A couple of thoughts about the e-commerce security

Recently, I stumbled upon the following question on Quora: “Is an e-commerce website safe?” It’s a broad question, but let’s take a quick look at it. First of all, let’s assume there is no 100% secure solution or website at all. But one can get closer to that mark: some solutions are safer than others.

e-commerce security, Image by Freepik

For example, Shopify. At its core, it’s a pretty secure system. You don’t have to think about your store’s security because the Shopify team handles it, and, in fact, you don’t have much control over it. Again, it’s not 100% secure and there have been some Shopify security incidents, but since it’s a large company and platform, it’s kept as safe as possible. Things are a bit different with **Shopify apps**, for example. There’s much less control over their security: each vendor uses its own infrastructure, and it is the vendor’s team that keeps the code safe. As you understand, the “team” in this case can be a single person or an entire security department of 100 people; it depends on the vendor. The same is true for WordPress + WooCommerce. WP is a pretty safe system itself, but numerous plugins and themes make it vulnerable and error-prone. For example, here’s the official post from the WooCommerce crew about patching a critical vulnerability. There are websites collecting data about security issues on different platforms; you can find them on Google if you wish to see how many security flaws different software has. This, for example, is a brief article about gaining admin access in WordPress using a recent (July 2023) security issue in WordPress. So as you can see, many security threats come from sources that are not controlled by the official teams (and even the official software can contain flaws of its own).

The same applies to custom e-commerce websites written from scratch. The benefit here is that the code is kept private, so outsiders cannot study it for vulnerabilities. But again, control over the code is in the developers’ hands, which is no guarantee that there are no SQL injections or file inclusion flaws, or that user input is handled properly. The difference between custom apps and WordPress is that a custom app can be considered a ‘black box’: it operates somehow and produces results based on its input. The list of security vulnerabilities is pretty big; here’s a small part of OWASP’s Top 10 list:

  • Security Misconfiguration
  • Broken Access Control
  • Insecure Design
  • Server-Side Request Forgery

But of course, it doesn’t mean that you can’t protect your store. The steps and their number vary depending on the platform you’ve chosen, but there are some general methods you can follow. First of all, pick a platform you like, whether it’s Shopify, WooCommerce, Ecwid, or any other. Second, choose the apps or plugins you need. When you have a list of what you want to use, check security websites (for example, CVEdetails) to see if there are any unpatched known vulnerabilities in these plugins/themes/apps. After you’ve checked it and installed the latest versions that have no publicly known issues, make sure to update them periodically and re-check the CVEdetails database (at least twice per month). Also, in the case of WordPress, you can install a couple of plugins to enhance its security, and a firewall if you’re using a VPS server and have access to it.
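As an added example (not part of the original post), here is a small Python audit of the routine described above: an inventory of installed plugins is compared against advisories copied by hand from a database such as CVEdetails, flagging anything that is still on an affected version. Plugin names, versions and CVE ids below are constructed placeholders; the advisory with no fixed release shows the case where updating alone cannot help.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); pads to three parts so '2.3' == '2.3.0'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass
class Advisory:
    plugin: str
    cve: str                  # constructed placeholder, not a real CVE id
    fixed_in: Optional[str]   # None = vendor has published no patched release yet


# Constructed sample inventory and advisories (hypothetical plugin names).
INSTALLED: Dict[str, str] = {
    "shop-gallery": "2.3.1",
    "checkout-helper": "1.0.4",
    "seo-boost": "5.2.0",
}
ADVISORIES: List[Advisory] = [
    Advisory("shop-gallery", "CVE-XXXX-0001", "2.3.2"),    # fix exists, not installed
    Advisory("checkout-helper", "CVE-XXXX-0002", None),    # no fix available
    Advisory("seo-boost", "CVE-XXXX-0003", "5.1.0"),       # already patched
]


def audit(installed: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (plugin, cve, action) for every installed plugin still exposed."""
    findings = []
    for adv in advisories:
        version = installed.get(adv.plugin)
        if version is None:
            continue  # plugin not installed, advisory does not apply
        if adv.fixed_in is None:
            findings.append((adv.plugin, adv.cve, "no fix available: disable or replace"))
        elif parse_version(version) < parse_version(adv.fixed_in):
            findings.append((adv.plugin, adv.cve, f"update to {adv.fixed_in}"))
    return findings


if __name__ == "__main__":
    for plugin, cve, action in audit(INSTALLED, ADVISORIES):
        print(f"{plugin}: {cve} -> {action}")
```

Run it after each plugin change and again when you re-check the database, so a plugin whose fix has since been published is caught on the next pass.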

Hope this information will help you in making your business safe and secure!