
31 October 2019

David Deppner talks security

Hello there and welcome back to the Hussey Coding blog.

In June of 2019, founder of Hussey Coding and Developer Connection, Jonathan Hussey and I attended the Meet Magento UK conference. It was a great day all round for learning, sharing, connecting and most importantly acquiring great swag! (free stuff). As a side note, if you are ever on the fence about attending this event, please get in touch, we'd love to push you over the edge and encourage you to go, you won't regret it! While we were there, we heard a seminar by David Deppner, founder and CEO of Psyberware.

In this talk, David brings a case study of a medium and large-sized American company that has discovered that they are under attack. He talks about the extent of that attack and some of the vulnerabilities that led to its success. He goes on to give us 10 tips to create better security in our companies, some of which we've touched on in our blogs (5 EASY STEPS TO BETTER SECURITY and ANOTHER 5 TIPS TO SECURE YOUR STORE).

The video is just under 25 minutes long and is full of great tips and warnings that anyone with a Magento store or developing Magento should be paying attention to! Follow this link to watch it now on YouTube.

David Deppner - Meet Magento UK 2019

We hope you have enjoyed and found this series on cybersecurity helpful. Our passion here at Hussey Coding is to help the community become a safer, more secure environment and we would love to hear your thoughts on these blogs. Would you add some things? Maybe prioritise some things that we didn't? Is there something you were hoping we would cover but didn't? We would love to hear your ideas and suggestions on how we can improve and expand and in turn, help the community to grow, so please leave us a comment and let us know.


Thank you as always for letting us be a part of your day, we look forward to seeing you back here soon for another Hussey Coding blog but until then, stay safe and have a great day.

You can also join all the fun on our various social media profiles
Facebook - facebook.com/husseycoding
Twitter - twitter.com/husseycoding
LinkedIn - linkedin.com/company/hussey-coding

Sign up to developer connection at www.developerconnection.co.uk
Facebook - facebook.com/DeveloperConnection
Twitter - twitter.com/devconnectionuk
LinkedIn - linkedin.com/company/developer-connection


29 October 2019

In the aftermath of a cyberattack

Hey there and welcome back to another edition of the Hussey Coding blog.


Recently we talked about the necessity of having a RESPONSE PLAN; click the link if you missed it. Today we're going to expand on parts three and four of our response plan, looking at some simple things that you can build into your company's DNA to help make recovery an easier task when you find yourself ...

The attack has happened, it's been dealt with and your company has survived. Now you are left looking over reports and having conversations about the damage that was caused to your store, systems and even your company's reputation.

But what now? What are the steps you take to prevent another attack? Remember, just because you got through this one, doesn't mean there isn't another attack on its way! In fact, if someone is specifically targeting your company, then now is the perfect time to try again!

Here are 5 things that we recommend you do as standard in the aftermath of an attack.


#1 - Change your passwords

All of them, now! And not just yours, your staff's too. There is no guaranteed way of telling exactly what your attacker had access to while in your systems. If the attacker managed to gain full access to your admin account, then they could have deleted the logs as they went along and hidden their tracks. It could very well be that they have acquired several passwords and login details along the way which, left unchanged, will leave your business wide open to a secondary attack. If you missed our recent blog on CREATING STRONGER PASSWORDS, then click the link to read more about this topic.


#2 - Check your access logs

Now that your passwords are changed, it's time to see who's had access. You're looking for any unauthorised accounts or even old accounts that you may not have deleted. In our blog, 6 COMMON CYBER ATTACKS TO WATCH OUT FOR, we saw that one of the most common motivations for conducting a cyberattack is revenge! Remember that ex-employee or contractor that felt their dismissal was unfair? Or that time communications broke down between you and a third party company? If nobody took the time to remove their login details, then they may still have access to your systems. These are the things that you want to be looking out for.
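One way to run the account review described above, as an added example rather than code from the original post: it compares an export of admin accounts with a staff roster and flags accounts worth a human look. The CSV (columns named after Magento's admin_user table), the roster, the incident window and the finding labels are all constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed export of admin accounts. The column names follow Magento's
# admin_user table; usernames, addresses and dates are made up.
ADMIN_USERS_CSV = """\
username,email,is_active,created,logdate
john,john@shop.example,1,2017-03-01 09:00:00,2019-10-28 08:12:00
katie,katie@shop.example,1,2018-06-11 10:30:00,2019-10-27 16:40:00
contractor1,dev@agency.example,1,2018-01-15 11:00:00,2019-10-20 02:14:00
olduser,sam@shop.example,1,2016-02-02 12:00:00,2018-11-30 17:05:00
support2,help@mail.example,1,2019-10-19 03:07:00,2019-10-19 03:09:00
"""

# Constructed HR roster: username -> leaving date, or None if still employed.
ROSTER = {
    "john": None,
    "katie": None,
    "olduser": None,
    "contractor1": date(2019, 8, 31),
}

# Constructed period during which the attacker is believed to have had access.
INCIDENT_WINDOW = (date(2019, 10, 18), date(2019, 10, 21))


def _parse(stamp):
    """Parse a 'YYYY-MM-DD HH:MM:SS' column; empty means it never happened."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") if stamp else None


def audit_accounts(csv_text, roster, incident_window, today, dormant_days=90):
    """Return {username: [findings]} for every account that needs review."""
    report = {}
    start, end = incident_window
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        active = row["is_active"] == "1"
        created = _parse(row["created"])
        last_login = _parse(row["logdate"])
        findings = []

        if user not in roster:
            # Nobody in the company owns this account.
            findings.append("not-on-roster")
        elif roster[user] is not None:
            left = roster[user]
            if active:
                findings.append("leaver-still-active")
            if last_login and last_login.date() > left:
                findings.append("login-after-leaving")

        # Accounts that appeared while the attacker was inside are suspect.
        if created and start <= created.date() <= end:
            findings.append("created-during-incident")

        # Old accounts nobody uses are the ones that get forgotten.
        last_seen = last_login or created
        if active and last_seen and (today - last_seen.date()).days > dormant_days:
            findings.append("dormant")

        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    result = audit_accounts(ADMIN_USERS_CSV, ROSTER, INCIDENT_WINDOW, date(2019, 10, 29))
    for user, findings in result.items():
        print(f"{user}: {', '.join(findings)}")
```

Accounts with no findings are left out of the report, so an empty result means every account matched the roster and has been used recently.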


#3 - Create backups

Regularly backing up your data will make the process of recovery so much easier!

The more often you back up your database, the less you will lose in the event of an attack. It will also help you keep your store running smoothly while you deal with other aspects of the aftermath. If you don't know how to do this, then check out our blogs on how to back up your M1 and M2 stores by clicking the links.

 

NOTE: Since the writing of this article, Magento 1 no longer receives official support from Adobe. However, there are many still operating on the M1 platform. It is our recommendation that you migrate to M2 sooner rather than later, find out why in our blogs, M1 end of life, what are my options? and Headache or opportunity, migrating to M2.


Make sure that you also back up to a secure external location. If you only back up to one place and that location is compromised, then you stand to lose everything. Saving to one or two external locations will help you during the recovery process.


#4 - Check and update your security

Whether you got a developer or your company dealt with the attack internally, you should conduct a full security rundown of your systems. Check everywhere for anything that the attacker may have left behind to use at a later date. Look for other weaknesses regardless of the way the attacker got in and update the whole security package for your store and any devices that have access to your administration panel.


#5 - Be transparent

When you have done all of these things, and all those involved in dealing with the attack are 100% convinced that your systems are secure again, it's time to ask the question: who needs to know?

You will need to notify anyone who may be affected by the attack: customers, clients, third-party partners and staff.


Why are you waiting until you're sure your company is secure again? If you go right away without being sure, then there is no guarantee that any updated data sent to you by clients or customers is secure, and you may find yourself in a bigger mess than if you were sure.


The key here is to be sensible! Don't do anything you don't need to do but also don't neglect to do the right thing either. If your company has undergone a failed phishing attack, then notify your staff and warn them of it. You don't need to go contacting all of your customers or clients about it. On the other hand, if you've suffered a malware attack and the attacker now has your entire customer database, then you need to contact your customers immediately, informing them of the security breach! Not doing so immediately and attempting to hide this will cause irreparable damage later down the line should the truth be discovered.


Obviously, this all boils down to the moral integrity of your company and the kind of reputation that you want to have. So I leave you with this quote by an old, wise man who once said

"We must all face the choice between what is easy and what is right" - Albus Dumbledore.


Thank you all again for taking the time to read this and all of our blogs thus far, we here at Hussey Coding really do appreciate the support you have shown. Please feel free to leave us a comment here or on our various social media profiles, listed below, we would love to connect with you!

 Until next time stay safe and have a great day.


24 October 2019

The Response plan

Hi there and welcome back to another security-focused blog by Hussey Coding.

You're walking down the street and see a house on fire. Your initial reaction is panic! Then a thought triggers, telling you to call the fire brigade. You dial the emergency number and relay the information; a while later the first responders arrive, assess the situation and then jump into action. Notice that they are first responders, not first reactors. What's the difference?
A reaction is something spontaneous: something happens and you react right away, with no time to think or plan. A response is something planned; it is thought through and prepared. An irrational argument is a reaction, whereas a debate is a response.

Wikipedia describes a first responder as "A person with specialized training who is among the first to arrive and provide assistance at the scene of an emergency, such as an accident, natural disaster or terrorist attack."
The last thing you want when you're under attack by a cybercriminal is panic, chaos, an environment where no one knows what's happening or where things are out of control. This is why you NEED to put in place a ...


The response plan is simple, it's there to tell you and all of your employees what to do when an attack hits or is discovered. Please understand that while tech teams are amazing at what they do, it's not their sole responsibility to make your store or business secure. Attacks can come from anywhere and everywhere and so it is everybody's duty, including yours to keep your business safe.


If your company is being hit with a phishing attack, then providing your staff with an understanding of how this attack works and what it looks like could save your company.

If you're being hit with a DoS attack, then your customer service department will be one of the first to know about it. With the training you've given, they have identified the issue quickly and have alerted all the necessary parties to be able to deal with the attack.


Your response plan needs to be in place from day 1; there's no cool-down period or safe zone when it comes to cyberattacks. You could have launched your store as little as an hour ago and already be under attack, so a good knowledge of what to do next is vitally important! For the majority of businesses, a great deal of damage is done not because their defences were weak but because no one knew how to respond to the attack.


So what needs to be in your response plan?

Ultimately your response plan can be as detailed, as long, as short or as technical as you want it to be, it needs to work for you and your staff. If the plan is too complicated for your team, then you may as well throw it out. On the other hand, if it's void of details on how to deal with something or who to contact when discovering a particular type of attack, then it's equally as useless.

Below is a framework of 4 things that we believe should go into your response plan, please feel free to use, adapt or change it to help secure your store.


#1 - Preparation

The saying goes "if you fail to prepare, then you prepare to fail", and this is true of your response plan. If you fail to produce a response plan, then you are opening your business to fail in the event of an attack. If your staff are not ready to deal with an attack, then you are again preparing your business to fail in the event of an attack.


This step of your plan needs to focus on preparing your company for an attack. Let everyone know what their role is when it comes to cyberattack, who do they contact? In what order do they inform people? What happens when your site goes down? What if it's down for a long time?

Train yourself and your staff to identify various forms of attack. If you've a quiet period in your calendar, schedule a practice attack in a controlled environment to see how your company responds. Remember to make changes where they need to be made, praise staff that did well and encourage those who maybe didn't.


However, this isn't a one and done deal! Schedule time to review the plan, are there new types of cyberattacks? Go back to the response plan, does it need to change to incorporate a new tactic or contact? And if so schedule time to train your staff in these new things. The goal here is to never allow it to become outdated.

The better oiled the machine is, the easier and quicker attacks will be detected, prevented and/or countered. The key with preparation is to encourage the attitude of "I'm ready when it happens" and not "I can't believe this is happening! What do I do now?!"


#2 - Recognition

The next stage is to identify and assess the level of threat to your company. This is where an attack has happened or is happening, and your response plan is put into action. It lets people know what to do, when to do it and how to do it for each type of attack or if they aren't sure what to do then where to go to find out. Let's use a spear-phishing attack as an example.


John from your accounting department has received an e-mail from Katie in purchasing. She's asking for some bank details that she has accidentally deleted because she urgently needs to purchase some supplies. Usually, John would gladly send these details through without question; the e-mail seems legitimate. However, he remembers the training that he and the staff, including Katie, received the previous month. It stated that this kind of request can only be made using the company's internal phone system. John picks up the phone, dials Katie's extension number and asks her to confirm she sent the e-mail. Katie has no knowledge of ever writing it. On closer inspection, John can see that Katie's e-mail address has been slightly altered, and by picking up the phone he has just saved you thousands.


John successfully identifies this as a spear-phishing attack, but he doesn't stop there. He knows that when discovering this type of attack, he is to e-mail all company addresses notifying them of this attack. Anyone receiving a similar e-mail is to report it to Larry on the tech team.

It's then Larry's responsibility to assess and evaluate the threat and respond accordingly. 
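The "slightly altered" address in John's story can also be caught mechanically. The sketch below is an added example, not part of the original post: it compares a From header with a staff directory and flags near-miss addresses and familiar names on unfamiliar addresses. The directory, the shop.example addresses, the distance threshold and the labels are assumptions made up for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed staff directory (assumption): first name -> genuine address.
DIRECTORY = {
    "Katie": "katie@shop.example",
    "John": "john@shop.example",
    "Larry": "larry@shop.example",
}


def normalise(text):
    """Fold case and Unicode compatibility forms so equal-looking text compares equal."""
    return unicodedata.normalize("NFKC", text).strip().lower()


def edit_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute or swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent characters swapped ("shop" -> "hsop") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header, directory=DIRECTORY, max_distance=2):
    """Return (verdict, staff_name) for the From header of a received message."""
    display, address = parseaddr(from_header)
    address = normalise(address)
    known = {normalise(real): name for name, real in directory.items()}

    # An exact match only says the text is right; the header itself can still
    # be forged, which is why the phone call in the story remains the real check.
    if address in known:
        return ("known", known[address])

    # A near miss of a colleague's address is the classic spear-phishing tell.
    distance, closest = min((edit_distance(address, real), real) for real in known)
    if distance <= max_distance:
        return ("lookalike", known[closest])

    # A colleague's name on an unrelated address is the other common trick.
    words = normalise(display).split()
    for name in directory:
        if name.lower() in words:
            return ("display-name-mismatch", name)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Katie <katie@shop.example>",
        "Katie <katie@sh0p.example>",
        "Katie Purchasing <katie.orders@freemail.example>",
        "Offers <news@supplier.example>",
    ):
        print(header, "->", classify_sender(header))
```

Anything other than "known" is a prompt to verify by phone and report to whoever plays Larry's role.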


#3 - Response

Your response will completely depend on the makeup of your company, if you have a team or contracted developers then by this point, you should have handed this over to them. If you don't have a regular developer or development team, then now is the time to pay out for one.

Whoever is dealing with the attack is going to need to focus on containing it to the already affected systems before it has a chance to cause more damage, locating the origin of the attack and discovering any weakness in the systems, eliminating all traces of the attack and then attempting to restore systems and data.

Depending on how long your company has been under attack and its severity, it could be a while until you are fully back up and running. It is frustrating and inconvenient, but you already covered that possibility during your preparation phase, didn't you?


#4 - Learn

Nelson Mandela once said "I never lose, I win or I learn", and this is the final step in your response plan. Once the attack is over and the restoration of your company is underway, it's time to assess the damage and see what can be done to better prevent another attack.

Talk with those who dealt with the attack and find out: did they find a weakness? Could it have been easily prevented? What can be done to stop a similar attack in the future? And what can be done now to improve company security?


We'll look further into some easy and practical steps you can take to help the process of recovery in an upcoming blog. For now, thank you for your time today, we hope that we have helped in making your store a safer, more secure place.

Until next time, stay safe and have a great day.

 


22 October 2019

Creating stronger passwords

Hey there and welcome back to another edition of the Hussey Coding blog.

In recent blogs, we have been looking at Cybersecurity, what it means, what you need to know and why it's so important. In this blog, we'll be looking at one of the simplest ways you can help keep your stores and sites secure and yet one of the most overlooked methods ever!

Everybody uses passwords these days; they've become one of those facts of life, but are they secure? Are they strong enough to keep people out, or are they so weak that anyone could guess them given enough information? Maybe you are reading this and feeling really confident about your password's strength, but what about Dorris in shipping? Or Luke over in online sales? How secure are their passwords?

Here's a list of 10 things that you can do or introduce into your company to help keep not just your business safe, but your staff and customers safe too.

#1 - Size matters!
Create a password that is over 8 characters long, the longer it is, the harder it will be to guess.

#2 - M1x 1t up
Throw in some uppercase and lower case letters but don't just stop there, numbers and symbols are also a gr8 Way 2 sT0p an @ack3r gu3ss1ng Y0ur PassW0rds

#3 - 3's a crowd
Don't bunch up your numbers and symbols, for example, Huss3yC0d1ng is much harder to guess than HusseyCoding123!

#4 - It's not personal
Steer clear of using personal information, a pet's name, a favourite place you brag about visiting every weekend, your maiden name etc.
Sure, your password needs to be memorable, but that doesn't mean it has to be easy. Also, unlike the example above, try to avoid using company names or references.

#5 - It takes 2 baby!
Two-factor authentication is an amazing little tool in helping keep your business secure and, you should use it whenever possible. Two-factor authentication is basically when a site will send you a PIN to input on logging in as well as your password. It is a feature that Magento supports and is mandatory from M2.4.0 on the admin panel.
Follow the link for a guide on setting up two-factor authentication by CLOUDWAYS on anything pre-M2.4.0 - HERE.

#6 - Get creative
Use different passwords for different accounts. Yes, it can be annoying having to remember them all but having just one password to rule them all is not good security!

#7 - Memories, all alone in the moonlight!
Don't store your passwords, either physically or digitally, as these are easily stolen, lost or passed onto undesired parties, giving hackers easy access to your store and other accounts. However, if you simply have too many passwords to remember, you can always sign up to a password manager. Some of the services available are LastPass, Bitwarden or Keeper; you will only need to remember the one master password while the others are securely stored.
 
#8 - If you've got it, use it
If you use a mobile device to work then make sure you secure it with a secure password/number or when possible, enable fingerprint or facial recognition.
 
#9 - Ch-ch-ch-ch-changes
Change your password regularly, especially when people leave your company or contracts end with third party providers. A good number of security breaches happen because a disgruntled former employee or someone from a third party company still has access to sensitive data and decided to take advantage.
 
#10 - Log out and switch off
Log out of apps and sites when you are done using them, staying logged in is a great way for hackers to access your accounts, the log out button is there for a reason, use it.
On the same note, when you are finished with an application, don't forget to delete it and remove all permissions you may have granted it. Especially on your mobile device, all your gear might be secure but remember that game you used to play about 6 years ago that you never logged out of? How secure is that now?

Now I know we said this would be a list of 10 things but, because we like you so much and because you stuck with us to the end we're going to throw in a bonus tip.
 
- Adopt a password policy
Adopting a password policy for your company will ensure that everyone is on the same page. Ensuring that you and everyone else who has access to sensitive data are not reusing old passwords or creating weak ones is vital.
A study performed by the University of Indiana found that making longer, complicated passwords mandatory almost stopped University staff reusing passwords and helped the overall security of the University.
Follow the link to read the full article HERE.
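A password policy is easier to keep to when it is checked in code. The following is an added example, not the blog's or Magento's own code, that turns tips #1 to #4 and the no-reuse rule into a checker; requiring all four character classes, the substitution table, the PBKDF2 work factor and the violation labels are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 9           # tip #1: "over 8 characters long"
PBKDF2_ROUNDS = 100_000  # work factor picked for this example (assumption)

# Undo common letter swaps so "Huss3y" is still recognised as "hussey" (tip #4).
DELEET = str.maketrans("0134578@$!", "oieastbasi")


def hash_record(password, salt=None):
    """Salted PBKDF2 record, so old passwords are never kept in plain text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, history):
    """True if the password matches any (salt, digest) record in history."""
    return any(
        hmac.compare_digest(hash_record(password, salt)[1], digest)
        for salt, digest in history
    )


def policy_violations(password, banned_words=(), history=()):
    """Return a list of violation labels; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too-short")

    # Tip #2: mix upper case, lower case, numbers and symbols.
    classes = (
        ("missing-lowercase", str.islower),
        ("missing-uppercase", str.isupper),
        ("missing-digit", str.isdigit),
        ("missing-symbol", lambda c: not c.isalnum()),
    )
    for label, test in classes:
        if not any(test(c) for c in password):
            problems.append(label)

    # Tip #3: digits and symbols bunched at one end, as in "HusseyCoding123!".
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    if core != password and core.isalpha():
        problems.append("bunched-digits-symbols")

    # Tip #4: no personal or company references, even when disguised.
    plain = password.lower().translate(DELEET)
    for word in banned_words:
        if word.lower() in plain:
            problems.append(f"banned-word:{word.lower()}")

    # Bonus tip: no reusing old passwords.
    if was_used_before(password, history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    banned = ["Hussey"]  # constructed list: company and personal names
    for candidate in ("HusseyCoding123!", "Huss3yC0d1ng", "gR7#vapour-Lantern2"):
        print(candidate, "->", policy_violations(candidate, banned) or "ok")
```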
 
Thank you for giving us your time today and, we hope that this article has helped you and your company get that little bit more secure.
If you have any questions about this article, please feel free to leave a comment or contact us using our various details listed below.
Thanks again and until next time, stay safe and have a great day.


17 October 2019

Another 5 tips to secure your store

Hi there and welcome back to another edition of the Hussey Coding blog.


Today we're going to be continuing our look into cybersecurity and giving you some more hints and tips that you can implement to help secure your Magento store. So what are you waiting for?


In this blog, we will look at

 - 1. KO the FTP

 - 2. Check the oil

 - 3. Who knows what?

 - 4. Practice, practice, practice

 - 5. I have a cunning plan!

 

#1 - KO the FTP

If you are using FTP, then it is our strong recommendation that you stop!

Instead allow your server to use SSH, which in turn will allow you to use SFTP, giving you a much better and secure way of transferring your files. A typical method for hackers to gain access to online stores is by going after FTP passwords. Remember to also delete access to anyone who has had access in the past like old employees or third party companies as this is an easy way of allowing unwelcome access.


Getting yourself set up with SSH is easy if you are using Linux, as it's part of the package. If you are using Windows, then follow this link to the "How to use PuTTY on Windows" guide by SSH.com

https://www.ssh.com/ssh/putty/windows/

or if you are using macOS, check out SSH.com's guide for you here

https://www.ssh.com/ssh/putty/mac/

Or you can ask your development team to do it for you, don't have one?

Then take advantage of the free project creation offer available now at Developerconnection.co.uk


#2 - Check the oil.

The same way you check your oil and water levels in your car, every now and then go over your settings, change your passwords and review who has access to what. You'll be amazed when you remember how much you forgot.

Ask your dev team to analyse your store for any vulnerabilities, if they don't find anything, great, if they do, get it fixed.


If you are using Magento extensions, do keep in mind that those extensions may not be updated often. This creates an opportunity for hackers to exploit out of date extensions until a patch or update is released. Using popular extensions is a great way to combat this as they will traditionally receive regular support and updates. When reviewing your extensions, ask yourself questions like "do I need this extension?", "is it still useful to my company?" Or "Is there another extension out there now that can do the job of multiple extensions I have running at the moment?".


#3 - Who knows what?

Let's say that you have taken all of our advice, you've updated your computer and Magento store, you've even made sure that all your extensions are up to date. The big question now is "what about your staff?"

You may have heard of the term social engineering. This is where an attacker will manipulate individuals into unknowingly releasing confidential data for illegal purposes.


Put another way, your bank just emailed your accounts department asking them to verify some details, otherwise there may be issues with payments further down the line. They even provided a handy link to follow and it looks legitimate. Once there, all they need to do is confirm your company's address, credit card number, email address, all the sorts of things your bank would need to know. A few months later, when you decide to "check the oil", you notice a steady stream of money is now missing, no one seems to know where it is and you end up spending more money hiring a team to find the root of the problem. You discover that your whole company has been breached and that you need to fire Susie from accounting who's been with you for nearly 20 years.

 

A massive number of companies spend all their cybersecurity budget on teams and software but considering that one of the biggest risks to your security is through social engineering you are going to need to invest some of that budget in training all of your staff in cybersecurity.

Training staff to identify fraudulent email, unsecure websites and general social engineering methods used by attackers could save your company, your reputation, your stock, your finances and Susie's job!

 

#4 - Practice, practice, practice.

This might seem like an odd one but it's really effective, don't just tell your staff about cybercrime, let them experience it in a controlled environment.

Send out some emails with a fake link in them and see who opens them, or if you have an IT department, ask them to simulate a cyberattack and see how your staff respond. Simulated attacks really help to show vulnerabilities in your security, and give you and your staff real-time experience of the stress-filled, chaotic nature of an attack and an opportunity for all involved to learn, adapt and better prepare for the real thing.

 

Simulated attacks also shift your company's thinking from a reactionary mindset to a proactive one. What's that saying about the best defence being a strong offence? Thinking about what and how attackers might attempt to infiltrate your business helps you be better prepared than just dealing with an attack that has already happened or that you have heard about.

 

#5 - I have a cunning plan!

Form a response plan, have one in place from day 1, there's an old saying that goes "it is far better to have and not need than to need and not have".


There are various different ways that you can be attacked, some of which we have covered in our previous blog "6 common cyberattacks to watch out for" (which you can read HERE); some are very obvious and some are not.


If you think you are under attack or have been the victim of a cyberattack, we strongly recommend you contact your developer/development team right away. If you don't have a regular team to keep costs down, then now is the time to pay out for one, as they will be able to identify the origin, type and extent of the attack and be able to take steps in preventing and repairing the damage caused. As always you can contact us here on info@husseycoding.co.uk to take advantage of decades worth of experience using and developing the Magento platform.

Want some more pointers in what should be in a cunning response plan? Never fear, Hussey Coding is here! We have a whole blog dedicated to this very issue coming soon.


With all of these things in place, you are well on your way to having formidable security in place. Do remember that these are not the only things that can be done but a basic list of things that YOU can do to help secure your store! Also bear in mind that having the best security in the world doesn't guarantee that you will not become the target of an attack, nor does it guarantee that an attacker won't get through but having these things in place does help prevent both losses to you and your customers.


If you missed our first 5 tips to securing your store follow this link to read them HERE.


Thank you for taking the time to read this post, we hope it helps keep your online store secure and attack free. As always, should you wish to contact us here at Hussey Coding or at Developer Connection then all our details are below.

Until next time, stay safe and have a great day.




15 October 2019

5 easy steps to better security

Hi there and welcome back to another safe and secure edition of the Hussey Coding blog.

Today we're going to be looking at some helpful hints and tips to help you make your business more secure. Please feel free to leave a comment on your experience with some of these things and to let us know your favourite security tip. Please bear in mind that these are not the only things you can do to help secure your store or business but rather a good foundation to begin your cybersecurity journey.
In this blog, we will look at

 - 1. Get your foundations in place

 - 2. Staying up to date

 - 3. Return to sender, address unknown

 - 4. Shhhh, it's a secret

 - 5. Under lock and key


#1 - Get your foundation in place

You can't build a house without a good, strong foundation, and if your foundations fail then your house will fall down. The same is true here: make sure that the computers you use to access your administration panel are secure, because having the best Magento security in the world will not help you if your computers have no security at all.

Make sure you update them with all the relevant security you need: keep your antivirus software up to date, only allow access to people who need to use them, delete users who aren't part of your company any more from the computers (and from the administration panel, for that matter), and never open anything suspicious, be it an email or a download. If it doesn't look safe, then leave it be!


#2 - Stay up to date

Just like keeping your desktop/laptop security, OS and antivirus up to date the same is true of your Magento store. Magento is constantly being updated and improved by teams of skilled developers and this includes, but is not exclusive to, any vulnerabilities that may be found within the Magento platform.


Once a vulnerability is found, Magento will typically create a patch that will be part of the next version update, making it of the utmost importance that you A) keep up to date with all the Magento news and B) install all the latest versions, especially since running older patches can make your store vulnerable to new threats.


Not sure you have the latest version of Magento? Follow this link to the Tech resources page to find out - https://magento.com/technical-resources


If for some reason you can't download the latest version of Magento then it's equally important that you download and install the latest security patches or alternatively speak with your developer/dev team. If you don't have one and need one then head on over to Developerconnection.co.uk


Remember, this practice applies not only to Magento but to all other software that you have installed on your server. Again, having the most up-to-date Magento store is great but pointless if everything else is weak and vulnerable. It is also very important to remember that all official support from Adobe has now ended for M1 users, so if you haven't begun your migration to M2 we highly recommend you do that as soon as possible.


#3 - Return to sender, address unknown! 

Your administration panel is the heart of everything you do to your Magento store. It’s where you can see, edit and manage everything you need to create the perfect store for you and your customers, and so it must have great security built around it.


By default, your administration panel's URL will look something like this

http://magentosecurity.com/magento/admin


This is really easy for hackers to find and access, and is highly susceptible to brute force attacks (attacks where automated software bombards your site, trying to guess your username and password at incredible speeds to gain access). What you want to do is limit the point of entry by changing the admin panel's URL to something more secure, so secure that, in theory, you wouldn't be able to find it unless you knew exactly where to look.

There is an option to change your admin panel's URL using the admin panel itself, and there are many "how-to" guides out there showing you how to do it. However, we came across several issues when trying this method and it never worked for us.


But never fear, as there are other methods. The easiest one, and the one we would recommend, is asking your developer to change your admin URL in the environment configuration file. It's simple and fast to do.

If you do choose to change it from the admin panel yourself then we wish you luck and advise that you put your developer on speed dial just in case.
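
As an added example (not Hussey Coding's own code), here is one way a developer could check the admin path before and after the change. It assumes a Magento 2 store, where the environment configuration file is `app/etc/env.php` and the admin path is its `backend` => `frontName` value; the function names, the list of guessable names and the minimum length are hypothetical choices made for this example.

```php
<?php
declare(strict_types=1);

// Assumption: a constructed list of admin paths that are easy to guess.
const GUESSABLE_FRONT_NAMES = ['admin', 'backend', 'administrator', 'manage', 'dashboard', 'login'];
// Assumption: minimum length chosen for this example, not a Magento rule.
const MIN_LENGTH = 12;

/** Return the problems found with backend.frontName; an empty array means none. */
function auditFrontName(array $env): array
{
    $name = $env['backend']['frontName'] ?? null;
    if (!is_string($name) || $name === '') {
        return ['backend.frontName is not set'];
    }
    $problems = [];
    if (in_array(strtolower($name), GUESSABLE_FRONT_NAMES, true)) {
        $problems[] = "'$name' is a well-known admin path";
    }
    if (strlen($name) < MIN_LENGTH) {
        $problems[] = "'$name' is shorter than " . MIN_LENGTH . ' characters';
    }
    if (preg_match('/^[A-Za-z0-9_]+$/', $name) !== 1) {
        $problems[] = "'$name' has characters other than letters, digits and underscore";
    }
    return $problems;
}

/** Build a hard-to-guess front name: "admin_" plus 64 random bits as hex. */
function generateFrontName(): string
{
    return 'admin_' . bin2hex(random_bytes(8));
}

// Constructed sample; on a real store use: $env = include 'app/etc/env.php';
$env = ['backend' => ['frontName' => 'admin']];
foreach (auditFrontName($env) as $problem) {
    echo "WARN: $problem\n";
}

$env['backend']['frontName'] = generateFrontName();
echo "Suggested frontName: {$env['backend']['frontName']}\n";
echo auditFrontName($env) === [] ? "OK: passes the checks\n" : "FAIL\n";
```

A hard-to-guess admin path cuts down automated login attempts, but it works alongside the strong passwords covered in tip #4 rather than replacing them.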


#4 - Shhhh, it's a secret! 

Passwords! Good, strong passwords!

I know, super obvious, right? You hear people go on about this over and over and over again but the reason for that is because people keep using bad passwords!


Passwords that contain things that are easy to guess, like your pet's name or the year you were born, are not good passwords at all. Another common mistake is creating a great password and then using it for everything, meaning that once a hacker has your Facebook password they now have access to your store.


If you are reading this and nervously giggling because you know you fit into one of these 2 categories then please go and change your passwords now!

Not sure what you should change it to or what a strong password should include? Again, don't worry, when you're done reading this blog we have another one that covers this very issue - creating-stronger-passwords

 

#5 - Under lock and key

Get a padlock, literally!



Encryption, that's what we are talking about here. An HTTPS/SSL certificate will help to protect the private information your customers send to you while it is in transit. It's important to note here that HTTPS/SSL only protects the data during transport; once the data is with you, you need to secure it.

The way it works is that HTTPS/SSL will scramble the data during transfer and then unscramble it when it's delivered. That little padlock is the symbol your customers will be looking for and is the universal sign that you take security seriously.

Since 2017, Google will flag any website that does not hold an HTTPS/SSL certificate as "NOT SECURE". That is not something you want your customers seeing!

Great, so how do you get one? Follow this link to the "How to experts" page to get yourself set up with a shiny new encrypted padlock

http://www.howto-expert.com/how-to-get-https-setting-up-ssl-on-your-website/


Hopefully, you have found these first 5 hints and tips helpful, "Wait? first 5?" I hear you ask, yes, in the coming days we will be releasing another blog with another 5 hints and tips to help you secure your store along with a few extra things in between.
Do remember that having the best security in the world does not make you immune to cyberattacks. However, it will help you reduce the damage and even stop an attacker in such an event. These are 5 quick and easy things that you can do right now to help defend against attack, so what are you waiting for?

Thank you for your time today, please help support the work of Hussey Coding by clicking those likes, hearts, thumbs up, follow buttons on the social media platforms that you use!
Until next time stay safe and have a great day.
