Websites can be built in many different ways; Magento, WordPress and BigCommerce are just some of the platforms you can build on. Each has its own benefits and drawbacks, but they also have things in common: all three are software used to create a website and/or an e-commerce store, all receive regular security and feature updates and, most importantly, all rely on underlying server software, whether you manage that software yourself or a provider does it for you.
When approaching cyber security and mitigating risk, at a minimum make sure you are running the latest security patch, which in turn means running a major version of the software that still receives security patches (we are looking at you, Magento 1, which has had no official security patches since June 2020).
Having said that, there is another side to the coin that less technical readers might not fully appreciate. Running software such as Magento or WordPress depends on many other software components, each serving a different function, which together allow your website, blog or e-commerce store to run, and these sit outside the application itself.
For example, with Magento you’ll need the following on your server:
- A web server: Apache2 or NGINX
- PHP
- A database: MySQL
- Elasticsearch (required from Magento 2.4 onwards)
- An MTA (mail transfer agent, i.e. an email server) or a third-party mail service to connect to for transactional emails
- An operating system!
These components all have their own versions, their own release cycles and their own vulnerabilities that need patching regularly. It is therefore important that either you keep them up to date yourself or instruct a third party (potentially your hosting provider) to do so.
PHP
PHP is the worker: it is the scripting language that Magento and WordPress are written in (the bulk of WordPress core is PHP). The PHP branches currently receiving security fixes are 7.4, 8.0 and 8.1. However, whilst the latest version of Magento still supports PHP 7.4, security updates for 7.4 stop on the 28th of November 2022, after which any newly discovered PHP vulnerability goes unpatched on that branch. With this in mind, now is a good time to upgrade your Magento installation and move it to a supported PHP version, so that you stay protected against cyber criminals.
MySQL
MySQL is an RDBMS (relational database management system). MySQL holds all the data: everything you put into your store as well as configuration items. Because it holds your customers, order data, addresses and so on, it is extremely important to protect it, and that includes patching it.
Elasticsearch
Elasticsearch is a search engine that powers the search functions on your Magento store (it is required from Magento 2.4.x). Elasticsearch is free to use and has been since its release in 2010.
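The first practical step is knowing which versions of these components you are actually running and whether they are still supported. The script below is an added example, not code from the original article: it parses the output of `php -v`, `mysqld --version` and the JSON Elasticsearch serves on its root URL, and checks the PHP branch against the published end-of-security-support dates. The Elasticsearch response is a constructed sample, the `http://localhost:9200` address is an assumption, and the EOL table holds only the branches listed (extend it from php.net as new branches ship).

```shell
#!/usr/bin/env bash
# stack_audit.sh: report the versions of the server components under a
# Magento/WordPress site and flag a PHP branch that no longer receives
# security fixes. Added example; not code from the original article.
set -eu

# Last day of PHP security support per branch ("major.minor YYYY-MM-DD"),
# as published on php.net/supported-versions. Extend as branches ship.
PHP_EOL_TABLE="7.3 2021-12-06
7.4 2022-11-28
8.0 2023-11-26"

# Constructed sample of what `curl -s http://localhost:9200` returns from
# Elasticsearch (the address is an assumption; adjust to your search host).
SAMPLE_ES_JSON='{
  "name" : "web-1",
  "version" : {
    "number" : "7.17.7",
    "build_flavor" : "default"
  },
  "tagline" : "You Know, for Search"
}'

# ISO date -> integer, so two dates can be compared with -gt.
date_int() { printf '%s' "$1" | tr -d -; }

# "major.minor" from `php -v` output, e.g.
# "PHP 7.4.33 (cli) (built: Nov  2 2022 11:07:11) ( NTS )" -> "7.4".
php_branch() {
    printf '%s\n' "$1" | sed -nE '1s/^PHP ([0-9]+\.[0-9]+)\..*/\1/p'
}

# "supported", "unsupported" or "unknown" for a PHP branch on a given date.
php_support_status() {   # $1 = branch, $2 = today (YYYY-MM-DD)
    local eol
    # Force string comparison so "8.1" never matches a future "8.10".
    eol=$(printf '%s\n' "$PHP_EOL_TABLE" | awk -v b="$1" '($1 "") == (b "") { print $2 }')
    if [ -z "$eol" ]; then
        echo unknown
    elif [ "$(date_int "$2")" -gt "$(date_int "$eol")" ]; then
        echo unsupported
    else
        echo supported
    fi
}

# Full version from `mysqld --version` output (MySQL's format; MariaDB prints
# a different line), e.g.
# "/usr/sbin/mysqld  Ver 8.0.31-0ubuntu0.22.04.1 for Linux on x86_64 ((Ubuntu))" -> "8.0.31".
mysql_version() {
    printf '%s\n' "$1" | sed -nE 's/.*Ver ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'
}

# Cluster version from the JSON Elasticsearch serves on its root URL:
# split the "number" line on double quotes and take the value field.
es_version() {
    printf '%s\n' "$1" | awk -F'"' '/"number"/ { print $4; exit }'
}

# Live audit of this host; only runs when invoked as `stack_audit.sh --live`.
if [ "${1:-}" = "--live" ]; then
    today=$(date +%F)
    if command -v php >/dev/null; then
        b=$(php_branch "$(php -v)")
        echo "PHP $b: $(php_support_status "$b" "$today")"
    fi
    command -v mysqld >/dev/null && echo "MySQL $(mysql_version "$(mysqld --version)")"
    command -v curl >/dev/null && echo "Elasticsearch $(es_version "$(curl -s http://localhost:9200 || true)")"
fi
```

Run it as `bash stack_audit.sh --live` on the web server itself; a result of `PHP 7.4: unsupported` after 28 November 2022 is exactly the situation the section above warns about. The parsing functions take the command output as an argument so they can be checked against captured samples without touching a live host.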
MTA / Email Server
This service sends out emails such as order confirmations and password resets. A reliable email server matters for your business because people do not like waiting for order confirmations: the longer they wait, the more they suspect they have been scammed. A good email server also helps keep customers coming back to your website. Password-reset emails in particular are security-sensitive, so the mail path deserves the same patching attention as the rest of the stack.
Overall Operating System
This is the software that runs the server (the computer), which in turn runs your site software. There are many options: at home it is probably Windows or macOS, but on your Magento or WordPress server it is most likely a ‘flavour’ (distribution) of Linux, e.g. CentOS, Debian or Ubuntu.
That sounds like a lot! How do I protect it all?
The job of cyber security and protecting your information assets is never really done; it is a never-ending and constantly evolving mission. The best step you can take to mitigate the risk is to keep everything up to date and on supported versions, just as you would with your site software.
Packages can generally be kept up to date with your OS package manager (e.g. apt-get upgrade on Debian/Ubuntu, or yum upgrade on RedHat-based systems), and the Linux kernel is updated the same way. Make sure to reboot afterwards: a kernel update only takes effect once the server restarts, so until then you are still running the old, vulnerable kernel.
As well as the above, you should make sure you are running a supported version of your operating system. For example, if you are running Ubuntu 14.04, Debian 7 or Windows Server 2012, you need to upgrade. Whilst you can perform an in-place upgrade, it is generally advisable to build a new server and migrate everything over.
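Putting the two steps above together (identify the OS release, decide whether it is still supported, pick the right upgrade command, and confirm that the reboot after a kernel update actually happened), here is an added example script that is not part of the original article. It reads `/etc/os-release`, compares the release against a small, month-granular end-of-standard-support table (the entries shown are assumptions you should extend from your distributor’s published schedule), and compares the running kernel from `uname -r` with the kernels installed under `/boot`. The os-release content used in the checks is a constructed sample.

```shell
#!/usr/bin/env bash
# os_patch_check.sh: identify the distribution, check whether it is still in
# its support window, pick the package-manager upgrade command, and detect a
# kernel update that is still waiting for a reboot.
# Added example; not code from the original article.
set -eu

# End-of-support month per release ("ID VERSION_ID YYYY-MM"), standard support
# only, not paid extended support. Extend from your distributor's schedule.
OS_EOL_TABLE="ubuntu 14.04 2019-04
ubuntu 16.04 2021-04
debian 7 2018-05
debian 8 2020-06
debian 9 2022-06"

# Constructed sample of /etc/os-release from an old Ubuntu host.
SAMPLE_OS_RELEASE='NAME="Ubuntu"
VERSION="14.04.6 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
VERSION_ID="14.04"'

# One KEY=value field from os-release text, with surrounding quotes removed.
os_release_field() {   # $1 = os-release text, $2 = key
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# "supported", "unsupported" or "unknown" for a release on an ISO date; the
# table is month-granular, so a date inside the EOL month still counts.
os_support_status() {  # $1 = ID, $2 = VERSION_ID, $3 = today (YYYY-MM-DD)
    local eol
    eol=$(printf '%s\n' "$OS_EOL_TABLE" | awk -v id="$1" -v v="$2" \
        '($1 "") == (id "") && ($2 "") == (v "") { print $3 }')
    if [ -z "$eol" ]; then
        echo unknown
    elif [ "$(printf '%s' "$3" | cut -c1-7 | tr -d -)" -gt "$(printf '%s' "$eol" | tr -d -)" ]; then
        echo unsupported
    else
        echo supported
    fi
}

# Upgrade command for the distribution family (ID_LIKE covers derivatives).
upgrade_command() {    # $1 = ID, $2 = ID_LIKE (may be empty)
    case "$1 $2" in
        *debian*|*ubuntu*)        echo "apt-get update && apt-get upgrade" ;;
        *rhel*|*centos*|*fedora*) echo "yum upgrade" ;;
        *)                        echo "unknown" ;;
    esac
}

# Numeric sort key for a kernel release such as "5.15.0-56-generic":
# the first four dot/dash separated numbers, zero-padded to four digits.
kernel_key() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ printf "%04d%04d%04d%04d\n", $1, $2, $3, $4 }'
}

# "yes" when an installed kernel is newer than the running one, i.e. the
# update was applied but the reboot has not happened yet.
reboot_pending() {     # $1 = `uname -r`, $2 = installed kernel versions, whitespace-separated
    local running newest k key
    running=$(kernel_key "$1")
    newest="$running"
    for k in $2; do
        key=$(kernel_key "$k")
        [ "$key" -gt "$newest" ] && newest="$key"
    done
    [ "$newest" -gt "$running" ] && echo yes || echo no
}

# Live check of this host; only runs when invoked as `os_patch_check.sh --live`.
if [ "${1:-}" = "--live" ]; then
    osr=$(cat /etc/os-release)
    id=$(os_release_field "$osr" ID)
    ver=$(os_release_field "$osr" VERSION_ID)
    echo "$id $ver: $(os_support_status "$id" "$ver" "$(date +%F)")"
    echo "upgrade with: $(upgrade_command "$id" "$(os_release_field "$osr" ID_LIKE)")"
    installed=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||')
    echo "reboot pending: $(reboot_pending "$(uname -r)" "$installed")"
fi
```

Run `bash os_patch_check.sh --live` as root on the server. An `unsupported` verdict means patching the packages is no longer enough and the server needs rebuilding on a current release; `reboot pending: yes` means a kernel fix has been downloaded but is not yet protecting you. On Debian and Ubuntu the presence of `/var/run/reboot-required` is a quicker signal for the same condition.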
If you don’t control your hosting server and its associated software, get in touch with your hosting provider and ask them to do all of this for you.