Building and running a secure marketing automation infrastructure with Mautic can be difficult. We know this because we’ve spent years solving these problems for technology startups, SMBs, and large enterprises. Hackers are constantly on the lookout for companies to target. Achieve secure Mautic hosting with these 7 immediately actionable steps.
What are the biggest risks with Mautic Hosting?
The No. 1 risk: Exfiltration!! Data is the new gold, so your contact list is a hard currency and correspondingly attractive. Hackers around the world are trying to obtain personal information that can be resold to competitors or used for more nefarious purposes. Not only does this put your customers’ privacy at risk, but you also face hefty fines if personal information falls into the wrong hands.
Another risk is that attackers impersonate your company to send out phishing campaigns, use your server to mine Bitcoin, or launch attacks against other people from it.
Hackers are constantly looking for ways to abuse data. Your Mautic instance can be found quickly, because attackers blindly scan IP ranges for open ports or look up hostnames in public TLS certificate logs (Certificate Transparency). Once your Mautic instance is found, it is (automatically) scanned for vulnerabilities. So let’s make sure that hackers don’t get access to your Mautic instance in the first place. Both on the hosting side and as a user, there is a lot you can get right.
How do you achieve secure Mautic hosting?
Use strong TLS 1.3 encryption
First, you need to protect your traffic with strong TLS 1.3 encryption. An ISP (Internet Service Provider) can generate a TLS key for you. Then you are responsible for installing the keys, keeping them confidential, and replacing them regularly when they expire.
If you don’t host the Mautic server yourself, make sure you trust your hosting provider, because anyone who holds the private key can impersonate you or eavesdrop on your traffic.
Use a web application firewall
While Mautic has a good track record in security, even the most battle-tested technologies can have vulnerabilities. Using a web application firewall (WAF) like Cloudflare or ModSecurity will block a lot of attacks before they reach you.
In addition, a WAF protects you from Distributed Denial of Service (DDoS) attacks, in which someone floods your Mautic instance with traffic to knock your business offline.
Subscribe to security bulletins and make updates
Finally, make sure you subscribe to all the security bulletins for all the software you use: this includes at least those for Mautic, the database security bulletins, and the operating system security bulletins. In rare cases, you may then have to update your Mautic instance at 3 am on a Sunday. But hey, better safe than snoring!
How do you make Mautic more secure as an admin user?
Adhere to the “principle of least privilege.”
Assign different roles to users to apply the “principle of least privilege”. For example, someone who creates campaigns doesn’t also need the ability to create new Mautic users.
Even if you are the only user of your Mautic instance, it is recommended to have an admin and another user profile with fewer privileges. If someone hacks your other user profile, he or she will still not be able to access all the features. That way you minimize the risk.
Use strong, unique passwords
Use a password manager like 1Password to create long, strong passwords that are never reused across logins. Good password managers also let you share passwords in encrypted form, e.g. when handing out credentials to new employees.
Disable unused functions
For example, if you use the API, Basic Auth should be disabled and only OAuth should be used. OAuth tokens are short-lived and are limited in scope to the task at hand. This is another example of the “principle of least privilege”.
In contrast, Basic Auth credentials can only be invalidated by changing the password. In addition, they can also be used to log in to the Mautic user interface. This makes it possible for hackers to do anything that the corresponding user is authorized to do.
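As an added example (not from the original article or the Mautic project), here is a small Python audit that reads the relevant settings out of a Mautic local.php and flags the weak configuration described above next to its hardened form. The key names are the ones Mautic's API settings form writes; the 60-minute token ceiling and the sample configs are assumptions of this example.

```python
import re

# Mautic keeps its settings in app/config/local.php as a PHP array. The key
# names are the ones Mautic's API settings form writes (access token lifetime
# is in minutes); the 60-minute ceiling is this example's own policy.
MAX_ACCESS_TOKEN_MINUTES = 60
_PAIR = re.compile(r"'(?P<key>\w+)'\s*=>\s*(?P<val>true|false|null|-?\d+|'[^']*')")

def parse_local_php(text: str) -> dict:
    """Extract the scalar 'key' => value pairs from a local.php file body."""
    settings = {}
    for m in _PAIR.finditer(text):
        raw = m.group("val")
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw == "null":
            value = None
        elif raw.startswith("'"):
            value = raw[1:-1]  # PHP string literal (Mautic often stores numbers as strings)
        else:
            value = int(raw)
        settings[m.group("key")] = value
    return settings

def audit_api_settings(settings: dict) -> list:
    """Return findings for the API auth settings; an empty list means they pass."""
    findings = []
    if not settings.get("api_enabled", False):
        return findings  # API switched off: nothing exposed, nothing to flag
    if settings.get("api_enable_basic_auth", False):
        findings.append("api_enable_basic_auth is true: disable it and use OAuth2 only")
    lifetime = settings.get("api_oauth2_access_token_lifetime")
    minutes = int(lifetime) if str(lifetime).isdigit() else None  # None if missing/garbage
    if minutes is None or minutes > MAX_ACCESS_TOKEN_MINUTES:
        findings.append(f"api_oauth2_access_token_lifetime={lifetime!r}: set it to at most "
                        f"{MAX_ACCESS_TOKEN_MINUTES} minutes so a leaked token expires quickly")
    return findings

# Constructed samples, not real configs: a weak setup and its hardened form.
WEAK_LOCAL_PHP = """<?php
$parameters = array(
    'site_url' => 'https://mautic.example',
    'api_enabled' => true,
    'api_enable_basic_auth' => true,
    'api_oauth2_access_token_lifetime' => '1440',
);
"""
HARDENED_LOCAL_PHP = WEAK_LOCAL_PHP.replace(
    "'api_enable_basic_auth' => true", "'api_enable_basic_auth' => false"
).replace("=> '1440'", "=> '60'")
```

Running `audit_api_settings(parse_local_php(...))` on the weak sample reports both the Basic Auth and the token-lifetime findings; the hardened sample returns an empty list.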
Be careful and know the risks
If you host or administer a Mautic instance yourself, be very careful about the advice you receive from others. Much of it is well-intentioned and will help you reach your goals, but some of it introduces weak points.
For example, many people still use FTP to update their Mautic instances, probably without realizing that it transmits credentials and files in plaintext. You should at least use SFTP or SCP to copy files to your server.
Data is valuable, to you as a business, to the people it comes from, but unfortunately also to hackers. In the case of an attack on your Mautic instance, the worst thing would probably be the loss of reputation. But there are also financial consequences. Therefore, pay the necessary attention to the protection of your highly sensitive customer data. With the right mindset and consistent implementation of best practices, you’ll secure your Mautic hosting from hacker attacks. Investing in secure hosting can also earn you points with your customers. So it’s worth it!
Do you know someone who could benefit from a more secure Mautic hosting? We’d love it if you shared or forwarded this article.