Whether your shop is your main income or just a hobby, you need to protect it with good security practices. In this article I will go over some of the methods you can use to make your shop harder for someone to exploit. Implementing as many of these as you possibly can will make your shop more secure and make it easier for you to rest at night.
Protect the Admin Directory With htaccess
Hey, that is the early 90’s way of using passwords. It sure is. But it is a way to put a second login layer in front of your admin area. Most shopping cart software has an admin directory where you enter your username and password. If you use htaccess to protect that directory, getting in now takes two user names and two passwords. If you go to the trouble of doing this, do not use the same user name and password for both.
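The htaccess layer described above, as an added example that is not part of the original article. It assumes Apache 2.4 with AllowOverride AuthConfig enabled for the admin directory and the htpasswd tool (apache2-utils / httpd-tools) installed; the paths and user name are placeholders.

```shell
#!/bin/sh
# Added example: put HTTP Basic Authentication in front of a shop's admin
# directory, separate from the shop's own login form.
# Assumes Apache 2.4, AllowOverride AuthConfig, and htpasswd installed.
# /etc/apache2/shop.htpasswd and "shopgate" below are placeholder values.

# Print the .htaccess contents for the admin directory. $1 is the absolute
# path of the password file. Keep that file OUTSIDE the web root so it can
# never be served to a visitor.
generate_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $1
Require valid-user
EOF
}

# Return 0 when the password file ($1) sits outside the web root ($2),
# 1 when it is inside it (a file under the document root may be downloadable).
check_pwfile_location() {
    case "$1" in
        "$2"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the password file with a bcrypt hash (-B). htpasswd prompts for the
# password interactively, so it never appears on the command line.
# Use a different user name and password from the shop's own admin account.
create_htpasswd_user() {
    pwfile="$1"; user="$2"
    htpasswd -B -c "$pwfile" "$user" && chmod 640 "$pwfile"
}

# Typical run (placeholder paths):
#   check_pwfile_location /etc/apache2/shop.htpasswd /var/www/shop || exit 1
#   create_htpasswd_user /etc/apache2/shop.htpasswd shopgate
#   generate_htaccess /etc/apache2/shop.htpasswd > /var/www/shop/admin/.htaccess
```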
Use a Different Email Address
Every e-commerce package that I can think of requires some sort of email address to log in: either the login is a username and password resets go to the email address, or the email address itself is the login. What happens if someone breaks into your email account? They can reset your password without you knowing and lock you out of your own shop. The best practice here is not to use your main email address for the login. Create another email address, whether with one of the email providers or on your own domain. The key when you do this is to leave no trace of this email address inside your main email account. Do not have its emails forwarded to your main address, and do not access it unless you absolutely have to. Some packages like WHMCS actually send alerts to your email address when logins fail. You can set up the back office to have those sent to other email addresses too. You should do that to maintain the separation between the email addresses.
Test Your Host
Your host is supposed to be one of your most secure aspects, but sometimes it is not. In 2012, when WHMCS was hacked and all of the credit card numbers were breached, the host was at fault: someone socially engineered the hosting support staff into handing over the server's password. No matter how secure the software is or what precautions you take, you are always open to this type of attack. You can try to get your host to use two-factor authentication on your account, if they are willing. But right now there is no 100% way to secure something that you have no control over.
Custom cPanel Name
Most e-commerce sites are actually hacked at the cPanel / FTP level. I bet you didn’t know that when WHM creates a user name for a domain name, it usually uses the first 8 letters of the domain name. Since this is common knowledge, it is not secure. Use a custom user name; that will make it harder for someone to try to log into your cPanel or FTP account.
Hide Your E-Commerce Package
Many e-commerce packages put a meta generator tag in the head of your site. Take it out; it is dangerous. If there is ever an exploit against the cart that you run, people can search for sites that have that tag in the head. Also, most shops will let you map your themes folder to a different path. Do this. I can view the source of a store and generally tell what shopping cart software it is using by looking at how the theme is addressed, but if you change the theme path to something obscure, it will make things harder on the hackers.
Avoid Common Database Prefixes
Most applications use a default database prefix: WordPress uses the wp prefix and PrestaShop uses ps. Change the default prefix; this will actually help you against SQL injection attacks because the attacker will have a harder time figuring out what the tables are named.
Use Strong Passwords
This really does not have to be said, but at the same time it does. Use a strong password for your shop and for the email address that the shop is connected to. Do not use the same password for your shop and that email address, or for anything else either.
2 Factor Authentication
Most shops have plugins that let you use 2 factor authentication on the back office. If the shop that you use has such a plugin available, it would be a good investment. If someone makes it through one factor, they still have the second factor to worry about. It effectively makes your shop twice as hard to hack.
Run PCI Tests
Run PCI scans on your server. Unless you are using a managed dedicated server, you never know what buggy version of software your host is running. Running a scan will let you know of possible vulnerabilities on your site before they become an issue. I would suggest running a scan quarterly.