Securing Your Store

Introduction

Now that you are an actual business owner, you really can't afford to have your site get hacked. After all, it's not just you they're messing with anymore: you are responsible for protecting other people's information, your customers' personal details and payment data included (sucks being an adult, doesn't it?). If your site gets hacked, your e-commerce reputation can be seriously damaged and people won't buy from you any more. Your store will go out of business. You will be destitute, thrown out on the streets, an outcast to all... ok, maybe we are exaggerating a wee bit. But seriously, you do not want your store to be hacked.

Luckily, there are steps you can take to prevent this!

Get an SSL Certificate

Depending on your payment gateway, you may not technically need an SSL certificate, but we STRONGLY recommend you get one anyway, from your hosting company or directly from a certificate authority. An SSL certificate is a digital certificate that lets visiting browsers verify the identity of your web site and encrypts the traffic between the visitor and your server (the protocol is now TLS, the successor of Secure Sockets Layer, but the name "SSL certificate" has stuck). Be clear about what it does and does not do: it protects logins, session cookies and order details while they travel over the network, so nobody on the customer's wifi or in between can read or alter them. It does nothing against a vulnerable plugin, a weak password or a server that is already compromised, so it is one layer of protection, not a fortress. Depending on your hosting company, a standard certificate (which is all you need) will probably run you around $30 a year, and some hosts and certificate authorities now issue them free of charge.

Once the certificate is installed, you will want to make sure your site knows it is now secure. To do this, go to Store > Settings > Admin and change all of the URL settings to use "https" instead of "http". Then load the login and checkout pages over https and check that the browser shows no warnings: a page served over https that pulls in a script or stylesheet over plain http ("mixed content") gives the browser a reason to warn the customer and gives an attacker on the network a way back in.

Be Password Savvy

Some vulnerabilities can be avoided by good security habits, and passwords are an important part of that. Do not use your own name as your password, do not use a dictionary word (from any language), and do not use a short string of digits such as a 4-digit PIN. Your goal is to make the search space as large as possible. Length matters most; mixing in numbers, punctuation and varied capitalization makes brute forcing harder still, and a long passphrase of several unrelated words beats a short "complex" password. This is particularly important if you do not rename the administrator account, because then half the puzzle is already solved for attackers: they know which username gives significant privileges to edit files and the database, and only the password is left to guess. The Automatic Password Generator can be helpful in generating reasonably complex passwords, and a password manager will remember them for you. Also limit how many guesses an attacker gets: WordPress does not throttle login attempts by itself, so a plugin or web-server rule that locks out an address after a handful of failures is worth adding.
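
The rules above, applied by a small checker. This is an added example written for this page, not code from the store software or from any WordPress plugin. The word list is a constructed stand-in for a real dictionary, the character-class sizes are the usual printable-ASCII counts, and the guess rate is an assumed figure for an offline cracking rig; the point it makes is that the search-space estimate grows faster with length than with character variety.

```python
import math
import re

# Constructed stand-in for a real wordlist. Assumption: a production check loads a
# large multi-language dictionary and a leaked-password list instead of this set.
COMMON_WORDS = {
    "password", "admin", "welcome", "store", "shop", "secret",
    "letmein", "qwerty", "dragon", "monkey", "contraseña", "passwort",
}

# Character classes and the alphabet size each one adds to the search space.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation (approximation)
]


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space, alphabet ** length.

    This is an upper bound: dictionary words and keyboard patterns shrink the
    space an attacker actually has to search."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def policy_violations(password: str, account_name: str = "") -> list:
    """Apply the rules from the section above. Returns the rules that failed."""
    problems = []
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        problems.append("contains the account or user name")
    if lowered in COMMON_WORDS:
        problems.append("is a dictionary word")
    if re.fullmatch(r"[0-9]{1,8}", password):
        problems.append("is a short all-digit string")
    if len(password) < 12:
        problems.append("is shorter than 12 characters")
    return problems


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the space at an assumed offline cracking rate
    (1e10 guesses/s is a constructed figure standing in for a GPU rig)."""
    return 2 ** search_space_bits(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ["admin", "1234", "Tr0ub4dor&3", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"{crack_time_seconds(candidate):.3g} s to exhaust, "
              f"violations={policy_violations(candidate, 'admin')}")
```

Run it and compare the last two candidates: the 11-character password with four character classes scores roughly 72 bits, the 28-character lower-case passphrase roughly 165, which is why the advice is "longer" before "weirder".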

Hide Your Plugins

Be sure to hide anything that gives away which WordPress plugins you are using and which versions. It is easy for attackers to look up known vulnerabilities in older plugin versions once they can see what is running on your site. Start by disabling directory listings, so that browsing to /wp-content/plugins/ does not print the list of everything installed: add blank index.html files to directories you want to protect, or add this to your .htaccess file: Options All -Indexes
Treat this as a speed bump rather than a wall. Every plugin's readme.txt is still readable at its normal URL, and the HTML of your own pages links to plugin stylesheets and scripts with a ?ver= parameter that states the version. The real fix is the "Updates" section below: a current plugin has no known hole to find.
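
To see how much a page gives away even with directory listings switched off, here is an added example (not code from this store software or from any plugin) that extracts plugin, theme and core versions from a page the way a scanner would. The HTML is constructed for the example, and the plugin slugs and version numbers in it are illustrative, not findings about any real plugin release.

```python
import re

# Constructed sample of the HTML a visitor (or an attacker) receives from a
# store's front page. Plugin slugs, theme name and version numbers are
# illustrative, not findings about any real site or plugin release.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 4.1" />
<link rel='stylesheet' href='https://shop.example/wp-content/plugins/wp-e-commerce/wpsc-theme/wpsc-default.css?ver=3.8.9' type='text/css' />
<script src='https://shop.example/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.2.1'></script>
<script src='https://shop.example/wp-includes/js/jquery/jquery.js?ver=1.11.1'></script>
<link rel='stylesheet' href='/wp-content/themes/storefront/style.css?ver=1.0.3' />
<script src='/wp-content/plugins/some-gallery/js/gallery.js'></script>
"""

# Asset URL: /wp-content/(plugins|themes)/<slug>/...[?ver=<version>] up to the closing quote.
ASSET_RE = re.compile(
    r"/wp-content/(plugins|themes)/([A-Za-z0-9_-]+)/[^\s'\"]*?(?:\?ver=([0-9][0-9.]*))?['\"]"
)
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([0-9.]+)"')


def fingerprint(html: str) -> dict:
    """What one page load reveals, with directory listings already disabled.

    Returns {"core": version or None, "plugins": {slug: version or None},
    "themes": {slug: version or None}}."""
    found = {"core": None, "plugins": {}, "themes": {}}
    m = GENERATOR_RE.search(html)
    if m:
        found["core"] = m.group(1)
    for kind, slug, version in ASSET_RE.findall(html):
        # first version seen wins; an asset without ?ver still reveals the slug
        found[kind].setdefault(slug, version or None)
    return found


if __name__ == "__main__":
    for kind, items in fingerprint(SAMPLE_HTML).items():
        print(kind, items)
```

Run the same function against your own store's front page source and you will see what an index.html in the plugins directory does not hide. Removing the generator tag and the ?ver= parameters reduces the leak, but the slugs in the asset paths remain, which is why keeping the plugins current matters more than hiding them.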

Note: Before making ANY CHANGES to your .htaccess file, save a copy of it so you can put it back if something breaks. The .htaccess file is powerful and unforgiving: one mistyped line and Apache answers every request to your site with a 500 error until you fix it.

Install Security Plugins

WP Security Scan Plugin – scans your WordPress installation for common configuration weaknesses and helps tremendously when it comes to protecting it. However, a scanner only reports what it knows to look for: you still need to maintain good passwords, check plugins and themes before installing them, and keep good backups of your files and database in the event that you do get hacked.

Admin-SSL plugin – If you have an SSL certificate (which we STRONGLY recommend) you can force the login and admin pages onto https and keep the important WordPress cookies from ever being sent in the clear using this plugin. It works with both Private and Shared SSL. Current WordPress versions build the same behaviour into core through the FORCE_SSL_ADMIN setting in wp-config.php, so check whether you still need the plugin before installing it.

Security Through Obscurity

Rename the WordPress administrative account. The default "admin" username is the first thing a brute-force script tries, so giving it a different name costs the attacker one more unknown. You can do this in the MySQL command-line client with a command like

update tableprefix_users set user_login='newuser' where user_login='admin';

(replace tableprefix_ with your actual table prefix, which is wp_ by default), or you can do it using a MySQL frontend like phpMyAdmin. Two caveats. First, the user_nicename column, which appears in author URLs, still says "admin" after this change, so update it too or the new login is easy to guess. Second, as the heading says, this is obscurity: it slows down scripts that only try "admin", it does not stop someone who has found your username elsewhere, and it is no substitute for a strong password.

Updates, Updates, Updates

Keep your WordPress install, your theme and all of your plugins updated. Sites are routinely compromised through a published vulnerability that an update had already fixed, so applying updates promptly closes exactly the holes attackers are scanning for. Take a backup first (see below), apply the update, then click through checkout and the admin pages to confirm nothing broke. Also remove plugins and themes you no longer use: a deactivated plugin's files are still on the server and can still be reached and exploited.

Restrict Admin Access

If you're a single-person shop, consider restricting your wp-admin directory to your own IP address. Make sure your IP address is static before doing this, or you will lock yourself out and need FTP or your hosting control panel to edit the file again. Edit (or create) the .htaccess file in your wp-admin directory and add:

Order deny,allow

Deny from all

# Replace with your IP address

Allow from 111.111.111.111

The comment must sit on its own line: Apache does not treat a # in the middle of a directive as a comment. With Order deny,allow the Deny rule is evaluated first and the Allow rule overrides it, so only the listed address gets through. These are Apache 2.2 directives; on Apache 2.4 the equivalent is a single Require ip directive with your address. One caveat: wp-admin/admin-ajax.php is called by the public side of many themes and plugins (shopping-cart updates included), so if the front end breaks after this change, add an exception that lets everyone reach that one file.

Logging

It is possible to log all $_POST variables sent to WordPress, which is what you want when reconstructing how a login form or a plugin was abused. Standard Apache access logs record only the method, URL, status and size of each request, not the request body, so they offer limited help with security forensics. Two caveats if you do log request bodies: they will contain your customers' passwords and possibly card numbers, so the log must be protected at least as carefully as the database and scrubbed of those fields; and keep it somewhere the web server user cannot delete or rewrite, since cleaning up the logs is the first thing an intruder does.

ModSecurity – a web application firewall module that logs and blocks requests inside Apache

Postlogger – a plugin that logs from within WordPress
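
Even the standard access log is enough to spot the most common attack on a store, a password-guessing run against wp-login.php. The following is an added example written for this page, not part of the store software or of either tool above: it parses combined-format log lines and flags any source address with a burst of failed login POSTs, noting whether a login succeeded afterwards. The log lines are constructed, the addresses are documentation ranges, and the example assumes a failed login re-displays the form with status 200 while a success redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines (not real traffic; 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges). Assumption: a failed wp-login.php
# POST re-displays the form with status 200, a successful one redirects with 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line: str):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def find_login_attacks(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with `threshold` failed login POSTs inside `window`.

    Returns {ip: (total_failures, logged_in_afterwards)}. A True second value
    means a 302 followed the burst: treat that as a probable successful guess."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            posts[e["ip"]].append((e["ts"], e["status"]))

    hits = {}
    for ip, events in posts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        # sliding window over failure timestamps: if the i-th and the
        # (i+threshold-1)-th failure fall within `window`, that span holds
        # `threshold` failures
        for i in range(len(failures) - threshold + 1):
            last = failures[i + threshold - 1]
            if last - failures[i] <= window:
                succeeded = any(status == 302 and ts >= last for ts, status in events)
                hits[ip] = (len(failures), succeeded)
                break
    return hits


if __name__ == "__main__":
    for ip, (count, logged_in) in find_login_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins"
              + (", followed by a successful login" if logged_in else ""))
```

Point it at a real access log and a flagged address that also shows a 302 is the one to investigate first: check which account logged in, change its password, and look for new users and modified files from that time onward. A lockout rule on the web server or a login-limiting plugin turns the same detection into prevention.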

Read the Following Articles

Security and Hacking: Protect Thyself and Thy WordPress Blog

10 Steps To Protect The Admin Area In WordPress

Hardening WordPress

For Goodness’ Sake BACKUP EVERYTHING

Back up your data regularly, including your MySQL database, and test that you can actually restore from the backup: an untested backup is a hope, not a plan. Data integrity is critical for trusted backups, because an attacker who can modify your site can usually modify backups stored next to it. Encrypting the backup, keeping an independent record of a hash of each backup file (use SHA-256; MD5 is obsolete for this because collisions can be manufactured), and/or placing backups on write-once media (such as CD-R) or on a separate system the web server cannot write to increases your confidence that your data has not been tampered with.
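
An added example of the integrity record described above, written for this page and not part of the store software: it hashes every file in a backup directory with SHA-256 and seals the list with an HMAC under a key that is kept off the web host, so an attacker who edits a backup cannot simply recompute the hashes. The backup files and the key in the demo are constructed; in practice the manifest and key live on the machine that verifies, not on the server being backed up.

```python
import hashlib
import hmac
import os
import tempfile

MANIFEST_TAG = "# hmac-sha256 "


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a multi-gigabyte dump need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir: str, key: bytes) -> str:
    """One 'digest  filename' line per file, sealed with an HMAC under `key`.

    A plain hash list can be recomputed by whoever altered the backup; the HMAC
    cannot, as long as `key` is stored off the web host (as the manifest should be)."""
    lines = []
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            lines.append(f"{sha256_file(path)}  {name}")
    body = "\n".join(lines)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n" + MANIFEST_TAG + tag + "\n"


def verify_manifest(backup_dir: str, manifest: str, key: bytes):
    """Return (manifest_authentic, {filename: 'ok' | 'modified' | 'missing'})."""
    lines = manifest.rstrip("\n").split("\n")
    body, tag_line = "\n".join(lines[:-1]), lines[-1]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    authentic = tag_line.startswith(MANIFEST_TAG) and hmac.compare_digest(
        tag_line[len(MANIFEST_TAG):], expected)
    results = {}
    for line in lines[:-1]:
        if not line:
            continue
        digest, name = line.split("  ", 1)
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) != digest:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return authentic, results


def demo() -> dict:
    """Self-contained run on constructed backup files: seal, tamper, re-verify."""
    key = b"constructed demo key; the real one lives off the web host"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "store-db.sql"), "w") as f:
            f.write("INSERT INTO wp_options VALUES (1, 'siteurl', 'https://shop.example');\n")
        with open(os.path.join(d, "wp-content.tar.gz"), "wb") as f:
            f.write(b"\x1f\x8b" + b"constructed archive bytes")
        manifest = build_manifest(d, key)
        clean = verify_manifest(d, manifest, key)

        # Simulated tampering: a backdoor user appended to the SQL dump.
        with open(os.path.join(d, "store-db.sql"), "a") as f:
            f.write("INSERT INTO wp_users (user_login) VALUES ('backdoor');\n")
        tampered = verify_manifest(d, manifest, key)

        # An attacker without the key cannot re-seal a manifest for the edited files.
        forged = build_manifest(d, b"wrong key")
        forged_authentic, _ = verify_manifest(d, forged, key)
    return {"clean": clean, "tampered": tampered, "forged_authentic": forged_authentic}


if __name__ == "__main__":
    print(demo())
```

Run build_manifest on the machine that receives the backups and store its output alongside them; run verify_manifest before every restore. A file reported as "modified" with an authentic manifest means the backup changed after it was sealed, and a manifest that fails the HMAC check means someone rewrote the record itself.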