Creating and managing a secure high-performance infrastructure can be tough. We know, as we have spent years solving these problems for technology startups and large enterprises. Hackers are constantly on the lookout for companies to target. Learn about 7 actionable steps to make your Mautic hosting more secure.
What are the biggest risks if you host Mautic?
Exfiltration, exfiltration, exfiltration. Your contact list is gold. Hackers all over the world love to get their hands on personal data that can be sold on to competitors or used for more nefarious purposes. Not only is your clients’ privacy at risk, but you can also face hefty fines if their personal details fall into the wrong hands.
Other risks include attackers impersonating you to send out phishing campaigns, or using your servers to mine Bitcoin or launch attacks against other people.
Hackers are constantly on the lookout for companies to target. They’ll quickly find your Mautic instance by blindly scanning IPs for open ports or by checking public TLS certificate disclosure databases. Once they find you, they’ll probe your Mautic instance for vulnerabilities.
How can you make your Mautic hosting more secure?
Use strong TLS 1.3 Encryption
At a minimum, you’re going to need to keep your traffic safe using strong TLS 1.3 encryption. An ISP (Internet Service Provider) can generate TLS keys for you, but you will be responsible for installing them and periodically rotating them when they expire. If you are not managing the server yourself, make sure you trust the company distributing them, as anybody with the private key can impersonate you or eavesdrop on your traffic.
Use a Web Application Firewall
While Mautic has a good track record on security, even the most battle-hardened technologies can have vulnerabilities. Using a Web Application Firewall (WAF) like Cloudflare or mod_security will block many attacks before they reach your server.
Furthermore, a WAF will protect you against Distributed Denial of Service (DDoS) attacks in case somebody tries to overwhelm your Mautic instance with traffic in order to take your business offline.
Subscribe to Security Bulletins and stay up-to-date
Finally, make sure you subscribe to security bulletins for all the software you use: at a minimum, this will include Mautic, your database, and your operating system. On rare occasions, you may have to update your software at 3 am on a Sunday!
How can you make Mautic more secure as an admin user?
Use the “Principle of Least Privilege”
Firstly, assign different roles to users to apply the “Principle of Least Privilege”. For example, somebody who creates campaigns does not need the power to create new Mautic users. If you are the only user of your Mautic instance you will still benefit from having a separate admin user to minimize damage if somebody compromises the account you usually use.
Use strong, unique passwords
Use a password manager like 1Password to create strong passwords that aren’t reused across different logins. Password managers also allow you to share secrets temporarily, for example when distributing passwords to new employees.
Disable unused features
As an example, API users should disable Basic Auth and only use OAuth. OAuth tokens are short-lived and can have their scope limited to only the task at hand, which is another example of the Principle of Least Privilege. Contrast short-lived, limited-scope OAuth tokens with Basic Auth credentials, which are only invalidated by a password change and can be used to log in to the Mautic UI and do anything the user can do.
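As an added illustration of that contrast (example code written for this point, not part of Mautic or of the original article): a Basic Auth header is just reversible base64 carrying the user’s real password, whereas a bearer-token check can refuse a token the moment it expires or is used outside its scope. The token store, token value and scope names are constructed, hypothetical values.

```python
import base64

# Constructed sample header: what a Basic Auth API client sends on every request.
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"campaign-bot:Sup3rS3cret!").decode()

# Hypothetical token store as an OAuth server would keep it: token -> expiry and scopes.
# Issued at the constructed time 1_700_000_000, valid for one hour, read-only scope.
TOKEN_STORE = {
    "tok-abc123": {"expires_at": 1_700_000_000 + 3600, "scopes": {"contacts:read"}},
}


def decode_basic_auth(header):
    """Demonstrate that a Basic Auth header is trivially reversible:
    anyone who captures it holds the user's actual password."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Auth header")
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password


def authorize_bearer(header, required_scope, now, store=TOKEN_STORE):
    """Server-side check for a scoped, expiring token.
    Returns (allowed, reason) so callers can log why a request was refused."""
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer":
        return False, "not a bearer token"
    record = store.get(token)
    if record is None:
        return False, "unknown token"
    # Expiry bounds the damage window: a leaked token is useless once it lapses.
    if now >= record["expires_at"]:
        return False, "token expired"
    # Scope bounds the blast radius: a read token cannot perform writes.
    if required_scope not in record["scopes"]:
        return False, f"token lacks scope {required_scope}"
    return True, "ok"
```

A captured Basic header stays valid until the password is changed, while the same check above rejects the bearer token one hour after issue or on any write attempt.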
Be cautious and aware of the risks
If you are managing or hosting a Mautic instance yourself, be very cautious about the advice you receive. While much of it is well-meaning and will help you achieve your goals, it may introduce vulnerabilities. For example, many people still use FTP to upgrade their Mautic instances and aren’t aware of how insecure this protocol is: it sends both credentials and files in clear text. At a minimum, use SFTP or SCP to copy files.
What are your thoughts? What do you do to keep your Mautic hosting safe? Let me know in the comments.
Do you know someone that could benefit from a more secure Mautic hosting? Please share this article.