The more e-commerce goes mainstream, the more security challenges emerge. Here are nine steps to take to protect your e-commerce store from bad actors.

Kaartik Iyer, chief solution architect and CEO, Infigic

Worldwide e-commerce sales grew from 1.3 trillion dollars in 2014 to 2.8 trillion dollars in 2018, a 115% increase. System vulnerabilities, and the risks that come with them, have been growing just as quickly.

No matter what level of security you have for your e-commerce store, in-house or outsourced, it never hurts to know the basics of e-commerce store security.

Here’s a 9-point checklist to keep your e-commerce store secure and give your customers a pleasant, peace-of-mind experience:

1. Take Daily Backups

Don’t assume that something as basic as a daily backup is being taken care of; fix clear responsibilities and a schedule for it. Hosting companies offer different plans to give you more choice, and one of those choices is who is responsible for the daily backup, you or the hosting company.


If you’ve chosen to take backups yourself, set a routine for it. Best practice is to schedule backup scripts that run automatically every day.

These backups can also be copied to your Dropbox account or Google Drive, giving your e-commerce store a three-tier backup layer. This simple yet critical step makes sure nothing slips through the cracks.

2. Enable HTTPS

Today an increasing number of websites are opting for HTTPS; for e-commerce stores, of course, it’s the standard. SSL/TLS certificates add a security layer to your website and safeguard your customers by keeping their data protected at all times. The ‘S’ in HTTPS stands for ‘Secure’: data moving between your users and your web server is encrypted, which prevents a third party from intercepting it in transit.

HTTPS is so widely recognized that many shoppers will avoid buying from your store if they don’t see it in your URL. Another advantage of shifting from HTTP to HTTPS is a boost in your Google rankings.

3. Protection against XSS attacks

It’s interesting that although cross-site scripting attacks are not highly advanced, a lot of sites fall prey to them. Commonly referred to as XSS attacks, they can seriously compromise the security of your e-commerce store and even lead to identity theft.


A few lines of JavaScript injected by the attacker are served to the user’s browser as part of your page and run there, which gives the attacker access to the user’s cookies. Input validation and output escaping are the two defences against this threat; which one matters most depends on the exact nature of the threat.

This is a little technical, so if you are not a developer, get in touch with an e-commerce security expert to help you out.
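The two defences named above, output escaping and input validation, applied to a product review before it is rendered into a page. This is an added example, not code from the article or from any store platform; the review record and the script fragment it contains are constructed for the demonstration.

```python
"""Added example: rendering a product review unsafely versus with output
escaping and input validation (not code from the article or any platform)."""
import html
import re

# Constructed sample: a review submission containing a script tag. It is inert
# here; it only shows what an unescaped template would hand to the browser.
SAMPLE_REVIEW = {
    "author": "mallory",
    "rating": "5",
    "body": "Great phone! <script>alert(document.cookie)</script>",
}


def render_review_unsafe(review):
    # Vulnerable: user-controlled text is concatenated straight into the HTML,
    # so any script tag in the review runs in every visitor's browser.
    return f"<p><b>{review['author']}</b> ({review['rating']}/5): {review['body']}</p>"


def is_valid_rating(value):
    # Input validation: a rating is exactly one digit from 1 to 5, nothing else.
    return re.fullmatch(r"[1-5]", str(value)) is not None


def render_review_safe(review):
    # Output escaping: every untrusted field is HTML-escaped at the point it is
    # written into the page. html.escape also escapes quotes, so the result is
    # safe inside attribute values. This is correct for HTML text and attribute
    # context only; a value placed inside a <script> block or a URL needs the
    # escaping rules of that context instead.
    if not is_valid_rating(review["rating"]):
        raise ValueError(f"invalid rating: {review['rating']!r}")
    return (f"<p><b>{html.escape(review['author'])}</b> "
            f"({int(review['rating'])}/5): {html.escape(review['body'])}</p>")


def contains_script_tag(rendered_html):
    # Crude check to run over rendered pages: a literal <script tag that the
    # template itself never emits means untrusted input reached the page raw.
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe :", render_review_unsafe(SAMPLE_REVIEW))
    print("escaped:", render_review_safe(SAMPLE_REVIEW))
```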

4. Ensure you don’t have default settings

The default settings of your Magento or WooCommerce e-commerce store can create serious vulnerabilities. The problem can arise when you are running specific software alongside the e-commerce code. One of the most common lapses is leaving files writeable by any user. Another common reason your site could be at risk is keeping the username “admin”: it makes it far too easy and predictable for hackers to get into your system.
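Both lapses above can be checked mechanically. The following is an added example, not the article’s or any platform’s own code; it assumes a POSIX file system, a hypothetical list of predictable admin usernames, and builds its own throwaway web root to scan.

```python
"""Added example: find world-writable files under a web root and flag admin
accounts with predictable names (not code from the article or any platform)."""
import os
import stat
import tempfile

# Assumed list of usernames an attacker would guess first.
PREDICTABLE_ADMIN_NAMES = {"admin", "administrator", "root", "test"}


def find_world_writable(root):
    """Return paths under root that any user on the host may write to."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # Symlinks report 0o777 on most systems; check the target instead.
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def predictable_admin_accounts(accounts):
    """accounts maps username -> list of roles; return risky admin names."""
    return sorted(name for name, roles in accounts.items()
                  if "administrator" in roles
                  and name.lower() in PREDICTABLE_ADMIN_NAMES)


def build_demo_webroot():
    """Constructed sample: a tiny web root with one deliberately bad file mode."""
    root = tempfile.mkdtemp(prefix="store-")
    for rel_dir in ("app", "var/cache"):
        os.makedirs(os.path.join(root, rel_dir))
    # Fix directory modes explicitly so the result does not depend on umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    files = (("app/config.php", 0o640), ("var/cache/page.dat", 0o666),
             ("index.php", 0o644))
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("constructed placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print("world-writable:", find_world_writable(build_demo_webroot()))
```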

5. Use SFTP instead of FTP

The traditional way to upload files from your computer to the web server is the File Transfer Protocol (FTP). FTP sends both your files and your login credentials unencrypted, so the transfer is prone to interception. That’s why it makes sense to use an encrypted alternative, the secured version called SFTP, which runs over SSH.

SFTP not only protects your files from being compromised but also protects your login credentials while the upload is happening.


6. Remove outdated permissions

Often you need to give outside vendors access to the back end of your website for tinkering, repairs or add-ons, or an employee working on key areas of your web server holds administrative access rights. After the vendor finishes the work, or the employee moves to another department or leaves the organization, it is easy to forget to change the access levels. That leaves the store open to unintentional vulnerabilities.

This is more a slip than a fault. Change or revoke the credentials as soon as an outside vendor or an employee is no longer associated with the task.

7. Trusted third-party extensions and themes

It is often economical to use third-party extensions and themes for your e-commerce store, but it is only safe to use officially supported versions. For instance, Magento, the extremely popular open-source e-commerce system, maintains an official Magento Marketplace with thousands of themes and extensions you can trust.

Themes and extensions that are widely available, often for free, may carry hidden back doors through which hackers can slip in and destroy your e-commerce store.

8. Malware Protection

Ironically, your customers are often the first to tell you about a malware infection, when they spot the big red warning in their browser. By then you never know how much damage has already been done or how many hundreds or thousands of dollars in sales you have lost because the malware warning scared away potential customers.


It’s best to use the services of experienced and competent e-commerce development and security experts who can provide malware scanning and detection services. They have your back, and you can focus on growing your business without worrying about such threats.

9. Web application firewall

A web application firewall is essentially your main line of defense against cyberattacks. It is the shield that sits between your website and visitors with nefarious intentions.

Apart from protecting your e-commerce store against SQL injection and other intrusions, a web application firewall can also help fight DDoS attacks.

Infigic, based in India, is a mobile app and web development company focusing on e-commerce development and security.