Site Security for eCommerce in 10 steps

Posted by
Nate McGuire in Development category

How to boost your e-commerce site security with these 10 steps.

As an owner of an e-commerce store, you have to juggle hundreds of priorities between customer support, shipping, inventory, payments, refunds, and more. So, it’s no surprise that website security might not make it to the top of the list until there’s an issue.

As e-commerce sales continue to scale worldwide and a larger percentage of your sales and customer touch points happen online, we see security risks and store vulnerability scaling as well. When we work with large DTC brands or fast-growing e-commerce startups, we keep these 10 things in mind to stay secure and to avoid any surprises.

1. Daily Backups On Your Website

It might be a simple thing to do — and it is — but believe us, don’t underestimate it. It’s important to have backups scheduled in advance (by you or your hosting company) and to make sure they have been done properly. If you’ve chosen to take backups yourself, ensure you set a routine for it, with backup scripts running daily on your systems. Ideally these backups are redundant and, if possible, air-gapped.

Important to remember though, this is for business data, not customer credit card data. Don’t store payment info! This simple yet critical action will make sure nothing slips through the cracks. If and when your site goes down, you know you can restore it from backup to get back to selling quickly.

2. Make Sure You Use HTTPS

As you might know, HTTPS is the standard for e-commerce stores, and SSL certificates add an extra security layer to your website and safeguard your customers by keeping the data safe at all times. The ‘S’ of HTTPS stands for ‘Secure’—it means when the data moves between your users and your web server, the data is kept encrypted and secure. This encryption prevents a third party from intercepting the data.

It’s so well-known that many shoppers will actually avoid buying from your store if they don’t see the HTTPS in your URL. The other advantage of making the shift from HTTP to HTTPS is a boost in your Google rankings.

3. Protection against XSS attacks

You won’t believe how many sites fall prey to Cross-Site Scripting attacks. Commonly referred to as XSS attacks, these malicious attacks can hugely compromise the security of your e-commerce store and even enable identity theft.

A few lines of JavaScript code added by the attacker end up running in the user’s browser, which gives the attacker access to the user’s cookie information. Input validation and output escaping are the two solutions to the threat, depending upon the exact nature of the threat.

This is a little bit technical, so if you are not a developer, you can get in touch with an e-commerce security expert to help you out.
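The two defenses named above, applied to a product review form, as an added example that is not code from the original post. The function names, field names, and limits (`escapeHtml`, `validateReview`, `renderReview`, the 1 to 5 rating, the length caps) are assumptions chosen for illustration, and the sample review is constructed.

```javascript
// Added example; all names and limits here are hypothetical, not from the article.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output escaping: neutralise the characters that let text become markup.
// Suitable for HTML element content and quoted attribute values only.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: accept only the shape of data the store expects.
function validateReview(input) {
  const errors = [];
  const rating = Number(input.rating);
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    errors.push('rating must be an integer from 1 to 5');
  }
  if (typeof input.author !== 'string' || !/^[\p{L}\p{N} .'-]{1,40}$/u.test(input.author)) {
    errors.push('author must be 1-40 letters, digits, spaces or . \' -');
  }
  if (typeof input.text !== 'string' || input.text.length === 0 || input.text.length > 2000) {
    errors.push('text must be 1-2000 characters');
  }
  return errors;
}

// Vulnerable: user-supplied text is concatenated straight into the page,
// so any markup in it is interpreted by the visitor's browser.
function renderReviewUnsafe(review) {
  return `<li class="review"><b>${review.author}</b>: ${review.text}</li>`;
}

// Hardened: validate first, then escape every user-controlled value on output.
// Free-text fields pass validation with markup in them, so escaping is what
// keeps that markup inert.
function renderReview(review) {
  const errors = validateReview(review);
  if (errors.length > 0) return { ok: false, errors };
  const html =
    `<li class="review" data-rating="${escapeHtml(Number(review.rating))}">` +
    `<b>${escapeHtml(review.author)}</b>: ${escapeHtml(review.text)}</li>`;
  return { ok: true, html };
}

// Constructed sample input: a review whose text carries markup.
const sampleReview = { author: 'Sam', rating: '5', text: 'Great <script>alert(1)</script> mug & fast "shipping"' };
```

Validation alone does not stop the sample review, because its free-text field is allowed to contain any characters; the escaping step is what turns the tag into harmless text.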

4. Securing Payment Gateways

Letting a third party such as PayPal, Stripe, or handle the payment transactions and storage of Credit Card data away from your website is a much better option than storing the credit card information of your clients on your database directly.

5. Git / SFTP instead of FTP

It used to be that the normal way to upload files from your computer to the webserver was the File Transfer Protocol (FTP), but these transfers are prone to attacks and lapses. That’s why it makes sense to use encryption, or a secured version called SFTP — again, the S!

SFTP not only protects your file from being compromised but also protects your login credentials while the upload is happening. In addition to SFTP, most hosting providers now support git push deployments which are even more secure.

6. Audit Users And Permissions

It is important to change the credentials once an outside vendor or an employee is no longer associated with any given task on the back-end of your website. If you forget to change the access levels, you might keep the store open to unintentional vulnerabilities. Every company has had employees come and go, and likely has a password that everyone knows and uses. Don’t do that! It’s bad! Change your passwords regularly.

7. Audit 3rd Party Tools And Vendor Access

We know it’s a strategic and often more economic option to use third-party extensions and themes for your e-commerce store. But keep in mind that it’s safe to use only officially supported versions. For instance, Shopify, the extremely popular e-commerce platform, maintains an official Shopify app store that has thousands of themes and extensions you can trust.

Themes and extensions that are widely available — often for free — may carry hidden, back-door passages through which hackers will slip in and destroy your e-commerce store. So please pick carefully, and have a developer review any mission-critical plugins before use.

8. Outside Security Review

Ironically, your customers are often the first to tell you about a malware attack when they spot the big, red warning flashing in their browser. You never know what damage has already been done or how many hundreds of thousands of dollars you might have lost because the malware warning scared away potential customers.

It’s best to use the services of experienced and competent e-commerce development and security experts who can provide penetration testing and malware scanning detection services. They have your back and you can focus on growing your business without worrying about such threats.

9. VPN And Firewall For Code Deployment Access

A web application firewall is essentially your major line of defense against cyberattacks. It is the shield that stays between your website and visitors with nefarious intentions.

Apart from protecting your e-commerce store against malicious SQL injections and intrusions, a web application firewall can also fight DDoS attacks.

10. Evaluate migration to a platform like Shopify or an up-to-date open-source framework

We know business owners in the e-commerce retail industry approach the idea of website migration with some trepidation, largely due to a fear of the unknown. But, as an experienced Shopify Plus agency, we know e-commerce inside and out. One of the biggest risks we see is out-of-date systems wreaking havoc on a business when all they had to do was update the software.

One of the big advantages of a hosted solution is the reliability it provides, by taking care of your servers’ maintenance and also providing you with SSL certificates that encrypt all data using a secure connection. 

At Mayven, we can help with:

  • Security audits
  • eCommerce Migrations
  • Shopify, WordPress, and custom sites

Whether you’re working on migrating to Shopify, want to get off of Magento, or just need an experienced team to evaluate your ecommerce site, we can help. Send us a message at or give us a call on (415) 360-9215 and we’ll make sure everything is secure for you and your customers.

Headquartered in San Francisco, our team of 50+ are fully distributed across 17 countries.