eCommerce Platform Security and Backup: Prevent a Data Breach

What Happens in an eCommerce Data Security Breach

This week we will talk about the website security aspect of eCommerce platforms. I don’t know if you’re aware of this, but systems out there like BigCommerce, Volusion, Shopify, 3dcart, and Miva have their own internal backup processes. However, they don’t have it on a per-store basis. If you have a website or if you have an eCommerce site on Shopify, your store is not individually backed up.

What could happen to your store?

Number one, your template could be screwed up; somebody messes up the template. Number two, one of your staff members might delete a product by mistake or category by mistake. The moment that you delete it from Shopify or any other eCommerce platform, you’re going to have the contact them and say, “Hey, can we do a restore?” It’s a pain in the butt.

Unauthorized Access

Another reason we want to talk about this today is that Volusion’s system got hacked last week. It seems like some credit cards were stolen off Volusion. We believe that Volusion handled this really well. They informed the authorities right away, but it goes to tell you that anybody could be hacked and anybody could be affected by this at any point.

We can talk about 50 other examples of how other people try to hack you. There are JavaScript issues that you have with hosted solutions. Somebody send a bot to your website, trying to order and add to cart and steal credit cards if you have any unsecured JavaScript on your front end pages. Many things could happen.

What happened with Volusion?

Hackers found the hole in the system in version one. They were able to gain access to credit card information and user data. We can’t remember exactly what percentage of users it affected but Volusion caught it pretty quickly and they were able to combat it.

You don’t know how these problems will affect you from a security standpoint. If your JavaScript is hacked or if your website is hacked, you are worried about the operational issues that you might have. You have to continue selling so there’s no load issue, et cetera, but if the platform gets hacked, then obviously the platform needs to resolve this.

In Volusion’s defense, any platform could be hacked. The CIA and FBI are hackable, for example. The issue is how fast you handle the damage control.

How do we ensure that our clients are affected at a minimal level of when something like this happens?

One, I mean, we always make sure that we have proper firewalls in place, whether it be on the server level or on the site level. Then the second thing is we’re always constantly taking backups. If something does happen we want to ensure that we can easily back up not just the entire side as a whole, but also individual products and categories, and we separate it.

Because oftentimes, I might make tons of changes to my site for updates. Then all of a sudden, something happens to my product pages. Now, I need to do an entire site backup, losing all the changes that I originally created just to get my products back.

It’s really important that you have those individual backups, whether you host on Shopify or BigCommerce. Without the data, you lose all the new products, orders, all the new customers.

Access and Information Security

eCommerce owners give access to multiple people. Sometimes the person that you’re giving access to might not know what the hell he or she is doing. This is a problem.

Very few people know this actually, but Optimum7 is a hosting company as well. We host our own web services and this is for all the integrations that we do with BigCommerce, Shopify, Magento, 3dcart, VTEX. All the code, all the infrastructure is hosted on our service, so we could easily get hacked as well if we weren’t careful.

Even if we were careful, a good hacker could say, “I’m going to hack Optimum7,” and break into our system. It’s impossible to be hack-free.

Constantly update your backups, including templates and products. Maintain a firewall and an SSL store configured on your website. If you don’t have either, you’re really, really vulnerable.
Look at the JavaScript codes on your site, the tracking codes, et cetera, et cetera, to see vulnerabilities.

How to Prepare Your Online Store for a Security Breach

Our Security Measures For Clients

In terms of the hosted solutions like BigCommerce, Shopify, Volusion, and 3dcart, we have a daily backup service. We back up your templates, products, customers, and entire database on a daily basis. It’s not an expensive solution. I think it’s better to be safe in these kinds of situations.

If you have any kind of credit card encryption, the third party bank or the third party provider handles all of that so you don’t have to worry about that. Volusion is a PCI-compliant company with the highest level possible, but its systems were hacked.

It doesn’t mean that you avoid hacking. Instead, you will have the backup that you need them regardless of what happens, and this is true for all hosted solutions as well as the open-source solutions. These include Magento, X-card, some versions of PrestaShop, WordPress, and WooCommerce.

Top eCommerce Platforms at Risk: WordPress and WooCommerce

These open-source sites are some of the most vulnerable, easiest to hack because you implement at least 10 plug-ins.

Then you need to update the plug-ins. You don’t have an auto-update. The plug-in owner doesn’t update their software. It’s so easy to get hacked, and we see some banks on WordPress, some financial institutions on WordPress.

What’s the solution there, Joe?

Get off of WordPress. You can’t be on an open-source platform. You need to be on a secured server, a secure hosted solution.

WordPress is great as a CMS, right?

Yes, for lead generation. Nevertheless, if you are an eCommerce site and if you are running WooCommerce we’re saying you should not be on WordPress. The only exception is if you have hard-to-replicate customizations.

A hosted solution would be better and safer. Again, there are pros and cons just like every platform out there. WordPress is a phenomenal CMS. You’re most likely going to get a lot more visibility.

Keeping Customer Data Confidential

If you are dealing with any credit card information, however, that counts as confidential customer knowledge. As the owner, you are liable for this information. If you have a thousand credit cards in your system and they get stolen, Visa, MasterCard, American Express, companies, and the law will find you. Even if one of your employees goes in, exports this somewhat and shares this with somebody else, they will be able to trace it back to you and fine you upwards of half a million dollars in fines.

You could still be on WordPress and utilize their CMS and just have a shop dot or sub-domain that directs you to one of these hosted solutions, or if you’re lucky, potentially subindex the WordPress CMS.

If you are on WordPress and WooCommerce and you still want to remain there, there are some plug-ins that give you these firewalls and different IP banning functionalities. You could also leverage that. With that being said, definitely, you should be backing up your Shopify, BigCommerce, Volusion, Magento. Back this up, regardless of hosted or open source.

Preparing For a Data Security Breach

You need a daily backup of your entire database because if you have this, then you have options. If you don’t have this, you could be out of business in 24 to 48 hours. If your site or if the system that you’re using got hacked or if, God forbid, one of your employees hated you and did something behind your back, definitely start paying attention to this.

This is just like insurance. Nobody wants to pay for online security, but everybody needs to make the investment. We’ll talk to you guys next week.

Has your eCommerce website been hacked?

Want to improve overall website security?

Speak to an Expert