Optimizing Security On Ecommerce Websites

The global ecommerce market is growing by roughly $500 billion a year, as companies and consumers increasingly look to the web for goods and services. In 2017, this market was worth $2.29 trillion, while 2018’s figure should reach $2.75 trillion. And though Amazon remains by far the biggest ecommerce provider, there are plenty of other global brands whose annual online sales are measured in billions of dollars.

Securing customers and your website

Ecommerce may well have been even more successful by now had the public felt less concerned about the sanctity of personal information. Regular press stories of data thefts and database hacks have made people wary about handing over financial data, and the internet is still associated with security problems like phishing scams and cloned websites. To overcome these legitimate concerns, retailers have to ensure their ecommerce security is watertight. It should also be beyond the reach of most cyber criminals, who will usually gravitate towards easier targets.
Whether your ecommerce site is run through WordPress or hosted on a server in your home office, there’s always scope to improve ecommerce security. These are our tips and recommendations for ensuring customers feel safe when giving you their custom…

Learn from the market leaders

A good way to start improving security on your own website is to consider which sites you use, and why they’re reassuring. Despite being the undisputed ecommerce market leader, Amazon has yet to be named in any major data hacks or phishing scams. Its website uses cookies to remember new clients, and even the homepage is https. Google’s superior ranking for https websites reflects the benefits of a fully encrypted platform, with fewer browser warnings triggered by external resources like JavaScript codes. This unbreachable link between host server and recipient device prevents data theft during transactions.
Other online retailers and service providers have their own protocols that your company could learn from. Financial service firms typically require two factor authentication to log in, making unlawful account access far more difficult. Many retailers send their notification emails from no-reply email addresses, with order numbers and customer names prominently displayed to ensure authenticity.
Technology has its part to play, too. Hacker protection software like firewalls will scan for malware, preventing brute force attacks on your databases and servers. Automated data backup tools can be valuable if the worst happens and your site is compromised, enabling a rapid return to operational duties with minimal disruption. Manually rebuilding customer information databases and product inventories may be impossible.

Use free tools and techniques

While the suggestions in the last paragraph are all worth every cent, it’s easy to overlook free ways to improve ecommerce security. People might assume that making a website secure by encrypting any communications with clients would be expensive. Yet WestHost includes SSL verification in every hosting package, at no extra cost. It costs nothing to conduct site administration through a secure connection, rather than using an open wifi network in public spaces like cafés. Resetting default administrator credentials is another cost-free way to boost site security, alongside logging multiple failed login attempts.
Quick tests often reveal flaws on your site, such as loading and using it on outdated browsers to see if they perform effectively. Another free security test involves entering an apostrophe into a form field and seeing which errors are generated. This may reveal SQL injection vulnerabilities, which is one of the most common ecommerce attack methods. Regular web searches might reveal industry trends that you can prevent on your own site, or identify weaknesses like cross-site-scripting vulnerabilities. There are even tools that will do this for you, such as Symantec’s Web Security package.

Simplify checkouts

Many issues and vulnerabilities arise at the checkout stage due to poor site construction or design. Some sites effectively trap people at the payment portal by refusing to let them return to the homepage or product pages. It can also be difficult to discern how far through the payment process you are without page numbers or on-screen prompts. Make it very clear which fields are compulsory (and which aren’t) to avoid page reloads. Always ask for the CVV code on credit or debit cards too, to reduce the risk of remote fraud.
These are other popular ways to streamline and simplify the buying process:

  • Offer a two-field login for returning customers, allowing everyone else to check out as a guest and register later once they’ve entered a robust password.
  • Ensure any logos for security credentials like VeriSign or Verified by Visa are prominently displayed.
  • Have a “Need help?” button on every screen of the checkout process, which is immediately responded to if anyone clicks it.
  • Do everything possible to minimize the time between clicking “Buy now” and the browser displaying a message concluding the transaction.
  • Ensure confirmation messages are instantly dispatched by email or text.
  • Allow customers to securely return to the homepage if they wish to continue shopping.

Manage WordPress sites effectively

WordPress is the world’s most popular content management system. However, that also means it’s uniquely susceptible to hacking and spamming. The wp-config.php file is frequently targeted since it hosts usernames and passwords, while /etc/passwd/ is also a common target for obvious reasons.
The custom nature of any WordPress install means there are numerous free plugins ready to take charge of ecommerce security. These are some of the best free plugins presently available through the WordPress.org plugin directory:

#1. Sucuri Scanner

A variety of buttons enable webmasters to harden their site’s security with a few mouse clicks. Sucuri also offers blacklist monitoring and malware scans.

#2. Bulletproof Security

A one-click setup installs a comprehensive assortment of tools from login security and idle session logouts to DB backups and cookie expiration.

#3. Wordfence Security

With an average rating of 4.8 out of 5, Wordfence’s acclaimed open source security features include firewalls, configurable alerts and recovery tools.

#4. All In One WP Security & Firewall

Doing everything its title promises, this highly rated package offers a simple grading system to identify remaining areas of weakness.

#5. iThemes Security

Formerly known as Better WP Security, iThemes offers thirty ways to secure a site. Key tools include 2FA, password expiration and daily malware scans.
It’s essential to keep any WordPress platforms and plugins regularly updated, particularly ecommerce ones. Equally, replace plugins that are no longer supported since they could provide a gateway onto your site for nefarious individuals.

Publish a privacy policy

Finally, upload a concise privacy policy onto your website, with an effective start date. It needs to outline what information you’ll collect, why you need it and how it’ll be used. Explain how cookies are used across the site, and clarify what you will (and won’t) do with customer information. Use positive language like “to improve the site” rather than being negative or fearful – there’s more than enough scaremongering and media hysteria about online security already.
There are huge fines for companies who allow financial data to be stolen, so it’s often best for smaller firms to avoid retaining payment information at all. Without card or bank data on your servers or databases, the most a hacker will obtain is customer login credentials. If storing this information is important or necessary to your operations, outsource it to a third party payment service like PayPal or Braintree. These firms have the military-grade security systems to keep hackers out, and some even support repeat orders and subscription models.