As the title says, this post is about securing your WooCommerce website against malicious attackers.
No matter whether your website was custom built by a designer or created on the basis of a premium theme, and whether you are a small company or a huge multi-million organization, you can’t feel safe from attacks that may take down your website. The worst scenario is when your users’ Personally Identifiable Information (PII) is exposed through cross-site scripting.
Sorry to say, but the security you enable for your website is more of a sieve than a shield. You can deflect big, obvious, and clumsy attacks, which make up around 97 percent of cyber attacks. But there is always a smarter, subtler one that can penetrate your defenses. Does your cyber defense include a plan for the case when your defenses fail? If not, that’s not good.
Some of the most common attacks against websites are cross-site scripting, information leakage, and DDOS attacks. Read on to learn how to deflect them.
Cross Site Scripting (XSS)
Cross‐site scripting is a dangerous problem. Unlike vandalism or a DDOS attack, cross‐site scripting attacks turn your website into a malware vector and can compromise your users’ personal information.
Let’s look at a common example. Suppose you have a contact form on your WooCommerce website with name, email, and message fields.
What do you think an attacker will put in those fields? Not a name, an email, and a message, but some arcane string of code. Then they hit the ‘submit’ button.
What happens next? If you’re unlucky or careless, that string of code worms its way into your website’s database and becomes part of your site.
So when a user visits your site, their browser renders all of your content right alongside the attacker’s code. This lets the attacker, for instance, record every keystroke the user makes and eventually capture their username, password, SSN, credit card numbers, and so on.
How to defend against cross‐site scripting?
The good news is that preventing cross‐site scripting doesn’t require buying an expensive security solution.
Your website developer can bake protection against XSS into your site as they build or modify it.
It is wise to treat all user input to your site as ‘untrusted’, because it could be someone genuinely trying to reach you, or it could be malicious code.
Therefore this data needs to be encoded, that is, transformed into text that a browser will not render as markup, before it is added to your database.
Here is an example: a user might post a comment on your site consisting of some text between these two characters: <text>.
Unfortunately, ‘<’ and ‘>’ usually mean <executable code goes here> in HTML, so this could be a trap.
With encoding, ‘<’ and ‘>’ are transformed into ‘&lt;’ and ‘&gt;’, which look like gibberish to a human reader and which your HTML renderer displays as literal characters instead of treating as markup.
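The encoding step above, as an added example that is not code from the original post: a constructed contact-form submission (name, email, message) is rendered into a hypothetical template once unencoded and once with every field HTML-encoded, and a small check counts whether any tags or quotes beyond the template’s own reached the page. Quotes are included because inside an attribute (the mailto link) a stray quote is as dangerous as a ‘<’.

```python
import html
import re

# Constructed contact-form submission (sample data, not a real request):
# the name carries script markup, the email tries to break out of an attribute.
SUBMISSION = {
    "name": "Alice <script>alert('xss')</script>",
    "email": 'alice@example.com" onmouseover="alert(1)',
    "message": "Question about order #1234 <b>urgent</b>",
}

# Hypothetical template a theme might use to show the submission to staff.
TEMPLATE = (
    '<div class="contact"><p class="name">{name}</p>'
    '<a href="mailto:{email}">{email}</a>'
    '<p class="message">{message}</p></div>'
)

def encode_for_html(value: str) -> str:
    """Encode & < > " and ' so the browser shows them as text, never as markup.
    Quotes matter too: in an attribute a stray '"' ends the attribute value."""
    return html.escape(value, quote=True)

def render_contact(fields: dict, encode: bool = True) -> str:
    """encode=False is the vulnerable rendering the post describes;
    encode=True encodes every field before it is placed into the page."""
    if encode:
        fields = {k: encode_for_html(v) for k, v in fields.items()}
    return TEMPLATE.format(**fields)

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")

def leaks_markup(rendered: str) -> bool:
    """Anything beyond the template's own tags and quotes came from user input
    and would be interpreted by the browser."""
    return (len(TAG_RE.findall(rendered)) > len(TAG_RE.findall(TEMPLATE))
            or rendered.count('"') > TEMPLATE.count('"'))

if __name__ == "__main__":
    print("vulnerable:", render_contact(SUBMISSION, encode=False))
    print("encoded:   ", render_contact(SUBMISSION))
```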
Would you like more information on the issue? OWASP maintains a comprehensive cheat sheet on preventing XSS.
There are also companies that provide paid services to scan your website for XSS vulnerabilities, which aren’t all as obvious as an unprotected comment box, and they will suggest remediation as well.
Information Leakage
This is the most common attack against websites that relies on a specific software vulnerability.
Open any web page on your desktop and hit F12 on your keyboard. Doesn’t work? Right-click and choose the option to view the source code. Either way, you end up looking at the HTML source of the page.
When you develop a page or a web application, you are likely to leave comments in that code that note the presence of a bug or something else.
May I ask you a question? Do you always take those comments out once the page goes live?
This is where information leakage lives: in the leftovers from the software development cycle.
The point is that leftover comments from the development process can reveal things like server configuration, software version numbers, exploitable bugs, and so on. Things like those make attackers happy.
Would you like to know the solution? It’s simple: don’t do this.
However, if you are a software developer, it’s difficult to avoid such mistakes when you routinely work 80 hours a week to deliver products to customers. You do make mistakes from time to time.
Today, time to market is all-important, so very often security falls by the wayside.
If you commission a third-party developer to create your web page, I recommend asking a penetration tester to take a look at it when it is finished, to sniff out these and other insecurities.
Distributed Denial of Service Attacks (DDOS)
Unfortunately, DDOS attacks are the worst.
They are based on the principle that it’s very easy to crash a website by sending a lot of illegitimate traffic to it at the same time.
A single user can generate a DDOS attack by spamming DNS traffic. A hacker can also use one or more infected computers, controlled remotely, to accomplish the same task.
Why do DDOS attacks happen? They might be for ideological reasons, but mostly the attackers’ goal is cold, hard bitcoins.
A lot of companies pay up because it’s easier to hand over $10,000 than to lose several days’ worth of revenue.
DDOS attacks are not like the ones mentioned above. You might not be able to secure your website against them with sensible development practices alone.
However, there is a way out: you can mitigate these attacks.
First, monitor your DNS server using its built-in software. If you notice a sudden, considerable traffic spike, you might be in trouble.
If you suspect that you may be vulnerable to a DDOS attack, I advise you to increase the volume of queries your servers can handle.
I should warn you that this takes money, so the extent to which you provision your servers should be the outcome of a cost-benefit analysis.
Additionally, Anycast routing allows you to host servers across multiple locations using the same IP address.
Why is that beneficial? If a hacker attacks your server in one location, you can route traffic to servers located in other parts of the world. This allows most legitimate users to query your site without experiencing latency issues.
More About Attacks
As most of you reading this run WooCommerce websites, and WordPress long ago released a patch for a vulnerability that exposed its millions of users to cross-site scripting, the biggest security threat you’ll ever have to worry about will likely be the occasional spam comment.
The security of your WooCommerce website depends a lot on staying up to date. The WordPress organization is commendably bullish on security and constantly releases automatic updates that improve the security of the average user.
However, updating the core WordPress software won’t protect you if you use an insecure custom theme.
Suppose, then, that your theme is secure, like this one, for instance.
Hackers might still steal your login details by attacking the computer(s) you use to control and change your site. You mitigate this risk by running a firewall and antivirus (for home users) or enterprise-level system monitoring.
You can use plugins that purport to offer the full suite of security services, including a firewall, intrusion detection, and error logging.
What should you know about these security tools? Simply having one on your system is not going to make you any safer. You need to actually use it, understand what it’s telling you, and identify a baseline that represents ordinary traffic on your site; only then will you be able to tell whether you’re coming under attack.
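Both the DDOS advice (watch for a sudden traffic spike) and the point just made (know your baseline first) come down to the same check. As an added example, not code from the original post, the script below builds a constructed access log in Apache combined format, counts requests per minute, and flags any minute that exceeds several times the median of the minutes before it. The median is used rather than the mean so that one spike does not inflate the baseline for the next minute; the window and factor are assumptions to tune for your own traffic.

```python
import re
from collections import Counter
from statistics import median

TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]")

def make_minute(minute: int, hits: int) -> list:
    """Construct `hits` Apache combined-format lines for 13:<minute> on a
    sample day. These are synthetic lines, not a real server log."""
    lines = []
    for i in range(hits):
        ip = f"203.0.113.{i % 40 + 1}"
        ts = f"10/Oct/2023:13:{minute:02d}:{i % 60:02d} +0000"
        lines.append(f'{ip} - - [{ts}] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines

# Eight ordinary minutes followed by two minutes of flood.
SAMPLE_LOG = [line for m, n in enumerate([12, 15, 11, 14, 13, 12, 16, 14, 90, 400])
              for line in make_minute(m, n)]

def requests_per_minute(lines):
    """Bucket log lines by minute; returns [(minute, count)] sorted by key,
    which is time order within the single hour of this sample. Lines without
    a parseable timestamp are skipped."""
    counts = Counter()
    for line in lines:
        m = TS_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return sorted(counts.items())

def flag_spikes(series, window=5, factor=5):
    """Compare each minute with the median of the previous `window` minutes.
    Returns [(minute, count, baseline)] for minutes above factor * baseline;
    the first `window` minutes have no baseline and are never flagged."""
    flagged = []
    for i in range(window, len(series)):
        baseline = median(c for _, c in series[i - window:i])
        minute, count = series[i]
        if count > factor * max(baseline, 1):
            flagged.append((minute, count, baseline))
    return flagged

if __name__ == "__main__":
    for minute, count, base in flag_spikes(requests_per_minute(SAMPLE_LOG)):
        print(f"{minute}: {count} requests vs baseline {base}")
```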
VPNs Are Components of Website Security
What do you think of VPNs? Do you see them as a way around the restrictions on region-locked videos, or perhaps as a way to log in securely to your company’s intranet while abroad?
It’s very important to have a VPN if your website provides things like cloud-hosted software or data.
This secure connection prevents villains from listening in while someone accesses resources that you want to protect, such as credit card numbers, health records, and other PII. Do you have a VPN portal on your website? Then you need to take some important steps to make sure that the portal is secure.
Securethoughts.com provides a comprehensive list of VPN services on offer accompanied by reviews.
Prefer TLS Over SSL
Because of an exploit called POODLE, which is very similar to Heartbleed, SSL VPN is in fact obsolete. If your VPN portal still uses SSL, it may look like a red flag to your visitors.
Transport Layer Security (TLS) is the secure replacement for SSL, and it is the one you want to use. Note that, out of familiarity, many security professionals still call TLS by the old, incorrect name SSL, which can get confusing. It is also recommended to use the latest version of TLS, as it offers significant improvements over the original.
What to Do When Everything Else Fails
I have already explained that most of the common attacks against websites can be deflected without using expensive tools.
However, there is a possibility that practitioners of black-hat techniques will get the better of you.
Nevertheless, there is good news: if you respond to the breach efficiently, you will reduce your overall costs and help keep your customers loyal to your business.
What do I mean by responding to the breach efficiently? For example, reset all your customers’ passwords and send out prompt and comprehensive notifications.
You will generally be lauded for exercising transparency and an abundance of caution.
Well, it looks like it’s time to wrap up. My best advice is to invest intelligently in security: use sound practices and well-trained employees, and don’t rely fully on tools.
You may not be able to deflect every attack every time, but if it happens, you won’t blame yourself for not being prepared.
Over to you
Have you ever had the bitter experience of a hacker attack? Can you say that you were prepared for it? Was it difficult to deflect it and clean up the aftermath? Please share your thoughts, questions, tips, and advice with the community in the comments, and don’t forget to share this blog post with your friends if you believe it makes sense 😉