
Ecommerce Website Security Strategy for the Holiday Season

As the shopping season approaches again, we would like to give you some helpful tips for running an ecommerce site and avoiding becoming the target of an attack. Due to the pandemic, more people than ever are spending their time shopping for gifts online. Global e-commerce sales are expected to reach $4.2 trillion by the end of 2021. However, the increase in online shopping is accompanied by an increase in online attacks. These attacks threaten not only the consumer, but especially the online business.

Types of e-commerce attacks

The types of attacks faced by websites keep increasing in complexity and frequency. In my previous article, I talked about the types of attacks that occur on websites. This article will take a closer look at the most common attacks targeting online holiday shoppers.


A distributed denial of service (DDoS) attack affects a site by sending a large amount of bogus traffic, typically generated by botnets, that overloads server resources and takes the site offline. To determine whether you are under a DDoS attack, you will need to identify traffic spikes and determine whether each sudden spike is organic or not.

It is important to note that some bot traffic is of the “right type”: search engines like Google regularly crawl and index web pages, and SEO tools do the same. These bots generally have no negative impact on a site. Traffic spikes also don’t always equate to a DDoS attack, as even an influx of traffic from legitimate visitors over a period of time can temporarily take a site offline. In e-commerce, for example, if a product launch goes live and there are not enough server resources, or no CDN, to help alleviate the load on the hosting server, the resulting outage would not be considered a DDoS attack.
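A first triage of traffic spikes from an access log can look like the sketch below, which is an added example and not code from the original article. The log lines are constructed (documentation IP ranges), and the `factor` and `per_client_limit` thresholds are assumptions to tune per site; the label is a signal for further review, not a verdict.

```python
import re
from collections import defaultdict
from statistics import median

# Client IP and timestamp truncated to the minute (common/combined log format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d+/\w+/\d+:\d+:\d+):')

def build_sample():
    """Constructed access-log lines, not real traffic."""
    def line(ip, minute, path):
        return (f'{ip} - - [24/Nov/2021:10:{minute:02d}:07 +0000] '
                f'"GET {path} HTTP/1.1" 200 512')
    lines = []
    for minute in range(10):          # steady baseline: 5 shoppers per minute
        lines += [line(f"198.51.100.{i}", minute, "/shop") for i in range(5)]
    # Minute 4: product launch, 40 different visitors with one request each.
    lines += [line(f"203.0.113.{i}", 4, "/launch") for i in range(40)]
    # Minute 8: only 3 clients, 30 requests each.
    lines += [line(f"192.0.2.{i % 3}", 8, "/cart") for i in range(90)]
    return lines

def triage_spikes(lines, factor=3.0, per_client_limit=10.0):
    """Return {minute: (requests, clients, label)} for minutes above factor x median."""
    hits = defaultdict(list)
    for raw in lines:
        m = LOG_RE.match(raw)
        if m:                         # unparseable lines are skipped
            hits[m.group(2)].append(m.group(1))
    baseline = median(len(ips) for ips in hits.values())
    report = {}
    for minute, ips in sorted(hits.items()):
        if len(ips) > factor * baseline:
            clients = len(set(ips))
            rate = len(ips) / clients  # requests per distinct client
            label = "concentrated" if rate > per_client_limit else "spread-out"
            report[minute] = (len(ips), clients, label)
    return report

if __name__ == "__main__":
    for minute, row in triage_spikes(build_sample()).items():
        print(minute, row)
```

A "spread-out" spike matches a launch or promotion but can also come from a large botnet, so it still needs a second look at paths, user agents and conversion behaviour.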

The best way to mitigate this attack is to monitor network activity, take the strain off the server by improving server capacity, implement a CDN as mentioned earlier, or add firewall protection, which will help to identify and block malicious requests. Ideally, it’s best to have both a CDN and a firewall in place, as a CDN on its own won’t be able to distinguish between good and bad requests.


Malicious redirects are scripts that have been injected into a site’s main files, database, theme, plugins, .htaccess, or anywhere really. They redirect a visitor to a place where they can be scammed or infected with malware, causing an online business to lose potential revenue. There are many methods of getting these scripts injected into a site, but we’ll see how to reduce the risk of this later.

SEO spam

SEO spam is similar to malicious redirects, but not to be confused with them; it can also divert e-commerce website traffic to places where visitors can be scammed. It is also called “spamdexing” and attempts to manipulate search indexes to include content they shouldn’t.

CC Skimmer

This type of attack, also known as “CC theft” or “skimming”, can be found in a database, main files, plugin/extension files and theme files. It is virtually unnoticeable to an online customer, as it captures the payment card data when the customer enters it and passes the stolen data to a hacker. We have seen this impact a lot of Magento, WooCommerce and other eCommerce site owners.


Defacements can be found mostly in index.php or theme files, and can potentially go hand in hand with ransomware, which we’ll cover later. A defacement will keep all traffic away from the site, and it is very obvious when this attack happens because these types of hackers basically want to make a name for themselves. This type of hacking can impact SEO rankings and add a site to a blacklist.


Ransomware is not specifically related to e-commerce, but it can be one of the most devastating types of malware for a business and has become a hot topic in recent years in infosec circles. This type of attack is associated with the defacement of a site and affects all files on the site, which is why we recommend having backups configured for your site. During the holiday season, this kind of attack would be even more devastating for an e-commerce site. It not only results in a loss of traffic and revenue on the site, but also means that the storefront is down for business. This forces business owners to pay twice in a short period of time to even get the site back.

Ransomware can also affect entire organizations internally. It has become crucial for businesses to learn about attack prevention best practices. It has even been listed under the FAC as a resource to help businesses reduce their risk of attack.

Build trust with your consumers

Whether you are the consumer or the online business, ensuring that sensitive information submitted through a site is protected and encrypted is the key to building trust. PCI compliance is also a requirement for all e-commerce websites. In recent years, SSL has played a central role in a business’s SEO ranking. An SSL certificate will encrypt information submitted to the site, ensuring that it will not be snooped on during transmission.

As someone who has spent countless years shopping online, I’ve become accustomed to the green padlock displayed in the left corner of an address bar, and if an online store doesn’t have one, I stay away. As an added bonus, some site owners may even add a “trust seal” from their security provider somewhere on their website, to show that they take their security seriously.

How to prevent an ecommerce attack

Being proactive against attacks should always be at the forefront of an ecommerce site owner’s mind as this will help minimize the loss of traffic and revenue due to security concerns. One of the main causes of infections can be outdated software, so it is essential that your CMS version, plugins, themes, and any other type of extension are updated regularly.

As mentioned earlier, keeping up-to-date backups of the site can also be useful. It is best to have at least 60 days of backups available, so you have plenty of time to “roll back” in the event of a compromise.

Ensuring that all passwords are strong and that administrator privileges are kept as low as possible will also reduce the risk of an attack.

Of course, it is also recommended that your site be regularly scanned for any malicious content or modification, and that the site be hardened with a Website Application Firewall. Having monitoring and a firewall in place will not only prevent malicious requests from going through, but will also detect anything that shouldn’t be on the site in the first place.
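One way to check a site's files for modification between scans is a hash baseline, shown here as an added example that is not part of the original article. The function names, file names and manifest location are assumptions, and `demo()` runs against a constructed site tree in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (dotfiles such as .htaccess included) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Return the files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }

def save_baseline(root, manifest_path):
    """Record the known-good state, for example right after an update or a clean restore."""
    Path(manifest_path).write_text(json.dumps(snapshot(root), indent=2))

def check(root, manifest_path):
    """Compare the current file tree against the stored baseline."""
    baseline = json.loads(Path(manifest_path).read_text())
    return compare(baseline, snapshot(root))

def demo():
    """Constructed site: take a baseline, then simulate an unwanted change."""
    with tempfile.TemporaryDirectory() as tmp:
        site, manifest = Path(tmp, "site"), Path(tmp, "baseline.json")
        site.mkdir()
        (site / "index.php").write_text("<?php echo 'store';")
        (site / ".htaccess").write_text("RewriteEngine On\n")
        save_baseline(site, manifest)
        (site / "index.php").write_text("<?php echo 'changed';")
        (site / "extra.php").write_text("<?php // unexpected file")
        return check(site, manifest)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the web server cannot write to, since a baseline stored next to the site files can be rewritten along with them.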


As more and more businesses decide to put their inventory online, it becomes more and more important for business owners to understand the risks and responsibilities that come with it. Stolen ecommerce data is in demand, and there will always be bad actors who want to take advantage of this kind of opportunity. Understanding both the types of attacks you may face as a site owner and how to be proactive in preventing them will go a long way in helping your business’s online reputation and overall consumer confidence.

If you are concerned that you are currently affected by an infection or attack, please do not hesitate to contact our team to clean it up for you.