
Despite the fact that the internet was invented as a medium for sharing cat pics (I swear that’s true), the WWW is far from being all that fluffy and safe. Unfortunately, just like the real world around us, the internet is full of dangers, fraud and black-hooded hackers with thick lenses and malicious intent. And if there’s any money, there’s always someone creeping around to pick-pocket your virtual wallet or shoplift from your virtual store.

Indeed, many store owners have a false sense of security, thinking of hacker attacks as something found only in Hollywood movies and video games. To our regret, the facts show the opposite: online fraud attacks in the U.S. are growing at an alarming rate, causing severe damage to e-store owners. To me, that’s a clear call to action.

Thankfully, it’s always easier to win when defending. Here are a few simple measures for securing your store that will reduce the chances of your business being harmed and help leave those virtual burglars empty-handed.

1. Know your system’s weaknesses

There’s no perfectly safe CMS, obviously, and the first step you need to take in securing your e-business is learning what its weak points are. Most of the vulnerabilities in e-Commerce platforms are known and widely discussed on community forums, the same places where you can find ways of addressing those security holes.

One thing to understand: the more popular your e-Commerce software is, the more likely someone will find a way to exploit it. That’s especially true when it comes to WordPress, a universal CMS which is often criticized for its lack of security. However, WordPress is not poorly designed -- the mere fact that nearly everyone uses it for blogs, websites and stores makes it an obvious target for all kinds of evil computer geniuses.

Talking about WordPress, you also need to know that its internal structure is pretty “stiff” and difficult to modify which, again, makes it more vulnerable. It’s easier to mess around with the internal structure of platforms such as Joomla or Drupal, but no matter what, security through obscurity is not really security.

2. Use HTTP Over SSL

The very first and one of the most important preventative measures to secure your website is to get an SSL certificate. Unlike HTTP, HTTPS is encrypted and known to be a much more secure protocol for exchanging data. It provides a reliable guarantee that the contents of communications between the user and the site cannot be read or forged by any third party, protecting against man-in-the-middle attacks.

In general, an SSL certificate is a must-have nowadays, and anyone can easily check whether it’s there simply by looking at the address bar of the browser. If there’s no httpS, your business automatically becomes a natural target for hacker attacks.


3. Move things out of default locations & use folder level security

Make it harder for anyone to find where your data is by renaming the default folders to something a bit more freakish, like “images” to “zg896x”. It won’t affect the system’s performance, but it will definitely draw a red herring across the path.

Also, implement folder level security. Start by always placing an index.php in the directories of your site to restrict unauthorized folder browsing, and use .htaccess for similar purposes. If you’re using cPanel, add passwords to folders you want to protect by clicking the “Directory Privacy” link in the menu.

4. Protect against SQL injections and XSS attacks

These two are some of the most commonly exploited website vulnerabilities and yet they’re pretty easy to safeguard yourself from.

SQL injection occurs when input containing executable code is passed to an internal service function for processing and causes the service to respond to it. If you’re using PHP, you need to research functions like real_escape_string(), addslashes(), stripslashes() and htmlentities(). When you understand what these functions do and how to use them, you’ll be able to filter most attempts to inject malicious SQL instructions.

Similarly, to avoid XSS attacks you should use htmlentities() and str_replace(). Just create a function that strips out any special characters and converts anything intended as an instruction from outside into raw text. If any of that input contains an HTML instruction, it’ll be rendered harmless.
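The two defenses above, side by side, as an added example that is not code from the original article. It goes one step beyond the escaping functions named in the text by using a PDO prepared statement for the query, and htmlentities() for output; the in-memory SQLite database, the `products` table and the function names are assumptions made for the demonstration.

```php
<?php
// Added example: constructed data; table and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)");
$pdo->exec("INSERT INTO products (name, hidden) VALUES ('Mug', 0), ('Unreleased Lamp', 1)");

// Vulnerable: user input is concatenated into the SQL text, so a quote in
// the input closes the string literal and the remainder is parsed as SQL.
function searchVulnerable(PDO $pdo, string $term): array
{
    $sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" . $term . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the query text is fixed and the input is bound as a parameter,
// so the database only ever treats it as a value to compare against.
function searchSafe(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT name FROM products WHERE hidden = 0 AND name = ?");
    $stmt->execute([$term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// XSS defense: encode on output so markup in user text is displayed as
// text instead of being interpreted by the browser.
function renderComment(string $text): string
{
    return '<p>' . htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed hostile inputs for the demonstration.
$sqlInput  = "x' OR '1'='1";
$htmlInput = '<script>alert("hi")</script>';

printf("concatenated query returned %d row(s)\n", count(searchVulnerable($pdo, $sqlInput)));
printf("parameterized query returned %d row(s)\n", count(searchSafe($pdo, $sqlInput)));
echo renderComment($htmlInput), "\n";
```

With mysqli instead of PDO, the same hardening is done with prepare() and bind_param().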

5. Use POST instead of GET if possible

GET is less secure than POST because the data sent is part of the URL. As a result, it's saved in browser history and server logs in plaintext. Also, users can see what is being evaluated and where, and then use that information to exploit any kind of vulnerability your store may have, which is something you don’t want to happen. So when possible, use POST instead of GET.


6. Set long passwords, not complicated ones

In the hope of creating an unbreakable cipher, users sometimes choose complicated passwords, something like “Uo#%^@gAg2”, which is fairly stupid, to be honest. Most likely, you won’t remember such a password properly, and would need to write it down somewhere (that destroys the whole concept of a reliable password, right?). Moreover, you’d need to put in a lot of effort every time you enter it.

Instead, it’s more reliable to use long passwords, even phrases, something like “Life is meaningless but it’s OK” turned into “Lifeismeaninglessbutit’sOK”. As a result, you have an easy-to-remember password with a solid length of 27 characters, uppercase letters and a punctuation symbol. Unhackable, if that’s not the phrase you pronounce too often 🙂

Online store security requires time, effort, and knowledge. But it’s necessary, just like wearing seatbelts when driving a car: you never know when they might save your life, or business.

P.S. You know what the secret way of securing your store easily is? Using a SaaS e-Commerce platform, the security of which is guaranteed by the cart software provider, not you (yeah, it’s arguable, but hosted solutions are generally considered to be more secure). With Cart2Cart, you can easily move your current shopping cart data to Shopify, BigCommerce, 3dcart and a number of other hosted solutions with advanced security. Start with Demo Migration and check out SaaS solutions by moving a limited number of entities to any of them.