Solving Online Store Challenges: Starting Up, Shipping, Taxes & Security

Here are some excerpts from our podcast to help you with your online store challenges.

Challenges Store Owners Face with Getting Traffic

Patrick Rauland, eCommerce Consultant

I think the hardest thing is not the technology, the technology is not the hardest part of eCommerce. I think the hardest thing is to get traction: to get traffic, which is traction. That means … It is hard enough. If you have an email signup form on your website, you know how hard it is to get people to sign up for that. Let alone to get someone to trust you enough to purchase something from you. I think planning on how to get people to your site, and through your funnel, through the checkout, is the most important thing you can kind of do now.

Just a couple weeks ago I was talking to a store owner here in Denver, and they sell leather purses, and bags, and they tried SEO, and content marketing. Things that other people are like, “Oh, this is the best. You have to try this.” They kept experimenting, and they found out that what works really well for them is micro influencers, meaning like people posting pictures on Instagram, Twitter, and Facebook, does more for their site than all the SEO and all the content marketing they do. They’ve now focused on, they’ve made it as easy as possible for people to take pictures of their leather bags and post it on Twitter, and that just works better for them.

I just want to, I want to emphasize that you don’t know what’s going to work for your brand, so you have to be willing to experiment. You have to go, “Hm, I think SEO and content marketing are going to be good,” and for most eCommerce sites they are. But, really what sells a leather bag? Probably the picture. They kept experimenting, and they eventually found what got them traction.

Challenges Store Owners Face with the Shipping Process

Robert Gilbreath, ShipStation

I could probably give you one principle that I think folks need to be concerned with and it’s a good problem to have but, it’s the problem of how do I scale and grow my operations. So, yes, we want a lot of sales, but what’s going to happen if we get a lot of them and something that my team put into practice with the last retailer was this idea of almost doing a practice drill. It’s almost a fire drill of ‘what if’?

And the director of fulfillment there at that company would literally time the different steps of the fulfillment process. So he knew down to the seconds how long something took. So he knew, for example, how many people he needed to hire for a season, depending on how many sales he had.

And so with that same idea, you don’t have to be a multimillion-dollar retailer to practice, right? Even if you only shipped three things a week, you should be able to know how long it takes you to ship one thing and then you don’t have to worry if the best thing happens, which is that scaling that happens when your sales go up.

I really think of people optimizing their shipping as sort of this admin flow. And like accounting and taxes, it’s hard, but you can figure it out. There are tools out there to help you and then you don’t have to worry about it anymore. So if you’re a little bit of a road bump figuring those things out and then people can get back to their businesses.

Challenges Store Owners Face with Keeping Up With Tax Laws

Jake Estes, Avalara

It’s a huge burden. There are some states that send out updates that say, “Hey, we’re going to start charging XYZ rate for these products.” Sometimes they’ll, if you subscribe to their website, they’ll notify of rate changes, to general rate changes, but they’re governments, so they’re not always as tech savvy and as tech forward as a lot of businesses, so that’s sort of an archaic way to do business as well.

I would recommend completely automating. Here at Avalara, the power of our engine is that we have a content team of tax attorneys and former CPAs and state and local tax specialists, who are monitoring all of these legislative changes so you don’t have to. If it takes us, a team of a hundred people, to do it, how the heck are you going to do it as a five-person business, where you’re focusing on a ton of different things and everyone’s wearing twelve different hats? It’s very burdensome.

Challenges Store Owners Face with Security

Dre Armeda, Sucuri

It’s a very broad question. I don’t think the landscape will ever completely change. What I mean by that is certainly it’s evolving, and there’s new attacks, or a higher amount of specific types of attacks, but we’ve still got the same issues from before: outdated software, poor credentials, and all that fun stuff that lead to a myriad of attacks. What we’re seeing a lot of are things like reflective attacks. That term reflective isn’t really official. We’re thinking through how to best describe that, but in essence we’re talking about attacks that compromise websites without really compromising them.

What I mean by that, and to put it into perspective, think about the ability to hack a website by hacking a website’s DNS, for instance. Control the DNS, control what the user sees. It’s very different than what we were seeing with, “Hey, look all of a sudden you’ve got, you know, the result spam SEO, because someone’s, eh, uh, injected this cruddy code through a known vulnerability.”

A little bit different. They’re changing their entire user experience from that DNS level. Or think about the ability to attack an ad network that many websites use, and using that to penetrate a website’s defenses. You’ve probably heard it. Over the years there’s this mountain of advertising. Still exists. That’s a tactic that’s been around for a long time. It’s continuing to grow. They’re attacking through less obvious opportunity.

I think we’re also seeing this shift in which attackers move from only targeting a website owner’s audience to targeting the website owner and their infrastructure. As we talk about security in general over the next four weeks, we’ll start to realize this trend of, “wow! Like, it’s not just the application layer.” We need to really think about the entire stack. What are those components? I’m sure we’ll get into that a bit more.

More and more we’re seeing server level scripts added to web servers, and pushing them into these botnets, or IRC bots, and other nefarious actions are happening there that allow abuse to the web server resources. I think that that is where they’re harnessing some really strong opportunities for bigger picture attacks. They opt sometimes for not even injecting a payload. They’re just wanting to use those resources on the server, and that’s super crazy, really.

I’m not sure if you read them, but we’ve put out some quarterly reports where we talk about some of these trends, in fact, and they’re over at our blog at We’ve put out a couple this year. The most recent one here over the last couple weeks. It’s got a lot of really strong information around these trends. Not just in WordPress, but the webscape in general. Super interesting content there.

I think another area that we’re seeing a lot of, it’s an interesting trend that’s continued to rise, is on the SEO spam side. Currently 38% of the infected websites we work with are being infected by it. That’s a pretty big number, man. They’re taking over this stuff, and this has been something that’s been going on for four, five, six years at least since we’ve been in business.

If you think back to the day of, jeez, what was that photo-manipulation script … TimThumb, attacks that were happening there. They were server-side. They were able to penetrate through this script, and they were arbitrarily executing PHP. Through that, they were able to do all sorts of fun stuff. Some of the outcome of that was SEO spam. They’re injecting all this cruddy code into the code base that you have on your server. Next thing you know, you’re serving ads for viva Viagra.

That hasn’t changed. It’s just growing. It’s a trend that I think we’re going to see on the rise. I think what’s interesting about these attacks, is that unlike any other malware distribution, they are not always detected. That’s really challenging when you start to get into those conditional approaches that these attackers are taking, we’re like, hey, geographically connected distribution of this.

If you’re in, let’s say, South America, whatever, and you’re coming to see the site. We might serve that spam every two or three requests. It might be that only through Google, when you’re actually searching the SERPs, and you get your search engine results, you’re coming in, and we’re going to serve you the ads that way. It’s really targeted, it’s very specific, so it’s really, really interesting.
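
As an added illustration for store owners (not part of the podcast and not Sucuri's tooling): because conditional spam shows up only for some visitors or some requests, a check has to compare several captures of the same page across request profiles. The host names, profile labels and captured bodies below are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "shop.example"  # constructed: the store's own host name

_CLEAN = '<a href="/bags">Bags</a><script src="https://cdn.example/app.js"></script>'
_SPAM = _CLEAN + '<a href="https://pills.invalid/buy">cheap</a>'

# Constructed captures of ONE page: (request profile, response body).
# In practice each profile is fetched several times, since the spam may
# appear only on every second or third request.
CAPTURES = [
    ("direct", _CLEAN), ("direct", _CLEAN), ("direct", _CLEAN),
    ("search-referrer", _CLEAN), ("search-referrer", _SPAM),
    ("search-referrer", _CLEAN),
]

class LinkHosts(HTMLParser):
    """Collect external host names referenced by href/src attributes."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).hostname
                if host and host != SITE_HOST:
                    self.hosts.add(host)

def external_hosts(body):
    parser = LinkHosts()
    parser.feed(body)
    return parser.hosts

def conditional_hosts(captures):
    """Return {host: {profile: (hits, total)}} for every external host
    that is NOT present in all captures of all profiles."""
    totals, seen = {}, {}
    for profile, body in captures:
        totals[profile] = totals.get(profile, 0) + 1
        for host in external_hosts(body):
            per_profile = seen.setdefault(host, {})
            per_profile[profile] = per_profile.get(profile, 0) + 1
    return {
        host: {p: (hits.get(p, 0), n) for p, n in totals.items()}
        for host, hits in seen.items()
        if any(hits.get(p, 0) != n for p, n in totals.items())
    }

if __name__ == "__main__":
    print(conditional_hosts(CAPTURES))
```

Legitimately rotating content such as ad slots will also be flagged, so the output is a review list rather than a verdict.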