How To Make Your Online Store Secure
1 July 2009
A tutorial describing how you can make your online store more secure, thus increasing consumer confidence in your brand and website.
Introduction
In the UK, Internet sales by UK businesses rose to £163 billion in 2007, figures published by the Office for National Statistics (ONS) show – this is an increase of just over 30% on the 2006 figure of £125.2 billion.
Over 70% of UK businesses have a website, many of which also have an “online store”. For many businesses, selling online is a great idea, as it opens the doors to a wealth of new customers, not just from Britain but from all over the world. However, because the Internet is largely unregulated, unmanaged and uncontrolled, it poses a wide range of risks and threats to the systems operating on it.
What Happens If My Online Store Gets Hacked?
Aside from potentially leaving you with a non-functioning website, a hack may also have serious implications for your business and for your customers. Here are some examples:
Implications Of Being Hacked
As if having your website hacked wasn’t bad enough, consider the following implications to your business:
How Can I Make My Online Store Secure?
There are several steps that you can take to reduce the likelihood of any of the above happening to your website and ultimately to your business. Here’s how:
1. Get An SSL Certificate
You may have noticed that when you shop online or log in to your bank’s Internet Banking website, the URL (website address) in your web browser begins with https:// rather than http:// and a padlock icon appears in the address bar. This means that any information you send on that page and any subsequent https:// pages is secure and encrypted – so if a hacker were to use a packet analyzer on traffic over your network or Internet connection, they would be unable to view any personal or log in details transmitted over a secure page.
We recommend having a 256-bit SSL certificate, and obtaining one is usually inexpensive. Your website host will be able to provide you with more information and prices to set up an SSL certificate for your website. Some hosts will offer a free ‘shared’ SSL certificate. The downside is that rather than having an address such as https://www.mydomain.com, your store would probably look something like https://secureserver.mywebhost.com/~mydomain. This won’t fill your customers with confidence: they may think they are being transferred to a ‘phishing’ website, and you will lose potential new customers and orders.
2. Secure Your Online Store’s Admin Control Panel
A lot of business owners overlook this rather important aspect of their website. You may already encrypt your customers’ log in and registration details, but is your online store’s admin control panel secure as well? Here are four simple ways to secure it:
1. Give Your Admin Folder A Random Name – the most common admin folder name is, funnily enough, ‘admin’, so you should rename it to a phrase that only you (or you and whoever else in your company needs access) know about. This may not be possible with certain ecommerce solutions, so check with your software vendor first.
2. Use ‘.htaccess’ And ‘.htpasswd’ To Password Protect The Folder – a good security measure is to have a double log in procedure for your admin folder. If you use ‘.htaccess’ and ‘.htpasswd’ files to secure your admin folder, then every time you want to log in to your admin control panel your web browser will pop up a box asking you to type in the username and password that you’ve set in these files. Ask your website host for help on setting this up, or have a go yourself.
3. Access Your Admin Folder Via SSL – make sure the URL you use to access your admin folder is preceded by https:// instead of http:// so that your connection is secure.
4. Don’t Link Your Admin Folder From Any Part Of Your Website – pretty simple this one. Search engines (and hackers) can’t find your admin folder if they don’t know where it is.
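The password-protection and SSL points above can be checked together. The following is an added example, not part of the original tutorial: a small Python audit of an admin folder's `.htaccess`. The sample files, paths and the `audit_htaccess` helper are constructed for illustration; the directives themselves (`AuthType`, `AuthUserFile`, `Require`, `SSLRequireSSL`) are standard Apache ones. The check that the password file sits outside the web root is an addition beyond what the article states.

```python
import posixpath

# Constructed sample .htaccess files for an admin folder (not from the article).
WEAK = """\
AuthType Basic
AuthName "Store admin"
AuthUserFile /var/www/shop/manage-x7/.htpasswd
"""

HARDENED = """\
SSLRequireSSL
AuthType Basic
AuthName "Store admin"
AuthUserFile /home/shop/private/.htpasswd
Require valid-user
"""

def audit_htaccess(text, docroot):
    """Return a list of problems found in an admin folder's .htaccess."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')

    problems = []
    if directives.get("authtype", "").lower() != "basic":
        problems.append("no AuthType Basic: folder is not password protected")
    if "require" not in directives:
        problems.append("no Require directive: access is not restricted")
    user_file = directives.get("authuserfile")
    root = posixpath.normpath(docroot) + "/"
    if user_file is None:
        problems.append("no AuthUserFile: no password file configured")
    elif posixpath.normpath(user_file).startswith(root):
        problems.append("AuthUserFile is inside the web root")
    if "sslrequiressl" not in directives:
        problems.append("no SSLRequireSSL: password can be sent over http://")
    return problems

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_htaccess(text, "/var/www/shop"))
```
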
3. Remove Any “Powered By …” Footer Text
This may be a little tricky to do as it depends on what ecommerce software is used on your website and what the software license says about this, but basically removing any “Powered By …” text that is in the footer of each web page on your online store will make your website less susceptible to any hacking attacks. Why? Well consider this scenario – a hacker has discovered a vulnerability in a popular ecommerce software package. They can then use a search engine to find any websites that have “Powered By …” in their web pages. Now they have easy access to a list of websites they can easily hack into. By removing this portion of your online store’s footer text, your website will not be in the list of sites that they will want to attack.
If you still want to show what is ‘powering’ your online store (either because you have to or you want to), it would be wiser to instead replace the text with an image that has the software vendor’s logo on it for example – but give the image a random filename (don’t use the vendor’s name as part of the filename) and if possible don’t link the image to their website.
4. Test Your Website For ‘SQL Injection Attacks’
Even with all the above security measures in place, your online store may still be vulnerable to ‘SQL injection’ attacks – inserting SQL database commands in form fields such as text boxes – so it would be worthwhile having your website tested for such attacks. There are some online tools that offer to do this automatically (free and subscription based), or you can hire the services of a security consultant to test this for you.
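To show what such a test looks for, here is an added example (not from the original tutorial) using Python's built-in `sqlite3`: the same order lookup written with the form value pasted into the SQL text, and again with a bound parameter. The table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory orders table (sample data, not real)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, email TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice@example.com", "kettle"),
        (2, "bob@example.com", "toaster"),
        (3, "carol@example.com", "lamp"),
    ])
    return db

def orders_unsafe(db, email):
    # Vulnerable: the form value is pasted into the SQL text, so a quote
    # character in the input ends the string and the rest is parsed as SQL.
    sql = "SELECT id, item FROM orders WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def orders_safe(db, email):
    # Fixed: the value is bound as a parameter and is only ever treated as data.
    sql = "SELECT id, item FROM orders WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

def is_injectable(lookup, db):
    """Tester's check: a value for a non-existent customer must return no rows."""
    probe = "nobody@example.com' OR '1'='1"
    return len(lookup(db, probe)) > 0

if __name__ == "__main__":
    db = make_db()
    for fn in (orders_unsafe, orders_safe):
        print(fn.__name__, "injectable:", is_injectable(fn, db))
```
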