With more and more people shopping exclusively online, ensuring a safe and trustworthy e-commerce environment has never been more important. It’s no fun dealing with hacking attempts, data miners, or DDoS attacks. Luckily there are a variety of things you can do to take the security of your website into your own hands and defend against any nefarious entities that come knocking. We thought it would be a good idea to explain some of the best things you can do to secure your webshop in 2022.
Strong passwords and two-factor authentication
It may be self-evident yet despite this, passwords are still a surprisingly common factor in successful hacks and website attacks. Passwords with long and complex combinations of letters, numbers, and symbols make an account far more difficult to compromise.
Having said this, passwords are only a first line of defense, and aren’t the be all and end all of website protection. For this reason, using an extra authentication layer, known as 2-factor authentication or 2FA, has become best practice. 2FA adds an additional layer that is more difficult for any intruder to access, for example a one-time QR-code or password connected via an independent authenticator app, or a one-time code sent to your phone number.
Use secure cookies
Secure cookies can only be sent via an SSL-certified connection. The extra layer of protection between server and client, means that any information contained in cookies is encrypted and safer from prying eyes. To be able to use secure cookies you need to have your website use sitewide SSL.
Use sitewide SSL
The lock icon that appears next to the web address in your browser indicates that you are currently using an SSL connection. An SSL certificate is an additional security layer that protects your visitors by encrypting any communication between your servers and your clients’ browsers. When using an SSL certificate, it’s very important that this be site-wide, rather than on some pages but not others. The latter would mean a visitor is being bounced between encrypted and unencrypted connections, making them vulnerable. Make sure to keep your SSL certificate verified and up to date with the latest security changes.
Consider Address Verification Systems
Using an Address Verification System or AVS, is one way that e-commerce websites try to prevent malicious actors from pretending to be real customers, as well as reject fraudulent payments. These systems try to verify the data provided by the customer during the customer journey. Data that doesn’t match this can be an indicator of fraud or a security threat. AVS is not a perfect solution of course and comes with downsides – such as an increased potential rate of false rejections, or lack of support for all common payment methods. Despite this it’s a commonly used tool in the arsenal of website protection, largely thanks to its ability to detect payment fraud.
Use a VPN
Sensitive data is generally much more vulnerable on public networks. Using a Virtual Private Network or VPN lets you cut access to this data for most bad actors. In essence it creates a protected tunnel for any sensitive data you may have. This encrypts data before it enters a public network, which can only be decrypted once it reaches the destination server.
Obscure your HTTP headers – hide your web host provider and version
HTTP headers can be used to share extra information between the client and the server. They are extremely common and are being used by vendors, for example, to track market share in the server hosting market. Showing the type and/or version of the web server while useful in some cases can be a good way to refine and speed up efforts by bad actors. The reason for this is because they can immediately look for vulnerabilities and openings specific to your web server. The best thing you can do is to obscure these headers. It means more work for any potential attacker and therefore an additional layer of protection for your website and your users.
Keep your software up to date
Updates are one of those things that tend to fly under a lot of people’s radar. The intuitive assumption is often if it isn’t broken, does it need fixing? Yet there are good reasons for why so many updates are released annually, and a big part of these are security related. These can be newly discovered vulnerabilities, loopholes in existing protective software, or additional security features or standards. Staying on top of all your software versions isn’t the most exciting of tasks but no less important for it.
Backup your website
Keeping your website backed up and safe is a good way to ensure you don’t suffer from corrupted data or data theft. The best thing to do would be to schedule backups to be consistent and up to date. Fallout from the lack of a backup can be extremely messy, you can lose everything and, in some cases, find yourself back to square one, needing to build everything from scratch. Thankfully this can easily be prevented, which is why backups are a no brainer for anyone running a website or storing sensitive data.
A distributed denial-of-service attack or DDoS can flood your server with requests or packets until the server buckles under the weight of them to the point of being unable to respond to real requests from visitors. For more on DDoS attacks see how we handle them at Hypernode.
Strong malware protection
Malware attacks are a danger to your customer data and can find their way in in spite of SSL protection and an encrypted server connection via VPN. Part of preventing malware is addressing the human element and ensuring everyone in your business is educated on the basic principles of cybersecurity. Tools can also scan through your eCommerce website and detect and prevent forms of malware from finding nesting grounds. Hypernode includes a malware scanner, for more information see our support page.
Ensure a secure online checkout process
Secure payment systems are pretty much a must have for any e-commerce store. This is a PCI-compliant tool which can encrypt information being transferred during the payment process. The Payment Card Industry Data Security Standard, or PCI DSS, is a global data security standard supported by most credit card scheme vendors. Ensuring that your website and/or your merchant service provider has a PCI-compliant way for customers to pay is of vital importance to their safety.
Time for a breather
No guide to protecting your e-commerce store can cover everything, no matter how exhaustive. Yet by acting to protect your data and your customers you can reduce your exposure significantly and sleep a little easier. If you can, try and put as many of these best practices into place. The best thing we can do is to stay vigilant and keep up to date with best practices. That way we can try to stay one step ahead of bad actors and safeguard customers and commercial performance.