GlobalSign Blog

13 Jan 2017

How to Make an Ecommerce Website Secure

Imagine you run a local store in a shopping mall.

What would be the basic level of security in place?

You’d probably have secure doors with locks, CCTV cameras, alarm systems - that type of thing.

Most of these are visible security that most people can relate to and understand.

But what if you’re an online retailer? You’re not dealing with traditional shoplifters now. You’re up against potentially sophisticated hackers who have the upper hand when it comes to their knowledge of the weaknesses of online stores.

Put simply, they’re constantly looking for areas they can exploit.

But they’re not your typical thief looking to steal a few items and sell them on to the local black market.

They’re after something far more valuable - data. Whether that’s credit card details or your customer’s ID, your Ecommerce store and your business are at risk unless you take the necessary action to secure it.

So we’ve prepared these simple tips that can help you protect your Ecommerce site and your business...

Choose Ecommerce Hosting

You’ve probably made quite an investment in building your website. Designing, building, optimizing and promoting a website costs money.

But are you risking it all by choosing a low cost hosting option?

The simple fact is that these days you are spoilt for choice when it comes to hosting. But don’t be tempted by promises of super cheap hosting. Often it’s a false economy.

In fact, it’s a bit like building a racing car and fitting it with bicycle wheels.

If you’re on a shared hosting service with hundreds of thousands of other users, then you could end up in a ‘noisy neighborhood’. And nobody likes noisy neighbors. They’re rude, anti-social and they tend to bring the tone of the neighborhood down.

If you’re on one of these ‘eat as much as you can for a dollar’ servers, can you be sure your host is investing in security? I doubt it. The chances are your server’s IP address will be constantly blacklisted.

Probably the best option for serious Ecommerce retailers is a Virtual Private Server. This balances superb, scalable performance with reasonable costs and excellent security customization options.

Setting up your server for security is quite straightforward and if you can’t manage it yourself, then usually a reputable host will offer a managed server service for you.

Switch to HTTPS

Until recently, using secure HTTPS hosting with an SSL Certificate was generally reserved for the payment area of your site. That’s obviously still the case, but gradually website owners are making the shift to securing their entire websites.

A major initial driver of this was the fact that Google stated in 2014 that they were doubling down on security and were including HTTPS as a ranking factor. Further contributing to the shift are announcements that browsers are going to start penalizing HTTP sites. Google recently said they have long term plans to mark all HTTP sites as non-secure and Mozilla said something similar back in 2015.

If you want to switch to HTTPS, you’ll need to choose an SSL Certificate first. You can purchase one from your hosting company or a reputable SSL vendor.

Normally, they will help you to install the SSL Certificate, but then you need to run through a number of steps to switch your site to HTTPS, such as updating internal links in your site, setting up a 301 redirect from HTTP to HTTPS, updating links in transactional emails, etc.
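The “updating internal links” step is where HTTPS migrations usually go wrong: a single hard-coded http:// image or script left in a page triggers mixed-content warnings. The following is an added example (not from the original post) that audits a page for internal links still pointing at http:// and proposes the https:// rewrite; the hostname shop.example and the sample page are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "shop.example"            # assumed hostname of the store being migrated
URL_ATTRS = {"href", "src", "action"}  # attributes that carry URLs

class LinkCollector(HTMLParser):
    """Collects every URL found in href/src/action attributes."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)

def to_https(url):
    """Rewrite an http:// URL to https://, keeping host, path, query and fragment."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))

def find_insecure_links(html, site_host=SITE_HOST):
    """Return (old, new) pairs for internal links that still point at http://.

    Relative links are already fine (they inherit the page's scheme), and
    third-party URLs are left alone here because you cannot rewrite them
    without checking that the third party serves HTTPS.
    """
    collector = LinkCollector()
    collector.feed(html)
    return [(u, to_https(u)) for u in collector.urls
            if urlsplit(u).scheme == "http" and urlsplit(u).hostname == site_host]

# Constructed sample page; the URLs are made up for the demonstration.
SAMPLE_PAGE = """
<html><body>
  <a href="http://shop.example/checkout?step=1">Checkout</a>
  <a href="https://shop.example/account">Account</a>
  <a href="/cart">Cart</a>
  <img src="http://shop.example/img/logo.png">
  <script src="http://cdn.partner.example/widget.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for old, new in find_insecure_links(SAMPLE_PAGE):
        print(f"{old} -> {new}")
```

Run it over every template and CMS page export before flipping the 301 redirect on, and treat any remaining third-party http:// resource as a separate item to check with that vendor.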

Overall, using an SSL Certificate is the basic price of admission when it comes to online security these days and it seems it will only become more important as browsers begin to take action against HTTP sites.

Choose A Secure Platform & Keep It Secure

There are loads of Ecommerce platforms to choose from these days. You need to be sure that your choice of Ecommerce platform not only performs how you want it to, but that it has a good reputation for security and updates itself regularly.

Tools like Magento, WooCommerce and PrestaShop are all really popular Ecommerce platforms, but popularity comes at a price. Hackers are always looking for vulnerabilities in these tools so patches and security updates are constantly being made available.

The key point here is to not just assume that once your site is live that it doesn’t need to be maintained and updated or that it’s the developer’s, designer’s or web hosting company’s responsibility.

Ultimately you are responsible for security and even if you are not a technical person, you need to be sure that someone on your team, whether internal or via a supplier or partner, is covering your back.

Be sure to keep an eye on the software provider’s site to check for updates, and confirm with your security expert that these are being applied to your site.

Arguably the best option though is to use a comprehensive Ecommerce security application that will not only protect against the most common vulnerabilities, but also check the vendor’s site to ensure that you are running the most up to date version.

Secure Your Admin Area

One of the simplest and cheapest ways to improve your site’s security is to protect your admin area.

If you use a common Ecommerce platform like Magento or WooCommerce (based on WordPress), then it will have a default admin area. Just by changing this default you can deter most lazy hackers, who are just looking for easy targets.

One really important point is to change the default administrator username. Hackers are looking for easy targets - if you use the default username like ‘admin’ then you’re a sitting duck. Make your login credentials original and difficult to crack.

Also you can restrict access to the admin area by setting up a ‘whitelist’ of IP addresses which your server administrator controls so that access to the admin area is only permitted to known IP addresses.

Finally, set up your admin area to notify the administrator when a particular threshold has been passed, such as failed login attempts or login attempts from unknown IP addresses.
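As an added example (not from the original post) of the whitelist and notification threshold described above, this script reads web-server access logs in Common Log Format and reports any admin-area request from an IP outside the whitelist, plus any IP that fails the login POST more than a set number of times. The /admin path, the 401/403 failure codes, the whitelisted networks and the log lines are all constructed assumptions; adjust them to your platform.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed whitelist: networks your server administrator allows into /admin.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
ADMIN_PATH = "/admin"               # assumed location of the admin area
FAILED_LOGIN_THRESHOLD = 3          # notify once one IP fails this many times
FAILED_STATUSES = {"401", "403"}    # assumed status codes for a rejected login
# Common Log Format: host ident authuser [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2017:09:12:01 +0000] "POST /admin/login HTTP/1.1" 302 512
192.0.2.44 - - [13/Jan/2017:09:12:03 +0000] "POST /admin/login HTTP/1.1" 401 312
192.0.2.44 - - [13/Jan/2017:09:12:04 +0000] "POST /admin/login HTTP/1.1" 401 312
192.0.2.44 - - [13/Jan/2017:09:12:06 +0000] "POST /admin/login HTTP/1.1" 401 312
198.51.100.7 - - [13/Jan/2017:09:13:10 +0000] "GET /admin/dashboard HTTP/1.1" 200 9021
203.0.113.9 - - [13/Jan/2017:09:14:00 +0000] "GET /product/42 HTTP/1.1" 200 4410
"""

def is_whitelisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def analyse(log_text):
    # Returns {ip: [reasons]} for admin-area traffic worth notifying about.
    failures, unknown_ips = Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if not path.startswith(ADMIN_PATH):
            continue                            # storefront traffic is ignored
        if not is_whitelisted(ip):
            unknown_ips.add(ip)
        if method == "POST" and status in FAILED_STATUSES:
            failures[ip] += 1
    alerts = defaultdict(list)
    for ip in sorted(unknown_ips):
        alerts[ip].append("admin request from non-whitelisted IP")
    for ip, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts[ip].append(f"{n} failed admin logins")
    return dict(alerts)

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {'; '.join(reasons)}")
```

Hook the output up to whatever notification channel the administrator already watches; the point is that an alert fires on the first out-of-policy request, not after the customer database is gone.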

These are surprisingly simple and cheap, but effective steps.

Backup Your Data Regularly

Imagine waking up to find that your site has been hacked!

What a bad feeling - you’re in for a bad day.

But can you imagine how you’d feel if your site hadn’t been backed up?! Things just went from bad to worse.

And don’t forget that data loss can happen due to hardware failure or simple human error (it happens).

The simple fact is that you can never be too careful when it comes to backing up your data. And remember - it’s YOUR responsibility.

Don’t assume it’s up to your hosting company or your web designer. Your data is your property and therefore your responsibility.

There are manual ways to backup your data, but the danger here is that it gets forgotten or you fall out of the habit of doing it regularly and the latest one available is from two or three months ago. That’s no use to anyone.

The best solution is a fully set it and forget it automatic backup service. This means you can sleep safe in the knowledge that your data is backed up, safe and up to date.

Never Hold Client Card Data

Some Ecommerce platforms will come with the ability to accept your clients’ card details and store them. This is something you should NEVER do.

Not only is it bad practice, but it could land you a heavy fine if your systems are compromised.

Ideally you should use the services of a payment gateway provider who provides this service for you and keeps the payments off your site. They have the highest levels of security for managing this type of sensitive data.

If you are just starting out and you are on a tight budget, then services like PayPal will allow you to hit the ground running. Aside from anything else, some customers just prefer to use PayPal, so it’s good to give them the choice.

Of course, it’s good practice to aim for Payment Card Industry Data Security Standard (PCI DSS) accreditation.

To become PCI-DSS compliant, your website needs to guarantee the integrity of your customer’s financial data and you need to implement strong access control throughout your website.

Use GeoLocation Anti-Fraud Software

Hacking is not a local issue - it’s global.

Attempts to use stolen card details could involve cards being stolen in one part of the world, which are then sent electronically to the other side of the planet and used to try to perpetrate online fraud.

Aside from the fact that you could lose revenue by sending out products for fake orders and start picking up chargebacks, the LAST thing you want is to be identified as a soft touch for fraudsters.

One way of addressing this issue is to use a GeoLocation Anti Fraud tool. These tools provide a real-time fraud score, which is available to the merchant to determine the level of risk of any particular transaction.

The algorithm looks at a number of criteria around the IP address of the order, takes into account popular cloaking methods such as the use of proxies, and compares this with its database of billions of transactions to create a unified Fraud Risk Score.

If you’re unsure, it gives you the opportunity to either refund the order or run some further manual checks.

Which brings me very nicely on to…

Create Manual Security Policies & Procedures

Never underestimate the effectiveness of solid manual procedures.

For example, let’s take the example above where you receive an order that has a high Risk Score, but it looks OK to you.

What do you or your team do? Well, you could either a) go on ‘gut instinct’ or b) do some further investigation.

I’d recommend option b). And this is where your Security Policies & Procedures should come into play.

Even if the thought of processes and procedures gets you yawning, just consider that this could be as simple as phoning the client using the number provided. If they aren’t available, you could send an email asking for one or two pieces of identification.

You just need to find the right solution for your circumstances.

But you can also extend these to things like password policies and physical security, such as what to do about lost or stolen laptops that are used to access your system.

Multi Layered Security

There is no magic bullet that will secure your site; therefore, ideally you should look at several different layers of security.

You could start with a firewall. You could use a physical firewall or a web application firewall depending on your budget. As a minimum, these offer a first line of defense against the most popular hacks, such as SQL injection or cross-site scripting.

You can also enhance your site by using a Content Delivery Network (CDN), which is a geographically dispersed set of servers which store copies of your website’s pages.

One security advantage of a CDN is that it ‘learns’ to recognize malicious traffic and prevents it from reaching your site.

Another advantage is that a CDN can absorb Distributed Denial of Service (DDoS) attacks.

Alternatively, you can also mitigate DDoS on the server itself using free, open source software.

Wrap Up

Security is not free, but it’s cheaper than getting hacked.

Ultimately, there is no one unified solution to make an Ecommerce site sound and secure.

The optimum solution is one which takes into account the right choice of software and hosting platform and keeping everything up to date and secure.

But also be ready for bad news. Make sure you keep your site automatically backed up.

Look at a layered approach by using different tools but also don’t forget that good old written procedures play an important role in keeping your site safe and secure.
