Why Does My Website Say ‘Not Secure’?

If you’re a Google Chrome user, you might have noticed your updated browser is now telling you that some sites are “Not Secure” in big red letters. If you’re a business owner with your own website that’s being flagged this might be even more concerning to you. If you’re wondering what this means and how you can fix it, read on for the full story about SSL and You!

Dealing with Not Secure Website Warnings?

Google announced in early 2018 that starting in July their Chrome browser, the most-used desktop browser by a wide margin, would start flagging unsecure sites that aren’t using HTTPS encryption. HTTPS in plain English is the secure version of HTTP, the basic protocol used to access websites on the internet. HTTPS encrypts the connection using SSL (today, TLS), backed by a security certificate for your site, which keeps private information transmitted to your site safe from snooping middlemen.

Think about it this way: imagine HTTP is the front door of your business and it has a standard doorknob with a regular old lock on it that you keep locked after hours just in case. HTTPS is that same door but with extra deadbolts added on to beef up your security and keep criminals out.

That’s not to say that any site without HTTPS encryption is automatically in danger of door-kicking hackers! If your site isn’t using outdated contact forms to send private information such as Social Security Numbers, financial information, etc., your site and its users probably aren’t in any real immediate danger without an SSL certificate protecting your site. The reason Google is enforcing this new rule is to encourage site owners to make the switch to HTTPS to create a more secure web with secure and encrypted sites being the default, not the other way around. It’s a great idea in theory, but the only problem with that is many security certificates can be expensive and difficult to install and maintain, many requiring yearly renewals.

If you’re a small business owner who needs a website and you’re scratching your head about all of this, that’s where ITD Interactive comes in! Our standard hosting package for WordPress sites includes a 100% free SSL certificate that we install and maintain for you. You’ll be automatically upgraded to an HTTPS site without any hassle or yearly renewal fees. Your site will be more secure and your users who visit your site in Google Chrome won’t get that annoying message that implies that your site is not safe to visit.  We can also offer more heavyweight worry-free SSL certificates for eCommerce and medical websites that need added protection for an added cost.

If you’ve already got a website you’re happy with, you can still take advantage of this offer. Switch to ITD Interactive hosting and we’ll move an exact copy of your WordPress site to our ultra-secure servers and get your free SSL certificate up and running in minutes. Click here for pricing and more information.

eCommerce Security Checklist for 2015

So far, 2015 has been a busy year from an eCommerce security standpoint.  At our shop, our eCommerce solutions are primarily built on the Magento platform, with a few smaller shops electing to use WordPress with an eCommerce plugin.  All the same – we have had to install many upgrades and patches over the last few months.  Given all the activity as of late – I thought I would throw together a quick eCommerce Security Checklist.  This article is for developers that might not be familiar with best practices for eCommerce security, or even online shop keepers that are wondering if they are doing everything they can to keep their store, and their customers’ data, safe!  We hope you find this useful and if you feel we have missed anything, please feel free to add it to the comments!

1.  Secure your eCommerce Software

eCommerce usage chart (image): compiled by AheadWorks, a premium supplier of Magento extensions. Check them out at AheadWorks.com

There are so many eCommerce platforms out there.  As I mentioned, most of our projects fall under Magento or WooCommerce – heavy on the Magento side.  As you can see in the chart on the right, Magento and WooCommerce make up close to half of all eCommerce platforms out there!  This means they are well respected and popular, but it also means they have a big target on their backs.  Take every precaution to make sure your eCommerce software is updated and secure!  Below are some steps to help you do just that.

  • Magento Security Patches:  Magento, specifically, uses a security patch method of handling urgent updates.  Unfortunately, there is no quick “click this button to update” feature within the Magento interface.  You have to have your developer apply these patches, unless you are comfortable logging in through a terminal window and applying them yourself.  Magento has released 3 critical patches this year alone and if you are running a Magento site, it is critical that you install them.  You can test your site for vulnerability and find out more about the patches here:  Magento Security Patch Page & Testing Tool
  • WordPress Automatic Updates:  If you are using the WordPress platform, with WooCommerce or any other eCommerce plugin, we highly recommend taking advantage of their automated update features.  WordPress releases updates quite often and they are generally in response to security threats.  The WordPress team is quite vigilant in making sure their core software is as secure as possible.  For more information on configuring automatic updates, visit this page:  Configuring Automatic Background Updates
  • WordPress Plugin Updates:  Securing WordPress is only half of the battle.  Unfortunately, you can have a fully secured WordPress installation and with even ONE out-of-date plugin, your whole site could be at risk!  Since we are dealing with eCommerce, we would naturally be interested in making sure that WooCommerce, WP eCommerce, or whatever platform you use is updated.  However – every single plugin in your WordPress site can be a potential security risk.  Make sure they are all updated and, as a general rule of thumb, if they aren’t critically necessary to your site – delete them!  People are generally unaware how a seemingly simple plugin feature can be exploited to hack into your site.  UPDATE THOSE PLUGINS!
  • WordPress Theme Updates:  While you are at it – make sure theme files are updated as well.  Many of the more modern WordPress themes come bundled with all kinds of tools and widgets that could be subject to vulnerabilities.  Check your WordPress update notifications periodically to make sure there isn’t an available update.  NOTE:  Updating a theme can potentially trash your website if you, or your developer, made changes to the theme’s core pages.  If you are unsure, ask your developer.  When you can, always develop using a Child Theme – this way, you can take advantage of your master theme updates without the risk of losing all of your page design settings!  Read here about child theme development strategies.  It’s really pretty easy and it makes for a MUCH safer setup.

2. SSL Security

SSL Security Considerations

If you use an eCommerce tool such as MagentoGo, Volusion or another hosted solution – you won’t have to worry too much about this.  If your site is self-hosted, either on your own server or on a server your web developer set up, then you NEED to take these steps!

Note:  This section only applies if your site has an SSL certificate.  If you access your shop like this: https://www.myshop.com then you are using an SSL certificate.  If your site is processing transactions and taking credit card information under a regular http://www.myshop.com address, you are not using SSL.  If that is the case, you NEED to be using SSL.  Talk to your developer immediately and get this taken care of.  If your site only takes payments through third party services such as PayPal, and all transactions happen OFF of your site, then you have nothing to worry about and you can skip this SSL Security section altogether.

  • Heartbleed Bug Vulnerability:  Late last year, a huge vulnerability was discovered in the software that manages SSL security on web servers (OpenSSL).  They called this the Heartbleed bug and everyone was encouraged to update their software to newer, patched versions.  You can check your site for this vulnerability here:  Heartbleed Vulnerability Scanner
  • Poodle Vulnerability:  Funny name – not so funny if you don’t have it fixed!  This is a vulnerability that has to do with which SSL/TLS protocol versions your server allows.  Many servers, by default, allow SSLv2 and SSLv3.  Both of these are vulnerable and you want to make sure that your server only allows the TLS versions of the protocol.  You can check for this vulnerability here:  Poodle Vulnerability Scanner
  • General SSL Health:  This tool is one we use quite often; it scans your server and reports back on several SSL security issues.  The result of the scan will be a letter grade – A through F.  If you run this and get a C, D or F – you need to talk to your developer or host and get the issues resolved.  With a score of C you might still be ok, depending on which issues it flagged.  If the scanner comes back with any items in red – then you NEED to pay attention to those!  View the SSLLabs Server Scanning Tool.
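The protocol-version check behind the Poodle item, as an added example that is not part of the original article or ITD Interactive’s tooling: a Python 3 script using only the standard-library ssl module. It pins a client handshake to one protocol version at a time and reports which versions the server accepts, then turns the results into the checklist’s pass/fail. It goes a step beyond the article by also treating TLS 1.0 and 1.1 as failures, since both have since been deprecated (RFC 8996). The host name is a placeholder; SSLv3 usually reports as "not testable" because modern OpenSSL builds cannot offer it at all, in which case use an external scanner such as the one linked above.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first. Modern OpenSSL builds cannot offer SSLv3,
# so that row normally comes back as "not testable" rather than "refused".
PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = ("SSLv3", "TLSv1.0", "TLSv1.1")   # any acceptance here fails the check
MODERN = ("TLSv1.2", "TLSv1.3")


def probe_version(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly `version`.

    Returns True if the server accepted it, False if the server refused it,
    None if the local OpenSSL could not even offer that version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we are testing protocol support,
    ctx.verify_mode = ssl.CERT_NONE     # not the certificate chain
    try:
        # OpenSSL 3 hides TLS 1.0/1.1 behind security level >= 1; lower it for the probe.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # LibreSSL/older builds: keep the default list
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None                     # this OpenSSL build has no such version
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() is not None
    except ssl.SSLError as exc:
        if "NO_PROTOCOLS_AVAILABLE" in str(exc):
            return None                 # client side could not offer it
        return False                    # server rejected the handshake
    except OSError:
        return False                    # connection dropped during handshake
    finally:
        sock.close()


def audit(host, port=443):
    """Probe every version in PROBE_VERSIONS and return {name: True/False/None}."""
    return {name: probe_version(host, port, ver) for name, ver in PROBE_VERSIONS}


def verdict(results):
    """Map probe results onto the checklist: legacy versions accepted -> FAIL."""
    legacy = [n for n in LEGACY if results.get(n)]
    modern = [n for n in MODERN if results.get(n)]
    if legacy:
        return "FAIL: server still accepts " + ", ".join(legacy)
    if not modern:
        return "FAIL: no modern TLS version accepted"
    return "PASS: only " + ", ".join(modern) + " accepted"


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that enforces the same rule: TLS 1.2 and up only.

    Pass your certificate and key paths to use it with ssl-wrapped server sockets.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression enables the CRIME attack
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # "www.myshop.com" is the placeholder host from the article, not a real target.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.myshop.com"
    results = audit(target)
    for name, accepted in results.items():
        state = "accepted" if accepted else ("refused" if accepted is False else "not testable")
        print(f"{name:8} {state}")
    print(verdict(results))
```

Run it as `python3 tls_audit.py yourshop.example` against your own server; a PASS line means only TLS 1.2/1.3 handshakes completed.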

If you sell things online, AND you take credit card information ON your website, please make sure you have a proper SSL certificate installed.  Get with your developer or host and find out what to do.  You can even give us a shout and we would be glad to tell you what you need to do – or do it for you if you need us to.  As I said before – if your sales all happen somewhere else, such as PayPal, 2CheckOut, or something like that, then you don’t have anything to worry about.

3. Secure your Admin Panel


Some hacks happen through known vulnerabilities where hackers can exploit something as simple as an image directory that still has write access and upload their own files to gain access to your site.  Many times, however, hackers use known admin panel logins to simply log into your site’s admin panel and then do whatever they want!  Don’t make it so easy on them!  Below are some steps you need to consider to secure your admin access.

  • Change Admin Username:  Please, please PLEASE – do NOT use “admin” as your username.  This is the default username for many systems and hackers are counting on this.  They have software that guesses passwords – and it only works if they know your username to begin with!  If you use a non-standard username like “MyStoreAdmin” or something that doesn’t even have the word “admin” in it, then not only would they have to guess the password, they would have to guess your username first.  That is often enough to make a hacker move along to a site with a much less savvy administrator.
  • Changing the Admin Path:  WordPress sites use /wp-admin for their admin panel.  Magento uses /admin by default.  Most sites have a default admin panel link and again, the hackers know this.  If you change this to something non-standard, it basically takes your site off of the hacker’s “low hanging fruit” list.  Make breaking in even a little bit difficult and they often move on to another target.  In Magento, you choose the path during setup.  In WordPress – changing this is easiest with a security plugin that offers this option.  We have used the iThemes Security plugin on many sites and it works really well.
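The password-guessing software described above leaves a very recognisable trail in your web server’s access log: a burst of POSTs to the login path from one address. As an added example, not from the article or from ITD Interactive, here is a small Python 3 detector that reads combined-format log lines (Apache or nginx) and flags any IP with a run of login POSTs inside a short window. The sample log lines and IP addresses are constructed for the example; the admin paths are the WordPress and Magento defaults the article names, plus Magento’s /index.php/admin form, which is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One combined/common log format line, as written by Apache or nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Default admin/login paths for WordPress and Magento (the ones guessing tools aim at).
ADMIN_PATHS = ("/wp-login.php", "/wp-admin", "/admin", "/index.php/admin")

# Constructed sample: one address hammers /wp-login.php, one legitimate login, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2015:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2015:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
198.51.100.2 - - [02/Jun/2015:10:01:00 +0000] "GET /shop/ HTTP/1.1" 200 8812
198.51.100.2 - - [02/Jun/2015:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
this line is not in common log format
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_login_attempt(rec):
    # A POST to an admin path is a credential submission; a GET only loads the form.
    return rec["method"] == "POST" and any(rec["path"].startswith(p) for p in ADMIN_PATHS)


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_login_posts} for IPs with >= threshold login POSTs in `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_attempt(rec):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login POSTs - consider rate limiting or blocking")
```

Pointed at a real file (`find_bruteforce(open("/var/log/nginx/access.log"))`), the same function gives you the addresses to rate-limit or block, and a non-default admin path simply means these requests never reach a login form at all.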

4. Secure Transactions

Online Transaction Guidelines for eCommerce Security

In your store’s eCommerce settings – you have a lot of control over the types of transactions you allow, and how those transactions are processed.  Below are some things to consider when taking people’s money online:

  • Never Store a Credit Card Number:  For reasons I do not understand, many eCommerce apps, including the great Magento, still offer offline credit card processing as a standard payment option.  NEVER (I can’t repeat this enough) use this option.  This is the option that saves the credit card number in fully readable fashion, for you to manually process later.  They trust you will delete the number – but many people do not.  I have seen this happen to store owners before and it is not pretty.  The fines and liability you will face are significant.
  • Use Off-Site Processing When Possible:  If you are a small shop and you do not have a merchant account, a gateway account and all of that good stuff yet – that’s ok!  Taking payments with PayPal express, or any host of other off-site processors might be a small headache to your clients, but it saves a lot of grief in the end.  Sure – you’ll eventually want to handle everything on your site, but when you are starting out – it’s a good idea to use these services as long as you can.  In fact, I find that on a lot of our websites that offer both – a huge portion of shoppers still prefer to use PayPal over entering their credit card numbers on our sites.
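One way to find out whether full card numbers have ended up in your database (from the offline-processing option, order notes, support tickets or logs) is to scan exports for digit runs that pass the Luhn check that payment card numbers satisfy. The following Python 3 scanner is an added example, not code from the article or from ITD Interactive; the CSV export and the card numbers in it are constructed from well-known test numbers, and mask() shows the only form (last four digits) that should ever be kept.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a
# longer digit run. Length and separators cover how numbers appear in exports and logs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of an order export; card numbers are published test numbers.
SAMPLE_EXPORT = """\
order_id,customer,note
1001,alice,paid via PayPal txn 5X123456AB7890123
1002,bob,cc 4111 1111 1111 1111 exp 12/19 - process manually
1003,carol,ref 4111111111111112 (internal reference, not a card)
1004,dave,card 5500-0000-0000-0004 cvv 123
"""


def luhn_ok(digits):
    """Luhn checksum as used by payment card numbers (weeds out order ids and refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return each digit run in `text` that looks like a stored primary account number."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """The only representation worth keeping for receipts: last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_EXPORT):
        print(f"card number found in export: {mask(pan)} - purge it and fix the process")
```

Run find_pans() over a database dump or log directory; every hit is data you are liable for and that PCI-DSS says you should never have stored in the clear.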

5. PCI-DSS Auditing / Compliance

PCI-DSS Compliance for eCommerce Store Owners

There are countless smaller shops out there that never give PCI-DSS compliance a second thought.  Unfortunately, even if you sell 1 item a year, if your site is hacked and that breach results in credit card numbers or other personal information being released into the wild, the Payment Card Institute can, and will, come down on you.  If your site is established and is a regular part of your revenue stream, then you really have little excuse to ignore PCI-DSS compliance.  We don’t have time to go into everything involved in PCI-DSS compliance in this article, but you can find out more here:  Why Comply with PCI Security Standards?

Final Thoughts

The biggest rule of thumb in dealing with your site’s security is to be PROactive and not reactive.  Spending half an hour installing that patch is much better than losing days trying to rebuild a site that has been hacked, defaced and trashed.  As bad as that is, it can always be worse.  If you operate a store and your customers’ data is stolen and used fraudulently – you could be looking at significant liability if they are able to trace the breach back to your site.  When you are dealing with eCommerce, security is simply too critical an issue to take lightly.  We hope this has been helpful and again – if you have anything to add or share, please leave a comment!  That only makes the article more useful for others.
