Magento 1 reached end of life on June 30, 2020. Adobe no longer provides security patches. Running Magento 1 in production exposes your store to unpatched vulnerabilities.
- Migrate to OpenMage LTS - Community-maintained fork with security patches: https://github.com/OpenMage/magento-lts
- Upgrade to Magento 2 - Current version 2.4.8 with active security support
- Isolate legacy installations - If migration isn’t possible, isolate behind WAF and restrict access
For organizations running OpenMage LTS (the recommended Magento 1 replacement):
- Monitor OpenMage LTS releases for security updates
- Subscribe to OpenMage security advisories
- Test and deploy patches within 7 days for critical CVEs
- Validate custom modules against patched API changes
¶ 2) Harden Admin and Privileged Access
- Enable 2FA for all admin users (use extensions like TwoFactorAuth)
- Use non-default admin path - Change from /admin to a custom URL
- Restrict admin access by IP/VPN - Use firewall rules or reverse proxy
- Enforce least privilege - Review admin roles and remove unnecessary permissions
- Secure SSH access - Use key-based authentication, disable password login
¶ 3) Secure Extension and Infrastructure Layers
- Install extensions only from trusted vendors - Verify code quality and maintenance status
- Remove unused extensions - Reduce attack surface
- Keep PHP and dependencies current - PHP 8.0+ recommended for OpenMage 20.x
- Place behind WAF + TLS - Use ModSecurity, Cloudflare, or similar
- Enable strict request filtering - Block suspicious patterns on checkout/admin routes
- Encrypt backup sets - Protect order/payment data at rest
¶ 4) Database and Cache Security
- Isolate database - Run on separate host or private network
- Use strong passwords - Minimum 16 characters, rotate quarterly
- Restrict database user privileges - Only grant required permissions
- Secure Redis/Memcached - Bind to localhost, require authentication
- Enable slow query logging - Monitor for SQL injection attempts
¶ 5) File Permissions
```bash
# Set restrictive permissions: directories 755, regular files 644
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
# cron.sh only needs to be readable and executable by its owner
chmod 500 /var/www/html/cron.sh
# Ownership (see the note below on owning code as the PHP user)
chown -R www-data:www-data /var/www/html
# Protect sensitive files: block direct web access to app/etc
# (local.xml holds the database credentials and the encryption key)
echo "Deny from all" > /var/www/html/app/etc/.htaccess
```
`Deny from all` is Apache 2.2 syntax (accepted on 2.4 only through mod_access_compat); on Apache 2.4 use `Require all denied`, and either form only takes effect if `AllowOverride` permits it for the docroot. nginx ignores `.htaccess` entirely, so add an equivalent `location` deny rule there. Owning the whole tree as www-data lets a compromised PHP process rewrite application code; where possible own the code as a separate deploy user and give www-data write access only to `media/` and `var/`.
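Setting the baseline once is not enough; deployments, extension installs and manual fixes drift it. The script below is an added example (not from the page) that audits a docroot against the 755/644 baseline above and flags anything world-writable, returning non-zero so it can run from cron. The docroot argument and the exclusion of cron.sh (set to 500 above) are assumptions; adjust for your install.

```shell
#!/bin/sh
# Added example: audit a Magento/OpenMage docroot against the 755/644 baseline.
# Paths are assumptions; pass your docroot as the first argument.

# Directories whose mode is not exactly 755.
bad_dirs() { find "$1" -type d ! -perm 755 | wc -l | tr -d ' '; }

# Regular files whose mode is not exactly 644, ignoring cron.sh (kept at 500).
bad_files() { find "$1" -type f ! -name cron.sh ! -perm 644 | wc -l | tr -d ' '; }

# Anything world-writable: the deviation most worth alerting on, because a
# compromised PHP process or a stray upload could then replace code.
world_writable() { find "$1" -perm -002 | wc -l | tr -d ' '; }

# Print a one-line summary and return non-zero on any deviation, so the
# function can be scheduled and mailed on failure.
audit_docroot() {
    d=$(bad_dirs "$1"); f=$(bad_files "$1"); w=$(world_writable "$1")
    echo "$1: dirs!=755=$d files!=644=$f world-writable=$w"
    [ "$d" -eq 0 ] && [ "$f" -eq 0 ] && [ "$w" -eq 0 ]
}

# Usage: sh audit_perms.sh /var/www/html
if [ $# -gt 0 ]; then audit_docroot "$1"; fi
```

Run it after every deployment and from cron; a non-zero exit with a world-writable count above zero deserves an immediate look, since it is also the footprint left by many web shell drops.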
¶ 6) Security Headers and TLS
Configure in Apache (mod_headers syntax shown; nginx uses `add_header ... always` with the same names and values):
```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
```
Current browsers have removed the XSS auditor that X-XSS-Protection controlled, so it only matters for legacy clients. The CSP above allows 'unsafe-inline' and 'unsafe-eval', which most Magento 1 front-end and extension JavaScript still requires; treat it as a starting baseline and tighten it once the inline scripts on your storefront are inventoried.
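Headers set in configuration can be lost by a later `Header unset`, a proxy, or a vhost that was never reloaded, so verify what the edge actually serves. The script below is an added example (not from the page) that reads raw response headers on stdin, for example from `curl -sI https://shop.example.test | check_headers`, reports which of the required headers are missing and checks that the HSTS max-age is at least the one-year value configured above. The host name and the one-year minimum are assumptions.

```shell
#!/bin/sh
# Added example: verify served security headers from a raw header dump on stdin.

# Header names that must be present (lower-cased for comparison).
REQUIRED="strict-transport-security x-content-type-options x-frame-options content-security-policy"

# Print the lower-cased header names from stdin, one per line, without values.
header_names() { tr -d '\r' | tr 'A-Z' 'a-z' | sed -n 's/^\([a-z-]*\):.*/\1/p'; }

# Print each required header that is absent, one per line, in REQUIRED order.
missing_headers() {
    names=$(header_names)
    for h in $REQUIRED; do
        printf '%s\n' "$names" | grep -qx "$h" || echo "$h"
    done
}

# Print the HSTS max-age value from stdin, or 0 if the header/directive is missing.
hsts_max_age() {
    v=$(tr -d '\r' | tr 'A-Z' 'a-z' | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    echo "${v:-0}"
}

# Combined check: buffer stdin, run both checks, return non-zero on any finding.
check_headers() {
    raw=$(cat)
    miss=$(printf '%s\n' "$raw" | missing_headers)
    age=$(printf '%s\n' "$raw" | hsts_max_age)
    rc=0
    [ -z "$miss" ] || { echo "missing: $(printf '%s\n' "$miss" | tr '\n' ' ')"; rc=1; }
    [ "$age" -ge 31536000 ] || { echo "hsts max-age $age below one year"; rc=1; }
    return $rc
}
```

Run it against the storefront, the admin path and the checkout separately; reverse proxies and CDNs often strip or override headers on some routes only.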
¶ 7) Monitoring and Logging
- Monitor failed login attempts - Alert on brute force patterns
- Log admin actions - Track configuration changes, user creation
- Monitor file integrity - Use tools like AIDE, OSSEC, or Tripwire
- Review access logs - Look for SQL injection, path traversal attempts
- Set up intrusion detection - ModSecurity with OWASP Core Rule Set
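One concrete form of the "alert on brute force patterns" item, as an added example that is not from the page: an awk pass over Apache combined-format access log lines that counts, per source IP, POSTs to the admin login path that did not end in a redirect, and prints every IP at or above a threshold. The admin path (/index.php/admin, substitute your custom URL), the threshold, and the heuristic that a failed Magento 1 admin login re-renders the form with 200 while a successful one redirects with 302 are assumptions about your setup; the sample log is constructed, not real traffic.

```shell
#!/bin/sh
# Added example: flag source IPs hammering the admin login in an access log.

ADMIN_PATH="${ADMIN_PATH:-/index.php/admin}"   # assumption: change to your custom admin URL

# Print "ip count" for every IP with at least $2 non-redirect POSTs to the
# admin path in log file $1, sorted by IP. Fields in combined format:
# $1 client IP, $6 method (with leading quote), $7 request path, $9 status.
brute_force_report() {
    awk -v path="$ADMIN_PATH" -v thr="$2" '
        $6 == "\"POST" && index($7, path) == 1 && $9 != "302" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' "$1" | sort
}

# Constructed sample log (not real traffic) so the check can be run offline:
# six failed admin logins from one IP, one typo then a success from another,
# and unrelated storefront traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php/admin/ HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "POST /index.php/admin/ HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "POST /index.php/admin/ HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:06 +0000] "POST /index.php/admin/ HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:05:00 +0000] "GET /index.php/admin/ HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:05:10 +0000] "POST /index.php/admin/ HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:05:20 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:06:00 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 18210 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:06:05 +0000] "POST /index.php/customer/account/loginPost/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sh admin_bruteforce.sh /var/log/apache2/access.log 5
if [ $# -gt 0 ]; then brute_force_report "$1" "${2:-5}"; fi
```

In production, feed it the last few minutes of the log from cron, or the same logic as a fail2ban filter, and pair a hit with an automatic block at the WAF or firewall plus a review of admin_user for newly created accounts.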
Ensure cron.sh runs every minute, from the crontab of the www-data user that owns it (see the ownership set in section 5):
```crontab
* * * * * /bin/bash /var/www/html/cron.sh
```
Monitor cron execution for failures.
- OpenMage LTS Repository: https://github.com/OpenMage/magento-lts
- OpenMage Security Advisories: https://github.com/OpenMage/magento-lts/security/advisories
- Magento 1 End of Life Notice: https://magento.com/blog/technology/magento-1-end-support-what-you-need-know
- OWASP E-commerce Security Guide: https://owasp.org/www-project-web-security-testing-guide/