All of us are well-acquainted with the saying “better safe than sorry”. Surprisingly, we end up neglecting it, especially when things start working our way or, to be precise, when operational challenges start driving our business.
Once our online business starts picking up, we tend to leave our site vulnerable – security down, performance overlooked and health ignored. It’s unfortunate, but we slip into reactive mode and work on incidents as and when they show up, staying completely ignorant of those that leech the system from deep within.
So, instead of hitting the alarm when your site slows down or crashes for no apparent reason, it’s better to set up a watch on the areas that matter the most and schedule a periodic site audit.
Being a Magento development company, we understand the whys and hows of a Magento site audit and believe in conveying the same to you. Here’s a detailed audit checklist that will help you maintain the sanctity of your site and the reputation of your business.
Why Do You Need an Audit?
Your site is certainly your business’s lifeline. Thus, it is your responsibility to take the utmost care of your website so that your customers and your business remain unharmed. How? An audit is the answer.
A site audit:
- Identifies any kind of hacking activities
- Detects unethical moves like stealing customers’ personal info or card details
- Finds existing issues
- Helps in fixing bugs
Thus, it can be concluded that if you need to maintain the security of your site, improve its performance and keep it healthy, you simply don’t have any option other than performing regular site audits.
What Needs to be Audited?
Running and maintaining an online business, especially a Magento-powered store, isn’t an easy job and requires regular scrutiny. Although the whole site requires an audit, three major sections shouldn’t be ignored:
Security
Your site hosts a huge amount of customer information, both personal and financial. Therefore, you need to monitor minutely for any kind of common Magento hacks, the status of security patches, changes in the code, modifications to extensions and standalone files, the payment configuration and the admin accounts. Luckily, the Magento audit covers all of this and a lot more. It involves close combing of the site code to detect any vulnerability in order to make way for secure site performance and user experience.
Performance
Business growth is solely dependent on your site’s performance, and any shortfall here can have a major impact. So it goes without saying that you need to measure the speed of your hosting services, page download and response time on a regular basis.
39% of people will stop engaging with a website if images won’t load or take too long to load.
Having said this, it is important to ensure site performance, design and speed. Further, look out for any 404 errors. All of this is part of the Magento audit. It not only helps you improve site performance but also gives suggestions regarding the design, theme or an upgrade.
Health
Health combines both security and performance. Its main focus is adherence to best practices, whether in the theme, extensions, file system or database. The health audit also points out any core edits or overrides of the Magento core code. Additionally, a health check readily answers questions such as whether a module should be disabled, whether the size of the database and the number of logs are within limits, whether the file system needs cleaning, whether settings need a change, and whether or not all records are intact.
How Does The Audit Process Go?
Well, this is the most important question after you have figured out what needs to be audited and why. Basically, a Magento site audit takes into account three major areas, which are further divided into areas of concern. Let’s discuss them:
1. Server
A server audit involves looking deep into users, network configuration, security, log files, and applications and services. Below is the audit process for each.
1.1. Users
The audit should primarily check how a user accesses your system and what authentication mode the system uses. Once the users are identified, categorize the list according to roles and functions and evaluate each user’s need to access the site. This helps in identifying the types of users who have a valid reason to access the site and in setting up different access rights for them in accordance with the business need. If you come across a user with an access right but without a need, simply remove the user.
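The user review described above, as an added example that is not part of the original article: it lists the accounts that can actually open a session (as opposed to service accounts), reads the SSH authentication mode, and reports interactive accounts that are not on an approved list. The /etc/passwd and sshd_config excerpts and the approved list are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original article): list the accounts that can
# open a session on the server, check the SSH authentication mode, and report
# interactive accounts that nobody has justified.

# Constructed /etc/passwd excerpt; on a real server read /etc/passwd itself.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:Deploy user:/home/deploy:/bin/bash
oldcontractor:x:1002:1002:Left 2019:/home/oldcontractor:/bin/sh
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false'

# Constructed sshd_config excerpt (on a real server: /etc/ssh/sshd_config).
SAMPLE_SSHD_CONFIG='Port 22
# PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password'

# Accounts with a documented business need (assumed list for this example).
APPROVED='root deploy'

# interactive_accounts: user names whose login shell is a real shell, i.e.
# accounts that can obtain a session, as opposed to service accounts.
interactive_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# sshd_setting KEY: value of a directive in the sshd_config sample (first
# non-comment match; directive names are case-insensitive); empty if unset.
sshd_setting() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" |
        awk -v key="$1" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# unapproved_accounts: interactive accounts that are not on the approved list.
# These are the "access right without a need" cases the article says to remove.
unapproved_accounts() {
    for user in $(interactive_accounts); do
        case " $APPROVED " in
            *" $user "*) ;;        # documented need, nothing to report
            *) echo "$user" ;;
        esac
    done
}

# Usage: run the script; it prints the accounts to review and the auth mode.
unapproved_accounts
echo "PasswordAuthentication=$(sshd_setting PasswordAuthentication)"
```

On a real server, replace the two samples with the actual files and keep the approved list in a reviewed document; the script then gives you the removal candidates directly, and the `PasswordAuthentication` value tells you whether password logins are still accepted.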
1.2. Network Configuration
Network configuration accompanies three prime aspects: configuration, listening ports and firewall.
The configuration check covers whether the IP addresses, netmask and gateway are secured. Listening ports offer insight into the active services so that you can check their purpose in the business. Lastly, the firewall is the network shield. Configure its rules according to what the system stores. Keep it simple: the more sensitive the data, the fewer systems it should communicate with.
1.3. Security
There is a dire need to check whether proper access rights have been assigned to the different users based on their business roles. For this, assign controlled access to the users and prevent any unauthorized execution of files. You may still come across situations where a few files don’t have a proper owner. In such cases, check the SetUID and SetGID bits and block any type of illicit file execution. This helps defend your system from attacks that are planted using executables.
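The file-permission part of that check, as an added example that is not part of the original article: it lists files under a directory that carry the SetUID or SetGID bit or that have no valid owner or group, and shows how to strip the bits from a file that should not have them. It assumes GNU find (Linux); the sample directory tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the original article): find files that carry the
# SetUID/SetGID bits or that no valid user or group owns, and clear the bits
# from a file that has no business having them. Assumes GNU find (Linux).

# audit_special_files DIR: print "special PATH" for SetUID/SetGID files and
# "unowned PATH" for files whose owner or group no longer exists under DIR.
audit_special_files() {
    dir=$1
    # -perm /6000 matches files with either the SetUID (4000) or SetGID (2000) bit.
    find "$dir" -xdev -type f -perm /6000 2>/dev/null | sed 's/^/special /'
    # -nouser / -nogroup: numeric owner or group with no matching account.
    find "$dir" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sed 's/^/unowned /'
}

# clear_special_bits FILE: remove SetUID and SetGID so the file runs with the
# invoking user's privileges only.
clear_special_bits() {
    chmod u-s,g-s "$1"
}

# make_sample_tree: constructed directory standing in for the web root, with
# one ordinary file and one file that carries an unexpected SetUID bit.
make_sample_tree() {
    tree=$(mktemp -d)
    : > "$tree/index.php"
    : > "$tree/helper"
    chmod 4755 "$tree/helper"
    echo "$tree"
}

# Usage: audit the constructed tree, fix the one finding, and clean up.
sample=$(make_sample_tree)
audit_special_files "$sample"
clear_special_bits "$sample/helper"
rm -rf "$sample"
```

Against a real web root, run `audit_special_files /var/www` (or wherever Magento lives) and expect an empty list; a web application has no reason to ship SetUID or SetGID executables, and unowned files usually mean an account was deleted without its files being reassigned.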
1.4. Log files
This is the gold mine for auditors. Log files contain an account of all the actions that have been performed on the system. Thus, study these files as minutely as possible, as they enable the most accurate root cause analysis (RCA) in case of an incident. Check whether calls and actions are properly logged and tied back to the main applications. For a secure logging mechanism, check the syslog configuration and find out whether the system forwards logs to a remote host. If remote logging is not found on the system, then we suggest deploying a SIEM solution to start the practice.
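The remote-logging check from the paragraph above, as an added example that is not part of the original article: it reads an rsyslog-style configuration and reports whether any rule forwards events off the host (legacy `@host` UDP or `@@host` TCP actions, or an `omfwd` action). Both configurations and the collector host name are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original article): decide whether a syslog
# configuration forwards logs to a remote collector or keeps them local only.

# Constructed rsyslog.conf with forwarding to an assumed collector host.
RSYSLOG_WITH_REMOTE='module(load="imuxsock")
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
# forward everything to the central collector over TCP
*.* @@logcollector.example.internal:514'

# Constructed rsyslog.conf that only writes local files.
RSYSLOG_LOCAL_ONLY='module(load="imuxsock")
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure'

# has_remote_logging: reads a config on stdin; succeeds if a non-comment line
# carries a legacy "@host" / "@@host" action or an omfwd module action.
has_remote_logging() {
    grep -v '^[[:space:]]*#' |
        grep -Eq '(^|[[:space:]])@@?[[:alnum:].:_-]+|omfwd'
}

# logging_verdict: print REMOTE or LOCAL_ONLY for the config on stdin.
logging_verdict() {
    if has_remote_logging; then echo REMOTE; else echo LOCAL_ONLY; fi
}

# Usage: on a real host feed /etc/rsyslog.conf and /etc/rsyslog.d/*.conf.
printf '%s\n' "$RSYSLOG_WITH_REMOTE" | logging_verdict
printf '%s\n' "$RSYSLOG_LOCAL_ONLY" | logging_verdict
```

A LOCAL_ONLY verdict is the case the article describes: an intruder who gains the box can edit or delete the local files, so the copy on a separate collector or SIEM is what the root cause analysis will rely on.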
1.5. Applications and services
Your server is the storehouse of applications and services. During the process, take a look at these applications, because it will help you assess how exposed your server is to attacks. If you come across any suspicious application, it can create backdoors for other applications.
2. PHP
PHP works with multiple RDBMSs and is used to create dynamic pages. So while auditing PHP, start by checking whether the latest version is installed on your system: updates are published with security fixes and better performance.
Further, like any other code, PHP code also breaks down due to incorrect compilation or wrong configuration, but you need to ensure that in such a situation errors don’t show up on your live website.
3. MySQL
You need a clear understanding of the entire database and its relationships when you audit MySQL. You also need to look at the user permissions that grant access to your customer information, product information, transaction information and more. The next important step is to inspect the log files.
3.1. Error log
It works with the log_warnings system variable, which maintains a record of all the warnings. This log is used to debug any critical errors.
3.2. Slow query log
The SQL statements that take long to execute and impact site performance are logged here.
3.4. General log
This is a catch-all technique. The general log records every query the server receives. It is the most detailed logging technique and, at the same time, takes a lot of time to sift through.
Well, this is not all. The process isn’t that simple or short; it takes into account all the possibilities so that there is no room for errors or any kind of site performance issue.
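The PHP checks (current version, errors not displayed on the live site) and the MySQL log checks (error log, slow query log, general log) from the sections above, as one added example that is not part of the original article. It reads values out of php.ini / my.cnf style files with a small ini reader, compares a dotted version against a minimum, and prints one line per setting that should not reach a live store. The two configuration excerpts are constructed; the version floor of 8.1 and the 2-second slow-query threshold are assumptions for the example, not Magento requirements.

```shell
#!/bin/sh
# Added example (not part of the original article): read settings out of
# php.ini / my.cnf style files and report the values that should not reach a
# live site, plus a dotted-version comparison for the "is PHP current" check.
# The minimum version and the thresholds below are assumptions for the example.

# Constructed php.ini excerpt (on a real host: "php --ini" shows the loaded file).
PHP_INI_SAMPLE='[PHP]
; constructed sample, not a real server file
display_errors = On
log_errors = Off
expose_php = On'

# Constructed my.cnf excerpt (on a real host usually /etc/mysql/my.cnf).
MY_CNF_SAMPLE='[mysqld]
log_error = /var/log/mysql/error.log
slow_query_log = 0
long_query_time = 10
general_log = 0'

# ini_get KEY: value of KEY from an ini-style file on stdin (first match,
# lines starting with ; or # ignored, surrounding blanks trimmed); empty if absent.
ini_get() {
    awk -v key="$1" '
        /^[ \t]*[;#]/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# version_at_least HAVE MIN: succeed when dotted version HAVE is >= MIN
# (e.g. the output of php -r "echo PHP_VERSION;" against your supported floor).
version_at_least() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) have[i] = $i + 0 }
        NR == 2 {
            m = (NF > n) ? NF : n
            for (i = 1; i <= m; i++) {
                if (have[i] + 0 > $i + 0) exit 0
                if (have[i] + 0 < $i + 0) exit 1
            }
            exit 0
        }'
}

# php_findings: one line per php.ini setting that is unsafe on a live site.
php_findings() {
    [ "$(printf '%s\n' "$PHP_INI_SAMPLE" | ini_get display_errors)" = "Off" ] ||
        echo "display_errors is not Off: errors and paths would be shown to visitors"
    [ "$(printf '%s\n' "$PHP_INI_SAMPLE" | ini_get log_errors)" = "On" ] ||
        echo "log_errors is not On: failures would not reach the error log"
    [ "$(printf '%s\n' "$PHP_INI_SAMPLE" | ini_get expose_php)" = "Off" ] ||
        echo "expose_php is not Off: the PHP version is advertised in response headers"
}

# mysql_findings: check that the logs the audit relies on are actually enabled.
mysql_findings() {
    [ -n "$(printf '%s\n' "$MY_CNF_SAMPLE" | ini_get log_error)" ] ||
        echo "log_error is unset: warnings and crashes have no dedicated log file"
    [ "$(printf '%s\n' "$MY_CNF_SAMPLE" | ini_get slow_query_log)" = "1" ] ||
        echo "slow_query_log is off: slow statements will not be recorded"
    t=$(printf '%s\n' "$MY_CNF_SAMPLE" | ini_get long_query_time)
    awk -v t="${t:-10}" 'BEGIN { exit !(t + 0 <= 2) }' ||
        echo "long_query_time is ${t:-10}s: only very slow queries would be logged (assumed threshold 2s)"
    [ "$(printf '%s\n' "$MY_CNF_SAMPLE" | ini_get general_log)" != "1" ] ||
        echo "general_log is on: every query is logged; keep it for short investigations only"
}

# Usage: print the findings for the constructed samples.
php_findings
mysql_findings
version_at_least 8.1.27 8.1 && echo "PHP 8.1.27 meets the assumed 8.1 floor"
```

Both sample files deliberately carry the bad values, so the constructed run reports three PHP findings and two MySQL findings. On a real host, read the loaded php.ini and my.cnf instead of the samples, and confirm the live values with `php -i` and `SHOW VARIABLES`, since settings can also be changed at runtime or in a later include file.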