Absolutely minimum security tips for your online shop

Since this blog changed its topic from religion to how to make money online, I have mainly talked about how to quickly make money on the internet with known opportunities that are out there, and what you can get out of blogs.

Today I’ll assume you are already on the train of making money online with an online shop. Whether it’s an independent shop or a shop run by a third party doesn’t matter, because what we’ll look at are some tips on how to reach a minimum level of security for your online shop in order to prevent a catastrophic event.

So what’s the minimum you have to check on your website/server to be sufficiently confident that the average attacker won’t kick your ass? This list can help you:

  • Use SSL to protect any transaction on your website: whether you receive credit cards or just passwords, you should use SSL to protect the transmission of that kind of data.
  • Be sure to run the latest stable version of the software that operates your website: if you use some kind of Content Management System (CMS) for your website, make sure you constantly update it to the latest version, because every time your vendor releases an update there is a chance it fixes (un)known security issues.
  • Be sure to use the latest stable version of your web server: below your CMS sits the web server, and over the years web server vulnerabilities have been used to successfully attack websites of all sizes and colours. This is a task for your system administrator, if you are lucky enough to have one other than yourself ;).
  • Make sure your hosting provider has some protection against Denial of Service (DoS) attacks: DoS attacks have brought Google, eBay and Amazon to their knees, but they learned their lesson and are now a lot less vulnerable to them. A DoS attack prevents a website from handling legitimate requests by flooding it with garbage traffic. Unfortunately, preventing DoS is difficult for the average Joe who owns an online shop, because it is a job for a good system administrator, so make sure your hosting or housing provider already has barriers against those kinds of attacks on their servers, and therefore on your website.
  • Use impossible-to-guess passwords for your accounts: yes, they have to be impossible to guess, not just hard to guess. Not every merchant out there is the geeky type, so there is a chance you use a password that is very easy to guess. Stop now and pick something very difficult, at least 8 characters long and mixing letters and numbers. A good mnemonic and security rule is to change some letters to numbers and use that transformation in every password you use. The passwords have to be difficult for every account you own, from administrator accounts to email accounts (if attackers can get into your email account, they will be able to get your website’s passwords too).
  • Run a vulnerability assessment (VA) scan over your website regularly, and make sure your security level is GOOD: SSL only protects data in transit; it is useless if the server has open doors and windows for attackers. VA tools were born precisely to measure security levels. The bad part is that there is no standard metric for security, so the only option you have is to trust your VA tool and get a good grade in at least 3 of them. Some good VA tools are Nessus (free), Retina (mainly Windows) and Confianze Analyze, a web-based VA tool developed by this humble blogger and his nice partners :)
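The first tip in the list says SSL must protect every form that carries card numbers or passwords. A cheap way to verify that on your own templates is to parse each page and flag any form whose action resolves to a plain http:// URL while containing sensitive fields. The script below is an added example written for this post, not code from the original article or from any product named in it; the page URL, hostnames and HTML are constructed sample data, and `SENSITIVE_NAMES` is a hypothetical list of field-name fragments you would tune to your own shop.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical fragments that mark a field as sensitive (card data or credentials).
SENSITIVE_NAMES = ("card", "cvv", "expiry", "pass", "pwd")


class FormAuditor(HTMLParser):
    """Collect every <form>, its resolved action URL and the sensitive inputs inside it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            # A relative or missing action posts back to the page's own origin.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            typ = (a.get("type") or "text").lower()
            if typ == "password" or any(k in name for k in SENSITIVE_NAMES):
                self._current["sensitive"].append(name or typ)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return (action_url, sensitive_fields) for every form that sends
    sensitive data without SSL. An empty list means the page passes."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    return [
        (f["action"], f["sensitive"])
        for f in parser.forms
        if f["sensitive"] and urlparse(f["action"]).scheme != "https"
    ]


# Constructed sample: a cart page with a harmless search form, a login form
# posting over plain HTTP, a checkout form already on HTTPS, and a relative
# checkout action that inherits the page's own (insecure) scheme.
SAMPLE_PAGE = """
<form action="/search" method="get"><input name="q"></form>
<form action="http://shop.example/login" method="post">
  <input name="user"><input type="password" name="pwd">
</form>
<form action="https://pay.example/checkout" method="post">
  <input name="card_number"><input name="cvv">
</form>
<form action="checkout.php" method="post">
  <input name="card_number">
</form>
"""

if __name__ == "__main__":
    for action, fields in audit_forms("http://shop.example/cart", SAMPLE_PAGE):
        print(f"UNPROTECTED: {action} sends {fields}")
```

Run over your real templates, the same function catches the classic mistake of a secure payment form embedded in a page whose relative actions still resolve to http://. Note that the page hosting the form should itself be served over SSL as well; a form delivered over plain HTTP can be altered in transit before the browser ever submits it, even when its action points at an https:// URL.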

This article was not intended as a guide to, or a replacement for, regulations like Sarbanes-Oxley, HIPAA or the PCI Data Security Standard imposed by Mastercard and Visa. It is just a list of basic security measures you can follow no matter which country your business is based in, and is intended to be useful even for merchants that sell through payment gateways like Paypal or 2checkout.
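Returning to the password tip in the list above: the stated rules (at least 8 characters, letters mixed with numbers) are easy to turn into an automated check you can run against your own admin, hosting and email passwords before an attacker does. The checker below is an added example for this post, not code from the original article; the common-password set is a small constructed sample standing in for a real wordlist, and the 40-bit entropy floor is an assumed threshold. It also undoes the usual digit-for-letter swaps before comparing, because password wordlists routinely include those variants, so "p4ssw0rd" is treated as "password".

```python
import math
import re

MIN_LENGTH = 8  # the minimum length the post recommends

# Constructed sample of frequently used passwords; a real check would load a
# large wordlist from a breach corpus instead.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "admin",
    "welcome", "iloveyou", "monkey", "dragon", "football", "shop123",
}

# Digit/symbol-for-letter substitutions that wordlist generators apply by default.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

MIN_BITS = 40.0  # assumed entropy floor for this example


def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits, then undo common substitutions,
    so 'P4ssw0rd99' compares as 'password'."""
    base = re.sub(r"\d+$", "", password.lower())
    return base.translate(LEET_MAP)


def estimate_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes used)."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"\d", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must mix letters and digits")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    elif normalize(password) in COMMON_PASSWORDS:
        problems.append("is a common password with simple substitutions")
    if estimate_bits(password) < MIN_BITS:
        problems.append("too little estimated entropy")
    return problems


if __name__ == "__main__":
    for candidate in ("shop123", "p4ssw0rd", "Kq7vRz2mLp9X"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The entropy estimate is deliberately crude (it treats every character as independent), which is why the dictionary comparison runs as well: "Password123" scores above the floor yet is still rejected once its substitutions and trailing digits are stripped. Apply the same check to every account the post mentions, administrator and email alike, since the email account is the recovery path for all the others.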


Now you are a little more secure, so improve your chances of being even more secure by subscribing to RobertoAlamos.com by email and RSS. I’m the CTO of a security-focused business, so I know what I’m talking about ;)
