WooCommerce Security - WordCamp OC 2018


  1. SECURING YOUR WOOCOMMERCE SITE. WordCamp OC 2018
  2. HI, I'M JAMIE SCHMID: SiteLock Community Evangelist, WP Developer & Designer. @jamieschmid @sitelock
  3. IS YOUR SITE SECURE?
  4. IS YOUR SITE SECURE? TICKETFLY'S WASN'T.
  5. WHAT WE'LL COVER: • External factors influencing your website decisions • Overview of a typical customer ecommerce journey • Security vulnerabilities, risks and solutions along the way
  6. EXTERNAL FACTORS INFLUENCING YOUR WEBSITE DECISIONS: • GDPR • loading speed • ease of payment processing • need to save data for returning customers • internal organization rules
  7. OVERVIEW OF A TYPICAL CUSTOMER ECOMMERCE JOURNEY
  8. SECURITY VULNERABILITIES, RISKS AND SOLUTIONS ALONG THE WAY
  9. User is on public wifi at a coffeeshop. RISKS: • Man-in-the-middle attack • The router may be unencrypted • Her OS may have malware • Someone may be snoopin' & sniffin' • The hotspot may be malicious
  10. User is on public wifi at a coffeeshop. SOLUTIONS. She should: • Use a VPN • Force SSL/HTTPS in her browser (browser setting: Always use HTTPS) • Have active security software on her laptop (Norton etc.)
  11. User lands on your site via a Facebook ad. RISKS: • Lead data is recorded by Facebook and analytics • Username enumeration • Passwords may not be stored securely • Host may not be secure
  12. User lands on your site via a Facebook ad. RISKS (continued): • Your site may already be compromised • Is your site vulnerable to DDoS? • Are bots targeting your site? • Do you have a backup in case your site goes down?
  13. User lands on your site via a Facebook ad. SOLUTIONS: • SSL/HTTPS • Admins have strong passwords/login info, no password reuse! • Lockout policy/login lockdown in place • Keep core, all plugins and themes up to date • Use 2-step auth
  14. User lands on your site via a Facebook ad. SOLUTIONS (continued): • 2-step auth plugins: Authy, Duo, Google Authenticator • Login Lockdown plugin • SiteLock central dashboard for updates; ManageWP, InfiniteWP plugins
  15. User lands on your site via a Facebook ad. SOLUTIONS (continued): • Have a good host with all your server software up to date. PHP 7 is recommended by WordPress. • Use a firewall! • Access your site via SSH/SFTP, not plain FTP • Automate backups! UpdraftPlus, host-level backups
  16. User lands on your site via a Facebook ad. SOLUTIONS (continued): • Application-level firewalls: SiteLock, Sucuri • WordPress firewalls: Jetpack, All-in-One, Wordfence • CDN: SiteLock, Cloudflare, Jetpack • Malware watch and removal: SiteLock, Jetpack, Sucuri, iThemes; your host may offer this service for a charge • Fail2Ban plugin for brute force
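The "username enumeration" risk on slide 11 and the "lockout policy/login lockdown" solution on slide 13 can both be handled in a few lines of WordPress code. The following is an example added here; it is not code from the talk nor from any plugin the talk names. It is a must-use plugin (dropped into wp-content/mu-plugins/) that closes the two usual username leaks, the /?author=N redirect and the REST users route, returns one generic login error, and locks out a client address after repeated failures using a transient. The hooks are standard WordPress hooks; the limits, the transient key prefix and every lh_* name are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Login hardening (example mu-plugin)
 * Example code written for this page, not the presenter's and not any plugin named in
 * the talk. Drop it into wp-content/mu-plugins/. The limits, the transient key prefix
 * and all lh_* names are assumptions; the hooks are standard WordPress hooks.
 */

// ---------- 1. Username enumeration ----------

// /?author=1 normally 301-redirects to /author/<login>/, leaking the login name.
// Priority 1 runs before redirect_canonical(), so that Location header is never sent.
add_action( 'template_redirect', function () {
    if ( is_author() || ! empty( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// /wp-json/wp/v2/users lists every user who has published; hide it from anonymous callers.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// The default errors differ for "unknown user" and "wrong password"; give one answer.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );

// ---------- 2. Lockout after repeated failures ----------

const LH_MAX_FAILURES = 5;        // assumption: tune for your users
const LH_LOCKOUT_SECS = 15 * 60;  // assumption: 15 minutes

// Counter key per client address. REMOTE_ADDR is the only address PHP can trust; if a
// CDN/proxy sits in front, have the web server rewrite REMOTE_ADDR from the proxy's
// real-IP header rather than reading X-Forwarded-For here (clients can forge it).
function lh_failure_key() {
    return 'lh_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count failures; every attempt during a lockout extends it. (get/set is not atomic,
// which is acceptable for a lockout counter.)
add_action( 'wp_login_failed', function () {
    $key = lh_failure_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LH_LOCKOUT_SECS );
} );

// Priority 30 runs after the core password check (priority 20), so a locked-out client
// gets this error whether the password was right or wrong and learns nothing either way.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lh_failure_key() ) >= LH_MAX_FAILURES ) {
        return new WP_Error( 'lh_locked_out', 'Too many failed logins from your address. Try again in 15 minutes.' );
    }
    return $user;
}, 30 );

// A successful login clears the counter.
add_action( 'wp_login', function () {
    delete_transient( lh_failure_key() );
} );
```

Transients live in the options table (or the object cache if one is configured), so this works on a single server without extra infrastructure; a plugin such as Login Lockdown or a host-level Fail2Ban rule adds what this example leaves out, such as allow-lists and proxy-aware address handling.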
  17. User enters her email in a popup for 10% off with newsletter signup. RISKS: • Third-party plugins are now loaded • WooCommerce, and any other third-party plugins or integrations, may not be secure • Her email info may not be securely stored • Your discount code may have been maliciously generated
  18. User enters her email in a popup for 10% off with newsletter signup. SOLUTIONS: • Keep all plugins up to date • Fully vet your third-party plugins! • Use plugins from the WordPress repository • Read reviews! • Use third-party plugins listed on the WooCommerce website
  19. User reads product reviews. RISKS: • Are these real product reviews or full of spam advertising Viagra and discount Coach bags? • Is the personal information collected in reviews securely stored? • Do you have permission to be storing and collecting this information on users?
  20. User reads product reviews. SOLUTIONS: • Gain user consent for collecting information • Do not allow bots to register on your site: use a captcha, email validation, a honeypot • Many form plugins include captcha options
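A honeypot, the cheapest of the three anti-bot measures on slide 20, is a form field that humans never see but scripted submitters fill in. The example below is added for this page and is not the presenter's code or a plugin's. WooCommerce product reviews are ordinary WordPress comments, so the comment hooks cover the review form; the WooCommerce hooks cover the "My account" registration form. The field name hp_website, the CSS used to hide it and the hp_* function names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Form honeypot (example mu-plugin)
 * Example code added for this page, not the presenter's and not any plugin's. The field
 * name "hp_website" and the hiding CSS are assumptions; the hooks are WordPress and
 * WooCommerce hooks. Pair it with a CAPTCHA if spam still gets through.
 */

// Rendered off-screen with CSS rather than as type="hidden", because naive bots fill
// every visible-in-markup text input and skip hidden ones.
function hp_render_field() {
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true">'
       . '<label>Website <input type="text" name="hp_website" value="" tabindex="-1" autocomplete="off"></label>'
       . '</p>';
}

// True when something put a value into the field no human could see.
function hp_tripped() {
    return isset( $_POST['hp_website'] ) && '' !== trim( (string) $_POST['hp_website'] );
}

// Product reviews = WordPress comments. Render the field for anonymous and logged-in
// visitors, then check it before the comment is saved.
add_action( 'comment_form_after_fields', 'hp_render_field' );
add_action( 'comment_form_logged_in_after', 'hp_render_field' );
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( hp_tripped() ) {
        wp_die( 'Your submission looked automated and was not saved.', 403 );
    }
    return $commentdata;
} );

// WooCommerce "My account" registration form. The filter receives a WP_Error to fill.
add_action( 'woocommerce_register_form', 'hp_render_field' );
add_filter( 'woocommerce_registration_errors', function ( $errors, $username, $email ) {
    if ( hp_tripped() ) {
        $errors->add( 'honeypot', 'Registration failed. Please try again.' );
    }
    return $errors;
}, 10, 3 );

// Bots also hit wp-login.php?action=register. Turn WordPress-core open registration off;
// WooCommerce account creation has its own setting and is unaffected.
add_filter( 'option_users_can_register', '__return_zero' );
```

The registration error message is deliberately vague so a bot operator cannot tell which check caught them. Email validation of the format is already done by WooCommerce (is_email); what the slide is really after is confirming the address belongs to the person, which needs a confirmation email with a token and is left to a plugin.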
  21. User clicks through to checkout. RISKS: • Checkout could be intercepted by a third party • Credit card data could be stolen • Payment processor may not be secure
  22. User clicks through to checkout. SOLUTIONS: • Make sure checkout is secure • SSL! You NEED that lock symbol! • PCI compliance, certified • Use a trusted third-party processor that stores card data off-site
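"SSL! You NEED that lock symbol!" takes more than installing a certificate: every plain-HTTP request must be sent to HTTPS, and browsers should be told never to try HTTP again. The example below is added for this page and is not the presenter's code. It assumes the certificate is already installed (Let's Encrypt or host-provided) and that the WordPress Address and Site Address settings already start with https://; the function and header values are assumptions made for this example. In wp-config.php also add define( 'FORCE_SSL_ADMIN', true ); so wp-admin and wp-login.php are only served over HTTPS.

```php
<?php
/**
 * Plugin Name: Force HTTPS (example mu-plugin)
 * Example added for this page, not the presenter's code. Place in wp-content/mu-plugins/.
 * Assumes a valid certificate is installed and Site/WordPress Address are https://.
 * Also add define( 'FORCE_SSL_ADMIN', true ); to wp-config.php for the dashboard and login.
 */

// 0. Behind a CDN or load balancer that terminates TLS (Cloudflare, many hosts), PHP sees
//    plain HTTP and is_ssl() returns false, which would make step 1 loop forever.
//    Trust the proxy's header ONLY if the proxy is the sole way to reach this server;
//    anyone who can reach PHP directly could forge it. wp-config.php is the usual place
//    for this; an mu-plugin also loads before WordPress evaluates the SSL constants.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// 1. Any plain-HTTP front-end request: redirect to the same URL over HTTPS.
//    Priority 1 runs before the canonical redirect, so no HTTP-to-HTTP hop happens first.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $host = $_SERVER['HTTP_HOST'] ?? '';
    $uri  = $_SERVER['REQUEST_URI'] ?? '/';
    // wp_safe_redirect() only follows hosts WordPress trusts (its own home host by
    // default), so a forged Host header cannot turn this into an open redirect.
    wp_safe_redirect( 'https://' . $host . $uri, 301 );
    exit;
}, 1 );

// 2. HSTS: after one HTTPS visit the browser refuses plain HTTP for a year, which
//    also defeats the coffee-shop man-in-the-middle from slide 9. Only keep
//    includeSubDomains once every subdomain (mail., dev., ...) serves HTTPS.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

Test the redirect with curl -I http://your-shop.example/checkout/ and look for a single 301 to the https:// URL, then load the checkout page in a browser and confirm the console shows no mixed-content warnings; a padlock that disappears on the payment step usually means an image or script is still referenced over http://.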
  23. User creates a new account. RISKS: • User's account information is now linked to their email, name, address, the password they used, potentially credit card info • User's account information may already be compromised • User's password may be easy to guess
  24. User creates a new account. SOLUTIONS: • Force secure passwords on new user accounts • Make sure you are not storing credit card data on the same server • Make sure your database is on a different server from your website
  25. User submits payment and order information. RISKS: • Is your checkout secure???
  26. User submits payment and order information. SOLUTIONS: • SSL! You NEED that lock symbol! • PCI compliance, certified • Use a trusted third-party processor that stores information off-site • Enforce strong password use: iThemes Security plugin, Force Strong Passwords plugin
  27. User submits payment and order information. SOLUTIONS (continued): • SSL: Let's Encrypt, wildcard, go with a host who offers SSL!
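Slides 24 and 26 both ask for strong passwords to be enforced, and name plugins that do it. For a site that would rather own the rule, the example below is added for this page (not the presenter's code and not either plugin's) and shows where a password policy has to be hooked in so that no WooCommerce or WordPress form slips past it: registration, checkout account creation, account details, password reset and the admin user screens. The hook names are WordPress and WooCommerce hooks; the minimum length, the tiny deny list and the $_POST field names are assumptions taken from the default forms, so check them against a customised theme.

```php
<?php
/**
 * Plugin Name: Password policy (example mu-plugin)
 * Example code added for this page, not the presenter's or a plugin's. Hook names are
 * WordPress/WooCommerce hooks; PP_MIN_LENGTH, the deny list and the $_POST field names
 * are assumptions taken from the default forms.
 */

const PP_MIN_LENGTH = 12; // assumption

// Returns null when the password is acceptable, otherwise a message for the user.
function pp_check_password( $password, $username = '', $email = '' ) {
    $password = (string) $password;
    if ( strlen( $password ) < PP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', PP_MIN_LENGTH );
    }
    // A tiny deny list for illustration; use a real breached-password list in production.
    $common = array( 'password1234', 'qwertyuiop12', 'iloveyou1234', '123456789012' );
    if ( in_array( strtolower( $password ), $common, true ) ) {
        return 'That password is too common.';
    }
    // Reject passwords built from the account name or the mailbox part of the e-mail.
    foreach ( array( $username, strstr( (string) $email, '@', true ) ) as $part ) {
        if ( strlen( (string) $part ) >= 4 && false !== stripos( $password, $part ) ) {
            return 'Passwords must not contain your username or e-mail address.';
        }
    }
    return null;
}

// WooCommerce "My account" registration (field: password).
add_filter( 'woocommerce_registration_errors', function ( $errors, $username, $email ) {
    $msg = pp_check_password( wp_unslash( $_POST['password'] ?? '' ), $username, $email );
    if ( $msg ) { $errors->add( 'weak_password', $msg ); }
    return $errors;
}, 10, 3 );

// Checkout "Create an account" (field: account_password). $data is WooCommerce's posted data.
add_action( 'woocommerce_after_checkout_validation', function ( $data, $errors ) {
    if ( ! empty( $data['createaccount'] ) && isset( $_POST['account_password'] ) ) {
        $msg = pp_check_password( wp_unslash( $_POST['account_password'] ),
                                  $data['account_username'] ?? '', $data['billing_email'] ?? '' );
        if ( $msg ) { $errors->add( 'weak_password', $msg ); }
    }
}, 10, 2 );

// "My account" > Account details (field: password_1). $user here is a plain object
// carrying the submitted e-mail, so take the login name from the current user.
add_action( 'woocommerce_save_account_details_errors', function ( $errors, $user ) {
    if ( ! empty( $_POST['password_1'] ) ) {
        $msg = pp_check_password( wp_unslash( $_POST['password_1'] ),
                                  wp_get_current_user()->user_login, $user->user_email ?? '' );
        if ( $msg ) { $errors->add( 'weak_password', $msg ); }
    }
}, 10, 2 );

// Password reset: WooCommerce's form posts password_1, wp-login.php posts pass1.
// $user is a WP_Error when the reset key is invalid, hence the instanceof guard.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $raw = $_POST['password_1'] ?? $_POST['pass1'] ?? null;
    if ( null !== $raw && $user instanceof WP_User ) {
        $msg = pp_check_password( wp_unslash( $raw ), $user->user_login, $user->user_email );
        if ( $msg ) { $errors->add( 'weak_password', $msg ); }
    }
}, 10, 2 );

// Admin "Add New User" and profile screens (field: pass1), so admins follow the same rule.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $_POST['pass1'] ) ) {
        $msg = pp_check_password( wp_unslash( $_POST['pass1'] ), $user->user_login ?? '', $user->user_email ?? '' );
        if ( $msg ) { $errors->add( 'weak_password', $msg ); }
    }
}, 10, 3 );
```

Length is the one rule worth enforcing hard; character-class rules mostly produce "Password1!" and are not required by current NIST guidance, which is why the check above prefers a minimum length plus a deny list. The deny list here is a placeholder: in production it should be a breached-password list or a lookup against a service such as Have I Been Pwned's k-anonymity range API.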
  28. User receives confirmation in email. RISKS: • Someone may have access to her email, enabling them to see all her account information and receipts
  29. User receives confirmation in email. SOLUTIONS: • Never send the user's password via email • Do not include credit card information in email
  30. User shares her purchase on Facebook. RISKS: • Connection may be insecure • Plugin may be insecure
  31. User shares her purchase on Facebook. SOLUTIONS: • Use a secure connection to authenticate to Facebook • Use a trusted third-party plugin if you are not an API developer • ShareIt!
  32. ECOMMERCE SITES ARE A LOT OF WORK. You may be tempted to skip out on security. Time or budget may be tight. Your client may not be convinced it is needed. DO NOT SKIP SECURITY! Website security is on you, the developer. Require security as part of your web development process. Educate clients on its importance.
  33. TOGETHER WE CAN MAKE THE INTERNET A SAFER PLACE FOR EVERYBODY!
  34. THANK YOU! SECURING YOUR WOOCOMMERCE SITE @jamieschmid
