Application exploits are a regular feature of the ecommerce landscape, but in most cases they can be avoided. When an application is compromised, the methods used often involve something simple, such as a missed security patch or leaked user credentials.
If you were recently compromised and have yet to identify the cause, start with the list below before proceeding to more exotic exploits.
Or, even better, adopt these as best practices before you are compromised. As with medicine, so with site security: an ounce of prevention is worth a pound of cure.
Applications do not age well. This is true for nearly every content management system (CMS); WordPress, Magento, ExpressionEngine, and countless others gain serious vulnerabilities over time. This is not a reflection on the developers of these applications, just the nature of the beast.
Maintainers for credible applications will release announcements for new vulnerabilities as they are found, and quickly release a patch that blocks them. If you are not already a subscriber to these maintainers’ mailing lists or feeds, then doing so will keep you informed, current, and much less likely to be compromised.
Third party extensions and custom code
Even if your CMS is current, any outdated third party extensions can likewise expose your site. It is not unusual for a site administrator to add ten or more extensions to their application for additional features and functionality. Not all extensions are created equal, and each must be watched for vulnerabilities and updates.
Custom code cannot be ignored either. While it may not be as obvious or widespread as publicly available extensions, regular code audits and testing will prevent many problems before they start, as will vulnerability scans from an Approved Scanning Vendor (ASV) and penetration tests against your application.
Weak or shared passwords
Weak passwords are an all-too-common vector for malicious attacks. Simple or obvious passwords (birthdays, names of family members or pets, your social security number, and so on) are easily obtainable, and brute-force attacks can make millions of guesses per second.
Even a strong password can fail if shared carelessly between individuals or applications. If you duplicate passwords across applications, it takes only one successful attack to threaten all of those applications.
For a list of best practices regarding password management, see How to create a secure password.
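The checks below are an added example, not code from the original article: a small password policy that rejects the kinds of passwords described above (short, common, built from personal details, or drawn from a single character class), an upper-bound estimate of brute-force time at a given guess rate, and an audit that finds the same password reused across accounts. The common-password list, the personal terms and the credential export are constructed sample values.

```python
"""Password policy checks and a reuse audit (added example, not from the article).

Assumptions (constructed, not from the original page):
- COMMON_PASSWORDS stands in for a real breached-password list.
- The guess rate is a parameter; the article notes attackers manage
  millions of guesses per second.
"""
from __future__ import annotations

import string
from collections import defaultdict

# Constructed stand-in for a real list of leaked or common passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "admin", "welcome", "fluffy2019",
}

MIN_LENGTH = 12


def charset_size(password: str) -> int:
    """Size of the smallest character set that contains every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c not in string.printable for c in password):
        size += 128  # rough allowance for non-ASCII characters
    return size


def estimated_crack_seconds(password: str, guesses_per_second: float = 1e6) -> float:
    """Worst-case seconds for an exhaustive search over the password's character set.

    A dictionary or rule-based attack finds a common word far faster than this,
    so treat the value as an upper bound, never as a guarantee of strength.
    """
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second


def check_password(password: str, personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes."""
    problems: list[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    # Birthdays, pet names, family names: anything an attacker can look up.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information ({term!r})")
            break
    if charset_size(password) <= 26:
        problems.append("uses only one character class")
    return problems


def find_reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Group account names that share an identical password.

    Input is a constructed password-manager export of account -> password;
    the result only lists passwords used by more than one account.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, password in credentials.items():
        by_password[password].append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    for candidate in ("fluffy2019", "19850412", "x7$Lq9!mWz2#Pb"):
        print(candidate, "->", check_password(candidate, personal_terms=("1985", "fluffy")) or "ok")
    # Constructed export: the shop admin and the mailbox share one password.
    export = {"shop-admin": "Tr0ub4dor&3", "mail": "Tr0ub4dor&3", "bank": "correct-horse-9-Staple"}
    print(find_reused_passwords(export))
```

The crack-time estimate is deliberately pessimistic in the attacker's favour only for random passwords; for anything on a wordlist the real answer is "seconds", which is why the policy check runs the common-password and personal-information tests first.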
Vulnerable logins and services
Maintaining proper access control lists (ACLs) for your application is also crucial for proper security. Nearly every CMS has an administrative login to manage the application.
Moving these logins to a non-standard web address, or, even better, restricting access to only your IP address, will do much to hamstring potential attackers. Other ancillary applications, such as file managers and administrative tools like PHPMyAdmin, should likewise have access locked down to your IP address.
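The following is an added example, not code from the original article, showing the logic behind "lock the admin login down to your IP address": requests to administrative paths are allowed only from an IP allowlist, with path normalisation so case, encoding and `..` tricks do not bypass the prefix match, and with `X-Forwarded-For` honoured only when the request actually arrived from a trusted reverse proxy. The path prefixes, the allowlist and the proxy range are constructed values; in production the same rule is usually expressed in the web server (Apache `Require ip`, nginx `allow`/`deny`) or a WAF rather than in application code.

```python
"""Admin-path IP allowlist check (added example, not from the article).

All networks and path prefixes below are constructed illustrations.
"""
from __future__ import annotations

import posixpath
import re
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from urllib.parse import unquote

# Paths that only administrators should reach (constructed examples).
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php", "/admin", "/phpmyadmin")

# Office / VPN egress addresses allowed to reach those paths (constructed).
ALLOWLIST = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32", "2001:db8::/48")]

# Reverse proxies whose X-Forwarded-For header may be believed (constructed).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def normalize_path(raw: str) -> str:
    """Canonicalise a request path before matching it against admin prefixes."""
    path = unquote(raw.split("?", 1)[0])      # drop query string, decode %xx
    path = re.sub(r"/+", "/", path)           # "//admin" -> "/admin"
    path = posixpath.normpath(path)           # resolve "." and ".." segments
    return path.lower()                       # "/WP-Admin" -> "/wp-admin"


def is_admin_path(raw_path: str) -> bool:
    norm = normalize_path(raw_path)
    # Exact match or directory prefix; "/wp-adminx" must not count as "/wp-admin".
    return any(norm == p or norm.startswith(p + "/") for p in ADMIN_PREFIXES)


def client_ip(remote_addr: str, forwarded_for: str | None = None) -> IPv4Address | IPv6Address:
    """Resolve the real client address.

    X-Forwarded-For is attacker-controlled unless the socket peer is one of our
    own proxies, and even then only the last entry (the one our proxy appended)
    can be trusted.
    """
    peer = ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        candidate = forwarded_for.split(",")[-1].strip()
        try:
            return ip_address(candidate)
        except ValueError:
            pass  # malformed header: fall back to the socket address
    return peer


def admin_access_allowed(path: str, remote_addr: str, forwarded_for: str | None = None) -> bool:
    """True if the request may proceed; non-admin paths are always allowed here."""
    if not is_admin_path(path):
        return True
    ip = client_ip(remote_addr, forwarded_for)
    # Comparing an IPv4 address against an IPv6 network is simply False.
    return any(ip in net for net in ALLOWLIST)


if __name__ == "__main__":
    cases = [
        ("/index.php", "192.0.2.10", None),
        ("/wp-admin/", "192.0.2.10", None),
        ("/wp-admin/plugins.php?page=1", "203.0.113.50", None),
        ("/PhpMyAdmin/../phpmyadmin//index.php", "192.0.2.10", None),
        ("/admin", "192.0.2.10", "203.0.113.5"),     # spoofed header, not via proxy
        ("/admin", "10.1.2.3", "203.0.113.5"),       # real client seen by our proxy
    ]
    for path, addr, xff in cases:
        print(f"{path:40} {addr:15} xff={xff!s:15} -> {admin_access_allowed(path, addr, xff)}")
```

The two details that most often go wrong in hand-rolled versions are visible in the test cases: matching the raw path (so `/PhpMyAdmin/../phpmyadmin/` slips past a case-sensitive prefix check) and trusting `X-Forwarded-For` from any peer (so a single header lets anyone claim an allowlisted address).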