and renaming overly generic admin usernames to unique names is another good step toward Magento security.<\/p>\n\n\n\n<p>Avoid using common words like &#8220;administrator,&#8221; &#8220;superuser,&#8221; or &#8220;root,&#8221; as these can be easy targets for attackers. Use a unique username and a strong password that combines letters, numbers, and symbols.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-manage-admin-user-accounts\"><span class=\"ez-toc-section\" id=\"Manage_Admin_User_Accounts\"><\/span><a><\/a>Manage Admin User Accounts<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>When your Magento store is installed, a default administrator account is created with login credentials that give you full administrative access. As a best practice, you should create another user account with full Administrator access. This way, you can use one account for your everyday administrative activities and reserve the other as a &#8220;Super Admin&#8221; account. This can be helpful if you forget your regular credentials or they become unusable.<\/p>\n\n\n\n<p><strong>Create separate user accounts<\/strong> for team members or service providers who need access, and assign restricted access based on what each of them needs to know for their business role. 
Set an expiration date for temporary accounts.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"a-a-create-a-user\"><span class=\"ez-toc-section\" id=\"Create_a_User\"><\/span><a><\/a>Create a User<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>To create a user, follow these steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\">\n<li>On the Admin sidebar, go to System &gt; Permissions &gt; All Users.<\/li>\n\n\n\n<li>In the upper-right corner, click Add New User.<\/li>\n\n\n\n<li>Add the necessary Account Information.<\/li>\n\n\n\n<li>Set This Account to Active.<\/li>\n\n\n\n<li>Click the calendar icon to set the Expiration Date for the user account. Defining an expiration date is helpful when a user or role is temporary. After the expiration date, the user account status changes to Inactive and can be updated if needed.<\/li>\n\n\n\n<li>Under Current User Identity Verification, enter your own user account password.<\/li>\n<\/ol>\n\n\n\n<p>To <strong>limit the websites or stores<\/strong> that a user can access in the Admin, create a role with limited scope and only the necessary resources selected, and assign that role to the user account.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"a-a-assign-a-user-role\"><span class=\"ez-toc-section\" id=\"Assign_a_User_Role\"><\/span><a><\/a>Assign a User Role<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Assigning user roles in Magento involves the following process:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\">\n<li>Log in to your Magento Admin Panel using your login credentials.<\/li>\n\n\n\n<li>Click on the &#8220;System&#8221; tab in the main navigation menu and select &#8220;Permissions&#8221; from the drop-down list.<\/li>\n\n\n\n<li>In the &#8220;Permissions&#8221; section, click on &#8220;Roles&#8221;.<\/li>\n\n\n\n<li>Click on &#8220;Add New Role&#8221; to create a new role.<\/li>\n\n\n\n<li>Enter the role name and description.<\/li>\n\n\n\n<li>Under the &#8220;Role 
Resources&#8221; section, select the resources that the role should have access to. Resources include catalogues, customers, sales, and other admin areas.<\/li>\n\n\n\n<li>Click on the &#8220;Save Role&#8221; button to save the new role.<\/li>\n\n\n\n<li>After creating the role, you need to assign it to a user. To do this, click the &#8220;Users&#8221; tab in the &#8220;Permissions&#8221; section.<\/li>\n\n\n\n<li>Click the &#8220;Add New User&#8221; button and enter the required information, such as user name, email, and password.<\/li>\n\n\n\n<li>Under the &#8220;User Role&#8221; section, select the role you just created and click the &#8220;Save User&#8221; button.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"7-nbsp-nbsp-update-admin-account-security\"><span class=\"ez-toc-section\" id=\"8_Update_Admin_Account_Security\"><\/span>8.\u00a0Update Admin Account Security<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Updating Admin account security can help ensure Magento security; limiting the number of password reset requests and setting the maximum login failures before the account gets locked out is essential. 
Adobe suggests that you set the lockout time to at least 30 minutes.<\/p>\n\n\n\n<p>You can configure these settings quickly through the admin panel by navigating to:<\/p>\n\n\n\n<p><strong>Stores<\/strong> &gt; <strong>Configuration<\/strong> &gt; <strong>Advanced<\/strong> &gt; <strong>Admin<\/strong> &gt; <strong>Security<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Update-admin-account-security-1-1024x535.webp\" alt=\"Enhancing Magento security with updated admin account settings\" class=\"wp-image-13552\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Update-admin-account-security-1-1024x535.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Update-admin-account-security-1-300x157.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Update-admin-account-security-1-768x401.webp 768w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Update-admin-account-security-1.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Update admin account security settings<\/figcaption><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"key-security-settings\"><span class=\"ez-toc-section\" id=\"Key_security_settings\"><\/span>Key security settings<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Some of the key settings you can configure include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Secret Key to URLs:<\/strong> Add a secret key to the Admin URL as a precaution against exploits.<\/li>\n\n\n\n<li><strong>Case-Sensitive Passwords:<\/strong> Requires that upper- and lowercase characters in any login information entered match what is stored in the system.<\/li>\n\n\n\n<li><strong>Admin Session Lifetime:<\/strong> Determines the 
length of an Admin session before it times out.<\/li>\n\n\n\n<li><strong>Maximum Login Failures to Lockout Account:<\/strong> Determines the number of times a user can try to log in to the admin before the account is locked.<\/li>\n\n\n\n<li><strong>Lockout Time:<\/strong> Determines the number of minutes an Admin account is locked when the maximum number of attempts is met.<\/li>\n\n\n\n<li><strong>Password Lifetime:<\/strong> Determines the number of days a password is valid.<\/li>\n\n\n\n<li><strong>Password Change:<\/strong> Determines whether Admin users are forced or recommended to change their passwords after the account setup.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"8-nbsp-nbsp-use-https-ssl-encryption\"><span class=\"ez-toc-section\" id=\"9_Use_HTTPS_SSL_Encryption\"><\/span>9.\u00a0Use HTTPS \/ SSL Encryption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>For Magento sites, use HTTPS \/ SSL encryption to protect sensitive information such as login details, <a href=\"https:\/\/www.hostduplex.com\/blog\/how-do-cybercriminals-steal-credit-card-information\/\" target=\"_blank\" rel=\"noopener\">credit card details<\/a>, and personal information while it is in transit.<\/p>\n\n\n\n<p>SSL (today, its successor TLS) is a security protocol that encrypts all data exchanged between your store and the visitor&#8217;s browser. It also allows you to set up a dedicated domain for your website, meaning only those with the right credentials can access it.<\/p>\n\n\n\n<p>Setting up HTTPS \/ SSL is essential for ecommerce sites because it increases trust in your site and makes it more difficult for intruders to intercept or tamper with traffic to it. HTTPS \/ SSL certificates can boost customer confidence when shopping.<\/p>\n\n\n\n<p>When building a new website, launching it using HTTPS from the start is a good idea. Google has already taken the initiative and now considers HTTPS a ranking factor. 
For those who already have an existing website, upgrading the entire site to run over a secure, encrypted HTTPS channel is recommended.<\/p>\n\n\n\n<p>Without SSL encryption, your website is vulnerable to cyber threats such as phishing attacks, man-in-the-middle attacks, and data breaches.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-implementing-https-ssl-encryption-on-your-magento-store\"><span class=\"ez-toc-section\" id=\"Implementing_HTTPSSSL_Encryption_on_Your_Magento_Store\"><\/span><a><\/a>Implementing HTTPS\/SSL Encryption on Your Magento Store<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>To set up HTTPS\/SSL encryption on your Magento store, follow these simple steps:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"1-install-an-ssl-certificate\"><span class=\"ez-toc-section\" id=\"1_Install_an_SSL_Certificate\"><\/span>1. Install an SSL Certificate:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>The first step to implementing SSL encryption is to install an SSL certificate. 
Adobe Commerce provides a Domain-Validated <a href=\"https:\/\/letsencrypt.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Let\u2019s Encrypt SSL\/TLS certificate<\/a> to serve secure HTTPS traffic from Fastly.<\/p>\n\n\n\n<p>Adobe provides one certificate for each Adobe Commerce on cloud infrastructure Pro plan architecture, Staging, and Adobe Commerce on cloud infrastructure Starter plan architecture environment, to maintain secure systems for all domains in that environment.<\/p>\n\n\n\n<p>If you <strong>own a certificate<\/strong>, upload it using an SFTP (SSH File Transfer Protocol) client to a web-inaccessible file location on your server and submit a support ticket letting Adobe support know the file path.<\/p>\n\n\n\n<p>If you have your own cPanel server, you can <a href=\"https:\/\/www.hostduplex.com\/kb\/how-to-run-autossl-on-your-domains-to-install-an-ssl-via-cpanel\/\" target=\"_blank\">generate an SSL certificate using the cPanel AutoSSL<\/a> function.<\/p>\n\n\n\n<p>It&#8217;s important to note that the <strong>certificate name must match<\/strong> the primary hostname named by the first URL.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"2-update-the-unsecure-base-url\"><span class=\"ez-toc-section\" id=\"2_Update_the_Unsecure_Base_URL\"><\/span>2. 
Update the Unsecure Base URL<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>After installing the SSL certificate,<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to the admin dashboard of your Magento store.<\/li>\n\n\n\n<li>Navigate to <strong>Stores<\/strong> &gt; <strong>Settings<\/strong> &gt; <strong>Configuration<\/strong> &gt; <strong>General<\/strong> &gt; <strong>Web<\/strong>.<\/li>\n\n\n\n<li>Update the secure base URL to &#8220;<strong>https<\/strong>&#8221; and click on <strong>Save<\/strong> <strong>Config<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>This will ensure that all future requests to your website use SSL encryption.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Implementing-SSL-encryption-for-Magento-security-1024x535.webp\" alt=\"Securing Magento with HTTPS\/SSL encryption\" class=\"wp-image-13553\" srcset=\"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Implementing-SSL-encryption-for-Magento-security-1024x535.webp 1024w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Implementing-SSL-encryption-for-Magento-security-300x157.webp 300w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Implementing-SSL-encryption-for-Magento-security-768x401.webp 768w, https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Implementing-SSL-encryption-for-Magento-security.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Implementing SSL encryption<\/figcaption><\/figure>\n<\/div>\n\n\n<h5 class=\"wp-block-heading\" id=\"3-verify-your-ssl-setup\"><span class=\"ez-toc-section\" id=\"3_Verify_Your_SSL_Setup\"><\/span>3. Verify Your SSL Setup:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Finally, verify that your SSL setup is working correctly. 
You can use an online SSL checker tool to confirm that your certificate chain is valid and that the TLS configuration has no known weaknesses.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"9-nbsp-nbsp-implement-security-extensions\"><span class=\"ez-toc-section\" id=\"10_Implement_Security_Extensions\"><\/span>10.\u00a0Implement Security Extensions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Many security extensions are available that can help enhance Magento security. 
These extensions add a layer of security on top of your Magento installation&#8217;s existing infrastructure and help prevent known threats and vulnerabilities from being exploited.<\/p>\n\n\n\n<p>Consider using extensions that provide malware scanning, security alerts, and two-factor authentication.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-how-to-choose-security-extensions\"><span class=\"ez-toc-section\" id=\"How_to_Choose_Security_Extensions\"><\/span><a><\/a>How to Choose Security Extensions<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Choosing the right security extensions for your Magento store can be challenging, especially if you are not yet familiar with the features and functionality of the options available.<\/p>\n\n\n\n<p>Here are some tips to help you select the best security extensions for your online store:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"a-a-consult-a-solution-integrator\"><span class=\"ez-toc-section\" id=\"Consult_a_Solution_Integrator\"><\/span><a><\/a>Consult a Solution Integrator:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>A solution integrator (SI) specialist can advise you on your <a href=\"https:\/\/www.hostduplex.com\/blog\/top-magento-2-security-extensions\/\" target=\"_blank\" rel=\"noopener\">Magento store&#8217;s most appropriate security extensions<\/a>. Ensure that your SI is well-versed in security and has a proven track record of dealing with security issues.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"a-a-use-trusted-vendors\"><span class=\"ez-toc-section\" id=\"Use_Trusted_Vendors\"><\/span><a><\/a>Use Trusted Vendors:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Use extensions that come from trustworthy vendors. Adobe recommends only sourcing extensions from the Adobe Commerce Marketplace or your solution integrator. 
This can help ensure the security and stability of your online store.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"a-a-limit-the-number-of-extensions\"><span class=\"ez-toc-section\" id=\"Limit_the_Number_of_Extensions\"><\/span><a><\/a>Limit the Number of Extensions:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Limiting the number of Magento extensions that you use reduces your risk exposure. Every extension you add is third-party code running inside your store, so the more extensions you use, the more potential vulnerabilities you introduce.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"a-a-review-extension-code\"><span class=\"ez-toc-section\" id=\"Review_Extension_Code\"><\/span><a><\/a>Review Extension Code:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Review the extension code or security patch before integrating it into your Magento installation. You can also ask your solution integrator to review the code.<\/p>\n\n\n\n<p><strong>Adobe<\/strong> offers a <a href=\"https:\/\/marketplace.magento.com\/extensions.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">wide range of extensions<\/a> for Magento stores.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"10-nbsp-nbsp-protect-against-data-leaks-from-browser-extensions\"><span class=\"ez-toc-section\" id=\"11_Protect_Against_Data_Leaks_from_Browser_Extensions\"><\/span>11.\u00a0Protect Against Data Leaks from Browser Extensions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Browser extensions no doubt enhance your browsing experience; however, they can also pose a significant security risk to your e-commerce store. 
The <a href=\"https:\/\/en.wikipedia.org\/wiki\/DataSpii\" target=\"_blank\" rel=\"noreferrer noopener\">DataSpii<\/a> leak showed that some browser extensions collect data from page titles and URLs, potentially exposing sensitive data.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"what-is-data-spii\"><span class=\"ez-toc-section\" id=\"What_is_DataSpii\"><\/span>What is DataSpii?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p><a href=\"https:\/\/securitywithsam.com\/2019\/07\/dataspii-leak-via-browser-extensions\/\" target=\"_blank\" rel=\"noreferrer noopener\">DataSpii<\/a> is a leak that compromised the private data of millions of Chrome and Firefox users through at least eight browser extensions, including popular ones like Hover Zoom, SpeakIt!, and SaveFrom.net Helper.<\/p>\n\n\n\n<p>This leak impacted government agencies and major corporations, exposing sensitive information such as personally identifiable information (PII), corporate information (CI), and government information (GI). This data was intercepted and sent to foreign-owned entities, putting many organizations at risk.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"a-a-prevent-browser-extensions-from-leaking-sensitive-data\"><span class=\"ez-toc-section\" id=\"Prevent_Browser_Extensions_from_Leaking_Sensitive_Data\"><\/span><a><\/a>Prevent Browser Extensions from Leaking Sensitive Data<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>To protect your Magento store against data leaks through browser extensions, consider the following tips:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"monitor-the-use-of-browser-extensions\"><span class=\"ez-toc-section\" id=\"Monitor_the_use_of_browser_extensions\"><\/span>Monitor the use of browser extensions:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Only allow trusted browser extensions to be installed and used by your team. 
Ensure your team is trained to identify and avoid extensions that could pose a security risk.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"review-the-permissions-of-installed-extensions\"><span class=\"ez-toc-section\" id=\"Review_the_permissions_of_installed_extensions\"><\/span>Review the permissions of installed extensions:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Review the permissions of all installed extensions regularly and only grant the permissions an extension actually needs to function. An extension that asks to read and change your data on all websites can see every Magento admin page your team opens, including customer and order details, so treat that request as a red flag unless the extension genuinely needs it.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"limit-the-use-of-extensions-on-sensitive-pages\"><span class=\"ez-toc-section\" id=\"Limit_the_use_of_extensions_on_sensitive_pages\"><\/span>Limit the use of extensions on sensitive pages:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Avoid extensions on pages containing sensitive data, such as login, admin and payment pages. The simplest way to enforce this is a separate browser profile with no extensions installed that is used only for Magento admin work.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"remove-unnecessary-extensions\"><span class=\"ez-toc-section\" id=\"Remove_unnecessary_extensions\"><\/span>Remove unnecessary extensions:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Remove extensions that are no longer required to reduce the attack surface of your Magento store.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"avoid-including-sensitive-data-in-page-titles-and-ur-ls\"><span class=\"ez-toc-section\" id=\"Avoid_including_sensitive_data_in_page_titles_and_URLs\"><\/span>Avoid including sensitive data in page titles and URLs:<span class=\"ez-toc-section-end\"><\/span><\/h5>\n\n\n\n<p>Do not put sensitive information such as customer names, email addresses, order numbers or session tokens in page titles or URL query strings. Extensions with tab or history access capture titles and URLs wholesale, and URLs are also recorded in server logs, proxies and browser history, so anything placed there should be treated as public.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"11-nbsp-nbsp-use-a-waf-web-application-firewall\"><span class=\"ez-toc-section\" id=\"12_Use_a_WAF_Web_Application_Firewall\"><\/span>12.\u00a0Use a WAF (Web Application Firewall)<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>A WAF is designed to protect your website from web-layer attacks such as <a href=\"https:\/\/www.hostduplex.com\/blog\/how-to-prevent-sql-injection-attacks\/\" target=\"_blank\" rel=\"noopener\">SQL injection<\/a>, cross-site scripting (XSS) and similar injection attacks. It sits between your website and the internet, inspecting incoming requests and blocking malicious ones before they reach your web server.<\/p>\n\n\n\n<p>A WAF service like the one that <a href=\"https:\/\/www.cloudflare.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Cloudflare<\/a> offers adds a layer of protection for your Magento store by matching every incoming request against a predefined ruleset. Any request that matches a rule is blocked (or only logged, if you run the rule in monitoring mode first), <a href=\"https:\/\/www.hostduplex.com\/blog\/how-to-block-ip-address-in-wordpress\/\" target=\"_blank\" rel=\"noopener\">preventing potential attacks from reaching your website<\/a>.<\/p>\n\n\n\n<p>Managed rulesets are updated by the provider\u2019s security researchers as new attacks and vulnerabilities appear, which helps protect a Magento store against the latest threats even if you don\u2019t have a dedicated security team. A WAF is a complementary layer, not a replacement for applying Magento security patches: rules can be bypassed with encoding tricks and novel payloads, and an over-broad rule can block legitimate checkout or search requests. Review the WAF logs after enabling a rule, and consider restricting the admin path to known IP addresses at the WAF level as well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"12-nbsp-nbsp-secure-your-site-with-a-strong-magento-hosting-plan\"><span class=\"ez-toc-section\" id=\"13_Secure_Ecommerce_Sites_with_a_Strong_Magento_Hosting_Plan\"><\/span>13.\u00a0Secure Ecommerce Sites with a Strong Magento Hosting Plan<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Many e-commerce startups are lured by the low cost and easy setup of shared hosting plans, not realizing that they&#8217;re putting their store at risk: on a shared server your store runs alongside many other tenants, so a compromise of any one of them, or a misconfiguration by the host, can expose your files and database.<\/p>\n\n\n\n<p>So what&#8217;s the solution? Managed cloud hosting providers offer a more secure and reliable option for Magento stores. 
When <a href=\"https:\/\/www.hostduplex.com\/blog\/what-to-look-for-in-a-web-hosting-provider\/\" target=\"_blank\" rel=\"noopener\">selecting a hosting provider<\/a>, consider factors such as server speed, uptime, security features (isolation between customers, patching cadence, backups and malware scanning), and customer support.<\/p>\n\n\n\n<p>With the <a href=\"https:\/\/www.hostduplex.com\/about-us\/\" target=\"_blank\" rel=\"noreferrer noopener\">best Magento hosting provider<\/a>, you get the benefits of cloud hosting, including automatic scaling, high availability, and robust security measures like frequent server-level patches and malware scanning.<\/p>\n\n\n\n<p>Stay away from hosting plans that promise the moon but deliver little. Choose a hosting provider that understands the unique Magento security challenges, and <a href=\"https:\/\/www.hostduplex.com\/magento-hosting\/\" data-type=\"URL\" data-id=\"https:\/\/www.hostduplex.com\/magento-hosting\/\" target=\"_blank\" rel=\"noreferrer noopener\">invest in a hosting plan<\/a> that will give your store the best chance of success.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-a-final-thoughts\"><span class=\"ez-toc-section\" id=\"Final_Thoughts\"><\/span><a><\/a>Final Thoughts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Investing in a reliable hosting provider and implementing the recommended security measures are essential to safeguard your online business from cyber threats. With the ever-increasing number of online attacks, it\u2019s not a matter of if but when your website will be targeted. By following the tips we\u2019ve outlined, you can harden your Magento website, protect your customers\u2019 sensitive data, and ensure the continuity of your business. Don\u2019t wait until it\u2019s too late; take action to improve Magento security and gain peace of mind.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview Running an eCommerce store with Magento can be a highly lucrative venture. 
However, success comes with a price, and that price is ensuring&#8230;<\/p>\n","protected":false},"author":8,"featured_media":13483,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[115,137],"tags":[147,119,150,148,145,149,151],"class_list":["post-13475","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-magento","category-cybersecurity","tag-e-commerce-security","tag-magento","tag-magento-security-best-practices","tag-magento-security-measures","tag-magento-security-tips","tag-magento-tips","tag-online-store-security","article","has-excerpt","has-avatar","has-author","has-date","has-comment-count","has-category-meta","has-read-more","thumbnail-"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/02\/Best-Magento-Security-Tips-and-Practices-1.webp","_links":{"self":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts\/13475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/comments?post=13475"}],"version-history":[{"count":56,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts\/13475\/revisions"}],"predecessor-version":[{"id":16384,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts\/13475\/revisions\/16384"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/media\/13483"}],"wp:att
achment":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/media?parent=13475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/categories?post=13475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/tags?post=13475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
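The extension permission review in tip 11 above is easier to do systematically than by clicking through each extension's settings page. The following Python script is an added example written for this article, not code from the article, from Adobe or from any browser vendor. It reads extension manifests (three constructed sample manifests are embedded; the `audit_profile` helper and its `*/*/manifest.json` layout assume Chrome's unpacked extensions directory), flags the API permissions that expose URLs, titles, history or cookies, and evaluates every host pattern against an assumed Magento admin URL to answer the question that matters: which installed extensions can read or see your admin pages?

```python
"""Audit browser-extension manifests against a Magento admin URL.

Added example for tip 11 (not the article's or any vendor's code).
"""
from __future__ import annotations

import fnmatch
import json
from pathlib import Path
from urllib.parse import urlsplit

# API permissions that expose URLs, titles, history, requests or cookies
# regardless of page content. Hypothetical shortlist, not a full catalogue.
SENSITIVE_API_PERMISSIONS = {
    "tabs": "URL and title of every open tab",
    "history": "full browsing history",
    "webNavigation": "URL of every navigation event",
    "webRequest": "every HTTP request to hosts the extension may access",
    "cookies": "cookies (session cookies included) for accessible hosts",
    "clipboardRead": "clipboard contents",
}
URL_EXPOSING_APIS = {"tabs", "history", "webNavigation"}

# Constructed admin URL and manifests used for the demonstration.
ADMIN_URL = "https://shop.example-store.invalid/admin/sales/order/view/order_id/1234/"
SAMPLE_MANIFESTS = {
    "Colour Picker": {"manifest_version": 3, "name": "Colour Picker",
                      "permissions": ["storage", "activeTab"],
                      "host_permissions": ["https://api.colour-picker.invalid/*"]},
    "Page Helper": {"manifest_version": 3, "name": "Page Helper",
                    "permissions": ["tabs", "history", "webRequest", "storage"],
                    "host_permissions": ["<all_urls>"]},
    "Shop Tools": {"manifest_version": 2, "name": "Shop Tools",
                   "permissions": ["https://*.example-store.invalid/*", "cookies"],
                   "content_scripts": [{"matches": ["https://shop.example-store.invalid/*"],
                                        "js": ["inject.js"]}]},
}


def pattern_matches(pattern: str, url: str) -> bool:
    """Evaluate a Chrome/Firefox match pattern (<scheme>://<host>/<path>) against a URL."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host, _, path = rest.partition("/")
    path = "/" + path
    u = urlsplit(url)
    if scheme == "*":
        if u.scheme not in ("http", "https"):  # "*" means http or https only
            return False
    elif scheme != u.scheme:
        return False
    hostname = u.hostname or ""
    if host == "*":
        host_ok = True
    elif host.startswith("*."):
        # "*.example.invalid" matches the domain itself and any subdomain
        host_ok = hostname == host[2:] or hostname.endswith(host[1:])
    else:
        host_ok = hostname == host
    # Match-pattern paths use "*" as a glob; fnmatch's "*" also spans "/"
    return host_ok and fnmatch.fnmatchcase(u.path or "/", path)


def host_patterns(manifest: dict) -> list[str]:
    """Collect every host pattern that grants page access (MV2 and MV3 layouts)."""
    patterns: list[str] = []
    if manifest.get("manifest_version", 2) >= 3:
        patterns += manifest.get("host_permissions", [])
    # MV2 keeps host patterns in "permissions" next to API names
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    # Content scripts get page access on their match patterns without any extra grant
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def assess_manifest(manifest: dict, admin_url: str) -> dict:
    """Report sensitive APIs, host patterns covering admin_url, and an overall verdict."""
    apis = sorted(set(manifest.get("permissions", [])) & set(SENSITIVE_API_PERMISSIONS))
    matching = [p for p in host_patterns(manifest) if pattern_matches(p, admin_url)]
    return {
        "name": manifest.get("name", "?"),
        "sensitive_apis": apis,
        "matching_hosts": matching,
        # host access reads the admin page; tabs/history/webNavigation still see its URL and title
        "exposes_admin": bool(matching) or bool(URL_EXPOSING_APIS & set(apis)),
    }


def audit_manifests(manifests: dict[str, dict], admin_url: str) -> dict[str, dict]:
    return {name: assess_manifest(m, admin_url) for name, m in manifests.items()}


def audit_profile(extensions_dir: Path, admin_url: str) -> dict[str, dict]:
    """Walk Chrome's Extensions/<id>/<version>/manifest.json layout (assumed)."""
    manifests = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        with manifest_path.open(encoding="utf-8") as fh:
            manifests[str(manifest_path.parent)] = json.load(fh)
    return audit_manifests(manifests, admin_url)


if __name__ == "__main__":
    for name, result in audit_manifests(SAMPLE_MANIFESTS, ADMIN_URL).items():
        verdict = "EXPOSES ADMIN" if result["exposes_admin"] else "ok"
        print(f"{name:14} {verdict:14} apis={result['sensitive_apis']} hosts={result['matching_hosts']}")
```

Run it against a real profile with `audit_profile(Path("~/.config/google-chrome/Default/Extensions").expanduser(), ADMIN_URL)` (path assumed; it differs per OS and browser). Anything that reports `exposes_admin` is a candidate for removal from the profile used for store administration, and a manifest that requests `<all_urls>` or `*://*/*` together with `tabs` or `webRequest` is exactly the shape of the DataSpii extensions.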
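To make the WAF description in tip 12 concrete, here is an added example, not Cloudflare's ruleset and not code from the article: a small Python request filter with a handful of signature rules and an IP allowlist for the Magento admin path. The `/admin` prefix, the `203.0.113.0/24` network and the sample requests are assumed values. The `decode` flag demonstrates the caveat that matters most when tuning a WAF: the same `' OR '1'='1` payload that is caught after URL-decoding slips straight past the rules when matched against the raw query string, and double-encoded input needs more than one decoding pass.

```python
"""Minimal WAF-style request filter for a Magento storefront.

Added example for tip 12 (not Cloudflare's rules or the article's code).
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Signature rules: deliberately small and hypothetical. A production ruleset
# has hundreds of rules plus protocol, anomaly and reputation checks.
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("sqli-tautology", re.compile(r"""(?i)(['"]|\d)\s*(or|and)\s+['"]?\w+['"]?\s*=\s*['"]?\w+""")),
    ("sqli-union-select", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*/?\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(load|error|click|mouseover|focus|blur)\s*=")),
    ("xss-javascript-uri", re.compile(r"(?i)javascript\s*:")),
]

# Only these networks may reach the Magento admin path (assumed values).
ADMIN_PATH_PREFIX = "/admin"
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def normalise(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527) are seen as the app sees them."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, url: str, body: str = "", src_ip: str = "198.51.100.7",
                    decode: bool = True) -> tuple[str, str | None]:
    """Return ("block", rule_name) or ("allow", None) for a single request."""
    parts = urlsplit(url)
    path = normalise(parts.path) if decode else parts.path
    # Access rule: the admin panel is reachable only from allowlisted networks
    if path.startswith(ADMIN_PATH_PREFIX):
        client = ipaddress.ip_address(src_ip)
        if not any(client in net for net in ADMIN_ALLOWLIST):
            return "block", "admin-ip-allowlist"
    # Signature rules run over every attacker-controlled field: path, query and body
    for field in (path, parts.query, body):
        haystack = normalise(field) if decode else field
        for name, pattern in RULES:
            if pattern.search(haystack):
                return "block", name
    return "allow", None


# Constructed sample traffic: (method, url, body, source IP)
SAMPLE_REQUESTS = [
    ("GET", "/catalogsearch/result/?q=red+shoes", "", "198.51.100.7"),
    ("GET", "/catalogsearch/result/?q=shoes%27%20OR%20%271%27%3D%271", "", "198.51.100.7"),
    ("GET", "/catalogsearch/result/?q=%2527%2520OR%25201%253D1", "", "198.51.100.7"),
    ("GET", "/catalogsearch/result/?q=%3Cscript%3Ealert(1)%3C/script%3E", "", "198.51.100.7"),
    ("POST", "/customer/account/loginPost/", "login[username]=a@b.c&login[password]=x", "198.51.100.7"),
    ("GET", "/admin/", "", "198.51.100.7"),
    ("GET", "/admin/", "", "203.0.113.10"),
]


def run_samples(decode: bool = True) -> list[tuple[str, str, str | None]]:
    """Apply the filter to the sample traffic; returns (url, decision, rule) per request."""
    return [(url,) + inspect_request(method, url, body, src_ip, decode=decode)
            for method, url, body, src_ip in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- decode={mode}")
        for url, decision, rule in run_samples(decode=mode):
            print(f"{decision:5} {rule or '-':20} {url}")
```

The second and third sample requests are the ones to watch: with `decode=True` both are blocked as `sqli-tautology`, with `decode=False` both are allowed, which is how a WAF rule that "works" in a quick test can still be bypassed in production. The flip side is false positives: the tautology rule will also fire on an innocent search such as `7 or size=9`, so new rules belong in a log-only mode against real traffic before they are set to block.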