Website Security & PCI Compliance

Much like death and taxes, hackers are one of the certainties of life on the internet. A single shared server can have dozens of hacked websites on it, and a website can easily be hacked multiple times a year if not properly defended. Being small and obscure isn’t going to save you either. Attackers very seldom target individual sites, at least initially. Your average attacker starts with a network scan of a large block of IP addresses, sometimes several thousand at a time. Once they have a list of addresses that respond, they run a vulnerability scan against those servers.

The vulnerability scan will likely come back with a list of potential exploits that could be used to gain access. The important thing to note here is that an attacker doesn’t need to know your site exists in order to find it, locate a security vulnerability, and exploit it: the scan finds you.

So how do you stay ahead of the hackers?


The easiest way to keep attackers at bay is also the most mundane: update everything. Software vendors constantly release patches for known vulnerabilities, but most sites are woefully behind on them. Updates and upgrades often take a back seat to work that seems to impact the business more directly, but they are the heart of security, because the vulnerability scanner described above is looking for exactly the known flaws that a patch would have closed. That means the CMS core, every plugin and theme, and the operating system and services on the server itself should be checked for updates and kept current on a regular schedule.


Web Application Firewalls

You’re probably familiar with the firewall that runs on your computer, and it should stand to reason that a firewall is even more critical on a server that is constantly exposed to the internet. A Web Application Firewall (WAF) is a piece of software or hardware that sits in front of your website and inspects HTTP requests, blocking the ones that match known attack patterns such as SQL injection or cross-site scripting attempts. A WAF can be a physical appliance you’ve purchased and dropped in a rack, or it can be a service, like CloudFlare, that you route your traffic through before it hits your server. Treat it as a second layer rather than a replacement for patching: a WAF filters the traffic it recognizes as malicious, but the vulnerability underneath is still there.


DDoS Protection

DDoS stands for Distributed Denial of Service, and it’s a method of attack that relies on overpowering a web server by throwing massive amounts of generic traffic at it. A DDoS is less common than an exploit because it generally requires the attacker to control, or rent, a large pool of machines to launch the attack from. Unlike an exploit, which generally seeks to access restricted data on your website, a DDoS exists purely to take you off the web. As a general rule, if you’re being DDoS’d, you’ve either upset someone or you’ve got an attacker testing their abilities on your website. The attacking party has little to gain directly from this kind of attack.

So how do you stop a DDoS? Your two options tend to be to bulk up, meaning add enough resources to absorb the traffic, or to employ a DDoS protection service that filters out the illegitimate traffic before it reaches your site. These services tend to be expensive.

Unless you’re running a very large business, a dedicated DDoS protection service is often fiscally unfeasible. I would recommend leaving this one alone unless you are actually attacked, or looking for a hosting provider that bundles protection at a discount rate, as many do.


Penetration Tests & Vulnerability Scans

A penetration test, or pen-test for short, involves hiring an ethical hacker to attempt to break into your website and show you where it’s vulnerable. Having someone run a basic vulnerability scan is also an option, and often cheaper. The difference? A vulnerability scan looks for holes in your security; a true pen-test tries to exploit them and shows you what an attacker could actually reach.

It’s important, if you’re considering a pen-test, to speak with your hosting provider prior to the test. If you’re on a shared server, your authorized test could look like a real attack against the other websites on that server, and testing systems you don’t own or have permission to test may be illegal. A good ethical hacker should be able to tell you what is legal and what isn’t when it comes to testing a website for vulnerabilities, and should insist on written authorization and an agreed scope before starting.

PCI Compliance

PCI stands for Payment Card Industry, and PCI DSS (Data Security Standard) compliance is a requirement the card brands impose on anyone who accepts card payments, on the web or otherwise. So, how do you find out if your website is PCI compliant?

PCI compliance is often assessed by a compliance scan run on behalf of your payment gateway or merchant account provider. That could be someone like PayPal. Normally, while your site is still small, you’re not going to see many of these. As you start to increase revenue, you’re more likely to get messages from your payment provider asking you to demonstrate compliance.

The next question is how to get there. There isn’t one path to PCI compliance: every scan turns up different results, different vulnerabilities and different requirements to meet. What I can suggest are a few ways to shrink your scope dramatically, or step out of most of it entirely.

The first is to avoid handling credit cards on your website at all. Using services like PayPal Standard and 2Checkout, where the customer is redirected to an external website to pay, removes your server from almost all of the scope of PCI compliance. If you never actually take a card number, you can’t leak one. You will typically still be asked to complete the shortest self-assessment questionnaire, but the card data itself never touches your systems.

The second (almost as good) method is to use a direct-post style integration. In this scenario, visitors type their card number into a form on your website, but the browser sends it straight to the payment gateway without it ever passing through your web server; your server only receives a token or transaction result back. I won’t get into the technical details of how this works, but it greatly lowers your PCI scope. The catch is that the form is still served from your site, so anything that can tamper with your pages, such as a compromised plugin, can redirect where that form posts. Keeping the site patched is part of keeping this scope reduction honest.

As a final note on PCI: never, NEVER, store credit card information on your own website. Even though it’s possible to be PCI compliant while storing card numbers locally, the risk is simply higher than the reward could ever be. Do you remember what happened to Target recently? Imagine that being your business, with hundreds or thousands of customers’ card numbers filched from your store.
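The two scope reductions above, direct post and never storing card data, both rest on one testable claim: a card number never reaches your web server. Below is an added example, not from the book or from any payment vendor, of a check a practitioner would run against captured POST bodies or logs to verify that claim. It looks for 13 to 19 digit runs that pass the Luhn check every card number satisfies, masks anything it finds to the first six and last four digits so the report itself doesn’t become card data, and names the paths that received it. The sample request bodies, field names and token format are constructed for the example; the card numbers are the card brands’ published test numbers.

```python
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote_plus

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled
    (with 10..18 folded to 1..9) and the total must be divisible by 10.
    All card brands' PANs satisfy this; most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four digits (the truncation PCI DSS
    permits for display) so the scan report is not itself card data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs for every Luhn-valid 13-19 digit run in text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_requests(requests: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """URL-decode each form body and return (path, masked_pan) for every
    request in which a card number actually reached the server."""
    hits = []
    for req in requests:
        body = unquote_plus(req.get("body", ""))
        for pan in find_pans(body):
            hits.append((req["path"], pan))
    return hits


# Constructed sample of POST bodies as a server-side capture might record
# them. Field names and the token format are assumptions for this example.
SAMPLE_REQUESTS = [
    # Hosted page / direct post done right: only a gateway token comes back.
    {"path": "/checkout/complete", "body": "order=1234567890123&token=tok_8f3a9c"},
    # A form that posts the card to our own server: this path is in scope.
    {"path": "/checkout/pay", "body": "name=J+Doe&card=4111+1111+1111+1111&exp=12%2F29"},
    # A card number typed into an unrelated field still lands in our logs.
    {"path": "/search", "body": "q=5555555555554444"},
    # Long digit run that is not a card number (fails Luhn): not reported.
    {"path": "/orders", "body": "ref=20240115123045"},
]


if __name__ == "__main__":
    for path, pan in scan_requests(SAMPLE_REQUESTS):
        print(f"card data received on {path}: {pan}")
```

Run this over a sample of decoded POST bodies, and over anything else your server persists (access logs, error logs, database dumps). Any hit under a path you serve means that path is in PCI scope no matter what the integration documentation says. The false positives it filters out, such as the order number and timestamp above, are why the Luhn check matters: a plain regex for sixteen digits will flood you with noise.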

This post is an excerpt from the short e-book, Understanding Websites from a Business Perspective, available on Amazon.

What CMS Should I Choose?

If you’ve ever sat down and tried to figure out how to put your business online, you’ve probably come across thousands of different ways to set up a website. There are self-hosted options like WordPress, Drupal, and Magento along with a plethora of proprietary platforms from personal websites on Wix to massive online stores on BigCommerce. How are you ever going to choose? You can always hire a consultant but never underestimate someone’s ability to make suggestions based on their own needs instead of yours. I’m going to walk through some of the major content and E-Commerce platforms and try to help you understand the difference before you get on your next phone call with a developer ready to sell.

Self Hosted Platforms

What exactly is a self-hosted platform? Well, put simply, a self-hosted platform is a web application you can either buy or download for free that lives on a web server that you own or are leasing. There are two categories here. There are compiled web applications, which are generally considered closed source. These are platforms that someone’s sold you that run on your server, but you or your developers have no access to change the code. All customization must be done by the company you purchased the software from or through administrative tools they provide. If that company goes under, you may have a web application you can no longer support. This is what I would consider the worst of both worlds: you have a web app that you have to manage while still dealing with a single proprietary vendor.

The second option in this space is an open source web application, or a web application that allows you to read and edit the code. Now, there’s a much broader definition of “open source” that includes software licensing as well as code access. Open source usually means something that is free and can be both edited and re-distributed. To quote Wikipedia:

Open-source software (OSS) is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose.[1] Open-source software may be developed in a collaborative public manner. Open-source software is the most prominent example of open-source development.[2]

So why am I making such a big deal about this? Well, not everything you can edit and manage yourself is actually “open source”. Some of the options we’re going to discuss are closed source (owned by a company) but still ship with the code available for you to manage yourself if you choose to.

Before we go on, I would like to formally introduce PHP. According to Gerard Millares, over 75% of the top web sites globally use PHP as their server-side language. PHP is the primary language behind products like WordPress, which powers 74.6 Million websites and Magento, one of the fastest growing E-Commerce platforms on the market. Additionally, PHP is used by Internet leaders like Facebook and Wikipedia.

What makes PHP so powerful is that it’s a scripted language. Unlike an exe on your computer, PHP is present in plain text and is interpreted on the server at request time instead of being compiled before deployment. That means that any application written in PHP that hasn’t been obfuscated can be read and modified by a developer. While there are pros and cons to interpreted languages, the important thing to note now is that any application developed in PHP can be maintained by your own development staff without involving a vendor. Having a PHP application is kind of like owning a nice dependable Ford. You can work on it, your friend knows how to work on it, and you can find another fifteen mechanics in a ten mile radius who can help you if it breaks.

Now, without further ado, let’s get into talking about the actual platforms.


WordPress is the unchallenged king of the internet content world. Powering over 74.6 million websites, it runs a solid 25% of the modern web. The fact that one in every four websites on the planet runs WordPress is a testament to its stability and ease of use. That same popularity makes it the most heavily attacked CMS, which is why the update advice in the security chapter above matters more here, not less.

Now that I’ve touted it, what is WordPress? WordPress started out in 2001 as b2/cafelog, a personal publishing platform, and was forked in 2003 to become WordPress. It’s a CMS, or Content Management System. Simply put, WordPress is a system that lets you log into a web administration panel and create and edit content. WordPress is designed around content (think blogging, publishing, etc.) but has the capacity to handle E-Commerce (online sales) as well. A few of the pros:

  • WordPress is a highly extendable platform. If there’s something you want to do, from simple forms to E-Commerce, there’s a decent chance somebody has written a plugin for it.

  • WordPress is easy to upgrade. WordPress upgrades generally “just work” instead of requiring hundreds or thousands of dollars in development fees and multiple weeks of preparations. In WordPress, you hit a button and you’ve updated your site to the latest version.

  • WordPress is cheap to maintain. In general, because of its overall ease of use, hiring a developer for WordPress is much less expensive than hiring one for most other platforms. There are truly massive numbers of people who know how to work with the platform and are comfortable developing on it. You’re still going to pay a premium for top developers but that premium will be much lower than you might expect.

  • WordPress is cheap to host. Continuing with the cheap theme, WordPress is very cheap to host. A good WordPress host could cost you as little as $20.00/month with cheaper options all the way down to $5.00/month. Even with massive amounts of traffic, you’re unlikely to get past the hundreds when talking about WordPress hosting.

Now that we’ve covered some of the better points, let’s talk about when you might not want to use WordPress:

  • Large Scale E-Commerce – If you’re intending on hosting hundreds or thousands of products on your website, WordPress may not be the best option for you. While plugins like WooCommerce add E-Commerce functionality, it’s not the platform’s primary strong suit. WordPress is perfect for sites that want a primarily informational website with some products, not a site that needs to be primarily products with some information.

  • Recurring Billing/Support – If you intend to build your website around the idea of recurring billing or want a support structure built in, I would recommend looking at other platforms.

This kind of gets into a “what WordPress is and what it’s not” discussion. Do use WordPress for all of your front-end website content. Don’t attempt to turn WordPress into a billing system, a support system, or a full scale web store. There are plugins available for all of these things, but there’s also a time and a place for a plugin vs. using a different system designed for what you’re trying to do.


Magento currently holds a place as the fastest growing E-Commerce platform and for good reason. It’s probably the best free platform available when it comes to putting large numbers of products online. Like WordPress, Magento is written in PHP and can be maintained by your own developers. The pros:

  • Handles large numbers of products well – Magento is surprisingly good at handling anywhere from 500 to 15,000 products. The platform is developed with catalog management in mind and it clearly shows.

  • It has highly configurable products – Out of the box, Magento gives you the ability to heavily configure products. Things like bundles, drop downs, multi-sku products, downloadable products, and more are there right out of the box. No plugins, no coding, it’s just there and it works.

  • Supports most payment & shipping providers – Out of the box, Magento supports most of the major payment & shipping providers.

  • Generally Configurable – Building on the last two points, just about everything is configurable. Magento is the fastest growing E-Commerce platform for a reason. It won’t be pretty but, if you were so inclined, you could launch a functional E-Commerce site from the ground up without touching a line of code. I don’t recommend it, but it can be done.

So, to the cons:

  • Magento is expensive to maintain. I can’t stress this point enough. Magento is a big complex system. The fact that it offers so much out of the box also makes it a bit of a pain to work on from a development standpoint. Most things are configurable but, if you need it to do something that’s not configurable, writing the code can take an exceptionally long time. That translates into higher costs for the business. If you have to have major functionality that Magento doesn’t have, and you can’t find a plugin for it, be prepared to shell out a few thousand dollars, at minimum, for the modification.

  • Magento is expensive to host. In the modern web where speed is a ranking factor, going cheap on hosting no longer makes sense. It’s possible to find relatively fast Magento hosting options as low as $25.00/month but once you start to get popular, expect your monthly hosting bill to be several hundred dollars.

  • Doesn’t handle REALLY large numbers of products well. No, I’m not contradicting myself here. Magento is awesome up to that 15,000 product mark but you’re going to start seeing performance problems when you go higher than that. It can be done but, if you’re intending on launching a 50,000 product store, you may want to budget in a good Engineering team and some very high-end hosting to ensure the site actually works properly.

Back to self-hosted.

Now that I’ve rambled a bit about two of the top platforms, I’d like to get back to the pros and cons of having a self-hosted platform in the first place. When you’re dealing with self-hosted platforms, your major benefits are:

  • Less vendor lock in – There are thousands of companies comfortable working with both of these platforms and many others. If you decide you don’t like your developer, designer, or hosting company, you’re free to pack up and leave. Using a self-hosted platform, you are in full control of who you choose to work with.

  • Extendability – Both Magento & WordPress are written in PHP and are extendable platforms. What that means to you is that they have the ability to be modified beyond their default capabilities if you’re willing to pay someone to make those modifications. This doesn’t sound that important until you get into a situation where you need your website to do something that’s a little out of the ordinary. With an editable self-hosted platform, you can pay someone to build the functionality you need. Using a cloud based service (which we’ll cover next), you’re stuck with the features they’re willing to give you.

  • Easy to Learn – By their nature, popular self-hosted platforms tend to have vibrant communities built around them because they present business opportunities for external vendors. Books, videos, and free tutorials are a few clicks away on the web.

The cons of self-hosted options can be grouped into one major item, you have to manage it.

If there’s a new security patch or upgrade, you or your developer has to apply it. If it breaks, you have to pay someone to fix it. If your hosting isn’t quite fast enough, it’s up to you to go on the hunt to find something different. It’s not quite as bleak as it sounds though. There are plenty of awesome developers and web hosts who can help guide you through some of the challenges of running a website. My only advice is to go in with your eyes wide open and understand that you will need to have these people around to help make a self-hosted site a success.

SAAS Platforms

SAAS stands for Software as a Service and basically means any piece of software you use on the web that you’re not responsible for managing or maintaining. Think of things like Gmail and Facebook. You don’t have to maintain the software for these services. They’re something you just log into and use. There are plenty of E-Commerce options that fall into the same category. Let’s explore a few.


Wix starts off at $10.00/month for their cheapest unbranded package and presents you with a series of templates and a drag-and-drop interface to build a website yourself. If all you need is a basic page on the internet to post your business name, phone number, and some other basic info, look no further. Wix is probably the cheapest, easiest way to cross off the “Have a website” checkbox for your business.

That being said, Wix isn’t going to do all that much for you as far as content or products. If you want to build an industry leading blog or E-Commerce store, Wix isn’t the way to go.


BigCommerce is a SAAS solution for E-Commerce providers that’s designed to scale. Much like Wix, it offers a site builder to create your site without coding experience and is a relatively easy way to get a website with an expandable product catalog up on the web. Plans start at $29.00/month and span upwards to $199.00/month before offering the option to call for an Enterprise package. If your goal is to sell online without managing your platform, BigCommerce might just be the best way to go.


Wait, didn’t we just cover WordPress under self-hosted platforms? Well, yes, let me explain. WordPress is an amazing open-source platform you can download and run anywhere. The hosted WordPress service is a SAAS provider that will give you a WordPress website in an environment you aren’t responsible for managing. For as low as $2.99/month, you’ll have most of the benefits of the most popular CMS in the world without the hassle of figuring out how to install and support it. Using the hosted service, you’ll lose some of your ability to customize, but it’s one option to simplify your blogging experience.

So the upsides of SAAS solutions are pretty obvious. It’s a platform that allows you to log in and (mostly) easily build a website without paying for expensive developers to build it for you. Much like your favorite online services, you log in and it just works. So why wouldn’t you want to go SAAS?

  • Vendor Lock In – Simply put, once you decide on a SAAS vendor, you’re stuck. If you decide you don’t like the customer service somewhere like BigCommerce, or they suddenly make all packages $1,000/month, you can’t just pick up your site and leave. They hold your data and have full control of how your website works. If they decide to take away features you like or change the way something works, there’s nothing you can do about it. You can always go with another provider, but you’re going to have to re-build the website you’ve put so much time and effort into.

  • Feature Availability – If you’re going with a self hosted platform like Magento or the self hosted version of WordPress, you have the capability to hire a developer and have them build out absolutely any functionality you need to run your business. An example here; If you wanted a feature that would allow you to merge customer accounts and none of the platforms we’ve covered had that feature, you have no way to implement that with a SAAS provider without putting in a feature request, waiting, and hoping they give it to you. In the self-hosted world, you can hire a developer and have those features built. In the SAAS world, you get the features they decide to give you.

SAAS solutions can be an excellent way to run a business more cheaply than hiring a vendor to build a website for you but using one of these products is a long term commitment to both the company and the feature set. If you’re just getting started with just a few dollars to spend, using a SAAS vendor can be a quick & easy way to get your first site up and running without investing in something more easily customized. Both options have a time and a place to be used. My goal with this chapter isn’t to push you in one way or the other but to give you a good idea of what’s available when it comes time to make your decision.
