SSL Security in Magento
If you are using Magento as an e-commerce platform, the site should be secured with an SSL/TLS certificate so that customers know any sensitive data they submit is encrypted in transit and protected from interception or tampering on the network. (A certificate protects data on the wire; it does not protect against malware on the server or the customer's device.)
The padlock icon in the address bar also adds credibility to your site and lets customers view the certificate details, which will match your site information.
This guide assumes you have already purchased an SSL certificate from a third party and have the certificate files they provide.
You can find walk-throughs in our other categories for installing SSL certificates on various platforms and panels. The steps differ depending on which OS is in use and whether a control panel is in place.
Log into your admin panel and go to System > Configuration. This section holds the configuration options for your store, such as site listings, themes, contacts and report generation.
Open the Web settings, as we need to change some of the values there.
First, switch the site from http to https: the Web section has separate Unsecure and Secure groups, each with its own Base URL, and the Secure Base URL must be set to https://WEBSITEURL.com/magento/
You can also have the whole site served over HTTPS. By default Magento only uses HTTPS for pages that handle sensitive data, such as customer login, checkout and payment, and serves the rest over plain HTTP. To enforce HTTPS site-wide, set Use Secure URLs in Frontend to ‘Yes’. The extra CPU cost of TLS on modern hardware is small, so performance is rarely a good reason to leave the rest of the site unencrypted.
To secure the Magento admin panel with HTTPS (recommended), set Use Secure URLs in Admin to ‘Yes’.
Save the changes, then navigate to your website and to the Magento admin login page. Pages served over HTTPS will now show the padlock icon, provided they do not load any image, script or stylesheet over plain HTTP; such mixed content removes the padlock and is blocked by current browsers.
Once the site is secured you can use a variety of third-party tools (for example an online SSL/TLS server test) to check the protection you have in place and find any outstanding issues that need addressing.
You can also edit the site's vHost file manually to change the TLS configuration and bring it in line with current standards and recommendations for sites that process card payments (PCI DSS).
The vHost file should have a section similar to the following.
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
These two directives are the ones to tweak: SSLProtocol controls which protocol versions the server will negotiate, and SSLCipherSuite which cipher suites it offers.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Current payment-industry standards (PCI DSS) no longer permit SSL or early TLS, so a payment site should offer TLS 1.2 or higher only. SSLProtocol is where we list the versions the server must not use: ‘all’ enables every version Apache supports, and each ‘-’ entry removes one. Note that there is no ‘SSLv1’ keyword in Apache; the pre-1.2 TLS versions are named TLSv1 and TLSv1.1. Restart or reload Apache after editing the file, and run a scan afterwards to confirm that TLS 1.0 and 1.1 handshakes are refused.
SSLCipherSuite – This is the list of cipher suites the server will offer, in order of preference; which list you need depends on the browsers you must support. The example above targets current, up-to-date browsers only; published lists (such as the modern, intermediate and old profiles of the Mozilla SSL Configuration Generator) are available if you need compatibility with older browsers. One thing to watch in the example string: it offers RC4 (EECDH+aRSA+RC4 and RC4) and then bans it with !RC4. In OpenSSL cipher strings a ‘!’ entry permanently removes a suite, so RC4 is never offered, but the positive entries are dead text that should be deleted so the configuration says what it means. 3DES, MD5 and anonymous (aNULL) suites are likewise excluded, and should stay excluded.
These are the main settings to update beyond the basic certificate installation if you want to harden the TLS security of your site.
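Before restarting Apache it is worth checking the two directives offline. The script below is an added example, not code from the original article or from Magento or Apache: it applies mod_ssl's SSLProtocol keyword rules (‘all’, ‘+proto’, ‘-proto’, a bare keyword replaces the set) to compute which versions end up enabled, and hands the SSLCipherSuite value to the local OpenSSL through Python's ssl module so you see the suite names the server would actually offer. The two vHost fragments are constructed inline (the first is the article's snippet, the second a hardened form); the function names, the WEAK_SUITE pattern and the LEGACY set are my own choices, not Apache or PCI DSS terms.

```python
"""Offline audit of the SSLProtocol / SSLCipherSuite lines of an Apache vHost.

Added example. It mirrors mod_ssl's keyword handling for SSLProtocol and uses
the local OpenSSL (via the ssl module) to expand the cipher string the same way
the server would, so weak or contradictory settings are caught before a reload.
"""
import re
import shlex
import ssl

# Protocol keywords mod_ssl 2.4 accepts (matched case-insensitively). "all" is a
# shortcut for every version except SSLv2, which modern OpenSSL no longer builds.
PROTOCOLS = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
ALL = frozenset(p for p in PROTOCOLS.values() if p != "SSLv2")
# "SSL and early TLS": versions a payment site should no longer offer (my label).
LEGACY = frozenset(("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"))
# Suite names that should never appear in the expanded list (my own pattern).
WEAK_SUITE = re.compile(r"RC4|DES|MD5|NULL|EXP|ADH|AECDH")

# Constructed sample: the article's snippet. Old TLS versions stay enabled and
# RC4 is both offered and banned (the "!RC4" wins, the rest is dead text).
ORIGINAL_VHOST = '''
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
'''
# Constructed sample: hardened form, TLS 1.2+ only and AEAD forward-secret suites.
HARDENED_VHOST = '''
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!RC4"
'''


def effective_protocols(words):
    """Versions enabled by an SSLProtocol value, following mod_ssl's rules:
    '+X' adds, '-X' removes, and a bare keyword replaces the whole set."""
    enabled = set()
    for word in words:
        action = word[0] if word[0] in "+-" else ""
        name = word[len(action):].lower()
        if name == "all":
            chosen = set(ALL)
        elif name in PROTOCOLS:
            chosen = {PROTOCOLS[name]}
        else:
            raise ValueError("Illegal protocol %r" % word)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled


def expand_cipher_suite(cipher_string):
    """Give the SSLCipherSuite value to the local OpenSSL and return the suite
    names it would offer. OpenSSL >= 1.1.1 also lists its fixed TLS 1.3 suites,
    which the cipher string does not control."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def contradictory_keywords(cipher_string):
    """Keywords that are offered and also banned with '!' in the same string.
    The ban wins, so the positive entries only mislead whoever reads the file."""
    tokens = [t for t in re.split(r"[:,\s]+", cipher_string.strip()) if t]
    banned = {t[1:] for t in tokens if t.startswith("!")}
    offered = {part for t in tokens if t[0] not in "!+-@" for part in t.split("+")}
    return banned & offered


def audit_vhost(text):
    """Scan a vHost fragment and report protocol and cipher-suite problems."""
    protocols, cipher_string = set(), ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles the quoted SSLCipherSuite value
        if words[0].lower() == "sslprotocol":
            protocols = effective_protocols(words[1:])
        elif words[0].lower() == "sslciphersuite":
            cipher_string = " ".join(words[1:])
    offered = expand_cipher_suite(cipher_string) if cipher_string else []
    return {
        "protocols": protocols,
        "legacy_protocols": protocols & LEGACY,
        "weak_suites": [n for n in offered if WEAK_SUITE.search(n)],
        "contradictions": contradictory_keywords(cipher_string),
    }


if __name__ == "__main__":
    for label, vhost in (("original", ORIGINAL_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit_vhost(vhost))
```

For the article's snippet the audit reports TLSv1 and TLSv1.1 still enabled and RC4 as a contradiction (offered, then banned); for the hardened fragment it reports only TLSv1.2 and TLSv1.3 with no findings. The same cipher expansion is available on the command line as `openssl ciphers -v '<string>'`, which is the quickest way to see what a candidate SSLCipherSuite value means on the server's own OpenSSL build.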