At the beginning of this year, I talked to a fellow developer whom we helped move a Magento site to the BigCommerce Enterprise platform. It was quite a complex BigCommerce site – GraphQL, bundled products, Server Side Cart API, a custom video post type, etc. It was a challenging project, but the end result was satisfying. According to him, he had the most relaxing holiday last year, because he didn't have to worry about server downtime, security patches, server bandwidth issues, etc.
BigCommerce, as a SaaS platform, gives you peace of mind in terms of website security, server bandwidth, DDoS attacks, payment method integration updates, PCI compliance, etc. STILL, some responsibilities lie with merchants to ensure the website's security.
User Access management
- Regularly audit the users who have admin panel access to your site and remove unwanted users.
- Give appropriate access permissions based on their roles (e.g. if someone is handling fulfillment, they don't need access to theme assets).
- BC provides WebDAV access for hosting non-theme assets on the store. Sometimes, developers also upload scripts via WebDAV and link to them from within the theme.
- If a user accesses WebDAV from an infected computer and the WebDAV credentials are compromised, that poses a security risk to the site. So it's recommended to keep WebDAV access disabled for users and enable it on an as-needed basis.
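The audit above can be scripted against an export of your control-panel users. The following is an added example, not code from the original post or from BigCommerce: it reads a constructed CSV export (the column names, the role-to-permission map and the 90-day staleness threshold are assumptions for illustration) and flags users whose permissions exceed their role, users with WebDAV enabled, and accounts that have not logged in recently.

```python
"""Least-privilege audit over a store user export (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are hypothetical.
SAMPLE_USERS_CSV = """email,role,permissions,webdav_enabled,last_login
owner@example.com,owner,orders;customers;products;theme,true,2024-05-01
fulfil@example.com,fulfillment,orders;theme,false,2024-04-28
agency@example.com,developer,theme,true,2023-11-02
temp@example.com,fulfillment,orders,true,2024-04-30
"""

# Maximum permissions each role should hold (assumption; tune to your store).
ROLE_ALLOWED = {
    "owner": {"orders", "customers", "products", "theme"},
    "fulfillment": {"orders"},
    "developer": {"theme"},
}

STALE_AFTER = timedelta(days=90)   # assumed review threshold
AUDIT_DATE = date(2024, 5, 2)      # the "today" used by run_sample()


def audit_users(csv_text, today):
    """Return (email, issue) pairs for every user who needs a review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"]
        role = row["role"]
        perms = {p for p in row["permissions"].split(";") if p}

        # Permissions outside what the role needs.
        allowed = ROLE_ALLOWED.get(role)
        if allowed is None:
            findings.append((email, f"unknown role: {role}"))
        else:
            extra = perms - allowed
            if extra:
                findings.append((email, "permissions beyond role: " + ",".join(sorted(extra))))

        # WebDAV should stay off and be switched on only while a task needs it.
        if row["webdav_enabled"].strip().lower() == "true":
            findings.append((email, "WebDAV enabled; disable unless currently needed"))

        # Accounts nobody has used for a long time are candidates for removal.
        last_login = date.fromisoformat(row["last_login"])
        if today - last_login > STALE_AFTER:
            findings.append((email, f"no login since {last_login}; remove or disable"))
    return findings


def run_sample():
    """Run the audit over the constructed export with the fixed audit date."""
    return audit_users(SAMPLE_USERS_CSV, AUDIT_DATE)


if __name__ == "__main__":
    for email, issue in run_sample():
        print(f"{email}: {issue}")
```

Replace the constructed CSV with the real export and adjust ROLE_ALLOWED to the roles your store actually uses; every finding is a review prompt, not an automatic removal.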
Buy BC theme from trusted sources
- Do not download nulled themes from untrustworthy sites that offer paid themes for free. Malicious code can be injected into such themes, and your site's security can be compromised as a result.
- Always buy themes from trusted sources. I usually prefer to buy themes from the BigCommerce Theme Store, because those themes are vetted extensively and are regularly maintained by the theme providers.
API Keys (Very important)
- As you're using BigCommerce, you may have noticed that you have created several API keys over time, and even though the development work is finished, those keys are still present in the dashboard.
- It's strongly recommended to remove inactive API keys from the site.
- Also, when a private app or a developer requests API key access, make sure you grant only the appropriate scopes.
  E.g. if the app only needs to update inventory once a day, give it access to the product resource only. Don't give access to orders, customers, and other resources.
  Appropriate access for the appropriate use case.
Third Party Apps
- When you're installing an app, make sure you read the scopes the app requests. Always install apps from trusted sources. I would hesitate to install an app if it requests permissions outside of its functionality.
- Apps are hosted on external servers by third-party app providers. If those third-party servers get compromised, it can pose a risk to your website and store data. That's why it's recommended to install apps only from trusted partners and to keep the number of apps to a minimum.
- Too many apps can cause page speed issues and increase the likelihood of security problems.
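Both the API-key advice (grant only the scopes the job needs) and the app-install advice (read the requested scopes before approving) come down to the same check, so here is one added example that serves both; it is not code from the original post or from BigCommerce. It compares the scopes an app or API account requests with the minimum set its stated job needs, and also points out where a modify scope was requested when the read-only variant would do. Scope names follow BigCommerce's `store_v2_*` naming (e.g. `store_v2_products_read_only`); the per-job minimum sets and the modify/read-only pairing are assumptions for illustration and should be derived from what the app actually calls.

```python
"""Scope review for an API account or app install request (added example)."""

# Minimum scopes each job needs (assumption; derive from the real API calls).
MINIMUM_SCOPES = {
    "inventory_sync": {"store_v2_products"},              # writes stock levels
    "inventory_report": {"store_v2_products_read_only"},  # only reads
    "order_fulfillment": {"store_v2_orders"},
}

# Modify scope -> its read-only counterpart (assumed pairing).
READ_ONLY_OF = {
    "store_v2_products": "store_v2_products_read_only",
    "store_v2_orders": "store_v2_orders_read_only",
    "store_v2_customers": "store_v2_customers_read_only",
    "store_v2_content": "store_v2_content_read_only",
}


def review_scopes(purpose, requested):
    """Compare requested scopes with the minimum for `purpose`.

    Returns a dict with:
      excess    - scopes the job does not need at all
      downgrade - modify scopes where the read-only variant would suffice
      missing   - required scopes the request lacks
      approve   - True only when the request is exactly the minimum
    """
    if purpose not in MINIMUM_SCOPES:
        raise ValueError(f"no minimum scope set defined for {purpose!r}")
    needed = MINIMUM_SCOPES[purpose]
    requested = set(requested)

    surplus = requested - needed
    # A modify scope whose read-only twin is what the job needs: ask for the downgrade.
    downgrade = {s for s in surplus if READ_ONLY_OF.get(s) in needed}
    excess = surplus - downgrade
    # A read-only need is technically covered by the broader modify scope,
    # so don't report it as missing when a downgrade is already suggested.
    covered = {READ_ONLY_OF[s] for s in downgrade}
    missing = needed - requested - covered

    return {
        "excess": sorted(excess),
        "downgrade": sorted(downgrade),
        "missing": sorted(missing),
        "approve": not surplus and not missing,
    }


# Constructed requests, as they might be copied from an install prompt.
SAMPLE_REQUESTS = [
    ("inventory_sync", ["store_v2_products", "store_v2_orders", "store_v2_customers"]),
    ("inventory_report", ["store_v2_products"]),
    ("order_fulfillment", ["store_v2_orders"]),
]

if __name__ == "__main__":
    for purpose, scopes in SAMPLE_REQUESTS:
        print(purpose, review_scopes(purpose, scopes))
```

A request is approved only when it matches the minimum exactly; anything in `excess` is a scope to refuse, and anything in `downgrade` is a scope to ask the developer or app vendor to replace with its read-only form.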