
Magento Security Measures

Developer https://www.devze.com 2023-04-11 13:01 Source: Internet

I was looking for tips for making Magento as secure as possible. I found this http://magplazza.com/2010/06/top-4-security-tips-for-your-magento-store-that-can-be-done-easily/ but I wonder if anyone has any more tips or links like the one above... or maybe Magento is pretty secure out of the box. (I have done a lot of work with WordPress and there are plenty of things to do to vanilla WordPress to secure it, so I was assuming Magento would have some too.)

EDIT: NB: A commenter below has brought up a few issues with the quality of information contained in the above link.


Wow, what a useless article you linked :-)

1) is obvious.

2) is more appropriately changed by overriding the frontName of the adminhtml module. This is done during Magento install or anytime by editing the admin/routers/adminhtml/args/frontName node in app/etc/local.xml. By the way, the admin frontName or the admin URL should always be something besides /admin - it's the cheapest impediment to bot attacks.

3) is TERRIBLE ADVICE. The secret key exposes nothing and should mitigate POST attacks.

4) is the only worthwhile item from the post.

Besides the above, everything else comes down to standard web server security. Patch your installs regularly, patch your software regularly, use sFTP if possible.

The only Magento-specific advice I can add is to ensure that you review any third-party modules before you install.


One thing that is also good to do is to set up a web server based login / password on your admin location to add an extra layer of security to your admin, OR set up the admin to be accessible only to a particular set of IPs. Keep the OS, PHP, Apache, and MySQL as up to date as possible to prevent any exploitation of these services outside the realm of Magento itself.

http://addoa.com/blog/ten-tips-keeping-your-magento-store-secure


While setting up Magento during the installation process, selecting the option for using a table prefix may help, too. Then, when the site is attacked and SQL injection is used, it will be more difficult (but not impossible :) ) for the attacker to find out the right table names for the SQL queries.
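An added example, not part of the original answers: a small audit of `app/etc/local.xml` that checks the admin `frontName` node and the table prefix mentioned in the answers above. The sample XML, the `global/resources/db/table_prefix` path (assumed Magento 1 layout) and the list of guessable names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1 app/etc/local.xml (values are illustrative).
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <resources>
      <db><table_prefix><![CDATA[]]></table_prefix></db>
    </resources>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args><frontName><![CDATA[admin]]></frontName></args>
      </adminhtml>
    </routers>
  </admin>
</config>"""

# Hypothetical list of admin paths that are trivially guessed; extend as needed.
GUESSABLE_FRONTNAMES = {"admin", "backend", "administrator", "manage"}

def _text(root, path):
    """Return the stripped text of the node at path, or None if it is absent."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else None

def audit_local_xml(xml_text):
    """Return a list of findings for the two local.xml settings discussed above."""
    root = ET.fromstring(xml_text)
    findings = []
    front = _text(root, "admin/routers/adminhtml/args/frontName")
    if not front:
        findings.append("admin frontName is not overridden in local.xml")
    elif front.lower() in GUESSABLE_FRONTNAMES:
        findings.append(f"admin frontName '{front}' is easily guessed")
    prefix = _text(root, "global/resources/db/table_prefix")
    if not prefix:
        findings.append("no table prefix set: tables use the stock names")
    return findings

if __name__ == "__main__":
    for finding in audit_local_xml(SAMPLE_LOCAL_XML):
        print("WARN:", finding)
```
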
