There are a few options when it comes to securing your Magento store and in this article we will cover some of the best practices to do so.
We will also look at our options when it comes to Multiple Stores with or without different domains in your Magento installation, and how that can effect which SSL you use and how you use it.
Do I need to secure my whole magento site or just parts?
When it comes to magento we can either secure ( https:// ) our whole site or just the important parts such as the user account pages ( register, login, past orders, manage addresses etc ) and the checkout.
So what about all the other pages such as the home page, categories and product pages? Well you have to think of what securing these pages can effect and if it is worth it or not.
Recently google has come out and said that they will begin slowly having a site that is secured via SSL effect it’s rank in search results, not by a great deal, but when it comes down to a competitor and yourself, anything to help you gain more ground in the rankings can help.
However, with all your pages being secure by SSL we come to the issue of SSL actually causing more load on your server and sites loading a little slower due to the encryption n decryption of the data. Although you may not notice this much, it is there.
So this can be a bit of personal preference for the company on which way they want to go and if one way or another will benefit them more.
Myself? Well I go either way with different clients depending on the situation as such… If the products being sold are more of a sensative subject then a bit of extra security and trust to the user throughout the whole process may increase their chances of completing a purchase. If it is very general common day products being sold then I don’t really see a need to secure every page. If the company really wants to get their company name displayed to the user a bit more, as maybe it is a very trusted name and the user likes to know they are browsing and buying from this company, then I will most likely look at getting an EV SSL. This is because an EV SSL will make sure the company name is always displayed in the browser URL bar at all times.
Which ever you decide on in regarding this. you should always secure the important pages such as the user and checkout pages. And this is what we will cover next in regards to what is the best practice in your situation.
Secure a single store Magento site with SSL
Well this is the easiest one if you are running just a single online store from your magento.
First thing first, get an SSL for your domain name. It might be worth talking to your hosting provider first to make sure they support SSLs and you can get a dedicated IP as one will be needed. They might say they have something named SNI ( Server Name Indication ) enabled which means you do not need a dedicated IP. But this is not ideal and it is always best to not use SNI and have a dedicated IP. This is because using SNI will give some users a security issue, only users using older browsers, but they are still out there. We have plenty of very low priced SSL available here at SSLTrust so have a look around our offerings.
Once you have your SSL it is time to install it. Talk to your hosting provider about getting it installed as they will be the best help on this as all hosting is different and i can’t cater for everyone.
Once you have your SSL installed it is time to setup and configure you Magento. So login to Magento admin area and under your main menu go to System Configuration
Once this page has loaded. From the side menu go to the Web Tab.
Now under the Secure tab on the right make sure the Base Url is your correct domain with the https:// which is for the SSL and under that enable Use Secure URLs in Frontend and also the Admin
Now check your front end of your store and make sure it goes into https:// when you visit the checkout and/or login to a user account.
Now if you wanted to secure every page of the front end, you need to change the Base URL under the Unsecure Tab to be the same https:// URL
Secure a Multiple Store Magento site using different Sub Domains
So maybe you have more then one store view under your Magento installation and they are using different sub domains under a single top level domain. such as: store1.mydomain.com, store2.mydomain.com, store3.mydomain.com and so on.
First you will need a Wildcard SSL to secure all the sub domains. One you have this and installed the SSL ( ask your hosting company to install it if need be ) then we can start looking into securing the magento with it.
So how have you setup your magento? this can be different but the most common way is to have it installed into a single folder in your host and then within that folder you will have sub folders for each different store view ( with it’s own index.php and htaccess file ). I highly recommend this way as it allows a lot more customisation. If you have installed it a different way please let me know in the comments below and i can write up an article for your installation.
So make sure your Wildcard SSL has been installed for each sub domain.
And now think about your magento install in regards to your JS and SKINS folder. Have you for some reason made your own folders of these for each store view? ( i am not talking about sub template folders within these ) or have you just the one JS and SKINS folder under your main site folder. I hope this is the case as it is the best practice.
So login to your magento admin area and go to System > Configuration under the main menu.
Now from left tabs click on the Web Tab.
here you will be able to edit your secure URLs.
Your default store view should be selected from the configuration scope meny. If not, select it. And now under the Secure Tab on the right you should be able to change the Base Url to your main domain name including the https:// and from the Use Secure URLs in Frontend drop down menu select Yes, Also for the Admin, select Yes.
Also take note of the URL you used, usually https:// www.mydomain.com/
Now from the Current Configuration Scope drop down menu select one of your other store views which is under a different sub domain.
Find the Base URL field under the Secure Tab and change it to your subdomain example: https:// store1.mydomain.com/
Now this is the important part...
For the Base Skin URL, Base Media URL and Base JavaScript URL Fields you want to change the {{secure_base_url}} text to be your main secure URL which was https:// www.mydomain.com/
So for the Base Skin URL it would look something like this: https:// www.mydomain.com/skin/
This is to make sure all the skin, media and js files are loaded from the base of your magento as they are not under your subdomain.
And do the same for each store view making sure the Base URL is the correct https:// URL for each store view.
And if you wanted to secure every page on the front end you would do all the same but instead under the Unsecure Tab.
Setup Multiple Store Views in Magento with SSL https:// for different Domains
This is almost similar to the sub domain one above but instead of different sub domains we have completely different domains such as www.mystore.com, www.myotherstore.com, www.mybetterstore.com.au
So first we need to know which SSL you can use. If you have a separate dedicated IP for each domain name your can use a separate SSL for each domain. Or if you have SNI ( Server Name Indication ) enabled, but this is not recommended due to some older browsers displaying an insecure error, you can use a different SSL for each domain name under a single dedicated I{. But this might get a bit expensive.
So you might like to look at using a Multi-Domain SSL or also called a UCC SAN SSL Certificate. These are very useful certificates when dealing with multiple domains as they will allow you to secure up to 100 different domain names without the need to have a separate dedicated IP for each domain, thus you wont also need to look at using SNI.
So once you have decided on that you need to think about how your magento has been setup. Remember we are talking about a single magento installation with more then one store view under a different domain name.
So you have the option when you have you magento installed to either have each store view under its own folder which includes it’s own Skin, Media and JS folder or to keep that folder under the main magento folder and have each store view access it as such but under your main domain name. You could ( to get more advanced ) get those folders linked to a folder of the same name under your store view folders which you can then access it under the store views domain, but this can be a tricky one to setup and if you want to do this maybe talk to your host about setting up symlinks for this to work.
So login to your magento admin area and go to System >Configuration under the main menu.
Now from left tabs click on the Web Tab.
here you will be able to edit your secure URLs.
Your default store view should be selected from the configuration scope menu. If not, select it. And now under the Secure Tab on the right you should be able to change the Base Url to your main domain name including the https:// and from the Use Secure URLs in Frontend drop down menu select Yes, Also for the Admin, select Yes.
If you want to secure every page of your front end, then also enter the secure https:// of your domain under the Unsecure Tab Base URL field.
Now from the Current Configuration Scope drop down menu select one of your other store views which is under a different domain name and find the Base URL field under the Secure Tab and change it to your other domain example: https:/ www.myotherdomain.com/
And now you need to, depending on what you decided to do, either make the Base Skin URL, Base Media URL and Base JavaScript URL Fields linked under your main domains https:// or if you had setup a symlink of these folders under your store view folder back to their main location then you can simply leave them using the {{secure_base_url}} value.
If you have done it like above where it still loads all the JS, Media and Skin files through the https:// of your main domain, the user will not know. They will only know if they look at your sites source code, which is generally the more advanced user. But why would they look at your sites source doe anyways?
So continue this for every other store view you have under a different domain name.
And that is it. If you think i missed something or would like me to clear something up or help on something related to this please post it in the comments below.