SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration
SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration

Running an e-commerce site means handling sensitive customer data — names, addresses, and payment details — every single day. A single breach can cost you customer trust, regulatory fines, and significant revenue. This checklist is designed for developers, technical managers, and business owners who want a concrete, actionable roadmap to securing their online store from the ground up.

01

Enable and Enforce HTTPS Everywhere

HTTPS is the absolute baseline for any e-commerce site. It encrypts data in transit, protects customer sessions, and is required by all major payment processors. Every single page — not just checkout — must be served over HTTPS.

  • Obtain and install a valid TLS certificate (Let's Encrypt is free and widely supported).
  • Redirect all HTTP traffic to HTTPS with a 301 permanent redirect at the server level.
  • Enable HTTP Strict Transport Security (HSTS) with a long max-age value (at least 31536000 seconds) to prevent downgrade attacks.
  • Disable outdated protocols: ensure SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are disabled; use TLS 1.2 and TLS 1.3 only.
  • Use strong cipher suites and disable weak ones such as RC4 and 3DES.
  • Verify your certificate covers all subdomains used by your store (consider a wildcard or multi-domain cert).
  • Set up automated certificate renewal to prevent unexpected expiry — Sensagraph continuously monitors certificate validity and expiry dates.
02

Secure Your Payment Processing

Payment data is the most sensitive information your store handles. Mishandling it exposes you to PCI-DSS penalties, chargebacks, and irreparable reputational damage. The safest approach is to never let raw card data touch your servers.

  • Use a PCI-DSS Level 1 compliant payment gateway (e.g., Stripe, Braintree, PayPal) to handle card data off your servers.
  • Never store raw card numbers, CVV codes, or magnetic stripe data in your database or logs.
  • Implement tokenization — store payment tokens provided by your gateway, not actual card details.
  • Use 3D Secure (3DS2) for additional authentication on high-value transactions.
  • Restrict access to payment logs and transaction records to only those who operationally need them.
  • Regularly review your PCI-DSS Self-Assessment Questionnaire (SAQ) to confirm ongoing compliance.
  • Display payment security badges and seals (only from legitimate certification bodies) to build customer trust.
03

Protect Against Injection and Cross-Site Scripting (XSS) Attacks

Injection attacks — including SQL injection and XSS — are among the most common and damaging threats to e-commerce platforms. Attackers use these to steal session cookies, exfiltrate customer data, or take over admin accounts.

  • Use parameterized queries or prepared statements for all database interactions — never concatenate user input into SQL queries.
  • Validate and sanitize all user inputs (search fields, coupon codes, addresses, contact forms) on both client and server side.
  • Encode all output rendered in the browser, especially user-generated content such as reviews and product names.
  • Implement a Content Security Policy (CSP) header to restrict which scripts can execute on your pages.
  • Audit all third-party scripts and plugins loaded on your store — malicious or compromised third-party code is a major vector (Magecart attacks).
  • Use Subresource Integrity (SRI) hashes for externally loaded scripts and stylesheets.
  • Regularly scan your application for XSS and injection vulnerabilities — Sensagraph automatically tests for common injection flaws on every scan.
04

Harden Authentication and Access Control

Weak authentication is one of the most common entry points for attackers. Admin panel takeovers, credential stuffing, and brute-force attacks are frequent against e-commerce platforms. Locking down access is critical.

  • Enforce strong, unique password requirements for all accounts — minimum 12 characters, mixing letters, numbers, and symbols.
  • Enable Multi-Factor Authentication (MFA) for all admin, staff, and high-privilege accounts — make it mandatory, not optional.
  • Move your admin login URL from the default path (e.g., /admin or /wp-admin) to a non-obvious custom URL.
  • Implement account lockout or progressive delays after repeated failed login attempts to block brute-force attacks.
  • Apply the principle of least privilege — each role (store manager, fulfillment, marketing) should only access what they need.
  • Audit and remove inactive admin or staff accounts regularly.
  • Log all admin login events, including IP address, timestamp, and success/failure status.
  • Force re-authentication before sensitive actions such as changing email, password, or payment settings.
05

Keep All Software and Dependencies Updated

Outdated CMS platforms, plugins, themes, and server software are the primary source of exploitable vulnerabilities in e-commerce environments. Attackers actively scan for known, unpatched versions.

  • Enable automatic security updates for your operating system (e.g., unattended-upgrades on Ubuntu).
  • Keep your CMS (WooCommerce, Magento, Shopify apps, etc.) and all plugins/extensions updated to the latest stable version.
  • Remove unused, inactive, or unsupported plugins and themes immediately — they are attack surface even when disabled.
  • Subscribe to security advisories from your CMS vendor, hosting provider, and key plugin developers.
  • Maintain an inventory of all software components and their versions — this makes it faster to respond when a vulnerability is disclosed.
  • Use a dependency management tool (Composer, npm, pip) and run audits (e.g., npm audit, composer audit) regularly.
  • Sensagraph continuously checks your site's exposed software versions against known vulnerability databases.
06

Implement and Verify Security Headers

HTTP security headers are a fast, low-effort way to significantly harden your site against common browser-based attacks. Many e-commerce sites neglect them entirely, leaving obvious doors open.

  • Content-Security-Policy (CSP): Define which sources can load scripts, styles, images, and frames. Start in report-only mode to avoid breaking your site.
  • Strict-Transport-Security (HSTS): Force browsers to always use HTTPS for your domain. Use max-age=31536000; includeSubDomains; preload.
  • X-Frame-Options: Set to DENY or SAMEORIGIN to prevent clickjacking attacks on your checkout pages.
  • X-Content-Type-Options: Set to nosniff to prevent MIME-type sniffing attacks.
  • Referrer-Policy: Use strict-origin-when-cross-origin to limit what URL information is shared with third parties.
  • Permissions-Policy: Disable browser features your site doesn't need (camera, microphone, geolocation).
  • Remove or suppress server version disclosure headers such as X-Powered-By and Server.
  • Sensagraph automatically audits all security headers on every scan and flags missing or misconfigured ones.
07

Protect Against Bots, Fraud, and Abuse

E-commerce sites are prime targets for automated abuse: credential stuffing, card testing, fake account creation, and inventory hoarding. Robust bot and fraud controls protect both your business and your genuine customers.

  • Implement CAPTCHA (e.g., hCaptcha, Google reCAPTCHA v3) on registration, login, and checkout forms to block automated bots.
  • Apply rate limiting on login endpoints, password reset, and checkout APIs to slow down automated attacks.
  • Use a Web Application Firewall (WAF) — either at CDN level (Cloudflare, AWS WAF) or server level — to filter malicious traffic.
  • Monitor for card testing patterns: many low-value transactions in quick succession from the same IP or device.
  • Flag and manually review orders that match high-risk patterns: mismatched billing/shipping addresses, unusual order volumes, or new accounts making high-value purchases.
  • Implement fraud scoring through your payment gateway or a third-party fraud prevention service.
  • Block or challenge traffic from known malicious IP ranges using threat intelligence feeds.
08

Protect Customer Data and Privacy

Beyond payments, your store collects names, addresses, phone numbers, and purchase histories. Protecting this data is both an ethical responsibility and a legal requirement under regulations like GDPR, CCPA, and others.

  • Encrypt sensitive data at rest in your database — especially personally identifiable information (PII) and payment-related fields.
  • Apply the principle of data minimisation — only collect information you genuinely need to process orders.
  • Define and enforce a data retention policy: delete or anonymize customer data you no longer need.
  • Publish a clear, accurate privacy policy that explains what data you collect, why, and how customers can request deletion.
  • Obtain explicit, informed consent before adding customers to marketing lists.
  • Ensure any third-party tools you use (analytics, chat, email marketing) are configured to comply with your privacy obligations.
  • Have a documented data breach response plan: know who to notify, how quickly, and what steps to take to contain a breach.
09

Secure Your Server and Infrastructure

Your underlying server and infrastructure configuration directly impacts the security of your store. Misconfigurations at this level can expose sensitive files, enable unauthorized access, or facilitate data exfiltration.

  • Disable directory listing on your web server to prevent attackers from browsing your file structure.
  • Restrict access to sensitive files and directories (e.g., .env, wp-config.php, /admin) via server configuration rules.
  • Close all unnecessary open ports — only expose ports 80 and 443 publicly; restrict SSH to known IP addresses or VPN.
  • Use SSH key-based authentication and disable password-based SSH login entirely.
  • Isolate your database server from the public internet — it should only be accessible from your application server.
  • Configure regular automated backups of your database and files; store backups in a separate, access-controlled location.
  • Test your backup restoration process at least quarterly to confirm backups are actually usable.
  • Implement server-side logging and ship logs to a centralised, tamper-resistant location.
10

Monitor Continuously and Respond to Threats

Security is not a one-time task — it's an ongoing process. Without continuous monitoring, breaches can go undetected for weeks or months, dramatically increasing the damage. Build visibility and response capability into your operations.

  • Set up real-time alerting for critical events: admin logins from new locations, large data exports, mass account lockouts.
  • Monitor your site's uptime and performance — sudden unexplained drops can indicate a DDoS attack or compromise.
  • Regularly review access logs for unusual patterns: unexpected admin access times, bulk data requests, or unfamiliar IP addresses.
  • Subscribe to vulnerability disclosure notifications for all software you use so you can patch quickly when new CVEs are published.
  • Run automated security scans on a continuous basis — Sensagraph scans your site automatically and alerts you to new vulnerabilities as they emerge.
  • Conduct at least one manual penetration test per year, especially after major site changes or new feature launches.
  • Maintain and regularly test an incident response plan so your team knows exactly what to do if a breach occurs.

Frequently asked questions

Security scanning should be continuous, not periodic. Threats and vulnerabilities emerge daily, and a weekly or monthly scan leaves significant windows of exposure. Use automated scanning tools that check your site constantly and alert you in real time when new issues are detected.

Yes, but the scope of your compliance obligations is significantly reduced. Using a fully hosted payment gateway (where card data never touches your servers) means you likely only need to complete a Self-Assessment Questionnaire (SAQ A or SAQ A-EP), rather than undergoing a full audit. However, you are still responsible for the security of your website, especially ensuring no malicious scripts can intercept payment data (Magecart-style attacks).

A Magecart attack involves injecting malicious JavaScript into an e-commerce site to silently skim payment card details as customers type them. Protection involves: auditing and minimising third-party scripts, implementing a strict Content Security Policy (CSP), using Subresource Integrity (SRI) checks for external scripts, and continuously monitoring for unexpected script changes on your checkout pages.

No. An SSL/TLS certificate encrypts data in transit, which is essential, but it is only one layer of security. You also need to address application-level vulnerabilities (XSS, SQL injection), access control, server hardening, payment security, software updates, and ongoing monitoring. Think of HTTPS as the floor, not the ceiling.

Act quickly: (1) Take the affected site or pages offline or into maintenance mode to prevent further data exposure. (2) Notify your hosting provider and payment processor. (3) Preserve logs — do not delete anything. (4) Identify the attack vector and patch it before going back online. (5) Notify affected customers and, depending on your jurisdiction and the data involved, notify regulators within the legally required timeframe (e.g., 72 hours under GDPR). (6) Conduct a post-incident review to prevent recurrence.

Change the admin URL from the default path to something non-obvious. Enable MFA for all admin accounts without exception. Restrict admin access by IP address if possible. Set up alerting for every admin login. Apply the principle of least privilege so team members only have access to what their role requires. Audit admin accounts regularly and remove any that are inactive or no longer needed.