Make Security Part Of Your New Year’s Resolutions

We’re at the doorstep to a new year, so there’s no better time than the present to check your site for security risks and brush up on your security habits.

Areas to focus on to get you started:

  1. Have all security patches been applied? (ask us to check or start with a free patch scanner at magereport.com)
  2. Have you changed your password recently?
  3. Have you run anti-virus/anti-malware scans on all computers/devices that access your store’s backend?
  4. Is your store’s backend URL unique?
  5. Do you have a backup plan in place?
  6. Is all the software in your site’s software stack updated/patched? (including Magento, WordPress, server-side components such as PHP, etc.)
  7. Are you adhering to the appropriate PCI Compliance level?
  8. Have you run, at the very least, an external malware scan on your site? (running one from the server side is always recommended, but a quick scan from Quttera or a similar tool will quickly show you if you have any major problems)
  9. Have you been blacklisted? (here’s a good tool)

Hope that helps! Contact us if we can help out with anything or if you have any questions. Here’s to a safe & secure 2017!

P.S. Here are some more security tips from a previous blog post: Magento Security Tips

The Heartbleed Bug And You


What’s going on?

On Monday (April 7, 2014), Neel Mehta of Google Security & his team reported a bug, with potentially massive consequences, to the OpenSSL team. When I say massive, I mean experts estimate that over 50% of all sites are or have been affected.

Anyone use Pinterest? Yahoo? Airbnb? We recommend you listen up.

So, what is the Heartbleed bug?

To boil it down, there’s a hole in the encryption process that allows hackers to read a site’s security keys, undermining the security of any site that uses an SSL certificate. They can move in, steal your important data, and leave without a trace. Most, if not all, of these attacks can be carried out so quietly that they could have been going on for the past 2 years & no one, not even Google, knew about them. That’s scary!

What are we doing about it?

Here at Wex Marketing, we develop all of our e-commerce sites around the latest & greatest security features & practices – including implementing at least a 256-bit SSL security certificate. Unfortunately the bug that was just announced has been “open season” for a long time (up to 2 years!). The affected OpenSSL versions are listed as 1.0.1 through 1.0.1f, on servers running Apache and Nginx.

Since the announcement, we have been hard at work communicating with our host companies (who handle the SSL side of things) to make sure all our sites have been updated with the latest OpenSSL fix that came out shortly after the announcement.
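As an added example, not part of the original post: a small POSIX shell check that classifies the local `openssl version` string against the affected range given above (1.0.1 through 1.0.1f). It assumes the first fixed release is 1.0.1g, and it cannot see distribution patches that were backported without a version bump, so an “affected” result means “confirm with your host”, not “definitely vulnerable”.

```shell
# Classify an "openssl version" string against the Heartbleed-affected
# range stated above: 1.0.1 through 1.0.1f.
# Assumption: 1.0.1g is the first fixed release, so 1.0.1g and later in
# the 1.0.1 line report "fixed"; other lines (0.9.8, 1.0.0, 1.0.2+, 1.1.x,
# 3.x) never shipped the bug and report "not-in-range".
# Caveat: distros often backport the fix while keeping e.g. "1.0.1e" in the
# version string, so "affected" is a prompt to verify, not a verdict.
heartbleed_status() {
  # $1 is the full line printed by `openssl version`,
  # e.g. "OpenSSL 1.0.1e 11 Feb 2013"; the version is the second field.
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.1)          echo "affected" ;;       # the original 1.0.1 release
    1.0.1[a-f])     echo "affected" ;;       # 1.0.1a .. 1.0.1f
    1.0.1[a-f]-*)   echo "affected" ;;       # build suffixes, e.g. 1.0.1e-fips
    1.0.1*)         echo "fixed" ;;          # 1.0.1g and later
    *)              echo "not-in-range" ;;   # every other release line
  esac
}

# Convenience wrapper for the machine you are logged in to.
# Returns 1 (and prints "unknown") when no openssl binary is on the PATH.
check_local_openssl() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "unknown"
    return 1
  fi
  heartbleed_status "$(openssl version)"
}
```

Run `check_local_openssl` on the web server itself, since the version on your workstation says nothing about the host that terminates your site’s SSL.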

What can you do about it?

As we touch up the SSL versions, we recommend you change all important passwords – including, but not limited to, email, site backends, payment gateways, etc., even personal bank accounts! By now, we expect all the major institutions to have applied the fix, but just to be safe, change all important passwords!

Curious if your site (or a site you use) is vulnerable? Check it with this tool by LastPass.

Want to know more?

If you want to dig deeper, check out heartbleed.com or read the official announcement put out by US-CERT (the Computer Emergency Readiness Team, part of the Department of Homeland Security).