
Episode 6: Ecommerce Website Security

Last week we covered the topic of SSL certificates and trustmarks, so this week we’ll be digging deeper into Ecommerce Security.

Why is Ecommerce Security important for SEO?

They’re intertwined – Google doesn’t want to list compromised websites in their search results. So if your website gets hacked and has some sort of malicious software on it, then you’re going to have your website removed from their index. You won’t be getting any SEO traffic, because Google doesn’t want to send people to potentially dangerous websites.

People can also inject links into your website, so you’ll end up linking to some very dodgy websites or have really bad content placed on your site, that you don’t really want to have associated with your brand.

How do businesses keep their Ecommerce website secure?

It can be broken down into four key areas:

  1. Password Security
  2. Plugin or Addon Security
  3. Server Security
  4. Infrastructure Security (such as domains, DNS and email)

How can I improve my Password Security?

The number one security issue for websites is Password Security. You or your staff might voluntarily give your password to someone, thinking that a link you clicked or were emailed goes to a genuine login page (called a phishing attack). Or you might have a really weak password and attackers can do something called a “Brute Force Attack”. This is where they use a list of passwords, prioritized by how commonly used they are, or how likely they’re going to be used by you.

You might think that the name of your favourite football team is a very unique password, but that is bound to be one of the passwords that these hackers are going to be using. And they can just try these passwords automatically using their own software, on your Shopify login page or Magento admin page.

Most people think that their passwords are secure, but they’re often not. If you can remember your password, it’s probably not secure enough, you want it to be 32+ random characters (uppercase letters, lowercase letters, numbers and symbols).

I really recommend using a password manager. It’s a piece of software such as 1Password or LastPass, where it generates and stores secure passwords for you. So you can create a unique password for every website, then keep them safe in an encrypted vault. It means that you only have to remember a single password, which unlocks your vault. They usually work across all of your devices. So your mobile phone, every web browser, every computer that you use.

Where possible, also make sure that all of your staff are using strong passwords (and password managers) as well. You could have the strongest password in the world, but if there’s someone else with an admin or staff account on your Ecommerce store, then those accounts could be compromised as well. Enforce a Password Policy, such as a minimum of 20 or 30 characters, no real words, no dates, no places. Make it part of your business policy, that staff have to adhere to.

You can enforce Password Policies on most of the Ecommerce platforms out there. If you use WooCommerce for example, you can install a WordPress plugin called Wordfence. It’s an amazing security plugin that’s free, or you can pay $99 a year for a few extra features. It allows you to enforce strong passwords on these admin accounts and the higher privilege accounts. It also allows you to add something called Two Factor Authentication to WordPress.

What is Two Factor Authentication?

It’s a security practice that requires two types of authentication, before you’re allowed to log into an application. The first type of authentication is your normal password and the second type is a random password or number, that you don’t know (but carry with you).

The random password could be generated by a mobile app, such as Google Authenticator or Authy. It could be a text message / SMS that gets sent to a verified mobile/cell phone number, or it could be a physical key fob, such as a YubiKey. You might already have one for your online banking. 1Password's app also supports Two Factor Authentication.

Even if you tell someone your password or someone guesses it, they still need to have access to your physical device to generate the 2nd random password to log in.

If you’re using WooCommerce, the Wordfence plugin I mentioned before, can add 2FA (Two Factor Authentication) to your website. Shopify and Bigcommerce have 2FA available, but you have to enable the feature. That’s the thing – you have to go into your security settings and make sure that you enable these features, they’re not enabled by default. Magento, since version 2.4, has 2FA built into it as well, but it’s also disabled by default. If you’re using OpenCart or Prestashop, there are paid plugins for 2FA out there.

So remember to enable it and also get all staff to enable 2FA on their accounts. Don’t trust your dev or design agency either. Even if you think that they’re the most tech-savvy people in the world, they’re just as likely to have security breaches as you are. So enforce these security policies on third parties as well.

You really have to cover yourself for human error in these circumstances.

What about Plugin/Addon security?

People assume that Plugin security is just an issue for self-hosted Ecommerce platforms, such as Magento. But you can have just as many issues with SaaS platforms as well. So if you install addons for platforms like Shopify and Bigcommerce, they can be just as hackable.

A majority of plugins are built by a single web developer and sometimes they’re built just as a hobby in their spare time. There’s no qualification that you need, to create these plugins. It could be the first thing the person has ever coded.

In fact, the first piece of PHP that I coded was affiliate management software, called PHP Affiliate. I made the code open source and it was the first PHP script of its kind. The software got over a quarter of a million downloads and that’s quite a lot back in the day that I created it. But, I hadn’t learnt about PHP security yet – I was literally halfway through my “Learn PHP” book when I released PHP Affiliate. It ended up having a big security hole in it, which was reported across all the major security websites. A lot of people had this software installed on their site. I managed to fix the security hole, but it was still scary. I was still in school when I coded it – you never know who is creating these plugins or how experienced they are. So just be careful before you click install and add something to your site.

Even the big commercial plugins can have security issues. Some of the biggest plugins that you can think of have had a security issue at some point. A friend alerted me to one such case, where he was looking at a set of Google search results and found loads of Shopify order confirmation pages, that had been indexed in Google. You could click through and see someone else’s order. It included the buyer’s name, address, email and even every single item which they’d ordered. My friend asked me why this was, and I traced it back to a very popular Shopify add-on for post-purchase upsells. Hundreds of Shopify sites were affected because this was a very popular commercial plugin. I reported the issue to Shopify and the plugin author, then emailed every end customer that was affected by this, letting them know that their personal data was published on the internet. It’s not the fault of the Ecommerce store themselves – they didn’t know that the plugin was badly coded. Even though Shopify does have a big security team, if you have addons installed on your shop, there’s nothing stopping those addons from having these security issues, which Shopify isn’t responsible for. You want to make sure that your customers feel safe and stay safe.

How do you know which plugins/addons are safe?

The safest plugins are the ones built by the Ecommerce platform themselves. WooCommerce build their own plugins and Shopify do the same. These are going to be the safest because the companies have big teams managing code compliance and security, plus they know the platform inside out.

Usually, before you install a plugin, you can see when it was last updated or which version of your Ecommerce platform it supports. This is a good indication of how well maintained it is.

If you have a web developer that works in your company, ask them to read through the source code of the plugin as well, to make sure there aren’t any obvious security flaws in it.

The most important thing to do, though, is to have as few plugins as possible. The fewer plugins, the better. Sometimes all that these plugins do is a small design tweak or add a small feature onto your site, that could actually be done with a few lines of code. So before you install 20 different plugins to do small tweaks to your site, get a quote from a freelance designer or developer, to create these as a custom plugin for you.

I’ve logged into some WooCommerce stores before, that had over 30 plugins installed! It slows down the whole site and each one adds an extra security risk or potential security exploit. I’ve replaced 20 WooCommerce plugins with a single tiny plugin before, because public plugins try to do everything for everyone. Whereas if you custom build a plugin, you can just implement the specific thing that you need.

Every single plugin is a potential target or potential backdoor.

How do hackers know which plugins you have?

Most plugins leave clues in your code. That could be comment tags in your HTML that advertise plugins such as Yoast’s WordPress SEO plugin. You get “Generator” meta tags, which tell people which version of WordPress you’re using. Plus most plugins create custom CSS or JavaScript files, using the same URL/naming pattern.

All of these are “footprints” and hackers can use specialist search engines such as NerdyData and Shodan, to search the source code of websites and find these footprints. Or you could even find them using Google, with a few different commands to isolate which pages have a specific URL pattern. So if someone finds one exploit in a plugin, they can then find hundreds of sites with that plugin and the same security issue.
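Here is an added example (not from the podcast) of what "footprinting" looks like in practice: a small scanner that pulls the generator meta tags, plugin and theme asset paths with their `?ver=` numbers, chatty HTML comments and version-leaking response headers out of a page, then turns each plugin found into the `inurl:` Google query an attacker would use to find every other site running it. Run it against your own storefront and anything it reports is something to hide. The sample HTML, headers, hostnames and version numbers are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: what a scanner (or you, checking your own shop) would fetch
# from a WooCommerce storefront. Hostname, versions and plugin names are made up.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.8.1" />
<meta name="generator" content="WooCommerce 5.7.0" />
<!-- This site is optimized with the Yoast SEO plugin v17.2 - https://yoast.com/wordpress/plugins/seo/ -->
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=5.7.0" />
<script src="https://shop.example/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.2"></script>
<script src="/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=5.5.2"></script>
<link rel="stylesheet" href="/wp-content/themes/storefront/style.css?ver=3.9.1" />
</head><body>Welcome to the shop</body></html>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
ASSET_RE = re.compile(r'/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^"\'\s>]*')
VER_RE = re.compile(r'[?&]ver=([^&"\'\s>]+)')
COMMENT_RE = re.compile(r'<!--(.*?)-->', re.S)
LEAKY_HEADERS = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}


def fingerprint(html: str, headers: dict) -> dict:
    """Collect every footprint a page gives away: platform, plugins, themes, versions."""
    components = defaultdict(set)            # "plugin:<slug>" -> {versions seen}
    for generator in GENERATOR_RE.findall(html):
        name, _, version = generator.partition(" ")
        components[name.lower()].add(version or "unknown")
    for match in ASSET_RE.finditer(html):
        kind, slug = match.group(1), match.group(2)
        version = VER_RE.search(match.group(0))
        components[f"{kind[:-1]}:{slug}"].add(version.group(1) if version else "unknown")
    comment_leaks = [c.strip() for c in COMMENT_RE.findall(html)
                     if re.search(r'plugin|theme|version|v\d', c, re.I)]
    header_leaks = {k: v for k, v in headers.items() if k.lower() in LEAKY_HEADERS}
    return {
        "components": {k: sorted(v) for k, v in components.items()},
        "comment_leaks": comment_leaks,
        "header_leaks": header_leaks,
    }


def search_queries(findings: dict) -> list:
    """The pivot from one site to hundreds: a Google inurl: query per plugin found."""
    return [f'inurl:"/wp-content/plugins/{name.split(":", 1)[1]}/"'
            for name in findings["components"] if name.startswith("plugin:")]


if __name__ == "__main__":
    result = fingerprint(SAMPLE_HTML, SAMPLE_HEADERS)
    for name, versions in result["components"].items():
        print(f"{name:28s} {', '.join(versions)}")
    print("comments:", result["comment_leaks"])
    print("headers: ", result["header_leaks"])
    print("dorks:   ", search_queries(result))
```

Asset paths are the footprint that is hardest to remove, because the plugin's files have to be served from somewhere; what you can do is stop the `?ver=` query string and the generator tags being emitted, and turn off `Server` and `X-Powered-By` on the web server. With a version number next to a plugin name, an attacker does not even have to probe: they look the version up and go straight to the known exploit.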

What about server security?

It’s mostly an issue for the self-hosted Ecommerce sites, like Magento or WooCommerce. Your best defence is hiding as much information about your “stack” (software) as possible.

I’d really recommend using Cloudflare, which is a CDN and firewall technology company. You just point your domain name at them and they hide your server’s real IP address and details so that it’s harder for hackers to find. It also adds a web application firewall, which stops the most common types of security attacks on your website – plus gives you a free CDN. So it makes your images load faster and directly from their local “PoPs” (datacenters).

I’d also recommend activating the firewall on the server itself and blocking every port apart from the essentials (80/HTTP, 443/HTTPS, 22/SSH). I sometimes change the ports for SSH and FTP as well, so it’s harder for hackers to try and get into your server. There’s a free package for Linux called fail2ban that I’d recommend installing. It will basically limit the number of login attempts someone can have, and you can get alerts when somebody tries to login.

You also want to stop your web server, Magento, WordPress, WooCommerce, plugins etc advertising themselves in your HTML and server headers. Perhaps choose a different plugin if you can’t turn off these adverts.

Keep your software updated and give everyone a unique FTP and server login. Don’t give the same FTP or server login to every person that works in your company. Delete or disable user accounts as soon as that person stops working for you.
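As an added example (not from the podcast, and not fail2ban's own code), this is the logic fail2ban applies to the SSH login attempts mentioned above, replayed over a constructed `auth.log` excerpt: count failures per source address inside a sliding window (fail2ban's `findtime`), ban the address once it hits `maxretry`, and lift the ban after `bantime`. The log also shows what the brute-force password lists from the password section look like from the server side: one address walking through `root`, `admin`, `magento`, `deploy` and `ubuntu` a few seconds apart. The log lines, hostnames and addresses are made up; the `iptables` rule returned by `ban_command` is the generic form, not fail2ban's exact action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt in OpenSSH's syslog format (no year in the stamp).
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:01 shop sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 09:14:03 shop sshd[2201]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 09:14:05 shop sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 09:14:08 shop sshd[2203]: Failed password for invalid user magento from 203.0.113.7 port 51237 ssh2
Mar  3 09:14:11 shop sshd[2204]: Failed password for invalid user deploy from 203.0.113.7 port 51238 ssh2
Mar  3 09:14:12 shop sshd[2204]: Failed password for invalid user ubuntu from 203.0.113.7 port 51239 ssh2
Mar  3 09:20:40 shop sshd[2310]: Failed password for alice from 198.51.100.9 port 40011 ssh2
Mar  3 09:20:55 shop sshd[2310]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
Mar  3 10:30:00 shop sshd[2500]: Failed password for root from 203.0.113.7 port 52001 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)')


def detect_bans(log_text: str, year: int = 2021, maxretry: int = 5,
                findtime: int = 600, bantime: int = 3600) -> list:
    """Replay the log in order; return ("ban"|"drop", timestamp, ip) events.
    "drop" marks an attempt that arrived while the address was banned (with a real
    firewall rule in place that packet would never have reached sshd)."""
    failures = defaultdict(deque)      # ip -> timestamps of failures inside findtime
    banned_until = {}                  # ip -> datetime the ban expires
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # not a login result line
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until:
            if ts < banned_until[ip]:
                events.append(("drop", ts.strftime("%Y-%m-%d %H:%M:%S"), ip))
                continue
            del banned_until[ip]       # bantime elapsed, start counting afresh
        if m["result"] != "Failed":
            continue                   # successes do not count towards a ban
        window = failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()           # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
            events.append(("ban", ts.strftime("%Y-%m-%d %H:%M:%S"), ip))
    return events


def ban_command(ip: str) -> str:
    """Generic firewall rule for a ban (illustrative; fail2ban uses its own chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for kind, when, ip in detect_bans(SAMPLE_AUTH_LOG):
        print(f"{when} {kind:4s} {ip}" + (f"  -> {ban_command(ip)}" if kind == "ban" else ""))
```

Two things the replay makes visible that a single log line does not: the legitimate user who mistypes once and then logs in with a key is never touched, and the attacker who comes back after the ban expires starts from zero, which is why fail2ban has a separate "recidive" jail with a much longer `bantime` for repeat offenders. Moving SSH to a different port, as suggested above, cuts the noise but does not change this logic.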

Are there any other areas of weakness that we should be thinking about?

Your domain name itself can actually be overlooked quite a lot. How secure is the password to your domain registration provider? Who knows that password and do old employees still have access to it? If someone has access to your domain registrar login, they can do anything to your website. They can point your domain name at a different website or web server, to display whatever they like. So that’s actually a huge security weakness for many.

It’s the same with DNS and web hosting logins as well. Who has your Cloudflare login? Who has your web hosting logins? All of these are actually bigger security threats than the Ecommerce software itself.

Email accounts are an even bigger risk. There’s no point in having a really secure Shopify account if you’ve got a weak email password. A hacker can simply request a new password from Shopify and you’ll get emailed a link to reset the password. If they can hack your email account, they can get access to that special URL and reset your password. So enforce tight security passwords on every email account and every member of staff.

Don’t let staff use their email password for anything else either. If they use a specific password for their email account, don’t let them then use the same password for Twitter, Facebook or any other website they use. If those other websites get hacked, then hackers will also get access to the person’s email account. If your details have been leaked from another website, hackers will store your username and password, and then try to use that same login for your email account and other websites. So be careful of that as well.

Register your email address at Have I Been Pwned?. You can get notified when your email or details get breached on other people’s websites. Whenever there’s a public release of information or someone shares a password list on the dark web, you get notified if your details are in there. Also if you’re an admin for your company’s domain name or email account, then you can actually get notified about any staff member whose details have been compromised as well. But you have to be discreet with this. I used to work at a company where we uncovered a few staff who were using their work email addresses on Ashley Madison, which is a dating site for cheating. So you want to be as discreet as possible, but also remind your staff not to use their company email accounts for anything personal.

If you have the revenue to justify it, do a mini security audit of your website with a professional security auditor. Do penetration testing at least once a year, to look at whether there are potential ways to exploit your website that you don’t know about. If you don’t have the money or resources to get a professional security audit, do an audit yourself – see if you’ve got any old user accounts with staff/admin permissions, old email accounts that have access to your domain or DNS accounts. Does everyone in your team really need to have admin access? Maybe reduce the permissions on certain users, if they don’t need to have them. Ask everyone in your company to reset their password NOW and make sure that they know your new password policy about not using the same passwords on multiple websites. Do you need every single plugin that’s installed? Can it be replaced with a few hours of design or dev time? You know, so these are the things which I’d be looking at.
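The "has this password already leaked" check can be automated at the point where staff set a new password, using the Pwned Passwords part of Have I Been Pwned. This added example (not from the podcast, and not HIBP's own client) shows the k-anonymity lookup the service is built on: the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent, and the matching is done on your side against the few hundred suffixes the API returns, so neither the password nor its full hash ever leaves your machine. The range endpoint URL is the real one; the offline response used for the demonstration is constructed, including the breach count for "password", and the 20-character minimum comes from the policy suggested earlier in the episode.

```python
import hashlib
import urllib.request
from typing import Callable, Optional, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-hex-char prefix that is sent to
    the API and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = hash_prefix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)        # a padding entry carries count 0, so it is never a hit
    return 0


def reject_reason(password: str, fetch_range: Callable[[str], str],
                  min_length: int = 20) -> Optional[str]:
    """Combine the length policy from the episode with the breach check."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    seen = pwned_count(password, fetch_range)
    if seen:
        return f"seen {seen} times in known breaches"
    return None


def fetch_range_live(prefix: str) -> str:
    """Real request to the Pwned Passwords range API (not exercised in the demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "shop-password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Constructed stand-in for the API response: the suffixes and counts are made up,
    except that the suffix of 'password' is included so the lookup can be shown."""
    _, password_suffix = hash_prefix("password")
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{password_suffix}:3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0",
    ])


if __name__ == "__main__":
    for candidate in ["password", "correct-horse-battery-staple-99"]:
        print(repr(candidate), "->", reject_reason(candidate, fetch_range_offline) or "accepted")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the function signature is the same so the rest of the code does not change. If you do run it live, ask for padded responses (the API supports an `Add-Padding: true` request header) so that the size of the reply does not reveal which prefix was queried.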


Please Note: The content above is a semi-automated transcription of the podcast episode. We recommend listening (and subscribing) to the podcast, in case any of the content above is unclear.
