December 15, 2021
 ecommerce site security audit

Brick and mortar stores have security cameras, alarms, anti-theft devices, and even guards. When you’re in the ecommerce space, there’s another layer of protection you need to think about: ecommerce site security.

Customers are expected to give a significant amount of their data to you so they can make purchases — names, addresses, credit card numbers, and sometimes passwords. With all this sensitive data, it is important to learn how to protect your online store, and it’s not just about your customers' information.

In this article, we’ll ask you ten questions that you’ll want to answer if you’re interested in keeping your online store protected. Keep reading to learn how to secure your ecommerce website.

What’s The Worst That Can Happen?

Ecommerce security measures need to be in place for a variety of reasons. Whether it’s staying in compliance or dealing with hackers, there’s a lot to keep in your sights. Especially with the growing shift to ecommerce following the pandemic, retail is a primary target for cyber attacks.

Data breaches can entail stealing information, password guessing, phishing, or even malware infections. Experiencing a breach not only costs you time, money, and reputation, but it chips away at consumer trust as well.

Another common ecommerce security issue is a ransomware attack. Malicious actors can effectively stop your store’s ability to run unless you shell out a hefty sum. Due to the potential revenue that could be lost, especially during a holiday rush, many businesses wind up paying.

It can be a nightmare to deal with, but this could all be avoided by following ecommerce security best practices.

10 Considerations for Ecommerce Site Security

There are plenty of things you can do to lock your site down like Fort Knox. Going through these ten questions will help you safeguard your site and get you on the way to being an expert on ecommerce site security.

First Looks Need Second Glances

1. How Often Do You Look at Your Home Page?

It seems like a no-brainer, but when was the last time you looked at your home page? We generally log into the backend unless we’re looking for something specific. That oversight can lead to missing red flags. There are three major ones: small changes, pop-ups, and redirects.

Small Changes

Small changes like changing a logo or text to display a hacker’s calling card is surprisingly common. Some hackers want to plant their flag and gain notoriety.


Pop-ups advertising products you don’t sell are another warning sign. You can certainly add pop-ups to your site to upsell your own products, but keeping an eye on them to make sure they’re actually yours is always a good idea. Don’t forget to disable your ad-blockers when you’re checking: you can easily miss a malicious pop-up!


Unexpected redirects to other sites that are likely malicious are another reason to take warning. You want traffic to stay on your site and increase your chances of converting visitors. Leading customers away not only affects you, it can put their information at risk and damage your reputation in their eyes.

Being diligent about checking takes time now, but saves a headache later.

Securing Your Customer Base

2. How Much Customer Data Do You Really Need?

Breaches happen even to the best of us. What is really at risk when that happens? Your customer data gets exposed. Storing data like names, addresses, or passwords is unnecessary when you use payment gateways like Stripe.

Keeping that data on file, however, is more than enough to create fraudulent loans in the event of a breach. What’s more, using a payment gateway like Stripe helps you become PCI DSS compliant.

An easy way to mitigate risks if it ever happens at all is not collecting more data than you need. Keep as little data as possible to ensure your customers aren’t at risk. You can’t compromise data you never had in the first place.

3. How Secure are Your Customers’ Accounts?

You can do everything right … and still have customer accounts compromised. Remember the 1995 movie Hackers? Their computer security officer points out that someone didn’t bother reading their carefully-prepared memo on commonly used passwords. Turns out, over 20 years later that’s still actually true.

A common way customer accounts get hacked is through brute force attacks, where a hacker will use easily-available password crackers (yes, you can Google these) and keep guessing until they get the right one.

Nobody likes complicated passwords with special characters they’ll never remember, but it’s certainly safer, especially when your hard-earned money is at risk. Two-factor authentication is another big help, but surprise, surprise: that requires getting people to take the time to do it.

Granted, it’s the user that ultimately opts to be lazy about password security. And if you as a store owner do not enforce it, they won’t have to do it. Look at what happened with Ring security. Even if it was user error, the court of public opinion blames Amazon and not bad password hygiene.

Getting your customers to use strong passwords is the responsibility of the store owner — and not doing it can cost customers a lot of money. It can also cost you reputation points because upset customers can take to social media to talk about their poor experiences.

The Technical Meat and Potatoes

4. Are You On the Right Platform?

The most well-known ecommerce platforms are Shopify, Magento, and WordPress/WooCommerce. One of the reasons they are so popular is that they are very secure solutions.

Related reading: 10 Reasons to Choose WooCommerce >>

You’ll want to build your store on a platform that manages to stay ahead of the game. Regular updates that address security vulnerabilities are a must-have in the platform you choose. Has your top choice had data breaches? Is it known for vulnerabilities left open? Make sure to look into this before committing.

There are other considerations involved too beyond just ecommerce site security, but that’s another conversation.

Looking for one of the most secure ecommerce platforms? Nexcess answers the call.

5. Are You Using the Right Host?

We know hosts aren’t all made the same. Price isn’t the only factor you should be worried about. Some hosting options can affect ecommerce site security. Making the right choice for your store is crucial.

Related reading: Top 10 Questions to Ask a Cloud Hosting Provider >>

When you utilize shared hosting, you’re paying less but potentially risking more. If user accounts aren’t properly separated — and one becomes compromised — that puts everyone on that server at risk. Ensuring your host regularly applies security patches and follows critical security protocols helps you prevent a headache later.

You’ll also want to ask, how do they monitor their networks? What is their protocol for notifying customers about security breaches? Do they provide automatic backups?

Physical security of data centers and where their servers operate is just as important as ecommerce site security. Ask about their plans for servers in case of power outages.

You can certainly opt for cheaper hosting where you handle all of these things yourself. You could also opt for managed hosting services that handle updates and backups while providing you with hosting support, suggestions, and top notch security.

6. Is Your Store’s Software Up to Date?

Updates and patches are released pretty frequently, and with good reason. Exploitative vulnerabilities that can leave you open to attack are coming out faster and faster — leaving you with the task of making sure you’re protected. When you don’t, you open your site up to hackers walking by the all you can eat buffet of access to data.

What needs to be updated? Content management systems, themes, plugins, extensions — and of course your server. Beyond just keeping your ecommerce site secure and protected against vulnerabilities, it can also prevent your site from losing functionality.

A great way to keep tabs on everything is utilizing a hosting provider that provides automatic updates. It’s an easy solution that ensures your site is always at the ready.

Security isn’t a one-and-done deal — all your efforts add up. You can’t rely solely on automated updating to keep you secure, but it does help a lot. However, even the most-secure sites can fall victim to a cyber attack. That’s why there are ten points in this security audit, not just one.

Making A Great Connection

7. Is Your Host PCI DSS Compliant?

If you accept credit card payments — which virtually all online stores do — you have to adhere to the standards set by the payment card industry. An overview of compliance can be found here, but there are over 300 security requirements involved.

PCI DSS Compliance can mean the difference between a sale and a bounce. You can also be fined for noncompliance — and the costs often are the responsibility of the merchants. Being a compliant host saves you money and ensures your customers are using a secure payment gateway.

Here are some basics that you’ll need to include:

  • You need a secure network, which means installing a firewall.
  • Ensure you change your passwords — vendor defaults are not secure.
  • Encrypt the transmission of data.
  • Ensure vulnerability management by updating antivirus programs and versions regularly.
  • Institute strict access control measures and restrict access to cardholder data.
  • Utilize unique IDs for everyone with access to data to monitor usage.
  • Regularly monitor and test networks.

PCI compliance is one of the most important ways to protect your online store because if you want to make sales, your customers need to feel secure typing in their payment information. Ensuring you meet all of the various requirements is a great reason to utilize managed hosting: it's one less thing for you to spend time and energy on.

8. Are You Using SSL Encryption?

Let’s be clear. A whopping 85% of consumers will avoid an unsecure website. If you’re like us, you notice that little lock in browsers like Chrome that confirm the site you’re browsing is secure and has a valid certificate. What certificate are they talking about? It’s your Secure Sockets Layer certificate.

Why does that make a difference? Because if you’re going to give up data in this century, you don’t want to become the victim of identity theft, find your debit cards have been hot carded, or any number of issues surrounding your personal data being used without your consent.

What’s more, it’s actually harder to find unsecure websites. Google, for one, penalizes unsecure sites and that means they rank lower in the SERPs. Combine being harder to find in the first place with customers noticing your site is insecure and that can translate to fewer conversions.

9. Are You Using a CDN?

If you’re new to the ecommerce space, you might be wondering why this is on the list. Isn’t a CDN what you use to get images and content to load faster? Well, yes. But it also can add security functionality to your site.

CDN providers usually provide additional security features such as malware scanning, blocking spam bots, and more. While a CDN doesn’t outright prevent a DDoS attack, it can certainly help mitigate one. Think of it as a security guard — one of its features is that it monitors and identifies unusual traffic. Once it identifies IP addresses they recognize as malicious, it will block requests.

Another bonus? These processes aren’t hosted on your server — they’re hosted through the CDN server, meaning your site speed doesn’t tank while it’s happening.

There are both free and paid CDNs available. Many hosts also provide access to theirs. Make sure you’re using one that updates and patches often — there’s no sense in doing all the work just to use a CDN with lackluster security.

10. Do You Protect Your Connection in Public Spaces?

A lot of the good work you are doing to protect your online store can be undone with one rookie mistake: using an unsecure connection. In this day and age, you can work from anywhere. Free Wi-Fi is the norm in brick and mortar spaces. People like the freedom of getting out of the office (even the home office) and getting their favorite cup of coffee or in a quiet library.

You may be tempted to just log on and take advantage of the free access, but don’t forget — free isn’t always better. If you’re using an encrypted connection, through a VPN, you can access the net without worrying about who has access to your data.

Finding a secure VPN is easy with a little research, and there are plenty of hosts that offer them as well.

Nexcess Makes Ecommerce Site Security Easy

When it comes to ecommerce site security, you’ve got a lot to think about. Unless you’re a huge business with the ability to pay a team to keep a watchful eye, chances are you’re going to be doing a lot of this monitoring yourself.

You absolutely can handle all of this — but if you’re looking to focus your time on more important things like selling and updating the content that drives people to your site, there’s a better option.

Nexcess Fully Managed WooCommerce Hosting “locks up” for you with automatic updates and backups, an ultrafast CDN, and maintaining compliance and certificates. We make it fast, easy, and secure so you can do what you do best: sell.


Nexcess, the premium hosting provider for WordPress, WooCommerce, and Magento, is optimized for your hosting needs. Nexcess provides a managed hosting infrastructure, curated tools, and a team of experts that make it easy to build, manage, and grow your business online. Serving SMBs and the designers, developers, and agencies who create for them, Nexcess has provided fully managed, high-performance cloud solutions for more than 22 years.

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.