Three Characteristics of a Secure Webshop

What we most often see going wrong, and how to prevent incidents!

Every webshop will, sooner or later, face digital risks. Here at Forus-P, we carry out advanced scans on web applications, and based on that practical experience we see that many webshops still face risks such as malware, data breaches, and account takeovers.

The question is no longer “are we secure?”, but rather “can we clearly show that our most critical risks are under control?”. In this blog, we share the most common points of attention and practical tips to make webshops more secure and better protect visitors.

1. Technical foundation is demonstrably in order

Many vulnerabilities fall within the OWASP Top 10 categories, globally recognised as the most critical security risks in web applications.

Most common issues in webshops

  • Outdated webshop software or plugins: updates are available but not installed
  • Outdated server or PHP versions: underlying software no longer receives security updates
  • Cross-Site Scripting (XSS): insufficiently filtered input allows malicious code to run in visitors’ browsers
  • Unsafe or unnecessary services/configurations: such as XML-RPC or other unused interfaces accessible externally
  • Missing security headers: for example, headers that protect against clickjacking or script abuse
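The last item in this list is easy to verify from a single HTTP response. The following Python function is an added example (not Forus-P's scanner code): it takes the response headers as a dictionary and reports which of the standard protections against clickjacking (`frame-ancestors` or `X-Frame-Options`), script abuse (a non-permissive `Content-Security-Policy`), MIME sniffing and plaintext downgrade are missing, and whether `Server`/`X-Powered-By` leak a version, which ties in with the outdated-PHP item above. The two sample responses are constructed.

```python
"""Audit a webshop HTTP response for the defensive headers listed above.
Added example, not Forus-P code; the header names are the standard ones,
the two sample responses below are constructed."""

# Constructed sample: what an outdated shop typically returns
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
}

# Constructed sample: the same page with a reasonable header set
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _csp_directives(csp: str) -> dict:
    """Split a CSP header value into {directive: value}."""
    out = {}
    for part in csp.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition(" ")
        out[name.lower()] = value.strip()
    return out


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = _csp_directives(h.get("content-security-policy", ""))

    # Clickjacking: the page must restrict who may frame it
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("clickjacking: no frame-ancestors directive or X-Frame-Options header")

    # Script abuse: no CSP at all, or a script-src that allows inline/any script
    if not csp:
        findings.append("script abuse: no Content-Security-Policy header")
    else:
        src = csp.get("script-src", csp.get("default-src", ""))
        if "'unsafe-inline'" in src or "*" in src.split():
            findings.append(f"script abuse: permissive script-src ({src})")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("MIME sniffing: X-Content-Type-Options missing or not 'nosniff'")

    if "strict-transport-security" not in h:
        findings.append("transport: no Strict-Transport-Security header")

    # Version strings in these headers advertise exactly which software to patch
    for leaky in ("server", "x-powered-by"):
        if leaky in h and any(ch.isdigit() for ch in h[leaky]):
            findings.append(f"disclosure: {leaky} reveals a version ({h[leaky]})")

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or "OK")
```

In a real scan the `headers` dictionary would come from the response object of whatever HTTP client is used; the check itself does not depend on the client.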

Real-world impact

  • Malware on product pages
  • SEO spam and redirect attacks
  • Session hijacking of customer accounts
  • Takeover of administrator accounts
  • Data breaches via known exploits

A secure webshop should demonstrate that this technical foundation is regularly checked and maintained.

2. Testing and improving

Providing clear evidence that you’ve taken steps to prevent cyberattacks and limit damage builds trust with customers. And if something does go wrong, fines may be reduced or even avoided.

Difference between scan and penetration test

Not every test is the same. In practice, we see that webshops often need both, depending on their complexity and risk profile.

Web application scan
Using a DAST (Dynamic Application Security Testing) scanner, we check for OWASP Top 10 vulnerabilities. Each scan is manually prepared, automatically executed, and then manually reviewed. This makes periodic scans well suited to quickly and consistently identify common risks.

Penetration test
Carried out by an ethical hacker who actively challenges your systems, combining advanced tools, hands-on techniques, and human insight to uncover vulnerabilities that automated scans often miss. For example:

  • Errors in access rights or roles
  • Privilege escalation
  • Abuse of login mechanisms
  • Manipulable discount or pricing logic
  • Account or data abuse scenarios

When is a pentest advisable?

A penetration test is particularly recommended in higher-risk situations, for example:

  • Before launching a new application
  • When there is significant custom development or complex functionality
  • When integrating with external systems or APIs
  • When storing external data or personal data
  • When multiple roles with different permissions exist
  • With high transaction volumes
  • After previous incidents

Must-have checks for every webshop

Regardless of size, there are a number of basic measures that every webshop should have in place.

  • Regular web application scans (at least 6 per year)
  • Strong patching and update procedures
  • Multi-factor authentication (MFA) on all accounts
  • Proper account permissions (only necessary access, no redundant accounts)
  • Monitoring suspicious login attempts and unusual activity
  • Backup testing

Tip: Use a cyber checklist or request a review to understand your current position. This helps quickly identify what’s already in place and where improvements are needed, allowing you to reduce risks structurally and set priorities.

3. Resilience against phishing and social engineering

Many security incidents don’t start with code, but with human behaviour. That makes social engineering one of the biggest risks. Examples include:

  • Fake emails from suppliers or delivery services
  • Fraudulent payment requests
  • Fake support tickets
  • Reuse of stolen login credentials
  • Deepfake phone or video calls

Preventive measures

Effective protection requires a combination of people, technology, and processes. A single isolated measure is usually not enough.

  • Awareness training for employees
  • Phishing simulations to test and improve behaviour
  • Clear internal procedures for sensitive actions
  • MFA on accounts, but watch out for MFA fatigue. Too many prompts can lead to accidental approvals. Combine MFA with awareness training so employees understand its importance
  • SPF, DKIM, and DMARC on email to prevent domain spoofing
  • Assign someone responsible for incidents and ensure everyone knows who to contact
  • A concise incident response plan

Practical tips

  • Test logical role separation: ensure new features or plugins don’t accidentally gain excessive permissions
  • Monitor dependencies: use tools that provide immediate alerts for vulnerabilities in third-party libraries
  • Detect unusual transactions: set up automatic detection for abnormal order volumes or payment changes
  • Verify external integrations: regularly test supplier and API integrations for security
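The third tip, automatic detection of abnormal order volumes or payment changes, is the one that can be shown as code. The Python below is an added example, not Forus-P's tooling: it runs two simple rules over a constructed webshop event log (the log format, the account numbers and the thresholds are all assumptions for a hypothetical shop). Rule one flags an account that places more than `MAX_ORDERS_PER_WINDOW` orders within a ten-minute window; rule two flags a high-value order placed shortly after the account's payment method was changed.

```python
"""Flag abnormal order volumes and payment-change-then-order patterns.
Added example, not Forus-P code; log format and thresholds are assumptions."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event log: timestamp, event type, account, extra fields
EVENTS = """\
2024-05-03T10:00:12Z order acct=1042 amount=49.90
2024-05-03T10:05:40Z order acct=2210 amount=12.00
2024-05-03T10:06:01Z payment_method_changed acct=3377 detail=card_added
2024-05-03T10:07:15Z order acct=3377 amount=899.00
2024-05-03T10:08:00Z order acct=1042 amount=20.00
2024-05-03T10:08:30Z order acct=9001 amount=5.00
2024-05-03T10:08:45Z order acct=9001 amount=5.00
2024-05-03T10:09:02Z order acct=9001 amount=5.00
2024-05-03T10:09:20Z order acct=9001 amount=5.00
2024-05-03T10:09:41Z order acct=9001 amount=5.00
2024-05-03T10:09:55Z order acct=9001 amount=5.00
2024-05-03T11:30:00Z payment_method_changed acct=1042 detail=card_added
2024-05-03T15:00:00Z order acct=1042 amount=30.00
"""

# Thresholds (assumed; tune them to the shop's normal traffic)
MAX_ORDERS_PER_WINDOW = 5
VOLUME_WINDOW = timedelta(minutes=10)
CHANGE_TO_ORDER_WINDOW = timedelta(minutes=15)
HIGH_VALUE = 500.0


def parse_events(text: str) -> list:
    """Turn the space-separated log lines into dictionaries with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, **attrs})
    return events


def detect_anomalies(events: list) -> list:
    """Return one alert dict per (account, rule) that fires."""
    alerts = []
    fired = set()                      # (acct, rule) already reported
    recent_orders = defaultdict(deque)  # acct -> timestamps inside VOLUME_WINDOW
    last_change = {}                   # acct -> time of last payment change

    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["acct"]
        if ev["kind"] == "payment_method_changed":
            last_change[acct] = ev["ts"]
            continue
        if ev["kind"] != "order":
            continue

        # Rule 1: sliding-window order count per account
        q = recent_orders[acct]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > VOLUME_WINDOW:
            q.popleft()
        if len(q) > MAX_ORDERS_PER_WINDOW and (acct, "volume") not in fired:
            fired.add((acct, "volume"))
            alerts.append({"acct": acct, "rule": "volume",
                           "detail": f"{len(q)} orders within {VOLUME_WINDOW}"})

        # Rule 2: high-value order soon after a payment-method change
        changed = last_change.get(acct)
        if (changed is not None
                and ev["ts"] - changed <= CHANGE_TO_ORDER_WINDOW
                and float(ev["amount"]) >= HIGH_VALUE
                and (acct, "payment_change") not in fired):
            fired.add((acct, "payment_change"))
            alerts.append({"acct": acct, "rule": "payment_change",
                           "detail": f"{ev['amount']} ordered {ev['ts'] - changed} after payment change"})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_events(EVENTS)):
        print(a)
```

Both rules are deliberately stateless between runs; in production the same logic would read from the order pipeline continuously and push alerts to whoever is responsible for incidents.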

Four actions you can take tomorrow

  1. Check that all accounts use MFA and discuss this with your team to prevent fatigue
  2. Ensure employees only have necessary permissions and remove accounts of former staff
  3. Look into awareness training or phishing simulations for employees
  4. Use internet.nl to check whether SPF, DKIM, and DMARC are correctly configured and test your website for hosting-level improvements
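Action 4 checks the SPF and DMARC records that the preventive-measures list above calls for. As an added example (not Forus-P's or internet.nl's code), the Python below grades TXT records the way such a check does: it parses the record strings and reports the weaknesses that let spoofed mail through, such as a missing record, `+all`, too many DNS lookups, or a DMARC policy of `p=none`. The domains and records are constructed. DKIM is left out because it is published per selector, so it cannot be graded from the domain name alone.

```python
"""Grade SPF and DMARC TXT records for a webshop's mail domain.
Added example, not Forus-P or internet.nl code; the records are constructed.
In practice the strings come from a DNS TXT lookup of <domain> and _dmarc.<domain>."""

# Constructed records for three hypothetical shop domains
SAMPLE_RECORDS = {
    "weak-shop.example": {
        "spf": "v=spf1 include:_spf.example-mailer.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-shop.example",
    },
    "good-shop.example": {
        "spf": "v=spf1 include:_spf.example-mailer.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@good-shop.example",
    },
    "no-auth.example": {"spf": None, "dmarc": None},
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 allows 10)
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record) -> list:
    """Return a list of SPF problems; empty means acceptable."""
    if not record:
        return ["SPF: no record, spoofed mail from this domain never fails SPF"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    issues = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        issues.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        issues.append("SPF: '+all' authorises every sender on the internet")
    elif all_term == "?all":
        issues.append("SPF: '?all' is neutral, spoofed mail does not fail")
    # '~all' (softfail) is accepted here; with an enforcing DMARC policy it is
    # acted upon, '-all' is simply the stricter choice.
    lookups = 0
    for t in terms[1:]:
        name = t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHS:
            lookups += 1
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror at receivers)")
    return issues


def parse_dmarc_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record) -> list:
    """Return a list of DMARC problems; empty means acceptable."""
    if not record:
        return ["DMARC: no record, receivers are never told to reject spoofed mail"]
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "")
    if policy == "none":
        issues.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("DMARC: missing or invalid p= tag")
    if tags.get("sp") == "none":
        issues.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, aggregate reports are lost")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return issues


def grade_domain(records: dict) -> tuple:
    """Combine both checks into ('PASS' | 'FAIL', [issues])."""
    issues = check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))
    return ("PASS" if not issues else "FAIL", issues)


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, *grade_domain(recs))
```

Once a domain grades PASS, the aggregate reports sent to the `rua=` address are what tell you whether your legitimate mail actually passes, which is worth reading before moving from `p=none` to `p=reject`.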

4. Myths and facts about secure webshops

Myth: “We’re too small to be of interest to hackers.”
Fact: Hackers often exploit this. Smaller webshops typically have weaker security and can serve as an entry point to larger suppliers or partners.

Myth: “Our platform is secure, so we are too.”
Fact: Beyond the platform itself, plugins, additional functionalities, updates, and employees also matter. Technical controls, clear processes, and well-trained staff are essential.

Myth: “A scan report showing no issues means we’re secure.”
Fact: Security lies in follow-up and process, not a single report. A scan is just a snapshot. Regular scanning and consistent issue resolution are key.

Myth: “We don’t need to whitelist the scanner. If our security blocks it, we’re safe.”
Fact: For a reliable scan, the scanner needs access (whitelisting) to test the application itself. Bot protection may block automated scans but does not stop manual attacks. Think of it like a garden gate: even if someone can jump over it, the doors and windows of the house still need to be secure.

Conclusion

Security is an ongoing process, not a checkbox. With a solid technical foundation, regular scans, penetration testing, attention to employees and processes, and up-to-date measures such as MFA awareness and smart preventive practices, you reduce the biggest risks and build trust with customers and partners.