Backups and Security for Online Stores: The Essential Checklist

An e-commerce store that handles customer data and processes payments has security obligations that go beyond what most website owners think about. A breach doesn’t just cause downtime—it exposes customer financial data, triggers regulatory consequences, and can permanently damage the trust that takes years to build. A store without reliable backups is one catastrophic failure away from losing everything. Yet many online stores operate without a coherent security posture or a tested backup strategy. This checklist-driven guide covers every layer of e-commerce security and backup you need to have in place.

Understanding Your Security Surface

Before working through the checklist, it’s worth understanding what you’re actually defending against. E-commerce stores face several distinct threat categories:

Payment data theft: Attackers who inject malicious code (skimmers) into checkout pages to capture card data as customers type it. This is called a Magecart attack, and it’s responsible for some of the most damaging breaches in e-commerce history.

Credential-based attacks: Brute force and credential stuffing attacks against admin accounts, customer accounts, and hosting control panels using leaked username/password combinations.

Plugin and theme vulnerabilities: Unpatched security flaws in WordPress plugins, WooCommerce extensions, or Shopify apps that allow attackers to gain unauthorized access.

SQL injection and code injection: Attacks through form inputs that manipulate database queries or inject executable code.

Data exposure through misconfiguration: Sensitive files, database credentials, or customer data accidentally made publicly accessible through misconfigured servers or permissions.

Sucuri’s annual hacked website report consistently identifies outdated software and weak credentials as the leading causes of compromise. The good news: most successful attacks exploit known, preventable vulnerabilities.

Part 1: SSL and Transport Security

Checklist Items

• HTTPS across the entire site: Every page—not just checkout—must be served over HTTPS. Check that HTTP requests automatically redirect to HTTPS. Mixed content warnings (HTTPS pages loading HTTP resources) must be resolved.

• SSL certificate validity: Your SSL certificate must be valid and not expiring soon. Use SSL Labs’ SSL Test to check certificate configuration, expiry date, and protocol support.

• Certificate auto-renewal: Configure automated renewal (Let’s Encrypt auto-renews; hosting providers often handle this). An expired SSL certificate causes browsers to show security warnings to customers and kills conversions immediately.

• HSTS header: The Strict Transport Security header tells browsers to always use HTTPS for your domain, even before a redirect. Configure it with a long max-age value after you’ve confirmed HTTPS works everywhere.

Hosted platforms (Shopify, BigCommerce) handle SSL automatically. For self-hosted WooCommerce, SSL is your responsibility. Let’s Encrypt provides free SSL certificates that most hosting providers can configure automatically.

Part 2: Access Control and Authentication

Checklist Items

• Strong, unique admin passwords: Every admin account should use a strong, randomly generated password unique to that service. Use a password manager.

• Two-factor authentication on admin accounts: Enable 2FA for all admin users on your e-commerce platform, hosting control panel, domain registrar, and email accounts. A stolen password is meaningless if 2FA is required.

• Principle of least privilege: Every user account should have only the minimum permissions required for their role. A content editor doesn’t need payment settings access. A developer working on theme code doesn’t need customer data access.

• Regular access audit: Review all admin and user accounts quarterly. Remove accounts for former employees, contractors, or agencies who no longer need access. This is one of the most commonly neglected security tasks.

• Login attempt limiting: Implement rate limiting on login pages to block brute force attacks. WooCommerce sites need a plugin like Limit Login Attempts Reloaded or the equivalent in a security plugin. Shopify handles this at the platform level.

• Secure admin URL (WooCommerce): The default WordPress admin URL (/wp-admin) is well-known and heavily targeted. Changing it reduces automated attack volume, though this is security through obscurity and should complement, not replace, the above measures.

Part 3: Platform and Software Security

Checklist Items

• Core platform kept current: WordPress, WooCommerce, and all plugins should be updated promptly after new releases. Security patches especially should be applied immediately. Subscribe to the WooCommerce Security Advisories and your plugin vendors’ security notifications.

• Plugin and theme audit: Every installed plugin and theme expands your attack surface. Remove any plugin that’s not actively being used. Remove inactive themes entirely—they can still contain exploitable code even when not active.

• Plugin source vetting: Only install plugins from reputable sources (the official WordPress.org repository, established commercial vendors). Free plugins from unknown sources may contain malicious code. Check update frequency and active installation count before trusting a plugin.

• File integrity monitoring: Tools like Sucuri or Wordfence can monitor your files for unauthorized changes. An unexpected change to a checkout template file is a strong indicator of a Magecart-style injection.

• Web Application Firewall (WAF): A WAF filters malicious traffic before it reaches your server. Cloudflare’s WAF and Sucuri’s WAF are common choices for WooCommerce stores. They block known attack patterns, SQL injection attempts, and malicious bots.

Part 4: PCI DSS Compliance

If you accept credit cards, PCI DSS compliance is a legal obligation, not optional. The PCI Security Standards Council’s documentation covers the full requirements, but at the practical level for most e-commerce stores:

Checklist Items

• Use a PCI-compliant payment processor: Stripe, PayPal, Square, and Shopify Payments are PCI-certified at the provider level. Using them reduces your compliance burden substantially.

• Do not store raw card data: Card numbers, CVVs, and PINs must never be stored on your servers. Using a compliant payment processor via redirect or tokenization ensures this automatically.

• Annual SAQ completion: Self-Assessment Questionnaires (SAQs) document your compliance posture. The appropriate SAQ level depends on how you process payments. Most stores using a redirect-based payment processor qualify for the simpler SAQ A.

• Regular vulnerability scanning: PCI requires quarterly vulnerability scans by an Approved Scanning Vendor (ASV) for merchants above certain transaction volumes.

Shopify handles PCI compliance for the checkout and payment components of your store as a Level 1 PCI Service Provider. Shopify’s PCI compliance documentation explains what they cover and what responsibilities remain with store owners.

Part 5: Backup Strategy

Security protects against breaches. Backups protect against everything else: server failures, accidental deletion, botched updates, ransomware, and natural disasters. The two are complementary, not interchangeable.

The 3-2-1 Backup Rule

The 3-2-1 rule is the industry standard backup framework:

• 3 copies of your data (the live site plus two backups)
• 2 different storage media (e.g., your hosting server and a cloud storage service)
• 1 copy offsite (stored separately from your primary hosting environment)

A backup stored only on the same server as your live site is not a real backup—if the server fails or is compromised, both are lost together.

Checklist Items

• Daily automated backups: Both database (order data, customer data, products) and files (theme, plugins, media) must be backed up. For WooCommerce, plugins like UpdraftPlus can automate this to external storage (S3, Google Drive, Dropbox).

• Backup retention policy: Keep at least 30 days of daily backups. This ensures you can recover to a point before a problem that wasn’t noticed immediately.

• Offsite backup storage: Store backups in a location separate from your hosting. Amazon S3, Google Cloud Storage, or Backblaze B2 are cost-effective options.

• Backup encryption: Backups contain customer data and should be encrypted in storage. UpdraftPlus supports encrypted remote backups.

• Tested restore process: A backup you’ve never tested is not a reliable backup. Test restoration quarterly. Restore to a staging environment and verify that the store works correctly from the restored backup. This is the step almost everyone skips—until they need to recover from an incident and find their restore process is broken.

• Pre-update backups: Before any significant update (major platform version, core plugin update), take a manual backup. This provides a clean restore point if the update causes problems.

Shopify-Specific Backup Considerations

Shopify hosts your store data and maintains their own infrastructure backups, but this does not protect you against accidental deletion, app-induced data corruption, or your own errors. Rewind is the most widely used third-party backup solution for Shopify—it backs up products, orders, themes, and store settings to external storage with point-in-time restore capability.

Part 6: Monitoring and Incident Response

Checklist Items

• Security monitoring: Active monitoring for malware, unauthorized file changes, and suspicious login activity. Sucuri and Wordfence for WooCommerce both provide this. Shopify monitors the platform; store owners need to monitor at the app and account level.

• Uptime monitoring: Automated alerts if your store goes offline. Pingdom, Better Uptime, and UptimeRobot offer free tiers sufficient for basic alerting.

• Order and conversion anomaly alerting: A sudden drop in orders can indicate a checkout problem. Set up custom alerts in Google Analytics 4 or your analytics platform.

• Incident response plan: Know what you’ll do if you’re breached. Who do you call? How do you notify customers? Who handles the forensic investigation? Having answers before an incident happens makes response faster and less chaotic. NIST’s guide to cybersecurity incident response provides a framework even for smaller organizations.

• Customer breach notification compliance: Depending on your location and customer base, data breach notification laws may require you to notify affected customers within a specific timeframe. Know which laws apply to you (GDPR in Europe, CCPA in California, state breach notification laws in the US).

Making Security Sustainable

Security is not a one-time setup. Threats evolve, software changes, staff turns over, and configurations drift. The checklist above should be reviewed and executed on a schedule—not treated as a launch task and forgotten.

The stores that maintain strong security postures do so because they’ve built security into their operational routines: updates applied on schedule, access reviewed regularly, monitoring alerts responded to promptly, and backups tested before they’re needed.

Building and maintaining a robust security and backup posture requires ongoing technical attention that most store owners can’t manage alongside running their business. CodingGeek’s e-commerce maintenance services include security monitoring, backup management, and proactive vulnerability management for Shopify and WooCommerce stores. Get in touch to find out what’s currently at risk in your store.