All that fancy PCI and PA-DSS security, firewalls and authentication windows, antivirus and antimalware software we have running on the servers will not help a bit if the person who holds a grudge against you has all the logins to your account. We just spent half a day restoring 30 domains for a client whose webmaster from India decided to resolve an argument by deleting all the domains in the client’s account on the server. This is not the first time, so I decided to write a short article to remind everybody – change the damn passwords!
Here are some examples of situations when you have to change logins or start praying, because nothing will protect you:
- as soon as a third party you hired finishes working on a project – if you need them to work there again, you’ll give them a new password
- as soon as you suspect any of your hires is unhappy with anything
- as soon as you are unhappy with the work and decide to change the developer or webmaster, but before you notify the first offender
- before you let go of an employee who had access to the store
What you need to do:
- disable, or at least change the password for, the store administrator account assigned to that user (you did not give them your master admin account, right?). You can do this in the “Users” menu in X-cart or the “System” -> “All Users” menu in Magento
- change the password for the hosting control panel or notify us and we will change it for you
- change the FTP/SSH password
- remove the email used by that employee and set it as an alias to another user, so you will get messages sent there
- if you are using an IP whitelist for your store’s control panel – remove that person’s IP from the list
Even if that developer or webmaster is a decent person and will not want to do any harm to your business, what if his or her computer gets hacked and a hacker gets the FTP password for your site? I can tell you for a fact, many of those guys are not too paranoid about securing their computers or anything on them, and the longer your active logins sit outside your office, the greater the chance they will be “shared” with somebody else.
Yes, it takes some time to change the logins, but it will keep your store secured and, if you do not want to do it yourself, just send us a quick note. We’ll do it for you and there is no extra charge. Updating logins takes much less time than fixing the mess afterwards.
So, once again: if you used a third-party developer and they are done, or you had to fire an employee who had logins to the store – change the passwords right now!
Keep safe.