As you may know, there are customers on the internet, but they are not the only ones out there. There are also profiteers, hackers, pirates, and plain opportunists who are ready to take control of your online store and extort money from you in return.
The risks are real for e-retailers: there are many mafias constantly looking for new targets, and they have tools and methods that often go well beyond the skills of most e-retailers.
Moreover, an e-commerce site hack is like a burglary; it's only once you've suffered one that you realize you weren't protected.
To avoid having your e-commerce store hacked, here are some practical tips to improve the security of your e-commerce site. Note that these tips are valid regardless of your e-commerce CMS, open source or SaaS.
Why protect your e-commerce store?
Before we get into the “how to,” let’s quickly see why securing your store is essential.
You are legally responsible for the store, including if it is hacked. This is a legal obligation, which means that customers could take action against you in the event of a hack.
You risk losing money, or even losing everything: your website, your customer base, your brand, etc. The most serious cases can lead to the closure of your business.
If one of your systems is attacked, then it is possible that others will be too: your bank, your computer, etc. Imagine the damage once the hacker is at the heart of your system.
Reputation: In the event of a hack, you are required to inform ALL your customers, whether affected or not, of the scope of the data leak.
Limit the number of administrators with full powers
The observation is simple: the more people who have “full powers” over your online store, the greater the risk that one of those administrators will be hacked, compromised or fall victim to phishing.
The first rule is therefore a separation of powers. We limit the number of administrators and distribute roles to each member of the team according to their needs.
The ideal is to have a single “manager” and to give every other person a role with permissions adjusted as finely as possible.
In "real life," people often have access rights that go far beyond their job scope for reasons of day-to-day convenience. Nothing is more annoying than having to ask the boss for a file or information every two minutes.

However, for sensitive roles like access to customer data, invoicing, payments, and technical modifications, it is necessary to limit the number of people as much as possible. If you are on Shopify Plus, also consider limiting access to each "sub-store" for added security.
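The audit the previous paragraphs describe (one manager, everyone else with only what their job needs, sensitive areas restricted) can be turned into a small script. The example below is added here and is not code from the article or from any store platform; the permission names, the job roles and the per-role baseline are assumptions made for the example, since each CMS has its own permission model.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Permission names and job roles are assumptions made for this example;
# each platform (Shopify, PrestaShop, Magento, ...) has its own list.
ALL_PERMISSIONS: FrozenSet[str] = frozenset({
    "orders", "products", "customers", "billing", "payments",
    "themes", "apps", "settings", "staff",
})

# Baseline: what each job actually needs. Anything beyond this is "convenience"
# access that should be questioned, as the article recommends.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "manager": ALL_PERMISSIONS,
    "customer_service": frozenset({"orders", "customers"}),
    "merchandiser": frozenset({"products"}),
    "accountant": frozenset({"orders", "billing"}),
    "developer": frozenset({"themes", "apps"}),
}


@dataclass(frozen=True)
class StaffAccount:
    email: str
    role: str
    permissions: FrozenSet[str]


def audit_staff(accounts: List[StaffAccount], max_full_access: int = 1) -> dict:
    """Report who holds full powers and who holds more than their role needs."""
    full_access = sorted(a.email for a in accounts if a.permissions >= ALL_PERMISSIONS)
    excess = {}
    for a in accounts:
        baseline = ROLE_BASELINE.get(a.role, frozenset())  # unknown role -> needs nothing
        extra = a.permissions - baseline
        if extra:
            excess[a.email] = sorted(extra)
    return {
        "full_access": full_access,
        "too_many_full_access": len(full_access) > max_full_access,
        "excess": excess,
    }


# Constructed sample staff list (not real accounts).
SAMPLE_STAFF = [
    StaffAccount("alice@example.com", "manager", ALL_PERMISSIONS),
    StaffAccount("bob@example.com", "manager", ALL_PERMISSIONS),       # second full-power admin
    StaffAccount("carol@example.com", "customer_service",
                 frozenset({"orders", "customers", "payments"})),     # "payments" is beyond her role
    StaffAccount("dave@example.com", "merchandiser", frozenset({"products"})),
]

if __name__ == "__main__":
    report = audit_staff(SAMPLE_STAFF)
    print("Full-access accounts:", report["full_access"])
    if report["too_many_full_access"]:
        print("  -> more than one account with full powers; reduce to a single manager")
    for email, extra in report["excess"].items():
        print(f"{email}: permissions beyond role -> {extra}")
```

Run it against an export of your real staff list and you get two things to act on: every account that could do anything at all on the store, and every account whose rights have drifted beyond its job. Re-running it after each staff change keeps the "convenience" creep described above visible.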
Update your site
This advice applies especially to e-commerce merchants using WooCommerce, PrestaShop, or Magento. Another important yet too often neglected element: update your open source store to the latest versions. Yes, with every security update. Yes, it's expensive, but do you have any idea how much a hack costs?
You can read our article “What are the impacts of a hack on an e-commerce site” to get an idea of the risks.
This is the “real” price of open source: having to update plugins and e-commerce solutions regularly. It is often best to have these updates carried out by a web agency specializing in your e-commerce solution. When I think that we still see Magento 1.9 sites online, I understand how hackers manage to break into sites.
On Shopify, there is no need to make updates: the store is secured and updated by Shopify directly, and this is included in the price of the Shopify license.
Enable two-factor authentication
This method is quite simple to implement in many CMS. For Shopify and Bigcommerce, for example, it is included as standard; for other solutions, you may need to use an application or plugin, or even a custom development.

This measure alone is very effective in protecting you from phishing. You'll need your physical phone to access the store even if your password is discovered or stolen.
Manage your merchant site passwords properly
Speaking of passwords, proper password management for your online store is essential. It's the foundation of security, so here are some rules or reminders to help you get back to basics.
We don't share passwords
Yes, in 2024, "don't share your passwords" still has to appear on a list of e-commerce security tips. Do you really need to share one? Use a password-sharing tool like NordPass, Proton, LastPass, 1Password, etc. There are dozens of them.
The best thing to do is not to share a password. Not by email, text message, phone call, or anything at all. DON'T SHARE PASSWORDS.
You can't imagine how many times, as an agency, I've had a client spontaneously offer to give me their login/password because "it will be easier". NO. If an agency accepts, fire them. Especially on Shopify, where partner access management is included in the solution.
If you really must share, create a generic account managing access and rights and never share your administrator account.
Please note that if you work with an agency, you have the right to know who is involved and who has access to the site and to any logins you have shared, if you insist on sharing them (don't).
Have a unique and truly secure password for your e-commerce site
This basic rule is as little known and respected as it is essential. Yes, using the same password on multiple sites is, in many cases, easier for you on a daily basis.
But for your e-commerce site, your bank and two or three other important elements, have a unique and truly secure password.
If possible, use a passphrase: it's very secure and easier to remember.
Surprisingly, “jaimelecassouletdu11!” is a better password than ZjNcFKU32jVT9wx7duLKkpc3. Why? Mainly because you can remember the former, but not the latter, so you’ll have to write it down somewhere.
When we talk about a unique password, it means that it cannot be reused elsewhere.
Therefore, it is forbidden to use “jaimelecassouletdu33!” on another site, or even “jaimelescanelesdu33!” On your e-commerce site, use a truly unique password.
No passwords on post-its
Speaking of writing passwords, you shouldn't write passwords on Post-its. Yes, it's convenient, but no, you shouldn't do it. Use a password management tool if necessary, but Post-its aren't one. Nor are password notebooks—yes, I saw that once.
Change your password regularly
Another piece of advice that may seem generic, or even common sense, is that changing your password on a few important or vulnerable sites is a good idea. The more sensitive and older the site, the more essential it seems.
A less secure, end-of-life Magento 1.9 site should ideally have its password changed every week. Be careful, there's no point in "counting" passwords like "password1" and "password2". That isn't a password change; it's laziness. Really change your password.
A password is private. Keep it to yourself or your browser. To help you come up with ideas, I asked ChatGPT to generate some easy and memorable passwords (don't use them as is!!!).
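The password rules above (long passphrase, unique, not a "counted" or lightly tweaked variant of one already in use) can be enforced mechanically when a password is changed. The example below is added here and is not code from the article; the minimum length of 12 and the edit-distance threshold of 3 are assumptions chosen for the example, and the history passed in stands for passwords already used on this site or on your other accounts.

```python
import re
from typing import List, Sequence

# Thresholds are assumptions for this example, not figures from the article.
MIN_LENGTH = 12          # a sentence-style passphrase easily exceeds this
MAX_EDIT_DISTANCE = 3    # this few edits from an old password = a "counted" variant


def levenshtein(a: str, b: str) -> int:
    """Number of single-character insertions, deletions or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(password: str) -> str:
    """Lower-case and strip digits/punctuation from both ends ('Password1!' -> 'password')."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.casefold())


def is_near_duplicate(new: str, old: str, max_distance: int = MAX_EDIT_DISTANCE) -> bool:
    """True for exact reuse, for 'password1' -> 'password2' style counting, or for a few edits."""
    n, o = new.casefold(), old.casefold()
    if n == o:
        return True
    core = stem(n)
    if core and core == stem(o):          # same core, only the suffix/prefix changed
        return True
    return levenshtein(n, o) <= max_distance


def check_password(new: str, history: Sequence[str]) -> List[str]:
    """Return the rule violations for a proposed password; an empty list means it is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if any(is_near_duplicate(new, old) for old in history):
        problems.append("near_duplicate_of_previous")
    return problems


if __name__ == "__main__":
    # Constructed cases echoing the article: counting, a tweaked passphrase, and a fresh one.
    for candidate, history in [
        ("password2", ["password1"]),
        ("jaimelecassouletdu33!", ["jaimelecassouletdu11!"]),
        ("lescigalesdeprovencechantent!", ["jaimelecassouletdu11!", "password1"]),
    ]:
        print(f"{candidate!r}: {check_password(candidate, history) or 'OK'}")
```

The stem comparison is what catches "password1" to "password2" and "du11!" to "du33!" regardless of how the digits change; the edit distance catches single-letter swaps and case flips. A themed rewrite with different words (a different dish, the same town) passes these mechanical checks, which is exactly why the article asks for a genuinely different password rather than one you feel is different.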

Use an SSL certificate
Among the other solutions to effectively protect and secure your e-commerce site, we can mention SSL certificates. In the past, this recommendation was often number 1. Now that Google requires SSL across the entire site to even exist in search results, many online stores have taken the plunge and switched to SSL. On Shopify it's "automatic", but if that's not the case on your favorite e-commerce solution, it's time to migrate to Shopify, uh sorry, it's time to configure it.
Create backups
Yes, you need backups, and you also need to test that they're working. Regularly. At least once a month would be ideal, but 2 to 4 times a year, if done properly, is more beneficial. Obviously, the more your turnover skyrockets, the more you need to protect your store and perform regular backups.
And no e-commerce solution should be exempt from this. Even on Shopify, which is ultra-secure, you will have to. Why? Because the weak point in the security chain is often between the chair and the keyboard (the human, in other words, for the two at the back who don't get the reference).
Remember to save:
- Your customer base
- Your product base
- Your order base
- Your theme
Ideally, you need all the elements to get back on track quickly.
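"Test that they're working" is the part most stores skip. The example below is added here and is not code from the article or from any e-commerce platform: it writes the four datasets listed above into a backup folder with a manifest of hashes and record counts, then verifies a backup is complete, recent, untampered and still loadable. The JSON file layout, the manifest format and the 31-day freshness limit are assumptions made for the example, and the sample data is constructed.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

# The four datasets the article says to back up. File names, the JSON layout
# and the manifest format are assumptions made for this example.
REQUIRED_DATASETS = ("customers", "products", "orders", "theme")
MANIFEST = "manifest.json"


def write_backup(backup_dir, datasets: dict, created_at=None) -> dict:
    """Write each dataset as a JSON file plus a manifest with hashes and record counts."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = int(created_at if created_at is not None else time.time())
    manifest = {"created_at": stamp, "files": {}}
    for name, records in datasets.items():
        data = json.dumps(records).encode()
        path = backup_dir / f"{name}.json"
        path.write_bytes(data)
        manifest["files"][name] = {
            "path": path.name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "records": len(records),
        }
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir, required=REQUIRED_DATASETS, max_age_days=31, now=None) -> list:
    """Return a list of problems; an empty list means the backup is complete, fresh and readable."""
    backup_dir = Path(backup_dir)
    manifest_path = backup_dir / MANIFEST
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    current = now if now is not None else time.time()
    age_days = (current - manifest["created_at"]) / 86400
    if age_days > max_age_days:
        problems.append(f"backup is {age_days:.0f} days old (limit {max_age_days})")
    for name in required:
        entry = manifest["files"].get(name)
        if entry is None:
            problems.append(f"missing dataset: {name}")
            continue
        path = backup_dir / entry["path"]
        if not path.exists():
            problems.append(f"file missing: {entry['path']}")
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"checksum mismatch: {entry['path']}")
        # The "restore test": the export must still parse and hold the expected number of records.
        try:
            records = json.loads(data)
        except ValueError:
            problems.append(f"unreadable export: {entry['path']}")
            continue
        if len(records) != entry["records"]:
            problems.append(f"record count mismatch: {name} has {len(records)}, manifest says {entry['records']}")
    return problems


# Constructed sample data (not a real store export).
SAMPLE_DATASETS = {
    "customers": [{"id": 1, "email": "anna@example.com"}, {"id": 2, "email": "marc@example.com"}],
    "products": [{"sku": "CASS-01", "title": "Cassoulet 800g"}, {"sku": "CANE-06", "title": "Caneles x6"}],
    "orders": [{"id": 1001, "total": 24.9}, {"id": 1002, "total": 12.0}, {"id": 1003, "total": 37.4}],
    "theme": [{"path": "layout/theme.liquid", "content": "<html>...</html>"}],
}
T0 = 1_700_000_000  # fixed "backup time" so the demo is deterministic


def run_demo() -> tuple:
    """Build a backup in a temp dir, then check it fresh, stale, corrupted and incomplete."""
    with tempfile.TemporaryDirectory() as d:
        write_backup(d, SAMPLE_DATASETS, created_at=T0)
        clean = verify_backup(d, now=T0 + 5 * 86400)
        stale = verify_backup(d, now=T0 + 60 * 86400)
        (Path(d) / "orders.json").write_text("[]")      # simulate a truncated export
        corrupted = verify_backup(d, now=T0 + 5 * 86400)
        (Path(d) / "theme.json").unlink()                # simulate a forgotten theme export
        incomplete = verify_backup(d, now=T0 + 5 * 86400)
    return clean, stale, corrupted, incomplete


if __name__ == "__main__":
    for label, result in zip(("clean", "stale", "corrupted", "incomplete"), run_demo()):
        print(f"{label}: {result or 'OK'}")
```

Scheduling `verify_backup` against the latest backup folder (and alerting on a non-empty result) turns "we have backups" into "we have backups that we know restore", which is what you need on the day the human between the chair and the keyboard clicks the wrong link.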
Use a SaaS E-commerce CMS
If security is a priority for you, then you might want to consider switching to a SaaS solution. I know many purists will be against this idea, but you have to look at things realistically.
Choosing a cloud-hosted solution allows you to offload some of the technical responsibility for securing the platform. And given the technical challenges involved, it might not be a bad idea: you'll have more peace of mind and can focus on your e-commerce business.
Be careful, however: not all SaaS platforms are equal, and this does not guarantee total immunity, of course. Security issues can arise on any platform; all it takes is a line of code. The main advantage remains that you are not alone, and it is up to the publisher to propose a patch and deploy it. Their responsibility is at stake; they are in the same boat with you.
Furthermore, using a SaaS platform does not protect you from the main problem: password theft/hacking. So be sure to follow password management rules to avoid any problems and maintain optimal security.
Use a high-performance outsourcing service
If you absolutely want to stay on a hosted open source platform like Magento or PrestaShop for one reason or another, then take security seriously and secure the services of a capable IT service provider.
Outsourcing, here, means delegating the management of your web hosting. A good host is good, but a good “sysadmin” is better. They will secure the server, handle DDoS attacks, manage traffic peaks, redundancy, etc. They are your essential ally as soon as you make a few tens of thousands of euros per month in turnover.
Summary: How to properly protect your e-commerce site?
As we've seen, there are a number of best practices for strengthening the security and protection of your e-commerce site. But of course, the most important thing is to be vigilant, even a bit paranoid. It's hard to imagine the worst, of course, but keeping a watchful eye on security, reviewing processes, conducting tests, and not always aiming for the easy way out can, at the very least, make life much more difficult for a hacker, pirate, or blackmailer.
But even if security is everyone's business, we must also know how to remain humble, and anyone can be caught in a well-executed phishing scam. Proof of this is the numerous "CEO scams" that have been flourishing in France for some time.
And you, what are the best practices that you have put in place to protect your e-commerce?