Security - High security standards guarantee you a carefree store administration
Wednesday, November 11, 2020

Smartstore regularly tests the code of the core application for security vulnerabilities. We work with security researchers, project managers and developers to prevent new security vulnerabilities from entering Smartstore.

Patches for bugs and security problems are made available to customers in a timely manner. Various vulnerability assessment tools and external vendors are used to test and verify compliance. The complete code base is regularly scanned with these tools.

We also work with GitHub Security Lab to identify affected repositories early and make Smartstore secure. However, if you have found a vulnerability in Smartstore, please let us know immediately.

The most important reason to protect your online store is that, in doing so, you also protect your customers' data.

These tools ensure a secure operation for your Smartstore online store


Granular rights management (ACL) via tree structure and Menu control (Menu Builder) via customer groups

The rights management (ACL) in Smartstore allows very fine-grained assignment of rights. Rights are assigned and controlled in a tree structure in the visual editor. Differentiated rights allow a very precise person- and role-specific assignment of rights to customers and customer groups. Customer groups can be used to control menus, controls, pages, product groups and products. Via the rights management, employees are given only the rights they need.

ACL helps ensure that no one makes changes in areas that are not their responsibility. ACL can also be used to control external, automated access via the Web API very precisely.

The "ACL" feature is a proprietary development of Smartstore AG for the Smartstore e-commerce software and is already included in the Community Edition.


The Smartstore Menu Builder and CMS page navigation

The Smartstore Menu Builder is a visual manager for all types of menus. It allows you to seamlessly embed your own CMS pages into existing menus or simply into a new menu structure, at any position, without programming a single line. All menu items, i.e. existing system menus and also self-created menu items, can be restricted by rights management. Discover the new look of Smartstore in a new way!

Benefits:

  • Improved user experience through professionally designed menu
  • Easy content marketing by inserting new content into existing store navigation
  • Generally better usability
  • Contents, sub-menus and menu structures can be displayed for specific target groups


Display and hide content in a target group oriented way via customer groups

The limitation to customer groups allows the store administrator to restrict access to products, categories, CMS pages and others based on user groups. In a way, the administrator can create a private area for each user group, where only pages and products assigned to that group are displayed.

The following elements can be restricted by customer groups:

  • Product groups
  • Products
  • Discounts
  • Manufacturers/Brands
  • Pages
  • Menus or individual menu items

Rights management via customer groups is a very powerful yet easy-to-use feature. The store admin has the flexibility to give customer groups their own areas by restricting products, product groups, individual CMS pages and menus. This way, a large customer can be shown only products in suitably large bundles, or even a separate page with special products just for that customer.

The "customer groups" feature is a proprietary development of Smartstore AG for the Smartstore e-commerce software and is available starting with the Community Edition.
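The two sections above describe the same mechanism from two sides: rights resolved along a tree (ACL) and storefront content restricted by customer group. The following is an added example of how such tree-structured rights resolve, written for this page; it is not Smartstore's own implementation, and the permission keys, group names and catalog items are constructed for the demonstration.

```python
"""Tree-structured rights resolution for customer groups.

Added example: a minimal model of ACL-style rights on a dotted permission tree,
not Smartstore's own code. Permission keys, group names and catalog items are
constructed (hypothetical) values.
"""
from typing import Dict, Iterable, List, Optional

# True = allow, False = deny; a node without an entry inherits from its parent.
Grants = Dict[str, bool]


def _chain(node: str) -> Iterable[str]:
    """Yield the node itself, then each ancestor, ending with the root ''."""
    parts = node.split(".") if node else []
    while parts:
        yield ".".join(parts)
        parts.pop()
    yield ""


def resolve(grants: Grants, node: str) -> Optional[bool]:
    """Most specific explicit entry on the path wins; None if nothing is set."""
    for n in _chain(node):
        if n in grants:
            return grants[n]
    return None


def is_allowed(groups: Dict[str, Grants], member_of: Iterable[str], node: str) -> bool:
    """Least privilege across groups: any explicit deny beats any allow,
    and a right nobody granted is a right the user does not have."""
    allowed = False
    for g in member_of:
        verdict = resolve(groups.get(g, {}), node)
        if verdict is False:
            return False
        if verdict is True:
            allowed = True
    return allowed


# Constructed groups (hypothetical permission keys, not Smartstore's real ones).
GROUPS: Dict[str, Grants] = {
    "content-editors": {"cms": True, "cms.page.delete": False},
    "catalog-staff": {"catalog": True, "catalog.product.price": False},
    "api-price-sync": {"catalog.product.price": True},  # narrow grant for a Web API client
    "guests": {"catalog.view.retail": True},             # storefront-side customer groups
    "wholesale": {"catalog.view.bulk": True, "cms.page.wholesale": True},
    "administrators": {"": True},                        # allow at the root
}

# Constructed storefront items, each tagged with the right needed to see it.
CATALOG: List[Dict[str, str]] = [
    {"name": "Running shoe, single pair", "needs": "catalog.view.retail"},
    {"name": "Running shoe, 120-pair pallet", "needs": "catalog.view.bulk"},
    {"name": "Wholesale price list (CMS page)", "needs": "cms.page.wholesale"},
]


def visible_items(member_of: Iterable[str]) -> List[str]:
    """Storefront filtering: show only items the visitor's groups may see."""
    member_of = list(member_of)
    return [item["name"] for item in CATALOG if is_allowed(GROUPS, member_of, item["needs"])]


if __name__ == "__main__":
    for user, groups in [("editor", ["content-editors"]),
                         ("sync-client", ["api-price-sync"]),
                         ("both", ["catalog-staff", "api-price-sync"])]:
        print(user, {n: is_allowed(GROUPS, groups, n)
                     for n in ("cms.page.edit", "cms.page.delete", "catalog.product.price")})
    print("wholesale sees:", visible_items(["guests", "wholesale"]))
    print("guest sees:", visible_items(["guests"]))
```

The design choice worth noting is that a deny anywhere in a user's groups wins over an allow elsewhere, and an unmentioned right is a denied right: a Web API client that only needs to write prices gets exactly that node and nothing above it.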


Encryption of sensitive data using a private key

Encryption using a "private key" is a process in which sensitive data is encrypted and decrypted with a key, in this case a series of numbers. Smartstore uses this very secure method for sensitive data such as passwords, credit card and bank details. "Private" means that the key must never be passed on or published under any circumstances.


reCAPTCHA on all interactive pages

Google reCAPTCHA protects your website from fraud and abuse

Google reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to prevent malicious software from performing abusive activities on your website. Legitimate users can still log in, make purchases, view pages or create accounts, while fake users are blocked.

The reCAPTCHA benefit

  • Proven: reCAPTCHA has been a leader in bot mitigation for over a decade
  • Customer-friendly: A seamless fraud detection service that stops bots and other automated attacks while letting valid users through
  • Adaptive: reCAPTCHA's risk-based bot algorithms apply continuous machine learning that considers every customer and bot interaction in order to overcome the binary heuristic logic of traditional challenge-based bot detection technologies

Further use cases

  • Scraping: theft of content to redirect advertising revenue or for competitive use
  • Fraudulent transactions: Purchase of goods or gift cards with stolen credit cards
  • Account takeover (ATO): entering stolen credentials to validate stolen accounts
  • Synthetic accounts: Creation of new accounts for advertising value or future abuse
  • False contributions: Publication of malicious links or distribution of false information
  • Money laundering: Bot generated ad click revenues on fraudulent websites

Geo-Blocker

Cyber attacks are increasing significantly. DoS and DDoS attacks are a threat to e-commerce, and more and more online stores are temporarily paralyzed in this way. Fake customer accounts are also often created, for example to place spam in ratings. Much more dangerous, however, are direct hacker attacks by hundreds or thousands of bots simultaneously. The Geo-Blocker protects your Smartstore online store from these bots.

Overview of functions

  • Smartstore Geo-Lock technology detects the exact location of visitors
  • Access restriction based on geo-location and/or IP addresses
  • Definition of IP addresses and address ranges
  • Exception rule for registered customers

The Smartstore "Geo-Blocker" plugin is a proprietary development of Smartstore AG for the Smartstore e-commerce software and is included in the Smartstore Premium Flat; in addition, the plugin can be purchased via the Smartstore Marketplace.
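The function list above (blocking by address range and by location, with an exception for registered customers) hides one detail that decides whether such a blocker works at all: behind a reverse proxy, the address you block on must be the real client, not whatever a visitor wrote into an X-Forwarded-For header. The following added example, which is not the Geo-Blocker plugin's code, shows the decision logic with that detail handled. The blocked ranges use documentation (TEST-NET) prefixes, the country lookup is a constructed stand-in for a real GeoIP database, and the trusted-proxy list is hypothetical.

```python
"""Access decision for an IP/geo block list, including the proxy-header pitfall.

Added example, not the Smartstore Geo-Blocker plugin's code. Blocked ranges are
documentation prefixes, GEO_TABLE is a constructed stand-in for a GeoIP database,
and TRUSTED_PROXIES is a hypothetical list of our own reverse proxies.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

BLOCKED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:bad::/48")]
BLOCKED_COUNTRIES = {"XX"}                                # placeholder country code
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # hypothetical reverse proxies

# Constructed GeoIP stand-in: prefix -> ISO country code.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}


def normalize(addr: str) -> IPAddress:
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so IPv4 rules still match."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> IPAddress:
    """Walk the chain from the TCP peer backwards through X-Forwarded-For, skipping
    hops that are our own trusted proxies; the first hop we did not put there is the
    client. If the peer is not a trusted proxy the header is ignored entirely, since
    any client can send a forged X-Forwarded-For."""
    hops: List[str] = [remote_addr]
    if x_forwarded_for:
        hops += [h for h in (p.strip() for p in x_forwarded_for.split(",")) if h][::-1]
    ip = normalize(hops[0])
    for hop in hops:
        ip = normalize(hop)  # raises ValueError on garbage; the caller refuses access
        if not any(ip in net for net in TRUSTED_PROXIES):
            break
    return ip


def lookup_country(ip: IPAddress) -> Optional[str]:
    for net, code in GEO_TABLE.items():
        if ip in net:
            return code
    return None


def decide(remote_addr: str, x_forwarded_for: Optional[str], registered_customer: bool) -> Tuple[bool, str]:
    """Return (allowed, reason). Unparseable input is refused rather than waved through."""
    try:
        ip = client_ip(remote_addr, x_forwarded_for)
    except ValueError:
        return False, "unparseable client address"
    if registered_customer:
        return True, f"{ip}: registered-customer exception"
    for net in BLOCKED_RANGES:
        if ip in net:
            return False, f"{ip}: in blocked range {net}"
    country = lookup_country(ip)
    if country in BLOCKED_COUNTRIES:
        return False, f"{ip}: blocked country {country}"
    return True, f"{ip}: allowed"


if __name__ == "__main__":
    for args in [("198.51.100.7", None, False),
                 ("203.0.113.5", None, False),
                 ("203.0.113.5", None, True),
                 ("10.0.0.2", "203.0.113.9, 10.0.0.3", False),
                 ("203.0.113.5", "198.51.100.7", False)]:
        print(args, "->", decide(*args))
```

The last two sample calls are the ones to study: with a trusted proxy as the peer, the header is walked back to the real client and the block applies; with an untrusted peer, a forged header naming a clean address does not lift the block.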


SSL Support

SSL, or TLS, is an encryption protocol for secure data transmission on the Internet. The encryption is realized with certificates and so-called keys. SSL encryption ensures that confidential information such as credit card numbers, social security numbers and login data is transmitted securely. Without SSL encryption, data is exchanged between the web server and the browser in plain text, making it easy for attackers to spy on it.

The SSL feature is included in all Smartstore E-Commerce Editions starting with the free Community Edition.

Security checklist for your Smartstore online store

UPDATE IN TIME
Software updates bring you not only new features, but also bug fixes and the removal of vulnerabilities. For this reason it is extremely important to use the currently available software versions. This applies to both Smartstore and the server software.

BACK UP YOUR SMARTSTORE STORE REGULARLY
You can't protect yourself 100% against hackers, but there is a sure way to feel safer: regular backups can save you from many problems. Make regular backups, never keep them on the same server as the original website, and regularly restore your copies to a sandbox to make sure they work properly. Keeping your backup files on the same server as the original website is unsafe for two reasons: you need your copy to survive a server crash, and a hacker who gains access to your server would get their hands on it as well.

USE SECURE PASSWORDS FOR YOUR SMARTSTORE STORE
Did you know that 123456 was the most popular password? The administrator password is the last line of your Smartstore security. Simple passwords can be brute-forced. So use more than 10 characters, including upper and lower case letters as well as special characters like $%! # ^ . This way your password will not be hacked, as it will take even modern devices years to find a match.

DO NOT USE YOUR SMARTSTORE PASSWORD ANYWHERE ELSE
In fact, this Smartstore security rule applies to any password-protected data you have. According to passwordresearch.com, more than 15% of users choose identical passwords for more than one service. Too many people don't realize that using identical passwords for multiple logins carries the risk of losing all your accounts at once.

DO NOT STORE PASSWORDS ON YOUR COMPUTER
A significant share of Trojan software steals stored passwords. Be especially careful with FTP clients and browsers, as passwords are most often stolen through these applications. Never store passwords in such software without a master password (a password that encrypts the other stored passwords and credentials). Ignoring this warning can lead to your login data leaking.

CHANGE PASSWORDS REGULARLY
Passwords should not last a lifetime. We recommend changing passwords every 3-6 months. Even if your passwords have been leaked (and even if the hacker hasn't used them yet), regular changes render the previously leaked data useless. Make sure that passwords are changed for everyone who uses the site.
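The password rules above (more than 10 characters, mixed case, a special character, never a common password like 123456, and a change every 3-6 months) are straightforward to enforce on the server side. The following added example, not Smartstore's own account code, shows a policy check, a salted hash history so that a "new" password cannot quietly repeat an old one, and an age check; the common-password list is a constructed stub, and 180 days is the upper end of the interval recommended here.

```python
"""Password policy, history and rotation checks for store accounts.

Added example, not Smartstore's code. COMMON_PASSWORDS is a constructed stub
(use a full breached-password list in practice); 180 days is the upper end of
the 3-6 month interval recommended on the page.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Sequence, Tuple

COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "12345678"}


def policy_failures(pw: str) -> List[str]:
    """Return every rule the candidate violates (empty list = acceptable)."""
    failures = []
    if len(pw) <= 10:
        failures.append("must be longer than 10 characters")
    if not any(c.islower() for c in pw):
        failures.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("needs an uppercase letter")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        failures.append("needs a special character such as $ % ! # ^")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("is on the common-password list")
    return failures


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; store (salt, digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


def is_reused(pw: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any previous password in the account's hash history."""
    return any(verify_password(pw, salt, digest) for salt, digest in history)


def rotation_due(last_changed: date, today: date, max_age_days: int = 180) -> bool:
    """True once the password is older than the allowed interval."""
    return today - last_changed >= timedelta(days=max_age_days)


def accept_new_password(pw: str, history: Sequence[Tuple[bytes, bytes]]) -> List[str]:
    """Combined gate: policy plus history. Empty list means the change may proceed."""
    failures = policy_failures(pw)
    if is_reused(pw, history):
        failures.append("was used before on this account")
    return failures


if __name__ == "__main__":
    history = [hash_password("Old-Password-1!")]
    for candidate in ("123456", "abcdefghijk", "Old-Password-1!", "Correct-Horse-9!"):
        print(repr(candidate), accept_new_password(candidate, history) or "accepted")
    print("rotation due:", rotation_due(date(2020, 5, 1), date(2020, 11, 11)))
```

Keeping history as salted hashes rather than plaintext matters: the history list is exactly the kind of data a compromised server leaks, and a hash history reveals nothing about the old passwords themselves.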

USE A FIREWALL
Set up a firewall to deny public access to everything but the web server. If you do not have a permanent IP address to access it through the firewall, use a VPN or port knocking technology. You can also install a web application firewall (e.g. Naxsi) to protect your store from SQL injections.

SEARCH THE LOGS FOR ERRORS OR SUSPICIOUS ACTIVITIES
Regularly monitor the Smartstore web server logs and check for errors or suspicious activity.
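"Check for errors or suspicious activity" is easier with a small script than by eye. Smartstore runs on ASP.NET and is typically hosted on IIS, whose W3C logs start with a `#Fields:` header naming the columns. The following added example, not part of Smartstore, parses such a log and reports three things worth a second look: bursts of failed logins from one address, addresses collecting many 404s (automated probing for files that are not there), and every server error. The log lines are constructed sample data using documentation IP ranges; the paths and thresholds are illustrative.

```python
"""Scan IIS W3C web server logs for suspicious activity.

Added example, not Smartstore code. SAMPLE_LOG is constructed sample data with
documentation IP ranges; /login, /admin/orders and the thresholds are
illustrative and should be adjusted to the store's real paths and traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-11-11 08:00:01 10.0.0.5 GET /catalog/shoes - 443 - 198.51.100.20 Mozilla/5.0 200 0 0 120
2020-11-11 08:00:02 10.0.0.5 POST /login - 443 - 198.51.100.20 Mozilla/5.0 401 0 0 35
2020-11-11 08:00:09 10.0.0.5 POST /login - 443 - 198.51.100.20 Mozilla/5.0 302 0 0 40
2020-11-11 08:01:10 10.0.0.5 POST /login - 443 - 203.0.113.7 curl/7.68.0 401 0 0 31
2020-11-11 08:01:11 10.0.0.5 POST /login - 443 - 203.0.113.7 curl/7.68.0 401 0 0 30
2020-11-11 08:01:12 10.0.0.5 POST /login - 443 - 203.0.113.7 curl/7.68.0 401 0 0 33
2020-11-11 08:01:13 10.0.0.5 POST /login - 443 - 203.0.113.7 curl/7.68.0 401 0 0 29
2020-11-11 08:01:14 10.0.0.5 POST /login - 443 - 203.0.113.7 curl/7.68.0 401 0 0 32
2020-11-11 08:01:15 10.0.0.5 POST /login - 443 - 203.0.113.7 curl/7.68.0 401 0 0 30
2020-11-11 08:02:00 10.0.0.5 GET /admin/orders - 443 shopadmin 10.0.0.8 Mozilla/5.0 500 0 0 810
2020-11-11 08:02:30 10.0.0.5 GET /admin/orders - 443 shopadmin 10.0.0.8 Mozilla/5.0 500 0 0 790
2020-11-11 08:03:00 10.0.0.5 GET /wp-login.php - 443 - 203.0.113.7 python-requests/2.24 404 0 2 5
2020-11-11 08:03:01 10.0.0.5 GET /phpmyadmin/ - 443 - 203.0.113.7 python-requests/2.24 404 0 2 4
2020-11-11 08:03:02 10.0.0.5 GET /old/ - 443 - 203.0.113.7 python-requests/2.24 404 0 2 4
this line is truncated and must be skipped
"""


def parse_w3c(text: str) -> Tuple[List[Dict[str, Any]], int]:
    """Return (records, skipped). Each record is keyed by the #Fields names plus a
    parsed 'ts'; lines whose column count disagrees with the header are counted, not parsed."""
    fields: List[str] = []
    records: List[Dict[str, Any]] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()  # IIS escapes spaces inside a field as '+', so whitespace split is safe
        if not fields or len(values) != len(fields):
            skipped += 1
            continue
        rec: Dict[str, Any] = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records, skipped


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any single sliding window."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def failed_login_bursts(records, path="/login", threshold=5, window_seconds=60) -> Dict[str, int]:
    """Client IPs with >= threshold 401/403 responses on the login path inside one window."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r["cs-uri-stem"] == path and r["sc-status"] in ("401", "403"):
            by_ip[r["c-ip"]].append(r["ts"])
    window = timedelta(seconds=window_seconds)
    counts = {ip: _max_in_window(ts, window) for ip, ts in by_ip.items()}
    return {ip: n for ip, n in counts.items() if n >= threshold}


def not_found_scanners(records, threshold=3) -> Dict[str, int]:
    """Client IPs collecting many 404s, typical of automated probing for absent files."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["sc-status"] == "404":
            counts[r["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def server_errors(records) -> List[Tuple[datetime, str, str, str]]:
    """Every 5xx response as (timestamp, path, client, user); errors are also what malformed input leaves behind."""
    return [(r["ts"], r["cs-uri-stem"], r["c-ip"], r["cs-username"])
            for r in records if r["sc-status"].startswith("5")]


def report(text: str) -> Dict[str, Any]:
    records, skipped = parse_w3c(text)
    return {
        "records": len(records),
        "skipped_lines": skipped,
        "login_bursts": failed_login_bursts(records),
        "scanners": not_found_scanners(records),
        "server_errors": server_errors(records),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real log by reading the file into `report()`; the one legitimate failed login from 198.51.100.20 stays below the threshold, while the six rapid failures from 203.0.113.7 and its 404 sweep are both flagged, and the truncated last line is counted rather than crashing the parser.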

USE HTTPS / SSL FOR THE BACKEND
If you use a public hotspot in a café or shopping mall, there is a risk that you will be attacked. To avoid this, use secure connections for logging in. To use SSL, you do not even have to buy a certificate: just generate a self-signed certificate and mark it as trusted in your browser.

FORGET FTP
The FTP protocol was created when the Internet was born, and security was not the concern at that time. Nowadays the use of FTP is highly undesirable, since authentication is done in plain text and can easily be intercepted. Use the SFTP protocol instead; it also frees you from the problems FTP has behind NAT, since not everyone has a public IP address. Follow these instructions to configure SFTP for Smartstore.

USE AN ANTIVIRUS SOFTWARE
Use trusted antivirus software and update it regularly to the latest version, as vendors add information about new malware to their databases daily. This protects your privacy and shields you from malware that steals information and sends it to hackers.

BLOCK UNWANTED COUNTRIES
Protect yourself from hacker attacks and unnecessary load on your server. Use e.g. the Smartstore Geo-Blocker Plugin.
