More and more stores are moving online. Whether that was part of your plan or something that you’ve recently decided to do, it’s important to make sure that you protect your customers’ data. That means you need to take steps to secure your online store. In this article, we want to focus on giving you some suggestions for the most effective ways you can improve your security with the least amount of effort.
We know that small business owners have a lot of different roles, and that these roles are changing. You’re responsible for keeping the sales flowing, marketing, dealing with customers and clients, staff, finances; the list of responsibilities never ends. With this in mind, you may not have the skill or time to look after the security of your website, or maybe you just aren’t sure where to start.
Ultimately, you are responsible for making sure that your website is secure even if you use other people to help you look after it. And the last thing you want is to find your website has been hacked and your customer data stolen.
So whether you look after your site yourself or you outsource it to someone else, we’ve written this article to help you minimise the risk of a breach and help you start the conversation about security with your website provider.
This article is not meant to be exhaustive and cover everything that you need to do, but it is a starting point for understanding some of the key steps you can take to minimise your risks if you’re hosting your own web store or using open source shopping solutions.
Patch Everything
Difficulty: Easy to Hard
Patch your host (the server that your web store runs on)
Patch your application (the application you are using for your website, like Magento or WordPress)
Patch your plugins
Patch your themes
If you aren’t patching all of these things then you might not be aware of all of the potential vulnerabilities in your environment. And if there are things in your environment that you can’t patch (for example, your application), then you should be looking to see if you are missing some patches for your host’s operating system or one of the underlying dependencies like PHP. Very often the reason you can’t patch one thing is because you haven’t yet patched another. That’s why patching everything is so important!
Patching your plugins might be easy, but if you don’t have access to the host or you’re not familiar with how to update your server and what needs updating, this might be a bit harder.
Secure Your Login
We all know that long, strong passwords are best. And PCI DSS says that you should make sure that they are complex, regularly changed, and have lockouts and password policies. But before you even get to that, the most effective thing that you can do is put multi-factor authentication everywhere that you sign in.
Multi-Factor Authentication (MFA)
Most web applications (including WordPress and Magento) have plugins that can be used to configure multi-factor authentication. You’ve probably had to use multi-factor authentication before, maybe with your email, maybe at work, maybe for your bank. Examples of multi-factor authentication (MFA) include:
Entering a code from an application on your phone
Confirming a push notification on your phone
Confirming a login with a phone call
Making sure that anyone who has access to the host or the admin part of the application uses MFA is one of the most effective tools you can use to prevent someone from guessing your password or using a password that has been compromised (want to see if your password may have been compromised? Check Have I Been Pwned). By using a one-time, time-limited code, you add another factor that makes it much harder for someone to get access to your account. Will it take a little longer to log in? Yes. But the security that it adds is worth it!
Most shopping and web applications support plugins for multi-factor authentication. We recommend finding one that supports multiple users so that if you have more than one person with access, everyone is able to configure it for themselves.
Note: You don’t have to make your customers use MFA. This recommendation only applies to people who have access to change the configuration of the website.
Change the Login URL
One of the most basic things an attacker will do is try to log in from the default login page, which is usually quick and easy to find. Most applications let you change it as part of the basic configuration options, or you can add a plugin to change the login URL.
Bonus Tip: Lock down access to your login page to just your static IP address by configuring it on your firewall. This way even if someone does stumble on your login page, they won’t be able to use it.
Whitelist Your (Static) IP Address
The next most effective thing you can do (once you’ve added multi-factor authentication) is to whitelist certain connections to only your IP address (if you have a static IP address). For example, if you want to be able to connect to your server via SSH, restrict SSH, and the admin web interface, to your IP address.
Restricting access to authentication methods or sensitive areas of the website is a good way to prevent other people from accessing it. However, make sure that if you restrict access to a single IP address, you always have access to it or you might end up locking yourself out.
Check Your Logs
One of the key things you can do is regularly check to make sure that new accounts aren’t being added and that accounts are only being logged into by the right people.
So for example, if you know you only ever log in between 10am and 3pm and suddenly there’s a login at 2am, then this should raise some red flags for you.
Things that you should look for in the logs include:
Uploads of files
Changes to configurations
We know that sometimes knowing what to look for is half the battle. And knowing what is normal and what is not normal can also be hard when you first start looking at the logs. If you look at the logs regularly, you will probably start to see patterns. We recommend that you keep logs for at least 12 months just in case you need to go back and find out when something happened.
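As an added example (not from the original article), a small Python script that applies these checks to web server access logs: it records every successful admin login, flags the ones outside your usual hours, and flags file uploads and configuration changes. The log lines are constructed samples, and the login, upload and configuration paths are assumptions based on WordPress defaults; change them to match your application.

```python
import re
from datetime import datetime

# Constructed sample access-log lines in the common "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:11:05:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:11:07:01 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [13/Mar/2024:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.77 - - [13/Mar/2024:02:15:30 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.77 - - [13/Mar/2024:02:16:00 +0000] "GET /shop/product/42 HTTP/1.1" 200 9812 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed WordPress default paths; adjust these sets for Magento or whatever you run.
LOGIN_PATHS = {"/wp-login.php"}
UPLOAD_PATHS = {"/wp-admin/async-upload.php", "/wp-admin/media-new.php"}
CONFIG_PATHS = {"/wp-admin/options.php", "/wp-admin/plugin-install.php", "/wp-admin/theme-install.php"}
# The article's "I only log in between 10am and 3pm" rule; assumes log timestamps are in your local time zone.
BUSINESS_HOURS = range(10, 15)


def review_log(text, business_hours=BUSINESS_HOURS):
    """Return (kind, ip, timestamp, path) findings: every admin login, plus uploads and config changes."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, path, status = m["ip"], m["path"].split("?")[0], int(m["status"])
        if m["method"] != "POST":
            continue  # everything this review cares about is a POST
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if path in LOGIN_PATHS and status == 302:
            # WordPress answers a successful login with a redirect; a failed one re-renders the form (200)
            kind = "login" if when.hour in business_hours else "login_outside_hours"
            findings.append((kind, ip, m["ts"], path))
        elif path in UPLOAD_PATHS:
            findings.append(("file_upload", ip, m["ts"], path))
        elif path in CONFIG_PATHS:
            findings.append(("config_change", ip, m["ts"], path))
    return findings


if __name__ == "__main__":
    for kind, ip, ts, path in review_log(SAMPLE_LOG):
        print(f"{kind:20} {ip:15} {ts}  {path}")
```

Running it against the sample lines reports one normal login and configuration change from the first address, then a 2am login followed by a file upload from a second address, which is exactly the pattern the article says should raise red flags.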
Add Security Controls
Here’s where things can get a little more challenging. You can go as in-depth as you want depending on your skill. We will provide some recommendations for things you can do at different levels of difficulty.
Add a Web Application Firewall (WAF)
Difficulty: Easy to Medium
A web application firewall can be used to mitigate the risk of vulnerabilities in the application that might be exploited. For example, it can help protect against cross-site scripting or injection vulnerabilities.
There are lots of different options out there for web application firewalls.
The easiest option is to use a fully managed Web Application Firewall (for example, Cloudflare, Akamai, CloudFront and Stackpath are just some of the options out there). These services charge a monthly fee, but they look after the detail of how they protect your web application.
You can also install plugins that provide a web application firewall at the application layer. These usually need a bit more configuration, and you should understand what you might break by enabling them. These can be added on the host or to the application.
The important thing is to make sure that you’ve configured things to block potential attacks. Make sure you’re regularly checking that you aren’t blocking legitimate traffic as well.
Configure Transport Layer Security (TLS)
Difficulty: Easy to Medium
Serving every web page over an encrypted connection is now the expected default. Browsers and search engines expect that you will use TLS. And browsers now warn if the website is using a version of TLS that is considered insecure.
Some WAF / CDN (content delivery network) solutions let you configure what versions of TLS you use from their web interface. If you can do that from your WAF / CDN, this is pretty easy. We recommend setting it to accept TLSv1.2 and higher.
But if you aren’t using a WAF / CDN or it doesn’t have that option, you might need to figure out how to configure TLS on your web host yourself.
Disable (or Secure) Anything You Don’t Need
Difficulty: Easy to Hard
This can apply to a number of different areas in your web store. This advice most often applies to:
Application plugins / themes
Open ports and services on the host
Operating system features
Some of these are easier than others.
The easiest part is disabling / removing plugins that you don’t need in the application. Regardless of what application you use, it probably supports plugins. Maybe you’ve tried some but no longer use them, maybe some of them came with the application by default. By disabling / removing any of the plugins you don’t need, you have fewer potential vulnerabilities and fewer things to patch. Removing these is usually a few clicks in the application.
A little bit more difficult might be disabling open ports that you don’t need. For example, if you don’t regularly use FTP to upload files, then make sure you disable it when it is not in use. To do this, you will need to be able to access a firewall or the host operating system. There are too many possibilities to list here for how you would do it. And we know that different people will have different approaches. But a few recommendations that might help are:
Allow access on port 443
Redirect traffic from port 80 to port 443
Restrict access via RDP or SSH to your static IP address
Disable FTP except when you need it
The area that is probably the most challenging is disabling things in the operating system that you don’t need. To be able to do this, you need to understand what is necessary and what you might break by removing things. We only recommend this if you are very familiar with how to secure an operating system. More importantly, make sure that you patch everything!
Monitor Critical Files
There are certain files that should be monitored for changes. Exactly which files should be monitored will depend on what application you are using.
You can monitor these files using programs on the web server itself, or some plugins will help you lock down access to certain files or monitor for changes.
The important thing to be able to tell is if someone has added something to your site (like malicious code) which could cause a security breach.
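As an added example (not part of the original article), a Python file-integrity check: it takes a SHA-256 baseline of the files you care about and later reports anything added, changed or removed, which is how you spot code that someone else put on your site. The watched paths are assumptions based on a WordPress layout, and demo() builds a constructed temporary web root rather than touching a real one.

```python
import hashlib
import os
import tempfile

# Assumed WordPress layout; list the files and directories that matter for your own application.
WATCHED = ["wp-config.php", ".htaccess", "index.php", "wp-content/themes", "wp-content/plugins", "wp-content/uploads"]

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(webroot, watched=WATCHED):
    """Map each watched file (path relative to webroot, '/' separated) to its SHA-256 digest."""
    digests = {}
    for item in watched:
        full = os.path.join(webroot, item)
        if os.path.isfile(full):
            digests[item] = _sha256(full)
        elif os.path.isdir(full):  # directories are walked recursively
            for root, _, names in os.walk(full):
                for name in names:
                    p = os.path.join(root, name)
                    digests[os.path.relpath(p, webroot).replace(os.sep, "/")] = _sha256(p)
    return digests

def compare(baseline, current):
    """Return files added, modified or removed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed run: baseline a tiny web root, then edit the config and drop a PHP file into uploads."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_NAME', 'shop');\n")
    baseline = snapshot(root)  # store your real baseline off the web server, not beside the files it describes
    with open(os.path.join(root, "wp-config.php"), "a") as f:
        f.write("// an edit you did not make\n")
    with open(os.path.join(root, "wp-content", "uploads", "unexpected.php"), "w") as f:
        f.write("<?php // PHP in the uploads directory is never expected\n")
    return compare(baseline, snapshot(root))
```

For a real site, run snapshot() on your web root once, keep the result somewhere the web server cannot write to, and compare() a fresh snapshot against it on a schedule.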
Run Vulnerability Scans
Difficulty: Medium to Hard
Vulnerability scans are different from antivirus scans. They aren’t looking for malware; they are looking for misconfigurations in your environment (for example, insecure versions of TLS, open ports, or insecure software).
To make them effective, you have to be able to understand what it is that they are saying. So you might need some help if your expertise isn’t in this area. The other thing you have to do is understand how to fix the things that are identified. Identifying a vulnerability without doing anything about it doesn’t change the risk.
These kinds of scans can be useful, but they are one of the more advanced recommendations in this post since they require a level of technical expertise.
What to Ask
Even if you don’t understand some of the terminology in this article, we’ve put together a table of questions that you can ask the people who look after your website (if you don’t look after it yourself). While you should probably be asking more questions than this, you can use these as a starting point.
If you find that most or all of these recommendations haven’t been implemented, it’s probably a good time to find out if they are things that your provider can do for you and start the discussion about security.
For each question, record the answer (or the tool used) and, if it is not used or done, why not.
How often is the web server patched?
How often is the application patched?
How often are plugins / themes updated?
Is MFA configured for admin access on the server?
Is MFA configured for admin access to the shopping application?
Has the admin login URL for the shopping application been changed from the default?
Has admin access been whitelisted to specific IP addresses?
Do you keep access logs? How long do you keep them for? (Recommended: 1 year)
How often do you check the logs?
Is a WAF used?
Is TLS configured to use strong encryption? Check using https://www.ssllabs.com
Have unused features on the web server been disabled?
Have unused plugins / themes been disabled?
Are you monitoring for changes to critical files?
Are you running vulnerability (ASV) scans?
Do I Have to Do Everything in the List?
No, you probably don’t have to do everything. But the more you can do, the more you minimise the risk of a compromise.
Depending on how you take payments you will probably have to do some of these things, but even if your bank hasn’t requested you to be PCI compliant, we recommend looking at the steps you can take with a focus on protecting your customers.
If you’re a merchant, you might want to read more about some of our PCI basics, including: