It’s no secret: hackers love e-commerce websites! The valuable information that flows through them makes online sellers prime targets for attempted intrusion. This is especially true during times like festive sale seasons. Now is the time to review your e-commerce security.
Shopify merchants collectively made $5.1 billion in sales from Nov. 27 to Nov. 30, 2020, up 76% from 2019.
And these figures are just from one e-commerce platform! No wonder hackers get busy at this time of year.
The biggest threats to e-commerce security in 2021
There are a number of hacks that occur regularly, but the most common ones to watch out for are:
- Credit card theft
- Malicious redirection (when someone tries to visit your website but is taken to a different site)
There are a number of different ways that these things can occur, methods by which malicious actors get in as well as carry out the hack itself.
Sometimes, it can take a long time to figure out that a hack has occurred, especially in the case of credit card theft!
Unfortunately, if a hacker is able to steal customer credit card numbers from your e-commerce store, the hacker isn’t the one who will suffer. Angry customers will flood social media with angry complaints and your business reputation will tank.
Related: What your business can gain from good digital security
5 e-commerce best practices from the pros
Here are a list of simple e-commerce security tips that you can follow:
1. Keep your software updated
This first e-commerce security tactic cannot be stressed enough. Outdated WordPress plugins and themes can have security gaps in them that are discovered and used by malicious actors to break into your site. (If your WordPress website was built with GoDaddy’s Managed WordPress, skip to Tip #2, as all updates are taken care of for you.)
Once they’re in, hackers could program your site to redirect holiday shoppers to a malicious website where they might be asked to download software, for example.
In any website software, there is a section for checking for updates, just like on your computer. You wouldn’t put off a computer, phone, or phone app update … so why would you miss one for your website? Website software, just like with any other software, is always being upgraded and improved.
Sometimes these changes are purely for useability purposes.
As an example, here is an article that talks about some of the more recent security gaps in WordPress plugins that were closed by subsequent plugin updates.
2. Use strong passwords and update them regularly
It is often said in the cyber security world that humans are the weakest link.
Since each person generally comes up with their own passwords, weak passwords are a popular method of breaking into websites.
There are plenty of methods that malicious actors use to get into a website via a weak password. So our second e-commerce security tip is to ensure that you have strong passwords for all your admin (administrative) users in particular, and that they also update them on a consistent basis.
Anyone who has administrative access to your e-commerce store MUST use strong passwords and change them regularly.
There are a number of different ways to ensure that your users have strong passwords:
- Use plugins or free tools like LastPass that create strong passwords for you
- Most content management systems (CMS) have an indicator that will show how secure a password is
For a list of password best practices, check out these two articles:
How to create secure passwords for your website
3. Check the default privilege level for new users
Many small businesses like to give their customers the option to make a user account. After all, why wouldn’t they want a user account? This allows customers to see various things that are beneficial to you and them such as:
- Their past purchases
- Check on the status of their current order(s)
- Any points they’ve collected, etc.
If you plan to give your customers this option, you’ll want to check the privilege level (aka, the amount of access they have to make changes to your website) that is automatic for each new user. Always make sure to check this, and ensure that it’s set to the lowest level necessary.
For example, in WordPress and most site builders, there is a permission level for “Customer,” which would most likely suit e-commerce needs for any new users created. However, there is also the option for “Admin.”
An Admin user is allowed to do things like create and publish new pages, change items for sale, as well as their prices.
As this isn’t something that you would want to allow customers to do, definitely be sure to check the pre-set privilege level for new users and make sure it’s not Admin level.
Depending on the CMS or online store builder you used to build your site, you can check their support site for how to change access privileges. Here are articles explaining user roles, and also how to change them:
4. Get an SSL certificate (if you don’t already have one)
People talk about making sure to have an SSL certificate on your site, and how important it is for SEO (search engine optimization), as well as the security of your website.
But what does this actually mean? What does an SSL actually do for your e-commerce security?
SSLs encrypt information going into and out of your site.
Imagine you write a letter to your best friend. If you write that letter in plain English, anyone could pick it up, tear it open, and read it.
If the letter had any important information (your credit card information, perhaps?), that person could copy it down, stuff the letter back in its envelope, and then deliver it to your best friend.
For the sake of this example, your best friend and you may never know that the important information was copied/stolen.
The magic envelope
Now, instead, imagine that you write your letter, the envelope you put it in scrambles the letters and entirely changes the whole message for you. The same devious someone picks up your letter, opens it, attempts to read it, but can’t.
Because it’s not in any real language!
Then, when your best friend gets the letter and uses their secret decoder ring to read the message, you can be certain that your important information is kept safe.
This is, in essence, how SSLs work: they are the envelope that scrambles the message for you, so that only the people for whom the information was intended can read it.
This is not to be confused with website security! An SSL is only a part of website security, but is absolutely essential for e-commerce sites. You can read more on all of this here.
Note: An SSL is included with GoDaddy Online Store.
5. Purchase a Web Application Firewall (WAF)
This is a very simple e-commerce security step to take, as these are generally set up by an expert. You can purchase one and have it set up.
Imagine it’s like building a moat and drawbridge for your house, as well as putting bars on the windows. It makes it difficult for malicious actors to get into your site and cause trouble.
Here are some articles that provide more details about a WAF, how it works, and what it does.
Editor’s note: GoDaddy’s Website Security is a one-stop e-commerce security solution that includes an SSL, Web Application Firewall, daily malware scans and 24/7 monitoring.
Make e-commerce security a priority
If you’re ever unsure of how to implement any of these e-commerce best practices, you can always check what services are available through your hosting provider. If you have a web developer and/or designer, it is also a good idea to check with them about how to boost your online security. These are all simple steps that can be taken to ensure the security of your website, and therefore your business!
