
How To Prevent Data Leaks On Your eCommerce Store

Data is one of your eCommerce business’s most valuable assets. But it is not only valuable to your business. It is also valuable to criminals, who use personal data for identity theft and credit card numbers to commit fraud. Over the last few months, several major eCommerce retailers and many smaller stores were targeted by Magecart, the umbrella name for a set of criminal groups primarily focused on skimming credit card numbers from checkout pages.

Magecart is the most prominent threat to eCommerce stores, but it is far from the only one. eCommerce store owners should be alert to the risk of data theft and know how to fight it.

Attackers like Magecart rely on malicious JavaScript injected into an eCommerce store’s pages. The skimmer reads credit card numbers and other fields as shoppers type them into forms and sends them to a server the attacker controls. This is often described as a cross-site scripting (XSS) attack, and it depends on the same thing classic XSS does: the attacker’s script running in the context of the store’s pages, with full access to the checkout form. Unlike classic XSS, though, the injection point is usually not an unescaped user input but a compromised file on the server, a modified setting in the store’s database, or a third-party script the page already loads. Attackers use several strategies to get their code into the page, and all of them depend on flaws in the store’s security or in the security of its suppliers.

Store owners fighting this type of data leak should focus on stopping the attacker from injecting malicious code in the first place. Once a skimmer is in the page, the card data leaves through the shopper’s browser and never touches the store’s server, so server-side controls alone will not catch it.

Keep software up-to-date. Attackers frequently exploit known vulnerabilities in older software. If an attacker can compromise an eCommerce store via a known vulnerability in the operating system, supporting software such as the web server, PHP, or the database, or the store platform and its extensions, they will inject malicious code that runs in every shopper’s browser. Updating promptly fixes known vulnerabilities; subscribe to the security announcements for your platform so you hear about patches as soon as they are released.

Ensure the database is only accessible from the web application. Database misconfiguration is a common source of data leaks. An eCommerce store’s database should listen only on localhost or a private network interface, never on a public address, and the firewall should block the database port from the internet. Protect it with a strong, unique password, and give the store’s database user only the privileges the application needs rather than administrative rights, so a compromised application account cannot read or alter more than it has to.

Use a web application firewall such as ModSecurity. A web application firewall can mitigate the risk of attacks against a store’s front-end, including SQL injection and cross-site scripting attempts, by blocking requests that match known attack patterns before they reach the application. It is a safety net for the vulnerabilities you have not patched yet, not a replacement for patching. Hostdedi uses the advanced ModSecurity WAF on Magento and WooCommerce hosting accounts. To learn more, check out our post on Why ModSecurity Should Be Your Web Application Firewall.

Use two-factor authentication on your Magento or WooCommerce store. The easiest way for an attacker to breach a store’s defenses is to guess the right password, or to reuse one leaked from another site. Simple passwords, popular passwords, and passwords based on dictionary words are easy to guess. Long and random passwords are difficult to guess, and the longer they are, the more difficult it becomes. However, we can’t always trust users (or even developers) to choose a long and random password, or to use it on only one site. Two-factor authentication, as provided by Hostdedi’s Sentry extension for Magento, means a guessed or stolen password alone is not enough to log in: the attacker also needs the one-time code from a device the account owner holds.

Disable unused store and server accounts. Unused accounts serve no purpose and increase the surface area of a store that can be attacked. Audit the user accounts on your store and server, deleting those you no longer need. On a related matter, when giving an employee or third-party access to your store, use a unique account created for the purpose, with only the permissions that job requires. Once they no longer need access, delete the account.

Be aware of supply-chain attacks. The Magecart malware often finds its way onto eCommerce stores via a supply-chain attack. Instead of attacking stores directly, criminals target software used by stores: JavaScript libraries, extensions, themes, and so on. When the eCommerce store is updated, or when a shopper’s browser loads a script from a compromised CDN, the malicious code is delivered along with the legitimate software. Supply-chain attacks are difficult to defend against, but store owners should exercise caution when sourcing software. Use extensions from official repositories or trusted developers. Keep an eye on vulnerability reports for software downloaded from third-party sources, such as CDNs or GitHub. Consider implementing Content Security Policy and Subresource Integrity on your store: a Content Security Policy tells the browser which hosts it may load scripts from and which hosts the page may send data to, so an injected skimmer cannot pull in extra code or post card numbers to an unlisted server; Subresource Integrity lets the browser verify that a script fetched from a CDN is byte-for-byte the version you reviewed, and refuse to run it otherwise.

If attackers can’t get malicious code into your store’s pages, they can’t steal your shoppers’ details or credit card numbers. By following a few security best practices, you substantially reduce the risk of data theft.

Posted in:
eCommerce, Magento


The New Drupal Layout Builder

April 10, 2019 – Drupal 8.7 is just three weeks away, and with it will come the Drupal layout builder.

Drupal has always been about accessibility, and the last several years have only seen that commitment ramp up as the teams behind the open source platform have begun to invest more in matching the true ideals of open source.

The layout builder marks a new stage in the CMS’s life; one in which content creators and managers no longer have to rely on developers for the minutiae of complex Drupal builds. Instead, content updates can be deployed quickly and effectively through a WYSIWYG editing interface.

The New Layout Builder: What to Expect

The new layout builder is essentially a WYSIWYG editor with default theme previews, per-entity customization, and a connection between entity displays, views, and other blocks.

A powerful design tool, Drupal’s layout builder goes beyond standard layout builders by allowing sitewide edits to templated content. This means that site builders and content managers can add content to pages throughout a site with minimal effort and time commitment.


Another strong feature is the ability for content creators to easily create and push custom pages with unique designs and layouts. By adding blocks to a blank page, creators can easily push videos, maps, text, or custom-built widgets. As adoption increases for the layout builder, we expect more modules to appear that will add increasingly diverse functionality to the builder.

The Layout Builder: When Can I Get It?

If you’re looking to stay ahead of the crowd, you can actually download and install the beta module for the layout builder now. This will give you access and time to explore the new feature’s functionality before going live with it.

The full release will be with Drupal 8.7 in three weeks. Keep an eye on the layout initiative page for more up-to-date information.

Hostdedi and the New Layout Builder

If you’re looking to start adopting Drupal and the new layout builder with Hostdedi, you can currently install the module on your Drupal instance and begin working with it. Alternatively, when Drupal 8.7 is released, you can either update your instance yourself, or you can get in touch with our support team and they will update your Drupal site for you.

As always, we recommend testing any new updates on a development site before going live. We especially suggest doing so with the layout builder, to see how and if it will affect your existing site.  

Posted in:
Drupal
