How to Do a Security Audit for Your Online Store
Before You Start
Security auditing is not the same as security scanning. Vulnerability scanning uses automated tools to test for specific technical weaknesses. A security audit is a broader, manual review of your entire security posture, including the human and process elements that scanning tools cannot evaluate. Think of scanning as checking whether your locks are pickable, while an audit checks whether anyone left a window open, whether the alarm system is still plugged in, and whether the spare key is still hidden in the same spot.
Schedule your audit for the same week each quarter (for example, the first week of January, April, July, and October) so it becomes a predictable routine rather than something you keep postponing. Block 2 to 4 hours on your calendar with no other commitments. Have the login credentials ready for every system you need to check: your ecommerce platform, hosting control panel, domain registrar, payment processor, email marketing platform, analytics accounts, and any other tools connected to your store. Create a checklist document (a spreadsheet works well) where you record your findings for each audit area, the date checked, and any issues that need remediation.
Step-by-Step Security Audit
Access review is the highest-priority audit area because unauthorized or unnecessary access is the most frequently discovered issue and the most dangerous. Admin accounts: Log into your ecommerce platform and list every admin and staff account. For each account, verify that the person still needs access, that their permission level matches their current role (not permissions accumulated from past tasks), and that two-factor authentication is enabled. Remove or disable any account belonging to someone who no longer works with you, and reduce permissions for any account that has more access than its role requires. Hosting and server accounts: Check your hosting control panel for all user accounts. Review SSH keys (the authorized_keys file of every server login, not only the key list in the control panel) and FTP credentials, and remove any access that is no longer needed; prefer SFTP or SSH over plain FTP, which sends passwords unencrypted. Third-party service accounts: Review admin access on your payment processor, email marketing platform, analytics accounts, and any other SaaS tools. Each of these services can access or modify customer data, and forgotten access belonging to a former contractor or employee is a common security gap. API keys and integration tokens: Review API keys for third-party integrations. Revoke any keys that are no longer in use. Rotate keys that have not been changed in the past year. Check that API keys have the minimum necessary permissions (read-only where write access is not required), and note where each key is stored: a key kept in a plugin setting or a code repository is exposed to everyone who can read that place.
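The access checks above can be scripted against the user and API-key exports most platforms provide, which makes the quarterly review repeatable instead of a manual read-through. The following is an added example written for this article, not code from any ecommerce platform or vendor: the account and key records, their field names, the 90-day idle threshold, the two-admin limit and the WRITE_REQUIRED set are constructed assumptions; the one-year rotation rule is the one stated above.

```python
from datetime import date

# Audit date the sample is evaluated against (constructed for this example).
AUDIT_DATE = date(2025, 3, 31)

# Constructed sample exports. Real platforms give you this as a CSV or JSON
# user list; the field names here are assumptions, not any vendor's format.
ACCOUNTS = [
    {"user": "owner", "role": "admin", "mfa": True,
     "last_login": "2025-03-28", "active": True},
    {"user": "contractor-dev", "role": "admin", "mfa": False,
     "last_login": "2024-09-02", "active": True},
    {"user": "support-anna", "role": "shop_manager", "mfa": True,
     "last_login": "2025-03-29", "active": True},
    {"user": "old-intern", "role": "editor", "mfa": False,
     "last_login": "2024-06-15", "active": False},
]
API_KEYS = [
    {"name": "shipping-sync", "perms": "read",
     "created": "2024-11-01", "last_used": "2025-03-30"},
    {"name": "erp-export", "perms": "read_write",
     "created": "2023-12-10", "last_used": "2025-03-25"},
    {"name": "legacy-analytics", "perms": "read_write",
     "created": "2023-02-01", "last_used": "2024-05-03"},
]
# Integrations that genuinely need write access (assumption for the example).
WRITE_REQUIRED = {"erp-export"}


def review_accounts(accounts, today=AUDIT_DATE, stale_days=90, max_admins=2):
    """Return (user, finding) pairs: disabled leftovers, missing 2FA, stale logins,
    and too many full admins."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["active"]:
            findings.append((user, "disabled account still exists: delete it"))
            continue
        if not acct["mfa"]:
            findings.append((user, "two-factor authentication not enabled"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append((user, f"no login for {idle} days: confirm access is still needed"))
    admins = [a["user"] for a in accounts if a["active"] and a["role"] == "admin"]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} admin accounts: check each really needs full access"))
    return findings


def review_api_keys(keys, today=AUDIT_DATE, rotate_days=365, unused_days=90):
    """Return (key name, finding) pairs: unused keys to revoke, old keys to rotate,
    and write permission where the integration does not need it."""
    findings = []
    for key in keys:
        name = key["name"]
        unused = (today - date.fromisoformat(key["last_used"])).days
        if unused > unused_days:
            findings.append((name, f"unused for {unused} days: revoke"))
            continue  # a key you are revoking does not also need rotating
        age = (today - date.fromisoformat(key["created"])).days
        if age > rotate_days:
            findings.append((name, f"{age} days old: rotate"))
        if key["perms"] != "read" and name not in WRITE_REQUIRED:
            findings.append((name, "has write access it does not need: reduce to read-only"))
    return findings


if __name__ == "__main__":
    for who, what in review_accounts(ACCOUNTS) + review_api_keys(API_KEYS):
        print(f"{who:18} {what}")
```

Paste the findings straight into the audit spreadsheet; the "no login for N days" items are the ones to confirm with the person before removing access, the rest can be actioned immediately.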
Ecommerce platform: Verify you are running the latest stable version of Shopify, WooCommerce, Magento, or whatever platform you use (on Shopify the platform itself is updated for you, so this check reduces to apps and theme code). For WooCommerce, check both the WordPress core version and the WooCommerce plugin version. Plugins and extensions: List every installed plugin and update any that have updates available. For each plugin, check when the developer last updated it; if it has been more than 6 months with no update, research whether the plugin is still maintained or has known security issues. Delete any plugin you are not actively using: a deactivated plugin's files are still on the server and can still be requested directly by an attacker. Themes: Update your active theme to its latest version. Delete any inactive themes except a default theme as a fallback. PHP version: Check your PHP version in your hosting control panel. If you are running anything below PHP 8.1, upgrade: PHP 8.0 and earlier have reached end of life and no longer receive security patches, and the supported set moves forward every year, so check php.net/supported-versions.php for the current dates. Server software: If you manage your own server, check that the operating system, web server (Apache/Nginx), and database server (MySQL/MariaDB) have all security patches applied. If you use managed hosting, confirm with your provider that they apply security patches automatically.
SSL/TLS: Run the Qualys SSL Labs test (ssllabs.com/ssltest) and verify your grade is still A or A+. Check that your certificate is not approaching expiration. If you use Let's Encrypt, the certificate is valid for 90 days and the ACME client normally renews it with about 30 days left, so a certificate showing fewer than 30 days remaining in your browser means auto-renewal is failing; fix that now rather than waiting for the outage. Firewall: Review your WAF rules and blocked request logs. Verify the firewall is actively filtering traffic by checking the dashboard for recent blocked requests; no recent blocks could mean the firewall is disabled or misconfigured. If you use Cloudflare, verify that SSL mode is set to "Full (Strict)," that security headers are configured, and that your origin server IP is not exposed: look for unproxied DNS records (a mail or FTP subdomain pointing at the same server is a common leak) and restrict your origin's own firewall to Cloudflare's published IP ranges, so an attacker who learns the IP cannot bypass the WAF. Security headers: Run the Mozilla Observatory test (now hosted on MDN at developer.mozilla.org/en-US/observatory) and compare the score to your previous audit. If any headers have changed or new recommendations have appeared, address them. File integrity monitoring: Verify your monitoring tool is active and has sent at least one alert in the past quarter (even if just for a legitimate plugin update). If you have not received any alerts, the monitoring may have stopped working. Login monitoring: Review failed login attempt logs for patterns suggesting brute force (many failures against one account from one address) or credential stuffing (one attempt each against many different usernames). Check that account lockout rules are still active. Uptime monitoring: Verify your uptime monitoring service is active and has sent test alerts recently.
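As an added example (not from the original article or any of the tools it names), the script below performs two of the checks above in a form you can run from a laptop: it grades a set of response headers the way you would after reading an Observatory report, and it interprets a certificate's remaining lifetime using the assumption that Let's Encrypt certificates last 90 days and the ACME client renews at 30 days left (certbot's default). The GOOD_HEADERS and BARE_HEADERS responses are constructed; certificate_info and fetch_headers connect to a live host and are there for real use.

```python
import socket
import ssl
from datetime import datetime, timezone
from urllib.request import Request, urlopen

# Response headers a storefront should send; the message is the audit finding.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may still try plain HTTP",
    "content-security-policy": "Content-Security-Policy missing",
    "x-content-type-options": "X-Content-Type-Options missing (should be nosniff)",
    "x-frame-options": "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)",
    "referrer-policy": "Referrer-Policy missing",
}
SIX_MONTHS = 15552000  # seconds; a shorter HSTS max-age gives little protection


def hsts_max_age(hsts_value):
    """Extract max-age from a Strict-Transport-Security value, 0 if absent."""
    for directive in hsts_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value)
    return 0


def check_headers(headers):
    """Return a list of findings for one response's headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, message in REQUIRED_HEADERS.items():
        if name in h:
            continue
        # CSP frame-ancestors is the modern replacement for X-Frame-Options.
        if name == "x-frame-options" and "frame-ancestors" in h.get("content-security-policy", ""):
            continue
        findings.append(message)
    if "strict-transport-security" in h and hsts_max_age(h["strict-transport-security"]) < SIX_MONTHS:
        findings.append("HSTS max-age below six months")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By header leaks the stack: {h['x-powered-by']}")
    if any(ch.isdigit() for ch in h.get("server", "")):
        findings.append(f"Server header reveals a version: {h['server']}")
    return findings


def renewal_status(days_left, issuer_org):
    """Interpret a certificate's remaining lifetime. Assumes a 90-day Let's Encrypt
    certificate and an ACME client that renews at 30 days remaining."""
    if days_left < 0:
        return "expired"
    if days_left <= 7:
        return "critical: renew now"
    if "Let's Encrypt" in issuer_org and days_left < 30:
        return "warning: auto-renewal has missed its window, check the ACME client"
    if days_left < 30:
        return "warning: renew soon"
    return "ok"


def certificate_info(hostname, port=443, now=None):
    """Live check: connect with the system trust store and return (days_left, issuer).
    A failed handshake (expired cert, wrong name) raises, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = dict(item[0] for item in cert["issuer"]).get("organizationName", "")
    return (not_after - (now or datetime.now(timezone.utc))).days, issuer


def fetch_headers(url):
    """Live helper: GET the storefront and return its response headers as a dict."""
    with urlopen(Request(url, headers={"User-Agent": "store-audit/1.0"}), timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed responses for the offline check: a hardened one and a bare one.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "nginx",
}
BARE_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}

if __name__ == "__main__":
    print("hardened:", check_headers(GOOD_HEADERS))
    print("bare:", check_headers(BARE_HEADERS))
    print("cert:", renewal_status(20, "Let's Encrypt"))
```

For the live run, call check_headers(fetch_headers("https://your-store.example")) and renewal_status(*certificate_info("your-store.example")); record both outputs in the audit sheet next to the Observatory and SSL Labs grades so the next audit has something to diff against.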
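Failed-login review is easier to do consistently with a small script than by eye, because the three patterns worth catching look different in aggregate rather than line by line. The example below is added here and is not part of the original article: its one-line-per-failure log format and the SAMPLE_LOG contents are constructed, and the thresholds (10 failures for brute force, 5 distinct usernames for credential stuffing, 5 source addresses for a targeted account) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape assumed for this example; adapt the regex to your plugin's log format.
LINE = re.compile(r"^(?P<ts>\S+) FAILED user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log: 12 failures against "admin" from one address, one attempt
# each against 8 different usernames from a second address, "shop_owner" hit from
# 6 different addresses, and two mistyped passwords from a genuine staff member.
SAMPLE_LOG = "\n".join(
    [f"2025-03-30T02:{14 + i:02d}:07+00:00 FAILED user=admin ip=203.0.113.5" for i in range(12)]
    + [f"2025-03-30T03:05:{i:02d}+00:00 FAILED user=user{i} ip=198.51.100.77" for i in range(8)]
    + [f"2025-03-30T04:00:{i:02d}+00:00 FAILED user=shop_owner ip=192.0.2.{20 + i}" for i in range(6)]
    + ["2025-03-30T09:12:01+00:00 FAILED user=anna ip=192.0.2.10",
       "2025-03-30T09:12:09+00:00 FAILED user=anna ip=192.0.2.10"]
)


def parse(log_text):
    """Return (timestamp, user, ip) for every line matching LINE; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def analyse(events, brute_threshold=10, stuffing_users=5, distributed_ips=5):
    """Return (kind, subject, detail) alerts for three attack shapes."""
    per_ip = defaultdict(list)       # ip -> [(timestamp, username)]
    per_user_ips = defaultdict(set)  # username -> source addresses
    for ts, user, ip in events:
        per_ip[ip].append((ts, user))
        per_user_ips[user].add(ip)
    alerts = []
    for ip, attempts in per_ip.items():
        users = [u for _, u in attempts]
        distinct = set(users)
        span = max(t for t, _ in attempts) - min(t for t, _ in attempts)
        if len(users) >= brute_threshold and len(distinct) <= 2:
            # many failures against one or two accounts: password guessing
            alerts.append(("brute_force", ip,
                           f"{len(users)} failures against {sorted(distinct)} within {span}"))
        elif len(distinct) >= stuffing_users and len(users) < 2 * len(distinct):
            # roughly one try per username: replaying leaked credential pairs
            alerts.append(("credential_stuffing", ip,
                           f"{len(distinct)} usernames tried, {len(users)} attempts within {span}"))
    for user, ips in per_user_ips.items():
        if len(ips) >= distributed_ips:
            # one account hit from many addresses: a distributed attack that per-IP lockout misses
            alerts.append(("distributed_attack", user,
                           f"failures from {len(ips)} different addresses"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in analyse(parse(SAMPLE_LOG)):
        print(f"{kind:20} {subject:16} {detail}")
```

The distributed case is the one to watch: per-IP lockout rules never trigger on it, which is why the script groups by username as well as by address. For a quarter of logs, run analyse over one day or one hour of events at a time so a slow trickle does not drown in the totals.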
Backup testing: This is the most commonly skipped audit step and the one that matters most when you need it. Locate your most recent backup and verify it completed successfully. Check the backup size; if it is significantly smaller than previous backups, it may be incomplete. Perform a test restoration to a staging environment and verify the restored store functions correctly with products, images, orders, and customer data intact. Record the time required for the full restoration process: that number is your real recovery time, whatever the hosting plan promises. Backup retention: Verify your retention policy is working, that daily backups are available for at least 30 days and monthly archives are kept for at least 12 months, and that at least one copy lives somewhere an attacker holding your hosting credentials could not delete (a separate account or provider). Payment integration: Verify your payment processing is still using a hosted payment form (Stripe Elements, PayPal hosted buttons, Shopify checkout) where card data never touches your server. Check that no changes to your checkout have introduced direct card handling, and list the third-party scripts that load on the checkout page: a malicious script on the surrounding page can overlay a fake card form, so the hosted form alone does not protect the page it is embedded in. Review your PCI compliance SAQ status and ensure it is current. Fraud tools: Review your fraud prevention rules and their effectiveness. Check your chargeback rate for the quarter. Review any manual review triggers for accuracy, adjusting thresholds that produce too many false positives or miss real fraud.
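The backup checks above (did it complete, is it the expected size, does retention hold) can be made mechanical so they are not skipped. The following is an added example, not code from the article's author or from any backup tool: the in-memory .tar.gz stands in for a real backup file, and the daily and monthly histories in HEALTHY, SHRUNK, STALE and MONTHLY are constructed to show a healthy set, a suspiciously small latest backup and a schedule that stopped three days ago.

```python
import io
import os
import statistics
import tarfile
import zlib
from datetime import datetime, timedelta, timezone


def archive_is_complete(data):
    """Read every member of a .tar.gz held in memory. A truncated upload or a
    corrupt stream raises while reading, which is the 'did it really complete' test."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar:
                if member.isfile():
                    f = tar.extractfile(member)
                    while f.read(1 << 16):
                        pass
        return True
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False


def backup_health(backups, now, monthly_archives=(), max_age_hours=26, min_ratio=0.7):
    """backups: (timestamp, size_bytes) pairs for the daily set; monthly_archives:
    timestamps of the monthly copies. Returns a list of findings (empty is good)."""
    backups = sorted(backups)
    latest_ts, latest_size = backups[-1]
    findings = []
    if now - latest_ts > timedelta(hours=max_age_hours):
        findings.append(f"latest backup is {(now - latest_ts).days} days old: the schedule may have stopped")
    previous = [size for _, size in backups[-8:-1]]  # the seven before the latest
    if previous:
        typical = statistics.median(previous)
        if latest_size < min_ratio * typical:
            findings.append(f"latest backup is {latest_size / typical:.0%} of the recent median size: possibly incomplete")
    days_covered = {ts.date() for ts, _ in backups if (now.date() - ts.date()).days < 30}
    if len(days_covered) < 30:
        findings.append(f"only {len(days_covered)} of the last 30 days have a daily backup")
    months = {(ts.year, ts.month) for ts in monthly_archives}
    if len(months) < 12:
        findings.append(f"only {len(months)} monthly archives, 12 expected")
    return findings


def build_sample_archive(payload):
    """Make a small .tar.gz in memory as a constructed stand-in for a real backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("store/wp-content/uploads/blob.bin")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed test data (random payload so the archive does not compress away).
SAMPLE_ARCHIVE = build_sample_archive(os.urandom(200_000))
NOW = datetime(2025, 3, 31, 8, 0, tzinfo=timezone.utc)
HEALTHY = [(NOW.replace(hour=2) - timedelta(days=d), 4_000_000_000 + d * 1_000_000) for d in range(35)]
MONTHLY = [datetime(y, m, 1, tzinfo=timezone.utc)
           for y, m in [(2025, 3), (2025, 2), (2025, 1)] + [(2024, m) for m in range(12, 3, -1)]]
SHRUNK = HEALTHY[1:] + [(NOW.replace(hour=2), 1_100_000_000)]  # today's file is a quarter the size
STALE = HEALTHY[3:]                                             # nothing since three days ago

if __name__ == "__main__":
    print("full archive readable:", archive_is_complete(SAMPLE_ARCHIVE))
    print("truncated archive readable:", archive_is_complete(SAMPLE_ARCHIVE[: len(SAMPLE_ARCHIVE) // 2]))
    for label, history in (("healthy", HEALTHY), ("shrunk", SHRUNK), ("stale", STALE)):
        print(label, backup_health(history, NOW, MONTHLY))
```

For a real backup, pass the file's bytes (or adapt archive_is_complete to open the path directly) and build the history from the listing of your backup storage. This only proves the file is intact and the schedule is running; the restore to staging remains the only proof that the data inside is usable.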
Run an external vulnerability scan using OWASP ZAP, Detectify, or your preferred scanning tool against the store URL. If your store runs on a hosted platform such as Shopify, check the platform's policy on scanning first: you do not control that infrastructure, and some providers restrict automated testing. Compare results against your previous quarterly scan to identify new vulnerabilities introduced since the last audit. For each finding, record: the vulnerability description, its severity rating, the affected component, the remediation action needed, and the target date for remediation. Critical and high-severity findings should be remediated within the current audit session or within 48 hours. Medium findings should be scheduled for remediation within 30 days. Low and informational findings should be tracked for the next audit cycle. After completing all remediation, run a verification scan to confirm the fixes are in place; a fix deployed to staging but never to production is a common way for a finding to reappear. Save your completed audit checklist with dates, findings, and remediation actions as your audit record. This documentation supports GDPR accountability requirements and PCI compliance evidence, and it gives you a security improvement timeline to reference in future audits.
Audit Checklist Summary
Use this condensed checklist for your quarterly audits. Each item should take 5 to 15 minutes to verify.
- All admin accounts reviewed, unnecessary access removed, 2FA verified on every account
- All software updated: platform, plugins, themes, PHP version, server OS
- Unused plugins and themes deleted (not just deactivated)
- SSL Labs grade verified as A or A+, certificate expiration checked
- Firewall active and filtering traffic, rules reviewed
- Security headers verified via Mozilla Observatory
- File integrity monitoring active and alerting
- Failed login logs reviewed for attack patterns
- Backup tested via restoration to staging environment
- Backup retention policy verified (30 days daily, 12 months monthly)
- Payment integration verified as hosted (card data never touches your server)
- PCI compliance SAQ status current
- Fraud prevention rules reviewed and thresholds adjusted
- Chargeback rate checked (must stay below 1%)
- External vulnerability scan completed and findings documented
- Critical and high findings remediated, medium findings scheduled
- Third-party integrations reviewed, unused services removed
- API keys reviewed, unused keys revoked, old keys rotated
- Incident response contact list verified as current
- Audit findings documented with dates and remediation records
When to Hire a Professional Auditor
A self-audit is valuable for quarterly maintenance, but there are situations where professional expertise adds significant value. Consider hiring a professional security auditor or penetration tester when:
- you are launching a new store and want to verify security before going live
- you have experienced a security incident and want an independent assessment of your current posture
- your business has grown to a level where a breach would cause significant financial damage (typically $50,000+ monthly revenue)
- you are required to demonstrate security compliance to a business partner, enterprise customer, or insurance provider
- it has been more than a year since a professional reviewed your security
Professional security audits cost $2,000 to $15,000 depending on scope, and penetration tests (where the auditor actively attempts to breach your store) cost $5,000 to $25,000. For stores processing significant revenue, the cost of professional assessment is small compared to the potential cost of a breach that a self-audit failed to prevent.
