Five Tips for a More Secure Merchant Site
Computer security is nothing new. There have been white-hat and black-hat hackers
since the first Altair started to blink. But it has never been so easy to
'play' at hacking. Highly developed tools for avoiding or destroying web site
security are available world-wide to anyone with a 1200 baud modem. There are as
many 'black-hat' web sites on the internet as there are 'white-hat' sites, and
things are just now getting warmed up.
There is one thing that might bring you comfort if you take it to heart: there
is simply no such thing as an un-hackable, unstoppable web site. And just as
most locks can be picked by anyone who took a $50 correspondence course, most
web sites can be "messed with" with off-the-net standard utilities
common to any self-respecting hacker's toolbox. And just as with home security,
under normal circumstances you simply will not be able to prevent a determined
or well-equipped burglar. Accept this basic fact of life and then plan to at
least not make it too terribly easy. In the world of computer security there are
very, very few 'James Bond' type capable hackers; many fewer than the popular
press is capable of distinguishing. You can be sure that they are moving in
worlds you will never be exposed to. But right now there are also lots of 'crack
head' hackers out randomly vandalizing neighborhoods. It would be a prudent time
to lock your doors.
Barbarians at the Gate?
What follows are 5 tips for locking the doors on a Miva Merchant e-com
site. Nothing terribly dramatic, but there are links to that stuff at the bottom
of the page. These tips are not anywhere near complete -- but they are better
than nothing. You will learn nothing about 'how to hack' Merchant
on this web site.
1. Put things in context
First thing to do is be realistic. If you are selling a
selection of new age frivolities or small doll houses, you are not exactly prime
to attract malicious hackers. But if you sell fur coats, KKK memorabilia, porn,
or politically oriented merchandise you might gain the attention of a breed of 'grey-hat'
hackers commonly called Samurai. Samurai often specialize in attacks for
geo-social reasons. And they are usually very good. They are better than
you will be able to defend against, in normal circumstances. Not a value judgment
on my part; just simple common sense.
So take things in context: if you might possibly generate
enemies selling the same product line at a store on "Main Street USA",
you may have a problem no matter where you sell your goodies. Even if you
sell small dollhouses some bozo still may smash in your front window; but
the potential risk for you would not justify a high-tech security system. Lock
your doors and get to know your neighbors, but do not be naive and assume that
'no one would harm my doll shop'. Sad truth is that weak prey get
eaten first.
If there are simple, logical steps you can take to protect
your customers you owe it to them to consider the matter. Do what you can, but
do not assume that zillions of evil types are out to steal your dolls. Your
common-sense will protect you from many threats -- listen to it!
2. Keep the door locked
In the case of Miva Merchant, the 'front door' is the Admin
interface. If someone gains access to Admin-level privileges in your mall they
can cause an immense amount of damage in a very short time. After they create a
new administrator's account and lock you out (and you know how to get back in,
don't you?) they are free to rape and pillage until you can figure out what is
going on. There are different types and common attributes for "door
locks":
Passage Set -- this is the default
Merchant security. Kind of like a privacy lock on a bathroom. The least (most?)
you can do is assign a complicated login name with a painful password. Something
like a name of "BezoBallaMenosaPerson" with a password of
"k7JKie98#MqqZ" or some other
god-help-you-if-you-didn't-cut-n-paste-it-somewhere kind of password. You
can be sure that the more painful it is for you, the better it is.
Deadbolt -- Add an IP filter to your
ADMIN.MV file, along with the Passage Set lock. Easy, painless, and effective
security for the common man. Here is
how to make one. But if you do not have access to the ADMIN.MV file or do not
know where it is, then you need to contact someone who does.
Electronic Deadbolt -- Same as a Deadbolt
lock, but run through SSL. This may or may not be an option for you depending on
how your site is hosted and provisioned. Adds processing overhead to your server
and generally runs slower. Your choice. Deadbolts are great for general
site maintenance, and electronic deadbolts when you are working with sensitive
information.
Doormat Alarm -- You can also add a mat
alarm at the front door which sends you email whenever someone attempts to login
to your Admin interface. Here is how to
make one. Once again, this depends on your level of access to your site to
implement. And if you have a lot of administrative activity on your site, it can
get old unless you modify the solution to ignore your own logins; which kind of
defeats the purpose... hmmm...
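One way to keep the doormat alarm useful without muting it for yourself is to combine it with the Deadbolt's address list: record every request for the admin script, but only raise an alert for sources outside your own networks. The sketch below is an added example, not the linked how-to and not Miva code; the log format (Common Log Format), the /store/admin.mv path and the addresses are assumptions made up for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the article): Common Log Format, an admin script
# requested as ".../admin.mv", and this documentation-range "own" network.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28",)]
ADMIN_RE = re.compile(r"/admin\.mv(\?|$)", re.IGNORECASE)
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_allowed(host):
    """True only for a literal IP inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # logged hostname or garbage: never trusted
        return False
    return any(ip in net for net in ALLOWED_NETS)

def review_admin_hits(lines):
    """Split admin.mv requests into (own, foreign) lists of hits."""
    own, foreign = [], []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not ADMIN_RE.search(m["path"]):
            continue
        hit = (m["ip"], m["ts"], m["method"], int(m["status"]))
        (own if is_allowed(m["ip"]) else foreign).append(hit)
    return own, foreign

def alert_summary(foreign):
    """Per-source request counts: the body of the one mail worth sending."""
    return dict(Counter(ip for ip, _ts, _method, _status in foreign))

# Constructed sample lines, not taken from any real site.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2001:09:14:02 -0500] "GET /store/admin.mv HTTP/1.0" 200 5120',
    '192.0.2.44 - - [12/Mar/2001:03:01:17 -0500] "POST /store/admin.mv HTTP/1.0" 200 812',
    '192.0.2.44 - - [12/Mar/2001:03:01:19 -0500] "POST /store/admin.mv HTTP/1.0" 200 812',
    '192.0.2.99 - - [12/Mar/2001:10:00:00 -0500] "GET /store/merchant.mv HTTP/1.0" 200 9000',
    'dialup-7.example.net - - [12/Mar/2001:04:40:51 -0500] "GET /store/ADMIN.MV HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    own, foreign = review_admin_hits(SAMPLE_LOG)
    print(len(own), "own admin hits (logged, not mailed)")
    for src, n in alert_summary(foreign).items():
        print("ALERT", src, n, "admin requests from outside the allowlist")
```

Your own logins still end up in the record, so a login "from you" that you do not remember making remains visible when you review it.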
3. Close the windows
It would not be a 'good thing' to leave your customers'
credit card receipts just lying on the front counter of your store. Apply the
same logic to your Merchant site: remove ALL sensitive transaction information
from your site just as fast as you can. Do not use Merchant to store your
transaction history. When you receive an order from your store, it should
trigger endorphins which drive you to immediately access your site, batch the
order, collect whatever information you wish to archive off-site, and delete
that sucker. Then -- not later, not 'when you remember', not 'when you get
a chance'. Right then, right now. Better to have 10 batches for 10 orders
than to leave 9 orders lying there with (potentially) their pants down around
their ankles.
The longer you leave sensitive information on a public web
site, the longer your exposure to risk. Imagine that you must send an email to ALL
your customers saying:
- "We are sorry to report the theft of your credit card information
from our web site. You should be very careful where you expose your personal
credit information. We were not. Your credit card information is now in the
hands of someone named "KeWL_DuDeZ" in Keshwar, Namibia.
Visit us again soon!
-- Your Former Webmaster"
Miva Merchant is not an accounting system and it was not written as a
secure repository for important business information. It was not written to
teach you the fundamentals of accounting control for your business. Your
customers entrust their confidential information to you with each and every
transaction. If you store that information on a public web server, you are a
fool. It does not matter if it's a web server in Fort Knox: transaction
information should not be stored in public.
4. Know your neighbors
It is very important to know who your host provider actually
is, and how you can contact them in an emergency. If your host provider does not
have a tangible 24x7 point of contact for security matters then you need to find
a new provider ASAP. Hiring a host provider who does not have a formal
security policy is like hiring a burglar alarm company who does not own a
telephone.
It is important to know if you are renting your web space
from the actual owner of the server or from a re-seller. Re-sellers of wholesale
web server space ->can<- be extremely competent people; and they can also
be the most incompetent people on the internet. If you cannot establish a 1-hop,
single source for access to full root administrative privileges on the
computer that houses your domain, you have a problem. Ask your host provider if
they own the computer your domain is physically located on. Ask
them who exactly has full root access to your server. If they simply rent the
space from someone else, can you be assured they can handle it if your domain
gets hacked? I personally know of Merchant sites which are rented from
resellers, who also rented from resellers who rent from wholesalers who in-turn
rent their server space from a 'real' web host provider.
Also, snoop around and find out what other domains are on the
same server. If you find a site named "wArEz_Is_uZ" just two IP
numbers away from your domain on the same server, you have cause for concern.
Finding a site called "mud-wrestling lesbian space vixens who like
hamsters" on the same server might also give you a clue that there are
problems ahead. If you intend to serve your customers as a business
professional, expect the same from your host provider.
Try and find another domain owner whose domain is also on the
same server and start a 'buddy warning system' to let each other know of issues
or site failures.
5. Change the locks when you move in
When you first establish an e-com site it is a good thing to
'clean house'. Remove all scripts, CGI programs, remote control programs;
anything you do not completely know should be on your site. Remove all
sample scripts provided with your domain which you did not personally inspect
and/or install yourself. That includes all Miva sample scripts and any
other trash "samples" that might have been put on your new domain by
your host. Ask your host exactly what must remain for your site to
be functional and delete everything else. Do not ever leave a sample or demo
script, program or application on your domain. Treat each as an open door to
your site until you know otherwise.
There is no point to having a 20-pound digital zirconium lock
on your front door if someone else has a key to your back door. Sample scripts
and demo web applications are often filled with holes you'd never permit if you
knew of them. I know of one domain where a simple one line mistake in the
'sample' mail responder caused a duplicate copy of all their transactions to be
re-emailed to an unknown 'other' email address. The store owner knew the
file was there but told me they "... didn't know what it was used for so I
didn't want to mess with it." They know what it is used for now.
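To make the 'clean house' step repeatable, you can list every script-type or executable file under the web root that is not on the keep list your host gave you, and review each one before deleting it. This is an added example, not code from Miva or from the original page; the extension list, directory layout and file names are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: file types this server might execute; adjust for your host.
SCRIPT_EXTS = {".mv", ".cgi", ".pl", ".php", ".sh"}

def unexpected_scripts(web_root, keep):
    """List script-type or executable files under web_root that are not on
    the keep list (paths relative to web_root, as confirmed by the host)."""
    keep_set = {os.path.normpath(p) for p in keep}
    flagged = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.relpath(full, web_root))
            if rel in keep_set:
                continue
            mode = os.lstat(full).st_mode
            is_script = os.path.splitext(name)[1].lower() in SCRIPT_EXTS
            is_exec = stat.S_ISREG(mode) and bool(mode & 0o111)
            if is_script or is_exec:
                flagged.append(rel.replace(os.sep, "/"))
    return sorted(flagged)

def demo():
    """Build a constructed web root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "store/merchant.mv": 0o644,   # on the keep list
            "store/admin.mv": 0o644,      # on the keep list
            "samples/mailer.mv": 0o644,   # leftover sample script
            "cgi-bin/formtest": 0o755,    # no extension, but executable
            "index.html": 0o644,          # static content, ignored
        }
        for rel, mode in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, mode)
        keep = ["store/merchant.mv", "store/admin.mv"]
        return unexpected_scripts(root, keep)

if __name__ == "__main__":
    for rel in demo():
        print("REVIEW:", rel)
```

The script only reports; deleting stays a decision you make per file after asking your host what it is for.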
This is just a very rough overview of a few ways to consider security for your
Merchant (or any) web site. It is not meant to be conclusive, and implementing
every suggestion here will not turn your site into some sort of fortress. I
intentionally do not mention anything about file and directory level
permissions. There are just way too many ways a server may be configured to
reasonably address OS-level topics here.
To learn more about basic internet security, check out places like:
Miva MIVO! http://www.truxoft.com/miva/security.htm
Anti-Online http://www.antionline.com/
SANS http://www.sans.org/
CERT Center http://www.cert.org/
SIMON http://www.simon-net.com/
Free Security Analysis of your site: http://www.webtrends.net/