Security is an often overlooked aspect of e-commerce. We have seen a lot of merchants that set up their site and never think about security again. This very bad practice and can put your customer’s data at risk. With new laws coming in place in the EU and with data breaches being more scrutinized around the world, security should be at the forefront of your mind. Data breaches can not only cost your company in reputation, you can also be held liable in some instances from your payment processor.
Since security breaches can come from many different angles we are going to go over some of the most common causes we have seen in the last couple of years. Not all of these causes are strictly server related either, some of them are related to modules or other software on the server causing security issues. If you follow our tips below you will have a great start to securing your thirty bees site.
Use a Managed Server
Using a managed server is more expensive than using a non-managed server, it’s logical that you are paying for management. You can get very cheap hosting from companies like Hetzner or Digital Ocean, some down to $3 a month, why would you pay more for hosting? The management is what generally costs more, you are paying more for a service. I have had other developers argue til they were blue in the face supporting the low-cost unmanaged servers, hosting their client’s and their sites on them. For me, it is not something I am willing to do. At thirty bees we are capable developers, we are generally very much in the know about server security issues and the fixes required to patch them. At the same time, we use managed servers. It does cost more, but it frees us up to do other things like make awesome software and fix our own bugs.
The reason why we recommend to use a managed server is simple, the hosting company handles the security updates for your server. This means you never have to worry if your server is patched for the current exploits. With Linux and the software that it takes to run your site, this can get tedious. It is not just PHP and MySQL that you have to worry about, it is everything. The underlying kernel, the FTP service, the SSH service, the mail service, there are tons of services that can have exploits that are just not thought about on a daily basis. Then you get into different patching methods for different Linux distributions, backporting patches for RHL and there is a whole mess that only systems admins want to deal with. This is just not a risk we are willing to take. We store a very limited amount of data on our users (none actually from the shops other than it was installed), the data from our forum, and from our site registrations. But we are not willing to risk that to an exploit that could be prevented.
Any vector an attacker can use to get into your server can lead to the exploitation of your user data. Sometimes attackers never even look at your site and just install malware for phishing, sometimes not. Sometimes we have seen them actively harvest credit card numbers from sites or even redirect their PayPal modules to a form to steal the login information.
Use a Panel Software
One thing I have noticed in my career is that site owners in the EU do not like to use a control panel for their sites in general. I have seen some that do, but I have seen an overwhelming majority that does not. I have heard excuses from it slows the server down, to it is more expensive, which in themselves both can be argued. But one you never hear is they are less secure because it is quite the opposite. We do not have time to get into all of the panel software and go through all the pluses and minuses of each one, that is an article in itself. For the sake of this article, we are going to talk about the two major ones, CPanel and Plesk. Both of these panel software allows for automatic updating and bug fixing. This is a huge reason why we run them on our servers. Generally, Plesk works better for a dedicated server, while Cpanel is more tuned to VPS accounts or shared accounts. But we recommend running one or the other, the automatic updates are invaluable and leave you with more time to manage your site and less time worrying about the security of your site.
Be Careful with Modules
In every community, there are bad developers who use bad practices for whatever reason they choose to. Over the last couple of years in the community, these bad development practices have come to light and many shops have been hacked because of these bad practices. Most of the modules were allowing unabated uploads of any types of files to the server without checking if the user was actually logged in or if the file was an accepted type. This was a very bad practice and it cost untold millions of dollars for merchants around the world.
There is no silver bullet on how to fix this issue. There are a couple of tips we will give at the end of the article that can mitigate the issue of bad modules and themes, but other than doing a line by line code review, there really is no way.
Do not use WordPress
Another vector we see often that leads to exploited sites is WordPress. A merchant will install a blog for their site in the same web space as their e-commerce site, write a couple of posts, then forget about the WordPress site. Their WordPress site and modules do not get updated and a vulnerability is found by a hacker. This introduces a vector into the server where the attacker can then gain control to your thirty bees site.
WordPress in itself is not bad, but we do not recommend running it in the same web space as your thirty bees site. If you blog gets hacked, it is not a big loss, likely it holds no sensitive user data and can be recovered very easily. On the other hand, if you run it in the same web space as your thirty bees site, the WordPress site can lead to your thirty bees site being hacked as well. Now you are at risk for leaking user data that would need to be reported to your users and likely your government as well.
Tools for Securing your Site
Sadly there are not a ton of tools we recommend for securing your website. There is a lot of misinformation floating around about some of the tools and what they accomplish as well. Cloudflare is a big one with a lot of misinformation. It is something we have found does not actually secure your site. Sure, it is great if your site is under attack from a DDOS, but other than that threat, its effects are very limited. Especially with the newer more modern attacks that access single compromised files.
ConfigServer
The ConfigServer scanner is one we highly recommend. It operates in an active way, which is different than most other security services for servers. Instead of scanning files after the fact, it scans the files during the file creation. This makes it impossible for most malicious scripts to be uploaded to your site. This is a software package we have relied on for several years and have always had awesome results with it. In fact, we have never had a server running it hacked because of a poorly written theme or module before.
PrestaVault
PrestaVault is as far as we know the only software specifically for thirty bees that scans for file changes and alerts you when files on your server have been changed. This module will let you know if a hacker has attacked your site and adds a backdoor to your site, modifies system files, or any type of phishing files to your site. You can set the module up on a cron job so it can scan your site an alert you with an email of any changed files or newly added files. Letting you know if you site has been breached.
As a merchant your customers trust you with their personal information, do your best to protect their information and be a good steward with their trust. This can go a long way in helping you grow your business while also making it easier to sleep at night.
