Getting started Tips for web professionals

Small businesses: 9 tips to secure your e-commerce website

A computer floating on a pedestal as though in a museum, in a glass case, surrounded by laser security, representing a highly secure e-commerce site

E-commerce is constantly expanding. Each year, more and more transactiions take place on e-commerce websites, which in turn also attracts attention from data thieves. Cyberattacks are proliferating on e-commerce websites because of the financial transactions that take place there and the customer data available there. That’s why security is a major issue for e-commerce website owners. In this article, learn about the most common threats and the ways that you can counter them and secure your e-commerce website.

What threats do e-commerce websites face?

There are many methods used by hackers to get ahold of user and financial transaction data. It’s important to know the most common cyberattacks in order to protect yourself. Here are the most common threats that your e-commerce website might face.

Distributed Denial of Service attacks (DDoS)

A DDoS attack aims to overwhelm a website by sending an excessive volume of traffic so as to block the website from working and render it unavailable. These attacks may come with a ransom request, but can also be combined with other attacks to meet various other goals.

SQL Injection

A SQL injection attack is used by hackers to collect your customers’ personal data, such as their ID and bank information. The thief inserts their SQL code in an online submission form or another data entry point in order to access the data backend of your website, thereby circumventing your security measures.

XSS Attack

An XSS attack, otherwise known as Cross-site scripting, consists of injecting malicious code in a website in order to redirect users. The hacker can then spy on and take over customer user accounts on a website in order to get ahold of their personal data.

Brute force attack

The goal of a brute force attack is to access the user or admin account of a website by trying to “guess the password.” This attack, relatively old and simple, has evolved over the years and today hackers use tools that automate attacks using data stolen from databases via SQL injection attacks for example (check to see if your password has been compromised).

How to maximally secure your e-commerce website

1. Choose a secure hosting provider

The cyberattacks we previously mentioned can be directed towards your e-commerce website but might also directly target your hosting provider. For this reason, the first step to securing your e-commerce website is the choice of the platform that hosts it. You can choose a proprietary CMS or an open-source one. These two are very different solutions.

In terms of security, a proprietary CMS will usually handle securing your website, while an open-source CMS leaves you free to secure you site yourself. Get the facts before you make a decision, however, we recommend you use an open-source CMS like WordPress, the most widely used CMS in the world.

In any case, we recommend you choose a well known and reputable platform as it will have a larger community of developers working on it.

2. Install an SSL certificate

An SSL certifiate (Secure Socket Layer) is an electronic certificate that enables you to protect your customers’ sensitive data. It ensures that data transferred between a website and its users are encrypted using encrypted algorithms.

A website protected by an SSL certificate is easily identifiable by the small lock icon next to the URL in your browser. This certificate serves to strengthen your website’s security, but it also makes it possible to ensure a certain level of trustworthiness to your customers, especially when it comes to making purchases on your e-commerce website while ensuring the security of their data and transactions.

Since we believe online security is of the utmost importance, every Gandi hosting instance comes with a free SSL certificate for the first year.

With Gandi, Pack Hosting + domain name =

free SSL + 2 email accounts with 3 GB of storage each

3. Use two-factor authentication

Implementing two-factor authentication makes it possible to increase the security of your login when you log in to your admin interface, but also when your customers log in to your website. This is critical for blocking hackers from accessing your admin space as well as your customers’ information and payments.

Also referred to as multi-factor authentication, this form of authentication combines the use of a password with another form of authentication. That way, if a hacker manages to get ahold of your password, they’re still blocked from logging in by this second authentication factor.

Once you enter your password, the second factor can take one of several forms: an app on your mobile device that provides a code that you need to enter to confirm your login, an SMS with a code to enter that you receive at a particular phone number, a digital fingerprint, or face ID.

This step certainly adds an additional step in the purchasing process, but it enables you to secure your transactions and protects your customers. As for two-factor authentication, consider adding a message that assures your customers of the security of their transactions and data. That way you protect your e-commerce website from hackers and reassure your customers at the same time.

The majority of the time, your customers’ banks also implement additional, enhanced authentication when making bank payments.

4. Make regular updates

The same way that hackers are constantly developing new techniques to find security flaws, developers of CMSes, plugins, and other tools constantly improve the security of these tools.

For this reason, platforms, software, plugins, etc. are regularly updated in order to correct bugs and improve security for users. However, these updates are not always automatic. It’s important, then, to regularly verify that all your tools are updated, and, if not, update your CMS, your software, and your plugins in order to ensure they are still secure and are not obsolete.

5. Choose your e-commerce site’s plugins carefully

The majority of CMSes offer the possibility to install your e-commerce site’s plugins to add features. We recommend you verify the reliability of plugins before you install them. To do that, look up the date and the reputation of plugins, their compatibility with your CMS, and how regularly the plugins are updated. This will ensure you can trust the reliability of the plugins that you install in order to mitigate any possible bugs.

6. Install security plugins

Plugins exist on CMSes to optimize different aspects of your e-commerce website’s security. In particular, on WordPress, the Wordfence Security plugin is very efficient and particularly popular with users. In particular, this multi-task secuirty plugin makes it possible to implement two-factor authentication, block spam, analyze your e-commerce site to protect it from malicious code and protect you from brute force attacks.

Analyzing your website in order to identify security flaws that could be exploited by hackers is a critical element of securing your e-commerce website. Security plugins like Wordfence Security make this analysis easier.

7. Create complex passwords

We recommend creating complex passwords to not make it too easy for hackers to compromise them. Here are a few tips for picking a password that’s hard to crack.

  • Aim for length: your password should be as long as possible (12+ characters)
  • Vary the characters: your password should include numbers, special characters, uppercase, and lowercase letters
  • Don’t use obvious passwords: avoid birthdays, first names, last names, addresses, etc., and try to use random words
  • Create a password you’ll be able to remember: your password should be easy to remember and shouldn’t be saved in your phone or in a file on your computer, as this will increase the chances your password will be found
  • Don’t use the same password multiple times: Use different passwords for every website. That way, if your passwords are discovered, the others will still be safe

You can use secure password managers to ensure you have a unique, complex password for each website as well. But you can also use it to store user names as well as passwords in an encrypted file that is itself password protected. That way, you only have one password to remember—the one for the password manager.

Choose a password manager that isn’t online. Even if that’s slightly less practical, it will be more secure. We recommend either KeePass or KeyChain.

8. Be sure to secure your computer

Your computer can also be a source of website compromises. A hacker that manages to infect your personal computer with malicious software will be able to access information stored on it to gain access to your website and take it over too. We recommend protecting the computer on which you connect to your admin interface. For that, there are a few security rules you should be sure to follow when you use your computer.

  • Install a firewall and an anti-virus and update them regularly
  • Update your computer and your web browser when necessary
  • Don’t log in on dangerous websites, and don’t download files that are not secure
  • Don’t connect to public wifi, or use a VPN when you do
  • Don’t click on links in emails, if a vendor tells you to renew a subscription, log in to that provider’s interface to check whether you have to renew it but don’t click on the link in the emails

9. Back up your website

Even though by now you’ve increased the security of your website through various methods, there will always still be some risk that it will be compromised. Total security is never possible. In case all the precautions mentioned above fail and you get hacked, making regular backups will be a life saver. Why, do you ask?

If your e-commerce website has a bug and is compromised, you can quickly bring it back online with backups by restoring the last backup of your site from before the problem without losing data.

In addition, beyond site compromise, backing up your site can also save you from errors you might make. Sometimes even a small mistake can set you back hours of work. You can return to the previous back up and avoid losing all your work.

There are plugins that make it possible to easily back up your website, in particular UpdraftPlus on WordPress. However, we suggest also making several back ups. Keep one on your CMS, but make copies on your computer or on external harddrives.


With the growth of cyberattacks, the security of your e-commerce website should be an absolute priority. Just like a physical store uses security guards, cameras, a gate, etc., it’s essential to provide your e-commerce website with the best security possible to protect from cybercrime. Implement the 9 tips described in this article, and protect your site and your customers from cyberattacks!