Our very own Head of Development at Pinpoint, Doug, knows a thing or two about keeping Magento sites secure. Working with clients and third-party providers, he holds impressive experience and expertise to make staying on top of site security that little bit easier.
We chatted with him about all things site security and Magento development. He shares insight on how the platform helps to keep merchants and customers safe, and on how businesses can consistently keep their sites secure from cyber-attacks. Read on to find out what he had to say.
What is meant by site security?
Site security covers a multitude of touchpoints on a site, but it essentially boils down to keeping the information on your site safe and secure. This includes making it as hard as possible for people to get into your site and not making data available by accident. This data could be customer addresses, credit card details, telephone numbers, a list of your products, cost points of your products.
Why is site security so important for eCommerce stores?
The amount of personal data that’s stored and processed by eCommerce stores is often higher than a lot of other websites. For example, with lead generation, you might gather people’s names, phone numbers and email addresses. Whereas for eCommerce you’re likely to collect more information such as card details and billing addresses which means you can really impact people’s lives on the fraud side of things. Customers put a lot of trust in eCommerce providers to keep their data safe.
And it’s not just the eCommerce providers that need to be trustworthy, it’s the third parties they work with too. For example, when a customer enters their card details into a checkout that uses a third party such as Klarna or Braintree, they’re actually entering their details into the third-party system even though they’re purchasing on the eCommerce website. It’s rare for a merchant to store card details themselves as this would make their PCI compliance really high.
How does Magento keep sites secure?
As a core, supported product, Magento offers certain features that help to uncover vulnerabilities. Magento, or people using or implementing Magento, identify these issues and vulnerabilities. When reported and fixed, Magento will then patch it and in the next version a fix for that issue will have been provided. They will also provide patches outside of the release cycle if it’s a more severe vulnerability, but a lot of patches are now done within the quarterly release cycle.
Magento.com has a site scanning tool as well. So, it will scan your store against a bunch of different criteria, like is the admin URL available at /admin. This in itself isn’t an issue, but it’s kind of like telling everyone where you live. You’re not telling them that you’ve left the key under the door mat, but you’re telling them the first piece of information they need to compromise your store. The platform also offers things like two-factor authentication on the admin system and reCAPTCHA on the front end. Those are designed to hopefully make attacks less likely.
Magento also has a disclosure where the idea is that if I was a concerned citizen or a white hat hacker, I could submit something to Magento and say, I’ve found this vulnerability, please go fix it and I won’t tell anybody about it until you fix it. As soon as Magento has fixed it, it’s fair game for me to write a blog post all about it if I wanted to which is often what happens. The issue is only patched for merchants who have bothered to apply the upgrade so if anybody’s on an old version of the platform, the vulnerability could still be exploited. For this reason, Magento updates are really important.
As a Magento agency, we usually recommend waiting a few weeks after the update is released to ensure it doesn’t affect site performance. Fortunately, Magento has a great community, so they are very vocal about whether there are any issues. This means you can quickly identify whether the new update is going to cause you more problems or not by applying it – this is also something your agency will be able to advise on.
I don’t want to generalise but often, the majority of compromised stores are compromised because they don’t follow the basics which means they’re a lot easier to attack. You do hear of large, high value companies that get compromised though such as British Airways who were targeted for a very specific reason.
How can a business stay on top of site security?
Site security is a constantly moving goal post but there are some actions that can be taken to make it easier.
For starters, make sure you’re up to date on your platform. And make sure that you’re updating your server software when it’s needed or you’re working with a partner who’s doing it on your behalf. We recommend working with someone like Sansec who offer a monitoring tool that essentially scans your Magento codebase and database and notifies you of any compromises. You can also use a company like SecurityMetrics who do PCI compliance scanning or penetration testing; they can carry out monthly or quarterly tests to see how secure your setup is.
Magento is an open-source application so it needs to be hosted somewhere. You need to work with a third party to make sure your hosting is secure. You could make Magento as secure as possible but if someone is sat on your server because your site isn’t hosted, they can make as many changes as they want.
If you or your agency makes changes to your code, make sure that it’s being done correctly, and no data is being exposed. For example, you may need to send Klevu a price list so you can start displaying prices in your search bar. The prices need to be specific to the customer that’s doing the search, so no incorrect data is displayed.
If you are using third parties on your website, it’s important to be aware of their retention policies and what their processes are if they experience a breach. For example, let’s say you’re using Braintree as a payment provider and a breach occurs. Do you as the merchant find this out before your customers?
Backups are also important to cover – make sure you have backups as regularly as you can afford to lose data. I’d also recommend making sure that everything’s logged such as where compromises came from and what happened. Again, you can work with a third-party provider to keep that information if you need to.
It’s also really important to make sure your internal policies are up to scratch and followed. This includes cycling passwords every 90 days, making sure you only get a set number of password attempts, enabling two-factor authentication, reminding people not to leave their email and password on a post-it note on their monitor…
Finally, I’d say prepare for the worst just in case it does happen. For example, have disclosure agreements in place that say what the process is if card details, or any other data does get stolen. Basically, try to stay one step ahead and make it as difficult as possible for someone to gain access to any of your systems.
Your website might be an extension of your business, or it might be the core of everything you do. Either way, keeping your eCommerce site secure must be a top priority to protect both your business and your customers.
As more and more people make the move to shopping online, attacks and vulnerabilities are only becoming more common. Keep up to date with security measures and use the expertise of a specialist agency to help you with your site security.
If you want to chat more about your website’s security, feel free to reach out to the team today.