top of page

Ecommerce security checklist: how to protect your site from cyber threats


ecommerce site security checklist

If you’re like most merchants who start an online store, you’re probably not questioning the security of your site—until it actually becomes a problem.


But the truth is, every business big and small is vulnerable to security threats.


Small businesses are especially attractive targets to cybercriminals because they often lack the infrastructure to combat attacks. Not to mention that online retail was a top target for cyber attacks in 2021 amid supply chain crises.


To help you avoid becoming another statistic, we’ll discuss top ways to protect your online store from attackers who lurk in the darkest corners of the internet.



What is eCommerce security?


Ecommerce website security involves shielding your site from cybercriminals who may try to steal your website content, data, or your customers’ personal data for their own use. Cyber attacks can take on various forms and are becoming increasingly sophisticated. It's common for people to build an eCommerce website without taking that into account. That’s why it’s paramount to use the right website builder and follow the right security measures from the get-go.



Black text on a light blue background that says "Launch your online store" with a clickable link button that says "Get Started"


The disastrous effects of poor site security


The average cost of a data breach is $4.2 million, according to IBM, with the global cost of cybercrime peaking at $6 trillion last year alone. This takes into account lost sales, customer turnover, and website downtime caused by data breaches.


It’s worth noting that a cyberattack can also have a detrimental effect on your SEO performance by changing the content that search engines see. For example, hackers can stuff your website with irrelevant keywords and load your site with links. Hacked pages that have been injected with HTML, PHP, and Javascript redirects can potentially get you blacklisted on Google—severely stunting your organic growth.


Customers who are exposed to any security issues may additionally air their grievances on review sites, damaging your brand’s reputation. Needless to say that it’s essential to have a clear grasp on your site’s vulnerabilities.


Hackers may hone in on your site for a variety of reasons:


  • To redirect your website visitors to another commercial site

  • To hurt and take over your organic rankings (i.e., SEO spam)

  • To steal your customers' information such as credit card details

  • To install malware on your visitors' devices

  • To hurt your brand’s reputation by vandalizing your website with offensive, political, or other content that serves the hacker's agenda

  • To hijack cookies and Session IDs to gain access to restricted areas

  • To insert malicious code that allows the attacker to control your website remotely (e.g., backdoors)

  • To use your website to send spam emails

  • To launch a distributed denial of service (DDoS) attack



Top security threats to your online store


Let’s take a deeper look at the cybersecurity risk that eCommerce sites face.



Search query language (SQL) injections


One of the most common attacks is known as SQL injection. This is where a hacker inserts malicious code into an input field on a webpage to gain access to the underlying database. Once inside, they can extract sensitive data including customer credit card details, passwords, and other sensitive information. There were 6.2 billion attempted SQL injections between January 2020 and June 2021.



Distributed denial of service (DDoS) attacks


A DDoS attack occurs when a hacker attempts to overload a server with traffic. The goal is to take your website offline or otherwise interrupt your website’s functionality. To do this, a bot sends large volumes of fake traffic to a website to try to overload the server and cause a site crash. This is obviously very damaging for an online store since it prevents customers from browsing, viewing, or purchasing from your website. There were more than 5.4 million DDoS attacks reported during the first half of 2021.



Ransomware


Ransomware is a type of malware (e.g., malicious software designed to cause damage) which encrypts a website's files. Once encrypted, the initiator of the attack demands a ransom from the website owner to decrypt them. Until the ransom is paid, the website or system is unusable. Ransomware attacks can be costly and time-consuming to fix because they involve paying the hacker the “ransom” to restore your data. In 2021, the world saw a 105% surge in ransomware attacks—with JBS USA, the world’s largest meat suppliers, having paid $11 million in Bitcoin for a ransom.



Cross-site scripting (XSS)


Cross-site scripting involves injecting malicious javascript code into a trusted site, like your online store. When an unsuspecting customer visits your page, the attacker uses XSS to send a malicious script. This script will allow the attacker to view your customer’s cookies, credentials (with which they could steal bank information or credit card data), or rewrite an HTML page.



Credential reuse


When a hacker uses stolen credentials (usually from another website) to gain access to your website, it is known as credential reuse. This type of attack exploits the tendency for people to reuse the same password on multiple websites and online services. An attacker may obtain a user’s credentials in a few different ways (e.g., phishing, data breaches, credential stuffing bots, password spraying, etc.). Once hackers have the user’s login information, they can use it to log into other popular websites and thus do more damage.



Ecommerce payment fraud


There are several ways attackers initiate eCommerce payment fraud. In one instance, the fraudster may use illegally obtained credit card numbers to make a purchase on your site. In another instance, the fraudster may take over a customer’s account by purchasing stolen passwords, implementing phishing schemes, or using other unscrupulous means. Once in the account, the hacker may change account details and purchase products. To mitigate these threats, it’s important to take steps to keep your website and your customers’ data as safe as possible.



Website security checklist: 7 steps to protect your eCommerce site


Maintaining good website security is an ongoing process—one that involves working closely with your website builder. Here are seven steps you can take to secure your online store..



01. Choose your eCommerce platform wisely


Your website builder is your number one ally when it comes to website security. Not only do the best eCommerce solutions offer a solid infrastructure but they’re also backed by dedicated security experts.


For example, Wix eCommerce offers enterprise-grade security—fully managed for you 24/7. During the development process, our team incorporates procedures like threat modelling, code review, and penetration tests all aimed at preventing cyber attacks.


Any Wix app partners undergo ongoing security assessments. And Wix itself achieves the highest level of privacy and security compliance, allowing you to accept secure online payments and maintain a highly-vetted network of vendors.



secure online payment module


Wix is equipped to squash any threats that arise ASAP. This is made possible through Wix’s Security Operations Center, machine learning, and other programs that are designed to detect vulnerabilities early on.


In addition to this, Wix has a dedicated Incident Response team that’s specially trained to respond to cyber threats and ensure that your business remains up and running through any situation. Through careful selection of your eCommerce platform, you can inherit a solution that’s built with security in mind.


All this, and the eCommerce website cost is affordable, too.


02. Use HTTPS


Secure Sockets Layer (SSL) is a type of encryption that helps to protect data as it's transmitted over the internet. In other words, when a user enters his or her payment information into your checkout page (as an example), an SSL-certified site will encrypt the data as it’s being passed between browsers, making it more difficult for hackers to intercept information.


Websites that are SSL-certified are displayed as “https” in the URL. This signals to your buyers that the information they enter onto your website is being processed securely. All Wix sites are served over HTTPS by default, giving you and your customers peace of mind.



03. Promote strong passwords


It’s not uncommon for site visitors to reuse usernames and passwords, or to simply get lazy with their passwords. If you offer loyalty programs or subscriptions that require members to create an account on your site, make sure to stress the importance of a strong password.


Require customers to create complex passwords. Provide examples and specific criteria for a strong password (e.g., require a mix of letters, numbers, and symbols—and discourage easy-to-guess words like "password").


Within your own team, make sure to create unique, complex passwords for any accounts connected to your online store. This includes your hosting account, domain registrar, and payment processors. Turn on 2-step verification from your Wix account for optimal security.



04. Do not hoard user data


While it may be tempting to collect information on your users just in case you might need it, you should only collect data that’s needed to complete a transaction. This reduces the amount of sensitive data that you have on hand in the event of a security breach.


Moreover, you should never store a customer’s credit card data on your servers, with the exception of recurring payments. Storing credit card numbers is a big liability and there is a lot of red tape to be aware of, as detailed by the Payment Card Industry Data Security Standard.


Note: all Wix sites are compliant with the highest PCI standards (PCI DSS Level 1) by default.



05. Closely control admin rights


As your business grows, your team will inevitably grow as well.


As more and more people get involved on your site, award admin rights to your account sparingly. Avoid giving admin access to team members who may not really need it lest you leave your site more vulnerable to attacks.



three examples of website roles and permissions


Consider writing a security policy for site admins to follow. This should outline things like how to create a strong username, how to choose a strong password, and how to detect phishing attempts.


Cybercriminals are getting more sophisticated every day, exploiting any vulnerability they can find, including human anxiety. In 2020, Microsoft reported that cybercriminals were using COVID-19-themed phishing to trick people into giving up their personal information and credentials. Guard your team against these types of attacks via thorough, regular training.



06. Create website backups


If a security breach occurs, you’ll want to make sure that your site is backed up so that you can restore all of your data and site settings in their pure, untainted forms.


Many website builders like Wix eCommerce will automatically create backups of your site. If you’re not sure whether your site is backed up, check with your website builder or site developer.



07. Practice good plugin hygiene


As a best practice, we recommend regularly auditing your third-party apps and plugins. Check that you’re still using them and trust them with your store’s data. Do not let plugins stack up unnecessarily, and limit the number of parties that can access your site’s and customers’ data.



Create a secure space with Wix eCommerce


With eCommerce sales expected to reach a record-breaking $1 trillion this year, it's no surprise that cybercriminals are increasingly targeting online stores.


Be proactive and take these simple steps to secure your site. And don’t forget—once you lose your customers' trust, it can be difficult to get it back. A recent study by Economist magazine estimates that a company loses 30% of its value when it loses customer trust. Conversely, an increase in trust leads to an increase in value.


If you're looking for a platform where you can create a secure online store, look no further than Wix eCommerce. Get all the tools and security you need to start selling today.




Allison Lee

Editor, Wix eCommerce


Allison is the editor for the Wix eCommerce blog, with several years of experience reporting on eCommerce news, strategies, and founder stories.


Wix eCommerce Expand your eCommerce reach
bottom of page