Running an ecommerce business is hard enough, even without having to deal with security threats.
Creating a secure environment for your customers is essential, but it’s particularly important at the moment, with money being tight and many choosing to shop online rather than risk in-person retail.
Ecommerce security isn’t just about protecting your customers, of course. A security breach could cost your business money, or risk serious reputational harm. In this guide, we’ll talk you through the main threats to be aware of, and how to keep your ecommerce business secure.
What are the Latest Ecommerce Security Threats?
Online stores are top targets for hackers because they have to manage a lot of sensitive customer information – including addresses, email, phone numbers, and bank information.
Broadly, there are two main types of ecommerce threat – those that try to trick customers, and those that try to steal information and money from stores. The two are quite different, and require different types of responses.
Ecommerce phishing sites
These are the sites that try to trick customers into giving away their hard-earned money by pretending to be reputable.
Of course, these sites are nothing new. But, during the pandemic, the rates soared. 84 million Americans were targeted with a phishing scam in the 12 months from October 2019 to October 2020, with the ecommerce industry reporting a 66% increase in phishing attempts over the same period. In 2022, phishing attacks continued to soar, highlighting that it's more important than ever to ensure that your business is protected.
Phishing sites will try and imitate yours, often using the same ecommerce hosting platforms that reputable businesses use. These sites often advertise heavily on Instagram and other social media platforms, before disappearing after only a couple of days. The domain names are always newly registered, and those registrants are normally hidden or anonymized.
E-skimming, sometimes known as Magecart, is a relatively new phenomenon – but its premise is pretty old-hat.
Hackers develop malware designed specifically to infect ecommerce websites. The malicious code sits behind the checkout page and collects everything that customers enter there. That could be anything from credit card details to addresses, phone numbers, emails, and passwords.
This malware can be hard to detect, and will hang around for a long time. In November 2021, Sansec Threat Research reported on a malware attack that deployed Linux backdoors by exploiting weaknesses in ecommerce portals specifically.
Worse, the research team only pinpointed the problem after one merchant reached out to them because two other forensic companies couldn't fully uncover the malware plaguing his store.
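As an added illustration (not from the original article or from Sansec), the script below shows one defensive check against e-skimming: it lists every script a checkout page loads, flags any served from a host outside a first-party/payment-provider allowlist, flags third-party scripts that lack a Subresource Integrity hash, and builds the matching Content-Security-Policy script-src directive. The hostnames and the sample checkout HTML are constructed for the example.

```python
"""Audit a checkout page's <script> tags as a defence against e-skimming."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the store's own host and its payment provider.
# In practice this comes from the store's build manifest, not from guesswork.
PAGE_HOST = "shop.example.com"
ALLOWED_SCRIPT_HOSTS = {PAGE_HOST, "js.payment-provider.example"}

# Constructed sample: one relative first-party script, one pinned provider
# script, one unexpected third-party tag, and one inline script.
SAMPLE_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v3.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.analytics-example.net/tag.js"></script>
<script>window.__cfg = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every <script> tag, in page order."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), "integrity" in a))


def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, page_host=PAGE_HOST):
    """Return a list of (finding, src) tuples for scripts that need review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_integrity in parser.scripts:
        if src is None:
            # Inline JS on a checkout page is exactly what a skimmer injection
            # looks like, so every inline block is reported for review.
            findings.append(("inline-script", None))
            continue
        host = urlparse(src).hostname or page_host  # relative src = same origin
        if host not in allowed_hosts:
            findings.append(("unknown-host", src))
        elif host != page_host and not has_integrity:
            findings.append(("missing-sri", src))   # third-party script not pinned
    return findings


def csp_script_src(allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Build a CSP script-src directive so browsers refuse scripts from elsewhere."""
    return "script-src 'self' " + " ".join(f"https://{h}" for h in sorted(allowed_hosts)) + ";"
```

Run the audit on every deploy of the checkout page, and serve the generated directive as a Content-Security-Policy header so that a script injected from an unlisted host is blocked by the browser rather than merely logged.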
Many small ecommerce businesses choose to use open-source software, and that’s easy to understand. After all, it’s cheap (even free), and can be modified easily to suit their needs.
However, because open-source software is available to everyone, it brings security risks to your company. The number of open source attacks aimed at software supply chains increased a shocking 650% in 2021, according to a Sonatype report. What’s more, the most popular project versions were most vulnerable, with 29% home to “at least one known security vulnerability,” compared to just 6.5% of the less popular projects.
With open-source software issues taking an average of 54 days to be fixed, there is often ample time for hackers to exploit your company’s momentary weakness.
Plugins are often free, which makes them attractive to small ecommerce sites — WordPress, for example, has a host of plugins available which can help boost your site’s SEO performance or offer new features.
However, researchers at Sucuri regularly find bogus WordPress plugins which can cause serious grief for website users. Some redirect users to malicious sites, while others allow hackers to inject files straight into WordPress sites without the owner realizing. These could allow for skimming, or other criminal activities.
Ransomware was one of the most prevalent threats to any business in 2022, let alone ecommerce operations.
The premise is simple – hackers gain access to a business’s computer system or network, and then lock or encrypt files so that the business can’t access them. The attackers then charge a ransom to decrypt the files.
Businesses are attacked by ransomware every 11 seconds, on average, according to a 2021 Cybersecurity Ventures report – which is considerably more frequent than in 2016, when it was every 40 seconds.
While it's certainly lacking in the design department, here's what a ransomware attack might look like on your device:
Use SSL and ensure that you are PCI compliant
An SSL certificate authenticates your website to visitors and enables an encrypted connection between the customer’s browser and your site. It’s an important trust signal for customers, too. Most website builders and ecommerce platforms actually come with an SSL certificate for your site, so you don't have to worry about getting one yourself. Large hosting providers will also help to make sure that your site has an SSL certificate.
PCI compliance, meanwhile, is essential for ecommerce businesses. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies process, store, and transmit credit card information in a secure environment. You’ll need to maintain firewalls and antivirus protections, protect passwords, protect cardholder data, encrypt any data you’ll be transmitting, and limit cardholder information to only those people who need to see it.
You’ll also need to restrict physical access to any sensitive cardholder information by keeping it in a secure location, as well as maintaining access logs of the people who look at it, and regularly scanning and testing for security vulnerabilities.
Ensure that you regularly purge customer data
You might be tempted to hold onto customer data indefinitely – what difference does storing details for two days make compared to two years if it all gets stolen?
However, by regularly removing old customer data, you’re limiting your business’s risk should there be a security breach.
Ensure strong passwords
Your weakest link might be your customers. If a customer’s details get leaked by hackers – which happens more often than you’d care to think – then those hackers could use that information to commit widespread fraud. You should ensure that your customers are using strong passwords and changing them regularly.
You should also get your employees to choose strong passwords and change them regularly, to prevent your internal systems from being compromised. You should also look to set up two-factor authentication for customers and employees.
Many ecommerce website builders support password protection for customers as well as employees — Webflow offers per-page password protection, for example. But not all builders will offer what you need. A good password manager can easily help with that. Here's what your average password manager looks like, although many offer browser plug-ins for easy input.
Select a secure ecommerce platform
Using a hosted ecommerce platform is a great way to ensure that your site’s security is top-of-the-line. Providers such as Wix, Shopify, or Squarespace have far greater security resources at their disposal than your business is ever likely to have – and by using one of these platforms, you’ll be keeping your site secure.
These platforms aren’t open-source, meaning that there is less chance that you’ll encounter the same security risks that you’d get with WordPress.
Train your employees to be vigilant
Most security breaches happen as a result of human error – phishing breaches, for example, are almost always attributable to employees clicking a link in an email they didn’t realize was malicious.
Your employees should never give out sensitive information – whether it belongs to a customer or the business – over email or any other form of digital communication. You should always be looking to train and refresh your employees on information security.
Are You Using a Secure Ecommerce Platform?
Using a secure ecommerce platform is the easiest way to ensure your business’s online security. We’ve reviewed a host of ecommerce platforms here at Tech.co, and all of them offer exceptional security, with PCI compliance and SSL security.
What’s more, by choosing a platform such as Wix or Shopify, your online business will be constantly updated to cope with new and emerging threats, whereas open-source platforms might not be updated as regularly.
Password protections are a common security feature on the top ecommerce platforms, while other benefits may be specific to each one. Shopify offers support for customer logins, although Wix does not. At the same time, Wix lets users create a members area of a website, while Shopify does not.
However, that’s not to say that using a secure, hosted ecommerce platform will keep you safe forever. You will still need to be diligent in controlling your customer data, and who has access to it.
If you’re currently using an open-source, self-hosted ecommerce platform, we would recommend switching. If you're not sure which platform to switch to, we've compared all the best ecommerce options against each other over here to help you decide.
The security benefits are plentiful, but you’ll also gain access to more advanced analytics and marketing features – particularly automation features – which could save you time and make you a lot more money.
Final Thoughts — Improving Your Ecommerce Security
Improving your ecommerce security is remarkably easy – but perhaps even more remarkable is how many businesses aren’t fully secure.
Choosing a top hosted ecommerce provider will do a lot to improve your ecommerce security at a stroke. However, being diligent and vigilant about the information you keep and what you send out will also stand your business in very good stead.