The holidays are fast approaching and it’s time to make sure your site is up to snuff! With the changes to compliance over the last year, there are some privacy issues that you should definitely be concerned about if you’re collecting your customers’ information on your site.
At the end of your check up, you should be able to answer these 10 questions:
1. Is my store on the right platform?
2. Is my store on the right web host?
3. Is my shop PCI-DSS compliant?
4. Do I collect too much data on my customers?
5. Am I encrypting communication between my customers and my store?
6. Are my customer accounts secure?
7. Is the software running my online store up to date?
8. Am I regularly visiting the front-end of my site?
9. Am I using a CDN and WAF?
10. Do I protect my connection when working in public spaces?
1. Is my store on the right platform?
Shopify, Magento, and WordPress (with WooCommerce) are three of the most popular platforms people use to build their stores. Popularity is no guarantee of security, but all three are mature, actively maintained platforms with their own strengths and weaknesses, so do a little research to find out which one best fits your needs. kimtown uses WordPress exclusively, both for security and for ease of design.
A quick audit of your current platform might include the following questions:
1. Does the platform frequently push out updates to address security vulnerabilities?
2. Does the platform employ a team devoted to ensuring security standards are met?
3. Does the platform have a history of large-scale data breaches or vulnerabilities that were left open?
4. What is the platform's reputation for security?
One thing to keep in mind is how easy it would be to move your store to another platform or host. If you need to move away from Shopify, you can migrate Shopify to WooCommerce. However, it won’t be as easy as moving a WordPress store to a new web host. WordPress also allows for more customization and flexibility for the tools you can use.
2. Is my store on the right web host?
Putting your website on the same shared hosting as your friend’s blog is a bad idea. Why? An eCommerce website adds a lot of complexity that requires higher expertise to properly secure. You didn’t create a store because you dreamed of becoming a cyber security expert, so you should offload that responsibility to your host.
Investing in an eCommerce focused hosting solution like kimtown’s VPS is the way to go. Having a managed eCommerce host will save you a lot of time and hassle in managing your site—time you can use to grow your business instead.
3. Is my shop PCI-DSS compliant?
If you accept credit card payments, you must meet the Payment Card Industry Data Security Standard (PCI DSS). According to the PCI Security Standards Council, "If you accept or process payment cards, the PCI Data Security Standards apply to you." The standard runs to several hundred individual requirements and testing procedures, grouped under six goals; here is an overview of those goals.
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
When you elect to take people's card numbers, meeting these requirements will go a long way toward preventing an attacker from draining their accounts. It's a good idea to get expert advice to confirm you are meeting the PCI DSS requirements, and to remember that the fewer card details your own systems ever see, the less there is to get right.
4. Do I collect too much data on my customers?
The more information you collect on your customers, the more information that can be compromised during a breach.
These days, we can hardly go a week without hearing that some company was the victim of a data breach that exposed customer data.
For example, in the Doordash breach, customers' phone numbers, email addresses, home addresses and hashed passwords were exposed. That combination gives a fraudster most of what identity theft or a convincing phishing campaign needs. You should never collect more information on your customers than you need. If you are selling digital products that do not automatically renew, why would you collect and store a mailing address?
You should also consider using a payment gateway like Stripe or PayPal. Payment gateways let you offload credit card payments, so your store can accept online payments without ever processing or storing card numbers; your server only sees an opaque token from the gateway. Because card data never touches your systems, the gateway also shrinks your PCI DSS scope considerably, though the store itself still has obligations under the standard.
Unfortunately, there will always be attackers online, and the reports of compromised sites will keep coming. Limiting the information you collect on your customers limits what is exposed during a breach. You can't lose sensitive customer data you don't have.
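The two ideas above, keep only the fields each product type needs and never let a raw card number reach your own storage, can be enforced in code at the point where a checkout submission is accepted. The following is an added example written for this article, not code from kimtown, iThemes or any gateway; the field policy in ALLOWED_FIELDS and the field name payment_token are assumptions for illustration.

```python
import re

# Assumed policy for this example: the fields a checkout may keep, per fulfilment type.
# A digital product that never ships has no business holding a mailing address.
ALLOWED_FIELDS = {
    "physical": {"email", "name", "shipping_address", "phone"},
    "digital": {"email", "name"},
}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn check-digit test: true for every real card number, rarely for random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(value):
    """True if the value carries something that looks and checksums like a card number."""
    for m in PAN_RE.finditer(str(value)):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def minimize_order(submission, product_type):
    """Return (record_to_store, dropped_field_names).

    Refuses outright if any field carries a raw card number: with a gateway in place
    the store should only ever see the gateway's opaque token (assumed here to be
    the 'payment_token' field), never the number itself.
    """
    for key, value in submission.items():
        if contains_pan(value):
            raise ValueError(f"raw card number in field {key!r}; never store it, use the gateway token")
    allowed = ALLOWED_FIELDS[product_type] | {"payment_token"}
    record = {k: v for k, v in submission.items() if k in allowed}
    dropped = [k for k in submission if k not in allowed]
    return record, dropped


if __name__ == "__main__":
    # Constructed submission for a digital product: the shipping address is dropped.
    print(minimize_order(
        {"email": "a@example.com", "name": "A", "shipping_address": "1 Main St",
         "payment_token": "tok_constructed_1"},
        "digital",
    ))
```

The Luhn test is what keeps the scan from tripping on order numbers and tracking codes that happen to be 13 to 19 digits long; a genuine card number always passes it.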
5. Am I encrypting communication between my customers and my store?
HTTPS (TLS, still widely called SSL after the older protocol it replaced) encrypts everything your customers' browsers send to your site and everything your site sends back. When someone enters an account name and password, that data is protected on its way to your server: an attacker on the same network can neither read it nor silently alter it. TLS only protects data in transit, though; it does nothing for data once it sits on your server. If you are using an ecommerce-specialized host, your site is probably already served over HTTPS. Look at your browser's address bar: a closed padlock means the connection is encrypted and the certificate is valid, and modern browsers flag plain http:// pages as "Not secure". Never enter private information on a page without the padlock. Also make sure every http:// address for your store redirects to https:// and that the site sends an HSTS header, so a customer who types the address without https still ends up on the encrypted version.
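A padlock on one page is not the whole story: the plain-http address should redirect permanently, HSTS should be set, and the https page should not pull scripts or styles over http. The function below checks all three against captured responses. It is an added example for this article, not code from kimtown or iThemes; the two sites and their responses are constructed, and the one-year HSTS floor is an assumed policy.

```python
import re
from urllib.parse import urlparse

MIN_HSTS_AGE = 31536000  # one year (assumed floor); short max-age values give little real protection

# Subresource loads over plain http:// on an https:// page (mixed content).
# Plain <a href> links are excluded: navigation is not mixed content.
MIXED_RE = re.compile(
    r"<(?:script|img|iframe|link|source|audio|video)\b[^>]*?\b(?:src|href)\s*=\s*[\"']http://",
    re.IGNORECASE,
)


def check_https_policy(http_response, https_response):
    """Each response is (status, headers, body). Returns a list of findings; empty means good."""
    findings = []

    # 1. The http:// address must redirect permanently to https://
    status, headers, _ = http_response
    lower = {k.lower(): v for k, v in headers.items()}
    location = lower.get("location", "")
    if status not in (301, 308) or urlparse(location).scheme != "https":
        findings.append("plain http:// is not permanently redirected to https://")

    # 2. The https:// page must send HSTS with a long enough max-age ...
    status, headers, body = https_response
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = re.search(r"max-age\s*=\s*(\d+)", lower.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("no Strict-Transport-Security header, so a typed or bookmarked http:// URL can be intercepted")
    elif int(hsts.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age={hsts.group(1)} is below one year")

    # 3. ... and must not load any subresource over plain http://
    if MIXED_RE.search(body):
        findings.append("page loads a script, style or image over plain http:// (mixed content)")
    return findings


# Constructed responses for two imaginary stores (not real captures).
WEAK_SITE = (
    (200, {"Content-Type": "text/html"}, "<html>...</html>"),  # serves the shop over plain http too
    (200, {"Content-Type": "text/html"},
     '<html><head><link rel="stylesheet" href="http://cdn.weak-shop.example/s.css"></head></html>'),
)
GOOD_SITE = (
    (301, {"Location": "https://good-shop.example/"}, ""),
    (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
     '<html><head><script src="https://cdn.good-shop.example/app.js"></script></head></html>'),
)

if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("good", GOOD_SITE)):
        print(name, check_https_policy(*site) or ["ok"])
```

To use it against a live store, fetch http://your-store/ without following redirects and https://your-store/ normally, then pass the status, headers and body of each. The mixed-content check is a regex over the HTML and will miss resources injected by scripts at run time; the browser console reports those.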
6. Are my customer accounts secure?
A brute force attack is the most common type of attack on your customer accounts.
In a brute force attack, an attacker tries username and password combinations, usually drawn from lists of common or previously leaked passwords, until one works. Brute force is popular because the barrier to entry is so low: a quick Google search turns up plenty of free password-guessing tools.
The great news is that a WordPress security plugin makes it easy to stop these guesses from ever succeeding against your customers' logins.
Based on research published on Google's security blog, you should follow these 5 rules to shut down brute force attacks:
- Limit failed login attempts
- Force strong passwords
- Refuse compromised passwords
- Use two-factor authentication
- Limit outside authentication attempts (XML-RPC, REST API and other non-browser login paths)
You may be thinking that you would never make it harder for your customers to log in. It is up to us, as store owners, to require strong passwords and two-factor authentication to secure customer accounts. When a customer's account is hacked, the store owner is the one who gets the blame.
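Four of the five rules above (lockout after repeated failures, a minimum password length, refusing passwords seen in breaches, and a second factor) fit in one login guard, which is what a security plugin does for you behind the scenes. The following is an added example written for this article, not iThemes Security code or any WordPress API; the thresholds are assumed policy, the breached-password table is a constructed stand-in for a k-anonymity range lookup against a real corpus, and the user record is constructed.

```python
import hashlib
import hmac
import struct
import time
from collections import defaultdict, deque

MAX_FAILURES = 5          # lockout threshold (assumed policy)
WINDOW_SECONDS = 15 * 60  # failures are counted over this rolling window (assumed)
MIN_LENGTH = 12           # assumed minimum password length


def _sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, indexed the way a k-anonymity
# range lookup works (5-char SHA-1 prefix -> set of suffixes), so the example runs offline.
BREACHED = defaultdict(set)
for _pw in ("password123", "qwerty123456", "Winter2019!!"):
    _h = _sha1_hex(_pw)
    BREACHED[_h[:5]].add(_h[5:])


def password_policy_errors(password):
    """Rules 2 and 3: too short, or seen in a breach. Empty list means acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    h = _sha1_hex(password)
    if h[5:] in BREACHED.get(h[:5], ()):
        errors.append("appears in a known breach")
    return errors


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 time-based one-time password over HMAC-SHA1 (what authenticator apps use)."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def make_user(password, totp_secret=None):
    """Constructed user record. Real code draws a fresh os.urandom salt per user."""
    salt = b"constructed-salt"
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


class LoginGuard:
    def __init__(self, users, clock=time.time):
        self.users = users                   # username -> record from make_user
        self.clock = clock                   # injectable so tests can move time
        self.failures = defaultdict(deque)   # "user:<name>" / "ip:<addr>" -> failure timestamps

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # forget failures outside the window
        return q

    def _password_ok(self, user, password):
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(calc, user["pw_hash"])

    def attempt(self, username, password, ip, otp=None):
        """Rule 1 (lockout per account and per source IP) plus rule 4 (second factor)."""
        now = self.clock()
        keys = (f"user:{username}", f"ip:{ip}")
        if any(len(self._recent(k, now)) >= MAX_FAILURES for k in keys):
            return "locked"
        user = self.users.get(username)
        ok = user is not None and self._password_ok(user, password)
        if ok and user.get("totp_secret"):
            # Accept the current 30-second step and one either side to absorb clock drift.
            ok = otp is not None and any(
                hmac.compare_digest(otp, totp(user["totp_secret"], now + drift))
                for drift in (-30, 0, 30))
        if ok:
            self.failures.pop(f"user:{username}", None)
            return "ok"
        for k in keys:
            self.failures[k].append(now)     # a wrong password and a wrong OTP count the same
        return "denied"


USERS = {"alice": make_user("correct horse battery staple", totp_secret=b"12345678901234567890")}
```

Counting failures per source IP as well as per account is what covers the "outside" login paths: a bot rotating through thousands of usernames from one address still runs out of attempts. A live deployment would back the failure table with something shared across web workers rather than an in-process dict.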
7. Is the software running my online store up to date?
Software updates are not just for new features or bug fixes. Updates also carry patches for publicly known vulnerabilities, and once a patch is released the flaw is public too, so attackers scan for sites that have not applied it. Running outdated software with known exploits is one of the most common reasons websites are hacked. It is crucial to the security of your WordPress site that you have an update routine: log into your sites at least once a week to apply updates to WordPress core, themes and plugins.
8. Am I regularly visiting the front-end of my site?
When was the last time you ran through the front-end of your site or even looked at your homepage? As busy site owners, we typically log straight into the back end of our sites to add new products, content and perform site updates. Running through your site’s pages and products can help you find signs of infection.
When you inspect the front-end of your site, or find yourself asking "is my WordPress site hacked?", look for these 3 signs of infection:
- Check your homepage for changes – The primary goal of some hacks is to troll a website or gain notoriety, so they only change your homepage to something they find funny or leave a "hacked by" calling card.
- Look for any malicious pop-ups or spam – Are there any products being advertised on your site that you don't sell?
- Find unexpected redirects – Do you click on one of your product links only to be redirected to a malicious shop trying to harvest your customers' data?
It is crucial to be alerted to a successful attack on your site: the sooner a breach is identified, the more of the damage you can contain.
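The three checks above can also run on a schedule instead of relying on you remembering to browse the storefront. The scanner below parses a fetched homepage and flags a changed title, scripts or frames from hosts you do not use, hidden iframes, and redirects planted in meta tags or inline script. It is an added example for this article, not iThemes Security code; the KNOWN_HOSTS allow-list, the baseline title and both sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts your pages legitimately load scripts and frames from.
KNOWN_HOSTS = {"shop.example", "cdn.shop.example"}

# Inline-script fragments that usually mean "send the visitor somewhere else".
# Heuristic only: legitimate code can use these too, so treat hits as leads, not proof.
REDIRECT_MARKERS = ("window.location", "document.location", "location.href", "location.replace(")


class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title_parts = []
        self.in_title = False
        self.in_inline_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self.in_title = True
        if tag == "script":
            self.in_inline_script = not a.get("src")
        if tag in ("script", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host not in KNOWN_HOSTS:
                self.findings.append(f"{tag} loaded from unexpected host {host}")
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or a.get("width") == "0" or a.get("height") == "0":
                self.findings.append("hidden iframe")
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh redirect: {a.get('content')}")

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
        if tag == "script":
            self.in_inline_script = False

    def handle_data(self, data):
        if self.in_title:
            self.title_parts.append(data)
        if self.in_inline_script and any(m in data for m in REDIRECT_MARKERS):
            self.findings.append("inline script redirects the visitor")


def scan_page(html, baseline_title=None):
    """Return a list of findings for one fetched page; empty means nothing suspicious."""
    scanner = PageScan()
    scanner.feed(html)
    if baseline_title is not None:
        title = "".join(scanner.title_parts).strip()
        if title != baseline_title:
            scanner.findings.append(f"title changed: {title!r}")
    return scanner.findings


# Constructed pages: a clean storefront and a defaced, spam-redirecting one.
CLEAN_PAGE = """<html><head><title>Kim's Candles</title>
<script src="https://cdn.shop.example/app.js"></script></head>
<body><h1>Kim's Candles</h1><a href="/products/lavender">Lavender</a></body></html>"""

INFECTED_PAGE = """<html><head><title>Hacked by example-crew</title>
<meta http-equiv="refresh" content="0;url=http://cheap-pharma.example/">
<script src="https://evil-stats.example/t.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="https://evil-stats.example/f" width="0" height="0"></iframe>
<script>if(document.referrer.indexOf("google")>-1){window.location="http://cheap-pharma.example/";}</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_page(page, baseline_title="Kim's Candles") or ["no findings"])
```

Run it from a machine other than the web server, with a browser-like User-Agent and, on a second pass, a search-engine User-Agent and referrer: injected redirects are often shown only to visitors arriving from Google so the owner never sees them.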
9. Am I using a CDN and WAF?
Using a content delivery network (CDN) such as Cloudflare can help protect your shop from distributed denial of service (DDoS) attacks. The CDN sits in front of your server and inspects requests before they ever reach your site. A DDoS attack is an attempt to disrupt or take down your site with a flood of traffic from many sources at once. Depending on your hosting plan, it may not take much extra traffic to bring your site down.
A CDN mitigates a DDoS attack in a couple of ways. First, it monitors traffic and detects that your site is under attack, which is critical: you can't stop an attack you aren't set up to detect. It then absorbs the flood across its own network and drops or challenges the abusive requests, so only legitimate traffic reaches your server. One caveat: configure your server to accept web traffic only from the CDN's addresses, otherwise an attacker who learns your origin IP can simply bypass the CDN.
You should also consider a Web Application Firewall (WAF). A WAF identifies and filters malicious requests, such as SQL injection, cross-site scripting and known exploit payloads, before they hit your site. Unlike a plugin-based WAF that runs in PHP on your own server, a WAF such as Cloudflare's runs at the CDN's edge, so the filtering happens offsite and adds no load to your site.
10. Do I protect my connection when working in public spaces?
One of the great things about running an online shop is that you can work anywhere. Unfortunately, public Wi-Fi is notoriously insecure, making public libraries, hotels, coffee shops and airports prime locations for attackers on the same network to intercept traffic and harvest passwords.
A VPN (virtual private network) encrypts all of your internet traffic between your device and the VPN provider, so anyone on the local network sees only an encrypted tunnel; behind it you can safely reach your bank or your store's admin area.
If you need any more proof of the insecurity of public Wi-Fi, here is a USA Today article in which a journalist describes being hacked while using inflight Wi-Fi: "I got hacked mid-air while writing an Apple-FBI story".
Final Thoughts:
Most attacks on your online store can be prevented from being successful with a little action on your part. Right now is a great time to do a security audit of your website to be sure your site is secure!
If you need a checkup, kimtown can help! Contact me today for a quote!
*Content in collaboration with iThemes Security.