Recently there have been several reports of hacking attacks on ecommerce sites. Investigations reveal that the recent behind this latest wave of hacking attacks is the Adminer. Here, in this guide, we explain how this hack occurred and how to fix and secure your site, if you're a victim. If you're one of the lucky few who hasn't been affected by this bug, read on to find how to keep your site protected.
The Adminer is a popular MySQL administration tool that ecommerce site owners use to enable remote access to their databases. The problem here is that most websites leave the Adminer publicly accessible. It paves the way for a hacker to attempt to log into the database of the ecommerce site using the Adminer login page.
Just like all other database tools, entry into the Adminer requires knowledge of the username and password. However, the vulnerability here is that the recent hacks show a way to circumvent this requirement. Hackers can obtain the database credentials if they are stored in configuration files on the server. Most popular ecommerce platforms like Magento and WordPress allow hackers to access the database credentials, as it's stored on the server.
It was found that the earlier versions of Adminer had a security breach via which hackers can access the file system of the server. Hackers can steal your data by looking for files with the extension .php and the word, “adminer.” Once they find the right files, hackers connect their own database instead of the site’s database.
The hacker can then access the contents of the files stored in the server, where the Adminer is installed. Not just the database credentials, hackers can get hold of your core ecommerce files like the wp-config.php (for WordPress) and local.xml (for Magento). Using this, hackers can steal all your login ids and passwords as well as other settings. Once hackers get access to the website’s database, they can manipulate the data.
Here are the steps to take to mitigate the damage done to your website and to prevent hackers from accessing your critical information:
The most effective way to protect your site from online cyber-attacks is by using HTTP with SSL. Get an SSL certificate from a recognized vendor. Install it on your ecommerce site and change the settings. Besides improving security, ecommerce sites with HTTPS get a better ranking from Google, thereby boosting your site's search engine visibility.
While choosing an ecommerce platform, besides the features, you also have to consider the security of the platform. Some of the most secure ecommerce platforms are Magento and WooCommerce. If you’re using Magento 1, you can consider migrating to Magento 2 to enjoy better security and improved features.
Once hackers gain entry into your ecommerce site, they can do a lot of damage to your customers by accessing their sensitive data. The best way to avoid this is by not storing sensitive customer data on your site. Opt for tokenization to prevent credit card thefts on your website. Another option is to send an automated email to your customers once every month, reminding them to change their passwords frequently.
Performing regular vulnerability tests on your ecommerce site help you spot risks before it becomes a major security breach. Once you identify security risks, make sure that they are addressed and fixed immediately. Some of the popular vulnerability scan programs include OpenVAS, Retina CS Community, and MBSA.
Make sure to update your ecommerce platform as soon as new versions are released. Also, don't forget to take periodic backups as it ensures that you can retrieve data quickly if your site was unfortunately hacked.
The Adminer hack is one of the many recent cyber-attacks. Note that, it occurred not just among Magento and WP ecommerce site, but Joomla online sites as well. While you cannot 100% guarantee your site from hacker attacks, by following the right security measures, you can increase your site’s security. Make use of the tips listed here and keep your data (and customers’ data) safe.
Techno Infonet is leading India and UK based Website Development, Mobile App Development & Internet Marketing company established in 2004.
Published on November 25 2020
Published on October 20 2020
Published on September 23 2020
Published on September 23 2020
Published on September 14 2020