It’s no secret: hackers love e-commerce sites! The valuable information that flows through them makes online sellers prime targets for attempted intrusion. This is especially true during times like the holiday shopping season. If you plan to sell online this holiday season, now is the time to review your e-commerce security.
In 2022, 40% of visitors to e-commerce websites were bots.
Fortunately, these weren’t all malicious bots, but 23.7% were, which should be enough to put any e-commerce site owner on notice.
The biggest threats to e-commerce security in 2022
There are a number of hacks that occur regularly, but the most common ones to watch out for are:
- Credit card theft
- Malicious redirection (when someone tries to visit your website but is taken to a different site)
There are a number of different ways these things can occur, both in how malicious actors get in and in how they carry out the hack itself.
Sometimes, it can take a long time to figure out that a hack has occurred, especially in the case of credit card theft!
Unfortunately, if a hacker is able to steal customer credit card numbers from your e-commerce store, the hacker isn’t the one who will suffer. Angry customers will flood social media with complaints and your business reputation will tank.
7 e-commerce best practices from the pros
The lead up to Christmas is open season for hackers. Here is a list of simple e-commerce security tips that you can follow to help keep your web store safe:
1. Keep your software updated
This first e-commerce security tactic cannot be stressed enough. Outdated WordPress plugins and themes can have security gaps in them that are discovered and used by malicious actors to break into your site. (If your WordPress website was built with GoDaddy’s Managed WordPress, skip to Tip #2, as all updates are taken care of for you.)
Once they’re in, hackers could program your site to redirect holiday shoppers to a malicious website where they might be asked to download software, for example.
In any website software, there is a section for checking for updates, just like on your computer. You wouldn’t put off a computer, phone, or phone app update … so why would you miss one for your website? Website software, just like any other software, is always being upgraded and improved.
Sometimes these changes are purely for usability purposes; often, though, they close security gaps.
As an example, here is an article that talks about a recent security gap in the Elementor WordPress plugin that was closed by subsequent plugin updates.
2. Use strong passwords and update them regularly
It is often said in the cyber security world that humans are the weakest link.
Since each person generally comes up with their own passwords, weak passwords are a popular method of breaking into websites.
There are plenty of methods that malicious actors use to get into a website via a weak password. So our second e-commerce security tip is to ensure that you have strong passwords for all your admin (administrative) users in particular, and that they also update them on a consistent basis.
Anyone who has administrative access to your e-commerce store MUST use strong passwords and change them regularly.
There are a number of different ways to ensure that your users have strong passwords:
- Use plugins or free tools like LastPass that create strong passwords for you
- Most content management systems (CMS) have an indicator that will show how secure a password is
For a list of password best practices, check out these two articles:
How to create secure passwords for your website
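The password-strength indicator a CMS shows is doing something like the check below. This is an added example in Python, not code from the article or from any CMS: it scores a candidate password on length, character variety, keyboard sequences, repeated characters and a small constructed deny-list of common passwords (standing in for a real breached-password feed). Thresholds and the deny-list are assumptions for the example.

```python
import math
import re
from typing import List

# Constructed deny-list; a real deployment would check against a breached-password feed.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123", "welcome1"}

# Keyboard and alphabet runs that look random but are among the first things guessed.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")


def contains_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains a forward or reverse run of `run` characters from SEQUENCES."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound entropy from the size of the character pool and the length."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, min_len: int = 12, min_bits: float = 60.0) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Strip the trailing digits/symbols people bolt onto a common word ("Password123!").
    stem = re.sub(r"[0-9!@#$%]+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("matches a common/breached password")
    if contains_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeats the same character three or more times")
    if estimate_entropy_bits(pw) < min_bits:
        problems.append(f"estimated entropy below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "aaaa1234", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note that `Password123!` passes the length and character-class tests yet is still rejected, because it is a common word with a predictable suffix; that is why a deny-list matters more than a complexity rule.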
3. Get a malware scanner
Although it’s been around for decades, malware had a very good year in 2022.
Malware infections are most often intended to raid vulnerable websites for valuable resources such as:
- Credit card information
- Traffic
- Search rankings
- Server resources
Here are some of the most popular malware attacks in 2022, according to the Sucuri SiteCheck Malware Trends Report:
SEO spam
This is when hackers inject unwanted keywords, spam content, ads, or malicious redirects into websites. The goal? To inflate their own site’s search rankings by generating backlinks in bulk, to the detriment of the sites they have hacked.
If Google detects a spam infection or other malicious code on any website, it often downgrades its search rankings.
As a result, organic (free) traffic to the site drops — at least until the issue is resolved.
No website is safe from SEO spam; SiteCheck found it on sites built with WordPress, Joomla, Drupal and Magento.
Injected malware
Attackers insert malicious external script references, iframes or inline scripts into a site’s JavaScript files or HTML code. These can be hard to find manually, since attackers can be clever about hiding malicious JavaScript.
Defacements
This type of attack is the equivalent of graffiti or vandalism carried out on a physical building.
In this case, you open your website one morning to find your site has been visually changed in a way that will likely scare off customers and other legitimate visitors trying to see it.
The motivation for this type of hack could be political or religious in nature … or simply random mischief.
Credit card thieves
Credit card skimming malware such as MageCart injects scripts into checkout pages to steal payment card details during the checkout process.
MageCart sends this data to a destination controlled by the hackers.
The instances of skimming malware found by SiteCheck in late 2022 affected sites built most often with WordPress, but also Magento and OpenCart.
Unwanted ads
This type of malware does just what you’d expect: it inserts ads, pop-ups and malvertisements onto websites. The goal in this case is to make money, since ad networks deposit advertising fees into the hacker’s account rather than the real website owner’s account.
4. Adopt two-factor authentication
Two-factor authentication (2FA) is a form of multi-factor authentication that requires two steps to verify your identity when logging in. Instead of simply providing an ID and password, two-factor authentication asks you to provide:
- Something only you know (like an answer to a secret question)
- Something you are (like your fingerprint) or
- Something you have (like a physical token generator) as an additional authentication factor before granting you access to the system
Small businesses can implement two-factor authentication for their employees and users by either of these methods:
- Physical security keys: The Yubico Security Key is available for both USB-A and USB-C ports and has one of the best combinations of compatibility and security.
- Software token authentication: You can use third-party authenticator services. The most popular providers of this form of MFA are Google Authenticator, Okta, and PingOne.
5. Check the default privilege level for new users
Many small businesses like to give their customers the option to make a user account. After all, why wouldn’t they want a user account? This allows customers to see various things that are beneficial to you and them such as:
- Their past purchases
- The status of their current order(s)
- Any points they’ve collected, etc.
If you plan to give your customers this option, you’ll want to check the privilege level (that is, how much access they have to make changes to your website) that is assigned by default to each new user. Always make sure to check this, and ensure that it’s set to the lowest level necessary.
For example, in WordPress and most site builders, there is a permission level for “Customer,” which would most likely suit e-commerce needs for any new users created. However, there is also the option for “Admin.”
An Admin user is allowed to do things like create and publish new pages, change items for sale, as well as their prices.
As this isn’t something that you would want to allow customers to do, definitely be sure to check the pre-set privilege level for new users and make sure it’s not Admin level.
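A quick way to make this check repeatable is to audit both the setting and the accounts it already produced. The block below is an added example in Python, not code from the article or from any CMS: it takes a constructed store configuration (with the weak “new users are Admin” default) and a constructed user export, reports the problem, and shows the corrected configuration with every self-registered account reset to the lowest role. The role names and the `source` field are assumptions for the example; your CMS will expose the same information under its own names.

```python
import json

# Hypothetical role set for the example, ordered from least to most privilege. The page's
# "Customer" and "Admin" levels sit at the two ends of this ladder.
ROLE_RANK = {"customer": 0, "shop_manager": 1, "admin": 2}
LEAST_PRIVILEGE_ROLE = "customer"

# Constructed store settings: the weak configuration the page warns about.
WEAK_SETTINGS = {"users_can_register": True, "default_role": "admin"}

# Constructed user export, as a site owner might pull from a CMS or store builder.
USER_EXPORT = json.loads("""[
  {"login": "owner", "role": "admin",        "source": "created_by_owner"},
  {"login": "alice", "role": "customer",     "source": "self_registration"},
  {"login": "bob",   "role": "admin",        "source": "self_registration"},
  {"login": "carol", "role": "shop_manager", "source": "self_registration"}
]""")


def audit_privileges(settings, users, least=LEAST_PRIVILEGE_ROLE):
    """Return a list of findings; an empty list means the defaults follow least privilege."""
    findings = []
    default = settings.get("default_role")
    if settings.get("users_can_register") and default != least:
        findings.append(f"new self-registered accounts get role '{default}'; expected '{least}'")
    for user in users:
        if user["source"] == "self_registration" and ROLE_RANK[user["role"]] > ROLE_RANK[least]:
            findings.append(f"self-registered account '{user['login']}' holds role '{user['role']}'")
    return findings


def harden_settings(settings, least=LEAST_PRIVILEGE_ROLE):
    """The corrected configuration: keep registration on, but start everyone at the bottom."""
    fixed = dict(settings)
    fixed["default_role"] = least
    return fixed


def demote_self_registered(users, least=LEAST_PRIVILEGE_ROLE):
    """Reset every self-registered account to the least-privilege role.

    Accounts the owner created deliberately (source != self_registration) are left alone.
    """
    return [dict(u, role=least) if u["source"] == "self_registration" else dict(u) for u in users]


if __name__ == "__main__":
    for finding in audit_privileges(WEAK_SETTINGS, USER_EXPORT):
        print("finding:", finding)
    fixed_settings = harden_settings(WEAK_SETTINGS)
    fixed_users = demote_self_registered(USER_EXPORT)
    print("after fix:", audit_privileges(fixed_settings, fixed_users) or "no findings")
```

The second half of the audit is the one people forget: changing the default only affects accounts created from now on, so any customer who already registered while the default was Admin keeps that role until you reset it.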
Depending on the CMS or online store builder you used to build your site, you can check their support site for how to change access privileges. Here are articles explaining user roles, and also how to change them:
6. Get an SSL certificate (if you don’t already have one)
People talk about making sure to have an SSL certificate on your site, and how important it is for SEO (search engine optimization), as well as the security of your website.
But what does this actually mean? What does an SSL actually do for your e-commerce security?
SSLs encrypt information going into and out of your site.
Imagine you write a letter to your best friend. If you write that letter in plain English, anyone could pick it up, tear it open, and read it.
If the letter had any important information (your credit card information, perhaps?), that person could copy it down, stuff the letter back in its envelope, and then deliver it to your best friend.
For the sake of this example, your best friend and you may never know that the important information was copied/stolen.
The magic envelope
Now, instead, imagine that when you write your letter, the envelope you put it in scrambles the letters and entirely changes the whole message for you. The same devious someone picks up your letter, opens it and attempts to read it, but can’t.
Because it’s not in any real language!
Then, when your best friend gets the letter and uses their secret decoder ring to read the message, you can be certain that your important information is kept safe.
This is, in essence, how SSLs work: they are the envelope that scrambles the message for you, so that only the people for whom the information was intended can read it.
This is not to be confused with website security! An SSL is only a part of website security, but is absolutely essential for e-commerce sites. You can read more on all of this here.
Note: An SSL is included with GoDaddy's eCommerce store.
7. Purchase a Web Application Firewall (WAF)
This is a very simple e-commerce security step to take: you can purchase a WAF and have it set up for you, as these are generally configured by an expert.
Imagine it’s like building a moat and drawbridge for your house, as well as putting bars on the windows. It makes it difficult for malicious actors to get into your site and cause trouble.
Here are some articles that provide more details about a WAF, how it works, and what it does.
Editor’s note: GoDaddy’s Website Security is a one-stop e-commerce security solution that includes an SSL, Web Application Firewall, daily malware scans and 24/7 monitoring.
Put e-commerce security on your New Year's to-do list
If you’re ever unsure of how to implement any of these e-commerce best practices, you can always check what services are available through your hosting provider. If you have a web developer and/or designer, it is also a good idea to check with them about how to boost your online security. These are all simple steps that can be taken to ensure the security of your website, and therefore your business!