Avoid security gaps in Shopware
Website Monitoring Magazine
E-commerce is now one of the most important sources of revenue for many companies. [Online store systems](en/magazine/en/articles/ecommerce/shopsystem-demos) such as Shopware must therefore be robust and free of errors, because every outage means massive sales losses. Even worse than a "normal" outage, however, is a security-related one. But what exactly does security mean? Information security has three main objectives:
- **Confidentiality**: Data must only be read or modified by authorized users. In e-commerce, this means ensuring that our customer data does not fall into the wrong hands. This can happen if an attacker gains direct access to the database or if he can execute program code that gains such access.
- **Integrity**: Data must not be altered unnoticed. Imagine this again for e-commerce: an attacker changes the store data and may be able to obtain discounts or free products this way. What is sometimes even worse is that he deletes all products and customer data from the store little by little. Sure, you have backups, but importing them can often be problematic, or they are outdated.
- **Availability**: Prevention of system failures. We have already written a lot about the availability of online stores and websites. In the case of security-related outages, however, it is usually not so easy to get the server up and running again, because it often involves malicious code on the hard disks, so a simple reboot will not have the desired effect.
To ensure confidentiality, integrity and availability in one's Shopware store, there are many best practices that one should follow. This article lists the most important ones.
Keep Shopware up to date
When you use Shopware, you are relying on a standard system that is already very stable out of the box. This is the good side of standards. The bad side is that you can often be attacked by standardized procedures. It's important to understand that the typical attack on an online store is not a hacker trying to infiltrate this one store specifically; instead, attackers take a standard attack and try it on as many sites as possible. There is bound to be one store where it works.
Tools like builtwith.com are a great help because they provide lists of all known Shopware stores. This is of course worth its weight in gold for attackers. So let's remember: it's good to build on standards, but that also means being exposed to standard attacks.
However, the solution to this is usually relatively simple: keep the store up to date. Thanks to Shopware's wide distribution, security vulnerabilities are found quickly and then also fixed, often even before hackers notice them. Shopware 5 and Shopware 6 are very aggressive about announcing updates. This is also important, because skipping versions is not advisable.
If you clicked away the pop-up with the update info at the start, you can always find it under Einstellungen > System > Shopware Update.
Track Shopware vulnerabilities
Monitoring the Shopware system can also mean getting information from the outside. That's why it's not wrong to follow the most common Shopware channels. If it's specifically about security, then the Shopware page is the first to be recommended, as it has a dedicated section for security updates:
Besides the official channel, there are also portals that specialize in security vulnerabilities:
- CVE Details Shopware - This portal lists all major security vulnerabilities that have been registered.
- CVE Details Symfony - Since Shopware (6) is completely based on Symfony, it can be useful to keep an eye on this project as well. However, this is really more of a professional tip and not feasible or useful for everyone.
Of course, all important "normal" channels should also be followed.
Keep plugins up to date
An outdated Shopware system is the biggest source of danger, but plugins also play a big role. If they are not secure, the Shopware core can be as up to date as you like; the gaps still exist.
When it comes to plugins, we have to divide them into two categories. On the one hand, there are the plugins that are in very wide use. Here, everything that applies to Shopware in general also applies: many potential attackers, but also many people who care about updates. So updating regularly helps a lot.
The other plugin class contains the rather unknown extensions. Security-wise, they can be dangerous because you don't know whether anyone cares about updates. On the other hand, they are often not so vulnerable to standard attacks. Here, you have to decide for yourself which way to go. We would rather choose the top dog, even though it might not include everything you need.
One thing is true for both classes, though. If there is an update, then it should be installed. This is where koality.io can help because thanks to the plugin for Shopware 5 and Shopware 6, our customers are alerted as soon as too many plugins could use an update. Normally, this should apply to every plugin.
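The two sections above (keeping the Shopware core current and keeping plugins current) both come down to the same check: compare what is installed against what is available and alert as soon as anything is behind. The script below is an added example, not code from the article or from koality.io; the inventory it works on is constructed, and the package/plugin names in it are placeholders. In Shopware 6 the core ships as composer packages (`shopware/core` is real), so the same comparison covers both core and plugins; how you fill the inventory (admin plugin manager, `composer outdated`, `bin/console plugin:list`) is left to the operator because the output formats vary between versions.

```python
"""Flag outdated Shopware components from an inventory and decide whether to alert.

Added example; the inventory below is constructed (placeholder names) and the
alert threshold is an assumption. A real run would fill COMPONENTS from the
Shopware admin, `composer outdated` or `bin/console plugin:list`.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    installed: str
    latest: str


# Constructed sample inventory (not real version data).
COMPONENTS = [
    Component("shopware/core", "6.5.8.0", "6.5.8.0"),
    Component("SwagPayPal", "5.1.0", "5.1.0"),
    Component("ExampleCmsExtension", "2.3.1", "2.4.0"),
    Component("ExampleShopBlog", "1.0.7", "2.0.0"),
    Component("ExampleCustomFonts", "0.9", "0.9"),
]


def parse_version(text):
    """Turn '5.1.0', 'v2.4' or '1.0.7-rc1' into a comparable tuple of ints.

    A leading 'v' and any trailing pre-release suffix are ignored; missing
    components are padded with 0 so '2.4' compares equal to '2.4.0'.
    """
    core = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_outdated(component):
    """True when a newer version than the installed one is available."""
    return parse_version(component.latest) > parse_version(component.installed)


def update_kind(component):
    """Classify the pending update as 'major', 'minor', 'patch' or 'none'."""
    old, new = parse_version(component.installed), parse_version(component.latest)
    for label, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if new[i] != old[i]:
            return label
    return "none"


def outdated_components(components):
    return [c for c in components if is_outdated(c)]


def should_alert(components, threshold=1):
    """Alert when at least `threshold` components have an update available.

    The article's stance is that every pending update counts, hence the
    default of 1 (an assumption of this example, not a koality.io setting).
    """
    return len(outdated_components(components)) >= threshold


if __name__ == "__main__":
    for c in outdated_components(COMPONENTS):
        print(f"{c.name}: {c.installed} -> {c.latest} ({update_kind(c)} update)")
    print("ALERT" if should_alert(COMPONENTS) else "all components current")
```

A major-version jump is worth separating in the report: it is the one most likely to need a test run before deployment, while patch releases are the ones that usually carry the security fixes and should go out first.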
Backups
The problem with security holes is that you don't immediately realize that you've been hacked. Sometimes such loopholes are used to create admin users who then don't do anything they're not supposed to until weeks later. Pretty mean, but efficient.
But why do they do this? One reason is backups. The idea is to attack only after the malicious code has already reached the backups, so simply importing an old version is not enough. The solution here can be a clean backup strategy.
- Frequent backups: Depending on how many customers and sales you make, you should also perform backups regularly. We recommend hourly, but daily can also be sufficient.
- Maintain multiple backups: At koality.io, we keep the hourly backup available for 24 hours, save ourselves one daily for a month, and then another for each month. Then after a year we delete it for good. This could also be a simple model for many stores.
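The retention schedule just described (hourly copies for a day, one per day for a month, one per month for a year, then deletion) is easy to state and easy to get subtly wrong when scripted. The following is an added example, not koality.io's tooling; it implements that schedule over a constructed list of backup timestamps, and the 30-day and 365-day window lengths are assumptions standing in for "a month" and "a year". A real run would list the timestamps from the backup storage and feed them to `retention_plan`.

```python
"""Apply an hourly / daily / monthly backup retention policy.

Added example implementing the schedule described in the article. The backup
timestamps are constructed; NOW is fixed so the result is reproducible.
"""
from datetime import datetime, timedelta

# Fixed "current time" for the constructed sample (assumption).
NOW = datetime(2024, 6, 15, 12, 0)


def retention_plan(backups, now, hourly_hours=24, daily_days=30, yearly_days=365):
    """Return (keep, delete) lists for the given backup timestamps.

    Rules, evaluated from newest to oldest:
      * every backup younger than `hourly_hours` is kept;
      * beyond that, the newest backup of each calendar day is kept
        while the backup is younger than `daily_days`;
      * beyond that, the newest backup of each calendar month is kept
        while the backup is younger than `yearly_days`;
      * everything older is deleted.
    """
    keep, seen_days, seen_months = set(), set(), set()
    for ts in sorted(backups, reverse=True):
        age = now - ts
        if age < timedelta(hours=hourly_hours):
            keep.add(ts)
        elif age < timedelta(days=daily_days):
            if ts.date() not in seen_days:
                seen_days.add(ts.date())
                keep.add(ts)
        elif age < timedelta(days=yearly_days):
            month = (ts.year, ts.month)
            if month not in seen_months:
                seen_months.add(month)
                keep.add(ts)
        # older than yearly_days: falls through and is deleted
    delete = [ts for ts in backups if ts not in keep]
    return sorted(keep), sorted(delete)


def sample_backups():
    """Constructed inventory: 48 hourly copies, 24 daily copies at 02:00,
    and a handful of older monthly copies, one of them older than a year."""
    hourly = [NOW - timedelta(hours=i) for i in range(1, 49)]
    daily = [datetime(2024, 5, 20, 2) + timedelta(days=d) for d in range(24)]
    older = [
        datetime(2024, 5, 10, 2),   # first May copy seen in the monthly window -> keep
        datetime(2024, 5, 3, 2),    # second May copy -> delete
        datetime(2024, 4, 1, 2),    # April -> keep
        datetime(2023, 7, 1, 2),    # 350 days old -> keep
        datetime(2023, 6, 1, 2),    # 380 days old -> delete
    ]
    return hourly + daily + older


if __name__ == "__main__":
    keep, delete = retention_plan(sample_backups(), NOW)
    print(f"keep {len(keep)} backups, delete {len(delete)}")
    for ts in delete:
        print("delete", ts.isoformat())
```

Two points worth noting when adapting this: the function never deletes anything itself, it only returns the plan, so the deletion step can be reviewed or dry-run separately; and because a compromised store may have been writing malicious code into backups for weeks, the monthly copies are the ones most likely to predate the intrusion, which is exactly why the schedule keeps them.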
There are many services that specialize in backups in Shopware. However, we have no experience with this at the moment. Therefore, we do not want to make a recommendation.
Choose passwords securely
There is not much to say about this, because many others have done it before us. Nevertheless, it is probably the easiest attack on a website: the password is chosen too easily, and someone gets into the store without any technical security hole at all. So, very briefly:
- Choose a new password for every portal
- Choose a secure password
- Use a password manager
- Choose a very secure password for your e-mail address
Conclusion
It should be possible for everyone to achieve a good basic security for their store, if they take the time to set up a process for this. But this process has to be followed. Tools like koality.io can help with outdated plugins, for example.
It's nice that you are reading our magazine. But what would be even nicer is if you tried our service. koality.io offers extensive website monitoring especially for web projects: uptime, performance, SEO, security, content and tech.