Information security is an important consideration for any business, especially one storing their contact and customer data online. Imagine if your rivals got their hands on your lead database, the campaign you’ve been working hard to plan for months is leaked, or your email audience starts receiving spam (or worse) from unscrupulous sources. Even if you think you don’t have much valuable data to be a target, think again. Many times, hackers will scour the Internet for unprotected servers using automated tools, and attack them simply to wreak havoc on innocent users.
Like any web application, you have a big part to play to ensure your Mautic instance is secure. If you’ve been using applications like WordPress for any length of time, many of these best practices should not be a surprise to you. Here are some security tips to keep in mind.
Avoid using the username “admin” and choose a strong password for your Mautic account.
“admin” is often the first username a hacker will try to brute force, i.e. repetitively guess the correct login to a web application. Obviously you can’t depend on “security by obscurity” by using a unique username alone, but in conjunction with a strong password (more than 8-10 characters with upper and lower case letters, numbers and symbols), this is the single most important thing you can do to protect your Mautic instance.
Open the Settings pane in Mautic using the “gears” icon in the top right-hand corner of the Mautic dashboard, then choose Users to manage your user accounts. A helpful technique to create a complicated password you will remember is composing a passphrase, where you take the first letter out of each word in a phrase that you will remember (such as lyrics from your favorite song), but isn’t obvious to anybody else. Mix it up by swapping numbers and symbols for characters such as S (use $) or O (use 0).
Keep your Mautic installation updated.
Security vulnerabilities are discovered in software all the time. By keeping your Mautic instance up to date, you’ll benefit from the security fixes that the developers have rolled out in the latest version. Since the Mautic team moved to a rapid release schedule, they now put out a release every four weeks. You don’t have to rush to upgrade your instance on day one when a new release comes out, but don’t just ignore the notification that pops up at the top of your Mautic dashboard. Read our recent blog to learn how to ensure a successful Mautic upgrade and recover in the event of a failed upgrade.
Don’t use 777 for all of your file permissions in the Mautic directory.
If you remember when you installed Mautic, you needed to change the permissions of the /app directory to 755 so that Mautic could write to the /app/cache folder and store transient data such as the IP lookup table. A bad habit among beginners is to chmod (change permission) everything to 777 on their web hosting account or server. That makes your installation much less secure: if any Linux user account on the machine is compromised, it can read, write and execute every one of your files. Only change permissions for the folders if and when needed, and to the minimum level of access the application requires.
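As an added illustration (not from the original post or the Mautic project), the shell snippet below resets a Mautic tree to the least-privilege pattern the paragraph describes: 755 for directories, 644 for files, plus a quick count of anything still world-writable so you can confirm no 777 leftovers remain. The directory layout under the temporary folder is constructed for the demo; only the app/cache path comes from the text above, and the assumption is that the user PHP runs as owns the tree, so it can still write to app/cache.

```shell
#!/bin/sh
# Added example: reset a Mautic tree to least-privilege permissions.
# Not part of the original post or of Mautic itself.

# reset_perms ROOT: directories 755 (rwxr-xr-x), files 644 (rw-r--r--).
# The owner (assumed to be the user PHP runs as) keeps write access,
# so app/cache stays writable without opening it to everyone.
reset_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# count_world_writable ROOT: how many entries still carry the "other write"
# bit (what chmod 777 leaves behind). Prints the count.
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# --- demo on a constructed tree (hypothetical layout under a temp dir) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/app/cache" "$demo_dir/app/config"
printf '<?php\n' > "$demo_dir/app/config/local.php"
chmod -R 777 "$demo_dir"            # the bad habit the text warns about

before_count=$(count_world_writable "$demo_dir")
reset_perms "$demo_dir"
after_count=$(count_world_writable "$demo_dir")

echo "world-writable entries before: $before_count, after: $after_count"
```

Run it against your real install by replacing `$demo_dir` with the Mautic root, and pair it with a `chown` to the PHP user if the tree is owned by someone else; the count function is also a handy one-liner to re-run after any plugin install to catch permissions that drifted back to 777.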
Create specific user accounts for freelancers and agencies to work on your Mautic installation.
If you are hiring an outside contractor to work on your Mautic installation, create a separate user account for them so the changes they make are traceable, and you can easily rotate the password or disable the account once the job is done. Ask your Mautic consultant or agency how they protect your passwords and which people in their organization are given access to your logins.
Set up DomainKeys (DKIM) and SPF records to prevent spammers from impersonating your email sending domain.
Don’t let your good name be tarnished by scammers & spammers impersonating your domain name in the From: address of their email headers. Setting up DKIM and SPF records in your DNS zone file lets receiving email servers know that they should only accept emails sent from your domain, originating from your server and/or email gateway’s address. In fact, the major webmail providers including Gmail, Outlook and Yahoo are much more likely to flag your legitimate emails as spam if this is not set up properly, impacting your email campaign performance.
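DKIM signatures need your mail gateway’s private key, so there is no offline example for them here, but the SPF half is a single DNS TXT record whose shape you can check. The snippet below is an added example (not from the original post): a constructed weak record next to a sound one, and a small shell check that flags records which authorize every sender or never reject unlisted ones. The IP address and gateway hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an SPF record.
# Values are constructed placeholders for a hypothetical example.com.

SPF_WEAK='v=spf1 +all'                                   # lets anyone send as you
SPF_GOOD='v=spf1 ip4:192.0.2.10 include:_spf.mailgateway.example -all'

# check_spf RECORD: prints a verdict and returns 0 only for a record that
# names specific senders and rejects (-all) or soft-fails (~all) the rest.
check_spf() {
  rec="$1"
  case "$rec" in
    "v=spf1"|"v=spf1 "*) ;;
    *) echo "not an SPF record (must start with v=spf1)"; return 1 ;;
  esac
  case "$rec" in
    *"+all"*|*" all"*) echo "authorizes every sender (+all)"; return 1 ;;
  esac
  case "$rec" in
    *" -all"|*" ~all") echo "ok: explicit senders, unlisted ones fail"; return 0 ;;
    *) echo "no -all/~all terminator: unlisted senders are not rejected"; return 1 ;;
  esac
}

for rec in "$SPF_WEAK" "$SPF_GOOD"; do
  printf '%s -> ' "$rec"
  check_spf "$rec" || :
done
```

The check is deliberately narrow: it does not follow `include:` chains or handle the `redirect=` modifier, so treat a "no terminator" verdict on a record that uses `redirect=` as a prompt to look at the target record rather than as a failure.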
Harden your server or VPS hosting Mautic against attacks.
If you are using a self-hosted Mautic instance on a server you have root access to, you should harden it against malicious attacks. At a minimum, ensure you are using a strong root password and/or a keypair to authenticate SSH access to the server. The MySQL root and database-specific users should also have strong passwords, ideally only allowing connections from localhost.
To limit what port scanning can find, only the minimum set of ports should be open to inbound traffic on your Linux firewall (ufw, firewalld or iptables); 80 (HTTP), 443 (HTTPS) and 22 (SSH) are the most common ones needed. There are advanced techniques that a knowledgeable server admin can implement to further reduce the likelihood of attack, for example only allowing SSH logins from a specific IP address, such as a home or office connection. fail2ban is a popular package that automatically bans IP addresses from attempting to log in via SSH after a certain number of failed attempts, discouraging brute-force attacks.
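To show what fail2ban is doing on your behalf, here is an added example (not from the original post) that performs the same count by hand: it reads sshd log lines, tallies "Failed password" entries per source address, and reports any source at or above a threshold. The auth.log excerpt is constructed and uses documentation-only IP ranges; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: the check fail2ban automates, done by hand over sshd log
# lines. Not part of the original post; the log lines are constructed.

# failed_ssh_sources LOGFILE THRESHOLD: print each source IP with at least
# THRESHOLD "Failed password" entries, one per line, sorted.
failed_ssh_sources() {
  awk -v limit="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      count[ip]++
    }
    END { for (ip in count) if (count[ip] >= limit) print ip }
  ' "$1" | sort
}

# Constructed auth.log excerpt (TEST-NET addresses, not real hosts).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jan 12 10:15:01 mautic sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:15:03 mautic sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:15:06 mautic sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 10:15:09 mautic sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 10:16:00 mautic sshd[2110]: Failed password for deploy from 198.51.100.9 port 40022 ssh2
Jan 12 10:16:05 mautic sshd[2110]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2
EOF

echo "sources with 3+ failed SSH logins:"
failed_ssh_sources "$sample_log" 3
```

Point it at /var/log/auth.log (or the equivalent on your distribution) to see whether anything is already knocking; the difference with fail2ban is that it watches the log continuously and adds the firewall rule for you, so the manual version is best used as a spot check that your jail is actually catching what the log shows.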
Encrypt the connection to your Mautic instance with an SSL certificate.
Does your Mautic server address currently begin with http:// ? If so, you haven’t installed an SSL certificate, which encrypts data in transit, including your Mautic login details and the data your contacts fill in on your Mautic forms. Switching to HTTPS prevents onlookers from eavesdropping on the information sent to and received by your server and, for those of you concerned about SEO, counts as a positive ranking signal in Google’s algorithm. In fact, Google Chrome has begun marking pages that collect personal information without SSL as “Not Secure”, which can significantly erode the trust of your customers.
SSL certificates supporting the highest level of encryption available in most browsers, 256-bit, are inexpensive (less than $30/year) or even free with Let’s Encrypt. The trickiest part, where you will probably want the help of a professional, is configuring it correctly on your server to avoid redirect and mixed content errors. Contact us and we can help with installing an SSL certificate for your Mautic instance, including:
- Updating your Mautic base URL from http:// to https://
- Rebuilding Mautic assets such as embedded forms to prevent errors
- Reconfiguring outside plugins and integrations such as WP-Mautic