So far, 2015 has been a busy year from an eCommerce security standpoint. At our shop, our eCommerce solutions are primarily built on the Magento platform, with a few smaller shops electing to use WordPress with an eCommerce plugin. All the same – we have had to install many upgrades and patches over the last few months. Given all the activity as of late – I thought I would throw together a quick eCommerce Security Checklist. This article is for developers that might not be familiar with best practices for eCommerce security, or even online shop keepers that are wondering if they are doing everything they can to keep their store, and their customers’ data, safe! We hope you find this useful and if you feel we have missed anything, please feel free to add it to the comments!
1. Secure your eCommerce Software
There are so many eCommerce platforms out there. As I mentioned, most of our projects fall under Magento or WooCommerce – heavy on the Magento side. As you can see in the chart on the right, Magento and WooCommerce make up close to half of all eCommerce platforms out there! This means they are well respected and popular, but it also means they have a big target on their backs. Take every precaution to make sure your eCommerce software is updated and secure! Below are some steps to help you do just that.
- Magento Security Patches: Magento, specifically, uses a security patch method of handling urgent updates. Unfortunately, there is no quick “click this button to update” feature within the Magento interface. You have to have your developer apply these patches, unless you are comfortable logging in through a terminal window and applying them yourself. Magento has released 3 critical patches this year alone and if you are using a Magento site, it is critical that you install them. You can test your site for vulnerability and find out more about the patches here: Magento Security Patch Page & Testing Tool
- WordPress Automatic Updates: If you are using the WordPress platform, with WooCommerce or any other eCommerce plugin, we highly recommend taking advantage of their automated update features. WordPress releases updates quite often and they are generally in response to security threats. The WordPress team is quite vigilant in making sure their core software is as secure as possible. For more information on configuring automatic updates, visit this page: Configuring Automatic Background Updates
- WordPress Plugin Updates: Securing WordPress is only half of the battle. Unfortunately, you can have a fully secured WordPress installation and with even ONE out of date plugin, your whole site could be at risk! Since we are dealing with eCommerce, we would be naturally interested in making sure that WooCommerce, WP eCommerce, or whatever platform you use is updated. However – every single plugin in your WordPress site can be a potential security risk. Make sure they are all updated and as a general rule of thumb, if they aren’t critically necessary to your site – delete them! People are generally unaware how a seemingly simple plugin feature can be exploited to hack into your site. UPDATE THOSE PLUGINS!
- WordPress Theme Updates: While you are at it – make sure theme files are updated as well. Many of the more modern WordPress themes come bundled with all kinds of tools and widgets that could be subject to vulnerabilities. Check your WordPress update notifications periodically to make sure there isn’t an available update. NOTE: Updating a theme can potentially trash your website if you or your developer made changes to the theme’s core pages. If you are unsure, ask your developer. When you can, always develop using a Child Theme – this way, you can take advantage of your master theme updates without the risk of losing all of your page design settings! Read here about child theme development strategies. It’s really pretty easy and it makes for a MUCH safer setup.
2. SSL Security
If you use an eCommerce tool such as MagentoGo, Volusion or other hosted solution – you won’t have to worry too much about this. If your site is self-hosted, either on your own server, or a server your web developer set up, then you NEED to take these steps!
Note: This section only applies if your site has an SSL certificate. If you access your shop like this: https://www.myshop.com then you are using an SSL certificate. If your site is processing transactions and taking credit card information under a regular http://www.myshop.com address, you are not using SSL. If that is the case, you NEED to be using SSL. Talk to your developer immediately and get this taken care of. If your site only takes payments through third party services such as PayPal, and all transactions happen OFF of your site, then you have nothing to worry about and you can skip this SSL Security section altogether.
- Heartbleed Bug Vulnerability: Late last year, a huge vulnerability was discovered in the software that manages SSL security on web servers (OpenSSL). They called this the Heartbleed bug and everyone was encouraged to update their software to newer, patched versions. You can check your site for this vulnerability here: Heartbleed Vulnerability Scanner
- Poodle Vulnerability: Funny name – not so funny if you don’t have it fixed! This is a vulnerability that has to do with which SSL/TLS protocol versions your server allows. Many servers, by default, allow SSLv2 and SSLv3. Both of these are vulnerable and you want to make sure that your server only allows the TLS protocol versions. You can check for this vulnerability here: Poodle Vulnerability Scanner
- General SSL Health: This tool is one we use quite often and it scans your server and reports back on several SSL security issues. The result of the scan will be a grade letter – A through F. If you run this and get a C, D or F – you need to talk to your developer or host and get the issues resolved. A score of C – you might still be ok, depending on which issues it flagged. If the scanner comes back with any items in red – then you NEED to pay attention to those! View the SSLLabs Server Scanning Tool.
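The Poodle item above comes down to one directive in your web server config. As an added example (not from the original post, and not a tool of any scanner mentioned here), this POSIX shell script audits that directive in nginx (`ssl_protocols`) or Apache (`SSLProtocol`) config files and shows the weak setting next to the corrected one; the sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS protocol
# directive in a web server config for SSLv2/SSLv3 (the POODLE setting).
# Understands nginx "ssl_protocols ..." and Apache "SSLProtocol ...".
# Exit status: 0 = TLS only, 1 = SSLv2/SSLv3 still enabled,
#              2 = no directive found (server defaults decide, so check them).

# Print the value of the protocol directive, comments and ';' removed.
protocol_line() {
  sed 's/#.*//' "$1" | awk '
    tolower($1) == "ssl_protocols" || tolower($1) == "sslprotocol" {
      sub(/;[ \t]*$/, ""); $1 = ""; print; exit }'
}

audit_tls_config() {
  protos=$(protocol_line "$1")
  if [ -z "$protos" ]; then echo "$1: no protocol directive"; return 2; fi
  enabled=""; disabled=""
  for p in $protos; do
    case "$p" in
      -*)      disabled="$disabled ${p#-}" ;;       # Apache "-SSLv3" = off
      all|ALL) enabled="$enabled SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;; # old builds include SSLv2
      *)       enabled="$enabled $p" ;;
    esac
  done
  weak=""
  for p in $enabled; do
    case " $disabled " in *" $p "*) continue ;; esac   # explicitly disabled
    case "$p" in SSLv2|SSLv3) weak="$weak $p" ;; esac
  done
  if [ -n "$weak" ]; then echo "$1: WEAK, still allows$weak"; return 1; fi
  echo "$1: OK, TLS only:$enabled"; return 0
}

# Constructed sample configs (not real files from any server):
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/weak-nginx.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # older nginx default
}
EOF
cat > "$SAMPLES/fixed-nginx.conf" <<'EOF'
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         # corrected: TLS only
EOF
cat > "$SAMPLES/fixed-apache.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
EOF

for f in weak-nginx fixed-nginx fixed-apache; do
  audit_tls_config "$SAMPLES/$f.conf" || echo "  -> fix $f before going live"
done
```

Point it at your real server config instead of the sample directory; a result of 2 means the server is running on its compiled-in defaults, which on older builds still include SSLv3.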
If you sell things online, AND you take credit card information ON your website, please make sure you have a proper SSL certificate installed. Get with your developer or host and find out what to do. You can even give us a shout and we would be glad to tell you what you need to do – or do it for you if you need us to. As I said before – if your sales all happen somewhere else, such as PayPal, 2CheckOut, or something like that, then you don’t have anything to worry about.
3. Secure your Admin Panel
Some hacks happen through known vulnerabilities where hackers can exploit something as simple as an image directory that still has write access and upload their own files to gain access to your site. Many times, however, hackers use known admin panel logins to simply log into your site’s admin panel and then do whatever they want! Don’t make it so easy on them! Below are some steps you need to consider to secure your admin access.
- Change Admin Username: Please, please PLEASE – do NOT use “admin” as your username. This is the default username for many systems and hackers are counting on this. They have software that guesses passwords – and it only works if they know your username to begin with! If you use a non-standard username like “MyStoreAdmin” or something that doesn’t even have the word “admin” in it, then not only would they have to guess the password, they would have to guess your username first. That is often enough to make a hacker move along to a site with a much less savvy administrator.
- Changing the Admin Path: WordPress sites use /wp-admin for their admin panel. Magento uses /admin by default. Most sites have a default admin panel link and again, the hackers know this. If you change this to something non-standard, it basically takes your site off of the hacker’s “low hanging fruit” list. Make breaking in even a little bit difficult and they often move on to another target. In Magento, you choose the path during setup. In WordPress – changing this is easiest with a security plugin that offers this option. We have used the iThemes Security plugin on many sites and it works really well.
4. Secure Transactions
In your store’s eCommerce settings – you have a lot of control over the types of transactions you allow, and how those transactions are processed. Below are some things to consider when taking people’s money online:
- Never Store a Credit Card Number: For reasons I do not understand, many eCommerce apps, including the great Magento, still offer offline credit card processing as a standard payment option. NEVER (I can’t repeat this enough) use this option. This is the option that saves the credit card number in fully readable fashion, for you to manually process later. They trust you will delete the number – but many people do not. I have seen this happen to store owners before and it is not pretty. The fines and liability you will face are significant.
- Use Off-Site Processing When Possible: If you are a small shop and you do not have a merchant account, a gateway account and all of that good stuff yet – that’s ok! Taking payments with PayPal express, or any host of other off-site processors might be a small headache to your clients, but it saves a lot of grief in the end. Sure – you’ll eventually want to handle everything on your site, but when you are starting out – it’s a good idea to use these services as long as you can. In fact, I find that on a lot of our websites that offer both – a huge portion of shoppers still prefer to use PayPal over entering their credit card numbers on our sites.
5. PCI-DSS Auditing / Compliance
There are countless smaller shops out there that never give PCI-DSS compliance a second thought. Unfortunately, even if you sell 1 item a year, if your site is hacked and that breach results in credit card numbers or other personal information being released into the wild, the Payment Card Institute can, and will come down on you. If your site is established and is a regular part of your revenue stream, then you really have little excuse to ignore PCI-DSS compliance. We don’t have time to go into what all is involved in PCI-DSS compliance in this article, but you can find out more here: Why Comply with PCI Security Standards?
Final Thoughts
The biggest rule of thumb in dealing with your site’s security is to be PROactive and not reactive. Spending half an hour installing that patch is much better than losing days trying to rebuild a site that has been hacked, defaced and trashed. As bad as that is, it can always be worse. If you operate a store and your customers’ data is stolen and used fraudulently – you could be looking at significant liability if they are able to trace the breach back to your site. When you are dealing with eCommerce, security is simply too critical of an issue to take lightly. We hope this has been helpful and again – if you have anything to add or share, please leave a comment! That only makes the article more useful for others.