This is my blog about the trials and tribulations of setting up our web site.

Saturday, December 10, 2005

One of the dumbest features for a web site admin

I remember talking to the owner of the software company about this a long time ago. For the most part, with CPanel your web server is protected and phpMyAdmin is protected. Having a function in the admin of your store's software that allows people to back up and download your DB is just about the dumbest idea you can have in a web store. I don't know how many times I have been able to walk into a store's admin and download their DB, which includes all their customers with their CC info attached. I must add that I have been able to do this but have not done it. DBs are protected for a reason, and this function removes several layers of that protection.
One of the first things I did was remove the code that does this function. Our site does not store CC info and we do not have access to the CC numbers at any time. I prefer it this way: if there is ever a problem, having the actual number is not going to change the outcome of the problem. There is no reason a store owner needs to know the customer's CC number; if it is declined, they just need to know that it was. If the customer does a chargeback, knowing the CC number is not going to improve the chances of fighting it.

Getting back on track: the less information you have in your DB, the better off you will be in case of an attack, and the harder it is for people to get at your DB, the better off you are.
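As an added example (not the blog's code or the store software's), here is how an order can be persisted the way the post describes: the processor's outcome and reference are kept, the card number is not, and a Luhn-based guard refuses the write when a text field still carries a full card number. The record and function names are hypothetical and the processor reply is a constructed sample.

```python
import re
from dataclasses import dataclass
# Constructed sample of a payment processor's reply (hypothetical shape).
PROCESSOR_RESPONSE = {
    "card_number": "4111111111111111",   # must never reach the store DB
    "approved": False,
    "reference": "txn-000123",           # constructed placeholder id
    "decline_reason": "insufficient funds",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """True if the text holds a 13-19 digit run (spaces/dashes ignored) that passes Luhn."""
    compact = re.sub(r"[ -]", "", value)
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", compact))

@dataclass
class OrderRecord:
    order_id: str
    approved: bool
    processor_ref: str   # enough to ask the processor about a dispute
    last4: str           # lets staff identify the card without holding the PAN
    note: str

def build_order_record(order_id: str, resp: dict) -> OrderRecord:
    """Keep the outcome and reference from the processor reply, not the card number."""
    return OrderRecord(
        order_id=order_id,
        approved=resp["approved"],
        processor_ref=resp["reference"],
        last4=resp["card_number"][-4:],
        note=resp.get("decline_reason", ""),
    )

def persist_order(record: OrderRecord, db: list) -> bool:
    """Refuse the write if a text field still carries something that looks like a full card number."""
    if any(looks_like_pan(v) for v in (record.note, record.processor_ref)):
        return False
    db.append(record)
    return True
```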

4 Comments:

Anonymous said...

Yeah, I agree.

To add to the "hacker" threat, most ecommerce sites have people "unskilled in the internet" checking and processing orders or updating prices and such (like the company accountant), and you are just asking for trouble if you give non-internet-savvy people access to database functions, configuration settings, etc.

11:19 p.m.

JavaRoasters said...

Being one of those non-internet-savvy people, but learning a lot as I go along this journey, I do know and understand my limitations. That is why I hire people to do the things I can't do, and I look at/watch what they do and learn from them. After being in business for 9 years I also understand limitation of liability, so NOT having access to CC numbers at any time certainly limits this.

Having said that I do have my limitations, I am smart enough to understand that someone looking for the URL http://www.beancoffeeshop.com/xmlrpc.php is up to no good. Another IP BANNED!!!!! ASSHOLE.

6:56 a.m.

Anonymous said...

Peter, I've managed sites that have had over 20,000 visitors a day, so take this with a grain of salt-

If you try to ban every single IP that does a hack attempt, you are going to go nuts :P

Secure your site, run secure scripts, and let it fly. I once banned the entire continent of Asia, and it still didn't stop hack attempts. But that's ok, they are only "attempts", right?

9:33 a.m.

JavaRoasters said...

Hi Chance,

They have stopped, and I did look at where they were coming from first. I only sell to Canada and the USA, so the rest of the world does not need to see my site. I am going to get a security test on the site over the holidays just to make sure. Every fix is in there so I think it is safe, but better safe than sorry.

Since I do get the emails, if I don't ban them the emails keep on coming .. and coming, so the simpler solution is to ban them as long as it does not interfere with legit customers getting to the site.

9:42 a.m.
