  1. #1
    SitePoint Member
    Join Date
    May 2011
    Location
    UAE
    Posts
    8
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    How can I secure my shopping website from hackers?

    I have a shopping website and I want to secure it from hackers. How can I do that, and what do I have to do?

  2. #2
    Community Advisor

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,559
    Mentioned
    40 Post(s)
    Tagged
    1 Thread(s)
    Keep your shopping cart software up to date
    Subscribe to any security alert notifications available from your cart software vendor
    Use reputable, high-quality hosting, ideally a dedicated server or VPS
    Ensure your PC is kept secure and has up-to-date anti-virus software
    Add extra security, e.g. protect the admin directory with .htaccess
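    The last item above, protecting the admin directory with .htaccess, as an added example (not code from the thread or from any cart vendor). It assumes Apache 2.4 with AllowOverride enabled for the directory, and the allow-listed network 203.0.113.0/24 and the password file path are placeholders. The first function writes an .htaccess that requires both an allow-listed source address and HTTP Basic authentication; the second checks that an existing .htaccess still carries those controls, which is handy after a cart upgrade overwrites files.

```shell
#!/bin/sh
# Added example: lock a shopping cart's admin directory behind an IP
# allow-list plus HTTP Basic auth, and audit an .htaccess for those controls.
# Assumptions: Apache 2.4 (mod_authz_core, mod_authn_file), AllowOverride
# enabled; network and password-file path below are placeholders.

# write_admin_htaccess DEST ALLOWED_CIDR PASSWD_FILE
write_admin_htaccess() {
  dest=$1; allowed=$2; passwd_file=$3
  cat > "$dest" <<EOF
# Both conditions must hold: request comes from the allow-listed network
# AND the user has authenticated against the password file.
<RequireAll>
    Require ip $allowed
    Require valid-user
</RequireAll>
AuthType Basic
AuthName "Shop administration"
AuthUserFile $passwd_file
# Never serve config, backup or SQL dump files left in the admin directory.
<FilesMatch "(^\.ht|\.(bak|old|sql)\$)">
    Require all denied
</FilesMatch>
EOF
}

# check_admin_htaccess FILE: 0 when IP restriction, valid-user requirement,
# Basic auth and a password file are all present; 1 otherwise.
check_admin_htaccess() {
  f=$1
  grep -q '^[[:space:]]*Require ip ' "$f" || return 1
  grep -q '^[[:space:]]*Require valid-user' "$f" || return 1
  grep -q '^AuthType Basic' "$f" || return 1
  grep -q '^AuthUserFile ' "$f" || return 1
  return 0
}

# Stand-alone demo on a temporary directory (constructed, not a real site).
demo_dir=$(mktemp -d)
write_admin_htaccess "$demo_dir/.htaccess" 203.0.113.0/24 /etc/apache2/shop.htpasswd
if check_admin_htaccess "$demo_dir/.htaccess"; then
  echo "admin .htaccess carries IP allow-list and Basic auth"
fi
```

    Create the password file with `htpasswd -B /etc/apache2/shop.htpasswd adminuser` (bcrypt hashes) and keep it outside the document root so it is never served.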

  3. #3
    SitePoint Guru Jason__C
    Join Date
    Oct 2009
    Location
    Racoon City
    Posts
    660
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    I recommend going with a hosted e-commerce solution. That way the company takes full responsibility and security is on them. It will cost $$$, but you will feel worry-free the moment your site goes live. Why do the hard work when someone experienced will take care of it for you?
    Chuck Norris is so tough,
    mosquitos ask for permission before they bite him

  4. #4
    SitePoint Zealot ChrisWiegman
    Join Date
    Sep 2010
    Location
    Austin, Texas, United States
    Posts
    177
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What software are you running your shop in?

  5. #5
    SitePoint Member
    Join Date
    Jul 2011
    Posts
    15
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    On which platform are you running this?

    1. Install a firewall (APF or CSF firewall with BFD)
    2. ModSecurity (web application firewall)
    3. ModEvasive (prevent DDoS attacks)
    4. Harden the SSH server
    5. Fix open DNS recursion
    6. Install rkhunter
    7. Install ClamAV (antivirus)
    8. xinetd services hardening (disable Telnet/Finger or unwanted services)
    9. Securing PHP
    10. PortSentry (tool to detect port scans)
    11. Harden host.conf (against IP spoofing)
    12. Check user-uploaded files
    13. Secure /tmp folders (noexec, nosuid)

    If you have done the above on a Linux server then you are almost there, but it is always the application vulnerabilities that result in a hack, so make sure that you update the software regularly.
    Geeks make it simple
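    An added example (not from the thread) that audits four items of the list above, /tmp mount options, host.conf, xinetd services and php.ini, and adds a magic-byte check for the "user-uploaded files" item. It runs over constructed sample files so it works offline; the file paths, the chosen php.ini keys and the sample contents are assumptions, and on a real server you would point the functions at the actual /etc files.

```shell
#!/bin/sh
# Added example: audit helpers for /tmp mount flags, host.conf nospoof,
# xinetd service state, php.ini hardening and uploaded-image magic bytes.
# Sample files are constructed in a temp dir; paths/values are assumptions.

# tmp_is_hardened FSTAB: 0 when /tmp is mounted with both noexec and nosuid
tmp_is_hardened() {
  awk '$1 !~ /^#/ && $2 == "/tmp" && $4 ~ /noexec/ && $4 ~ /nosuid/ { ok = 1 }
       END { exit ok ? 0 : 1 }' "$1"
}

# hostconf_nospoof HOST_CONF: 0 when "nospoof on" is set
hostconf_nospoof() {
  grep -Eq '^[[:space:]]*nospoof[[:space:]]+on' "$1"
}

# xinetd_service_disabled XINETD_DIR SERVICE: 0 when the service has no
# config file at all or its file contains "disable = yes"
xinetd_service_disabled() {
  f="$1/$2"
  [ ! -f "$f" ] && return 0
  grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"
}

# php_ini_hardened PHP_INI: 0 when all four risky settings are Off
php_ini_hardened() {
  for key in expose_php display_errors allow_url_fopen allow_url_include; do
    grep -Eiq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*off" "$1" || return 1
  done
  return 0
}

# upload_magic_matches FILE EXT: 0 when the leading bytes match the image
# type the extension claims (jpg/png); a PHP script renamed to .jpg fails
upload_magic_matches() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$2" in
    jpg|jpeg) case "$magic" in ffd8ff*) return 0 ;; esac ;;
    png)      [ "$magic" = "89504e47" ] && return 0 ;;
  esac
  return 1
}

# make_samples DIR: constructed hardened and weak samples for each check
make_samples() {
  d=$1
  mkdir -p "$d/xinetd.d"
  printf '/dev/sda1 / ext4 defaults 0 1\ntmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0\n' > "$d/fstab.good"
  printf 'tmpfs /tmp tmpfs defaults 0 0\n' > "$d/fstab.bad"
  printf 'order bind,hosts\nnospoof on\n' > "$d/host.conf"
  printf 'service telnet\n{\n    disable = yes\n}\n' > "$d/xinetd.d/telnet"
  printf 'service finger\n{\n    disable = no\n}\n' > "$d/xinetd.d/finger"
  printf 'expose_php = Off\ndisplay_errors = Off\nallow_url_fopen = Off\nallow_url_include = Off\n' > "$d/php.ini"
  printf 'expose_php = On\ndisplay_errors = On\nallow_url_fopen = On\nallow_url_include = Off\n' > "$d/php.ini.weak"
  printf '\377\330\377\340' > "$d/photo.jpg"      # real JPEG header
  printf '<?php echo 1; ?>' > "$d/shell.jpg"      # script disguised as an image
}

# report CHECK ARGS...: print PASS/FAIL for one check
report() { if "$@"; then echo "PASS $*"; else echo "FAIL $*"; fi; }

# Stand-alone demo over the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
report tmp_is_hardened "$demo/fstab.good"
report tmp_is_hardened "$demo/fstab.bad"
report hostconf_nospoof "$demo/host.conf"
report xinetd_service_disabled "$demo/xinetd.d" telnet
report xinetd_service_disabled "$demo/xinetd.d" finger
report php_ini_hardened "$demo/php.ini"
report php_ini_hardened "$demo/php.ini.weak"
report upload_magic_matches "$demo/photo.jpg" jpg
report upload_magic_matches "$demo/shell.jpg" jpg
```

    The upload check only proves the file starts like an image; the safe handling of uploads the list alludes to also means storing them outside the web root (or in a directory with PHP execution disabled) and serving them under a server-chosen filename.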

  6. #6
    Certified Ethical Hacker dklynn
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,680
    Mentioned
    19 Post(s)
    Tagged
    3 Thread(s)
    PVSI,

    Mike (EastCoast) has the correct answer (USP's host using your weak passwords will not help, CW's question about the cart is irrelevant as every cart can easily be affected, and PA's list is too generic and does not deal with the question asked) but Mike failed to STOMP on the issue of using STRONG passwords, without which you may as well not even use passwords at all.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
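    The strong-password point above, as an added example that is not from the thread: a policy check a cart's admin-account creation or reset script could call before accepting a password. The policy itself (12 characters minimum, at least three of four character classes, no account name inside the password, and a small constructed deny-list of well-known weak choices) is an assumption, not something the thread specifies.

```shell
#!/bin/sh
# Added example: password policy check for cart admin accounts.
# Policy values and the deny-list are assumptions (constructed for the demo).

# password_ok PASSWORD USERNAME: 0 when the password meets the policy,
# 1 otherwise. Rejects short passwords, single-class passwords, passwords
# containing the account name, and entries from a small deny-list.
password_ok() {
  pw=$1; user=$2
  [ ${#pw} -ge 12 ] || return 1
  classes=0
  case "$pw" in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
  case "$pw" in *[[:punct:]]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 3 ] || return 1
  # Case-insensitive comparisons for the account-name and deny-list rules
  lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  user_lower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
  case "$lower" in *"$user_lower"*) return 1 ;; esac
  # Constructed deny-list: these satisfy the composition rule yet are
  # predictable, which is why a composition rule alone is not enough.
  for bad in 'password1234!' 'administrator1!' 'welcome12345!' 'qwerty123456!'; do
    [ "$lower" = "$bad" ] && return 1
  done
  return 0
}

# Stand-alone demo with constructed candidates.
for candidate in 'Tr0ub4dor&3xtra' 'Password1234!' 'ShopAdmin2012!!' 'shortPw1!'; do
  if password_ok "$candidate" shopadmin; then
    echo "accepted: $candidate"
  else
    echo "rejected: $candidate"
  fi
done
```

    The deny-list entries are placeholders; in production the same check would consult a large list of leaked passwords rather than four literals.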

  7. #7
    SitePoint Member
    Join Date
    May 2012
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hire experienced staff to handle your shopping cart. Make sure to hire only those professionals who have worked in the same domain previously.

  8. #8
    SitePoint Member Igal Zeifman
    Join Date
    May 2012
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Good list and good advice but...

    1. ModEvasive will not prevent DDoS attacks. It is only semi-effective for URL DDoS (which is not commonly used for serious attacks) and even for URL DDoS it will give you many false positives.
    Full DDoS protection can only come from "front-gate" solutions that provide absorption and filtering (i.e. a cloud CDN + WAF like Incapsula or, for a more high-end site, Akamai).

    Everything you have at server level cannot be 100% effective since it can only deal with traffic that has reached the server.
    Remember, DDoS traffic reaches the server = DDoS succeeded.


    2. ModSecurity can be nice and personally I think it's a great OS project.
    That being said, this is not a "plug and play" solution and is not fit for serious security threats. The default settings will leave you extremely vulnerable (it is OS and the defaults are there for all to see).
    Also, constant upgrades are needed, and if you are indeed already in need of DDoS protection, a cloud CDN+WAF can be a 2-in-1 solution.

    For more information read this:
    http://blog.ivanristic.com/2012/06/m...-bypasses.html
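    Point 1 above (per-IP rate limiting on the server trips on legitimate users and misses distributed floods), as an added example that is not from the thread or from the mod_evasive project. The function below is a simplified re-implementation of a mod_evasive-style counter (requests per IP per second for the site limit, requests per IP per URI per second for the page limit; mod_evasive's real windows and hash-table handling differ) run over a constructed access log with three actors: a shopper whose product page pulls 60 assets in one second, three colleagues behind one office NAT reloading /checkout together, and a flood of 200 addresses each sending one request per second. The thresholds 2 and 50 are the values documented as mod_evasive's defaults for DOSPageCount and DOSSiteCount; the addresses and URIs are constructed.

```shell
#!/bin/sh
# Added example: simplified per-IP threshold detector (mod_evasive style)
# run over a constructed access log to show who it flags and who it misses.
# Log format (constructed): "<epoch_second> <client_ip> <uri>" per line.

# evasive_flagged LOG PAGECOUNT SITECOUNT: prints "ip reason" for every IP
# that exceeded PAGECOUNT hits on one URI in one second (page-limit) or
# SITECOUNT hits on any URI in one second (site-limit), sorted and unique.
evasive_flagged() {
  awk -v pc="$2" -v sc="$3" '
    { site[$2 SUBSEP $1]++; page[$2 SUBSEP $3 SUBSEP $1]++ }
    END {
      for (k in site) { split(k, a, SUBSEP); if (site[k] > sc) print a[1], "site-limit" }
      for (k in page) { split(k, a, SUBSEP); if (page[k] > pc) print a[1], "page-limit" }
    }' "$1" | sort -u
}

# make_sample_log FILE: constructed traffic for three actors
make_sample_log() {
  : > "$1"
  # 1) A real shopper: product page loads 60 distinct assets within one second
  i=1
  while [ "$i" -le 60 ]; do
    printf '100 10.0.0.5 /static/asset%d.js\n' "$i" >> "$1"
    i=$((i + 1))
  done
  # 2) Three colleagues behind one office NAT reload /checkout in the same second
  printf '100 203.0.113.7 /checkout\n100 203.0.113.7 /checkout\n100 203.0.113.7 /checkout\n' >> "$1"
  # 3) A distributed flood: 200 addresses, each hitting / once per second for 5 seconds
  s=100
  while [ "$s" -lt 105 ]; do
    n=1
    while [ "$n" -le 200 ]; do
      printf '%d 198.51.100.%d /\n' "$s" "$n" >> "$1"
      n=$((n + 1))
    done
    s=$((s + 1))
  done
}

# Stand-alone demo: the two legitimate sources are flagged, the flood is not.
log=$(mktemp)
make_sample_log "$log"
echo "flagged with DOSPageCount=2 DOSSiteCount=50:"
evasive_flagged "$log" 2 50
echo "flood lines that passed unflagged: $(grep -c ' 198.51.100\.' "$log")"
```

    Raising the thresholds to stop flagging the shopper and the office NAT makes the detector even blinder to the flood, which is the trade-off the post describes: the decision has to be made before the traffic reaches the server.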

