It's every eCommerce website's owner's nightmare – getting hacked! Some of the real-life examples of what can happen when your site is hacked:
- credit card numbers stolen – your customer's card details can be stolen and sold to criminals.
- transactions intercepted – silent interception of your customer's details
- transactions completely stolen – you never see the transactions
- site vandalised
- industrial espionage or vandalism
- site used for phishing – google listed
- your site is hacked, and kept for later "use" in crime, bank fraud or illegal file distribution
We've seen most or all of these done to customers over the years – no-one is immune! The sites involved varied from small sites to huge sites with thousands of products processing millions of dollars per month.
There are three costs that you will face when you do get hacked:
- lost business while your site is down
- the cost of repairing and ensuring you can't get hacked again
- lost reputation and trust
The effort and money you spend on keeping your site secure should align well with the losses you could incur from the above! One successful model for this is to consider it like insurance – pay a little now, or pay a lot later.
10 tips for keeping your site safe from hackers
All of these could be expanded into complete articles – and we've done so for some – but here are some short-form tips that will introduce the key concepts.
Credit Card Security – don't store credit cards at all, or use methods such as tokenisation (which we'll write about in a coming article). The amount of effort you expend protecting your card numbers should relate directly to the volume of your transactions. If you are processing millions, you should be spending regularly on reviewing and updating your security practice. A major leak of credit card details is not merely embarrassing; it can actually cost your business millions.
SSL encryption to protect from snoopers should be a given. This ensures critical form data is encrypted as it travels over the internet – a common method for stealing card data is via WiFi sniffing, and encryption protects against this almost completely. This is an eCommerce basic; many customers will avoid your site if they don't see the comfort of a small padlock on the order screen. They usually don't realize that the padlock only covers one small area of security! In fact, most security problems actually occur on the client PC or the server, whilst SSL only protects the connection.
Secure hosting – most people don't realize that many hosts leave mysql open so that it's possible to view mysql databases belonging to other users. On LAMP servers, this is a side effect of the way PHP is run; it can be run securely so that this isn't possible. This mistake by your hosts is one reason shared hosting is considered insecure, but it can actually be very close to the security offered by a VPS. As an example, one organization we rescued got hacked during critical periods every time, via this method.
Update your website software regularly or you will eventually get hacked. You might like to consider the value of getting your website done using a technology that is regularly updated by competent developers. Open Source products such as Magento and WordPress offer this advantage at very reasonable cost. The key here is to choose a platform that will be around, and actively updated, for the foreseeable future – otherwise you can be left holding the proverbial baby when the updates stop and the hacking attempts continue!
Do regular backups using at least two separate methods, preferably complementing what your host does. Remember not all hosts do backups. Most don't guarantee your data. At least some of your backups should be "offline", some should be off the server, and some on server. Talk to your host about this.
Use a predictive firewall that blocks hackers. Ensure your host's firewall is capable of detecting hacking attempts and banning perpetrators so they don't get a free run – which will often yield access as they work through their extensive libraries of techniques. Your host might also virus/exploit scan uploads and prevent bad code being uploads, which helps delay or prevent many automated attacks. Remember, most attacks these days are automated – when they succeed in getting into your site the hacker is alerted and then can "use" your site for mischief.
Ensure your website is well documented. The more you have invested in developing it, the more you should expect to see documentation – one effective model adopted by many is the use of a "Wiki", the example everyone is familiar with is Wikipedia. The searchability of a Wiki, plus the fact that it is always available online, add up to a good long term tool. Often printed hardcopy documentation is just not read by anyone!
Keep your system software updated. It's an illusion if you beleive that VPS is more secure. It can actually be less secure than an actively maintained shared hosting environment. Actively maintained usually costs more – skilled system admins aren't cheap. These system updates are naturally done for you if you have quality shared hosting. Even if you keep your site secure, if your server gets hacked at operating system level (kernel/commands/services) your site is completely open.
Keep up to date with security practices – in a year or two, this article will be out of date; similarly, what is adequate now will not be enough to keep you safe in only a few years. As just one example, it's become best practice not to store unencrypted user passwords – yet many websites still store easily viewable passwords, which can be easily stolen. Without a built-in practice of reviewing security regularly, you'll find current practices will become insufficient over time, And of course, if you have a small site, many of the things listed here can be done by yourself – and you may already have them if you host with us!
Remember to upgrade your hosting as your business grows – it's not uncommon to find people relying heavily on budget hosting for a business that has outgrown that hosting years later. The budget hosting goes down and the business then loses a lot of money by being offline – hardly the fault of a budget provider who simply can't provide a cast iron guarantee at budget prices.
Summary – keep your perspective
It's important to understand that "preventing" hacking effectively means reducing your chances of being hacked. No single practice by itself can completely stop your chances of getting hacked. The trick is to combine the best practice common- sense methodologies listed above to get synergistic protection that means you are safe from all but the most skilled and determined hackers and luckily there are very few of those!