Basics - Security
Having an SSL certificate
You need an SSL certificate; it’s part of running an online store. It doesn’t matter that you don’t do onsite credit card collection; you still need an SSL certificate. Search engines will penalize you if you don’t have one.
Don’t let this be you!
Secure File Transfer
Do not use plain FTP to access your server’s files.
Although this was a common way to do it back in 2003, it is no longer a good practice, since it is not secure.
Some secure options are:
- FTPS
- SFTP
- Require explicit FTP over TLS
Availability of these specific options is hoster-dependent, but at least one of them should be available.
If your hosting company does not offer some mechanism for secure file transfer, then they are most likely not PCI Compliant either, and you should be choosing a different hosting company who takes security seriously.
Secure access to your Admin
Be sure your admin/includes/configure.php file has all URL settings using https. This includes HTTP_SERVER, HTTP_CATALOG_SERVER and HTTPS_CATALOG_SERVER, and if it exists, HTTPS_SERVER.
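A quick way to verify this is to parse the define() lines in configure.php and flag any of those constants that is missing or does not start with https://. The script below is an added example, not part of Zen Cart or this guide; the configure.php fragment it scans is constructed for illustration, and it assumes the usual define('NAME', 'value'); layout of that file.

```python
import re
from typing import Dict, List

# Constants this guide says must use https in admin/includes/configure.php.
# HTTPS_SERVER exists only in some versions, so it is checked only when defined.
REQUIRED_HTTPS = ("HTTP_SERVER", "HTTP_CATALOG_SERVER", "HTTPS_CATALOG_SERVER")
OPTIONAL_HTTPS = ("HTTPS_SERVER",)

# Matches PHP lines such as: define('HTTP_SERVER', 'https://www.example.com');
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)"""
)


def parse_defines(php_source: str) -> Dict[str, str]:
    """Return a name -> value map of the string constants defined in the PHP source."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(php_source)}


def find_insecure_urls(php_source: str) -> List[str]:
    """Return one finding per URL constant that is missing or not using https."""
    defines = parse_defines(php_source)
    findings = []
    for name in REQUIRED_HTTPS:
        if name not in defines:
            findings.append(f"{name}: not defined")
        elif not defines[name].lower().startswith("https://"):
            findings.append(f"{name}: {defines[name]!r} is not https")
    for name in OPTIONAL_HTTPS:
        if name in defines and not defines[name].lower().startswith("https://"):
            findings.append(f"{name}: {defines[name]!r} is not https")
    return findings


# Constructed sample configure.php fragment with one http:// setting left in.
SAMPLE_CONFIGURE_PHP = """<?php
define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://www.example.com');
define('HTTP_CATALOG_SERVER', 'https://www.example.com');
define('HTTPS_CATALOG_SERVER', 'https://www.example.com');
define('DIR_WS_CATALOG', '/');
"""

if __name__ == "__main__":
    # To check a real install, read admin/includes/configure.php into a string instead.
    for finding in find_insecure_urls(SAMPLE_CONFIGURE_PHP) or ["All URL settings use https."]:
        print(finding)
```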
Use an admin username other than admin (or nimda). Make it hard to guess.
Want more security? Secure access to your admin URL using a .htaccess file that limits access to specific IP Addresses. (You may need to work with your hoster to figure out how to do this).
Want even more security? In Zen Cart 2.1.0, two factor authentication is introduced, protecting your admin even more. See Multi-factor authentication in Zen Cart.
Secure cPanel Access
Just because you run an SSL on your site doesn’t mean your cPanel access is secure. Look for the padlock in your browser’s address bar, and tell your hoster to fix it if it’s not there!
Don’t let this be you!
Secure Passwords
Make them hard to guess! Passwords like “ABC123” or “P@ssw0rd” are not hard enough to guess. Bad guys will try weak passwords, and if you use one, they will get access to your site. Use a random combination of letters, numbers and symbols which is at least 8 characters long.
You Should Probably Change Your Password
“But it’s hard to remember all these passwords!” Yes, I know. That’s why there are Password Managers.
Use a Password Manager
Don’t rely on your memory or some Post-It notes for password storage. Use a proper password manager, and use the password generation functions that it has to keep your passwords hard to guess.
There are many password managers on the market, and many have free tiers; here are a few:
Use different passwords for each site
Don’t reuse passwords! Now that you have a password manager, allow it to generate and store your passwords so that each one can be unique and hard to guess.
Transfer passwords securely
Do not put passwords in an email. This is not a secure practice. If you have to send a password to a developer or co-worker, use a more secure means of transmission:
- Over the telephone using the phonetic alphabet
- Over SMS
- One time link generators like privnote.com or noteshred.com
- Your own password manager’s sharing facility
Scan your own computer regularly
Your own computer is also a potential target for bad guys, and if it gets infected, your website will too. Use anti-virus / anti-malware software and scan regularly.
PCI DSS
PCI DSS is a set of security standards from the credit card industry. If you handle credit cards, you must comply with the PCI rules.
No Manual Card Processing
A long time ago it was acceptable to store credit card information in your database. That time has passed! To be compliant with modern security standards, do not do manual card processing anymore. See migrating away from manual card processing if you need ideas for alternate methods.