For ecommerce stores

Security checks for Shopify, WooCommerce, and small online stores.

Recurring external security monitoring on the public surface of your store. Card-skimmer indicators, theme and CSP issues, abandoned subdomains, and email authentication gaps. Plain-English findings, written for your web developer or theme developer. No exploitation, no test orders, no replacement for a code review.

Why ecommerce in particular

Where the risk concentrates for an online store.

Four pressure points specific to selling online: the checkout, the theme, the subdomains, and the sending domain.

Card-skimmer attacks on the checkout

Magecart-style attacks inject malicious JavaScript into the checkout page and silently exfiltrate card details. Small Shopify and WooCommerce stores get hit because attackers compromise a third-party theme, app, or supply-chain script. We look for known indicators of skimmer activity on your public pages.
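The kind of check described above, as an added example that is not AttackEdge's code: inventory every script a storefront page loads, compare the external sources against an allowlist of hosts the store expects and against an indicator list, and look for the obfuscation tells that skimmer payloads share. The sample page, the allowlist and the indicator host are all constructed; a real check would feed it the fetched checkout HTML and a maintained indicator feed.

```python
"""Added example (not AttackEdge's code): inventory the scripts a page loads
and flag unexpected hosts, known-bad hosts and obfuscated inline code.
Sample page, allowlist and indicator host below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed allowlist: hosts this particular store expects to load scripts from.
EXPECTED_SCRIPT_HOSTS = {"cdn.shopify.com", "shop.example.com"}

# Constructed placeholder standing in for a real feed of exfiltration domains.
KNOWN_BAD_HOSTS = {"skimmer-indicator.invalid"}

# Patterns common in skimmer payloads and rare in legitimate theme code.
OBFUSCATION_TELLS = [
    re.compile(r"\batob\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),  # long base64-looking literal
]

# Constructed checkout page with one script from each category.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://cdn.shopify.com/s/checkout.js"></script>
<script src="/assets/theme.js"></script>
<script src="https://skimmer-indicator.invalid/c.js"></script>
<script src="https://stats.unexpected-host.invalid/t.js"></script>
<script>
var k = atob("aGVsbG8=");
</script>
<script>console.log("legit inline");</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def review_scripts(html, page_host):
    """Return (severity, detail) findings for one page's scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or page_host  # relative src is first party
        if host in KNOWN_BAD_HOSTS:
            findings.append(("high", f"script from known-bad host: {src}"))
        elif host != page_host and host not in EXPECTED_SCRIPT_HOSTS:
            findings.append(("medium", f"script from unexpected host: {src}"))
    for body in parser.inline:
        hits = [t.pattern for t in OBFUSCATION_TELLS if t.search(body)]
        if hits:
            findings.append(("medium", f"inline script with obfuscation tells: {hits}"))
    return findings


if __name__ == "__main__":
    for severity, detail in review_scripts(SAMPLE_CHECKOUT_HTML, "shop.example.com"):
        print(severity, detail)
```

The allowlist is the part that does the most work: a store that pins the handful of hosts it legitimately loads scripts from turns "anything new" into a finding, which is exactly the signal a supply-chain compromise produces.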

Theme and storefront input issues

Custom Shopify themes, WooCommerce templates, and BigCommerce stencil edits often ship with reflected-XSS bugs in product reviews, search, or customer-input fields. The attacker uses them to steal session cookies or pivot into the admin. We flag the conditions that make these attacks possible.

Abandoned subdomains leaking customer data

Old staging stores (staging.shop.example.com), retired campaign sites, or test storefronts that still resolve in DNS are a real risk. Some still hold real customer email lists or order data. We continuously discover subdomains and flag what should not still be live.

Email spoofing on order confirmations

Without SPF, DKIM, and DMARC on the sending domain, order confirmations from your store land in spam, and worse, scammers spoof "your order from acme.com.au" with a fake tracking link. Both kill trust. Email authentication is one of the cheapest fixes and the easiest to verify externally.
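What verifying those three records externally looks like, as an added example that is not AttackEdge's code: read the SPF, DKIM and DMARC TXT records a sending domain publishes and report the gaps a receiving mail server would act on. The records below are constructed stand-ins for DNS lookups (the domain, the `selector1` DKIM selector and the keys are all made up); a live check would replace `lookup_txt` with a resolver query.

```python
"""Added example (not AttackEdge's code): evaluate the SPF, DKIM and DMARC
records for a sending domain and report the gaps.
All TXT records here are constructed stand-ins for DNS lookups."""
import re

# Constructed TXT records, keyed by the DNS name they would be published at.
TXT_RECORDS = {
    # SPF soft-fails, DKIM key present, DMARC only monitors (p=none).
    "example.com.au": ["v=spf1 include:_spf.google.com include:shops.shopify.com ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
    "selector1._domainkey.example.com.au": ["v=DKIM1; k=rsa; p=QUJDREVGR0hJSktM"],
    # SPF lets any sender pass, no DMARC at all, DKIM key published empty.
    "weak.example.com.au": ["v=spf1 include:_spf.google.com +all"],
    "selector1._domainkey.weak.example.com.au": ["v=DKIM1; k=rsa; p="],
}

# SPF terms that cost a DNS lookup (RFC 7208 caps the total at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; a live check would use a resolver here."""
    return TXT_RECORDS.get(name, [])


def check_spf(domain):
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record: any host can send as this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permanent error"))
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(("medium", "SPF has no all mechanism: unmatched senders get a neutral result"))
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(("high", "SPF ends with +all: any sender passes"))
        elif qualifier == "?":
            findings.append(("medium", "SPF ends with ?all: spoofed mail gets a neutral result"))
    lookups = 0
    for t in terms:
        name = t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(("high", f"SPF needs {lookups} DNS lookups; the limit is 10"))
    return findings


def check_dkim(domain, selectors):
    """Selectors are not discoverable from DNS, so the caller supplies the
    ones its mail providers use."""
    found = False
    for sel in selectors:
        for rec in lookup_txt(f"{sel}._domainkey.{domain}"):
            m = re.search(r"(?:^|;)\s*p=([^;]*)", rec)
            if m and m.group(1).strip():
                found = True
    if not found:
        return [("high", "no usable DKIM key for the supplied selectors (missing or empty p=)")]
    return []


def check_dmarc(domain):
    recs = [r for r in lookup_txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [("high", "no DMARC record: receivers are never told to reject spoofed mail")]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(("medium", "DMARC p=none: spoofed mail is reported but still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", f"DMARC policy missing or invalid: p={policy!r}"))
    if "rua" not in tags:
        findings.append(("low", "DMARC has no rua= address: you will not see spoofing reports"))
    return findings


def audit_sending_domain(domain, dkim_selectors):
    return check_spf(domain) + check_dkim(domain, dkim_selectors) + check_dmarc(domain)


if __name__ == "__main__":
    for d in ("example.com.au", "weak.example.com.au"):
        print(d, audit_sending_domain(d, ["selector1"]))
```

The DMARC policy is the one most stores stop short on: `p=none` produces reports but a spoofed "your order" email is still delivered, so moving to `quarantine` or `reject` once the reports look clean is the step that actually closes the gap.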

What we check

The checks that matter for an online store.

We focus on the public surface of your store: the storefront, the checkout page, the domain, email authentication, TLS, and any subdomains or staging copies that still resolve.

Card-skimmer and known-malicious script indicators

Why it matters: We compare third-party scripts loaded on your public pages against known-malicious indicators (Magecart families, exfiltration domains, suspicious obfuscation). It is not a substitute for a code review of your theme, but it catches the loud cases.

Who fixes it: Your web developer or theme developer. Most fixes are removing a compromised app or pinning a script source.

Content Security Policy and payment-form headers

Why it matters: A correctly configured Content Security Policy stops a large category of injection attacks against the checkout page. Most small Shopify and WooCommerce stores ship without one, or with a permissive policy. We flag what is missing and what is too loose.

Who fixes it: Your web developer or hosting provider. CSP usually ships in the theme or the platform configuration.

Subdomain hygiene and abandoned stores

Why it matters: An old shop1.example.com, staging.shop.example.com or beta.example.com that still resolves is the kind of thing that ends up in a breach roll-up. We discover subdomains and flag the ones that look abandoned or vulnerable.

Who fixes it: Your web developer or whoever manages DNS. Often a fast clean-up.

TLS certificate health and expiry

Why it matters: A store with an expired certificate at peak shopping hours loses trust and revenue immediately. We monitor expiry, weak ciphers, and chain issues across every domain in your store.

Who fixes it: Your hosting provider or the platform (Shopify and most managed platforms handle this; we flag if something has slipped).

Email authentication on the sending domain (SPF, DKIM, DMARC)

Why it matters: Order confirmations, shipping notifications, and abandoned-cart emails all need email authentication, or they land in spam and get spoofed. Most ecommerce stores have at least one gap. We check the records and flag what is missing.

Who fixes it: You or whoever manages your DNS records (often the same person who set up the store).

Web application exposures and exposed admin paths

Why it matters: Public access to /wp-admin, /admin, /.env, /backup zip files, or development endpoints is the kind of finding that ends up in a public breach roll-up. We find them passively and report them with the URL and the evidence.

Who fixes it: Your web developer or hosting provider. Usually a hosting or deployment fix.
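What "missing or too loose" means for the Content Security Policy check above, as an added example that is not AttackEdge's code: parse a CSP header the way a browser resolves it (fetch directives fall back to `default-src`, `frame-ancestors` does not) and flag the settings that leave the checkout open to script injection or framing. The two policies are constructed: a permissive one of the kind many small stores ship, and a tighter one for the same store using a nonce.

```python
"""Added example (not AttackEdge's code): parse a Content-Security-Policy
header and flag the settings that leave script injection unchecked.
Both policies below are constructed."""

# Constructed: the permissive policy many small stores ship.
PERMISSIVE_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:"

# Constructed: a tighter policy for the same store, with a per-response nonce.
TIGHTER_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.shopify.com 'nonce-r4nd0m'; "
    "connect-src 'self' https://checkout.example.com; "
    "object-src 'none'; base-uri 'self'; form-action 'self'; "
    "frame-ancestors 'none'; report-uri https://example.com/csp-report"
)

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective(policy, name):
    """Fetch directives (script-src, connect-src, object-src) fall back to default-src."""
    return policy[name] if name in policy else policy.get("default-src")


def review_csp(header):
    """Return (severity, detail) findings for one CSP header."""
    if not header:
        return [("high", "no Content-Security-Policy header")]
    policy = parse_csp(header)
    findings = []
    for d in ("script-src", "connect-src"):
        sources = effective(policy, d)
        if sources is None:
            findings.append(("high", f"{d} not set and no default-src: no restriction"))
            continue
        # '*', 'http:' or 'https:' as a source admits any origin on that scheme.
        if any(s in ("*", "http:", "https:") for s in sources):
            findings.append(("high", f"{d} allows any origin: {sources}"))
        if d == "script-src":
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
            if "'unsafe-inline'" in sources and not any(s.startswith(HASH_OR_NONCE) for s in sources):
                findings.append(("high", "script-src allows 'unsafe-inline' with no nonce or hash: injected inline scripts run"))
            if "'unsafe-eval'" in sources:
                findings.append(("medium", "script-src allows 'unsafe-eval'"))
    if effective(policy, "object-src") != ["'none'"]:
        findings.append(("low", "object-src is not 'none': plugin content can be loaded"))
    if "frame-ancestors" not in policy:
        findings.append(("medium", "frame-ancestors not set: the checkout can be framed by other sites"))
    if "base-uri" not in policy:
        findings.append(("low", "base-uri not set: an injected <base> tag can redirect relative script URLs"))
    return findings


if __name__ == "__main__":
    for label, csp in (("permissive", PERMISSIVE_CSP), ("tighter", TIGHTER_CSP)):
        print(label, review_csp(csp))
```

The permissive policy is worse than it looks because `default-src *` silently becomes the `script-src` and `connect-src` policy too, so a skimmer can both load from and exfiltrate to any host; the tighter policy names each origin and relies on a nonce, which is also why it has to be generated per response rather than hard-coded in a theme.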
What we do not do

Where the line sits.

Honesty about scope is part of the product.

No exploitation, ever

AttackEdge observes the public surface of your store. We do not exploit, brute-force, place test orders, or interfere with the checkout. Nothing we do affects your customers, your orders, or your payment processor.

No admin or app access

AttackEdge never asks for Shopify, WooCommerce, or hosting credentials, never reads your orders or customer database, and does not test iOS or Android apps. We only check what your store exposes on the public internet.

Not a substitute for code review

A custom Shopify theme or a WooCommerce plugin can have logic bugs we cannot see from outside. If you ship custom code on the checkout, you still need a code review. AttackEdge runs alongside, not instead.

Not a manual penetration test

Automated external scanning is not the same as a human-led pen test. If a payment partner or large customer requires a pen test, you still need one. AttackEdge runs in between, weekly or monthly.

What you get

Plain-English report, same shape every cycle.

Owner summary first, then prioritised findings, then technical detail and remediation steps a developer can action.

Plan that fits

Most ecommerce stores pick SMB.

SMB Monitor at A$99 per month (A$990 per year, two months free) gives you 50 scan units a month, enough to cover the shop, blog, admin and CDN subdomains, with headroom for retests and ad-hoc checks. PDF reports on every scan. The Snapshot at A$149 is a one-off baseline if you only need a single PDF before a peak shopping period or a payment-partner audit.

Common questions

From other online stores.

  • Does AttackEdge scan our Shopify or WooCommerce admin?

    No. AttackEdge is an external scanner. We only check what your store exposes on the public internet (the storefront, DNS, TLS, email authentication, and any subdomains). We do not connect to your Shopify admin, your WooCommerce database, or your hosting console. Your admin credentials are never asked for and never stored.

  • Will it interfere with our checkout or our customers?

    No. We do not place test orders, brute-force forms, or send payloads. The scanner is passive: it requests public pages and reads what is already visible. Customer browsing, checkout, and payment processing are unaffected.

  • Can I get a report for our PCI assessor or payment partner?

    Yes. AttackEdge produces a dated PDF report with the methodology, the findings, and the evidence log on every paid plan. Many payment partners and assessors accept it as evidence of recurring external vulnerability scanning, which is one of the items they ask about. It is evidence, not a PCI ASV scan, and we are not an accredited PCI scanning vendor.

  • What about our mobile app?

    AttackEdge does not test mobile apps. We scan websites, DNS, TLS, and email authentication only. If you ship an iOS or Android app, you need a separate mobile security review for that surface.

  • We have five brand domains under one parent company. Does that fit?

    Probably the SMB plan. Five storefronts plus their typical subdomains (shop, blog, admin, staging, CDN, mail) usually land near fifteen sites scanned monthly, which is the SMB shape at 50 scan units. Add the root domains as workspace assets and let the scanner discover the rest. If your monthly scan volume runs past SMB, the next step is MSP / Agency pricing. Email partners@attackedge.io.

  • Will this catch a Magecart card skimmer on our checkout?

    Sometimes. We compare third-party scripts loaded on your public pages against known-malicious indicators and flag suspicious patterns. If the skimmer uses a known infrastructure or obfuscation pattern, we catch it. If it is novel or hidden behind conditional loading, we may not. AttackEdge is not a substitute for a code review of your theme and apps. The pragmatic answer: it catches the loud cases and gives you a fighting chance against the broad-based campaigns. Treat it as one layer, not the only layer.

See what attackers see

Ready to see what your store looks like from the outside?

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show a payment partner or a PCI assessor.

Hosted in Sydney · Passive scanning only · From A$99 per month