Why make life easy for an attacker to breach your Magento environment? This official Magento guide explains in detail how to start making your Magento eCommerce site less vulnerable.
As explained in this guide, we can see recommendations that would not be difficult to implement which would drastically improve the security stance of the environment. We have found in recent breaches, that a simple administration panel being publicly accessible was one of the main contributing factor to the compromise.
Use the latest version of Magento to ensure that your installation includes the most recent security enhancements. If for any reason you cannot upgrade to the latest version, make sure to install all security patches as recommended by Magento. Although Magento issues security patches to fix major issues, new product releases include additional improvements to help secure the site.
Use a unique, custom Admin URL instead of the default “admin” or the often-used “backend”. Although it will not directly protect your site from a determined attacker, it can reduce exposure to scripts that try to break into every Magento site. (Never leave your valuables in plain sight.)
Check with your hosting provider before implementing a custom Admin URL. Some hosting providers require a standard URL to meet firewall protection rules
Block access to any development, staging, or testing systems. Use IP allow lists and .htaccess password protection. When compromised, such systems can produce a data leak or be used to attack the production system.
Use the correct file permissions. Core Magento and directory files should be set to ready only, including app/etc/local.xml files.
These recommendations, as well as other best practises listed in the guide below, should be implemented. This will assist in preventing your environment from being compromised and keep criminals as far away as possible from confidential data.