We sacrifice by not doing any other technology, so that you get the best of Magento.

You don’t want your site to slow down or crash for no apparent reason, so it is advisable to set up a watch on the areas that matter most to your site and schedule a periodic audit. To point you in the right direction and keep your Magento store maintained, we have laid out the entire audit checklist below.

Why do I need an Audit?

As an owner, it is your responsibility to make sure that your customers stay unharmed. A site audit helps protect your website from hackers. If any unethical activity is taking place, such as stealing card information or taking control of customers’ personal data, a site audit will identify such attempts and inform you immediately. It also surfaces existing issues that are bugging your system so that you can solve them before they grow further, and it lets you chart out the next course of action for your website, such as minor fixes, an update, or a migration.

Thus, if you want your website to run smoothly and improve its performance, you have to perform regular site audits.

What do I Audit?

Your audit should cover three major sectors:

1. Security

Your site collects your customers’ personal details, so you need to closely monitor for any known symptoms of common Magento hacks. Keep a close eye on the state of security patches, changes in modes, and any modifications made to extensions. Recheck the administrator accounts and payment configuration. A Magento site audit will detect vulnerabilities in the payment methods, administrative credentials, and site control that result from changes to certain settings.

2. Performance

The growth of your business is directly connected to your site performance. You should measure the speed of your hosting service, page download, and response time. Make sure your site does not throw any 404 errors. Your site design and theme help attract new visitors, so see that both are responsive. A performance audit may suggest enhancing your design or a complete overhaul. You might also have to do design optimization and upgrade to the latest versions.

3. Health

Health combines both security and performance. Its main focus is adherence to best practices. A health audit checks for any core edits or overrides to the Magento core code. A proper health check will keep the system clean, tell you about changes in the settings, and also tell you whether extensions are disabled.

How do I Audit?

A Magento website audit takes into account four main areas.

1. Server

A server audit covers network configuration, log files, security, applications and services, and users. Let’s elaborate on them:

1.1. Users

Your audit should first check how a user accesses your system and which authentication mode is used for that user. After the identification is done, categorize the list of users into roles and functions and then evaluate their access. This way you can identify different types of users and their role in the system. If you come across a user with access rights but no need for them, you can simply remove the user.

1.2. Network configuration

The network configuration has three prime aspects which need your attention while auditing: configuration, listening ports, and the firewall. The configuration check verifies whether the IP addresses, netmask, and gateway are secured. Listening ports offer insights on the active services so that you can check their purpose in the business. Last is the firewall, which is the network shield. You can configure the firewall settings according to what your system stores. Keep it simple: the more sensitive the data, the fewer systems it should communicate with.

1.3. Security

Always check whether proper access rights have been assigned to different users based on their business roles. For better security you may choose to assign controlled access to users, which can prevent any unauthorized execution of files. There will be some files in the system with no proper owner; in such cases you have to put SetUID or SetGID into action and block any type of illicit file execution. This way you can protect your system from attacks.

1.4. Log files

Log files contain an account of all the actions that have been performed on the system, so they should be protected and rotated. Check whether all calls and actions are logged in a timely manner. Check the syslog configuration for a secured logging mechanism and find out whether remote logging is enabled on the system. If you do not find remote logging on the system, we would suggest you deploy a SIEM solution to start the practice.

1.5. Applications and services

Your server is filled with applications and services, so as part of the server audit keep looking at these applications. An audit tells you what types of applications are present and how much your server is exposed to attacks. If you come across an untrusted application, be aware that it can create backdoors into other applications. A timely check will have an impact on both security and performance.
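
As an added example (not from the original post), here is a small POSIX shell audit covering checks 1.1 to 1.5: interactive accounts in /etc/passwd, services listening on all interfaces, SetUID/SetGID files, and remote syslog destinations. The passwd, `ss -ltnp` and rsyslog.conf contents below are constructed so the script runs offline, and the SIEM hostname is a placeholder.

```shell
#!/bin/sh
# Added example: server-audit helpers for sections 1.1-1.5. The sample data is
# constructed; on a real host feed /etc/passwd, `ss -ltnp` output and
# /etc/rsyslog.conf into the same functions.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
olddev:x:1002:1002::/home/olddev:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=1,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*  users:(("nginx",pid=2,fd=6))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*  users:(("mysqld",pid=3,fd=20))
LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*  users:(("redis-server",pid=4,fd=6))'
SAMPLE_RSYSLOG='module(load="imuxsock")
*.* @@siem.example.internal:6514
local7.* /var/log/boot.log'

# 1.1 Users: accounts with a real login shell. Each one must map to a role
# that still needs access; anything else is a candidate for removal.
login_users() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}
# 1.2 Network: listeners bound to every interface (0.0.0.0 or [::]).
# Loopback-only services such as the MySQL line above are not reported.
exposed_ports() {
  awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\[::\]):/ {
         port = $4; sub(/.*:/, "", port)
         proc = $6
         if (match(proc, /"[^"]+"/)) proc = substr(proc, RSTART + 1, RLENGTH - 2)
         print port, proc
       }'
}
# 1.3 Security: files carrying the SetUID/SetGID bit (GNU find syntax).
setuid_files() {
  find "${1:-/}" -xdev -type f -perm /6000 2>/dev/null
}
# 1.4 Log files: remote syslog targets (@ = UDP, @@ = TCP). No output means
# the logs exist only on the host and would vanish with it.
remote_log_targets() {
  awk '$2 ~ /^@@?/ { sub(/^@@?/, "", $2); print $2 }'
}

echo "== interactive accounts"; printf '%s\n' "$SAMPLE_PASSWD" | login_users
echo "== exposed listeners";    printf '%s\n' "$SAMPLE_SS" | exposed_ports
echo "== remote log targets";   printf '%s\n' "$SAMPLE_RSYSLOG" | remote_log_targets
```

Run `setuid_files /usr` on the host itself and compare the list against the previous audit; a new entry is worth explaining before anything else.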

2. PHP

PHP works with multiple RDBMSs and is used to create dynamic pages, so when you audit PHP always check whether the system has the latest, updated version installed. PHP uses different resources to perform different types of functions, so you need to check how much resource it is consuming and find ways to optimize the consumption. Like any other code, PHP code also breaks, but you can ensure that if such a situation arises, whether because of incorrect compilation, wrong configuration, or simply a code break, the error does not show up on your live website.

3. Magento

Magento is the third most popular eCommerce platform. Nearly 62 percent of Magento stores are vulnerable to malicious attacks. If your store is running on Magento, you have to be extra careful and find the best way to protect your site. There are a number of scanners that can help you. Find one that checks for brute force attack attempts, identifies the presence of Visbot malware, tells you if your APIs are exposed, and tells you whether your web forms are under threat of RCE.

The scanner you select should be able to check core Magento and inform you about the status of security patches 9652, 6482, 7405, and 6788, whether your admin panel is disclosed, whether there have been any ransomware attack attempts, and whether Gurulnc Javascript is present. In addition, if your scanner checks for vulnerabilities among 3rd-party extensions, there’s nothing like it. For a site that faces thousands of visits and hundreds of transactions, an automated scan alone will not serve the purpose; you also need to personally check the site’s backend and frontend separately.

3.1. Backend audit

A backend audit checks the Magento development standards and security updates. It also identifies any loopholes in the code that may result in a backdoor entry into the system. A backend audit covers overall performance and examines the queries made from PHP. The check also includes server-side technologies, usage of external modules, and the integration process.

3.2. Front end audit

Frontend auditing checks JS, CSS, and independently developed JS plugins. You can also check page speed using Google PageSpeed, YSlow, or GTmetrix. Auditing also checks the Magento template. These findings will help you optimize your site performance.

4. MySQL

You need a clear understanding of the entire database and its relationships when you audit MySQL. The audit first checks the tables; once you have the complete picture of the different types of tables, storage engines come next, and then indexes. All RDBMSs use a database index, or a set of database indexes, to order and efficiently access records. Check whether such indexes are present in your system.

You also need to look at the user permissions especially when you have a critical system running to capture your customer information, product information, transaction information, and more. You don’t need someone dealing with product data to look into customer data and vice versa, right?

The next important step is to inspect the log files. MySQL uses diverse types of logging technologies that can be used for auditing.

4.1. Error log

It works with the log_warnings system variable, which maintains a record of all the warnings. This log is used to debug critical errors.

4.2. Slow query log

SQL statements that have taken a long time to execute are logged here. It helps in identifying the queries that take a long time and impact the performance of the site.
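
As an added example (not from the original post), here is a POSIX shell parser for the MySQL slow query log format that lists entries above a Query_time threshold, slowest first, and sums Rows_examined per account, so a reporting account scanning the customer table stands out as well as a slow page. The log excerpt, table names and account names are constructed.

```shell
#!/bin/sh
# Added example: parse the MySQL slow query log (section 4.2). The excerpt is
# constructed, in the 5.7-style header layout; on a server read the file named
# by the slow_query_log_file variable instead.
SAMPLE_SLOW_LOG='# Time: 2024-05-01T10:00:00.000000Z
# User@Host: magento[magento] @ localhost []  Id:    42
# Query_time: 4.812345  Lock_time: 0.000123 Rows_sent: 1  Rows_examined: 1200000
SET timestamp=1714557600;
SELECT COUNT(*) FROM sales_order WHERE customer_id = 12345;
# Time: 2024-05-01T10:00:03.000000Z
# User@Host: magento[magento] @ localhost []  Id:    43
# Query_time: 0.310000  Lock_time: 0.000050 Rows_sent: 20  Rows_examined: 800
SET timestamp=1714557603;
SELECT * FROM catalog_product_entity LIMIT 20;
# Time: 2024-05-01T10:07:12.000000Z
# User@Host: report_ro[report_ro] @ 10.0.0.9 []  Id:    57
# Query_time: 12.104400  Lock_time: 0.000200 Rows_sent: 50000  Rows_examined: 5000000
use magento;
SET timestamp=1714558032;
SELECT e.entity_id, e.email
FROM customer_entity e
JOIN sales_order o ON o.customer_id = e.entity_id;'

# Entries whose Query_time is >= $1 seconds, slowest first, printed as
# query_time<TAB>rows_examined<TAB>user<TAB>statement (multi-line SQL joined).
slow_queries_over() {
  awk -v min="$1" '
    /^# User@Host:/  { user = $3 }
    /^# Query_time:/ { qt = $3; rows = $NF; stmt = "" }
    /^#/ || /^SET timestamp=/ || /^use / { next }
    {
      stmt = (stmt == "") ? $0 : stmt " " $0
      if ($0 ~ /;[ \t]*$/) {
        if (qt + 0 >= min + 0) printf "%s\t%s\t%s\t%s\n", qt, rows, user, stmt
        stmt = ""
      }
    }' | LC_ALL=C sort -rn
}
# Rows examined per account across every slow entry: a read-only reporting
# user scanning millions of customer rows deserves a look at its grants.
rows_examined_by_user() {
  slow_queries_over 0 | awk -F'\t' '{ r[$3] += $2 }
    END { for (u in r) printf "%s\t%s\n", u, r[u] }' | LC_ALL=C sort
}

echo "== queries slower than 1s";  printf '%s\n' "$SAMPLE_SLOW_LOG" | slow_queries_over 1
echo "== rows examined per user";  printf '%s\n' "$SAMPLE_SLOW_LOG" | rows_examined_by_user
```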

4.3. Binary log

When you need to review data modifications made by committed transactions, you will find them in the binary log. This may not help in pointing out any suspicious selection of data, but it helps you find the details of any changes made to the database.

4.4. Custom made triggers

As an alternative to binary log review, you may choose to use custom-made triggers to get the details of any data modification. Although this offers flexibility in auditing, it is cumbersome to maintain.

4.5. General log

This is a catch-all technique. The general log records all queries a server receives. It is the most detailed logging technique, but at the same time it takes a lot of time to sift through, as it has no filtering mechanism.

Bottom Line

More than 2,200 Magento sites have fallen victim to malicious attacks. With 7 more months to go in 2019 and no way of knowing how many more sites the year will claim, all we can say is that the rise of attacks on Magento is scary. But it needn’t be this way.

A little more careful deployment, regular maintenance, and periodic audits by trained webmasters can bring this number down. If you plan the set of checks discussed here and start tracking them, you will save yourself a lot of the stress, effort, and money involved in correcting your system. And that, we believe, is the way to go for a site that deals with sensitive data, from a customer’s delivery address to her money.

Need help auditing your Magento site?

We’ve had a lot of experience customizing Magento here at Mage Monkeys. If you need help, head over to the Mage Monkeys contact page, or email us at contact@magemonkeys.com.
