A BigCommerce Security Primer

BigCommerce is an eCommerce platform that quite a few large brands use. Let's take a look at how to make sure our BigCommerce store is configured securely.

BigCommerce is an eCommerce platform that quite a few large brands use. Let's take a look at how to make sure our BigCommerce store is configured securely.

Enable Multi-Factor Authentication

MFA is easily the most important thing you can do today to secure your accounts. BigCommerce makes it incredibly easy.

Use Secure Passwords

Secure means a few things, first of all, it's a password you don't use for everything, second, it's a password that is difficult to guess. Using a password manager makes this so much easier. We have a few recommendations - check them out!

What You Don't Have to Worry About

PCI. It's an acronym well known by any security practitioner worth their salt. PCI stands for Payment Card Industry. The PCI mandates that you are held to a strict cyber security bar if you process credit cards. Using BigCommerce removes your requirement to understand what PCI means for you. They handle it. It's that simple and transparent to you, the shop owner.

Back To You

At this point, we hope you've enabled MFA and are using a strong password for your BigCommerce store. But there are other things you can do to make sure your shop and customers stay safe.

Minimum API Permissions - Named Appropriately and review access

When creating API accounts, remember to name the API account appropriately. Having an API account named "productionAcmeReadOnly" will be helpful down that road. An account named "test4" will only frustrate your future self.

Whenever possible, give the API account the minimum required permissions, this way, if the key is leaked, the impact to your store or customer is minimal.

Configure SSL and Possibly HSTS

This is a no-brainer in today's day in age. Not only is securing your store the safest way to perform transactions, but Google will actually rank your site lower if it doesn't have a valid certificate.

HSTS stands for HTTP Strict Transport Security. This is a security feature that tells web browsers to never load your site if it's not secure.

3rd Party Apps

The third-party app ecosystem is a huge value add. It enables entrepreneurs (like you) to create apps and sell them in the BigCommerce Marketplace, it also gives you (the shop owner) increased flexibility over your shop.

There is a caveat though. Third-Party Apps are just that, third party. While BigCommerce does strive to ensure that these apps don't introduce vulnerabilities to your store, they can't possibly provide the coverage necessary for a vast ecosystem of BigCommerce apps.

We don't expect you to perform security audits of Third-Party Apps, but there are a few things you can do to minimize the risk.

  1. Look for apps that have a strong following.
  2. Remove apps you no longer use.


Wherever possible, enforce customers to use a Captcha. Captcha's are a simple yet effective way to slow down attackers and spammers. Google Captcha is a free service that you're probably familiar with. Google makes it dead simple to set up your Captcha account.  

Comment Throttler

If your BigCommerce store allows comments, make sure you enable to Comment Throttler. This setting, along with a Captcha will ensure that your site won't be used to post spam that targets your customers and removes trust oof your store.

Past Customer Comments

Only allow reviews on products from past customers. This will further prevent spam reviews and will increase the integrity of your product reviews.

Session Duration

Session duration is the length of time you want your customers and site administrators to go before they need to sign in again. Best practice tells us this shouldn't go more than a few days.  

Because site admins have so much power over your store, the session duration for these should be much lower. Preferably only a few hours.  

Password Complexity

Strong passwords are one of the most simple ways to increase security. Enforcing customers to use long, easy-to-remember passwords will ensure that your customer's accounts stay secure. In our experience, enforcing long passwords with basic password complexity is a better approach than a shorter but more complex password.


While you might not ever need to use WebDav, being aware of its security implications is essential. WebDav is a way to move files to and from your site. You must remember though, that the WebDav account provides access to your application without MFA. And if the password is leaked, you'll need to contact Big Commerce support to change the password.

Review Security Logs

Reviewing admin activity on your site is one of the best ways to periodically ensure that you don't have a rogue or compromised admin.

Get in touch today!

Contact: hello@adversis.io

Adversis: https://adversis.io

Adversis ACS: https://acs.adversis.io

Have a project in mind? Let’s talk

Get in touch