Website security is one component of eCommerce stores that is absolutely non-negotiable.
Not only do eCommerce merchants have a responsibility to their customers, they also have a responsibility to their fellow eCommerce merchants. One of the main reasons some people just flat-out refuse to shop online is because of the perceived threat of getting their information stolen or auctioned off.
Looking at the past few years of digital security news, can you blame them? Everyone, from small eCommerce start-ups to gigantic billion-dollar companies such as Yahoo, has put their customers’ security at risk at some point or another.
The following guide will help you to make tangible positive changes in your eCommerce store’s security and keep you and your customers protected.
1. Make the Switch to HTTPS
HTTPS is becoming the standard in online security, and sites that are still using the old HTTP protocol could end up seeing negative consequences.
Secure HTTPS hosting was originally used only for the payment sections of websites where the most sensitive information was shared. People began to transition to securing their entire site with HTTPS to ensure that not just their payment areas were safe, but every page on their site. Site security goes beyond just protecting payment details; it’s about safeguarding your visitors’ data.
By switching to an HTTPS server, many browsers will also display a green “Secure” text with a green lock in the URL area. This little bit of text goes a long way in easing the minds of shoppers, who longingly look for any sign of credible security.
A big reason many merchants started shifting over to HTTPS was that Google stated that they were going to start including HTTPS as a factor in the ranking of pages. Multiple browsers additionally announced that HTTP sites would start to be penalized.
When the green “Secure” text is missing, it usually comes with a warning that alerts visitors to the possible risks of the site. Some sites may even cause the browser to block access, preventing visitors from entering the page due to security concerns. Just think about how this could affect your bounce rate!
Switching to HTTPS requires choosing an SSL Certification, which can be purchased from an SSL vendor or from your hosting company. This process is relatively easy, but it does require a few steps, including:
- Switching your site to HTTPS
- Setting up 301 redirects
- Updating links on transactional emails to point to the appropriate site
- Updating internal links on your site.
As more and more browsers turn up the heat on site security, having an up to date SSL certificate and HTTPS protocol is going to become something all eCommerce merchants will have to do just to have a shot at getting any sort of traffic.
2. Pick the Right eCommerce Platform
The vast majority of eCommerce shops are run on a platform such as Magento and Shopify, and security is a big reason for this. The top factors that merchants consider when picking an eCommerce platform include convenience, a robust functionality, and the fact that these platforms are much more secure.
Many of the major eCommerce platforms have automatic security updates that take away the logistical effort and worry about security, making it much easier for you to focus on growing your business.
However, just because your security is updated doesn’t necessarily mean you are in the green just yet. Popular eCommerce platforms draw a lot of attention from hackers, and those that don’t prioritize their own personal security and that of their customers could end up exposing all their users’ information, as well as the information of their users’ customers.
Shopify, for example, hosts its shopping carts on a Level 1 PCI DSS compliant server, meaning your data and customer data is completely secure. Every Shopify pricing plan (besides Lite) offers users a 128-bit Free SSL certificate for free.
Although you’ve got a much lower chance of being individually targeted by hackers when you’re running on an eCommerce platform such as Shopify, you should take every precaution to make sure your store is secure.
3. Arm Yourself with Security Plug-Ins (and Keep Them Updated!)
Plug-ins are a gift to eCommerce merchants everywhere who are running their sites on platforms that allow for them.
WordPress has a ton of different plugins that add an extra layer of security to your eCommerce site. Wordfence Security, for example, is a plugin that integrates eCommerce stores with a strong security system powered by Web Application Firewall. Not only does this plugin prevent your site from getting hacked, it gives you a real-time view of your traffic and any potential hacking attempts made. With over 22 million downloads, Wordfence provides an awesome (and free) extra wall of security.
There are hundreds of other plugins just like Wordfence Security for virtually any platform you are using. However, if these plugins aren’t consistently up-to-date, hackers may exploit holes in the outdated versions.
Be sure to look into what plug-ins your eCommerce platform has to offer. Most of them are free and highly effective at providing an additional element of security.
4. Keep Your Admin Panel Air-Tight
There are multiple angles hackers can use to get to your site, but perhaps the least difficult is by accessing your Admin Panel. All it takes is one weak password for hackers to start playing around your admin panel and find the information that they’re looking for—and even lock you out of your own site.
This tip is so easy to act on. You could do it by the time you finish reading these next few lines.
- Change your Admin Username: Too many site owners set their admin panel login information as something as simple as “admin” for the username and “password” for the password, and then end up in disbelief after someone breaks into their admin panel. Admin is the default username when eCommerce sites are set up, and many merchants often get so caught up in the whirlwind of getting started that they never change it.
- Make sure your password is secure: The first word that probably came into your head after reading that was something along the lines of “duh,” but you would be surprised at how many merchants who thought their passwords were secure ended up getting hacked. This goes beyond using the standard 7 characters, a capital letter, and a symbol. That plays a huge role, but most hackers use sophisticated programs that are eerily good at finding out passwords based on a site’s owner. Make sure you are storing your password somewhere safe, and certainly not on a .txt document on your desktop named “passwords.”
- Change your Admin Path: The final element in this quick 3-step security update is to change the way people can access your admin panel. Most WordPress sites use either /wp-admin or /admin to access the admin panel. You don’t have to be an experienced hacker to find the log-in panel for 99% of sites, but you shouldn’t make it easy for them. WordPress allows you to change the path using a security plugin that offers this as an option.
5. Help Your Customers Protect Themselves
The responsibility to keep your customers’ information safe on the back-end ultimately falls on you, but there are still significant threats to individual customer accounts being hacked.
While you can’t stand over your customers’ shoulders and tell them how to set up a secure account, you can enforce standard security features such as strong password requirements.
Strong passwords that include a minimum number of characters and the use of numbers and symbols are much harder to hack, and the majority of secure eCommerce platforms won’t let their customers create profiles without a secure-enough password.
Some sites even go as far as to enable Two-Factor Authentication (2FA), depending on the degree of sensitivity of the information. While this may be overkill for your average run of the mill eCommerce site, it is a great way to take your user profile security up a notch.
Keep in mind that with every additional security enhancement on the front-end comes a new potential hurdle for customer acquisition. This is why it’s imperative to introduce users accounts and these security features strategically at points where your visitors are least likely to drop off.
Additionally, there are methods to integrate Facebook and Google sign-ins to your user profiles. This is an excellent way to leverage the security of other companies with some of the best security on the planet, while simultaneously eliminating several steps in the user profile sign-up process.
6. Always Back Up Your Data
It’s never a fun time finding out that your site has been hacked and your information has been compromised.
It’s such an unsettling feeling to know that someone has been prying around your site, and it’s even more uncomfortable that you don’t know exactly what they did. Attackers could do anything from simply copy your data to go the more malicious route and corrupt it and make sure that you can’t use it again.
This is why it’s extremely important to regularly back up your site’s data. Your site’s data is your property, and you can’t completely rely on your hosting company to make sure your data is backed up and up to date.
While there are ways to manually back up your data, it’s easy to forget or stop doing it as consistently. If the last data backup is from your site’s update six months ago, it won’t do you much good. This is why many eCommerce merchants opt for an automatic data backup service. This removes the risk of human error or forgetfulness and gives you the peace of mind of knowing that you have one less important thing to do.
The most common way to automatically back up your data is by using a plug-in on your eCommerce platform. Plug-ins such as Rewind for Shopify allow you to restore any deleted items, sync inventory levels, and save everything from inventory, customers, orders, products and product images, themes and theme files, and other pertinent information.
7. Don’t Store Credit Card Numbers
The moment you store a single credit card number, your site has a tangible monetary value and incentive for hackers.
Many eCommerce platforms offer “offline credit card processing” as a standard payment option. This option saves your customer’s credit card number without any sort of encryption so that you can process it manually later. These platforms offer this option under the impression that you will end up deleting the number, but many people don’t.
It may seem like a convenient way to make things easier for your repeat customers and nudge repeat purchases, but it exposes you and your customers to a gut-lurching amount of risk. Not only are you exposing your customers’ information to people who are incentivized to use it to make money, but you are also putting your brand’s integrity on the line.
A single credit card hack could completely diminish the confidence your customers have in shopping with you.
Additionally, if your systems are compromised, you could be exposed to several heavy fines that could very well force you into debt and close your shop completely.
You can avoid this by:
- NEVER storing credit card numbers.
- Utilizing a payment gateway provider that keeps payments off your site. Services such as PayPal make it easy to get started with a tight budget.
Shoot for Payment Card Industry Data Security Standard accreditation (PCI DSS). In order to get this accreditation, your site must be compliant by completing an audit of your cardholder data environment to the set standard. A few of these standards include:
- Build and maintain a secure IT network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Having this accreditation doesn’t just look good and inspire confidence. In order to get it, you will have already met the standards for having a secure website in the modern digital age.
8. Proactively Monitor Your Site
As convenient as it would be, site security is not a passive process.
Sure, there are ways you can automate certain components of your site’s security, such as automatic backups and firewalls, but there is way more to it than that.
Savvy eCommerce merchants know their site and traffic at an intimate level. They know how to check their website code for any potential issues. One of the most accurate ways to detect any malware is to scan all code for irregular behavior by using real audience profiles.
You need to be able to emulate what a real website visitor does through a variety of different operating systems, browsers, geographic combinations, and devices. Creating cookie-based user behavior profiles allows you to better identify and block any one of the thousands of active malware infection attempts on the internet.
For example, if you’re a bike shop in Austin, Texas and the vast majority of your traffic is in the greater Texas area, you might find reason to be suspicious if all of a sudden you see a bunch of active users from Lithuania snooping around.
If you discover a breach in your security, you should immediately figure out where and why it happened. One of the first steps you should take is to reach out to all the vendors you are working with and have them audit their software.
If your site’s security is up to par, chances are any malicious activity is coming from a third-party vendor. This means you don’t have to necessarily pull your site offline; you just have to get in touch with the compromised vendor and ask them to stop executing until they can confirm there isn’t anything fishy going on.
9. Use Multi-Layered Security
Hacking into a website is much like laying siege to a medieval castle or city. Many of these castles utilized different layers of security to prevent an external attack, and the ones with more sophisticated and fortified options ultimately lasted longer.
There is no single certain way to secure your site forever, but the use of different layers makes it substantially more difficult for attackers.
- Start with a firewall. A firewall is essentially a barrier between trusted and untrusted networks, and it controls incoming and outgoing traffic. Think of it as a membrane coating your site, allowing good guys in and keeping bad guys out. There are physical firewalls, as well as web application firewalls. There are quite a few firewall plug-ins that range from free to relatively inexpensive. Firewalls are a great first line of defense against the more common hacks such as cross-site scripting and SQL injections.
- Enhance your Content Delivery Network (CDN). Your CDN is a set of servers that store copies of your website’s pages. These servers are geographically dispersed and are trained to recognized malicious traffic before it harms your site. Content Delivery Networks also help prevent Distributed Denial of Service Attacks (DDoS), which are essentially attacks that aim to overwhelm your site.
Each step above these helps to fortify your line of defense against attackers. Make sure all your angles are covered and stay up to date with the different types of attacks.
10. Don’t Neglect Your Personal Security
Your store’s security starts with you.
All it takes is for a hacker to gain access to your email to find pertinent information to further gain access to sensitive information on your site. All the above security tips will have been done in vain if a hacker can simply outmaneuver your site’s security and go straight to what is often the least protected target: the site owner.
If a hacker doesn’t find a way into your site, they might try to use you to gain access. All it takes is a simple domain lookup to find everything from your full name, phone number, email address, and server names to even your home address!
With the inter-connected world of social media, these hackers could even gain access to your friends, family, and professional connections.
The first step in protecting your personal security is by opting for “WHOIS” domain privacy. This adds a few dollars to the cost of renewing your domain every month, but it hides your identity from casual domain registrar lookups.
By controlling your privacy settings on all social media networks, you’ll be able to limit the access hackers have to more information about you.
Additionally, lower the risk of EVERYTHING getting hacked by using different passwords for different platforms. Too many people with a single exposed password end up getting everything hacked, from their email address and Facebook and LinkedIn accounts to their eCommerce shop.
Final Thoughts
The world of cyber security is a constantly evolving game of Cops and Robbers. As hacking techniques continue to advance and exploit holes in outdated security models, more and more eCommerce businesses will be exposed to harm. Thankfully, the cyber security industry is pushing the needle on innovations to optimal security utilizing a variety of different technologies, including cloud-based security, machine learning, and even blockchain protocols.
Stay up to date with the cyber security world, learn of any strings of attacks in your industry or other related industries, and always keep your important information safe and your site backed up.