As Magento Commerce is being used to power eCommerce stores, maintaining the security of your Magento installation and infrastructure is very important in order to protect both customers details and payment data.
If you are reading this while you suspect that your Magento store is already compromised, Sucuri has a good article on how to clean a hacked Magento site.
If you want to learn how to secure your Magento store, here are a some Magento Security Tips:-
Keep Everything Up to Date
As with any software, there are bounds to be bugs and security loopholes which are later patched either by a newer version or a security patch.
It is very important that you keep everything up to date at all times (this includes third-party extensions and themes) to ensure that all security loopholes are patched.
If you are not able to patch or upgrade your system for any reason, you may need to consider a solution like Sucuri Website Firewall which offers a Virtual Patching & Hardening feature that “patches” the loophole with the firewall so you are protected.
Use Only Trustworthy Extensions & Themes
Magento as a platform thrives due to the high number of extensions and themes that form part of its ecosystem. However, this is also a double edged sword as malicious actors may take advantage of the situation to create “free” extensions and themes that may have hidden backdoors.
As such, I highly recommend that you only use extensions and themes that are in the Magento Marketplace.
Isolate Live Magento Stores from the Rest
Always isolate your live Magento store from not just your development stores but also other applications that you may have (like WordPress for your blog, for example) to prevent cross contamination.
If your live Magento store is hosted in the same environment as the rest, any of the other applications that were compromised will mean that the hacker will gain access to your live Magento store as well.
If you are using a shared environment to host your Magento store, make sure that your Magento store is on it’s own hosting account and there are no other applications in the same account.
You also need to make sure that your shared hosting provider has properly software in place (for example CageFS, chroot, SuExec, etc) to isolate each hosting account from one another. This used to be a major issue with shared hosting but recent years many hosting providers have deployed advanced software to isolate the accounts in the same server properly.
All the companies in my Recommended Magento Hosting list has proper isolation in place for their hosting accounts so cross contamination will not occur.