Got a WooCommerce store? You’re far from alone: the plugin powers millions of online stores, with users running the gamut from tiny one-person operations to huge corporations.
Yet there’s one thing that all of these users have to contend with: securing their WooCommerce store and keeping it safe. If you don’t, the consequences for your business can be severe. If a hacker attacked your business and there was a data breach, this could end up costing you millions of dollars.
The solution sounds simple: secure your store and make sure that it stays that way. However, what do you actually need to do to achieve that?
In this guide, we’re going to take a look at the steps that you will need to take to stay safe as a WooCommerce user. Are you ready to find out more about WooCommerce security and make your store more secure? Then read on!
1. Start With a Strong Host
The first thing that you should do to secure your store is to employ a great WooCommerce website hosting company. Good security begins with strong infrastructure, so find a host that takes your security seriously.
A reliable host makes sure that their servers are always using the latest version of PHP, are always updated, and keep logs to track any attacks that have happened. They should use these logs to prevent future attacks by closing off different attack vectors.
They should also make sure that they keep up to date with the latest news regarding WordPress and WooCommerce so that if there is a new vulnerability discovered, they can patch it right away.
They should also have a policy in place so that if one site they host is hacked or infected with malware, they can isolate it to prevent it from spreading to other sites that they host.
You should make sure that the host you choose spells out the security features that they use. Only go with a company that you feel takes your security seriously: if they don’t, you are the one who will bear the consequences.
2. Ensure You Use a Strong Login
Now we move on to the responsibilities that lie with you. When you make a login for WooCommerce, you should make sure that you use strong passwords that aren’t easy to crack.
Forget common passwords like “abc123,” “passw0rd,” or the like. These are trivial for attackers to guess and are effectively an open invitation to hackers. You should also not reuse a password that you’ve used before with the same email address, as such credential pairs may already be available online.
We would recommend that you use a password manager such as KeePass, LastPass, or Bitwarden. These can generate strong passwords for you that mix special characters, numbers, and capital and lower-case letters. While such passwords aren’t easy to remember, the programs we’ve mentioned will store them for you, and you unlock them with a single master password.
For your master password, use an easy-to-remember password that is unique to you and follow the advice that we previously mentioned.
We would also recommend that you change the default username. When you leave it as “admin,” you have already handed an attacker half of your login credentials. Change it to something unique to you.
You should also edit your author page. When you create a user, your site generates a URL that ends in /author/[username]. Leaving this as it is means that your username is exposed to the public, which is poor security.
In your wp_users table, you can change the value that forms this part of the URL so that it no longer reveals your username.
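The following is an added example, not code from the article or from Pressable, showing one way to do both of the changes above in a single step: rename the default “admin” login and give the account a new author slug (the wp_users value that appears after /author/). It assumes you run it once through WP-CLI (`wp eval-file`) or as a temporary mu-plugin and then delete it; the new login name, slug and the `pe_` prefix are placeholders of our own.

```php
<?php
/**
 * Added example (not from the original article): rename the default "admin"
 * account and give it an author slug that does not repeat the login name.
 * Run once, e.g. with `wp eval-file rename-admin.php`, then delete the file.
 * The new login and slug below are placeholders; the "pe_" prefix is ours.
 */
function pe_rename_admin( $old_login, $new_login, $new_slug ) {
    global $wpdb;

    $user = get_user_by( 'login', $old_login );
    if ( ! $user ) {
        return new WP_Error( 'pe_no_user', "No account with login '{$old_login}'." );
    }
    if ( ! validate_username( $new_login ) || username_exists( $new_login ) ) {
        return new WP_Error( 'pe_bad_login', "Login '{$new_login}' is invalid or already in use." );
    }
    // The slug becomes the /author/<slug>/ URL; it must be URL-safe and unique.
    $new_slug = sanitize_title( $new_slug );
    if ( '' === $new_slug || get_user_by( 'slug', $new_slug ) ) {
        return new WP_Error( 'pe_bad_slug', "Slug '{$new_slug}' is empty or already in use." );
    }

    // wp_update_user() silently ignores user_login, so write both columns directly.
    $rows = $wpdb->update(
        $wpdb->users,
        array( 'user_login' => $new_login, 'user_nicename' => $new_slug ),
        array( 'ID' => $user->ID ),
        array( '%s', '%s' ),
        array( '%d' )
    );
    if ( false === $rows ) {
        return new WP_Error( 'pe_db', $wpdb->last_error );
    }
    clean_user_cache( $user->ID );
    return $user->ID;
}

// Placeholder values: pick a login nobody can guess and a slug that differs from it.
$result = pe_rename_admin( 'admin', 'store-owner-x7', 'store-team' );
if ( is_wp_error( $result ) ) {
    error_log( 'Rename failed: ' . $result->get_error_message() );
} else {
    error_log( "Renamed user ID {$result}; sign in again with the new name." );
}
```

Two things to check afterwards: the login cookie is tied to the login name, so the renamed account is signed out and must log in again with the new name; and the display name and nickname are separate fields that your theme may print next to posts, so make sure neither of those still contains the old username.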
Limiting Login Attempts
While everyone occasionally forgets their password, repeated attempts to log in can also indicate malicious activity. To solve this problem, you should limit login attempts so that if someone enters the wrong password three times, they are locked out of further attempts.
After this, the site will instead let them reset their password via email. Unless the attacker also has access to your email, this will stop them in their tracks.
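As an added example (not code from the article or from Pressable), here is a small mu-plugin that implements the behaviour just described with WordPress core hooks only: three failed logins lock the account, the lock message points at the e-mail password reset, and a successful login or a completed reset clears the counter. The threshold matches the article; the fifteen-minute window, the `pe_` prefix and the wording of the message are our own assumptions.

```php
<?php
/**
 * Added example (not from the original article): lock an account after three
 * failed logins, the threshold the article suggests, and point the user at the
 * e-mail password reset. Save as wp-content/mu-plugins/limit-logins.php.
 * The "pe_" prefix, the lockout length and the message text are our choices.
 */
define( 'PE_MAX_ATTEMPTS', 3 );
define( 'PE_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS ); // window in which the failures count

// One counter per account (not per IP), so guesses spread over many IPs still hit the limit.
function pe_lock_key( $login ) {
    return 'pe_failed_' . md5( strtolower( trim( $login ) ) );
}

// The login form also accepts an e-mail address; normalise to the account's user_login.
function pe_resolve_login( $typed ) {
    $user = get_user_by( 'login', $typed );
    if ( ! $user && is_email( $typed ) ) {
        $user = get_user_by( 'email', $typed );
    }
    return $user ? $user->user_login : $typed;
}

function pe_failed_attempts( $login ) {
    return (int) get_transient( pe_lock_key( $login ) );
}

// Core fires wp_login_failed with whatever was typed into the username box.
add_action( 'wp_login_failed', function ( $typed ) {
    $login = pe_resolve_login( $typed );
    set_transient( pe_lock_key( $login ), pe_failed_attempts( $login ) + 1, PE_LOCKOUT_SECS );
} );

// wp_authenticate_user runs after the account is found but before the password
// is compared, so a locked account never has its password checked at all.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( $user instanceof WP_User && pe_failed_attempts( $user->user_login ) >= PE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'pe_locked',
            sprintf(
                '<strong>Error:</strong> Too many failed logins. <a href="%s">Reset your password by e-mail</a> to regain access.',
                esc_url( wp_lostpassword_url() )
            )
        );
    }
    return $user;
}, 10, 2 );

// A successful login or a completed password reset clears the counter.
add_action( 'wp_login', function ( $login ) {
    delete_transient( pe_lock_key( $login ) );
} );
add_action( 'after_password_reset', function ( $user ) {
    delete_transient( pe_lock_key( $user->user_login ) );
} );
```

Note that a rejected attempt against a locked account still fires `wp_login_failed`, which refreshes the transient, so the lockout extends for as long as the guessing continues and only the e-mail reset ends it early. Transients live in the database (or the object cache if you have one), so the counter is shared across all of your web servers.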
3. Back Up Your Site
Let’s say that the worst happens and you experience an attack that takes your website offline. This could spell disaster for your website or it could be a relatively minor problem. This depends on whether you have your website backed up or not.
If you don’t have your site backed up remotely, then fixing your compromised website will be a lot of work and could keep your site offline for days or weeks.
You should make sure that you have automated backups in place so that the entire contents of your site are kept, ready for you to use to restore it.
If you don’t want to tinker with an automated backup plugin, then you can do it manually, but you should make sure that you schedule it every week or month, and store it in a different location than your website. This protects your backups from getting infected if your site’s server does.
4. Disable Pingbacks
While pingbacks and trackbacks can be useful for WordPress blogs and the like, they aren’t a useful feature for WooCommerce stores and they can be actively dangerous. These features allow attackers to carry out low-level denial of service attacks on your site and can also lead to spam.
We would recommend turning these off across your entire WooCommerce site.
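The following is an added example, not code from the article or from Pressable, of switching pingbacks and trackbacks off site-wide with WordPress core filters. It deliberately removes only the XML-RPC pingback methods rather than disabling XML-RPC altogether, because Jetpack (mentioned later in this guide) still relies on XML-RPC; the `pe_` prefix and file name are our own.

```php
<?php
/**
 * Added example (not from the original article): turn pingbacks and trackbacks
 * off for the whole site and remove the XML-RPC pingback method, without
 * disabling XML-RPC entirely (Jetpack still needs it). Save as
 * wp-content/mu-plugins/no-pingbacks.php. Prefix "pe_" is ours.
 */

// 1. No post, page or product accepts pings, whatever its own setting says.
add_filter( 'pings_open', '__return_false', 20 );

// 2. New posts default to "closed" in the editor as well.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );

// 3. Remove the XML-RPC methods that outside sites call to deliver a pingback.
function pe_strip_pingback_methods( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'pe_strip_pingback_methods' );

// 4. Stop advertising the endpoint: X-Pingback header, <link rel="pingback">, RSD.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );
remove_action( 'wp_head', 'rsd_link' );
```

To confirm it worked, load any product page and check that the response no longer carries an `X-Pingback` header or a `<link rel="pingback">` tag; a web-level firewall (section 9) can then block any remaining `pingback.ping` calls outright.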
5. Install a Security Plugin
While your host should take care of a lot of your security concerns, you should still install a security plugin. These can scan your website for any security vulnerabilities, which you can then fix.
These plugins can also keep track of suspicious activities that may not be attacks in themselves but could indicate that one is being planned. There are lots of different WooCommerce security plugins out there and they aren’t created equal. We would recommend taking a look at reviews before pulling the trigger and installing one.
A Word on Plugin Updates
Before we move on, we should stress the importance of keeping your WooCommerce plugins updated. Updates to the plugins will often be there to fix security issues. If you’re still running older versions of the plugins, you are opening an attack vector that people can use to gain entry to your website and cause damage.
6. Add SSL Certificates to Your WooCommerce Store
SSL certificates ensure that the information customers send to you through your store is encrypted in transit. When you use a website and see that little padlock in the address bar, it’s there because the site uses an SSL certificate.
Not only are these essentially compulsory for WooCommerce stores, but they also improve customer confidence. People know that the little padlock means their information is safe, so they will feel a lot more comfortable browsing and buying from your site.
While many hosting solutions offer SSL certificates as part of their packages, not all of them do. If yours does not, we would recommend either switching to another host or getting an SSL certificate yourself.
Once you have one, you should go to your settings and make sure that “force secure checkout” is enabled.
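Beyond the WooCommerce setting, the whole site should live on HTTPS, not only the checkout. The following added example (our own code, not the article’s or Pressable’s) redirects plain-HTTP page views, sends an HSTS header once a visitor is on HTTPS, and shows the wp-config.php constant that keeps the dashboard and login page on HTTPS. It assumes the certificate is installed and that your WordPress and site addresses already start with https://; the `pe_` prefix is ours.

```php
<?php
/**
 * Added example (not from the original article): push every front-end request
 * onto HTTPS and send an HSTS header once it is there. Assumes the certificate
 * is installed and that Settings > General already uses https:// URLs.
 * Save as wp-content/mu-plugins/force-https.php. Prefix "pe_" is our choice.
 */

// Where the browser should have gone: the site's own host, same path, https.
function pe_https_target( $request_uri ) {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    return 'https://' . $host . $request_uri;
}

// Redirect plain-HTTP page views with a permanent redirect.
add_action( 'template_redirect', function () {
    if ( is_ssl() || wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    wp_safe_redirect( pe_https_target( $_SERVER['REQUEST_URI'] ), 301 );
    exit;
}, 1 );

// Once a visitor is on HTTPS, tell the browser to stay there. Start with a
// short max-age and lengthen it only after the whole site works over HTTPS.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
} );

// Keep the login page and dashboard on HTTPS too. This line belongs in
// wp-config.php, above the "That's all, stop editing!" comment:
// define( 'FORCE_SSL_ADMIN', true );
```

One caveat before enabling this: if your host terminates TLS on a load balancer or proxy, `is_ssl()` can return false even for HTTPS requests and the redirect would loop. The usual fix, described in the WordPress documentation, is to set `$_SERVER['HTTPS'] = 'on'` in wp-config.php when the `HTTP_X_FORWARDED_PROTO` header says https. Test with a single page before rolling the redirect out, since mixed-content warnings on images or scripts loaded over http:// will still show a broken padlock.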
7. Take a Look At What Each User Can Do
If you have multiple users that can access your WooCommerce site, you should take a look at what each user has access to. Insider attacks are a serious threat: disaffected employees can use the tools that you give them to wreak havoc on your business.
Even if you trust your employees implicitly, you should still make sure that accounts have different privileges. This limits the damage that a hacker could do if they were able to break into your website through one of those accounts.
To do this, take a look at your site’s user access levels. Think carefully about what each employee actually needs to do and set their privileges accordingly. Keep it strict and make sure that they have enough to do what they need to do without giving them more power that could be abused.
If a user needs additional permissions, ask them to log a request and vet it. Consider whether they really need it or whether there is another way for them to do the job. Similarly, as employees are promoted, you may need to change their account privileges.
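As an added example (not code from the article or from Pressable), here is how the “just enough access” idea above looks as a custom WordPress role: a “Store Packer” who can open and update orders but cannot touch products, coupons, settings, plugins or other users. The role name, the helper names and the `pe_` prefix are our own assumptions; the capability names are the ones WooCommerce registers for its order post type.

```php
<?php
/**
 * Added example (not from the original article): a "Store Packer" role for a
 * warehouse employee who only needs to read and update orders. The role name,
 * capability list and helper names are our choices; the capability names
 * themselves are the ones WooCommerce registers for its order post type.
 * Roles persist in the database, so run the registration once (plugin
 * activation or `wp eval-file`), not on every request.
 */
function pe_register_store_packer() {
    if ( get_role( 'store_packer' ) ) {
        return get_role( 'store_packer' );
    }
    return add_role( 'store_packer', 'Store Packer', array(
        'read'                     => true,  // can open the dashboard
        'edit_shop_orders'         => true,  // open the Orders screen and edit
        'edit_others_shop_orders'  => true,  // ...including orders they did not create
        'read_private_shop_orders' => true,
        'publish_shop_orders'      => true,  // save status changes
        // Deliberately absent: delete_shop_orders, edit_products, edit_shop_coupons,
        // manage_woocommerce, edit_users, install_plugins.
    ) );
}

// Give an existing account this role and nothing else (set_role replaces all roles).
function pe_make_store_packer( $user_id ) {
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return false;
    }
    $user->set_role( 'store_packer' );
    return $user;
}

// For the periodic audit: which of these capabilities does the role NOT have?
function pe_role_denies( $role_name, array $caps ) {
    $role = get_role( $role_name );
    if ( ! $role ) {
        return $caps;
    }
    return array_values( array_filter( $caps, function ( $cap ) use ( $role ) {
        return ! $role->has_cap( $cap );
    } ) );
}

pe_register_store_packer();
// Example audit call: every name in this list should come back as denied.
pe_role_denies( 'store_packer', array( 'manage_woocommerce', 'edit_products', 'delete_shop_orders', 'edit_users' ) );
```

When someone’s job grows, the vetted request from the paragraph above becomes a single `$role->add_cap( 'name' )` call that you can review and reverse, rather than promoting the whole account to Shop Manager or Administrator.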
8. Keep Logs and Examine Them From Time to Time
Your site should keep logs of what each user does. For instance, if someone logs in and changes the image on a page, there should be a log that says what they did and when they did it.
Keeping logs like these is useful but you’ll need to take a look at them from time to time to get any benefit from them.
Plugins like Jetpack make it easy to keep track of these events and to review them. Make sure that everyone is acting as they should and that nothing has been changed that shouldn’t have been.
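If you would rather see what such a log contains before choosing a plugin, the following added example (our own code, not the article’s or Pressable’s) records the events the section describes, including the “who changed the image on a page and when” case, as one JSON line per event in the PHP error log. The hooks are WordPress core; the record layout, file name and `pe_` prefix are our own.

```php
<?php
/**
 * Added example (not from the original article): a minimal audit trail that
 * writes one JSON line per event to the PHP error log (wp-content/debug.log
 * when WP_DEBUG_LOG is on). The hooks are WordPress core; the record layout
 * and the "pe_" prefix are our own. Save as wp-content/mu-plugins/audit.php.
 */
function pe_audit( $event, array $details = array() ) {
    $user   = wp_get_current_user();
    $record = array(
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'actor' => $user->exists() ? $user->user_login : 'anonymous',
        'ip'    => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    ) + $details;
    error_log( 'AUDIT ' . wp_json_encode( $record ) );
    return $record;
}

// Sessions: who came in and when. (At wp_logout the current user is already
// cleared, so the hook's $user_id argument is the only way to name the account.)
add_action( 'wp_login', function ( $login ) {
    pe_audit( 'login', array( 'account' => $login ) );
} );
add_action( 'wp_logout', function ( $user_id ) {
    $u = get_user_by( 'id', $user_id );
    pe_audit( 'logout', array( 'account' => $u ? $u->user_login : $user_id ) );
} );

// Page and product edits: record which fields changed rather than the content itself.
add_action( 'post_updated', function ( $post_id, $after, $before ) {
    $changed = array();
    foreach ( array( 'post_title', 'post_content', 'post_status' ) as $field ) {
        if ( $after->$field !== $before->$field ) {
            $changed[] = $field;
        }
    }
    if ( $changed ) {
        pe_audit( 'post_updated', array( 'post' => $post_id, 'type' => $after->post_type, 'fields' => $changed ) );
    }
}, 10, 3 );

// The "image on a page" from the article is the featured image, stored in post
// meta, so it needs its own hooks (added_post_meta covers the first time it is set).
$pe_thumb = function ( $meta_id, $post_id, $key, $value ) {
    if ( '_thumbnail_id' === $key ) {
        pe_audit( 'featured_image_changed', array( 'post' => $post_id, 'attachment' => (int) $value ) );
    }
};
add_action( 'added_post_meta', $pe_thumb, 10, 4 );
add_action( 'updated_post_meta', $pe_thumb, 10, 4 );

// Privilege changes are the entries to read first when reviewing the log.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    pe_audit( 'role_changed', array( 'target' => $user_id, 'from' => $old_roles, 'to' => $role ) );
}, 10, 3 );
```

Reviewing it is then a matter of `grep AUDIT` over the log, sorted by `actor`, and looking for logins at odd hours, role changes nobody requested, and edits to pages that should be static. Two caveats: wp-content/debug.log is inside the web root, so either set `WP_DEBUG_LOG` to a path outside it or deny web access to the file; and a log that lives on the same server as the site is only as trustworthy as that server, which is why the section on backups and the host-level logs from section 1 still matter.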
9. Add a Firewall at the Website Level
While any good host should include a firewall at the server level, it is still wise to add one to your website. This extra layer of protection will make it harder for a hacker to breach your website and should block many common threats before they even make contact with your site.
There are a few different WordPress and WooCommerce firewalls that you can use, so once again we would recommend taking a look at the reviews and choosing one that fits your needs and budget.
10. Consider Using Two-Factor Authentication
While a strong password and unique usernames can help a lot, there’s still the possibility that a hacker has somehow managed to uncover your details and is using them nefariously. To cut down on this risk, you can add two-factor authentication to your site.
If a user logs in from an IP address that your system doesn’t recognize, they will be asked to enter a code. Your site could text a code to them, or they could use a small hardware token (a dongle) that generates a code they can type in.
This makes hacking your site a lot harder, as a hacker would need to spoof a cell phone number or otherwise manipulate the system at a deeper level to gain entry.
11. Run Regular Audits on Your Security
The best way to ensure that your security stays tight is to analyze it regularly. Audit your site’s security every so often, and make sure that it’s part of your site maintenance schedule.
Take note of anything that you need to change to improve security, what you think isn’t as secure as it could be, and what is running well. Then take action after the audit and fix these problems before they become larger issues.
Tight Security Is Vital for Your Store
When you’re running a WooCommerce store, you need to make sure that your security is kept tight. The first step to take is finding a great host for your store, and we can help you.
We offer a range of plans that you can use regardless of your business’ size and scope, and we can scale with you too. All of our plans come with great security. Why not take a look at our reviews to see what our customers have to say about us?
If you’d like to request a quote or if you have any questions for us, please don’t hesitate to get in touch with us or request a demo.
Zach has 12+ years of experience with WordPress, from creating and maintaining client sites, to providing support and developing documentation. A knack for problem-solving and providing solutions led Zach to pursue a job with Automattic providing customer support in 2015 working with WooCommerce support, and now Zach has recently joined our team here at Pressable. Outside of work, Zach enjoys spending time with his family, playing and watching sports, and working on projects around the house.