- Magento Development
- Magento Support
- Industry Solutions
- Start A Project
You don’t want your site to slow down or crashes for no apparent reason so it is advisable to set up a watch on the areas that matter the most to your site and schedule a periodic audit. To help you in the right direction and keep your Magento store maintained we have presented the entire audit checklist.
Why do I need an Audit?
As an owner, it is your responsibility to make sure that your customers stay unharmed. A site audit will protect your website from the hacker. If any unethical movements are taking place like stealing the card information or controlling the customers’ personal data then site audit will identify such attempts and inform you immediately. It also audits existing issues which are bugging your system so that you can solve them before they grow further. It allows you to chart out the next course of action for your websites like performing minor fixes, an update or a migration.
Thus, if you want your website to run smoothly and develop the performance then you have to perform a regular site audit.
What do I Audit?
Your audit should cover the major three sectors:
Your site collects your customers’ personal details so you need to minutely monitor any known symptoms of common Magento hacks. Keep a close eye on existing security patches, changing in the mode or any kind of modification are done in the extension. Recheck the administrator accounts and payment configuration. Magento site audit will detect any vulnerability in the payment methods, administrative credentials, and site control due to the changes in certain settings.
Growth of your business is directly connected to your site performance. You should measure the speed for your hosting services, page download and response time. Make sure your site does not throw any 404 error. Your site design and theme helps in attracting new visitors to see to it that both are responsive. A Performance audit may suggest you enhance your design or a complete overhaul. You might also have to do design optimization and upgrading to the latest versions
Health combines both, security and performance. Its main focus is on adherence to the best practices. Health audit checks any core edits or overrides to the Magento core code. A proper health check will keep the system clean, tell you about changes in the settings and also the extension disability or not
How do I Audit?
A Magento website audit takes into account four main areas.
A server audit is all about network configuration, log files, security, checking application and services, users. Let’s elaborate them:
Your audit should first check how a user accesses your system and provided the authentication mode of the user. After the identification is done you categorize the list of users into roles and functions and then do an evaluation of their access. This way you can identify different types of users and their role in the system. If you come across a user with an access right but without a need then you can simply remove the user.
1.2. Network configuration
The network configuration has three prime aspects which need your attention while auditing. They are configuration, Listening ports and Firewall. The configuration will check whether the IP addresses, netmask and gateway are secured. Listening ports offers insights on the active services so that you can check their purpose in the business. Last is the Firewall that is the network shield. You can configure the setting of the firewall as per your system storage. Keep it simple, the more sensitive the data, the less number of systems it should communicate with.
Always check whether proper access rights have been assigned to different users based on their business roles. For better security you may choose to assign controlled access to the users can prevent any unauthorized execution of files. There will be some files in the system where you will see no proper owner in such
cases you have to put SetUID or SetGID into action and block any type of illicit file execution. This way you can protect your system from attacks.
1.4. Log files
Log files contain an account of all the actions that have been performed on the system so it is said that log files should be protected and rotated. Keep a check whether all calls and actions are timely logged. Check syslog configuration for a secured logging mechanism and find out it remote logging is allowed by the system. If you do not find remote logging in the system then we would suggest you deploy a SIEM solution to start the practice.
1.5. Applications and services
Your server is filled with applications and services therefore as a part of the server audit keep looking at these applications. An audit provides you with types of applications and how much your server is exposed to attacks. While looking if you come across any untrusted application then you can create backdoors for other applications. The timely check will have an impact on both security and performance.
PHP works with multiple RDBMS. It helps in creating dynamic pages so when you audit PHP always check whether the system has latest and updated version installed. PHP uses different resources to perform on different types of function, therefore, you need to check out how much resource it is consuming and ways to optimize the consumption. Like any other codes, PHP codes also breakdown but you can ensure that if any such situation arises because of incorrect compilation or wrong configuration or simply by code break then such error does not show up your live website.
Magento is the third most popular eCommerce platform. Nearly 62 per cent of Magento stores is vulnerable to malicious attacks. If your store is running on Magento then you got to be extra careful and find the best way to protect your site. There is a number of scanners who can help you. Find the one who checks for brute force attack attempts, identifies the presence of Visbot malware, tells you if your APIs are exposed or your web forms are under the threat of RCE.
3.1. Backend audit
Backend audit checks the Magento development standards and security updates. It also identifies if there are any loopholes in the code that may result in the backdoor entry into the system. Backend audit will ensure checking of overall performance and examining the queries made in PHP. The checking also includes server-side technologies, usage of external modules and integration process.
3.2. Front end audit
Frontend auditing checks JS, CSS and the independently developed JS plugins. You can even check the page speed by using Google page speed or Yslow or GTMetrix. Auditing also checks the Magento template. These different findings will help you optimize your site performance.
You need to have a clear understanding of the entire database and the relationship when you audit MYSQL. The first audit will check tables once you get the complete picture of different types of tables then next come storage engines further it checks indexes and efficiently order access to records all RDBMS use a database index or a set of database indexes. Check out whether if there is any such index present in your system.
You also need to look at the user permissions especially when you have a critical system running to capture your customer information, product information, transaction information and more. You don’t need someone dealing with product data to look into customer data and vice versa, right?
Next important step is to inspect the log files. MySQL uses diverse types of logging technologies that can be used to auditing.
4.1. Error log
It works on log_warning system variable that maintains a record of all the warnings. This log is used to debug any critical errors.
4.2. Slow query log
The SQL statements that have taken long to execute are logged here. It helps in identifying the queries that take longer time and impact the performance of the site.
4.3. Binary log
When you’re to review data modifications done using committed transaction, you’re to find them under the binary log. This may not help in pointing out at any suspicious select but helps you to find out the detail on any changes done to the database.
4.4. Custom made triggers
As an alternative to binary log review, you may choose to use custom made triggers to get the detail on any modification of data. Although it offers flexibility in the auditing, it’s too cumbersome to maintain.
4.5. General log
This is a catch-all technique. The general log records all queries a server receives. This is the most detailed logging technique, at the same time it takes a lot of time to sift through as this one doesn’t have any filtering mechanism.
More than 2,200 Magento sites have been a victim to malicious attacks. With 7 more months to go and complete ignorance with respect to how many more sites, 2019 will claim, all we can comment is, the rise of the attack on Magento is scary. But it needn’t be this way.
A little more careful deployment, regular maintenance, and a periodic audit, by trained webmasters, can bring this number down. If you plan the set of checks discussed and start tracking them, then you will save yourself from a lot of stress, effort, and money involved in correcting your system. And that we believe is the way to go for a site that deals with sensitive data – from a customer’s delivery address to her money.
Need help auditing your Magento site?
We’ve had a lot of experience customizing Magento here at Magemonkeys. If you need help, head over to the Magemonkeys contact page, or email us at firstname.lastname@example.org