The admin panel (content management) of the platform is certainly one of the most important places to secure.
Logging in to content management
Our recommendation is to always give the admin panel a unique URL path, because malicious bots try the usual names (admin, backend, back, backendadmin and so on) first. You could use /pinkpudding, or anything else that is not easily guessable. Avoid anything derived from the domain name, from a word that recurs on the website, or from the company's real name, since those are just as easy to guess. Note that renaming the path only hides it from automated scanners; it does not replace a strong, unique password (and two-factor authentication where the platform supports it) for every admin account.
It is best to restrict the whole panel to an allow-list of IP addresses as well; this also stops brute-force attempts, because the login form is never reachable from outside. A VPN can be added on top, so that users with dynamic IPs can still reach the admin panel (or, for a particularly high level of security within the company, make the VPN the only route to it).
If IP restriction is out of the question, a CAPTCHA on the admin login form is the alternative: it adds an extra step that is inconvenient for a bot, though not impossible. Google reCAPTCHA, for example, works well here.
The best combination is, of course, IP restriction plus a CAPTCHA.
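The two measures above (a unique admin path and an IP/VPN allow-list) can be checked and generated with the following shell script. This is an added example, not code from the original article or from Magento itself; it assumes Magento 2 served by nginx and uses constructed sample values (the shop domain example.com, the company name "Example Ltd", the office range 203.0.113.0/24 and the VPN range 10.8.0.0/24). The helper names check_admin_path and nginx_admin_location are my own.

```shell
#!/bin/sh
# Added example (not from the original article or from Magento):
# 1. check_admin_path rejects admin path names that bots guess first or that
#    are derived from the site's own domain/company name;
# 2. nginx_admin_location emits an nginx location block that confines that
#    path to an IP allow-list (office + VPN) and denies everyone else.
# All domain names, company names and IP ranges below are constructed samples.

# Names bots try first; any path containing one of these is rejected.
GUESSABLE="admin administrator backend back backendadmin manage manager panel login cms"

# check_admin_path PATH DOMAIN COMPANY
# Returns 0 if PATH is an acceptable admin frontName for the shop at DOMAIN
# run by COMPANY, 1 otherwise. Prints the reason for a rejection.
check_admin_path() {
    path=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    company=$(printf '%s' "$3" | tr 'A-Z' 'a-z')

    case "$path" in
        *[!a-z0-9_-]*) echo "reject: only a-z, 0-9, _ and - are allowed"; return 1 ;;
    esac
    if [ "${#path}" -lt 8 ]; then
        echo "reject: shorter than 8 characters"; return 1
    fi
    for word in $GUESSABLE; do
        case "$path" in
            *"$word"*) echo "reject: contains well-known name '$word'"; return 1 ;;
        esac
    done
    # Every label of the domain (example, com) and every word of the company
    # name is a token an attacker would try; refuse paths built from them.
    tokens=$(printf '%s %s' "$domain" "$company" | tr '.-' '  ')
    for tok in $tokens; do
        [ "${#tok}" -ge 3 ] || continue
        case "$path" in
            *"$tok"*) echo "reject: derived from site/company name '$tok'"; return 1 ;;
        esac
    done
    echo "ok: $path"
    return 0
}

# nginx_admin_location PATH "CIDR CIDR ..."
# Prints an nginx location block for the admin path. ^~ makes the prefix win
# over the regex locations in Magento's nginx.conf.sample, the allow/deny
# lines are evaluated in the access phase (before try_files), so a denied
# client gets 403 without the login form ever being served, and the
# try_files line hands allowed requests to Magento's index.php as usual.
nginx_admin_location() {
    path="$1"
    printf 'location ^~ /%s {\n' "$path"
    for cidr in $2; do
        printf '    allow %s;\n' "$cidr"
    done
    printf '    deny all;\n'
    printf '    try_files $uri $uri/ /index.php$is_args$args;\n'
    printf '}\n'
}

# Usage with the constructed sample values:
check_admin_path pinkpudding example.com "Example Ltd"
nginx_admin_location pinkpudding "203.0.113.0/24 10.8.0.0/24"
```

The generated location block goes into the server {} section of Magento's nginx configuration ahead of the generic location / handler. The same name must then be set as the Magento backend frontName (for example with bin/magento setup:config:set --backend-frontname=pinkpudding), otherwise Magento keeps answering on the old path. With the allow-list in place a brute-force bot is stopped before the login form even loads, so the CAPTCHA becomes the second line of defence rather than the first.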
Activities in content management
It is also quite common that, if the previous steps are ignored, a bot (or the person behind it) gets into someone's admin panel and starts to do mischief there. Another possibility is that the mischief-maker is a current or former employee.
To keep an eye on this, we recommend installing an admin activity logging module that records exactly which action was performed, by whom, when, and what was changed.
Admin users (the most privileged accounts) deserve particular scrutiny, and their activity must be logged in a way they cannot tamper with. A full admin can usually edit or delete the log table itself, so either ship the admin activity log to another server where the admin has no write access, or continuously back up the admin audit table and keep the copies out of the admin's reach.
Another measure is to restrict user roles in Magento so that each user only has access to the elements they actually need.
For example: an employee who enriches product data only needs to see the products; access to orders and system settings is not needed, so their role should grant the catalog resources and nothing more.
In addition to all the above, it is advisable not to work under a single shared user; each employee should have their own personal account.
For example: the e-store is managed by 5 people who always work from the office. There is an admin activity logging module, but all five staff use the same user account.
The result: product enrichment or deliveries get messed up, records are saved incorrectly, and so on, but who did it is unknown, because the log shows the same user from the same IP address and browser for everyone.