luroConnect Security for Magento and WordPress

Since you run your business on a public website, being aware of security risks is crucial. On average we see one or two attacks per day per website we host. Attackers have many motives: simply causing trouble, holding the website owner to ransom, skimming customer data from the website, or running up your cloud bill. Adding layers of security, letting in the traffic you need and keeping out the traffic you do not want, is essential to your business.

luroConnect's multi-layered security approach has many components:

  • Web Application Firewall (WAF): built into our nginx layer, the WAF inspects request content and blocks traffic that matches attack patterns. SQL and other injection attempts are best blocked here, before they reach the application. A WAF needs per-site tuning to reduce false positives; luroConnect includes custom rulesets tuned for each website by our WAF experts.
  • Rate limiting and IP address blacklisting.
  • Bot blocker: requests are filtered on the HTTP User-Agent header. Since a client can send any User-Agent it likes, this stops careless bots, not a determined attacker, and it works alongside the rate limit and WAF rather than replacing them.
  • Protecting the admin login with HTTP basic authentication (when 2FA is not available), plus periodic reminders to review admin user roles and rotate passwords.
  • File system security: ensuring code directories are not writable by the web server or PHP process.
  • Ensuring files in upload folders can never be executed as PHP or served as JavaScript.
  • Code deployment security.
  • Sansec security scanner.
  • Secure backup process.
  • Allowing images to be uploaded securely without exposing the real folder structure (needed when importing products from a CSV).

These rules are based on known types of attack. Magecart-style skimmers work by inserting JavaScript into the checkout page so it can capture card and customer details as they are typed. For this to work, the attacker first needs a writable file or a database field in which to plant the code. By refusing writes to directories in which code resides, and by refusing to execute anything in the directories that do accept uploads, we close one of the ways malicious code gets inserted.
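To make the list above concrete, here is an added nginx configuration example for a Magento 2 store. It is not luroConnect's own configuration and is not part of the original page. It wires together the rate limit, the User-Agent bot block, an IP blacklist, HTTP basic authentication on the admin path, and the no-execute rule for the media (upload) folder that the Magecart paragraph relies on. The hostname shop.example.com, the document root, the PHP-FPM socket, the rate values, the blocked range 203.0.113.0/24 and the bot signatures are all assumptions chosen for illustration. The WAF ruleset, the file-system permissions and the Sansec scanner are separate components and are not shown.

```nginx
# Added example, not luroConnect's production configuration. Hostname, paths,
# limits, the blocked IP range and the bot signatures are assumptions.

# Rate limit: 10 requests/s per client address, 10 MB of shared state.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

# Bot blocker keyed on the User-Agent header. An empty UA and a few scanner
# signatures are flagged; treat this as a starting point, not a vetted list.
map $http_user_agent $blocked_ua {
    default                    0;
    ""                         1;
    ~*(masscan|nikto|sqlmap)   1;
}

# IP blacklist. 203.0.113.0/24 is a documentation range used as a placeholder.
geo $blocked_ip {
    default          0;
    203.0.113.0/24   1;
}

upstream fastcgi_backend {
    server unix:/run/php/php8.2-fpm.sock;   # assumed PHP-FPM socket
}

server {
    listen 443 ssl;
    server_name shop.example.com;            # assumed hostname
    root /var/www/magento/pub;               # assumed Magento 2 docroot
    index index.php;

    # ssl_certificate / ssl_certificate_key directives omitted for brevity.

    # Stop browsers from guessing a script type for an uploaded file.
    add_header X-Content-Type-Options nosniff always;

    # Drop flagged bots and blacklisted addresses before anything else.
    if ($blocked_ua) { return 403; }
    if ($blocked_ip) { return 403; }

    # Site-wide rate limit with a small burst for page assets.
    limit_req zone=perip burst=20 nodelay;

    # Admin login: HTTP basic auth in front of Magento's own login (used when
    # 2FA is not available) and a tighter limit against password guessing.
    # "admin" is Magento's default frontname; change it if the store uses a
    # custom one. Create the file with: htpasswd -c /etc/nginx/htpasswd.admin <user>
    location ^~ /admin/ {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd.admin;   # assumed path
        limit_req zone=perip burst=5;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Upload folder: serve images, never hand uploads to PHP, and never serve
    # anything a browser would run as a script.
    location /media/ {
        try_files $uri $uri/ /get.php$is_args$args;

        location ~* \.(php|phtml|phar|js|html?|svg)$ {
            deny all;
        }
        # Private upload areas that must never be web-reachable at all.
        location ~ ^/media/(customer|downloadable|import|custom_options)/ {
            deny all;
        }
    }

    # Only Magento's known PHP entry points reach PHP-FPM ...
    location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
        try_files $uri =404;
        fastcgi_pass  fastcgi_backend;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }

    # ... every other .php/.phtml/.phar, and sensitive dot-files, is refused.
    location ~* (\.php$|\.phtml$|\.phar$|\.htaccess$|\.htpasswd$|\.git) {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

Check the file with `nginx -t` before reloading. The entry-point whitelist at the end is the important part: even if an attacker manages to write a `.php` file into `pub/media`, nginx refuses to pass it to PHP-FPM, so a successful upload does not become code execution. The admin `location` is marked `^~` so that the basic-auth check runs before any regex location can claim the request.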

We routinely blog about security in Magento and WordPress.

We can analyze your site for free

Schedule a call

Not happy with your website performance and want an expert to look at it?

  • We will analyze your site using public information.
  • We will ask you for a web server log file covering one day.
  • We will identify what steps, if any, you should take to meet your site's performance goals.