A step by step guide to nopCommerce security
Thursday, October 3, 2019
nopCommerce security is one of the hottest topics in e-commerce discussions. Everybody knows how important security is for online stores. Your nopCommerce store collects sensitive data, so protecting that data is the most crucial part of nopCommerce security. Have you ever wondered how to secure your nopCommerce store, or how nopCommerce specialists secure theirs? This comprehensive guide takes you through securing a nopCommerce store step by step. It is written for every user: even beginners can secure nopCommerce and protect their customers' data.
nopCommerce is an open source e-commerce platform, suitable for small and medium-sized retailers. It’s based on ASP.NET Core and uses the MSSQL database. nopCommerce in numbers:
nopCommerce has been developed and supported by a professional team since 2008. If you want to read more about nopCommerce, its history and its features, visit the official nopCommerce website.
Installation could fill a very detailed section of its own, and we will cover it in a different article. For now, note that nopCommerce can be installed in a few ways. The first way requires an ASP.NET Core hosting provider that offers nopCommerce as part of its application installer. As an example, we can use the nopCommerce app on Microsoft Azure. This is called automatic nopCommerce installation, and you need to check one thing: make sure that the hosting provider offers the latest version of nopCommerce.
nopCommerce can also be installed manually. You will have to download the proper version of nopCommerce, upload it to your server and install it. This is more complicated, but with our guide even beginners will be able to handle it. The best option for us, and for you if you don’t have time, is a custom installation made by certified partners. In this case, we will install and configure the nopCommerce store for you.
Software updates are always the trickiest part for store owners, mostly for those who are not developers or technical geeks. We know that it can be a pain in the neck. In general, a nopCommerce update is a process in which you copy your files, download the newest version, run the nopCommerce upgrade script on your database and copy back the configuration files. It looks simple, but it may cause confusion. This topic will also be covered in our comprehensive nopCommerce guide for beginners.
nopCommerce is one of the most secure open source e-commerce solutions. In parallel with e-commerce development, the nopCommerce team has taken security very seriously, and it provides software which meets all PCI DSS requirements and offers all the in-store features that you need to run a secure and successful e-commerce site.
On the market you will find many tools that can scan your website to check whether vulnerabilities exist on it. Below you can find the result of our nopCommerce demo test.
nopCommerce meets all the requirements for PCI DSS certification, but the nopCommerce team did not try to get the certificate. In fact, you are able to use it with any kind of payment gateway. What is PCI DSS? The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes.
Below you will find a small table which will give you a clearer picture of what PCI is; the table comes from digital.com.
In nopCommerce you will find many settings with which you can improve your store's security. I hope the following list will help you configure the store for the best nopCommerce security. Your code is also one of the factors that affect overall nopCommerce security, so I assume that you use only verified solutions. Unverified plugins or themes may break your security, so this is very important for your safety.
I’ve mentioned it in the earlier parts of this guide. Each version of nopCommerce comes with long release notes. In each set of release notes you will find new features but, more importantly, you will also find the security bug fixes. This part is crucial. Usually the nopCommerce team releases a new version twice a year. This cadence guarantees that you will get a mature and tested solution and you won’t be surprised by any unplanned nopCommerce vulnerabilities.
Unauthorized access is a potentially major problem for anyone who runs an online store or any kind of online business. It's the most common cause of data loss, data deletion or theft. Have you ever wondered how to create a strong password? There are a few fundamentals of strong passwords:
- passwords should be long and complex, because long and complex passwords are harder for hackers and programs to break,
- good passwords should contain at least ten characters and have a combination of characters such as commas, percent signs, and parentheses, as well as upper-case and lower-case letters and numbers.
nopCommerce allows you to require such complex passwords from your users. You can specify your own password policy in the nopCommerce admin panel. To create one, log in as an admin user and go to the admin panel, then Configuration -> Settings -> Customer settings, and look for the "Password and security" tab. With the settings listed there, you can create your own password rules.
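The following is an added example, not part of the original guide or of nopCommerce: it checks candidate passwords against the fundamentals listed above and puts a number on why length and character variety make a password harder to break. The function names and the sample passwords are constructed for illustration, and the bit estimate assumes every character is chosen at random.

```python
import math
import string

MIN_LENGTH = 10  # "at least ten characters" from the list above

# Character classes named in the list above
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,  # includes commas, percent signs, parentheses
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def unmet_rules(password):
    """Rules from the list above that the password does not satisfy."""
    used = classes_used(password)
    missing = [name for name in CLASSES if name not in used]
    if len(password) < MIN_LENGTH:
        missing.insert(0, "min_length")
    return missing


def search_space_bits(password):
    """Upper bound on guessing effort in bits: length * log2(alphabet size).

    Only meaningful for randomly generated passwords; a dictionary word
    with a year appended is far weaker than this figure suggests.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit(passwords):
    """Map each password to (unmet rules, search space in bits)."""
    return {p: (unmet_rules(p), round(search_space_bits(p), 1))
            for p in passwords}


# Constructed sample passwords, for illustration only
SAMPLES = ["password", "Summer2019", "k(7,Tq%9xZ"]

if __name__ == "__main__":
    for pw, (missing, bits) in audit(SAMPLES).items():
        print(f"{pw!r}: unmet={missing} bits<={bits}")
```

"Summer2019" misses only the symbol rule yet is easy to guess, which is why the bit figure is an upper bound and not a strength score.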
It goes without saying that spammers are the most annoying part of the internet. Mostly it's a problem for bloggers, but it's also a very common issue in e-commerce. The good news is that nopCommerce allows you to enable reCAPTCHA in your store. If you don't know what reCAPTCHA is, please visit the official Google help page.
If you want to enable CAPTCHA in your store, log in to your store as an admin user, go to the administration panel, then to Configuration -> Settings -> General settings, and look for the CAPTCHA tab. Turn on the only setting shown there: CAPTCHA enabled. You will then see the list of places where CAPTCHA can be enabled. The choice is yours. Choose the forms that exist in your store.
The last two fields hold your reCAPTCHA credentials. To generate CAPTCHA keys, you need to visit the Google reCAPTCHA page. Log in to your account and click the plus button, highlighted on the screenshot below:
On the next page, fill in the necessary fields and, importantly, select reCAPTCHA v2. nopCommerce doesn't support reCAPTCHA v3 yet. After successful creation you will be able to copy the public and private keys, which are used in nopCommerce. It's very simple.
A few years ago, SSL certificates were treated as something exclusive. Those times have gone. Nowadays, everyone can install a Let’s Encrypt certificate, and it’s a must-have for each store owner. It’s important to mention that from July, Google Chrome highlights non-secure websites, that is, websites without an SSL certificate.
It's a very simple process. Once you have installed SSL on your server, log in as a user with admin access and go to Admin panel -> Configuration -> Stores -> Edit on your store. On the screenshot below, you will find the highlighted setting which you should turn on. After that, enter the store URL with the https protocol.
If it's still too complicated for you, let's rock the world together! Our certified nopCommerce developers will help you with the whole process and install it for you with pleasure. Just check the premium support services and let us make some magic for you!
Regular backups may rescue you from many critical situations. Why is it worth making backups? There are a few reasons why they are crucial for each digital product, like an online store or a blog:
As presented on the screenshot above, in nopCommerce you can create a database backup directly from your admin panel. For that to work, your nopCommerce has to be deployed on the same server as the database. Otherwise, you will have to get in touch with your system administrator or your hosting company to create such backups for you.
In nopCommerce, just log in as an administrator and go to Admin panel -> System -> Maintenance; the bottom section of the page is responsible for creating backups.
nopCommerce allows you to restrict access to your admin panel. Even if somebody gets to know your administrator login and password, they won’t be able to log in to your admin panel. To restrict access, log in to the admin panel and navigate to Configuration -> Settings -> General Settings -> Security tab. The first textbox is called "Admin area allowed IP", and it’s the place where you should provide each administrator's IP address.
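A mistyped entry in that textbox, or a missing administrator address, locks legitimate admins out of the panel. The following is an added example, not part of the original guide or of nopCommerce's own code: it reviews a proposed allowlist before you save it. It assumes that entries are comma-separated single addresses and that an empty field disables the restriction; all addresses are constructed sample values.

```python
import ipaddress


def _normalize(text):
    """Parse one address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_allowlist(raw):
    """Split the textbox value into (parsed addresses, rejected entries)."""
    valid, rejected = [], []
    for entry in raw.split(","):      # assumption: comma-separated entries
        entry = entry.strip()
        if not entry:
            continue
        try:
            valid.append(_normalize(entry))
        except ValueError:            # typos, CIDR ranges, hostnames
            rejected.append(entry)
    return valid, rejected


def review_allowlist(raw, admin_ips):
    """Report what would happen to each administrator if `raw` were saved."""
    valid, rejected = parse_allowlist(raw)
    restricted = bool(valid)          # assumption: empty field = no restriction
    allowed = set(valid)
    locked_out = [a for a in admin_ips
                  if restricted and _normalize(a) not in allowed]
    return {
        "restricted": restricted,
        "rejected": rejected,
        "locked_out": locked_out,
        # True only when the restriction is active and nobody is shut out
        "safe_to_save": restricted and not rejected and not locked_out,
    }


# Constructed sample values (documentation address ranges, not real hosts)
PROPOSED = "203.0.113.10, 198.51.100.7 ,203.0.113.0/24, 192.0.2.300"
ADMINS = ["203.0.113.10", "::ffff:198.51.100.7", "192.0.2.44"]

if __name__ == "__main__":
    for key, value in review_allowlist(PROPOSED, ADMINS).items():
        print(f"{key}: {value}")
```

Pass the addresses your administrators actually connect from as `admin_ips`, using the address the server sees for them.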
The huge number of nopCommerce plugins and nopCommerce themes means that you will find both good-quality plugins and bad ones. You can’t be mad about that fact, because it’s a foregone conclusion. It’s impossible to check and test each solution. Sometimes it’s also impossible to keep a straight face when you see new nopCommerce community themes or plugins, but in general it’s a part of open source. nopCommerce has its own marketplace, where vendors are able to upload their products: nopCommerce plugins, nopCommerce integrations and nopCommerce themes. As mentioned in the first chapter, the nopCommerce marketplace contains over 2000 community products, and it’s important to choose only trustworthy solutions. Please remember that any product may be bad and can affect your work. In fact, it doesn’t have to break your store or steal your customers' data; for example, badly optimized themes will slow down your store's speed immediately. It’s also important to introduce changes one by one, because that makes it easier to track down an issue. If you make all the changes at once, the cause of a problem can be found only by trial and error, which is an unwanted scenario.
How do you decide which product is better? On the nopCommerce marketplace you will also find a review system. Everyone can leave a review of a particular product, and reviews can be proof that the nopCommerce plugin you have found is used and appreciated by the community.