diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
index 57ce68cf5..786049c17 100644
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@@ -36,8 +36,8 @@ import (
 // syncSecret synchronizes the content of a TLS Secret (certificate(s), secret
 // key) with the filesystem. The resulting files can be used by NGINX.
 func (s k8sStore) syncSecret(key string) {
- s.mu.Lock()
- defer s.mu.Unlock()
+ s.syncSecretMu.Lock()
+ defer s.syncSecretMu.Unlock()
 klog.V(3).Infof("Syncing Secret %q", key)
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index c2ecf4a46..af79fe062 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -211,8 +211,11 @@ type k8sStore struct {
 // updateCh
 updateCh *channels.RingChannel
- // mu protects against simultaneous invocations of syncSecret
- mu *sync.Mutex
+ // syncSecretMu protects against simultaneous invocations of syncSecret
+ syncSecretMu *sync.Mutex
+
+ // backendConfigMu protects against simultaneous read/write of backendConfig
+ backendConfigMu *sync.RWMutex
 defaultSSLCertificate string
@@ -239,7 +242,8 @@ func New(checkOCSP bool,
 filesystem: fs,
 updateCh: updateCh,
 backendConfig: ngx_config.NewDefault(),
- mu: &sync.Mutex{},
+ syncSecretMu: &sync.Mutex{},
+ backendConfigMu: &sync.RWMutex{},
 secretIngressMap: NewObjectRefMap(),
 defaultSSLCertificate: defaultSSLCertificate,
 isDynamicCertificatesEnabled: isDynamicCertificatesEnabled,
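Review bot: `backendConfigMu` only protects callers that actually take it, and `syncSecret` in backend_ssl.go keeps its value receiver (`func (s k8sStore) syncSecret(key string)`), so each call copies the whole struct, `backendConfig` included, without the lock. If syncSecret can run while setConfig is writing (the callers are not visible in this diff), that copy is an unsynchronised read and `go test -race` would still report it. I would move the remaining value-receiver methods on k8sStore to `func (s *k8sStore) ...` in the same change. With pointer receivers throughout, the two locks could also be plain `sync.Mutex` / `sync.RWMutex` values, so a k8sStore built from a struct literal, as in store_test.go, cannot end up with a nil lock.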
@@ -798,15 +802,21 @@ func (s k8sStore) writeSSLSessionTicketKey(cmap *corev1.ConfigMap, fileName stri
 }
 // GetDefaultBackend returns the default backend
-func (s k8sStore) GetDefaultBackend() defaults.Backend {
- return s.backendConfig.Backend
+func (s *k8sStore) GetDefaultBackend() defaults.Backend {
+ return s.GetBackendConfiguration().Backend
 }
-func (s k8sStore) GetBackendConfiguration() ngx_config.Configuration {
+func (s *k8sStore) GetBackendConfiguration() ngx_config.Configuration {
+ s.backendConfigMu.RLock()
+ defer s.backendConfigMu.RUnlock()
+
 return s.backendConfig
 }
 func (s *k8sStore) setConfig(cmap *corev1.ConfigMap) {
+ s.backendConfigMu.Lock()
+ defer s.backendConfigMu.Unlock()
+
 s.backendConfig = ngx_template.ReadConfig(cmap.Data)
 s.writeSSLSessionTicketKey(cmap, "/etc/nginx/tickets.key")
 }
diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go
index 457ee54c1..7530f66a4 100644
--- a/internal/ingress/controller/store/store_test.go
+++ b/internal/ingress/controller/store/store_test.go
@@ -865,7 +865,8 @@ func newStore(t *testing.T) *k8sStore {
 sslStore: NewSSLCertTracker(),
 filesystem: fs,
 updateCh: channels.NewRingChannel(10),
- mu: new(sync.Mutex),
+ syncSecretMu: new(sync.Mutex),
+ backendConfigMu: new(sync.RWMutex),
 secretIngressMap: NewObjectRefMap(),
 pod: pod,
 }
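Review bot: In `setConfig` the write lock stays held through `s.writeSSLSessionTicketKey(cmap, "/etc/nginx/tickets.key")`, which by its name and path argument appears to write the session ticket key file (its body is outside the hunk), so every `GetBackendConfiguration` caller would wait on that I/O. The lock only needs to cover the assignment: build the value first with `cfg := ngx_template.ReadConfig(cmap.Data)`, take the lock around `s.backendConfig = cfg`, and release it before the key file is written. sync.RWMutex is not reentrant, so a narrow critical section also rules out a self-deadlock if the ticket-key path ever calls one of the getters. `GetBackendConfiguration` is exported without a doc comment; `// GetBackendConfiguration returns the current NGINX configuration by value, read under backendConfigMu.` would record the locking contract.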