1] Use a secure and strong password
- Choose a difficult password.
- Use a secure FTP password.
- Do not save the password on your computer.
Here are some tips for creating a really secure and strong password:
- Longer is better: use at least 10 characters.
- Mix upper and lower case letters, punctuation, and numbers.
- Making your password pronounceable can make it easier to remember and type quickly.
2] Do not use your Magento password for anything else:
3] Change Your Magento Admin path:
System → Configuration → Advanced → Admin → Admin Base Url
Most important note: do not use the Admin Base URL setting; it will break your site.
How to change your Magento Admin path
There is an easy way to change your Magento Admin path.
4] Require HTTPS/SSL for all pages with logins:
Enable “Use Secure URLs in Frontend” and “Use Secure URLs in Admin” in the “Secure” section of the “Web” tab in the system configuration.
5] Keep up-to-date anti-virus software installed:
6] Disallow script execution in writable folders such as media and uploads:
1. If you have access to httpd.conf, add the following handler mapping for those directories:
   AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
2. If you don't have access to httpd.conf, you can also set it in .htaccess as follows:
   AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
   Options -ExecCGI
   Set permission 444 on the .htaccess file after adding the code.
NOTE: put that .htaccess code in the directory where you want to disallow scripting.
7] Allow admin login only from specific IP addresses:
You can add the following to the .htaccess of the admin area to limit access to it:
AuthName "Protected Area"
<Limit GET POST>
order deny,allow
deny from all
allow from 220.127.116.11
allow from 49.248.5.
</Limit>
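The following script is an added example for points 6 and 7 above; it is not from the original page. It generates the two .htaccess files just described (one that stops Apache executing scripts in a writable upload directory, one that restricts the admin area to an allow list of IPv4 addresses or trailing-dot prefixes), writes them read-only (444), and rejects malformed addresses before anything is written. It assumes Apache honours .htaccess for these directories (AllowOverride) and accepts the Order/Deny/Allow syntax (native in 2.2, via mod_access_compat in 2.4). The directory names and the sample addresses in demo are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original page's code. Generates and installs the
# two .htaccess files described in points 6 and 7. Assumes Apache with
# AllowOverride enabled and Order/Deny/Allow syntax available.

# Accept a dotted IPv4 address (1 to 4 octets, each 0-255) optionally ending
# in a dot, which Apache treats as a partial-address prefix (e.g. 49.248.5.).
valid_ipv4_or_prefix() {
  case "$1" in
    *[!0-9.]*) return 1 ;;   # only digits and dots allowed
    .*|*..*|"") return 1 ;;  # no leading dot, no empty octet, not empty
  esac
  octets=$(printf '%s' "$1" | sed 's/\.$//' | tr '.' ' ')
  n=0
  for o in $octets; do
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -ge 1 ] && [ "$n" -le 4 ]
}

# Print the .htaccess body that makes Apache refuse to run scripts here:
# every script extension is mapped to the CGI handler and CGI is disabled.
noexec_htaccess() {
  cat <<'EOF'
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
EOF
}

# Print an admin-area .htaccess that denies everyone except the given
# addresses. No <Limit> wrapper is used, so every request method is covered.
admin_htaccess() {
  for ip in "$@"; do
    valid_ipv4_or_prefix "$ip" || { echo "invalid address: $ip" >&2; return 1; }
  done
  echo 'Order deny,allow'
  echo 'Deny from all'
  for ip in "$@"; do echo "Allow from $ip"; done
}

# Write stdin to $1/.htaccess and make the file read-only (444).
install_htaccess() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/.htaccess"
  chmod 444 "$dir/.htaccess"
}

# Demo on a constructed directory tree under a temp dir; prints its root.
# The two addresses are the constructed sample values from the page.
demo() {
  root=$(mktemp -d)
  noexec_htaccess | install_htaccess "$root/media"
  admin_htaccess 220.127.116.11 49.248.5. | install_htaccess "$root/admin"
  echo "$root"
}
```

One difference from the page's snippet is deliberate: the page wraps the deny/allow rules in `<Limit GET POST>`, which only restricts those two methods and leaves others (HEAD, PUT, OPTIONS) unrestricted, so the generated file applies the rules to all methods. Run `demo` to see both files in a scratch directory before copying the bodies into your real media and admin directories.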
8] Block countries where you are not doing business:
You can block them with iptables rules on the server.
9] Set proper permissions and ownership settings:
The safe setting for Magento is chmod 755 on directories and 644 on all files, with the exception of frequently created/deleted files such as session or cache files, which need chmod 755.
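An added example (not the page's own script) that applies the scheme just described to a Magento document root and then audits it. It assumes the Magento 1.x layout in which var/ (cache, session) and media/ hold the files the web server creates and deletes; those two trees get 755 as the page states, everything else gets 755 for directories and 644 for files. The demo tree and its deliberately wrong modes are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original page's code. Applies and audits the
# 755/644 permission scheme on a Magento 1.x document root. Assumes var/
# and media/ are the trees the web server must write to.

# Apply the scheme: 755 on directories, 644 on files, then 755 on the
# writable var/ and media/ trees so the web server can manage their files.
apply_magento_permissions() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  for writable in "$root/var" "$root/media"; do
    if [ -d "$writable" ]; then
      find "$writable" -exec chmod 755 {} +
    fi
  done
}

# Audit the scheme and print the number of paths that violate it
# (0 means clean): directories not 755, files outside var/ and media/
# not 644, and anything world-writable.
audit_magento_permissions() {
  root=$1
  bad=0
  bad=$((bad + $(find "$root" -type d ! -perm 755 | wc -l)))
  bad=$((bad + $(find "$root" -path "$root/var" -prune -o \
                       -path "$root/media" -prune -o \
                       -type f ! -perm 644 -print | wc -l)))
  bad=$((bad + $(find "$root" -perm -002 | wc -l)))
  echo "$bad"
}

# Build a constructed Magento-like tree under a temp dir with two
# deliberately wrong modes, and print its root.
build_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/app/code" "$root/var/cache" "$root/var/session" "$root/media/catalog"
  echo '<?php' > "$root/index.php"
  echo '<?php' > "$root/app/code/Foo.php"
  touch "$root/var/cache/mage---a" "$root/media/catalog/p.jpg"
  chmod 777 "$root/app/code/Foo.php"   # world-writable source file: wrong
  chmod 777 "$root/media"              # world-writable directory: wrong
  echo "$root"
}
```

Run `build_demo_tree`, then `audit_magento_permissions` on the result to see the violations counted, `apply_magento_permissions` to fix them, and audit again for 0. Note that mode bits alone do not make var/ and media/ writable for the web server: the owner (or group, with a group-writable variant) must be the user Apache runs as, which is the ownership half of this step.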
For more details, refer to the Magento link:
10] Use SFTP instead of FTP
11] Remove your RELEASE_NOTES.txt after installation
12] Don’t save export files containing sensitive information in folders accessible from the web