A Guide to BigCommerce Security

Hackers never sleep. You could go to bed one night and wake up the next day to find your online store hacked. Cybercriminals are always on the prowl, sniffing out weak links and looking for back doors to access business-critical data and sensitive customer information.

The effects can be catastrophic for you, your business, and your customers.

BigCommerce security is non-negotiable when it comes to protecting your online store. In this guide, we take a deep dive into the steps you can take to avoid becoming another statistic in the latest data breaches.

The Importance of BigCommerce Store Security

The continued growth of the eCommerce sector has led to significant improvements in how online transactions are conducted. The downside is that this growth has also caught the attention of bad actors looking to make a quick buck from otherwise legitimate transactions.

A 2020 report on cybercrime indicates that the eCommerce industry is among the most susceptible to cyber-related crimes. These account for a whopping 32.4% of all online attacks, with security breaches projected to become even more severe as time passes. Even more alarming is that a large chunk of all the traffic online stores receive is made up of bad actors sending malicious HTTP requests.

If these statistics are anything to go by, the main takeaway is that cybercrime isn't going anywhere anytime soon. Cyberattacks have resulted in devastating financial losses, damaged business reputations, and a nose dive in the value of market shares.

Here’s another statistic you might find interesting. Roughly 60% of eCommerce businesses that succumb to cyberattacks go out of business within six months.

Scary, isn’t it?

If that’s not a reason to beef up your BigCommerce store security, we don’t know what is. The survival and longevity of your online store depend on it.

See also: Top-Rated BigCommerce Alternatives

Understanding the Risks and Consequences of Inadequate Security

If you’re the sort of person who likes to play out worst-case scenarios in their mind, you might be tempted to ask, “What’s the worst thing that could happen if I don’t adequately secure my online store?

How bad could it be?”

The short answer is: It might cost you much more than you bargained for, financially and legally. Here are some potential risks and effects of inadequate security on your eCommerce business.


1. Loss of Privacy

eCommerce websites handle a ton of sensitive customer data. We're talking – credit card information, banking details, residential addresses, etc. If this information were to be intercepted by an unauthorized third party, it could have far-reaching repercussions on the financial well-being of the unsuspecting victims – your customers.

Common security risks that could potentially result in loss of privacy include the following:

Counterfeit Websites

It is not uncommon for hackers to create fake replicas of legitimate sites. These websites bear uncanny similarities to the original ones, save for a hard-to-spot discrepancy in the domain name.

Customers may unwittingly enter their credit card information when shopping on these (fake) websites, which hackers then steal to perpetrate identity theft and financial fraud. The business risks suffering reputational damage and loss in market share.

Alteration to Site Content

Hackers can hack a website and modify content to divert incoming traffic to a target site (which could be a counterfeit of the original or a competitor). They may also redirect traffic to damage the business's reputation.

Theft of Payment Details and Personal Data

The eCommerce industry is chock-full of cases where major sites have been hacked and sensitive business and customer data stolen or leaked. Sensitive data includes everything from business inventory information to customer credit card details and personally identifiable information.

Damage to Computer Networks

Cybercriminals frequently use worms and viruses to infect a company’s computer network to gain access to sensitive information. Once a hacker gets their hands on this data, they can steal customers' payment information and their identity and even find out where they live or work. By infiltrating a company’s computer networks, cybercriminals can even divert payments to their account, resulting in severe financial losses for the business.

Theft of Business Data

A cyberattack on an eCommerce website can result in the loss of classified business data, including highly coveted intellectual property (IP). Hackers may then use this information to blackmail you into paying them or risk having that information leaked online to the public and your competitors, all to the detriment of your business.

Denial of Service

Another common tactic hackers use to attack online stores is Denial-of-Service (DoS). Here, hackers flood a website with a barrage of requests from numerous untraceable IP addresses, causing it to crash and become unavailable to legitimate shoppers.

The result?

Loss of sales and potential revenue for the business.

2. Malware Infection and Fraud

The strategies and tools hackers and other bad actors use in cyberattacks can have far-reaching financial and reputational consequences for eCommerce businesses. These tools range from malware infections (viruses, warms, etc.) and brute force entries to phishing attacks.

The result?

Financial losses for the business and its customers, irreversible damage to its reputation, and lawsuits filed against the company by customers who’ve suffered losses due to the breach.

3. Illicit Interception of Online Transactions

The very nature of online transactions makes them complex due to all the moving parts and players involved.

Think about it.

When a customer makes a purchase, the item has to be retrieved from the warehouse and dispatched to the customer. The customer is required to provide their payment information, which the third-party payment provider has to verify before validating the transaction.

If a dispute arises, the purchased item will need to be shipped back to the seller, who then has to notify the payment provider to reverse the transaction so the customer can receive a refund on the amount paid.

A security gap can result in hackers intercepting the transaction at any of the touch points we’ve listed above, resulting in the loss of sensitive customer information, business information, financial information, and money.


Is Your BigCommerce Store Secure?

So far, we’ve looked at why BigCommerce security is vital for your online store and the potential risks and consequences you face if you fail to take the necessary precautions to secure your eCommerce website.

With that in mind, the next logical question would be – Is your BigCommerce store secure?

The answer to this will depend on whether you’ve addressed the following issues on store security.

1. Privacy

Privacy, or confidentiality, in cybersecurity refers to preventing activities that may result in customer information being shared with unauthorized third-party entities. Other than the website where customers shop, no other entity should have access to their account details and personal data.

Merchants are, therefore, responsible for, at the very minimum, the following:

  • Setting up a firewall;
  • Installing anti-virus and encryption software;
  • Taking necessary data protection measures to protect customer payment information and personally identifiable data against privacy breaches.

If your online store does not have these basic measures in place, suffice it to say it is not secure.

2. Integrity

Integrity refers to the precautions taken by merchants to make sure any information shared by customers on their websites is not modified in any way, shape, or form. Online store owners must use customers' information as-is without changing any details.

If your eCommerce website cannot guarantee the integrity of consumer data, prospective buyers won’t trust you and, hence, won't want to transact with your business.

3. Authentication

Authentication is a security principle that requires both the buyer and the seller to be real. "Real," in this context, means that both parties should be who they purport to be and have a means of proving their identity when called upon.

As a business owner, you should be able to prove to customers that your business is real, that it deals in genuine merchandise or offers legitimate services, and that it delivers on its promise. Likewise, customers should be able to provide proof of their identity, so the merchant knows who their customer is and they are who they say they are.

If your eCommerce business cannot authenticate users, you expose it to online hackers.

4. Non-Repudiation

Non-repudiation is a legal premise that requires all parties to a transaction to follow through on what they started. The term "repudiation" is synonymous with "denial." Non-repudiation, therefore, provides confirmation that there has been communication between the parties involved and that the parties in question were in receipt of the said communication.

It further means that if a customer goes through the purchase process on your eCommerce website to the point of payment, you (the seller) cannot deny that purchase. Likewise, if you ship out an item to a customer to the point of receipt, they cannot later deny receiving or signing for the package.

Your store is not deemed secure if you have not taken adequate non-repudiation measures to protect your online business.

See also: Shopify Plus vs. BigCommerce Enterprise: Which Is Better?

BigCommerce Security: Best Practices to Protect Your Store

With those basics in mind, it’s time to dive into the best practices you can implement in your store to protect your BigCommerce website against hackers and other bad actors.

1. Adopt Multi-Tier Security

Right off the bat, it would be in the best interest of your business to adopt a multi-tiered approach to website security. Content Delivery Networks (CDNs), for instance, can block malicious incoming traffic and offset Denial-of-Service (Dos) and Distributed-Denial-of-Service (DDoS) attacks on your BigCommerce store.

You can also integrate an extra layer of protection by implementing multi-factor authentication measures such as Two-Factor Authentication (2FA). 2FA requires users to enter a security code sent to their email or phone number upon entering their (correct) login information. The idea is to ward off fraudsters attempting to access your account, even if they somehow got their hands on your username and password.

It is worth noting that multi-factor authentication isn’t necessarily foolproof. There have been cases of hackers accessing user accounts even with 2FA. Instead, it should be implemented with other security practices to minimize the likelihood of your store getting attacked.

2. Implement SSL

Another must-have for your eCommerce website is an SSL certificate. SSL is short for Secure Server Layer. It refers to software that encrypts sensitive user information, such as credit/debit card details and personally identifiable information, to make sure it gets to the intended person. SSL certificates prevent unauthorized third parties from intercepting sensitive information in transit from the sender to the recipient and vice versa.

Why is this important?

For starters, information transmitted from one computer to another doesn’t go directly to the recipient, per se. It will usually go through multiple servers before the intended recipient gets it.

Without SSL-certificate encryption, this information, during transit through the various servers, might be intercepted by a hacker, who then extracts the information being transmitted. You can see how problematic it would be if the information in question consisted of customers’ credit card details, names, birthdates, and other personally identifiable information.

When this data is encrypted with an SSL certificate, it makes the transmitted information unreadable to everyone other than the person for whom it was intended.


3. Install a Solid Firewall

No BigCommerce security strategy would be complete without implementing a robust firewall in your online store. But what is a firewall, anyway?

A firewall is a plugin or software installed on the backend of a website to regulate incoming and outgoing traffic to and from a website. A firewall is designed to provide what is known as "selective permeability" to control the traffic allowed to get through.

A solid firewall should be able to bar traffic from untrusted networks and cyberattacks, including malware, spam, bots, brute force, XSS, SQL injections, CSRF, etc. That way, the traffic flowing to your store comprises only real and legitimate users.

4. Install Anti-Malware

Malicious software, or “malware” for short, is developed to disrupt, damage, or provide unauthorized access to a website or computer network. Anti-malware is exactly what it sounds like – software built to stop malware dead in its tracks.

Anti-malware can only be considered effective if it detects, blocks, and removes malware – hidden otherwise – on your website. When identifying the best anti-malware to install on your eCommerce website, you want to get one that offers continuous, round-the-clock malware scanning and protection. It should also be able to automate the scanning process for hands-free site security, even while you’re sleeping.

Common examples of malware that anti-malware software can effectively eradicate include:

It is worth noting that no two anti-malware apps are created equal. The specific capabilities of each will vary depending on the developer.

5. Ensure PCI-DSS Compliance

PCI stands for Payment Card Industry. DSS stands for Data Security Standard.

PCI-DSS is an agreed-upon set of requirements created by the payment card industry players that define how online payment transactions will be handled. There are 12 requirements designed to protect sensitive user credit card details, debit card numbers, and banking information when buying things from eCommerce businesses.

You must comply with these requirements if your online store handles sensitive data, including personally identifiable information. Failure to do so may result in serious legal repercussions in the form of hefty fines and severe penalties in the event of a security breach.

Review the PCI-DSS requirements to check that your website complies with these regulations to guarantee a safe and secure checkout process for your customers.

6. Audit Site Plugins

If there's one predictable thing about hackers, it is that they always look for site vulnerabilities they can exploit. Here's the kicker – new vulnerabilities are discovered daily. That’s why it is extremely important to deploy site security patches the moment they’re released.

While BigCommerce deploys these updates automatically, which is great, you still need to monitor the plugins running on your store. Any third-party app with security vulnerabilities increases the likelihood of your store getting attacked. As a rule, only install third-party solutions from trustworthy providers and review the ratings to evaluate their credibility.

If there are site plugins you no longer use, uninstall them immediately to seal any potential loopholes hackers might exploit.

7. Run Code Audits

A code audit analyzes your website's source code to catch errors, bugs, and elements that don't meet the required security standards. Running a code audit on your BigCommerce store using Static Application Security Testing (SAST) tools scans your website code and identifies any issues on a graphical display. They allow you to find and fill security gaps, especially in the early stages of development.

The great thing about running code audits using these tools is that they provide a detailed guide to remediate the issues and find security vulnerabilities. 

8. Integrate API Security Testing

When integrating BigCommerce’s API with your company’s backend systems, any existing or emerging defects are likely to have a domino effect on the failure of other systems. Some of these failures can result in security gaps, inevitably resulting in widespread security breaches.

We recommend integrating API security testing into every phase of the software development lifecycle. That way, you can identify any accidental misconfigurations or damage resulting from bug fixes and feature upgrades. You can then rest easy knowing that BigCommerce and your backend systems are functioning optimally and that no security vulnerabilities have been introduced.

9. Implement Strong Password Policies

You would be surprised to learn that most security breaches on eCommerce websites result from weak or stolen login credentials. The password policies you implement for the staff and customers accessing your website should, at the very minimum, be based on the following best practices:

  • Passwords should be a certain minimum length, have a mix of lowercase and uppercase letters, contain numbers, and have at least one symbol.
  • Users should create new and unique passwords for their accounts on BigCommerce and not duplicate passwords they’ve used elsewhere.
  • Educate users on the importance of never disclosing sensitive information such as their birthdate, parents' names, neighborhood they grew up in, etc., as hackers and bad actors can use these to answer security questions.
  • Implement password managers among site users to help them easily remember their login credentials without having to write them down or save them in unprotected documents on their phones or computers.

See also: BigCommerce Pricing & Plans

10. Beware of Social Engineering Tactics

Phishing has been the go-to cyberattack strategy for hackers since time immemorial, perhaps because of how effective it is. To avoid falling victim to such attacks, you need to be able to spot a phishing attempt in the first place. It entails familiarizing yourself with the social engineering tactics hackers use to trick unsuspecting users into giving up sensitive information.

Verify the recipient's identity before completing any online form with personal information and login credentials. Confirm that the URL domain of the site where you're about to enter your information is the official website of the organization in question. Look out for nuances in the domain name. These are designed to fool you into believing it is a legitimate website.

For instance, “bankofamerica.org" vs. “bankofamerica.com”.

Also, never click links or open or download attachments from unknown senders. Only do so if you can verify the sender’s identity.


Final Thoughts

Remember, hackers get smarter by the day. They are employing more sophisticated methods to identify and exploit site security vulnerabilities to gain access to sensitive business and customer information. You must be proactive in securing your BigCommerce store against these threats.

The BigCommerce security measures we've detailed in this guide will go a long way in helping you protect your store against cyberattacks from hackers and other bad actors.

If you want to switch from your existing eCommerce provider to BigCommerce, Cart2Cart can help you do so quickly and efficiently. Our fully automated shopping cart migration tool removes the hassle from the replatforming process with no risk of data loss or downtime.

Ready to make the switch? Sign up for a free demo today to see Cart2Cart in action.


How secure is BigCommerce?

BigCommerce’s native security features are impressive. The platform boasts a host of Tier-1 security certifications, including ISO, PCI GDPR, RH-ISAC, CCPA, FIPS, and SOC. It also supports numerous third-party integrations, ranging from firewalls to anti-malware, to protect your online store from hackers.

How do I protect my BigCommerce store?

Some of the measures you can take to protect your online store against cyberattacks from hackers and other bad actors include:

  • Adopting multi-tier security
  • Implementing SSL
  • Installing a robust firewall
  • Installing strong anti-malware
  • Ensuring PCI-DSS compliance

How do I improve my BigCommerce security?

The steps you can take to improve the security of your eCommerce store include the following:

  • Periodically auditing your site plugins
  • Running code audits
  • Integrating API security testing
  • Implementing strong password policies for staff and customers
  • Spotting phishing attempts

What are the security options for BigCommerce?

The native security settings built into BigCommerce include:

  • Control panel timeout duration
  • Enable storefront reCAPTCHA on password reset requests, account sign-up forms, contact form submissions, product reviews, etc.
  • Failed login attempts lockout.
  • Shopper inactivity logout duration.
  • Shopper password complexity configuration.