The Fundamentals of Website Security for eCommerce Websites
27th March 2020
At SilverDisc we believe the three fundamentals of good website development are speed, availability and security. The latter is particularly important for ecommerce websites, which are more likely to be targeted by hackers because their databases hold lucrative, sensitive customer data that attackers will try to reach. This blog post outlines some of the website security practices we implement to mitigate these risks, with a focus on ecommerce websites.
Server Maintenance
SilverDisc is serious about security. So much so that we have our very own Systems Administrator, Victor, who monitors, analyses and protects our servers and sites 365 days a year.
Monitor
- We monitor file activity on our servers so that suspicious changes are spotted immediately and attempted attacks can be stopped.
- We monitor public and private services from different geographic points.
- We use a custom "URL monitor", which quickly alerts us to websites going down so they can be restored as soon as possible.
Analyse
- We constantly keep up to date with the latest vulnerabilities so we know how to best protect our clients' websites.
- We analyse server logs for potential threats.
Protect
- We implement firewalls to prevent unauthorized users from accessing servers.
- We apply patches and security updates on a regular basis.
- We install DDoS attack detection and containment tools.
SSL Protection
An SSL (secure socket layer) certificate encrypts all data in transit between your server and your customer’s browser. This ensures that sensitive data such as email addresses or payment details can only be read by your server and the customer's browser, not by anyone intercepting the connection.
Another benefit of an SSL certificate is the “secure” padlock that displays in the URL bar.
[Image: the padlock shown in the browser's URL bar]
This reassures your customers that the connection to the site is secure and any personal data sent will be kept private. This is especially important for ecommerce sites where customers are going to be sharing their personal data such as their name, address and payment details.
Google also gives better rankings to sites with SSL certificates, and as your competitors are all highly likely to have one, being without an SSL certificate can put you at a real disadvantage in comparison. This is true from a security standpoint as well as in terms of SEO and whether potential customers will trust you. All SilverDisc sites are launched with SSL certificates as standard.
In The Event Of A Hack…
We understand how important it is for sites to remain online with minimal downtime, especially during busy periods. In the event of an attack, there should always be a recent backup of the code and database available. Having this will allow you to restore a working version of the site quickly and easily. At SilverDisc we regularly back up all our clients' websites, so they can rest assured knowing that if the worst does happen they will be back up and running quickly.
Privileges and Training
It is essential for both web developers and clients to be educated on security threats. Simple measures such as using complex passwords and not sharing login credentials all contribute to a more secure site.
Each user who can log into the website should only be assigned privileges which allow them to access the features and data they need.
A typical hierarchy for an ecommerce site could be:
- Administrator - Full access to the site
- Order Dispatcher - Access to view completed orders only
- Content Editor - Access to view and edit content
- Customer - Access to their own orders
Not only will this reduce the chance of data leaks, but it will reduce the likelihood of CMS user errors breaking the site. At SilverDisc we configure our websites with bespoke roles and provide full CMS training to clients before launch. Our account managers are also only a phone call away should our clients require any guidance or advice.
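To show how the hierarchy above translates into code, here is an added example (not SilverDisc's own code) of a deny-by-default authorisation check. The role names follow the list above; the action names, order statuses and sample users are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    ADMINISTRATOR = "administrator"
    ORDER_DISPATCHER = "order_dispatcher"
    CONTENT_EDITOR = "content_editor"
    CUSTOMER = "customer"


@dataclass(frozen=True)
class User:
    user_id: int
    role: Role


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    status: str  # "pending" or "completed" (status names are assumed)


# Actions a role may perform with no further conditions.
# Order viewing is deliberately absent for dispatchers and customers:
# for them it depends on the individual order, so it is decided below.
UNCONDITIONAL = {
    Role.ADMINISTRATOR: {"content:view", "content:edit", "order:view",
                         "order:edit", "user:manage"},
    Role.ORDER_DISPATCHER: set(),
    Role.CONTENT_EDITOR: {"content:view", "content:edit"},
    Role.CUSTOMER: set(),
}


def authorize(user: User, action: str, order: Optional[Order] = None) -> bool:
    """Return True only if an explicit rule grants the action; deny otherwise."""
    if action in UNCONDITIONAL[user.role]:
        return True
    if action == "order:view" and order is not None:
        if user.role is Role.ORDER_DISPATCHER:
            # Dispatchers may view completed orders only.
            return order.status == "completed"
        if user.role is Role.CUSTOMER:
            # Customers may view their own orders only.
            return order.customer_id == user.user_id
    return False
```

Because every branch that is not explicitly granted falls through to `False`, adding a new role or action never silently widens access.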
Use A Well Supported and Up To Date CMS
Another way of reducing the risk of threats is by using a well-supported framework such as Drupal or Magento. When threats arise, the communities for these frameworks will work together to quickly release security patches or updates which should then be applied to eradicate the threats. A report by Sucuri states that “In 2019, over 56% of all CMS applications were out of date at the point of infection.” Whenever security updates are released for any of our clients' websites, we quickly work to apply any patches and ensure the sites are up to date and secure.
Payment Gateways
Payment gateways are responsible for taking payment details from the customer and ensuring the funds reach your bank. You should use a secure and trusted payment gateway to handle your payments. Customers will expect their transactions to be secure, and given the damage a data leak could cause your brand, it is especially important to get this right.
SilverDisc's 10 Top Tips To Keep Your eCommerce Site Secure
As the owner of an ecommerce website, here are ten steps that you should take to reduce the chance of your site being infiltrated:
- Choose a popular framework which provides regular security updates or patches
- Invest in a secure, reliable and knowledgeable hosting provider
- Add SSL protection to your site
- Choose a trusted, well-known payment gateway
- Take regular offline backups of your site
- Use strong passwords for user accounts
- Do not share login credentials
- Remove historic data when it is no longer needed (for example users, orders and enquiries)
- Set up a hierarchical permissions system, which allows users to only access what they need
- Remove access to the site for users that leave your company
If you have any questions about the security of your site or any of the above, please get in touch with SilverDisc and we’ll be happy to help.