The document discusses securing a WooCommerce ecommerce site. It outlines the typical customer journey on an ecommerce site and identifies security risks and solutions at each step, including using public WiFi, landing on the site, entering personal information, making purchases, and sharing purchases. It emphasizes the importance of security best practices like SSL/HTTPS, strong passwords, keeping software updated, firewalls, backups, and avoiding skipping security measures for any reason. The overall message is that website security is critical and developers must require it as part of the development process.
5. WHAT WE’LL COVER:
• External factors influencing your website decisions
• Overview of a typical customer ecommerce journey
• Security vulnerabilities, risks and solutions along the way
6. EXTERNAL FACTORS INFLUENCING YOUR WEBSITE DECISIONS
• GDPR
• loading speed
• ease of payment processing
• need to save data for returning customers
• internal organization rules
10. User is on public wifi at a coffeeshop
RISKS
• Man-in-the-Middle attack
• The router may be unencrypted
• Her OS may have malware
• Someone may be snoopin’ & sniffin’
• The hotspot may be malicious
11. User is on public wifi at a coffeeshop
SOLUTIONS
SHE SHOULD:
• Use a VPN.
• Force SSL in her browser. Browser settings: Always use HTTPS
• Have active security software on her laptop (Norton etc)
12. User lands on your site via a Facebook ad
RISKS
• Lead data is recorded by Facebook and analytics
• Username enumeration
• Passwords may not be stored securely
• Host may not be secure
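The "username enumeration" risk above is worth a concrete countermeasure. The following is an added example, not code from the slides: a small must-use plugin that closes the three most common ways a WordPress/WooCommerce site reveals valid login names. The file path in the comment is an assumption; the hooks (init, rest_endpoints, login_errors) are standard WordPress hooks.

```php
<?php
/**
 * Added example (not from the slides): reduce username enumeration.
 * Suggested location (assumption): wp-content/mu-plugins/no-enumeration.php
 */

// 1. /?author=N normally redirects to /author/<login>/, which reveals the
//    login name for user ID N. Send those requests to the home page instead.
//    Skipped in wp-admin, where ?author= is a legitimate post-list filter.
add_action( 'init', function () {
    if ( is_admin() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 2. The REST API lists users (with their slugs) at /wp-json/wp/v2/users.
//    Remove both user routes for visitors who are not logged in; editors and
//    admins who need them for the block editor keep access.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. The default login form says "unknown username" or "wrong password",
//    which confirms which names exist. Return one uniform message.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

The author redirect and the REST change only hide the information from anonymous visitors; strong admin passwords and a lockout policy are still needed, because enumeration is only useful to an attacker as a prelude to password guessing.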
13. User lands on your site via a Facebook ad
RISKS
• Your site may already be compromised
• Is your site vulnerable to DDOS?
• Are bots targeting your site?
• Do you have a backup in case your site goes down?
14. User lands on your site via a Facebook ad
SOLUTIONS
• SSL/HTTPS
• Admins have strong passwords/login info, no password reuse!
• Lockout policy/login lockdown in place
• Keep core, all plugins and themes up-to-date
• Use 2 Step Auth
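To show what the "lockout policy/login lockdown" bullet means in practice, here is an added example (not from the slides, and not the code of any plugin named in the deck) of a minimal per-IP login lockout built on WordPress transients. The threshold (5 attempts) and window (15 minutes) are assumptions; the hooks wp_login_failed, authenticate and wp_login are standard WordPress hooks.

```php
<?php
/**
 * Added example (not from the slides): per-IP login lockout using transients.
 * Suggested location (assumption): wp-content/mu-plugins/login-lockout.php
 */

const LOCKOUT_MAX_ATTEMPTS = 5;    // failed logins allowed per window (assumption)
const LOCKOUT_WINDOW       = 900;  // seconds, i.e. 15 minutes (assumption)

// Transient key for the calling client. REMOTE_ADDR is correct only when PHP
// sees the real client; behind a CDN or proxy, resolve the real IP first.
function lockout_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'login_fail_' . md5( $ip );
}

// Count failures. The transient expires on its own after LOCKOUT_WINDOW seconds,
// so a quiet client is forgiven automatically.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lockout_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LOCKOUT_WINDOW );
    error_log( sprintf(
        'login failed for "%s" from %s (%d/%d)',
        (string) $username,
        $_SERVER['REMOTE_ADDR'] ?? '?',
        $count,
        LOCKOUT_MAX_ATTEMPTS
    ) );
} );

// Refuse authentication once the threshold is reached. Priority 99 runs after
// the core username/password checks (priority 20), so the refusal overrides
// a correct password rather than being overridden by it.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( (int) get_transient( lockout_key() ) >= LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 99, 2 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lockout_key() );
} );
```

Note that a refusal from the authenticate filter is itself reported through wp_login_failed, so a locked-out client that keeps trying extends its own lockout. The error_log line gives a host-level tool (the deck mentions Fail2Ban) something to match on.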
15. User lands on your site via a Facebook ad
SOLUTIONS
• 2 Step auth plugins: Authy, Duo, Google Authenticator
• Login Lockdown plugin
• SiteLock central dashboard for updates. ManageWP, InfiniteWP plugins.
16. User lands on your site via a Facebook ad
SOLUTIONS
• Have a good host with all your server software up to date. PHP7 is recommended by WordPress.
• Use a firewall!
• Access your site via SSH/SFTP
• Automate backups! Updraft Plus, host-level backups
17. User lands on your site via a Facebook ad
SOLUTIONS
• Application-level firewalls: SiteLock, Sucuri
• WordPress firewalls: Jetpack, All-in-One, WordFence
• CDN: SiteLock, CloudFlare, Jetpack
• Malware watch and removal: SiteLock, Jetpack, Sucuri, iThemes; your host may offer this service for a charge
• Fail2Ban plugin for brute force
18. User enters her email in popup for 10% off with newsletter signup
RISKS
• Third party plugins are now loaded
• WooCommerce, and any other third-party plugins or integrations, may not be secure
• Her email info may not be securely stored
• Your discount code may have been maliciously generated
19. User enters her email in popup for 10% off with newsletter signup
SOLUTIONS
• Keep all plugins up to date
• Fully vet your third party plugins!
• Use plugins in the WordPress repository
• Read reviews!
• Use third-party plugins listed on the WooCommerce website
20. User reads product reviews
RISKS
• Are these real product reviews or full of spam advertising Viagra and discount Coach bags?
• Is the personal information collected in reviews securely stored?
• Do you have permission to be storing and collecting this information on users?
21. User reads product reviews
SOLUTIONS
• Gain user consent for collecting information
• Do not allow bots to register on your site. Use Captcha, email validation, a honeypot.
• Many form plugins include captcha options
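The honeypot suggested above is easy to add to the WooCommerce registration form without a plugin. The following is an added example, not from the slides: a hidden field that humans never see (so it must stay empty) plus a signed timestamp that rejects forms submitted faster than a person could fill them. The field names and the 3-second threshold are assumptions; woocommerce_register_form and woocommerce_register_post are WooCommerce's own hooks.

```php
<?php
/**
 * Added example (not from the slides): honeypot + minimum-fill-time check on
 * the WooCommerce "Register" form. Complements, does not replace, email
 * validation and a CAPTCHA.
 */

const HP_FIELD       = 'website_url';  // attractive name for a form-filling bot (assumption)
const HP_TS_FIELD    = 'form_ts';      // carries "timestamp:hmac" (assumption)
const HP_MIN_SECONDS = 3;              // faster than this is not a human (assumption)

// Render the trap fields inside WooCommerce's registration form.
add_action( 'woocommerce_register_form', function () {
    $ts  = (string) time();
    $sig = hash_hmac( 'sha256', $ts, wp_salt( 'nonce' ) );
    // Moved off-screen rather than display:none, so naive bots still "see" it.
    echo '<div style="position:absolute;left:-9999px" aria-hidden="true">';
    echo '<label>Website <input type="text" name="' . esc_attr( HP_FIELD )
        . '" tabindex="-1" autocomplete="off"></label></div>';
    echo '<input type="hidden" name="' . esc_attr( HP_TS_FIELD )
        . '" value="' . esc_attr( $ts . ':' . $sig ) . '">';
} );

/**
 * Decide whether a submission looks automated.
 * Returns null for a plausible human, otherwise a short reason for the log.
 */
function registration_bot_reason( array $post, int $now ): ?string {
    if ( ! empty( $post[ HP_FIELD ] ) ) {
        return 'honeypot field was filled';
    }
    $parts = explode( ':', (string) ( $post[ HP_TS_FIELD ] ?? '' ), 2 );
    if ( 2 !== count( $parts ) ) {
        return 'timestamp missing';
    }
    [ $ts, $sig ] = $parts;
    // The HMAC stops a client from simply posting an old timestamp.
    if ( ! hash_equals( hash_hmac( 'sha256', $ts, wp_salt( 'nonce' ) ), $sig ) ) {
        return 'timestamp tampered';
    }
    if ( $now - (int) $ts < HP_MIN_SECONDS ) {
        return 'form submitted too quickly';
    }
    return null;
}

// Block the registration before WooCommerce creates the account.
add_action( 'woocommerce_register_post', function ( $username, $email, WP_Error $errors ) {
    $reason = registration_bot_reason( $_POST, time() );
    if ( null !== $reason ) {
        error_log( sprintf( 'registration blocked (%s) for %s', $reason, sanitize_email( (string) $email ) ) );
        // Deliberately generic: do not tell the bot which check it failed.
        $errors->add( 'bot_detected', 'Registration could not be processed.' );
    }
}, 10, 3 );
```

Keeping the decision in registration_bot_reason(), with no WordPress calls other than wp_salt(), makes the rule easy to test and to reuse for the comment and review forms that slide 20 worries about.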
23. User clicks through to checkout
SOLUTIONS
• Make sure checkout is secure
• SSL! You NEED that lock symbol!
• PCI compliance, certified
• Use a trusted third party processor that stores information off-site
24. User creates new account
RISKS
• User’s account information is now linked to their email, name, address, password they used, potentially credit card info
• User’s account information may already be compromised
• User’s password may be easy to guess
25. User creates new account
SOLUTIONS
• Force secure passwords on new user accounts
• Make sure you are not storing credit card data on the same server
• Make sure your database is on a different server from your website
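"Force secure passwords on new user accounts" can be done server-side, where a browser-side strength meter cannot be bypassed. The following is an added example, not from the slides and not the code of the iThemes Security or Force Strong Passwords plugins mentioned later: a policy function plus the hook that applies it to WooCommerce registration. The 12-character minimum, the character-class rule and the tiny deny list are assumptions for illustration; a real deployment would check against a large breached-password list.

```php
<?php
/**
 * Added example (not from the slides): server-side password policy for new
 * WooCommerce customer accounts.
 */

const PW_MIN_LENGTH = 12;  // assumption

// Constructed sample deny list; replace with a real breached-password set.
const PW_DENY_LIST = [ 'password1234', 'woocommerce1', 'qwertyuiop12' ];

/**
 * Return the problems with $password (an empty array means it is acceptable).
 * Free of WordPress calls so it can be unit-tested on its own.
 */
function password_policy_errors( string $password, string $username, string $email ): array {
    $problems = [];
    $lower    = strtolower( $password );

    if ( strlen( $password ) < PW_MIN_LENGTH ) {
        $problems[] = sprintf( 'Password must be at least %d characters long.', PW_MIN_LENGTH );
    }
    if ( in_array( $lower, PW_DENY_LIST, true ) ) {
        $problems[] = 'That password is too common.';
    }

    // Reject passwords built from the account's own identifiers.
    $local_part = strtolower( (string) strstr( $email, '@', true ) );
    foreach ( array_filter( [ strtolower( $username ), $local_part ] ) as $needle ) {
        if ( strlen( $needle ) >= 4 && false !== strpos( $lower, $needle ) ) {
            $problems[] = 'Password must not contain your username or email address.';
            break;
        }
    }

    // Require three of the four character classes.
    $classes = (int) preg_match( '/[a-z]/', $password )
             + (int) preg_match( '/[A-Z]/', $password )
             + (int) preg_match( '/\d/', $password )
             + (int) preg_match( '/[^a-zA-Z\d]/', $password );
    if ( $classes < 3 ) {
        $problems[] = 'Use at least three of: lowercase, uppercase, digits, symbols.';
    }
    return $problems;
}

// Apply the policy to the My Account registration form and to account
// creation at checkout. The posted field is "password" (My Account) or
// "account_password" (checkout); WooCommerce passes a WP_Error to fill.
add_action( 'woocommerce_register_post', function ( $username, $email, WP_Error $errors ) {
    $password = (string) wp_unslash( $_POST['password'] ?? $_POST['account_password'] ?? '' );
    if ( '' === $password ) {
        return; // WooCommerce may be set to generate the password itself.
    }
    foreach ( password_policy_errors( $password, (string) $username, (string) $email ) as $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 3 );
```

The password is compared, never stored or logged; WordPress still hashes it as usual once the WP_Error stays empty and the account is created.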
27. User submits payment and order information
SOLUTIONS
• SSL! You NEED that lock symbol!
• PCI compliance, certified
• Use a trusted third party processor that stores information off-site
• Enforce strong password use: iThemes Security plugin, Force Strong Passwords plugin
28. User submits payment and order information
SOLUTIONS
• SSL: Let’s Encrypt, wildcard, go with a host who offers SSL!
• Enforce strong password use: iThemes Security plugin, Force Strong Passwords plugin
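Having a certificate is only half of "force SSL" (slides 11, 14, 23, 27 and 28); the site also has to refuse to serve plain HTTP. The following is an added example, not from the slides: the wp-config.php settings and a small must-use plugin that redirect every request to HTTPS and set an HSTS header. FORCE_SSL_ADMIN is a real WordPress constant; the HSTS max-age, the mu-plugin path and the proxy handling are assumptions that depend on the host.

```php
<?php
/**
 * Added example (not from the slides): force HTTPS site-wide once the
 * certificate (for example from Let's Encrypt) is installed.
 */

// --- wp-config.php ---------------------------------------------------------
// Serve wp-admin and wp-login.php over TLS only.
define( 'FORCE_SSL_ADMIN', true );

// If a CDN or load balancer terminates TLS and talks plain HTTP to PHP, tell
// WordPress the original request was HTTPS; otherwise is_ssl() returns false
// and the redirect below loops forever. Only do this when the proxy strips
// any X-Forwarded-Proto header a client sends directly.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// --- wp-content/mu-plugins/force-https.php (path is an assumption) ---------
// Redirect any front-end request that still arrives over plain HTTP.
// wp_safe_redirect() refuses hosts other than the site's own, so a spoofed
// Host header cannot turn this into an open redirect.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 );
    exit;
} );

// Once every page works over HTTPS, tell browsers to stop attempting HTTP at
// all for a year. Start with a short max-age while testing (assumption).
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

Also set the WordPress Address and Site Address options to https:// URLs in Settings > General, so that links WordPress generates itself (and the WooCommerce checkout) never point back to HTTP.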
31. User shares her purchase on Facebook
RISKS
• Connection may be insecure
• Plugin may be insecure
32. User shares her purchase on Facebook
SOLUTIONS
• Use a secure connection to authenticate to Facebook
• Use a trusted third party plugin if you are not an API developer
• ShareIt!
33. ECOMMERCE SITES ARE A LOT OF WORK.
You may be tempted to skip out on security. Time or budget may be tight. Your client may not be convinced it is needed.
DO NOT SKIP SECURITY!
Website security is on you, the developer. Require security as part of your web development process. Educate clients on its importance.
34. TOGETHER WE CAN MAKE THE INTERNET A SAFER PLACE FOR EVERYBODY!