1] Use a secure and strong password

Magento is the most powerful and secure framework in eCommerce, but there are still some tips you should follow to make sure your Magento store is safe and sound. When you choose your Magento site password, choose it carefully: depending on your configuration and permissions, this password may give access to customer information.
    • Choose a difficult password:
The Magento admin password must be different from the username and should include special characters and numerals. To make sure the password is secure, make it long by adding as many characters as possible, not only letters but punctuation and numbers too.
    • Use a secure FTP password:
Most of the time, weak and short passwords are the reason a site gets hacked, so use a strong and complex password for FTP as well. A strong, long password protects your website from attackers.
    • Do not save passwords on your computer:
Developers sometimes save their FTP and admin passwords on their computer for regular use, and when the site goes live those passwords are not removed, which makes the website easy to compromise. To secure your website, do not save your FTP password, and do not save the admin password in your browser either.

Here are some tips for creating a really secure and strong password:

  • Longer is better: use at least 10 characters.
  • Mix upper and lower case letters, punctuation, and numbers.
  • Making your password pronounceable can make it easier to remember and type quickly.

2] Do not use your Magento password for anything else:

Do not use your Magento password on any other website or web service. Third-party sites may support SSL (Secure Sockets Layer) for login, but if a third-party website is hacked, your password may still be exposed.

3] Change Your Magento Admin path:

Generally, you access your Magento Admin panel at sitename.com/admin. Leaving the path to your admin panel easily guessable means that someone or something can start trying to guess your password. How NOT to change your Magento Admin path:
System → Configuration → Advanced → Admin → Admin Base Url

Most important note: do not use the Admin Base URL setting to change the path. It will break your site.

How to change your Magento Admin path

There is an easy way to change your Magento Admin path.

1. Edit /app/etc/local.xml
2. Find <![CDATA[admin]]> and replace ‘admin’ with the path you would like to use. So if your local.xml file says <![CDATA[testbackend]]>, your admin path will be /testbackend.
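The following shell snippet is an added example, not code from the original post: it reads the admin path (frontName) from a Magento 1 app/etc/local.xml and flags the guessable default. It assumes the standard Magento 1 layout, where the value lives under admin → routers → adminhtml → args → frontName; the local.xml files built by make_sample_local_xml are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the standard Magento 1
# local.xml structure <admin><routers><adminhtml><args><frontName>.

# Print the admin frontName stored in the given local.xml (empty if not found).
admin_front_name() {
    sed -n 's/.*<frontName><!\[CDATA\[\([^]]*\)]]><\/frontName>.*/\1/p' "$1"
}

# Return 0 (true) when the site still answers on the default /admin path,
# which is what tip 3 tells you to change.
admin_path_is_default() {
    name=$(admin_front_name "$1")
    [ -z "$name" ] || [ "$name" = "admin" ]
}

# Write a constructed local.xml with the given frontName (demo/test data only).
make_sample_local_xml() {
    cat > "$1" <<EOF
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[$2]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}

# Usage: admin_path_is_default /var/www/magento/app/etc/local.xml && echo "still /admin"
```

Run admin_path_is_default against the live local.xml from a deployment checklist; a non-empty name other than "admin" confirms the change described above took effect.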

4] Use HTTPS/SSL for all pages with logins:

In Magento, you can require secure logins by selecting “Yes” for both “Use Secure URLs in Frontend” and “Use Secure URLs in Admin” in the “Secure” section of the “Web” tab in the system configuration.

5] Use up-to-date anti-virus software:

Computer viruses and Trojans can steal your data and log your keystrokes.

6] Disallow script execution under full-permission folders like media and uploads:

1. If your server is dedicated or a VPS, you can add the following configuration to your httpd.conf to prevent script execution in a specific folder:

<Directory /your-dir-path>
    # Route script extensions through the CGI handler, then forbid CGI execution,
    # so an uploaded script in this tree is refused instead of being run
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
</Directory>
2. If you don't have access to httpd.conf, you can also set it with .htaccess as follows:

  • AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
  • Options -ExecCGI
  • Set 444 permissions on the .htaccess file after adding these lines

NOTE :- Put that .htaccess file in the directory where you want to disallow script execution.
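As an added example (not code from the original post), this shell snippet writes the .htaccess from tip 6 into an upload directory, locks it to mode 444 as the tip advises, and checks that a directory is actually protected. It assumes Apache honours .htaccess (AllowOverride) for that directory; the directory paths used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Apache reads .htaccess
# in the target directory (AllowOverride enabled).

# Write the no-exec .htaccess into DIR and lock it to mode 444.
write_noexec_htaccess() {
    dir=$1
    mkdir -p "$dir"
    # an earlier 444 copy must be made writable before it can be rewritten
    [ -f "$dir/.htaccess" ] && chmod 644 "$dir/.htaccess"
    cat > "$dir/.htaccess" <<'EOF'
# Treat scripts as CGI, then forbid CGI execution: uploads are served, never run
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
EOF
    chmod 444 "$dir/.htaccess"
}

# Return 0 if DIR is protected: both directives present and the file is read-only (444).
# Prints one line saying what is wrong otherwise, so it can run from a cron job.
check_noexec_dir() {
    dir=$1
    f="$dir/.htaccess"
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    grep -q '^AddHandler cgi-script .*\.php' "$f" || { echo "NO AddHandler in $f"; return 1; }
    grep -q '^Options[[:space:]]*-ExecCGI' "$f" || { echo "NO -ExecCGI in $f"; return 1; }
    # find -perm 444 (no leading - or /) matches the exact mode only
    [ -n "$(find "$f" -perm 444 -print)" ] || { echo "PERMS not 444 on $f"; return 1; }
    echo "OK $f"
    return 0
}

# Usage: write_noexec_htaccess /var/www/magento/media; check_noexec_dir /var/www/magento/media
```

The check is deliberately strict about the 444 mode: a writable .htaccess in an upload directory is exactly the file an uploaded script would try to rewrite, so a mode drift is reported as a failure rather than a warning.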

7] Allow admin login from specific IP addresses only:

You can apply the following configuration in .htaccess to limit access to the admin area:

# Apache 2.2-style access control (needs mod_access_compat on Apache 2.4).
# AuthName/AuthType only take effect if paired with AuthUserFile and Require.
AuthName "Protected Area"
AuthType Basic
# <Limit GET POST> restricts only those two methods; other methods stay open,
# so use <LimitExcept GET POST> or drop the <Limit> wrapper to cover everything
<Limit GET POST>
Order deny,allow
Deny from all
# a single address, then a prefix (49.248.5. matches 49.248.5.0-255)
Allow from 114.143.5.69
Allow from 49.248.5.
</Limit>

8] Block countries where you are not doing business:

You can block them with iptables rules on the server; see:
https://www.cyberciti.biz/faq/block-entier-country-using-iptables/
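As an added example, not part of the original post or the linked article, the shell snippet below turns a list of IP ranges for a country (CIDR notation, one per line, as distributed by the kind of lists the linked article relies on) into ipset and iptables commands. It only prints the commands so they can be reviewed before being run as root; the set name and the CIDR list used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, but does not run,
# the ipset/iptables commands for a country block list.

# Matches a well-formed IPv4 CIDR such as 203.0.113.0/24; anything else is skipped.
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'

# Print the commands that drop inbound traffic from every valid CIDR in FILE.
# One iptables rule references the whole set, so the chain stays short
# however long the list is. Comments, blank lines and junk are ignored.
country_block_rules() {
    file=$1
    set_name=${2:-blocked_countries}   # hypothetical default set name
    echo "ipset create $set_name hash:net -exist"
    grep -E "$CIDR_RE" "$file" | while read -r cidr; do
        echo "ipset add $set_name $cidr -exist"
    done
    echo "iptables -I INPUT -m set --match-set $set_name src -j DROP"
}

# Count the ranges a list contributes; useful for sanity-checking a download
# before loading it (an empty or truncated list should be noticed here).
count_valid_cidrs() {
    grep -cE "$CIDR_RE" "$1"
}

# Usage: country_block_rules /path/to/country.zone | sh   (as root, after review)
```

Keeping generation separate from execution lets you diff the output against the previous run and spot an unexpectedly large or empty list before the firewall changes.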

9] Set proper permissions and ownership settings:

The safe Magento setting is chmod 755 on directories and 644 on all files, with the exception of frequently created/deleted files such as session or cache files, which need chmod 755.
For more, refer to the Magento link:
https://www.magentocommerce.com/wiki/groups/227/resetting_file_permissions

10] Use SFTP instead of FTP

11] Remove RELEASE_NOTES.txt after installation

12] Don’t save export files with sensitive information into folders accessible on the web