We don’t mean to be a killjoy, but while you are having “the most wonderful time of the year” someone else might be taking advantage of your website’s vulnerabilities. With the holiday season upon us, we can expect an increased number of targeted cyberattacks. It’s a no-brainer: your website is getting more traffic and therefore more personal data from shoppers, such as identity and billing data. Just the kind of information attackers are after.
Still, it’s too soon to start worrying. Our security team is committed to making your holidays anxiety-free and is ready to share 10 pro tips to help you keep your website safe from unauthorized access.
Tick off the ten-point security checklist below and rejoin your folks to continue the New Year’s celebration.
eCommerce Website Security Checklist:
#1 SECURE CONNECTION
Make sure the secure connection settings in your store are enabled.
- Secure connection for the storefront—if you enable this setting, the storefront will work over the HTTPS protocol.
- Secure connection in the administration panel—if you enable this setting, the Administration panel will work over the HTTPS protocol.
Click the link to learn why HTTPS matters.
Note: These settings can be enabled only if an SSL certificate is installed on your server.
Not all web servers support a secure connection or provide SSL certificates.
Our AWS hosting solution offers free, automatically renewed SSL certificates from Let’s Encrypt. No action is required from you.
#2 TWO FACTOR AUTHENTICATION
Install the Two-Factor Authentication by Google add-on.
The add-on protects your store from unauthorized access to the admin panel by requiring a second authentication step for administrators.
This extra security measure will make you feel safer about the store.
Note: For the add-on to work correctly, make sure the time on your server is correct, because the one-time codes are derived from the current time.
A review from our marketplace:
“I have been using two-factor to protect my email for years and now I love the fact I can get this same level of security for our website. Awesome and works great.”
Danny Osterberger
#3 ADMIN USERS
- Check the Administration panel of your store for unexpected new admin users. Through a compromised user account, an attacker can create a new admin user, and with those admin privileges the hacker is ready to cause major damage to your website.
- Also check the panel for removed users. Some hackers immediately delete admin users to take complete control of access to a compromised website.
#4 OUTDATED PERMISSIONS
Often you need to give outside vendors access to the back end of your website for some tinkering, repairs or add-ons, or an employee works on key areas of your web server and has administrative access rights. Even after the outside vendors finish their work, or your employee moves to another department or leaves the organization, it is easy to forget to change the access levels. That leaves the store open to unintentional vulnerabilities.
This is more a slip than a fault. Change or revoke the credentials as soon as an outside vendor or an employee is no longer associated with the task.
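The two checks above (unexpected or missing admin users, and access that outlived its purpose) can be scripted against an export of the store’s user list. The following is an added example, not CS-Cart code: the user records, the baseline of approved admins and the 90-day “stale” threshold are constructed assumptions, and `access_until` is a hypothetical field you would maintain for vendor accounts.

```python
# Added example (not CS-Cart code): audit the admin list against a saved
# baseline and flag accounts whose access should have been revoked. The
# records below are constructed; a real run would export them from the
# store's administration panel or database.
import json
from datetime import datetime, timedelta
from pathlib import Path

# Constructed baseline: the admin logins approved at the last review.
BASELINE_ADMINS = {"owner", "storemanager", "auditor", "vendor_acme"}

# Constructed current export (hypothetical accounts and dates).
CURRENT_USERS = [
    {"login": "owner",        "is_admin": True,  "last_login": "2019-12-20", "access_until": None},
    {"login": "storemanager", "is_admin": True,  "last_login": "2019-12-19", "access_until": None},
    {"login": "support_tmp",  "is_admin": True,  "last_login": "2019-12-21", "access_until": None},
    {"login": "vendor_acme",  "is_admin": True,  "last_login": "2019-06-01", "access_until": "2019-07-01"},
    {"login": "shopper42",    "is_admin": False, "last_login": "2019-12-21", "access_until": None},
]


def _date(text):
    return datetime.strptime(text, "%Y-%m-%d")


def audit_admins(baseline, users, today, stale_days=90):
    """Compare current admins with the baseline and flag unused or expired access.

    `today` is an ISO date string so the function is easy to run from cron."""
    now = _date(today)
    current = {u["login"] for u in users if u["is_admin"]}
    report = {
        "added": sorted(current - baseline),      # unexpected new admins
        "removed": sorted(baseline - current),    # admins that disappeared
        "stale": [],                              # no login for `stale_days`
        "expired": [],                            # vendor end date has passed
    }
    for user in users:
        if not user["is_admin"]:
            continue
        if now - _date(user["last_login"]) > timedelta(days=stale_days):
            report["stale"].append(user["login"])
        until = user["access_until"]
        if until and _date(until) < now:
            report["expired"].append(user["login"])
    return report


def save_baseline(users, path):
    """Record the approved admin set once you have reviewed the report."""
    admins = sorted(u["login"] for u in users if u["is_admin"])
    Path(path).write_text(json.dumps(admins))


def load_baseline(path):
    return set(json.loads(Path(path).read_text()))


if __name__ == "__main__":
    result = audit_admins(BASELINE_ADMINS, CURRENT_USERS, "2019-12-22")
    for key, logins in result.items():
        print(f"{key:8}: {', '.join(logins) or '-'}")
```

Run it on a schedule and treat any non-empty `added` or `removed` list as an incident to investigate, and the `stale` and `expired` lists as access to revoke; re-save the baseline only after a human has approved the current set.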
#5 STRONGER PASSWORDS
- Enforce stronger passwords for both administrators and customers.
A password that is at least 12 characters long, random, and drawn from a large pool of characters, like “ISt8XXa!28X3”, will be very difficult to crack. Use services like the LastPass Password Generator to help you create stronger passwords.
- Limit the number of incorrect login attempts a bot can make before it is locked out.
- Don’t use the same password on multiple accounts.
A password manager like KeePass will help you organize and store your passwords.
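As an added example (not CS-Cart code, and not how the store’s own login is implemented), here is what the three points above look like in code: a policy check against the page’s “12 characters, random, large pool” rule, a generator that draws from the operating system’s CSPRNG until the policy is met, and a throttle that locks a login after five failures. The thresholds (12 characters, three character classes, five attempts, a 15-minute lock) are illustrative assumptions.

```python
# Added example (not CS-Cart code): password policy check, generator and a
# login throttle. Thresholds are illustrative assumptions.
import math
import secrets
import string

CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
ALPHABET = "".join(CHARACTER_CLASSES.values())


def _classes_used(password):
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def password_problems(password, min_length=12, min_classes=3):
    """Return the policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    used = _classes_used(password)
    if len(used) < min_classes:
        problems.append(f"uses {len(used)} character classes, need {min_classes}")
    if len(set(password)) < len(password) // 2:
        problems.append("too many repeated characters")
    return problems


def entropy_bits(password):
    """Rough strength estimate: length x log2(size of the pool actually used)."""
    pool = sum(len(CHARACTER_CLASSES[name]) for name in _classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length=16):
    """Draw from the OS CSPRNG and retry until the policy is satisfied."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate, min_length=length):
            return candidate


class LoginThrottle:
    """Lock a login (admin or customer) after `max_failures` wrong attempts."""

    def __init__(self, max_failures=5, lock_seconds=900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = {}          # login -> (count, time of last failure)

    def is_locked(self, login, now):
        count, last = self._failures.get(login, (0, 0))
        return count >= self.max_failures and now - last < self.lock_seconds

    def record_failure(self, login, now):
        count, last = self._failures.get(login, (0, 0))
        if count >= self.max_failures and now - last >= self.lock_seconds:
            count = 0                # previous lock has expired; start over
        self._failures[login] = (count + 1, now)

    def record_success(self, login):
        self._failures.pop(login, None)


if __name__ == "__main__":
    sample = "ISt8XXa!28X3"        # the example from the checklist
    print(sample, password_problems(sample), round(entropy_bits(sample), 1), "bits")
    print("generated:", generate_password())
```

The throttle keys on the login name; a real deployment would also key on the client address so that one attacker cannot lock legitimate users out by guessing their names.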
#6 reCAPTCHA
Enable the reCAPTCHA add-on in your store.
The add-on integrates a free Google service that detects abusive traffic on your website without any user friction:
reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep automated software from engaging in abusive activities on your site, while letting your valid users pass through with ease.
Note: Starting from CS-Cart 4.4.3, the reCAPTCHA add-on is included by default. For store owners running CS-Cart below 4.4.3, the reCAPTCHA add-on is still available on our marketplace.
#7 FRONT-END
When was the last time you went through the front end of your site or even looked at your homepage? As a busy site owner, you probably log straight into the back end to add new products and content and to perform site updates. Going through your site’s pages and products can help you find signs of infection:
- Check your homepage for changes – the primary goal of some hacks is to troll a website or gain notoriety, so the attackers only change your homepage to something they find funny or leave a “hacked by” calling card.
- Look for any malicious pop-ups or spam – are there any products being advertised on your site that you don’t sell?
- Find unexpected redirects – do you click on one of your product links only to be redirected to a malicious shop trying to harvest your customers’ data?
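The manual walk-through above can be backed by a scan of a saved copy of the storefront HTML. This added example (not CS-Cart code) flags the common technical signs of the infections listed: scripts or frames loaded from hosts you do not recognise, a meta-refresh redirect, and inline scripts that send the browser elsewhere. The host names, the trusted-host list and both HTML samples are constructed.

```python
# Added example (not CS-Cart code): scan a saved storefront page for signs
# of injection. Host names and HTML samples are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class FrontEndScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = set(trusted_hosts)   # your own host plus known CDNs
        self.findings = []
        self._in_inline_script = False

    def _check_host(self, kind, url):
        host = urlparse(url).hostname
        if host and host not in self.trusted_hosts:
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                self._check_host("external-script", a["src"])
            else:
                self._in_inline_script = True       # body arrives via handle_data
        elif tag == "iframe" and a.get("src"):
            self._check_host("iframe", a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # Inline scripts that assign to location are a classic redirect injection.
        redirect_call = any(marker in data for marker in ("href", "replace(", "assign("))
        if self._in_inline_script and "location" in data and redirect_call:
            self.findings.append(("inline-redirect", data.strip()[:60]))


def scan_page(html, trusted_hosts):
    """Return a list of (finding kind, evidence) tuples; empty means nothing suspicious."""
    scanner = FrontEndScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


TRUSTED = {"myshop.example", "www.google.com"}     # constructed allow-list

CLEAN_PAGE = """<html><head><title>My Shop</title>
<script src="https://www.google.com/recaptcha/api.js"></script>
<script>var cart = {items: 0};</script></head>
<body><a href="/products/1">Product 1</a></body></html>"""

# Constructed infected variant: foreign script, meta refresh, inline redirect.
INFECTED_PAGE = CLEAN_PAGE.replace("</head>", """
<script src="https://cdn.example.net/track.js"></script>
<meta http-equiv="refresh" content="0;url=https://shop.example.org/">
<script>window.location.href = "https://shop.example.org/deal";</script></head>""")


if __name__ == "__main__":
    print("clean page:", scan_page(CLEAN_PAGE, TRUSTED))
    for kind, evidence in scan_page(INFECTED_PAGE, TRUSTED):
        print(f"{kind}: {evidence}")
```

Keep the trusted-host list short and explicit; the value of the scan comes from every host outside it being reported, so a new third-party tag added by a developer should be reviewed and then added to the list rather than silently tolerated.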
#8 THIRD-PARTY EXTENSIONS
Third-party extensions and themes are safe to use only if they are officially supported versions. On our marketplace, you can choose from over 150 add-ons and themes you can trust.
Themes and extensions that are widely available—often for free—may carry hidden back doors through which hackers can slip in and destroy your eCommerce store.
#9 SITE SPEED
Your site may feel sluggish when it has an infection. You can experience slowdowns if your site is under a brute-force attack or if a malicious script is consuming your server resources.
Check page loads for every element of your site — from how long it takes an image to render to how fast the checkout process is.
#10 BACKUP
Data loss due to cyberattacks is not uncommon, and if you don’t back up your data regularly, you risk losing it for good. With a managed eCommerce web hosting service like our AWS hosting, you are guaranteed to avoid this scenario.
All our servers have automatic backups enabled for CS-Cart sites by default. You can, however, control the frequency of backups and set it to as often as one backup per 24 hours.
Here are the most popular questions we get about the backups we perform:
Q: How long do you store backups?
A: We make daily backups and keep each of them (including the store) for 7 days. All backups are stored on our servers and are deducted from the disk storage limit of each tariff plan (e.g. 40Gb for the Premium tariff plan).
Q: Do backups occupy server space?
A: No, they don’t! All backups are stored on our servers/S3 buckets and are deducted from the disk storage limit of each tariff plan.
Q: Is it possible to provide a backup for us?
A: Contact us via MyCloud, specify the date and time for which you need the backup, and we will prepare archives of the database and files for you.
The backup can also be restored upon your request.
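For store owners who run their own server rather than managed hosting, the daily-backup-with-7-day-retention scheme described above is straightforward to script. The following is an added example, not the hosting platform’s backup system: it archives the store files together with a database dump and prunes archives older than seven days. All paths are placeholders, and the database dump file is assumed to have been produced beforehand (for instance with `mysqldump`), which this code does not run.

```python
# Added example (not the hosting platform's backup system): daily archive of
# store files plus a DB dump, with 7-day retention. Paths are placeholders
# and the DB dump is assumed to exist already.
import os
import re
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

ARCHIVE_RE = re.compile(r"^store-(\d{8}T\d{6})\.tar\.gz$")


def archive_name(when):
    return f"store-{when:%Y%m%dT%H%M%S}.tar.gz"


def create_backup(store_dir, db_dump, dest_dir, when):
    """Write one compressed archive containing the store files and the DB dump."""
    dest = Path(dest_dir) / archive_name(when)
    with tarfile.open(dest, "w:gz") as tar:
        tar.add(str(store_dir), arcname="files")
        tar.add(str(db_dump), arcname="database.sql")
    return dest


def archive_members(path):
    """List what an archive contains; run this after every backup to catch empty ones."""
    with tarfile.open(path, "r:gz") as tar:
        return sorted(tar.getnames())


def expired_archives(names, now, keep_days=7):
    """Archive names older than the retention window; unrelated files are ignored."""
    cutoff = now - timedelta(days=keep_days)
    expired = []
    for name in names:
        match = ARCHIVE_RE.match(name)
        if match and datetime.strptime(match.group(1), "%Y%m%dT%H%M%S") < cutoff:
            expired.append(name)
    return sorted(expired)


def prune(dest_dir, now, keep_days=7):
    removed = expired_archives(os.listdir(dest_dir), now, keep_days)
    for name in removed:
        os.remove(Path(dest_dir) / name)
    return removed


def demo():
    """Round trip in a temporary directory with constructed content."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store"
        store.mkdir()
        (store / "index.php").write_text("<?php echo 'shop';")
        dump = Path(tmp) / "dump.sql"
        dump.write_text("-- constructed dump\n")
        backups = Path(tmp) / "backups"
        backups.mkdir()
        # A stale archive from 12 days earlier, which retention should remove.
        (backups / archive_name(datetime(2019, 12, 10))).write_bytes(b"")
        today = datetime(2019, 12, 22)
        archive = create_backup(store, dump, backups, today)
        members = archive_members(archive)
        removed = prune(backups, today)
        return members, removed, sorted(os.listdir(backups))


if __name__ == "__main__":
    members, removed, remaining = demo()
    print("archive contains:", members)
    print("pruned:", removed)
    print("remaining:", remaining)
```

Write the archives to a separate host or bucket, not only to the server being backed up; a backup that sits beside the store is lost with it, and the point of the exercise is to survive exactly that.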
To draw a line under this: as we have seen, the store owner’s vigilance is the price of store safety. But that’s not enough.
When it comes to cybersecurity, you depend on your web hosting provider more than you might expect. In fact, if you choose an untrusted hosting provider, you leave your site open to exploits and downtime.
If your website hosting is managed by our expert DevOps team, you already know what excellence is. We constantly monitor the servers for vulnerabilities. Our systems allow us to detect suspicious activity and take the right action immediately, which provides our clients with maximum protection against cyberattacks.
But if you are not using our hosting services yet, it is the right time to make a smart New Year’s resolution, and that is to:
Make cybersecurity your top priority with AWS Hosting in 2020!