Website security is a hot topic these days, with a new hack of a major institution making it in the headlines every few weeks. You know security is important, and you want to protect your site, but what measures should you take to keep your site secure? The truth is website security will be slightly different for every site. Some large ecommerce sites may need an internal security team in place to juggle the various security tools being utilized, while smaller to mid-size sites can manage without a dedicated security team.
This is due to the complexity of larger sites, but also because the bigger a site the more attacks it will face: Distil’s 2017 Bad Bot Report found that large sites (defined as Alexa rank 1-10,000) get 57.9% bad bots compared to 42.1% good bots, whereas the smallest sites (defined as Alexa rank 150,000+) get a ratio of 28.6% bad bots to 71.4% good bots. A similar trend is likely seen with other types of attacks, as the bigger the site, the more sensitive information they have access to.
Here are 6 quick fixes that can cover your bases when it comes to getting started with website security
Quick Fixes to Start Improving Security
These security tips are standards that any site should be adhering to. While they may not protect your site from particularly large or sophisticated attacks, these will ensure you are taking regular steps to protect your site and your customers.
Scan your website for Vulnerabilities:
The first thing you should do when examining your website security is to do an audit of where you currently stand. There are many tools that will scan your website for malware and known vulnerability from platforms including Wordpress, Magento, Joomla, and Drupal. Some popular free tools include Sucuri and Quttera. Once you know what your vulnerabilities are, you can start patching them and evaluating what additional tools your site needs to block threats.
Another way you can examine your site for potential threats is to look at your logs. If you use a log management tool or ELK stack logs (a combination of ElasticSearch, LogStash, and Kibana) you can search logs to see where requests come from and identify if your site is getting unusual requests. For example, if you sell exclusively in the US and get a lot of suspicious traffic from other countries, you could see that and try to block that traffic from accessing your site.
Use SSL/TLS Encryption for All Pages
The majority of ecommerce sites use the HTTPS encryption protocol on their payment pages through the payment gateway they use, however having HTTPS only on some pages of your website could still leave you vulnerable to attack and your users’ browsing information open to be taken. Browsers including Google Chrome (which has a 59% market share on desktop) will label your site as insecure in the URL bar if it is not on HTTPS throughout the site. In addition, Google search has started ranking HTTPS-only sites higher in search results, and having HTTPS implemented on all pages will allow you to use the newer HTTP/2 protocol, which offers better website performance and can also improve SEO.
We also highly recommend using the Qualys SSL Labs tool to evaluate the quality of your SSL configuration. You should aim for an A+ rating which indicates the certificate itself is valid, and that the protocol support, key exchange, and cipher strength are also strong. Just having an SSL/TLS certificate isn’t enough, as there are weaknesses in the way some SSL certificates are deployed and if your certificate is expired it could also expose you to attacks and harm your reputation with customers.
Stay on Top of Security Patches:
44% of attacks are because of known vulnerabilities in the platforms websites us. Some bots scan your website regularly for vulnerabilities so that an attacker can take advantage of those found without manually searching. Always stay up to date on patches for these issues, which will be in a developer or security section on the platform’s website or in their portal.
Doing regular scans of your website yourself will also help pick up these security risks. If you use an open-source Web Application Firewall, as discussed in more detail below, it’s also crucial that you are regularly updating that against new security risks.
Use Strong Passwords and 2-Factor Authentication for Admin Access
Administrator accounts are particularly vulnerable to hacking attempts by bots or individual attackers. You should regularly audit the people who have administrator access to your website or database to check that no one has created an unauthorized administrator account, and make sure that your authorized users are strongly protected against hacking attempts. Requiring them to use a strong, randomly generated password that is unique from any other logins is important. A password manager such as LastPass is useful in generating and storing strong passwords.
If you can enable 2-factor authentication for logins that will go a step further in protecting your administrator accounts. In addtion, there may be platform-specific steps you can take to protect yourself from login fraud. Wordpress by default does not limit login attempts, meaning bots continue to try login combinations. To protect yourself from this, you can enable brute-force protection.
Be PCI Compliant
Ecommerce websites of all sizes that accept credit card payments are required to PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) are security standards to protect customers when they are submitting payment details online. There are several levels of verification depending on the number of transactions you process each year, ranging from a full network-level assessment to a self-assessment for smaller merchants.
Using an ecommerce platform such as Magento or Shopify will not directly make you PCI compliant because they don’t directly process transactions. You will need to make sure your server network, Content Delivery Network, and payment gateway (such as Stripe or Authorize.net) are PCI compliant before performing your assessment.
Use Trusted Extensions, Platforms, and Themes
As mentioned previously, it is crucial that you stay on top of updates for the platforms that you are using. In addition, you should use trusted platforms, extensions, and themes as these can open you up to vulnerabilities: Last year ecommerce platform Magento found that several third party extensions were at risk of SQL injection attacks. Wordpress has also found vulnerabilities in their numerous plugins and themes, with 52% of known Wordpress vulnerabilities coming from plugins and 11% coming from themes.
To find trusted themes and plugins that are less likely to have vulnerabilities, download directly from the platform’s marketplace and be wary of free tools which seem to good to be true. You can also check how many other extensions a company has created, the number of downloads or reviews each extension has, and the length of time they have been creating extensions as a good indicator of if they are a trustworthy business.
To learn more about how to get started with Website Security please download the full Website Security Guide. For more information on how section.io can improve the security of your website, please contact us.