In this article we’ll look at how to secure ecommerce websites.
But first, imagine you ran a local shop.
Would you let people give you fake payment details or let them walk out without paying for stuff?
Or would you switch off the CCTV system and let people help themselves to your stock?
And as for physical security, what about leaving the doors unlocked when you go home at night? Or maybe not bothering to install fire alarms or extinguishers?
When you read it like that I’m sure the answers are ‘No’ to all of the above.
But what if you’re an online retailer? Just because you’re selling online doesn’t mean that you can let your guard down.
These days keeping a close eye on security is vital for online retailers who want to prevent online hacking and keep their Ecommerce website safe.
So if you want to know how to secure your website here are 10 essential security tips.
Upgrade Your Hosting
If you’re hosting with Pickaweb you can ignore this section. 🙂
Why? Simple – because of the way we set up our servers. Here are the highlights:
- Enterprise grade servers with either 10K SAS drives or super fast SSD Drives if you’re using SSD hosting – not slow 7.2K SATA
- Hot-swap drives so we can replace faulty hard drives without downtime
- RAID 10 – data stored across at least 4 hard drives – more expensive for sure but it’s the best option in terms of speed and security
- CloudLinux – to prevent individual clients hogging the server’s key resources like CPU or RAM
- SpamExperts – outgoing email monitored for known Spam/Phishing/Malware signatures – results in good IP Reputation
But if you’re with a host that offers as much disk space and bandwidth as you want and all for a couple of quid a year then guess what?
You’re not alone.
If you’re with a cheap host then you’re probably squeezed in there with thousands of other bargain hunters.
That’s a big issue for you.
Because you’re more than likely hosting with noisy neighbours. Nobody likes them – they’re loud, obnoxious and they generally give the place a bad reputation.
You definitely don’t want that. The chances are that at best they’re lax about updating their software so hackers can exploit them and at worst they’re probably sending tons of spam relating to all sorts of dodgy products and services.
The problem here is that pretty soon the server gets a bad reputation. That means its IP address is probably on loads of blacklists, which means that suddenly your emails don’t get through and your position in the search engine results takes a nosedive.
The beauty of a VPS is that you get full control over the hosting and you’re not sharing with other businesses. They’re also really powerful, so you can have dedicated resources allocated to you that you don’t have to share – things like CPU and RAM.
That means your site will not only be more secure but also much, much faster.
When it comes to security you are in full control, and securing your server, whilst not something you may want to do yourself, is quite straightforward for a server administrator or your hosting company.
Use Secure HTTPS Hosting
HTTPS is the secure form of HTTP which is the protocol that people use when they browse your website.
As an Ecommerce merchant you’re probably using HTTPS for your payment pages, but you might want to consider moving all of your site over to HTTPS to prevent fraud.
There are a couple of important reasons for doing this.
Firstly, HTTPS is now a Google ranking factor. That just means that Google prefers websites that use HTTPS rather than HTTP and will include this when calculating what position to put your website in its rankings. Basically sites that use HTTPS have a better chance of getting a higher ranking which means more visitors.
Secondly, HTTPS is the basic level of website protection you can offer your visitors. It creates an encrypted link between their browser and your web server so that hackers can’t read or tamper with any traffic or data passing between them.
To make the switch to HTTPS you’ll need an SSL Certificate, and you’ll need to install it and make some changes to your site. An experienced Developer can help you with these and they’re not too difficult.
Keep Your Software Updated
Just because your website is up and running doesn’t mean it’s secure. Updating software is an ongoing process.
The reason it’s important is because the software developer will continuously be adding new features and plugging any security issues.
If you’re using a popular Ecommerce tool like Magento, Prestashop or WooCommerce (for WordPress) then you’ll probably find that they issue updates quite regularly.
Often they are quite straightforward to update although from time to time there will be a major release which will require quite a bit of re-working to your site.
Again, if you’re not sure this is something you need to ask an experienced Developer to help you with but the bottom line is you need to keep your software updated.
Basic Administrator Security
Sometimes just making basic changes is all that’s required to deter lazy hackers.
Often they will use automated tools which are designed to exploit elementary security errors, such as leaving the default username or the default URL for the admin area in place.
Slightly more advanced features are things like setting up a whitelist of IP addresses that can access the admin area. That way only you and your developer can access it.
You can also set thresholds so that you are made aware of unsuccessful login attempts or of attempts to access your admin area from non-approved IP addresses.
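The two checks just described (an IP allowlist for the admin area and a threshold on failed admin logins) can be run over your web server’s access log. The script below is an added example, not code from the original post or from any hosting product: the log lines, the allowlisted address ranges, the `/admin` path and the threshold of 3 are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (common log format) for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 200 2048
192.0.2.5 - - [10/Oct/2023:13:57:12 +0000] "GET /shop/products HTTP/1.1" 200 8192
192.0.2.5 - - [10/Oct/2023:13:58:30 +0000] "GET /admin/orders HTTP/1.1" 200 4096
"""

# Hypothetical allowlist: the office network and the developer's static IP.
ADMIN_ALLOWLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.10/32")]
ADMIN_PREFIX = "/admin"          # assumed admin URL; change it from the default
FAILED_LOGIN_THRESHOLD = 3       # alert at or above this many failed logins per IP

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def is_allowed(ip: str) -> bool:
    """True if the client IP falls inside one of the approved ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)

def audit_admin_access(log_text: str) -> dict:
    """Return IPs that touched the admin area without being approved and
    IPs whose failed admin logins reached the threshold (checked separately,
    so an approved address that is being brute-forced is still flagged)."""
    failed = Counter()
    unapproved = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that don't parse
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if not path.startswith(ADMIN_PREFIX):
            continue                      # only the admin area is of interest
        if not is_allowed(ip):
            unapproved.add(ip)
        if method == "POST" and path == ADMIN_PREFIX + "/login" and status in (401, 403):
            failed[ip] += 1
    brute = {ip: n for ip, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD}
    return {"unapproved_ips": sorted(unapproved), "failed_login_ips": brute}

if __name__ == "__main__":
    print(audit_admin_access(SAMPLE_LOG))
```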
Also don’t forget local security. Make sure you increase security on your company’s internal network by using a physical firewall and being careful with wifi connections.
Perform Regular Backups
If you get hacked that’s bad enough but you can recover from it.
But losing data is often not something you can recover from.
And remember – your data is your responsibility. It’s your property and so you need to be 100% sure it’s being backed up.
You can always run manual backups for your data but the trouble here is that it’s time consuming and there’s the possibility that you won’t do it for whatever reason. The last thing you want is to find that the most recent backup you have is from 3 months ago – that’s no use to anyone.
The best way is to use an automated backup service so you can set and forget it, safe in the knowledge that you will always have a backup of yesterday’s data at the latest.
Don’t Store Sensitive Data
When we’re talking sensitive data we really mean card payment data.
Some ecommerce tools will offer the ability to store card details but you’re strongly advised to avoid using this feature.
A better option is to use a third-party payment solution that processes the transaction on its own secure servers and holds the card details there. Those stored details can then be used for repeat payments if required.
That way you get a high degree of security as well as the option of offering your clients a convenient way to order more from you without having to constantly enter their card details.
Use Fraud Prevention Geo-Location Software
Often hackers will obtain details of stolen cards from one country and test them from another country.
So if they target you then you can stop this dead in its tracks using geo-location anti-fraud software, which compares the cardholder’s address with the IP address of the person placing the order. It then calculates a risk score which enables you to decide whether or not to investigate the order further.
For example if you’re not sure you could run telephone checks or ask for proof of ID before fulfilling the order.
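As an added illustration of the risk scoring just described (not code from the original post or from any fraud-screening product), the script below compares the billing country of the card with the country of the ordering IP and also, going one step beyond the text, with the shipping country. The IP-to-country table, the point values and the review threshold of 50 are all constructed assumptions; a real service would use a proper geolocation database.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for a geolocation database (documentation ranges only).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "GB"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "NG"),
]

REVIEW_THRESHOLD = 50   # assumed: scores at or above this get a manual check

def country_for_ip(ip: str) -> Optional[str]:
    """Country code for an IP, or None when the location is unknown."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None

def risk_score(order: dict) -> int:
    """Score an order from the mismatch between the cardholder's billing
    country, the country of the ordering IP and the shipping country."""
    score = 0
    ip_country = country_for_ip(order["ip"])
    billing = order["billing_country"]
    shipping = order.get("shipping_country", billing)
    if ip_country is None:
        score += 30     # cannot verify where the order was placed from
    elif ip_country != billing:
        score += 50     # card from one country, order placed from another
    if shipping != billing:
        score += 25     # goods going somewhere other than the cardholder's address
    return score

def decision(order: dict) -> str:
    """'review' means run telephone or proof-of-ID checks before fulfilling."""
    return "review" if risk_score(order) >= REVIEW_THRESHOLD else "accept"

# Constructed sample orders.
ORDERS = [
    {"id": 1, "ip": "203.0.113.25", "billing_country": "GB"},
    {"id": 2, "ip": "192.0.2.77", "billing_country": "GB", "shipping_country": "NG"},
    {"id": 3, "ip": "198.51.100.9", "billing_country": "US", "shipping_country": "CA"},
]

if __name__ == "__main__":
    for order in ORDERS:
        print(order["id"], risk_score(order), decision(order))
```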
Use Hacker Protection Software
Aside from an SSL Certificate how do you know a website is secure?
Fortunately there are various types of hacker prevention software.
They all work in a similar way: they scan your website for Malware and, depending on the level of service you have, they scan more or less frequently and either help you remove the Malware or remove it automatically.
Displaying a website security seal prominently on your website helps your customers see that the site is safe, shows that you take security seriously and indicates that your website is Malware free.
Create A Security Manual
Having a written set of security policies and procedures is the first line in your battle to keep your website and your business secure.
Things like password procedures or physical security such as what happens if equipment is lost or stolen are just as important as online security.
How to deal with a possible fraudulent order should also be documented, so that your staff know exactly how to handle these types of issues rather than making it up as they go along.
Use A Content Delivery Network
A Content Delivery Network (CDN) is a geographically dispersed set of servers which stores copies of your website’s pages in their systems.
Their main role is to present your pages to people from the server that is closest to their physical location so that they enjoy a fast browsing experience.
But CDNs also have a security element built into them because they learn to recognize patterns of malicious traffic and Malware and can protect your site from them.
Wrap Up – Think Of Layers Of Security
We’ve looked at a number of ways of improving security and the key takeaway is that security is multi layered. There is no one single magic bullet that will secure your website.
Make sure that your hosting platform is secure and free from noisy neighbours. Switching to secure HTTPS and keeping your software up to date are the basic table stakes these days.
Also make sure you keep your files backed up so you are ready for the worst-case scenario.
But good old manual processes and common-sense actions like changing default logins will also help you secure your ecommerce website.