Security

Administrator Access Levels

Navigate to Customers —> Administrators, from the home page of your admin area.

Note: Administrators are simply Customer accounts with the Access Key field set to Administrator. By default, regular customers have their Access Key set to Customer. All Customer and Administrator records are stored in the Customers table in the database.

SuperAdmin Accounts

There is one more field in the Customers table that is related to Administrators: IsSuperAdmin. A Super Administrator has full access to everything. Your store must always have at least one SuperAdmin account. By default, Customer Id # 1 is set as the Super Administrator.

Employee / Limited Access Admin Accounts
  1. Click to edit any existing customer record.
  2. Set the field IsSuperAdmin to N or un-check the check box to disable it.
  3. Set the field AccessKey to Administrator(A).
  4. Click Save Changes, making sure the radio button below the Save Changes button is set to Save + View Record.
  5. You should now see a link below the Access Key field that says Edit Cust#123 Access Rules. Click this link to edit the Access Rules for this administrator. You can use this Access Rules page to grant or deny access to any area of your store.

SSL Certificates

SSL Certificates are required for any e-commerce website accepting payments online. SSL provides secure communication between the customer's computer and the web server. Each website (domain name) must have its own SSL certificate.

SSL Certificates are available in 64-bit or 128-bit. 128-bit is more secure, however both are very strong and either will suffice. To purchase an SSL Certificate, you must contact your hosting company.

If you are hosting with Volusion, please follow these steps:
  1. Purchase your SSL certificate online from http://www.volusion.com/ssl_certificate.asp. From this link you have the option to purchase a Volusion brand SSL Certificate. Only three other brands of SSL Certificates may be used: Verisign, Thawte and GeoTrust.
  2. The Volusion staff will process your order and install the certificate for you.

To verify that an SSL certificate is installed on your website:
  1. Go to the home page of your website (storefront).
  2. Change the address bar in your browser to include https rather than just http. For example, if your website is http://www.<yourdomainname>.com then go to https://www.<yourdomainname>.com. If your site comes up at all, then your SSL is installed.
  3. Whenever you are in secure mode you will see a LOCK icon in the right side of the address bar and in the bottom right corner of your browser. You may double click the icon to view the details of the SSL certificate, including the expiry date.

Enabling the SSL Security Seal:

The https and lock icon are both required to verify a website is secured by SSL. However, you can also advertise the fact that your site is secured by displaying an SSL Seal graphic on your website.

  1. Navigate to Marketing —> Nav Menu Promotions, from the home page of the admin area.
  2. Find the appropriate pre-installed SSL Seal from the list, click to remove the check mark from the Hidden check box field to display the seal in your store front. By removing the check mark, you are causing the navigation menu promotion to be displayed on your website, usually on the left side below your navigation menu.

Troubleshooting SSL alert boxes

Third-party scripts installed on your website, such as tracking JavaScripts, are the most common cause of a security alert box popping up when your site is visited securely.

To determine the cause of the problem, try the following in order until the alert box is gone:

  1. Remove any third-party JavaScripts from your website.
  2. View the source of your website, then press CTRL+F on your keyboard to open the FIND dialog box. Search for http:// and go through each occurrence, evaluating whether it is a possible cause of a security alert, as follows:
    • If the occurrence consists of a hyperlink such as <a href="http:// then it is OK.
    • If the occurrence consists of an image source such as <img src="http:// then it is NOT ok. This would cause an alert box.
    • If the occurrence consists of a background image source such as background="http:// then it is NOT ok. This would cause an alert box.
    • If the occurrence consists of a JavaScript source such as <script src='http:// then it is NOT ok. This would cause an alert box.

If you find occurrences above that are NOT ok, change them to https://, provided the server they reference supports SSL. If the referenced server is your own website, you do NOT need an absolute path to your website; use a relative path for all images and hyperlinks.

For example:

  • An absolute URL (aka absolute path) is: http://www.mydomain.com/mypage.asp
  • A relative URL (aka relative path) is: /mypage.asp

Both of the above examples (absolute & relative) link to the exact same place. Therefore, you should always use the relative path when linking between pages and files within your own website. Never use the absolute path. A relative path has NO drawbacks, and is recommended for the following additional reasons:

  • There will never be a problem between SSL and non-secure modes.
  • You can change your domain name anytime and never have to change your hyperlinks.
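
The view-source check from step 2 above can be automated. The following is an added example, not part of the original documentation: it parses a page's source and reports only the http:// references that the browser fetches while rendering (img, script, background, plus iframe and embed, which go beyond the checklist above), ignoring plain hyperlinks. The sample page and its host names are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs whose URL the browser fetches while rendering the page.
# img and script come from the checklist above; iframe and embed are added here.
FETCHED = {("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src")}


class MixedContentFinder(HTMLParser):
    """Collects subresources loaded over plain http:// from a page's source."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.strip().lower().startswith("http://"):
                continue  # relative paths and https:// URLs are fine
            # background="..." triggers a fetch on any element (body, table, td).
            if name == "background" or (tag, name) in FETCHED:
                line, _ = self.getpos()
                self.findings.append((line, tag, name, value.strip()))


def find_mixed_content(html):
    """Return (line, tag, attribute, url) for each insecure subresource."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page source (not from a real store).
SAMPLE = """<html><body background="http://cdn.example.com/bg.gif">
<a href="http://www.example.org/">partner site</a>
<img src="http://img.example.com/logo.png">
<img src="/images/cart.gif">
<script src='http://stats.example.net/track.js'></script>
<script src="https://stats.example.net/track.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

On the sample, the hyperlink on line 2 and the relative image on line 4 are not reported; the background, the absolute image and the http:// script are.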

IP Firewall and Settings

How to configure IP Address Security Rules:

Navigate to Settings —> IP Firewall, from the home page of your admin area. You should now see a purple link at the top of this page titled IP_Address_Security_Rules_Settings. Click the link to view or edit the IP Firewall Settings. Here you will see the following:

  • Config_Block_All_IP_Addresses_To_Admin: Disallows all access to your store's administration area, except for IP addresses that the administrator specifies in Settings > IP Firewall.
  • Config_Enable_IP_Address_Security_Rules_On_Frontend: Enforces the IP address security rules specified in Settings —> IP Firewall. If the administrator would like to utilize the IP Firewall Settings for their store, this box must be checked.
  • Config_Max_Orders_Per_Day_Per_IP: Allows the administrator to specify how many orders a single IP address can place per day. Once this value is reached, this IP address will not be able to place another order for a minimum of 24 hours.

Blocking or Allowing IP Addresses:

Navigate to Settings —> IP Firewall, from the home page of your admin area and click the Add tab. You will be able to edit the following:

  • IP_Range_Begin (required): Allows the administrator to designate any specific IP addresses that they wish to either block from or allow to the store.
  • Allow_Or_Block (required): Tells the system whether to block or allow the IP address or range of addresses the administrator has specified.
  • IP_Range_End: Used for specifying a range of IP addresses to be blocked or allowed. This field designates the final IP address to be blocked or allowed. It is also possible to block a range of addresses and then to allow an IP address or another range of addresses within that blocked range.
  • Applies_To_Admin_Area_Only: Gives the option to block IP addresses from access to the admin area and still allow those IP addresses to browse the storefront.

Note: Please be sure to check the IP address of your computer in order to prevent blocking yourself from the admin area. When you are adding an IP Firewall record it will say at the top above the Details "FYI: Your computer's IP Address is (IP Address)". You can also double check this by going to http://whatismyip.com.
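
To dry-run planned IP Firewall records against your own address before saving them, the rule fields above can be modelled as follows. This is an added example, not Volusion's code: `Rule` and `decide` are hypothetical names, the rule set is constructed, and the precedence used (the narrowest matching range wins) is an assumption based on the allow-inside-a-blocked-range behaviour described above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Rule:
    begin: str                 # IP_Range_Begin
    action: str                # Allow_Or_Block: "allow" or "block"
    end: str = ""              # IP_Range_End (empty means a single address)
    admin_only: bool = False   # Applies_To_Admin_Area_Only

    def span(self):
        lo = int(IPv4Address(self.begin))
        hi = int(IPv4Address(self.end)) if self.end else lo
        if hi < lo:
            raise ValueError(f"IP_Range_End {self.end} is below {self.begin}")
        return lo, hi


def decide(ip, area, rules, block_all_admin=False):
    """Return "allow" or "block" for ip visiting area ("admin" or "storefront").

    Assumed precedence: the narrowest matching range wins, so an allow inside
    a wider block takes effect. block_all_admin models
    Config_Block_All_IP_Addresses_To_Admin as default-deny for the admin area.
    """
    addr = int(IPv4Address(ip))
    best = None  # (range width, action) of the narrowest match so far
    for rule in rules:
        if rule.admin_only and area != "admin":
            continue
        lo, hi = rule.span()
        if lo <= addr <= hi and (best is None or hi - lo < best[0]):
            best = (hi - lo, rule.action)
    if best:
        return best[1]
    return "block" if area == "admin" and block_all_admin else "allow"


# Constructed rule set using documentation address ranges (RFC 5737).
PLANNED = [
    Rule("203.0.113.0", "block", end="203.0.113.255"),
    Rule("203.0.113.40", "allow", end="203.0.113.47"),
    Rule("198.51.100.7", "block", admin_only=True),
]

if __name__ == "__main__":
    my_ip = "192.0.2.10"  # constructed; use the address shown on the Add tab
    print(decide(my_ip, "admin", PLANNED, block_all_admin=True))
```

With Config_Block_All_IP_Addresses_To_Admin enabled, the constructed address 192.0.2.10 is blocked from the admin area because no record allows it, which is the lockout the note above warns about.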