Online Store Security: 8
Must-Complete Steps Against Web Threats
From time to time, cyber attacks of different levels happen all over the world. The 2016 Dyn cyber attack caused multiple services to be unavailable, including Twitter, Amazon, PayPal, and Netflix.
After hearing such news, you want to act immediately to protect your online store and business, don’t you? This post will give you the bare minimum that helps to keep your store safe from the majority of cyber attacks. The sooner you implement these recommendations, the better.
Ecwid merchants won’t have to follow many of them, though. Ecwid conforms to the highest international safety standards that make your store as reliable as a large bank. So your store and your customers are safe. However, the following advice will be useful not only for online store protection but also for your everyday internet surfing.
Security Tips for Everyone
Please, don’t put off completing these steps.
1. Make sure you are the owner of your domain
If you’re using your custom domain name, and especially if it wasn’t you who bought it (but your IT guy, manager, or contractor), check who is the owner — it should be you. Otherwise, another person (or organization) owns your domain name, and they can technically sell your domain name or appropriate it to a different website.
In case your domain is registered with another person’s name, move it to your account using the instructions of your domain provider:
If you are about to buy a domain name, don’t assign this task to a contractor or at least make sure you are the owner. The owners of transnational corporations should register domains with their names too. Remember your login and password, as you’ll need them when it’s time to renew your hosting subscription.
2. Make sure you are the owner of your hosting subscription
If you need hosting for your online store (for example, if you added it to your WordPress.org, Adobe Muse, or Joomla website), make sure that you own your hosting subscription. Otherwise, you run the same risk as when trusting your domain name to someone else. The owner of your hosting account will be able to do anything with your website, even delete it.
You should also keep the login and password of your hosting account for renewing it.
Tip: Use hosting providers with a good reputation, for example, GoDaddy or Name.com. It’s even better to use a hosting provider that is adjusted for
3. Exclusively create strong passwords
Protect your accounts with strong passwords. Use recommendations from Google:
- Create a unique password for every account
- Your password should consist of at least 6 characters
- Use a mix of letters, numbers, and symbols
- Use upper and lower case
- General words and common expressions
- Keyboard patterns like qwerty or 12345
- Personal information: names, addresses, ID numbers, and other.
Change all your passwords to stronger ones, from your online store dashboard to your email and social media. Change passwords every time you share your accounts with a contractor or fire an employee.
4. Install a password manager
It’s hardly possible to remember multiple strong passwords from your hosting, admin, email, and other accounts. There’s a way out — password managers:
These services require remembering just one password (master password) from their service.
Moreover, 1Password and LastPass can generate unique strong passwords. Use this feature if you don’t have the time or inspiration for creating many passwords by yourself.
It’s very unsafe to have your passwords publicly available, for example by keeping them on paper. The paper can get lost, or damaged by water or simply by time. Don’t keep your passwords in a Notebook/Excel/Word file, as those data can be easily stolen or ruined by viruses.
5. Install an SSL certificate on your website
An SSL certificate securely protects your customer data — name, address, phone number, credit card details — from hackers who can steal and use it, for example, to get money from your customer credit card).
Plus, an SSL certificate helps to improve ranking in Google and gain customer trust. Another post will tell you more about SSL certificates as well as about how to get them for your online store.
6. Set up
two-factor authentication for your email
… And also wherever it’s possible. To access your inbox, you’ll need to type your login+password, and then type a verification code sent to you by SMS or generated in a special app called authenticator. The SMS is sent to your number only, and the app is connected to your account so no one but you can receive this code.
Even if some nasty guy guesses or steals your password, they won’t be able to access your account because the system will ask them to enter the verification code they haven’t got.
If you don’t use
Some services have
7. Install the latest versions of all the programs you use
This includes your browser and the operating system of your computer and mobile devices. Such updates are normally installed automatically or by your approval (always approve them).
- Update Firefox to the latest version
- Update Google Chrome to the latest version
- Update Opera to the latest version
If your website is built with WordPress.org, Adobe Muse, Joomla, or another site builder that requires hosting, don’t neglect updates and don’t hesitate to install them as soon as they are available. Monitor service security notifications and be ready to immediately install security patches to prevent your website from being hacked.
Check it out now and update your website if necessary:
If your website is built with a cloud constructor (such as Ecwid, WordPress.com, Wix), your service is updated automatically, no actions required.
8. Create a backup copy
If your website is created with a content management system (CMS) like WordPress.org, Adobe Muse, Joomla, and others, and is hosted by a separate hosting provider, you should create a backup copy every month.
Large hosting providers do backups automatically or allow you to set up automatic backups (for example, BlueHost). Check with your provider whether they do backups. If not, do it yourself, using one of the instructions on the web (you might need a developer here).
If your online store gets hacked, backup copies will help you find and delete unnecessary code pieces added by hackers. If your website gets completely deleted, a backup copy can save your business.
For Ecwid Merchants
Your Ecwid store is as protected as it’s possible today. Ecwid conforms to the security requirements of Level 1 PCI DSS, which is the highest international standard for secure data exchanges for
We regularly check Ecwid with security scanners, create backups of your stores, update the software, and keep the data on a secure hosting.
However, if you installed Ecwid on your own website, please take care of the site’s security. (Whether you do it or not, your Ecwid store will stay secure anyways.) Follow the steps above to protect your customers and yourself from cyber attacks.
If you are using an Ecwid Instant Site:
- Change the password from your Ecwid account (and from your domain account, if you’ve bought a custom domain) to a stronger one
- Install a tool (an authenticator) for encrypting and protecting your passwords
Nothing more to do
This is the first of our set of posts about internet security for online stores. We’ll be telling you how to confront phishing, which site builders are perfect for beginners in terms of security, and why stores must not preserve customer data by themselves. We’ll try to explain everything in a clear manner that is suitable even for those who don’t have any idea about these issues.
What questions about security bother you the most? Share them in the comments!