6 Steps to secure your website


Why secure your e-commerce site? More than 32% of annual cyber attacks target online stores. Six months after an attack, 60% of the affected stores close down…

Credit card fraud, phishing, DDoS attacks, data hacking… E-commerce sites are a prime target for hackers, as they collect your personal and financial data, as well as your customers’.

In case of an attack, you lose not only money but also your buyers’ trust, which hampers the sustainability of your business. Strengthening the security of your e-commerce site is therefore essential. Here are our tips for securing payments, data and your online store in general!

Secure payments on your e-commerce

An online store cannot do without payment technologies. However, they are often the target of cyber attacks or hacking. Payment solutions are therefore the first area in which to strengthen the security of your e-commerce site.

Here’s how to do it:

Enable multi-factor authentication

Multi-factor authentication helps limit hackers’ access to customer and payment information. It requires the customer to log in with more than just a username/email and password.

Typically, the buyer must enter a verification code sent to their email address or via SMS, or answer a security question, as Vinted does.

Even though this procedure adds an extra step in the purchasing process, and potential friction, it allows you to secure your transactions and protect your customer.

The key is to warn the user, informing them that this additional process guarantees the security of their data. They will be more reassured and encouraged to continue with the purchase.

Limit credit card fraud

Credit card fraud occurs when a cybercriminal uses stolen card data to purchase products from your online store. In this case, the shipping and billing addresses are different. You can detect and limit these activities on your store by installing an address verification system (AVS).

AVS ensures that the billing address entered by the customer matches the billing address registered with the card-issuing bank. This protection does not trigger an authentication procedure, but blocks the transaction in case of proven fraud, or creates a surveillance alert if there is any doubt.

Install the 3D Secure authentication protocol

Developed by Visa and Mastercard, the 3D Secure system is a multi-factor authentication protocol that prevents unpaid bills and protects your customers’ banking data.

Before paying for a purchase, the customer is redirected to an authentication page of their bank. Depending on the bank, they will either have to enter a one-time code (received by SMS) or connect to their bank’s mobile application to validate the transaction, all within 5 minutes.

If the customer enters a wrong code, or fails to log in to the app, 3 times in a row, the transaction is blocked.

Advantage of 3D Secure: it can be customized. You can set it up to be activated only above a certain purchase amount. This allows you to reduce the friction that it can cause, especially for small orders.

To reassure your visitors, consider displaying it clearly on the shopping cart page.

Securing personal information

Are you an e-merchant and are you concerned about the security of your customers’ personal and banking data?
You are right: the security of your e-commerce site is essential to protect your customers but also to show that you are a trustworthy company in the eyes of your visitors.

Hackers are always looking for the slightest loophole to steal your customers’ personal data. To secure your e-commerce, especially user information, here are some actions to take:

For better cybersecurity, switch to the HTTPS protocol

The HTTPS protocol allows you to secure your users’ sensitive data. It relies on an SSL/TLS certificate, which encrypts the data exchanged between your servers and your customers’ devices and prevents interception. Without it, hackers can easily access passwords, usernames, credit card numbers and other confidential information.

In addition to providing an extra layer of security, SSL helps make your e-commerce more reliable. The URL of your website displays the padlock symbol, which is a guarantee of security for browsers and Internet users. An element that reassures the most attentive Internet users (and they are more and more numerous)!

HTTPS also protects you from Man-in-the-Middle (MITM) attacks, in which a hacker intercepts the communication between the client and the server. The attacker can then access the transmitted data, spoof the IP identity and take the server’s place.

Demand strong passwords

Requiring your customers to create a strong password to access their account is a simple but effective action to make their data less vulnerable.
Indeed, the stronger a password is, the more difficult it is for a malicious person to crack.
What is a strong password?
The following factors influence the strength of a password:

  • Its length (at least 12 characters recommended);
  • The presence of lower and upper case letters;
  • The presence of numbers;
  • The presence of special characters such as punctuation marks, parentheses, etc.

Preventing SQL injection attacks

An SQL injection attack is used by hackers to collect your customers’ personal data, such as credentials or banking information. They attack your query submission forms to access your backend database. Then they corrupt it with code, collect data and erase their trail.

It can take several months for a company to realize that it has been the victim of an SQL injection.

Here are some best practices to secure your e-commerce against malicious SQL injections:

  • Use parameterized queries
  • Validate your input data against whitelists
  • Opt for an e-commerce platform that hides sensitive user information behind multiple layers of code
  • Enable logs and include Artificial Intelligence agents to detect intrusions
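
The first two practices, shown as an added example that is not part of the original article: a query built by string concatenation next to its parameterized form, plus a whitelist for a sort column, which cannot be passed as a parameter. The table, sample rows and function names are constructed for the illustration.

```python
import sqlite3

# Constructed sample data: an in-memory customer table (not from the article).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, email TEXT, city TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "Lyon"),
        (2, "bob@example.com", "Paris"),
        (3, "carol@example.com", "Lille"),
    ])
    return db

def find_unsafe(db, email):
    # BEFORE: form input is pasted into the SQL text, so it can change the query.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def find_safe(db, email):
    # AFTER: the value is bound as a parameter; it is only ever treated as data.
    return db.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()

# Identifiers (column names, sort direction) cannot be bound as parameters,
# so they are checked against a whitelist before reaching the SQL text.
SORTABLE = {"id", "email", "city"}

def list_sorted(db, column, descending=False):
    if column not in SORTABLE:
        raise ValueError("sort column not allowed: %r" % column)
    direction = "DESC" if descending else "ASC"
    return db.execute(
        "SELECT id, email FROM customers ORDER BY %s %s" % (column, direction)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "nobody@example.com' OR '1'='1"    # constructed test input
    print("unsafe:", find_unsafe(db, hostile))   # every row comes back
    print("safe:  ", find_safe(db, hostile))     # no row matches
    print(list_sorted(db, "email", descending=True))
```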

Avoid cross-site scripting with CSP

Cross-site scripting consists of injecting malicious JavaScript code into your online store to target your visitors and customers. This code can access cookies, modify visited pages and steal information.

To prevent such attacks, implement a Content Security Policy (CSP) in your site header. It allows you to detect and mitigate attacks like Cross Site Scripting (XSS) and data injection attacks.

To implement a CSP to secure your e-commerce site, edit the .htaccess file and include the following line of code:
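
An added example of such a configuration, not taken from the original article. It assumes Apache with mod_headers enabled, and https://pay.example is a placeholder for your payment provider’s origin.

```apache
# .htaccess (requires mod_headers). Constructed example policy:
# https://pay.example is a placeholder, replace it with your provider's origin.
<IfModule mod_headers.c>
    # Trial run: the browser reports violations but blocks nothing.
    # Header always set Content-Security-Policy-Report-Only "default-src 'self'"

    # Enforced policy: content from the site itself only, frames only from the
    # payment provider, no plugins, and no embedding of the store by other sites.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; frame-src https://pay.example; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
</IfModule>
```

A policy this strict blocks inline scripts and third-party widgets, so start with the Report-Only variant and tighten the enforced policy once the reports are clean.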

Secure your e-commerce site against web skimming

Web skimming is a form of attack similar to XSS, but which targets only the payment card processing protocol. The injected code, called “Magecart”, steals personal data such as login credentials, credit card information and account numbers.

Currently, it is impossible for customers to detect if a website is compromised, as the malicious script blends into the payment page and shows no signs. The compromised site looks normal to the Internet users.

To protect your e-commerce site from this attack, it is recommended to:

  • Regularly update your security tools, plugins and software.
  • Deploy anti-malware software.
  • Change the default login credentials on all systems (the famous “admin” of WordPress, for example).
  • Separate and segment network systems to limit the ability to switch between them.
  • Regularly check JavaScript code on sensitive e-commerce pages for changes.
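
One way to automate the last check, as an added example that is not part of the original article: hash every external script a sensitive page loads and compare the result with a reviewed baseline. The page markup, script contents and the `fetch` callable are constructed for the illustration; in practice `fetch` would download the script or read it from disk.

```python
import hashlib
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def script_sources(html: str) -> list:
    """Return the src of every external <script> tag, in page order."""
    return re.findall(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', html, re.I)

def snapshot(html: str, fetch) -> dict:
    """Map each script URL on the page to the SHA-256 of its content.
    `fetch` is any callable returning the script bytes for a URL."""
    return {src: sha256_hex(fetch(src)) for src in script_sources(html)}

def compare(baseline: dict, current: dict) -> dict:
    """Report scripts added, removed or modified since the reviewed baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(s for s in current
                           if s in baseline and current[s] != baseline[s]),
    }

# Constructed sample data: the checkout page as reviewed, and as served later.
REVIEWED_HTML = ('<script src="/js/cart.js"></script>'
                 '<script src="/js/pay.js"></script>')
REVIEWED_FILES = {"/js/cart.js": b"function cart(){}",
                  "/js/pay.js": b"function pay(){}"}
LATER_HTML = REVIEWED_HTML + '<script src="https://cdn.example/stats.js"></script>'
LATER_FILES = {"/js/cart.js": b"function cart(){}",
               "/js/pay.js": b"function pay(){ /* edited */ }",
               "https://cdn.example/stats.js": b"function stats(){}"}

def demo() -> dict:
    baseline = snapshot(REVIEWED_HTML, REVIEWED_FILES.__getitem__)
    current = snapshot(LATER_HTML, LATER_FILES.__getitem__)
    return compare(baseline, current)

if __name__ == "__main__":
    # Any non-empty list means the page needs a fresh review.
    print(demo())
```

This covers external scripts only; to catch inline `<script>` blocks as well, hash the page HTML itself alongside the script files.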

Update your site and your software

All software and applications are regularly updated, especially to close security holes.
If your site and the tools you use are outdated, you run a real risk of hacking and you threaten the personal data of your customers.
In this regard, we recommend that you read our tips for updating your WordPress site.

Be PCI DSS compliant

The PCI DSS standard was created by the major payment card companies (Visa, Mastercard, etc.) to secure online payments and banking data. The standard emphasizes different points:

  • Ensure network security;
  • Protect credit card data;
  • Manage vulnerabilities;
  • Implement strict access control measures;
  • Monitor and test networks;
  • Implement an information security policy.

Any company that processes or stores payment card data must comply with this policy.
You can view the latest version of the standard online to learn more about its guidelines.

By applying these 7 tips, you will be able to better guard against the dangers of the web and protect your customers’ data.

Use cybersecurity plugins

Whether it’s to analyze your e-commerce site, detect XSS attacks, avoid web skimming or protect yourself against brute force attacks, plugins exist for WordPress, Joomla or Prestashop. Let’s take a look at the essential extensions to secure your e-commerce!

RS Firewall, a firewall for your e-commerce security

If your online store runs on Joomla or WordPress, RSFirewall is a plugin you can rely on. It scans your e-commerce for any malware, prevents brute force attacks, locates and removes dangerous files in real time.

In Prestashop, you will find the Defender module which offers the same features.

BadBot Protection, the plugin to block bad bots

Some hackers, sometimes working for the competition, develop special bots to explore your e-commerce site in search of information about stocks, prices, content… These bots can also deliberately hinder the performance of your merchant site, inject automatic spam codes or spot security flaws.

With the Joomla BadBot Protection plugin, you can detect and block these bots quickly. On the WordPress side, there is an equivalent extension called Stop Bad Bots.

Wordfence Security, the all-in-one plugin to secure your e-commerce site

Wordfence Security is a popular plugin for WordPress users. Very complete, this firewall regularly scans your online store to identify and block malware. It also has a spam filter and protection against brute force attacks.

There is a similar extension for Prestashop, named Security Pro.

Hide My WP Ghost against SQL injection and XSS attacks

Hide My WP Ghost works like an intrusion detector and notifies you as soon as a threat is detected. You also get the attacker’s IP address, username and the date of the attack.

Furthermore, the plugin adds security layers to your e-commerce to prevent malicious script injection and brute force attacks.

Make your customers aware of phishing attacks

One of the ways to secure your e-commerce site is to make your customers aware of phishing. This practice, which consists in sending fraudulent emails supposedly coming from your store, can quickly deteriorate your reputation and the trust in your site.

Whenever possible, launch an awareness campaign and:

  • Inform your customers of the tone and style used in your emails
  • Remind them of the situations in which you send emails
  • Educate them on the types of links they should never click on and the types of information you will never ask for
  • Provide an address to contact in case of doubt

Also, ask your customers to strengthen the security of their passwords by using phrases instead of simplistic terms or anniversary dates.

Banks are regularly victims of phishing. To raise awareness, they do not hesitate to talk openly about it on the homepage of their website.

This best practice can be used to secure your e-commerce site.

Create frequent backups

Finally, make sure you back up your critical data frequently. If your e-commerce site is hacked or targeted by hackers, you will be able to put it back online quickly, without losing data.

Be aware that most web hosts offer automatic and regular backups. Check if yours has this option. You can also make them manually via FTP, or use a plugin. Several backups are always better than one!

Our tip to secure your e-commerce site

Securing your e-commerce site is essential to reassure your customers and ensure the sustainability of your business.
