Secure ownership and administrative access
Use business-controlled accounts for domain, DNS, hosting, payment providers and store administration. Restrict administrator access to people who need it and remove access when responsibilities change.
Strong unique passwords, multi-factor authentication and secure recovery methods reduce the impact of credential theft.
Use HTTPS correctly across the store
The full customer journey should use HTTPS, including product pages, login, cart, checkout and account areas. Redirect insecure requests and monitor certificate renewal.
HTTPS protects transport between the customer and website, but it does not by itself make application code, plugins or accounts secure.
Protect the payment workflow
Use the official integration method provided by the selected payment provider and verify payment status server-side. Validate signatures or webhooks where applicable and prevent duplicate processing.
Do not store sensitive card details unless the business has the required architecture, controls and compliance capability. Most businesses should rely on approved provider-hosted or tokenised payment flows.
Control software and third-party extensions
Install only necessary, maintained extensions from reliable sources. Remove unused plugins, themes and accounts because inactive components can still increase attack surface.
Test updates with backups and review third-party permissions, scripts and data collection.
Protect customer data and forms
Collect only information required for the order or support process, validate input and restrict database access. Avoid exposing customer information in URLs, logs or public files.
Use spam protection and rate controls where appropriate, but ensure forms remain usable for legitimate customers.
Prepare backups, logging and incident response
Maintain recoverable backups outside the production server and record important security events. Define who will respond if the site is changed, customer data may be exposed or payments behave unexpectedly.
An incident plan should include containment, evidence preservation, recovery, provider communication and professional advice where required.
Review security continuously
Security is not a one-time launch task. Monitor unusual logins, file changes, failed payments, resource spikes, malware alerts and unexpected redirects.
Periodic professional testing may be appropriate for higher-risk systems. No checklist can guarantee complete protection.
Practical checklist
- Business-owned domain, hosting and payment accounts
- Multi-factor authentication enabled where supported
- HTTPS enforced across all public and account pages
- Server-side payment verification implemented
- Unused plugins, themes and users removed
- Updates applied through a tested process
- Customer data access restricted and reviewed
- Off-server backups and restore tests maintained
- Security monitoring and incident contacts documented
Common questions
No. HTTPS protects data in transit, but account security, application code, updates, server controls and monitoring are also required.
Most businesses should use payment-provider flows that avoid direct storage of sensitive card data. Requirements should be assessed with appropriate compliance and security expertise.
No single plugin provides complete protection. Security requires layered controls, updates, access management, backups, monitoring and safe development.
No. It is general technical planning information. Businesses should obtain professional legal, privacy, security and compliance advice for their circumstances.