How can I secure my shopping website from hackers?

Having a shopping website and I want to secure from hackers, how can and what have to do?

Keep your shopping cart software up to date
Subscribe to any security alert notifications available from your cart software vendor
Use reputable high quality hosting, ideally a dedicated server or VPS
Ensure your PC is kept secure and has up to date anti viral software
Add extra security e.g. .htaccess the admin directory

I reccomend going with a hosted e-commerece solution. That way the company takes full responsibilty and security is on them. It will cost $$$ but, you will be feeling worried-free the moment your site goes live. Why do the hard work when someone, experienced, will take care of the work for you.

What software are you running your shop in?

In which platform your are running this ?

  1. Install Firewall (APF or CSF Firewall with BFD)
  2. ModSecurity (Web application firewall)
  3. ModEvasive (Prevent DDOS attacks)
  4. Harden SSH server
  5. Fix Open DNS Recursion
  6. Install RKhunter
  7. Install ClamAV (Antivirus)
  8. XInet Servers Hardening (Disable Telnet/Finger or unwanted services)
  9. Securing PHP
  10. PortsEntry (tool to detect portscans)
  11. Harden host.conf (against IP spoofing)
  12. Check User Uploaded files
  13. Secure /tmp Folders (noexec, nosuid)

If you have done above stuffs in a Linux server then you are almost there, but always the application vulnerabilities results in hack, so make sure that you update the software regular.


Mike (EastCoast) has the correct answer (USP’s host using your weak passwords will not help, CW’s question about cart is irrelevant as every cart can easily be affected and PA’s list is too generic and does not deal with the question asked) but Mike failed to STOMP on the issue of using STRONG passwords - without which you may as well not even use passwords at all.



Hire experienced staff to handle your shopping cart. Make sure those professionals only who have worked in the same domain previously.

Good list and good advice but…

  1. ModEvasive will not prevent DDOS attacks. It is only semi-effective for url DDoS (which is not commonly used for serious attacks) and even for url DDoS it will provide you with many “false-positives”.
    Full DDoS protection can only come from “front-gate” solutions that will provide absorption and filtering (i.e. Cloud CDN + WAF like Incapsula or, for more high-end site, Akamai).

Everything you have on server level cannot be 100% effective since it can only deal with traffic that have reached the server.
Remember, DDoS traffic reaches server = DDoS succeed.

  1. ModSecurity can be nice and personally I think it`s a great OS project.
    That being said, this is not a “plug and play” solution and is not fit for serious security threats. Default setting will leave you extremely vulnerable (it is OS and the default is there for all to see).
    Also, constant upgrade is needed and if you are already indeed of DDoS protection , Cloud CDN+WAF can be a 1-in-2 solution.

For more information read this: