Website Vulnerability Scanning for Ecommerce: Find and Fix Security Gaps
Before You Start
Vulnerability scanning is fundamentally different from malware scanning. Malware scanning checks whether your store has already been compromised by detecting malicious code in your files. Vulnerability scanning checks whether your store could be compromised by testing for known weaknesses that an attacker could exploit. Think of malware scanning as detecting a break-in that already happened, and vulnerability scanning as checking whether your locks are strong enough to prevent one.
There are two types of vulnerability scans relevant to ecommerce. External scans test your store from the outside, the same perspective an attacker has. They check your publicly accessible pages, server configuration, SSL setup, security headers, and exposed services for known vulnerabilities. Internal scans test from inside your server, checking your application code, database configuration, file permissions, and server-side software for vulnerabilities that are not visible from outside. Most small ecommerce stores start with external scanning and add internal scanning as their security program matures.
If you need PCI compliance at a level that requires quarterly vulnerability scans (SAQ A-EP or SAQ D), you must use an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council. Regular vulnerability scanning tools do not satisfy the PCI scanning requirement. The ASV scan must produce a "passing" result with no high-severity vulnerabilities.
Step-by-Step Vulnerability Scanning
Start with two free tools that take minutes to run and provide immediately actionable results. Qualys SSL Labs (ssllabs.com/ssltest) tests your SSL/TLS configuration and grades it from A+ to F. Enter your domain and wait 2 to 3 minutes for the results. An A or A+ rating means your SSL is properly configured. Common issues that reduce your grade include supporting outdated TLS 1.0 or 1.1 protocols, weak cipher suites, missing HSTS headers, and certificate chain errors. Each issue comes with a specific description and fix recommendation. Mozilla Observatory (observatory.mozilla.org) tests your HTTP security headers including Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. These headers protect against cross-site scripting, clickjacking, MIME-type sniffing attacks, and information leakage. Most ecommerce stores score poorly on their first Observatory test because security headers are rarely configured by default. Each missing header has a specific recommendation with example configuration for Apache and Nginx. Run both tests and record your scores as your baseline.
Free option: Sucuri SiteCheck (sitecheck.sucuri.net) scans your store's public pages for known malware, blacklisting, outdated CMS versions, and basic security issues. It runs in seconds and provides a summary report. This is a surface-level scan that catches obvious problems but does not perform deep vulnerability testing.
Free option: OWASP ZAP (zaproxy.org) is a comprehensive, open-source vulnerability scanner maintained by the OWASP Foundation. Download and install it on your computer, enter your store URL, and run an automated scan. ZAP tests for SQL injection, cross-site scripting (XSS), directory traversal, server information disclosure, missing security headers, and dozens of other vulnerabilities. A full ZAP scan can take 30 minutes to several hours depending on your store's size. Run it against a staging copy of your store rather than your live production site, because automated scanning generates high volumes of unusual requests that could trigger your WAF or affect performance.
Paid option: Detectify ($85+/month) provides continuous automated scanning with a focus on web application vulnerabilities. It tests over 2,000 vulnerability types and provides detailed remediation instructions. Detectify's advantage over free tools is its regularly updated vulnerability database, lower false-positive rate, and professional reports suitable for compliance documentation.
Scan results typically categorize findings by severity: critical, high, medium, low, and informational. Address them in that order. Critical vulnerabilities are immediately exploitable and can result in full server compromise, data breach, or payment theft. Examples include known remote code execution vulnerabilities in your CMS version, SQL injection flaws that expose your database, and unpatched security holes with published exploits. Fix these within 24 hours. High severity findings are exploitable but may require specific conditions or additional steps. Examples include cross-site scripting flaws, insecure direct object references, and authentication bypass possibilities. Fix these within one week. Medium severity findings include missing security headers, information disclosure (server version numbers, directory listings, error messages revealing system details), and configuration weaknesses that could aid an attacker. Fix these within 30 days. Low and informational findings include best-practice recommendations and minor configuration improvements. Address these during your regular maintenance schedule. Do not get overwhelmed by the volume of findings, which can be extensive on a first scan. Focus on critical and high items first, and work through the rest systematically over time.
After applying fixes for critical and high-severity vulnerabilities, run the same scans again to confirm the vulnerabilities are resolved. Verification scanning is important because fixes sometimes introduce new issues (a configuration change that fixes one problem may break another), some vulnerabilities have multiple manifestations that a single fix does not fully address, and the scan confirms your fix was implemented correctly. Compare the rescan results against the original scan to verify that the specific findings are gone. If the same vulnerability appears in the rescan, your fix was incomplete or incorrectly applied. Document each vulnerability found, the fix applied, and the verification scan confirming resolution. This documentation supports your PCI compliance records and provides a security improvement audit trail.
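The triage and verification steps above are easier to keep honest with a small script than with a spreadsheet. The following is an added example, not code from this guide or from any scanner it names: it takes two constructed scan exports (a baseline and a rescan), splits the rescan into resolved, persistent and new findings, and attaches the fix-by deadline for each open finding using the windows given above (24 hours, one week, 30 days). The simplified finding shape (id, severity, url) is an assumption; real scanner exports will need a small mapping step.

```python
from datetime import datetime, timedelta

# Remediation windows from the triage guidance above: critical within 24 hours,
# high within one week, medium within 30 days; low and informational findings
# go into regular maintenance, so they get no hard deadline.
SLA = {"critical": timedelta(hours=24), "high": timedelta(days=7), "medium": timedelta(days=30)}
SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]

# Constructed sample findings in a simplified scanner-export shape (id, severity, url).
BASELINE = [
    {"id": "outdated-cms", "severity": "critical", "url": "/"},
    {"id": "reflected-xss", "severity": "high", "url": "/search"},
    {"id": "missing-csp", "severity": "medium", "url": "/"},
    {"id": "server-version-disclosed", "severity": "medium", "url": "/"},
]
RESCAN = [
    {"id": "reflected-xss", "severity": "high", "url": "/search"},         # still present: fix incomplete
    {"id": "server-version-disclosed", "severity": "medium", "url": "/"},
    {"id": "directory-listing", "severity": "medium", "url": "/images/"},  # new since the baseline
]

def _key(finding):
    # The same weakness on two different URLs is tracked as two separate findings.
    return (finding["id"], finding["url"])

def compare_scans(baseline, rescan):
    """Split a rescan into resolved, persistent and new findings relative to the baseline."""
    before = {_key(f): f for f in baseline}
    after = {_key(f): f for f in rescan}
    return {
        "resolved": [f for k, f in before.items() if k not in after],
        "persistent": [f for k, f in after.items() if k in before],
        "new": [f for k, f in after.items() if k not in before],
    }

def remediation_plan(findings, scan_time):
    """Order open findings by severity and attach the fix-by deadline (None = maintenance window)."""
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return [
        (f["severity"], f["id"], f["url"],
         scan_time + SLA[f["severity"]] if f["severity"] in SLA else None)
        for f in ordered
    ]

if __name__ == "__main__":
    result = compare_scans(BASELINE, RESCAN)
    for bucket, items in result.items():
        print(bucket, [f["id"] for f in items])
    open_findings = result["persistent"] + result["new"]
    for row in remediation_plan(open_findings, datetime(2024, 1, 15, 9, 0)):
        print(*row)
```

Anything in the persistent bucket after a rescan means the fix was incomplete or mis-applied, which is exactly the case the verification step is meant to catch.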
Vulnerability scanning is not a one-time activity. New vulnerabilities are discovered daily in the software your store runs on, and every update, plugin installation, or configuration change can introduce new weaknesses. Set up this scanning cadence: Monthly automated external scans using your chosen scanning tool, with email alerts for any critical or high findings. After every significant change, including platform updates, new plugin installations, server configuration changes, and payment integration modifications, run a targeted scan to verify the change did not introduce vulnerabilities. Quarterly comprehensive scans that include a full OWASP ZAP analysis or equivalent deep scan, plus a review of your SSL Labs and Mozilla Observatory scores. Annual penetration testing for stores processing high transaction volumes or handling sensitive data. Penetration testing goes beyond automated scanning by having a human security professional attempt to breach your store using the same techniques real attackers use. Penetration tests cost $2,000 to $15,000 depending on scope and typically find vulnerabilities that automated scanners miss.
Vulnerability Scanning Tools Compared
Free tools: Qualys SSL Labs (SSL only), Mozilla Observatory (headers only), Sucuri SiteCheck (surface malware and blacklist), OWASP ZAP (comprehensive web app scanner), and Nmap (network and port scanning). These tools collectively provide a thorough scan at no cost, but require technical knowledge to configure, run, and interpret results.
Mid-range tools ($50 to $200/month): Detectify ($85+/month) provides continuous automated scanning with professional reports. Intruder ($101+/month) focuses on external attack surface monitoring. Pentest-Tools ($85+/month) offers a suite of scanners for web applications, networks, and SSL. These tools are easier to use than free alternatives, produce cleaner reports, and typically have lower false-positive rates.
PCI ASV scanners ($100 to $300/quarter): SecurityMetrics, Trustwave, Qualys PCI, and Comodo HackerGuardian are Approved Scanning Vendors whose scans satisfy the PCI DSS quarterly scanning requirement. If your compliance level requires ASV scans, you must use one of these certified vendors. Their scans focus specifically on PCI-relevant vulnerabilities and produce pass/fail reports formatted for compliance documentation.
Common Vulnerabilities Found in Ecommerce Stores
Outdated software is the most frequently discovered vulnerability, found in over 70% of first-time scans. This includes outdated CMS versions (WordPress, Magento), plugins with known security patches available, PHP versions that have reached end-of-life, and server software (Apache, Nginx, MySQL) with unpatched vulnerabilities. The fix is straightforward: update everything. The challenge is keeping everything updated continuously, which requires either automated updates or a disciplined manual update schedule.
Missing security headers appear on nearly every first scan. Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy each protect against specific attack types, and most ecommerce platforms and hosting providers do not configure them by default. Adding these headers is a configuration task that takes 15 to 30 minutes and immediately improves your security posture. The secure checkout guide covers Content Security Policy implementation specifically for payment pages.
Information disclosure includes server version numbers exposed in HTTP headers (telling attackers exactly which version of Apache, Nginx, or PHP you run), detailed error messages that reveal database structure or file paths, directory listings that expose your file structure, and publicly accessible admin login pages without rate limiting. Each piece of information helps an attacker plan a more targeted attack. Fix these by configuring your server to suppress version information, implementing custom error pages, disabling directory listings, and protecting admin pages with IP restrictions or additional authentication.
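The header findings described above (the missing-security-header list, and version disclosure in Server and X-Powered-By) are simple enough to check yourself between scans. The following is an added example, not code from this guide or from Mozilla Observatory or SSL Labs: it parses a constructed raw HTTP response, reports each missing header from the list above, flags a short HSTS max-age, and flags headers that leak a software version. The 180-day HSTS threshold and the "medium" severity tag are assumptions chosen for the example.

```python
import re

# The six headers listed in the guide's security-header section.
REQUIRED_HEADERS = [
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
    "referrer-policy",
    "permissions-policy",
]
# Headers that commonly leak the exact server or language version (information disclosure).
DISCLOSURE_HEADERS = ["server", "x-powered-by"]
VERSION_RE = re.compile(r"\d+\.\d+")
MIN_HSTS_SECONDS = 180 * 24 * 3600   # assumed threshold for a "long enough" HSTS policy

def audit_headers(raw_response):
    """Return (severity, message) findings for the raw header block of one HTTP response."""
    headers = {}
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    findings = []
    for h in REQUIRED_HEADERS:
        if h not in headers:
            findings.append(("medium", f"missing header: {h}"))
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < MIN_HSTS_SECONDS):
        findings.append(("medium", f"HSTS max-age too short: {hsts}"))
    for h in DISCLOSURE_HEADERS:
        if h in headers and VERSION_RE.search(headers[h]):
            findings.append(("medium", f"{h} header discloses a version: {headers[h]}"))
    return findings

# Constructed sample: the kind of response an unhardened store returns on a first scan.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_RESPONSE):
        print(severity, message)
```

Feed it the output of a real `curl -sI` against your own store and rerun it after each configuration change; an empty result is the baseline you want to keep.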
Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious JavaScript into your store pages, which can steal customer session cookies, redirect users to phishing pages, or modify page content. XSS is commonly found in search functions, product review forms, contact forms, and any input field that reflects user input back to the page without proper output encoding or sanitization. Modern ecommerce platforms include XSS protection, but custom code, theme modifications, and third-party plugins sometimes introduce new XSS vectors.
