E-commerce Security: How to Protect Your Online Store

E-commerce security means protecting three things: the flow of money through payments, the personal and card data of your customers, and the platform itself against unauthorised access. In practice you achieve this through a combination of correct configuration (HTTPS, a secure payment gateway, regular updates), access control (strong accounts, two-factor authentication) and continuous monitoring that detects an attack early. No single measure is enough on its own, because security is layered.

For many businesses in Bosnia and Herzegovina and the wider region, online sales have become the main or only revenue channel. That is precisely why a web shop is an attractive target: an attacker who compromises it can steal card data, redirect payments, inject malicious code or simply take the store down during its busiest period. This guide explains, step by step, how to raise your e-commerce security to a level that protects both your customers and your business.

Why a web shop is especially vulnerable

Unlike a classic brochure website, a web shop processes transactions, stores user accounts and often relies on dozens of add-ons (plugins) and integrations. Each of those components is a potential entry point. The most common problems we see in online stores across the region are:

• Outdated platforms and add-ons. WooCommerce, Magento, PrestaShop and their plugins receive security patches regularly. Stores that fail to apply them remain exposed to publicly known vulnerabilities for months.
• Weak and shared credentials. Administrator accounts without two-factor authentication, reused passwords and access shared with external agencies without any control.
• Insecure payment processing. Card data that passes through or is stored on the server itself instead of being handled by a certified payment gateway.
• Vulnerabilities in the code. SQL injection, cross-site scripting (XSS) and insecure API routes through which an attacker reads or alters data in the database.
• Lack of monitoring. An attack is often discovered only when customers report fraud or when Google blocks the site, by which point the damage is already done.

The three layers of protection every web shop needs

In practical terms, we divide security into three layers that complement one another. A weakness in any one of them compromises the whole.

1. Protecting the platform and infrastructure

The foundation is that everything runs over an encrypted connection and up-to-date software. Specifically:

• HTTPS across the entire site, not just the checkout page. A valid TLS certificate and redirection from HTTP to HTTPS are mandatory, as are modern security HTTP headers (HSTS, Content-Security-Policy).
• Regular updates: the platform core, the theme and all add-ons. Remove add-ons you do not use, because even an inactive plugin can be an entry point.
• A Web Application Firewall (WAF), which filters known attack patterns before they reach the application and mitigates automated attacks.
• Backups: automated, separated from the production server and regularly tested by restoring them. A backup you have never tried to restore is not a backup you can rely on.
• Hardened hosting: minimal service exposure, restricted file permissions and a separate environment for testing changes.

2. Protecting payments and customer data

This is where the stakes are highest, because money and personal data are on the line. The basic rule: your web shop should never store card data itself. Leave that to a certified payment gateway that is compliant with the PCI DSS standard. This moves the most sensitive part out of your system, leaving you with less liability and a smaller attack surface.

In addition, it pays to:

• Use trusted gateways and 3-D Secure authentication for card payments to reduce fraud and chargebacks.
• Encrypt sensitive data in the database and restrict who can access it.
• Align the processing of personal data with the GDPR and local data protection regulations: a clear privacy policy, consent and minimisation of data collection.
• Do not leave test data, debug output or export files containing customer data in publicly accessible locations.

3. Access control and the human factor

A large share of incidents does not begin with sophisticated hacking, but with a stolen or guessed password. Therefore:

• Two-factor authentication (2FA) is mandatory for all administrator and editor accounts.
• The principle of least privilege: every employee and external agency receives only the rights they genuinely need, nothing more.
• Managing external access: disable the accounts of former collaborators and agencies immediately when the engagement ends.
• Phishing awareness: fake emails impersonating your hosting provider, bank or supplier remain one of the most successful ways in.

Comparison: basic hygiene versus mature protection

The following table shows the difference between the minimum every web shop should have and the level we recommend for stores with serious traffic.

Area	Basic hygiene (minimum)	Mature protection (recommended)
Encryption	HTTPS across the entire site	HTTPS, security headers and regular review of the TLS configuration
Payments	External payment gateway	PCI DSS compliant gateway, 3-D Secure and fraud monitoring
Access	Strong passwords	2FA, least privilege, external access management
Updates	Manual, occasional	A planned patching process and removal of unused add-ons
Monitoring	No monitoring	WAF and continuous SOC monitoring with alerting
Verification	None	Periodic penetration testing of the web shop

Business logic attacks, an often overlooked risk

Many store owners think that e-commerce security is solely a matter of viruses and server hacking. Equally dangerous, and harder to spot, is the abuse of the store's own business logic, that is, functions that work exactly as programmed but that an attacker turns against you. Typical examples:

• Price and quantity manipulation: altering values in the request so that a product is paid for at a lower price, or ordering a negative quantity to obtain an artificial discount.
• Abuse of coupons and gift vouchers: redeeming the same code multiple times, stacking discounts that should not be combined, or guessing valid codes with an automated tool.
• Account takeover: weaknesses in password recovery, login or session management that give an attacker access to other customers' orders and addresses.
• Testing stolen cards (carding): automated micro-payments through your gateway to check which stolen cards are still active, which leaves you with costs and chargebacks.

These vulnerabilities are not detected by antivirus software or routine scanning, because the application is formally working correctly. They are uncovered through manual, expert testing that looks at the store through an attacker's eyes.

Protection against bots and denial-of-service attacks

A web shop is also exposed to automated traffic that does not look for a vulnerability in the code, but exploits sheer volume instead. Bots fill carts to lock up stock, scrape competitors' prices, crack passwords through thousands of login attempts (credential stuffing) or flood the store with requests until it goes down, which is a classic DDoS. The result is lost sales precisely when traffic matters most to you.

Practical countermeasures include limiting the number of login attempts (rate limiting), CAPTCHA on sensitive forms, blocking suspicious IP ranges and a DDoS protection service at the network or CDN level. A Web Application Firewall helps further here, because it recognises and filters known patterns of automated attacks before they put a load on your own server.

Third parties are part of your attack surface

A modern web shop rarely stands alone, because it is connected to suppliers, fulfilment systems, analytics tools and marketing scripts. Every external script loaded on the checkout page can, if its source is compromised, steal the data being entered (so-called supply chain attacks and web skimming). For this reason, keep an inventory of all external scripts, load them only where they are necessary, use Content-Security-Policy to limit what is allowed to execute, and regularly review whether you really need all those add-ons and integrations. Fewer connected systems means a smaller attack surface.

How to find the holes before an attacker does

Configuration and good practices reduce risk, but they do not prove that the store is genuinely secure. The only reliable way to verify that is for someone to attempt a break-in, in a controlled manner and with your permission. This is where a penetration test helps: an expert simulates an attacker and searches for vulnerabilities in payment, login, the cart, the API and the admin interface, then delivers a report with concrete findings and priorities for remediation.

For a web shop, tests that target the order logic (e.g. price or quantity manipulation), session management and authorisation are particularly important, that is, the flaws that are not visible to the naked eye but that an attacker can easily exploit. If you want to assess where your store is vulnerable, start with our penetration testing questionnaire and a review of all NeoBit services.

What to do when an attack does succeed

No defence is perfect, so part of security is also readiness for an incident. A web shop that processes payments should have at least a basic response plan:

• Early detection: continuous monitoring (SOC / MDR) that recognises suspicious activity in real time instead of leaving you to wait days for it.
• Defined roles: who isolates the system, who notifies the bank and payment processor, who communicates with customers.
• Recovery procedure: restoring from clean backups and verifying that the attacker no longer has access.
• Notification: if personal data has been affected, regulations require notifying the authorities and, where necessary, the customers themselves within a set deadline.

For businesses in Mostar and the rest of the region that do not have their own security team, this is most often handled through external monitoring and incident response support. If you would like to discuss what your web shop needs, get in touch.

A practical checklist for the web shop owner

Work through this checklist today. Most items do not require a large budget, just consistency:

• The entire site runs over HTTPS and redirects from HTTP.
• The platform, theme and all add-ons are up to date; unused add-ons have been removed.
• Payments go through a certified gateway, and card data is not stored locally.
• 2FA is enabled for all administrator accounts.
• Automated backups exist and you have tested a restore at least once.
• A WAF or a similar traffic-filtering layer is active.
• A basic plan exists for what to do if the store is compromised.
• You plan a periodic independent review (penetration test).

E-commerce security is not a one-off project but a process. Platforms change, add-ons are updated, attackers change tactics, so the combination of correct configuration, continuous monitoring and periodic independent review is the best protection for your online sales.

Frequently asked questions

Is having an SSL certificate enough to make a web shop secure?

No. An SSL/TLS certificate (HTTPS) encrypts the traffic between the customer and the store and is essential, but it protects only the data in transit. It does not defend against vulnerabilities in the code, outdated add-ons, weak passwords or attacks on the order logic. HTTPS is the foundation, not complete protection.

Is a web shop allowed to store customers' card data itself?

It is strongly discouraged. Storing card data carries strict PCI DSS obligations and significant liability. The practical solution is to leave payment processing to a certified payment gateway, so that the most sensitive data is never retained in your system in the first place.

How often should a web shop be penetration tested?

The recommendation is at least once a year, and additionally after every major change: a new platform, a checkout redesign, the integration of a new gateway or significant code changes. This way you verify security on the actual, current version of the store.

What should I do if I suspect my web shop has been hacked?

Limit the damage: change administrator passwords, enable 2FA, take the store offline temporarily if needed and contact your payment processor. Then engage incident response experts who will determine the scope, remove the attacker's access and safely restore the store from clean backups. For urgent support, contact the NeoBit team.

Related guides: Cyber security in Bosnia and Herzegovina - the complete guide · Employee security: the weakest link in cyber defence · How to choose a cyber security company - 7 criteria for 2026