If you think you’ve heard a lot about data breaches in recent years, you’re not alone – internet security is an ongoing concern for everyone, but especially if you run a digital product store.
It’s one thing to protect yourself, but when you are responsible for handling the money and sensitive information of your customers, security becomes an even greater priority. If you’re an expert on the topic, that’s no problem, but many people aren’t.
The fact is that security is a complex thing, but while a 100% impenetrable website may never exist, there are multiple components that can be optimized to minimize risk. So, what are some practical steps you can take to keep your business and your customers safe from intrusive forces?
We’ve put together this brief guide to help you out, so you can keep moving forward and worry less!
Why should you be concerned?
Websites of all shapes and sizes are at risk of being compromised, but unfortunately, small businesses can be especially vulnerable. Site owners who run smaller-scale stores tend to underestimate the threat due to their lack of visibility compared to big names, but the truth is that hackers are often specifically looking for sites with more lax security.
Regardless of the scale of your operation, protecting your site may seem daunting, but it’s doable!
Stay up to date
When it comes to internet security, one thing that tends to get overlooked is the importance of software and security updates. This includes your computer operating system, content management platforms like WordPress, and any software and plugins you may use.
Using the latest versions of WordPress and WordPress plugins in particular is essential, as falling behind can actually put your website in a vulnerable position. How is that? Well, consider that the vast majority of security breaches happen to websites that are running out-of-date software!
Often, the updates themselves are released precisely to fix a security issue or vulnerability of some kind, so keeping on top of the latest releases is the very least you can do.
Be conservative with plugins
Plugin vulnerabilities account for well over 50% of compromised WordPress sites, according to Wordfence – which means that plugins should be high up on your list when it comes to security. While WordPress is fairly secure overall, it is not immune to security threats.
Use caution when installing plugins on your site, taking care to check them for high ratings and reviews – or a lot of installs, if taken from WordPress.org. Plugins that are actively updated, and from trusted or reputable sources will always be your best bet! As a general rule, avoid “nulled” or pirated themes or plugins, as some may have malware injected into them.
Lastly, only install what you need. If a plugin isn’t necessary, skip it, and if there are dormant plugins that you’re no longer using, uninstall and remove them. It’s better to err on the side of caution than to have regrets (and damage) later! Plus, keeping your plugins on the lean side not only minimizes security risk; it also makes for a faster-loading, less bloated, and more stable site.
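Both of the points above (keep everything updated, and remove plugins you no longer use) come down to knowing, at any moment, which plugins are installed but inactive and which have a pending update. The following is an added example written for this guide, not code from the article or from Easy Digital Downloads: a small must-use plugin that builds that list from WordPress's own plugin and update APIs and emails it to the site admin once a day. All edd_guide_* names are assumptions; the hooks and functions it calls (get_plugins, is_plugin_active, wp_update_plugins, get_site_transient, wp_schedule_event, wp_mail) are core WordPress.

```php
<?php
/**
 * Plugin audit: list inactive plugins (candidates for removal) and plugins
 * with an update pending (candidates for updating now), and email the
 * report daily. Added example for this guide, not code from the article or
 * from Easy Digital Downloads. Drop it in wp-content/mu-plugins/, or run the
 * function ad hoc with WP-CLI:  wp eval 'print_r( edd_guide_plugin_audit() );'
 * All edd_guide_* names are assumptions made for illustration.
 */

/**
 * @return array{inactive: string[], outdated: array<string, string>}
 *         Plugin files keyed as WordPress keys them, e.g. "akismet/akismet.php".
 */
function edd_guide_plugin_audit() {
    if ( ! function_exists( 'get_plugins' ) ) {
        // get_plugins() lives in wp-admin, so it is not loaded on cron/CLI runs.
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $report = array( 'inactive' => array(), 'outdated' => array() );

    // get_plugins() reads the header of every plugin on disk, active or not.
    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
        if ( ! is_plugin_active( $plugin_file ) && ! is_plugin_active_for_network( $plugin_file ) ) {
            $report['inactive'][] = $plugin_file;
        }
    }

    // Refresh the update cache rather than trusting a possibly stale transient.
    wp_update_plugins();
    $updates = get_site_transient( 'update_plugins' );
    if ( isset( $updates->response ) && is_array( $updates->response ) ) {
        foreach ( $updates->response as $plugin_file => $info ) {
            $report['outdated'][ $plugin_file ] = isset( $info->new_version ) ? $info->new_version : '?';
        }
    }

    return $report;
}

/** Render the report as plain text; empty string when nothing needs attention. */
function edd_guide_plugin_audit_text( array $report ) {
    $lines = array();
    foreach ( $report['inactive'] as $plugin_file ) {
        $lines[] = "INACTIVE (remove if unused): $plugin_file";
    }
    foreach ( $report['outdated'] as $plugin_file => $version ) {
        $lines[] = "UPDATE AVAILABLE ($version): $plugin_file";
    }
    return implode( "\n", $lines );
}

// Daily email to the site admin, sent only when there is something to report.
add_action( 'edd_guide_plugin_audit_event', function () {
    $text = edd_guide_plugin_audit_text( edd_guide_plugin_audit() );
    if ( '' !== $text ) {
        wp_mail( get_option( 'admin_email' ), 'Plugin audit for ' . home_url(), $text );
    }
} );

// Register the daily event once; wp_next_scheduled() stops it from stacking up.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'edd_guide_plugin_audit_event' ) ) {
        wp_schedule_event( time(), 'daily', 'edd_guide_plugin_audit_event' );
    }
} );
```

An inactive plugin still sits on disk with its code reachable, which is why the report treats "inactive" as "delete it" rather than "harmless"; and because WP-Cron only fires on page views, a low-traffic store should trigger it from a real system cron job so the daily report actually goes out.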
Make sure your web hosting is as secure as possible
Hosting is an essential part of any website – and a good web host can provide you with peace of mind knowing that your security bases are covered. So, what should you expect from your host?
Some hosts offer built-in firewall management (like Kinsta, Cloudways, etc.) so that when new vulnerabilities are discovered, you will be protected. But, what if your site does get compromised? To be prepared for this, look for a host that has a good backup and restore policy.
Cloud-based hosting is also something to consider, if you don’t use it already. One of the advantages is the reliability and increased security of using a large number of physical servers in different secure data centers. Another advantage is that this type of host tends to have more experience with different types of attacks due to hosting many different types of sites. Consequently, they can adapt the rules to offer a wider range of protection.
If your site is self-hosted, it’s important to make sure that the server stack (server software) is up to date, using the latest versions of PHP, MySQL, Apache, Nginx, etc. If you use cloud / managed hosting, this will probably be taken care of for you, reducing the stress and work for you – and allowing you to focus on your business!
One of the bonuses of going with a dedicated managed WordPress host is that the server software stack will be optimized specifically for hosting WordPress sites, enhancing performance, security, and stability all at once.
Lock down your accounts
Another potentially vulnerable element of digital stores is user accounts – especially when it comes to brute force attacks. To protect against these kinds of attacks, consider the following precautions:
- Enforce strong passwords. Requiring (or encouraging) customers to create more complicated passwords is a good security practice. In terms of your own passwords, long, randomly generated passwords with a mixture of characters are the way to go, as they are much harder to crack. Use a password manager like LastPass or 1Password to keep everything secure and organized with randomly-generated passwords.
- Create unique usernames for admin accounts. Steer clear of obvious usernames like admin. Unique (ideally random) ones provide you with extra protection against brute force attacks.
- Implement two-factor authentication. If possible, add a two-factor authentication option to your login process, giving customers the ability to further protect their accounts. Of course, it’s especially important to use this security measure for your own accounts as well!
- Only have user accounts if you really need them. Unless it’s absolutely necessary, having customer accounts only adds to your security (and liability) concerns. Consider forgoing them altogether. For example, EDD customers can get access to their purchases in purchase receipts without registering on the website.
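Two of the precautions above, slowing down brute force attempts and requiring stronger passwords, can be enforced in WordPress itself rather than left to users. The following is an added example written for this guide, not code from the article or from Easy Digital Downloads: a must-use plugin that locks a username out after repeated failed logins, using the wp_login_failed action and the authenticate filter that every form calling wp_signon() passes through, and that applies a minimum-length password policy on the core reset and profile forms. All edd_guide_* names and the limits (5 failures, 15 minutes, 12 characters) are assumptions for illustration; a store plugin's own registration form would need the equivalent hook from that plugin, which this example does not cover.

```php
<?php
/**
 * Account hardening for a WordPress store: login throttling plus a password
 * policy. Added example for this guide, not code from the article or from
 * Easy Digital Downloads. Intended as a must-use plugin (wp-content/mu-plugins/).
 * Every edd_guide_* name and every limit below is an assumption for illustration.
 */

const EDD_GUIDE_MAX_FAILURES     = 5;                      // failures before lockout
const EDD_GUIDE_LOCKOUT_SECONDS  = 15 * MINUTE_IN_SECONDS;  // lockout / counting window
const EDD_GUIDE_MIN_PASSWORD_LEN = 12;

/** Transient key for a username; case and whitespace variants share one counter. */
function edd_guide_lock_key( $username ) {
    return 'edd_guide_lock_' . md5( strtolower( trim( (string) $username ) ) );
}

/** True once the username has hit the failure limit inside the window. */
function edd_guide_is_locked( $username ) {
    return (int) get_transient( edd_guide_lock_key( $username ) ) >= EDD_GUIDE_MAX_FAILURES;
}

// Count every failed attempt. wp_login_failed fires from wp_authenticate(),
// so wp-login.php, XML-RPC and any form that calls wp_signon() are all covered.
add_action( 'wp_login_failed', function ( $username ) {
    $key = edd_guide_lock_key( $username );
    // Re-setting the transient restarts the window, so attempts made during a
    // lockout extend it instead of waiting it out.
    set_transient( $key, (int) get_transient( $key ) + 1, EDD_GUIDE_LOCKOUT_SECONDS );
} );

// Refuse locked accounts. Priority 30 runs after the core password check
// (priority 20), which returns a WP_User for a correct password regardless of
// what earlier filters returned, so the lockout has to be applied last.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' !== (string) $username && edd_guide_is_locked( $username ) ) {
        return new WP_Error(
            'edd_guide_locked',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( edd_guide_lock_key( $user_login ) );
} );

/**
 * Password policy: returns an error message, or null when the password passes.
 * Long passphrases are accepted; the hard rules are minimum length and not
 * embedding the account's own username or email address in the password.
 */
function edd_guide_password_problem( $password, $user_login = '', $user_email = '' ) {
    $password = (string) $password;
    if ( strlen( $password ) < EDD_GUIDE_MIN_PASSWORD_LEN ) {
        return sprintf( 'Passwords must be at least %d characters long.', EDD_GUIDE_MIN_PASSWORD_LEN );
    }
    $lowered = strtolower( $password );
    $login   = strtolower( (string) $user_login );
    $local   = strtolower( strstr( (string) $user_email, '@', true ) ?: '' ); // part before the @
    if ( '' !== $login && false !== strpos( $lowered, $login ) ) {
        return 'Passwords must not contain your username.';
    }
    if ( strlen( $local ) >= 4 && false !== strpos( $lowered, $local ) ) {
        return 'Passwords must not contain your email address.';
    }
    return null;
}

// Apply the policy where core WordPress sets or changes a password: the reset
// form (validate_password_reset) and the profile screen
// (user_profile_update_errors). Both submit the new password as pass1.
$edd_guide_check_posted_password = function ( WP_Error $errors, $user ) {
    if ( ! isset( $_POST['pass1'] ) || '' === $_POST['pass1'] ) {
        return; // no password change in this submission
    }
    // $user is a WP_User on the reset form and a stdClass on the profile screen.
    $login   = isset( $user->user_login ) ? (string) $user->user_login : '';
    $email   = isset( $user->user_email ) ? (string) $user->user_email : '';
    $problem = edd_guide_password_problem( wp_unslash( $_POST['pass1'] ), $login, $email );
    if ( null !== $problem ) {
        $errors->add( 'edd_guide_weak_password', $problem );
    }
};
add_action( 'validate_password_reset', $edd_guide_check_posted_password, 10, 2 );
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) use ( $edd_guide_check_posted_password ) {
    $edd_guide_check_posted_password( $errors, $user );
}, 10, 3 );
```

Keying the counter on the username rather than the client IP is deliberate: behind Cloudflare or any other proxy, REMOTE_ADDR is the proxy's address unless the server has been configured to trust the forwarded-IP header, and trusting it blindly lets the header be forged. The trade-off is that anyone who knows an account name can keep it locked, which is one more reason for the guide's advice to give admin accounts unguessable usernames and a second factor.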
Take additional protective measures
Looking for some more ways to improve your site security? Here are a few more ideas you might want to think about:
- Put your site behind Cloudflare. Free to use, Cloudflare is a DNS provider that offers both CDN (content distribution network) and firewall protection. It’s a bit like a middleman between the internet and your site – and because millions of sites are already behind Cloudflare, if malicious users have already tried any tactics on other sites, they will be automatically blocked or challenged before they get to yours. Consider using the Pro version if you want to enable WordPress-specific firewall rules.
- Consider blocking countries that are high-risk for fraud and hacking. Although it might seem like a more extreme measure, depending on your target demographic and customer base, you might find that minimizing any security risk is more valuable to you than the sales you get from those countries.
- Block temporary email addresses from purchasing or signing up for your site. Temporary email addresses (or email addresses that self-destruct after a short period of time) are frequently used in the case of site attacks to allow the attacker enough time and access to do the dirty work. The Validator.pizza plugin helps to prevent temporary email addresses from registering or commenting on your site.
- Use Google Suite for your company email. Not only is it better for scalability; it’s also more secure because your emails are stored off-site / within Gmail.
- Install a good spam plugin. If you want to reduce the amount of spam you get on blog posts, content pages, or contact forms, consider using a plugin like Akismet. In general, only enable comments if you really need them!
- Keep it minimal. The less “attack surface” (or total digital real estate with potential vulnerabilities) that you have, the better. Only use what you need and skip the rest!
Be proactive and ever-vigilant
Above all, staying one step ahead of the game is the best thing you can do to protect your digital product store from falling prey to attackers. Whatever you need to do – whether it’s subscribing to internet security newsletters and software update alerts, following relevant publications, and educating yourself on the terminology, methods, and latest news – do it!
Take the initiative to learn, and understand that whether you’re just getting started, or if you’ve run your store for years, your security work is never done. While your marketing, social media, product, and content decisions might be up for debate and experimentation, your site security is no casual matter – and you owe it to yourself, your hard work, and your customers to be prepared.
What are some of the most effective methods you’ve used to improve security for your own digital product store? Join the conversation below!
Great advice! Unfortunately for the last year I could not find any two-factor authentication plugin which works with / is currently supported by the edd-login method – any news on that?
Thanks for your kind words on the article!
We are looking to introduce support for two-factor authentication plugins eventually (though no given date at this time), with the shift towards using the wp_signon() function/method for our login forms, which will allow security plugins to “hook” in and apply the rules required.