WooCommerce is a popular eCommerce plugin for WordPress, powering over 28% of all online stores. As a publicly accessible software, WordPress can be customized and modified to build a unique WooCommerce website. On the other hand, just as all websites on the internet, WordPress websites are also vulnerable to hackers. And it doesn’t really have to do with the WordPress core website, rather, due to avoidable security issues.
In this post, we take you through the top WooCommerce security tips to prevent your eCommerce store from being compromised by malicious users. You can go about planning and implementing them in different ways, but there’s an easy and effective solution to optimize your site’s security, which we also discuss here.
9-Point Checklist to Strengthen Your WooCommerce Security
Here’s a look at the ways in which you can increase your WooCommerce security. Some of these security measures you can easily implement on your own, others will require intervention from WordPress experts.
1. Keep your plugins up-to-date
Updating your plugins and themes is essential – here’s why:
- Hackers can exploit vulnerabilities in plugins and themes, and start attacking your website through those plugins/themes. They may succeed in accessing business and customer data to sell on the dark web, transfer funds or perpetrate fraud, among other illegal acts.
- Outdated plugins are responsible for 91% of security breaches, making updates necessary. Moreover, thousands of websites are hacked daily. If hackers have their way with your store, they may pass on malicious code to unsuspecting users to your site. Or they may launch a DDoS attack to slow down or shut down your website, causing downtime, which has been sent to cost an average of $5,600 a minute.
- Plugin and theme updates come with bug fixes and performance improvements. The latest versions fix issues identified in previous software versions, and may even add new features. Maintaining plugins/themes keeps them usable and secure.
To update WordPress themes or plugins, visit the ‘Updates’ tab in your WordPress Admin. We recommend that you first update the themes/plugins on a staging site – a clone of your live website – to test the changes before applying them to your live site. This is because updating a plugin can sometimes cause ‘fatal errors’ due to the plugin code being incompatible with the code used in core WP files.
If you have a technical background, you can more easily set up your staging site. If not, a professional can set it up for you, helping ensure that updates are fine to install. You can look after your WooCommerce security and also avoid any consequences arising from update issues.
2. Choose a dedicated WooCommerce hosting provider
Do you need special hosting for WooCommerce? Well, given how the average WooCommerce site is database-intensive and has to accommodate high traffic, a dedicated WooCommerce hosting company is a better fit than a regular hosting service. From the point of WooCommerce security, such a provider can be expected to provide specialized support covering all necessary areas on your site.
Here are some of the security features to review when you’re looking for a hosting provider:
- SSL certificates to enable an encrypted connection and block hackers from seeing names, addresses, passwords, credit card numbers, and other sensitive data.
- Automated backups to get your site back up and running in the event of an attack.
- Attack monitoring to detect and mitigate attacks in real-time.
- 24/7 support from knowledgeable WooCommerce hosting experts on call to help you with security concerns.
- A built-in staging environment to safely test plugins and changes to your store before you push them live.
On performance, you may want to focus on the uptime guarantee promised by the provider. If you have a large WooCommerce site with many products and attract substantial traffic daily, nothing less than a 99.9% uptime guarantee will do.
3. Set up a firewall using a WordPress security plugin
Even if your hosting provider supplies you with a firewall, setting one up at the website level will add another layer of security, preventing unauthorized access to your computer network. You can use a plugin to set up a firewall, and add more customization if you have advanced technical knowledge. WordFence is a trusted firewall for WordPress. It is a complete WordPress security plugin, offering a suite of functions, such as:
- A web application firewall (WAF) that identifies and blocks malicious traffic
- Protection against brute force attacks which block users after a defined amount of incorrect login attempts
- Malware scanning to identify malicious software that hackers might have installed on your site
- Enables login security such as reCAPTCHA and two-factor authentication
Many of the most important WordFence features are available with the free version. Upgrading to the premium version costs $99 per year, and comes with advanced features like real-time IP blocking and firewall rules that protect sites from new threats and malware as soon as the WordFence team detects them.
It is possible to manually implement the features that all-in-one security plugins like WordFence offer. Some are quite easy to do but have special requirements. For example, if you want to set up your own firewall, you need full access to your server, which is not possible unless you use a dedicated server. In addition, you’ll need to work in the command-line interface, which is simple and pleasurable only if you have web development skills.
4. Make your login page more secure
Your website’s admin area is under threat of brute force attacks, which attempt to gain access to your WP-admin by trying various combinations of usernames and passwords. Brute force attacks or the use of stolen credentials account for over 80% of breaches within hacking. There are some WooCommerce security actions you can take to increase the security of the admin login page for your store:
Change your username from ‘admin’ to something else
A common trick for hackers is to exploit the default WordPress admin username, which is ‘admin’, to try and log into your account. Early versions of WordPress defaulted to the ‘admin’ username, so it’s possible that store owners are in the habit of using it. Changing ‘admin’ to another name is necessary to reduce the risk of Wp-admin attacks, and there’s nothing to it! Here are the steps:
- Go to > add new user
- Create a new user with your desired username, and give it the ‘administrator’ role
- Log out of the previous ‘admin’ account and log into the new account
- Go back to the list of users and delete the old ‘admin’ account
Enable two-factor authentication (2FA)
Two-factor authentication requires two methods to verify your identity. It acts as the second line of defense for restricting access to your WordPress admin account. You can enable it with an authenticator app, which adds 2FA to the accounts you want to protect.
Authenticator apps generate a one-time code that you can use to confirm that it is you who is logging in to your WP admin account. You’ll first need to set up an authenticator device on your smartphone or tablet. During this process, the app will generate a secret key that you save to your phone by scanning a QR code or manually typing the code if your phone doesn’t have a camera. With this, the app’s server and your phone have a copy of the secret key. Thereafter, every time you enter your username and password to log in, the app sends an access code – usually a six-digital number – that you type to sign in to your admin account.
Here’s an example of how to set up 2FA using WordFence:
- Download an authenticator app such as Google Authenticator to your smartphone or tablet
- Install and activate WordFence
- Go to the ‘login security’ page in WordFence
- Open your authenticator app and scan the QR code that shows in WordFence
- Click ‘download’ in the recovery code section – this gives you a set of codes that you can use in the event that you lose access to your authenticator app
- Enter the 6-digit code from your authenticator app
- Click ‘activate’
5. Require strong passwords for store accounts
WooCommerce offers you the flexibility to create a store that suits your business model. This includes providing different access levels within teams. Securing the store accounts of all your team members is a simple way to harden WooCommerce security.
While employees understand that their passwords should be strong, they still tend to use weak passwords that can be hacked in less than a second. A strong password policy can reiterate the necessity to create complex passwords. Rather than having only some roles like store manager or administrator create secure passwords, enforcing a password complexity policy for all users is the safer option.
One way to achieve this is by using the iThemes Security plugin to force store accounts to set strong passwords for themselves. Here’s how you can go about it:
- Install and activate the plugin
- On the setup page, choose ‘eCommerce’ as the type of website
- Select ‘Self’ as the user
- When the plugin asks ‘do you want to secure your user accounts with a password policy?’, set the toggle to ‘yes’
6. Create unique passwords for all third-party eCommerce platforms
An often overlooked aspect of WooCommerce security is the vulnerability of the different accounts that you use for services connected to your WooCommerce store to password hacks. Using the same password for all the services you have connected to your WooCommerce store makes a hacker’s job easy. Here’s what you should consider doing instead:
- Set distinct passwords across all your payment gateways like Stripe and PayPal, your hosting, and any other third-party services that you use for your WooCommerce store. Even if one of your passwords is exposed, your other accounts will be safe.
- Make sure that the passwords are sufficiently distinct from one another. Reusing passwords by simply changing or adding a digit or character is ineffective.
7. Maintain regular backups of your store
Although backups won’t protect your site against hackers, they ensure that you have access to your valuable data if your site gets compromised. Having backup copies of your data can help get your site back online after a cyberattack or other events, such as a hardware failure or crash due to a traffic spike. Daily backups ensure that your customer, order and product information can be restored when unforeseen events strike, and that business continuity is maintained to avoid losing customers and revenue.
A handy solution is to use a real-time WordPress backup plugin like BlogVault. Real-time backup offers the ability to restore data to any point in time, and is especially useful if you have a large database that faces the constant threat of security-related issues.
8. Secure your database
Your WordPress database stores all the information on your website, making it an attractive target. WordPress uses MySQL as its database management system. The PHP code in your WordPress site contains SQL commands to communicate with the database. One of the ways SQL can be hacked is when the hacker uses a piece of SQL code to manipulate a database and gain access to valuable information. This type of attack is an SQL injection and common among database-driven websites.
Fortunately, there are ways to secure your WordPress database – here are two to help you get started:
Change the default table prefix
The default table prefix for WooCommerce stores is wp_. Leaving this setting at the default opens up your store to SQL injections. You can change this setting in PhpMyAdmin when you set up your store, or use a plugin like DB Prefix. Be sure to back up your WP database before making any changes to table prefixes. And if you have quite a bit of WordPress maintenance and security updates planned, you could direct website visitors to a maintenance page or a temporary page.
Secure your wp-config file
The wp-config.php file is the most important file in your WooCommerce store as it contains all your store’s database information – including admin passwords. By moving this file up from its default position in the root subdirectory to a higher subdirectory, it becomes more difficult for potential hackers to locate it.
Note: Codeable is not affiliated with any of the (plugins) recommendations mentioned in the post.
9. Hire a vetted WordPress security professional
The number one most effective action you can take to keep your WooCommerce store secure is to hire a WordPress security professional. From installing a basic SSL certificate all the way through to implementing firewalls to protect against brute force attacks on larger eCommerce sites, hiring a security professional frees you up to focus on other parts of your store, such as managing orders and keeping track of inventory.
How to find a WooCommerce security expert
You have many options, including DIY, hiring an agency or finding a freelancer on the numerous marketplaces on the web. Agencies that provide WordPress security experts generally pack different services in a package, so if you choose this option watch out for any services that you may not need.
On freelancer marketplaces, you can pay extra to have a selection of vetted WP developers or you’ll have to assess them yourself. On these sites, you pick the best bids, and there’s no assurance that a freelancer will bid on projects in which they feel competent, simply because the site doesn’t make this requirement explicit.
The better option is to find a security expert on Codeable:
- Codeable is a freelancer platform specialized in WordPress.
- It matches your project to vetted WordPress/WooCommerce professionals who have worked on security projects similar to your own. This removes the guesswork and helps ensure that you have the right individual for the job.
- What sets Codeable apart from generic freelance marketplaces is that you’ll only work with experts who are able to execute your project successfully. You can enjoy peace of mind knowing that you have access to WooCommerce security professionals who have consented to the project after thinking carefully about it.
- Codeable is a great option for smaller projects or one-off tasks like security audits. It works out cheaper than hiring an agency and saves you significant time for strategic activities.
- The hiring process is easy and there is no obligation for you to hire if you change your mind about your WooCommerce security and maintenance plans.
Secure Your WooCommerce Store Against Emerging Threats
Having a Woocommerce security plan in place enables you to respond effectively to existing and new cybersecurity threats. Managing WordPress- and eCommerce-specific security issues proactively is imperative to carry out business disruption-free, avoid financial losses due to hacking, and maintain customers’ trust.
WordPress security experts from Codeable can help you manage your security risk.
Submit your project and mitigate your security concerns promptly. Codeable is cost-friendly and offers a money-back guarantee, so you can test it out with a small task and then determine whether you’d like to use it for a bigger security project.