nopCommerce Security: A guide by CEO Andrei Mazulnitsyn

Roberto Popolizio

SafetyDetectives had the chance to sit down with Andrei Mazulnitsyn, CEO of nopCommerce, a leading shopping cart solution based on Microsoft technology that currently powers 60,000 ecommerce stores and onboards new ones at a rate of 10,000 per year.

We will find out how nopCommerce protects its customers' data, and then take a look at the present and future trends of eCommerce security.

What is nopCommerce and how does it work?

nopCommerce is a feature-rich open-source eCommerce platform that allows businesses to customize and extend their online stores to meet their unique requirements. It is built on the Microsoft .NET framework and utilizes modern technologies like ASP.NET Core, HTML5, and CSS3.

It offers a wide range of features such as product catalog management, shopping cart, payment gateways, shipping options, and customer management. nopCommerce also supports multi-store and multi-vendor setups, making it suitable for various business models. With its user-friendly administration panel, businesses can easily manage their online stores, customize the UI design, and integrate third-party extensions to expand functionality.

What security measures have you implemented to protect your customers’ data?

First of all, Microsoft's ASP.NET Core framework brings built-in security, which sets it apart from PHP-based platforms that require a protection system built from scratch. For example, ASP.NET has a feature that allows you to create a secure connection between the web server and the database. This is important because it helps protect data from unauthorized access.

To prevent unauthorized access to data during transmission, we employ SSL encryption techniques that ensure secure browsing and online store checkout.

To stop automated bots from overwhelming our clients' websites, we implement security measures like rate limiting and CAPTCHA challenges.

Additionally, we implement measures like honeypot support to prevent spam, and strong and multi-factor authentication (MFA) to prevent unauthorized access to customer accounts.

nopCommerce also meets all PCI compliance requirements.

Our development team adheres to industry best practices, tracks all the legislative changes (for example, GDPR support) and follows security guidelines to minimize the risk of data breaches. We also keep our platform up-to-date with security patches and regularly release updates to address any identified vulnerabilities.

Lastly, we also collaborate with popular security services and offer them as add-ons and additional plugins on our marketplace.
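The rate limiting mentioned above is usually implemented as a token bucket per client. The following is an added example written for this page, not code from nopCommerce or ASP.NET Core; the client addresses, the refill rate and burst size, and the traffic pattern are all constructed for illustration:

```python
"""Per-client token-bucket rate limiter (added example, not nopCommerce code).

Each client key (for example the source IP) gets a bucket holding up to
`burst` tokens that refills at `rate` tokens per second. A request consumes
one token; when the bucket is empty the request is rejected. The clock is
passed in explicitly so the behaviour is reproducible offline.
"""
from dataclasses import dataclass, field


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    last: float     # timestamp of the last refill


@dataclass
class TokenBucketLimiter:
    rate: float                                   # tokens added per second
    burst: int                                    # bucket capacity
    _buckets: dict = field(default_factory=dict)  # client key -> _Bucket

    def allow(self, key: str, now: float) -> bool:
        """Return True if a request from `key` at time `now` is within the limit."""
        b = self._buckets.get(key)
        if b is None:
            # New clients start with a full bucket.
            b = _Bucket(tokens=float(self.burst), last=now)
            self._buckets[key] = b
        # Refill proportionally to elapsed time, never beyond capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.burst), b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate(limiter: TokenBucketLimiter, requests):
    """requests: iterable of (timestamp, client_key) in time order.
    Returns a list of (client_key, allowed)."""
    return [(key, limiter.allow(key, t)) for t, key in requests]


def count_allowed(results, key: str) -> int:
    return sum(1 for k, ok in results if k == key and ok)


# Constructed sample traffic (not captured data): a scraper bot fires 20
# requests within one second; a human shopper sends 5 requests over 8 seconds.
BOT = "203.0.113.9"
HUMAN = "198.51.100.4"
SAMPLE_REQUESTS = [(i * 0.05, BOT) for i in range(20)] + \
                  [(2.0 * i, HUMAN) for i in range(5)]


def run_sample() -> dict:
    """Apply a 1 request/second limit with a burst of 5 to the sample traffic."""
    results = simulate(TokenBucketLimiter(rate=1.0, burst=5), SAMPLE_REQUESTS)
    return {BOT: count_allowed(results, BOT), HUMAN: count_allowed(results, HUMAN)}


if __name__ == "__main__":
    print(run_sample())   # bot: 5 of 20 allowed, human: 5 of 5 allowed
```

With these settings the bot gets its first five requests through and is then throttled, while the human's slower pace never empties the bucket. In production the client key must come from the real remote address; if the store sits behind a CDN or reverse proxy, only trust a forwarded-for header from that proxy, or every client collapses into one bucket.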

And how do you ensure that these security features do not negatively impact websites’ performance and user experience?

We made nopCommerce’s architecture extremely flexible. Users are allowed to switch on/off some security settings. For example, you can turn off CAPTCHA if your website isn’t under a spam attack.

Beware: this can simplify the UX somewhat, but we strongly recommend being rational about such changes.

Our motto is "if you want people to stick to your security measures, you should ideally make them invisible." Otherwise, we need to use the full potential of UX design to make users see fewer obstacles blocking their journeys.

What are the most common vulnerabilities faced by your clients, and are they mostly reactive or proactive to those?

Probably the most common vulnerability is the risk of DDoS attacks. The runner-up is phishing attacks threatening sensitive information such as passwords or credit card details. At nopCommerce, we take a proactive approach to address these vulnerabilities, and users who choose our platform don't need to worry about them too much.

Our eCommerce platform has a strong track record of uptime and has not experienced any major service disruptions due to DDoS attacks or phishing incidents, thanks to proactive security measures and continuous monitoring. Our corporate website is powered by nopCommerce and has successfully survived malicious attacks without us paying them much notice.

What proactive measures can ecommerce businesses take to prevent cyber attacks and data breaches?

Always implement strong password policies and enforce two-factor authentication. Employing secure payment gateways and encryption protocols ensures that customer payment information remains protected.

Regularly updating software, plugins, and themes is crucial to patch any identified vulnerabilities.

In this context, conducting regular security audits and vulnerability assessments helps identify and address potential weaknesses. Implementing a robust firewall and intrusion detection system adds an extra layer of defense.

Additionally, educating employees on security best practices, such as recognizing phishing emails and practicing safe browsing habits, is essential.

Creating data backup and disaster recovery plans ensures business continuity in case of an incident. Also having a comprehensive incident response plan in place enables businesses to respond swiftly and effectively to any security breach.

Security Checklist for nopCommerce websites

  • Set up a password policy
  • Enable MFA and SSL
  • Take regular backups
  • Keep all your software, plugins and theme updated
  • Schedule regular security audits
  • Train your employees on security best practices
  • Have a disaster recovery plan and incident response plan
  • Choose a secure web hosting provider
  • Restrict backend access by IP address
  • Enable XSRF protection
  • Enable honeypot
  • Enable private key encryption

How do you educate your customers on those practices and online security in general?

We provide comprehensive documentation and user guides that highlight security best practices for our customers.

Our support team is trained to assist customers in implementing security measures and addressing any concerns. Last year, we launched an online course to better educate customers on working with our product. It covers all the development aspects, including security issues.

Furthermore, we offer blog articles, and always welcome our community to ask their questions and share experience on our forum. By promoting security awareness and empowering our customers with the necessary knowledge, we aim to create a safer online environment for their businesses.

How do you stay updated with the latest security threats and vulnerabilities in your industry? What blogs, newsletters etc. do you follow?

To stay updated with the latest security threats and vulnerabilities, we employ several strategies.

First of all, we maintain close partnerships with security researchers and organizations that specialize in identifying and reporting vulnerabilities. For example, we closely collaborate with Internet security and fraud detection services like Cloudflare (cloud cybersecurity) and IP Quality Score (fraud prevention and user validation).

We regularly monitor security advisories and alerts from trusted sources, such as Infosecurity Magazine, The Hacker News, Security Boulevard, and SecurityWeek. We subscribe to industry-leading security blogs, newsletters, and mailing lists that provide insights into the latest threats, best practices, and security updates.

Are there any emerging security threats in the ecommerce industry that you find particularly worrisome?

One concerning threat is the increasing sophistication of phishing attacks and social engineering techniques. Cybercriminals are employing more convincing tactics to trick users into divulging sensitive information or installing malware.

Another concern is the rise of mobile commerce and the associated security challenges. With the growing popularity of mobile devices for online shopping, securing mobile apps and protecting user data on these platforms becomes crucial.

That’s why we made security one of our top priorities when developing the nopCommerce mobile app. To protect all the transmitted data, the app uses Bearer Tokens. The token is issued only to an authorized user and then facilitates the exchange of requests between the client (mobile application) and the server. The server-side token can be revoked, and then clients have to go through the authorization procedure to receive a new token.

Additionally, the expanding Internet of Things (IoT) landscape introduces potential vulnerabilities that can be exploited for inventory management, logistics, and customer engagement.

At nopCommerce, we closely monitor these emerging threats and continually enhance our platform’s security features to mitigate risks and provide a secure environment for our customers.
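The bearer-token flow described in the answer above (issue a token only after authentication, validate it on every request, revoke it server-side and force a fresh login) can be modelled in a few dozen lines. The following is an added example written for this page, not the nopCommerce mobile app's code or API; the user record, the static salt, the one-hour lifetime and the `TokenServer` class are all assumptions made for illustration:

```python
"""Bearer-token session store with server-side revocation (added example).

Not nopCommerce code. Tokens are opaque random strings; the server keeps
only a SHA-256 digest of each token, so a leaked token store cannot be
replayed. Revoking a token deletes its record, after which the client must
authenticate again to obtain a new one. Tokens also carry an expiry.
"""
import hashlib
import hmac
import secrets
from typing import Optional

TOKEN_TTL = 3600.0  # seconds a token stays valid after issue (assumed value)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed user database: username -> PBKDF2 hash. A real store uses a
# random per-user salt; one static salt keeps this example self-contained.
_SALT = b"constructed-static-salt"
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}


class TokenServer:
    def __init__(self) -> None:
        self._tokens = {}  # sha256(token) -> {"user": str, "expires": float}

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        """Issue a bearer token only if the credentials verify."""
        stored = USERS.get(username)
        candidate = _hash_password(password, _SALT)
        # Constant-time comparison; computed even for unknown users so that
        # timing does not reveal whether the username exists.
        if stored is None or not hmac.compare_digest(stored, candidate):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = {"user": username, "expires": now + TOKEN_TTL}
        return token  # returned to the client exactly once, never stored in clear

    def authenticate(self, authorization_header: str, now: float) -> Optional[str]:
        """Return the username for a valid 'Bearer <token>' header, else None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        rec = self._tokens.get(_digest(token))
        if rec is None or now >= rec["expires"]:
            return None
        return rec["user"]

    def revoke(self, token: str) -> bool:
        """Server-side revocation: the token stops working immediately."""
        return self._tokens.pop(_digest(token), None) is not None

    def revoke_all_for_user(self, username: str) -> int:
        """Log a user out of every device, e.g. after a password reset."""
        doomed = [d for d, r in self._tokens.items() if r["user"] == username]
        for d in doomed:
            del self._tokens[d]
        return len(doomed)


def run_flow() -> dict:
    """Walk through login, use, revocation and re-login; returns each outcome."""
    srv = TokenServer()
    good = "correct horse battery staple"
    out = {}
    out["bad_login"] = srv.login("alice", "wrong", now=0.0)             # None
    tok = srv.login("alice", good, now=0.0)
    out["issued"] = tok is not None                                      # True
    out["request_ok"] = srv.authenticate(f"Bearer {tok}", now=10.0)     # "alice"
    out["wrong_scheme"] = srv.authenticate(f"Basic {tok}", now=10.0)    # None
    out["revoked"] = srv.revoke(tok)                                     # True
    out["after_revoke"] = srv.authenticate(f"Bearer {tok}", now=11.0)   # None
    tok2 = srv.login("alice", good, now=12.0)                            # must re-auth
    out["new_token_differs"] = tok2 != tok                               # True
    out["expired"] = srv.authenticate(f"Bearer {tok2}", now=12.0 + TOKEN_TTL)  # None
    return out


if __name__ == "__main__":
    print(run_flow())
```

The token is only as safe as the channel that carries it: it must travel exclusively over TLS (the SSL point made earlier in the interview) and the `Authorization` header must be kept out of server and proxy logs, since anyone holding the raw token is the user until it is revoked or expires.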

About the Author

Over a decade spent helping affiliate blogs and cybersecurity companies increase revenue through conversion-focused content marketing and Digital PR linkbuilding.