Take Care When Setting Up a Magento Development Site!

Part of my proactive approach that I take includes checking the health of development websites set up for clients. This is mainly carried out for security reasons and ensuring that the codebase for both development and production environments are closely in sync.

In previous companies I have worked for, I discovered some fundamental issues with the development sites that had been set up. Therefore, I'm going to share some of my findings and what steps should be taken to avoid common development site problems.

Search engines...

One of the key steps when setting up a Magento (or any application) development website is: make sure that the search engines don't crawl the website!

In Magento 1, this can be achieved by heading to the System -> Configuration -> General -> Design section in the admin, expanding the HTML Head section and changing the Default Robots option to NOINDEX, NOFOLLOW.

Similarly in Magento 2 (as of version 2.2), within the Content -> Configuration section, select a theme to edit, expand the Search Engine Robots section and set the Default Robots option to NOINDEX, NOFOLLOW.

This step is surprisingly forgotten or left too late, which has resulted in development sites showing in the search engine results. This effectively means that both production and development websites are competing against each other in terms of SEO. In addition, it might not be immediately obvious to customers that they might be browsing on the wrong website!

If you know the website address of your development site, there is an easy check to find out whether the search engines have crawled the web pages.

In Google, simply type in site: followed by the domain name of the development site. Google will then return any pages from that domain which it has indexed.

I actively work on a few internal projects that use the sussexdev.co.uk domain. Typing in site:sussexdev.co.uk into Google shows that none of these appear. Hooray!

Remember, after setting up the development site's database and codebase, always make sure that you configure the search engines not to crawl and index the website.

If necessary, you can add password protection to the whole of the website, or only allow IPs from a whitelist to access it. Choose whichever option is best for you but make sure you take action quickly.

General security

This particularly is focused at Magento 1 and in terms of securing the local.xml database configuration file. It seems as though file and folder permissions are commonly forgotten about when setting up a development site.

Crucially, this can lead the exposure of the database configuration file in the browser. By simply heading to http://your-development-domain.com/app/etc/local.xml, you may find that your database connection details are accessible to the public.

If you forget about file permissions, remember that Magento 1 will flag this issue up in the admin area with the following notification.

Magento Development Site

There are therefore no excuses to skipping over this check. You might be thinking 'well it's just a development website with an old database. It doesn't really matter if anything happens to it'.

Which leads me onto my next point...

The data

When a development site has being set up, the codebase and a database backup from the production website is taken. There have been a few occassions where customer and order data has not been cleared from the development website. This, along with an exposed local.xml file as seen above means that sensitive data is open to anyone! This can lead to major legal and financial implications.

In both Magento 1 and 2, it is very easy to strip out this data. I would recommend using Sonassi's tools for dumping a Magento database. Simple to use, and truncates any sensitive data from the database dump.


I'm available to help businesses configure development sites.

Development sites do not take long to set up, and are often rushed due to time constraints with other projects. Don't forget to spend a bit of time checking over the site ensuring that no fundamental security issues exist for the benefit of you and your clients.