If You Have A WordPress eCommerce Site, You Must Check One Thing Now


There was a time when I didn’t know much about online security, or what most of the acronyms we read all the time in scary blog posts about security actually mean. But then I started developing websites, and then tools for WordPress, and had to learn.

Today, security is a pretty big concern for me personally and for my users. I don’t want to be alarmist, but I also use Orbot on my phone to encrypt and anonymize my mobile data usage.

Right now, in order to protect their users and themselves, all of the companies that process payments online are improving their security. That’s great, but if you’re not careful, it could leave your eCommerce site unable to process payments.

Many of the deadlines in place don’t require change until 2017, but I think you owe it to your customers to make sure you’re on top of security today. So I’d like to walk you through, in a way that is as non-technical as possible, what is changing, why, and how you can protect yourself moving forward.

What Does TLS Even Mean?

When a web server talks with another computer — be it your customer’s browser, or another server such as a payment processor — most of the time it uses either HTTP or HTTPS. The S in HTTPS stands for “secure.” While this requires an SSL certificate, which is something you must have, SSL isn’t the technology that makes the exchange of information secure.

For the most part, TLS is the technology that encrypts messages sent via HTTPS. That encryption is essential. Without it, you’d be sending credit card numbers and other sensitive data in a way anyone can see. With it, you’re sending a seemingly random set of characters across the internet that only the computer that is supposed to receive it can decode.

Sounds Great. What’s The Problem?

In a nutshell, potential hackers try to get your sensitive data by trying to decode your messages with tools that allow them to make thousands of guesses every second about the encryption protecting them. The basic idea behind data encryption is to make it so hard for anyone else to decode the message that it’s just not worth doing. Harder encryption means more guessing, more guessing means more computing power, and computing power equals money.

No encryption is unbreakable, but good encryption takes years, not minutes to break.

But TLS, like all software, evolves over time, and the earlier versions are not as good. TLS 1.0 and TLS 1.1 are no longer considered secure: they are susceptible to certain known vulnerabilities, and their encryption algorithms are not as robust as they need to be to counter modern hackers.

Simply put, the current version of TLS, which is what puts the secure S in HTTPS, is designed for the security threats of today; the older versions are too out of date to use.

Why This Matters To eCommerce Merchants

There are two reasons you should be concerned about this issue if you sell anything online. The first is that you really don’t want to be responsible for one of your customers’ credit card numbers getting stolen. That’s just bad. But also, if you don’t have a server that supports TLS 1.2, with your payment processor configured to use it, you may soon no longer be able to process payments.

This is a challenge that WordPress eCommerce merchants and developers of WordPress eCommerce plugins and payment processors must be aware of. For example, while the current version of our Stripe add-on for Caldera Forms is totally compatible with Stripe’s new and stricter security rules, older versions of our plugins are not.

My Plugins Are Updated. Am I OK?

If you have the latest version of your eCommerce plugin, and of whatever payment gateways you are using, you should be fine, provided your server is properly configured. This is a big challenge. Here at CalderaWP we’ve been working to stay ahead of changes to payment processors. For example, we updated our Authorize.net payment processor for CalderaWP to make sure that it uses their new, more secure API URLs.

But if you have a server that is not properly configured, updating your plugins might not be enough. Some hosts do not provide TLS 1.2 support, or provide out-of-date versions of PHP.

How To Know If Your Server Supports TLS 1.2

Luckily our friend Jason Coleman, the author of Paid Memberships Pro, has a super simple plugin to test for TLS 1.2 support. Simply follow these steps:

  1. Install and activate the plugin “TLS 1.2 Compatibility Test” through the WordPress plugin screen.
  2. In your tools menu, click the “TLS 1.2 Test” link.
  3. At the top of the test page you should see, in big green text, “TLS 1.2 Enabled.” If not, contact your host immediately or get a better host.

That page will also tell you whether your PHP version is up to date. If you’re not on PHP 5.6 or PHP 7, you really should update: those are the only two versions of PHP still supported by the PHP project.
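If you would rather run the same kind of check from the command line (for example over SSH on your host, before installing anything), here is an added example script. It is not Jason Coleman’s plugin and not code from the original post; it assumes PHP has the curl extension and that PayPal’s public TLS 1.2 test host (tlstest.paypal.com, an assumed endpoint you can swap for your own processor’s) only accepts TLS 1.2 or newer. It forces the outbound request to offer TLS 1.2 only, so a failed handshake means your PHP/cURL stack cannot talk to a processor that has dropped TLS 1.0 and 1.1.

```php
<?php
// Added example, not the plugin described in the post.
// Checks whether this PHP + cURL stack can complete an outbound TLS 1.2
// handshake, which is what payment processors now require of your server.
// Written to run on PHP 5.6 as well as PHP 7 (no PHP 7-only syntax).

// ASSUMPTION: this host rejects anything older than TLS 1.2.
// Replace it with your payment processor's documented test endpoint.
define('TLS_TEST_URL', 'https://tlstest.paypal.com/');

/**
 * Report the PHP and cURL/SSL backend versions the request will use,
 * so the output of a failed check is meaningful to your host's support team.
 */
function tls_environment() {
    $curl = function_exists('curl_version') ? curl_version() : array();
    return array(
        'php_version'  => PHP_VERSION,
        'curl_version' => isset($curl['version']) ? $curl['version'] : 'curl extension missing',
        'ssl_backend'  => isset($curl['ssl_version']) ? $curl['ssl_version'] : 'unknown',
    );
}

/**
 * Make an HTTPS request while forcing the client side to offer TLS 1.2 only.
 * Returns array('ok' => bool, 'http_code' => int, 'error' => string).
 */
function tls12_handshake_works($url) {
    if (!function_exists('curl_init')) {
        return array('ok' => false, 'http_code' => 0, 'error' => 'curl extension missing');
    }
    if (!defined('CURL_SSLVERSION_TLSv1_2')) {
        // The constant appeared in PHP 5.5 / libcurl 7.34; older builds
        // cannot even ask for TLS 1.2, which is itself the answer.
        return array('ok' => false, 'http_code' => 0,
                     'error' => 'PHP/cURL too old to select TLS 1.2');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // offer TLS 1.2 only
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate validation on
        CURLOPT_SSL_VERIFYHOST => 2,     // and hostname matching
        CURLOPT_TIMEOUT        => 15,
    ));
    $body  = curl_exec($ch);
    $code  = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error = curl_error($ch);
    curl_close($ch);

    // Any completed HTTP exchange proves the TLS 1.2 handshake succeeded;
    // the status code itself does not matter for this check.
    return array(
        'ok'        => ($body !== false && $code > 0),
        'http_code' => $code,
        'error'     => $error,
    );
}

$env = tls_environment();
printf("PHP %s, cURL %s (%s)\n",
       $env['php_version'], $env['curl_version'], $env['ssl_backend']);

if (version_compare(PHP_VERSION, '5.6.0', '<')) {
    echo "WARNING: PHP older than 5.6 is no longer supported by the PHP project.\n";
}

$result = tls12_handshake_works(TLS_TEST_URL);
if ($result['ok']) {
    echo "TLS 1.2 Enabled (HTTP " . $result['http_code'] . ")\n";
} else {
    echo "TLS 1.2 NOT available: " . $result['error'] . "\n";
    echo "Contact your host with the version line above.\n";
}
```

Save it as tls12-check.php and run `php tls12-check.php`. Inside WordPress, wp_remote_get() goes through the same cURL (or stream) stack, so if this script fails, requests from your payment plugin to a TLS 1.2-only gateway will fail the same way. The script deliberately leaves certificate verification on; turning it off to make a check “pass” would only hide a different problem (a broken CA bundle) that will also break real payments.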

Stay Safe Friends!

One of the reasons we all love WordPress is its commitment to backwards compatibility. Payment processing companies like Stripe, PayPal and others don’t want to cut off payments by making these changes, but they also can’t afford to open themselves up to fraud and theft.

This is one of the many reasons why keeping your plugins up to date, and using a quality WordPress host, is essential to keeping your WordPress-powered business running. Keeping your WordPress-powered eCommerce site safe and secure is important, but with the right tools and a little vigilance, it shouldn’t be hard.