Best practices for securing your store
Updated on Wednesday, August 23, 2023
Having your store hacked is not something to take lightly. It comes in many forms: hijacking your payment flow to divert funds or capture bank details, stealing customer data, and stealing back-office passwords.
That's why you should pay attention to the modules you install, where they come from and what they do. A module downloaded from a forum can be an entry point for an attacker, contain a security flaw, or be an outright Trojan. It's best to get your modules from the PrestaShop Marketplace.
You may be unfamiliar with terms such as FTP, database and back office. Just remember that the logins your host has given you and your back-office access must be kept safe and shared only with the people who genuinely need them.
Never post them on a forum or on any service not dedicated to technical support. You are responsible for this information: these credentials are like the keys to your house, giving access to your business and to your customers' data. Today you are responsible for that data and must protect it as far as possible (GDPR).
Consider managed hosting: it costs more, but it gives you a team that can act on your server and harden it (updating the languages and runtimes used on the server, managing security vulnerabilities, intervening in the event of a hack, and so on). Remember that an e-commerce site isn't free: it carries costs, just like renting a physical store. Choose a server suited to your site and its traffic, for both performance and security reasons.
What are the best practices to implement?
- If possible, check every day that your checkout funnel looks visually normal and that the payment step behaves as expected (you don't need to place an order).
- Change back-office passwords regularly, for yourself and your employees.
- Create a separate account for each person who logs on to the site (this makes it easy to remove an access when a member of staff leaves).
- Assign different permissions depending on each employee's profile and the tasks they are responsible for.
Watch the video tutorial
Find all the steps to follow in the video “Team management”, available on PrestaShop Academy.
- Check every day that transactions have correctly reached both the PrestaShop back office and your bank's (or payment provider's) back office.
- Give only temporary access to the support teams you contact, and remove it once the work is done. You control the back office and can create profiles, permissions and accounts yourself. Depending on your hosting package, you may not be able to do the same for FTP and the database; check with your hosting provider. The fewer people your main credentials are shared with, the more secure you are. If you have to give FTP access to your server, create a new account for the people involved so that you can delete it once the job is finished.
- Be curious! If your site's behavior changes overnight, ask yourself some questions. Have I recently installed a module? Am I aware of someone working on my PrestaShop? If not, contact your web agency or PrestaShop and explain what you see.
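The two daily checks above (a checkout page that still looks normal, and payments that really reached the bank) can also be automated. The script below is an added example, not code from this page or from PrestaShop: it lists every script, iframe and form target on a checkout page and flags any host that is neither the shop nor the payment provider, which is how an injected card skimmer or a redirected payment form typically shows up, and it reconciles orders marked paid in the back office against what the bank side reports. The shop hostname, the gateway hostname, the checkout HTML and the order references and amounts are all constructed for the illustration; in practice the HTML would be fetched from your checkout URL and the two payment lists exported from the back office and from your provider.

```python
"""Automated versions of the two daily checks above (added example, not
PrestaShop code). Every hostname, order reference and amount below is
constructed for the illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _CheckoutResources(HTMLParser):
    """Collect where the checkout page loads scripts and iframes from, and
    where its forms post to. These are the three places a card skimmer or
    a diverted payment step shows up."""

    def __init__(self):
        super().__init__()
        self.found = []  # (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append(("script", a["src"]))
        elif tag == "iframe" and a.get("src"):
            self.found.append(("iframe", a["src"]))
        elif tag == "form" and a.get("action"):
            self.found.append(("form", a["action"]))


def _origin_of(url, shop_host):
    """Host a resource URL points to; relative URLs belong to the shop.
    data:/javascript: URLs are never legitimate on a payment page, so
    they get a marker that is not in any allowlist."""
    p = urlparse(url)
    if p.scheme in ("data", "javascript"):
        return "<%s-uri>" % p.scheme
    return (p.hostname or shop_host).lower()


def checkout_anomalies(html, shop_host, allowed_hosts):
    """Return [(kind, url)] for every script, iframe or form target whose
    host is neither the shop nor on the allowlist (e.g. the payment
    provider). A first run against a known-good page builds the allowlist;
    anything that appears later is what the visual check is looking for."""
    parser = _CheckoutResources()
    parser.feed(html)
    allowed = {shop_host.lower()} | {h.lower() for h in allowed_hosts}
    return [(kind, url) for kind, url in parser.found
            if _origin_of(url, shop_host) not in allowed]


def reconcile(orders, bank_payments, tolerance=0.01):
    """Compare orders marked paid in the back office with payments seen on
    the bank / payment-provider side, both as (reference, amount). Reports
    payments that never reached the bank, payments the shop knows nothing
    about, and amounts that disagree."""
    paid = dict(orders)
    received = dict(bank_payments)
    return {
        "missing_at_bank": sorted(r for r in paid if r not in received),
        "unknown_at_bank": sorted(r for r in received if r not in paid),
        "amount_mismatch": sorted(r for r in paid if r in received
                                  and abs(paid[r] - received[r]) > tolerance),
    }


# --- constructed sample data (hypothetical hosts, references, amounts) ------
SHOP_HOST = "shop.example"
ALLOWED_HOSTS = ["pay.gateway.example"]          # hypothetical payment provider
CHECKOUT_HTML = """<html><head>
<script src="/themes/classic/assets/js/theme.js"></script>
<script src="https://pay.gateway.example/v3/checkout.js"></script>
<script src="//cdn-stats.example/collect.js"></script>
</head><body>
<form id="payment-form" action="/order/confirm" method="post"></form>
<iframe src="https://pay.gateway.example/card-frame"></iframe>
</body></html>"""
ORDERS = [("ABCDE001", 49.90), ("ABCDE002", 120.00), ("ABCDE003", 15.50)]
BANK_PAYMENTS = [("ABCDE001", 49.90), ("ABCDE002", 12.00), ("ZZZZZ999", 80.00)]


def run_daily_checks(html=CHECKOUT_HTML, orders=ORDERS, bank=BANK_PAYMENTS):
    """Both checks in one call; empty results mean nothing to look at."""
    return {"checkout": checkout_anomalies(html, SHOP_HOST, ALLOWED_HOSTS),
            "payments": reconcile(orders, bank)}


if __name__ == "__main__":
    for check, result in run_daily_checks().items():
        print(check, "->", result)
```

On the sample page the only finding is the third-party `collect.js` script, which is exactly the kind of addition a quick visual check would miss; the reconciliation reports one order that never reached the bank, one payment the shop has no order for, and one amount that does not match. Run it from a scheduled task and treat any non-empty result as a reason to ask the questions in the last bullet above.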