A secure platform is the cornerstone of a successful eCommerce business. As online transactions increase year over year, insecure sites become prime targets for hackers looking for opportunities to acquire—and sell— sensitive information. A simple Google search for “eCommerce breaches” will give you half a million results. There’s no shortage of unsecured sensitive data out there, waiting to be swiped and sold to the highest bidder.
One incident that springs to mind is the recent eBay hack that affected 148 million users. And while hackers are making money off this stolen customer information, retailers are losing it. According to recent data from Symantec and BigCommerce, the average security breach costs retailers $172 per record breached. This should serve as a huge wake up call to the eCommerce community.
Of course, as an online retailer, you’re probably thinking, “If eBay can’t even protect their users from a security threat, how am I supposed to secure my store?” It’s definitely a challenge, but by following best practices you can deter hackers from choosing you as their mark. In this blog post, I’ll explain the security strategies we stress to our clients here at Gauge. These measures have helped our clients protect themselves, their credibility, and their customers.
1. Choose the Correct Hosting Service
We’ve worked with many hosting providers over the years, but since 2014 our go-to provider has been Joyent. Joyent offers tools that allow us to secure our data the way we want. We can separate a site’s application server from its database server, so that if one is compromised, the other is still safe. It also gives us a robust backup server; in the event of a breach, we can rollback to previous versions or pull past data to find the cause. Another benefit Joyent provides is the ability to create specific users for specific sections of the site. This creates damage control; if one user account is compromised, the cybercriminal won’t have the necessary permissions to go anywhere he chooses.
One of the biggest factors to consider when choosing a hosting provider is its reliability. A more reliable site translates directly into more revenue. Our setup on Joyent cloud hosting allows us to keep your site up and running all the time, which leads to a more trustworthy shopping experience and happier customers.
You don’t have to use Joyent, but when you’re deciding on a hosting provider, don’t just choose the cheapest option. Do your research, ask questions about their security measures and uptime records, and make sure whatever hosting setup you choose is secure for your needs.
2. Choose a Solid Content Delivery Network (CDN)
A good Content Delivery Network (CDN) will offer more than just faster page loads; it’ll improve your site’s security. Our preferred CDN solution, CloudFlare, offers IP restrictions for certain endpoints. I’ll cover this in another point below.
Along with IP restrictions, CloudFlare also offers protection from DDoS attacks. This form of attack is a little different from regular security breaches, because no sensitive information is actually taken by the hacker. Instead, attackers flood your site with traffic, overload your server, and cause site outages. Outages hurt retailers by making your site seem unreliable and untrustworthy. Let’s face it; if a store can’t keep its own site up and running, would you really want to give them your credit card number? You can have excellent marketing and the top Google results for your industry, but that’s all wasted effort if your site isn’t reachable. That potential customer will likely never come back.
I strongly suggest reading up on CloudFlare and their services along with other CDN solutions to see which one is the best fit for you.
3. Secure Your Entire Website
Traditionally, eCommerce sites have only secured customer dashboards, checkout pages, shopping carts, and admin portals, but now more and more sites are securing their entire platform. A secure page will encrypt all data retrieved and sent between the site and the user’s computer. This should be a high priority for eCommerce retailers anyway, but soon there will be even more motivation to go fully secure. Google recently announced that it will give higher priority to secure pages because of the benefits it offers the customers.
Keep in mind, though, that becoming fully secure entails more than just securing your pages. You need to make sure you are using the most secure protocols as well. Right now, SSL (or the up-and-coming successor, TLS) protocols are the encryption methods to prioritize. In addition, you should always choose an Extended Validation certificate over the standard, cheaper SSL certificates. EV certificates offer significant security enhancements, so they’re well worth the cost.
4. Don’t Use Simple Passwords
Another way your security can be breached is through brute force attacks. This is a trial-and-error method; hackers use automated software to try to guess login passwords. The software can make these guesses very quickly; if your site isn’t protected against these attacks it can take literally seconds to figure out a password.
The solution to this is simple, as long as your passwords aren’t. The more complex the password, the better. Don’t use your name, words that can be found in the dictionary, or common number combinations. Do use a mix of letters, numbers, and punctuation. Switch up the letters by making some uppercase as well. If you have problems coming up with something unique, use a password generator from a reputable site.
I’d also suggest using a password management tool like Passpack or LastPass to store your passwords for you. They are free to use, offer many helpful plugins and mobile apps, and come with handy tools like built-in password generators. Password management tools make it easy to organize and keep track of complex, secure passwords.
5. Protect Your Portal Logins
In addition to creating complex passwords, you can use several other methods to protect your site from brute force attacks. Multi-Factor Authentication (MFA) will force the user to present additional evidence before accessing the admin portal from a new device. I’m sure many of you have run into this authentication when logging into your Google account from a friend’s computer or a new phone. Google sends a text message to your personal phone number with a unique number key. You have to verify your identity by entering the correct number key before accessing your account.
Another method provided by Magento is the ability to lock a user’s account after a certain number of failed login attempts. A bot can try thousands of different combinations of usernames and passwords in minutes. By locking an account for a long period of time after incorrect credentials are entered, Magento stretches this time out significantly and renders the robot useless. It can also alert you when a number is blocked, which gives you a warning that your site is under attack. This can create some issues for valid users who forget their passwords, as too many guesses will lock their account as well.
Finally, the best and most secure way to defend your logins is to create IP firewall rules. Essentially, IP restrictions allow you to lock down your eCommerce admin portal to only people who have been pre-approved, or “whitelisted,” to view this area. This same feature could be used for API endpoints, ERP endpoints, or any other endpoint where sensitive data is passed back and forth.
While this method is the most secure, it does have its downside as well. If you aren’t at a whitelisted location, you won’t be able to access the portal. This can cause problems if a site emergency comes up when you’re traveling or away from work, but if your site is a high target for hacker activity, you should still explore this option. The benefits may outweigh the downside.
Trust can take years to build and can be lost in an instant. Hackers are becoming bolder every year, and their methods for securing sensitive data is ever-growing. Staying up-to-date on best practices and new methods for securing your website should be a top priority for any eCommerce website. It takes time and resources, but site security can be the difference between success and failure. To keep your site strong and growing, do your research, learn about vulnerabilities, and create a safe experience for your customers.