Safeguarding your Web site -- especially sensitive site areas such as shopping cart software -- against hackers need not be an expensive and time-consuming affair.

With a few basic precautions, you can make your Web site extremely difficult and unrewarding to hack.

Your Web site is most susceptible to hacking through your shopping cart, so choose wisely. Here are three guidelines to help you choose the best one for your business:

Shop around. Use newsgroups such as's Search Newsgroups and online reports such as's Web Store Software Selector to verify the products you want to purchase are safe to use.

Avoid free software. Although it might seem an attractive option, downloading free shopping carts is extremely risky for three reasons: the source of the software is indeterminate; you can't check the creator's credentials; you have no one to hold responsible for hacking incidents.

Buy smart. Several ready-to-use shopping carts on the market today, including EasyCart,, and MerchandiZer, have been designed specifically for the small, online business owner. These are often available at little or no cost.

But be aware: No software comes with a no-hacking guarantee. There's always a chance that a hidden access password, or backdoor, might be lurking.

In 90 percent of all hacking cases, the most vital data had been provided from within the organization. Here are three rules to follow religiously:

Change the default password immediately. Whenever you purchase a ready-to-use shopping cart, your first step should be to change the default password that comes built into the software. Although this might seem an obvious precaution, it's one many people overlook. Change your shopping cart password frequently and guard it zealously.

Change passwords often. Frequently change passwords. Tell relevant passwords only to those who truly need to use them. Use passwords that include letters and numbers, and don't use a password that's easy to guess. Never write your passwords on sticky notes and paste them to your desk or monitor.

Restrict access to passwords. Never allow more than one person the use of your server access password. For example, the person in charge of packaging doesn't need to know your file upload password. If an outside agency designed your Web site, ask for all access passwords and change them immediately.

If any changes need to be made on your site, you provide the password and control access to your server at all times.

Many small, online business owners maintain their central work database and their Web server on the same computer. While this seems convenient -- and necessary for storing such information as product descriptions, prices and images -- any machine connected to the Web is dangerously vulnerable to attack.

Here are two ways you can thwart would-be hackers:

Delete sensitive data from the Web server. Sensitive customer data, such as addresses and credit card information, should never remain on the Web server itself. Even if the server is protected by a password, this data is only a few keystrokes from a talented hacker. Instead, devise an automated system to periodically copy any data stored on your Web server to a machine located on your premises and then delete the data on the Web server.

After the data has been copied to your off-line system, restrict access to that system as well.

Send sensitive data securely. Although the chances of a hacker intercepting data while it's being transmitted are very low, you can protect your customer's most sensitive information by providing a secure connection between your customer's browser and your server.

If you host your Web site on your own server, two companies, VeriSign and Thawte Consulting, offer this security using technology called Secure Sockets Layer (SSL). These companies provide a downloadable device called a digital certificate to verify to your customers that your company is a bona fide business.

If you don't host your own site, ask your Web host to provide a secure connection. Your host probably has a relationship with an SSL provider. It will cost you only a little more and it's worth it; SSL protects your data from hacking and serves as reassurance to your customers.

Regularly and consistently tracking activity on your Web site will help identify hack attacks. Here are three ways to do it:

Monitor server access. Ask your network administrator to install a remote access mechanism that lets you shut down your server remotely as soon as you find evidence of suspicious activity. This will stop any hacking activity in its tracks. Your network administrator should be able to install a real-time alert, such as a beeper alarm or an automatic e-mail message, to inform you of any unauthorized attempts to access your Web server.

Monitor site traffic. Changes in site traffic patterns sometimes indicate a hacker at work. A noticeable dip in traffic could mean something's wrong with your Web site and would require immediate attention. Be sure to monitor site traffic on a regular basis. Run extensive sitewide checks if you notice any inexplicable changes.

Run "preflight" checks. Make it a point for you or one of your employees to check the functionality of the entire site, especially the shopping cart area, every day. Here's a checklist:

  • Check whether the site is accessible on the Web.
  • Check whether the home page displays the correct data.
  • Perform random price checks within the Web site.
  • Check the help function to see whether any data has been altered.
  • Click links in the site to make sure they link to the right pages.
  • Test the results of your search functions.
  • Add random products to your shopping cart and proceed to checkout.

What if you still fall victim to a hacker's attack?

Develop an action plan to minimize further damage to your system and to avoid inadvertent destruction of evidence. Your plan should include:

  • Clear delegation of tasks to specific employees in the case of a security breach.
  • A contact list of your Internet service provider (ISP) and/or Web host, Web site designer, network administrators or any Web security contractors you might want to use to recover from an attack.
  • A contact list of local and national authorities to inform of the incident, including the FBI's 24-hour service for immediate guidance after the attack.
  • Periodic tests of your emergency procedures.

And remember: Firewalls and fancy measures notwithstanding, the big break for a hacker will most likely be one little, vulnerable password.

Copyright © 1995-2000 Pinnacle WebWorkz Inc. All rights reserved. Do notduplicate or redistribute in any form.