Security is incredibly important for all websites, but arguably even more so for ecommerce stores. After all, you’re collecting customer information like names, addresses, and payment info.
And while security measures are built into WordPress and WooCommerce, there are a few basic things store owners should do to keep their customers, team, and data safe in the event of worst-case scenarios.
In this guide to WooCommerce security, we’ll tackle the steps you should take to protect your store and your customers, in no particular order. We’ll also look at one of the best WooCommerce security plugins to take care of most of the hard work. Let’s dive in!
Why you should secure your WooCommerce store
It’s probably no surprise that you should protect your WooCommerce store.
But let’s take a look at a few reasons that security should be a top priority:
1. Protect your hard work
You’ve put a lot of work into your site’s design, functionality, and content. The last thing you want is to lose that work to a security breach. If your WooCommerce website isn’t properly protected and backed up, you could be looking at a lot of lost time, money, and peace of mind to recover after a hack.
2. Keep customer information safe
When you run an ecommerce business, you’re capturing customer data like addresses, names, phone numbers, and credit card numbers. Your buyers are relying on you to safeguard that information and keep it from falling into the wrong hands.
3. Avoid legal and financial problems
If your customers’ information is compromised, you could potentially face real legal and financial problems that, at the very least, could be stressful and time-consuming to resolve.
4. Maintain your brand reputation
If your website goes down or is otherwise compromised, it could breach the trust you’ve built with customers and followers.
5. Protect search engine rankings
Your website can take a fall in the rankings after a hack, especially if you’re not able to recover quickly. After all, search engines don’t want to send users to a compromised site!
In summary, WooCommerce security is important to protect both you and your customers. This isn’t the place for shortcuts!
How to secure your WooCommerce store
Now that we’ve discussed why security is so important, let’s take a look at some WooCommerce security tips that you can implement today.
1. Choose a secure hosting provider
Your host stores your website content, WordPress core files, and database, which allows them to be viewed by people all over the world. It’s essentially the foundation of site security — your host should have measures in place to protect your files and database from hackers and malware.
Ideally, you should find a host that understands WordPress and WooCommerce security well and clearly states what they do to prioritize your store’s safety.
Look for features like:
- SSL certificates, which protect customer data such as addresses and phone numbers
- Backups, so that if anything does go wrong, you can restore your site in full
- Attack monitoring and prevention, so that you’ll know instantly if malware is found in your files or database
- A server firewall, which prevents hackers from accessing your files
- 24/7 access to support, just in case you need it
- Up-to-date server software, like PHP and MYSQL
- The ability to isolate malicious files, so that a virus or malware can’t move to other sites or folders on the same server
The hosts you evaluate should have a page about security on their site, so you should be able to confirm whether or not your host offers these features. If you have to dig deeper or send emails to get answers, it might be a sign to steer clear.
You should also take the time to read reviews from existing customers. Look for feedback specific to security issues — good or bad. This is often one of the best indications of a quality host.
Want more information? This list of hosting providers for WooCommerce is a great place to start.
2. Require strong passwords for user accounts
While safety might start with your host, it’s up to you to follow through. So, be sure to choose secure passwords for any and all accounts associated with your WooCommerce store — including accounts on your WordPress site, hosting tool, and domain name provider.
This means:
- Using unique passwords for each of your accounts, especially WordPress admin accounts.
- Creating a password with a mixture of capital letters, lowercase letters, numbers, and symbols.
- Avoiding words, anniversaries, birthdays, or other phrases that could be easily guessed.
- Prioritizing length — the longer and more complex the password, the harder it is to crack.
Worried about whether or not your passwords are truly secure?
Fear not: WordPress has a built-in secure password generator that makes it easy to create complex, hard-to-guess combinations.
But remembering difficult passwords may be tricky. One great solution is a password manager like 1Password. These tools safely store your passwords and auto-fill them securely on your favorite sites.
Also, make sure that you extend your password requirements to any and all users that have access to your WordPress website, especially for administrators. You can use a plugin like Password Policy Manager to set password rules, like requiring secure passwords and having users reset theirs every so often.
3. Enable two-factor authentication (2FA)
If someone gains access to your email or another account, they might be able to gather enough information to reset your password and log in.
Two-factor authentication, most commonly abbreviated as 2FA, is a fantastic way to safeguard your online accounts against unwanted intruders. 2FA relies on a second step — typically your smartphone — to validate logins and verify that you are the owner.
You should ideally enable 2FA for each admin account. Under normal circumstances, an individual who successfully gains access to your email account could potentially find the login information for your WooCommerce store and other accounts.
But with 2FA, they won’t have the ability to physically validate the logins via your mobile device.
It’s true that adding this second step also adds a little more time to your login process. But it’s absolutely worth the peace of mind knowing that your sensitive data is safe.
You can implement two-factor authentication for free with Jetpack, and even choose to make it a requirement for all users on your website.
4. Block brute force attacks
Brute force attacks occur when hackers use bots to guess thousands of username/password combinations until they finally come up with the right one. Not only can this allow hackers to access your site, it can also negatively impact your load time due to the increase in store traffic. Preventing brute force attacks at the start can be incredibly effective for maintaining your site’s security.
Jetpack’s free brute force attack protection feature is a great way to stop them in their tracks. It automatically blocks malicious IP addresses before they even reach your site, so you don’t have to worry about them.
You can also view all of the malicious attacks that the tool has blocked — an average of 5,193 per site!
You can also use a WordPress plugin to limit login attempts on your site. Since most legitimate users won’t need more than a few tries to log in, this can be another effective protection against brute force attacks. For example, you might decide to block someone who tries and fails to login three times within a certain time period.
5. Regularly scan for malware
Malware is software developed with a malicious purpose, and it’s one of the most common forms of hacking. It can accomplish a variety of tasks, including redirecting site visitors to suspicious websites and skimming customers’ credit card information.
If a hacker does manage to gain access to your site or server and inject malware, you’ll want to know right away. Taking care of this as quickly as possible reduces the likelihood of you or your customers suffering harm, and helps you get back up and running quickly.
But you can’t manually monitor your site for malware at all times! That’s where a malware scanning solution like Jetpack Scan comes in. It’s like having someone guard your site 24/7, regularly searching for malware and vulnerabilities.
It sends you an instant alert if malware is found on your site so you can troubleshoot and fix the majority of known threats with one click.
6. Prevent comment and contact form spam
Spam can appear in a variety of ways on your WordPress site, from blog post comments to product reviews and even contact form submissions.
And it’s more than just an annoyance for visitors — bad actors can use spam to send customers to malicious websites, use your website to manipulate their search engine rankings (while tanking yours), and use your contact forms to trick your site visitors.
Your first step to preventing spam is in your WordPress settings. In your WordPress dashboard, go to Settings → Discussion.
Here, you can make changes like:
- Requiring authors to log in before submitting a comment
- Enabling a notification via email each time someone leaves a comment
- Setting manual approval for each and every comment left on your site
- Automatically marking comments as spam based on certain criteria, like number of links and certain words
You can also edit your settings for product reviews by going to WooCommerce → Settings → Products in your WordPress dashboard. For example, you can only allow verified product owners to leave reviews.
But your best defense against spam is with a plugin like Akismet. It prevents you from having to manually review each and every comment and form submission you have on your site by automatically getting rid of spam.
Akismet’s spam filter is 99.9% accurate, and doesn’t use annoying and challenging solutions like CAPTCHAs, keeping site visitors happy and engaged.
7. Use an activity log
With a WordPress activity log like Jetpack, you can keep an eye on everything that happens on your site — from updated pages and new products to user logins — along with who performed each action and when.
How can this help you?
It allows you to identify anything suspicious that might have occurred, like a security tool being deleted, a published page that you had nothing to do with, or a user login that you weren’t aware of. It also enables you to hold other site users accountable for the actions they take on your WooCommerce website.
8. Update your site software
The process of updating WordPress, WooCommerce, and your plugins or extensions is absolutely critical. Updates are released for a reason, and they often make your site more secure. By ignoring them, you could be putting yourself — and your customers — at risk.
In fact, 52% of all WordPress vulnerabilities are caused by out-of-date plugins. And this problem is very easy to solve!
The best way to approach this? Set aside a regular time to review your updates, make a backup, and deploy those updates to your site. If you don’t want to worry about it, you can also turn on the auto-update feature within WordPress.
9. Use a web application firewall
A web application firewall (WAF) acts like a 24/7 guard at the door of your website. It reviews each visitor behind the scenes, and decides to allow or disallow them based on certain rules.
Jetpack Firewall is one great tool that you can use. While it starts with a database full of known threats, it also adapts in real time based on what’s happening on your site. It automatically adjusts rules when it senses a threat, so your site is always protected.
You can also manually block IP addresses if you know of a specific threat, and allowlist certain ones so that administrators are never locked out.
10. Check and adjust your FTP settings
FTP (file transfer protocol) is used to transfer files between two devices. Through your hosting provider, you can create FTP accounts, which allow you to connect from your computer to your website server.
You can use these to make changes to your website files, or share access to your site with a contractor or team member without giving them your hosting login information.
But if a malicious actor accesses those accounts, they would be able to make any number of changes to your site.
Limiting the permissions on these accounts can reduce or even completely eliminate the potential for damage.
Ensure that only your FTP account can access the following folders:
- The root directory
- wp-admin
- wp-includes
- wp-content
For more details on locking down your FTP, check out this section of the WordPress Codex. Your host should also be able to help you take these precautions.
11. Regularly back up your WooCommerce store
If your site is ever hacked, a backup is the fastest and best way to get a clean version up and running again. But not just any backup plugin will do the job.
You want one that saves your site frequently (ideally in real time), stores multiple copies, and keeps those copies completely separate from your server, in case that’s compromised too.
And, of course, you’ll also need a way to restore a backup quickly, even if your site is inaccessible.
Jetpack VaultPress Backup is an excellent solution that checks all of those boxes. Here are some reasons it’s the best WooCommerce backup plugin:
- It takes real-time backups, which occur every time an action (purchased product, updated page, etc.) occurs on your site.
- You never have to worry about losing order information. Whether you restore a backup from five minutes ago or five days ago, all of your order information is saved up to the minute.
- You can restore with just one click. Don’t worry about a time-consuming, difficult restore process. Simply find the date and time you want to restore to and click a button, even if your website is completely down.
- It enables you to use an activity log to restore a backup. Filter through your site activity for a specific action that occurred, and restore to a point immediately before it took place.
- It saves redundant copies of your website on the same, secure servers that WordPress.com uses.
- You can restore your website from nearly anywhere with the Jetpack Mobile app.
12. Get an SSL certificate
A secure socket layer (SSL) certificate encrypts the information transmitted by customers on your ecommerce website, such as contact form submissions and credit card information. Not only is it absolutely necessary for the security of your ecommerce store, it’s also an important factor for SEO.
There are several ways to get an SSL certificate, but most hosts include them with their plans. If, for some reason, yours doesn’t, you can always use the free, open-certificate provider, Let’s Encrypt, to get one at no cost.
Learn more about SSL certificates.
13. Review your user permissions
While requiring strong passwords and two-factor authentication are excellent ways to secure user accounts, there’s one more step you should take: reviewing user permissions. By default, both WordPress and WooCommerce include a number of user roles that each come with set permissions.
For example, the Admin role is the most powerful, and includes full access to every element of your website. A Shop Manager, however, just has the capabilities needed to manage your online store, without the ability to edit files and code. You can review all of the user roles here.
Take the time to go through each user and make sure they have the minimum permissions necessary to do their job. If you don’t work with someone anymore, consider removing their account entirely.
Note: When deleting a user account, you’ll get the option to remove their content or attribute it to another user. Make sure to attribute it to another account, or it will be permanently deleted from your site!
What’s the best WooCommerce security plugin?
A high-quality WooCommerce security plugin is the absolute best way to get started with securing your site. And Jetpack Security — which also has an official WooCommerce extension — is an excellent solution for stores of any size. It was built specifically for WordPress, by the team behind WordPress.com.
While we’ve talked about some of its functionality, here’s a list of the security features that make it one of the WooCommerce security plugins:
- Real-time backups: Your site is saved in real time, so that you always have the latest version of your files, orders, and more. You can restore a backup even if your website is completely down from a desktop or the mobile app.
- Malware scanning: Benefit from automated scanning for malware and vulnerabilities that put your site at risk. You can also use this tool to fix the majority of known threats with just one click.
- Downtime monitoring: Know immediately if your site goes down — a common indication of a hack — so you can get it back up and running quickly.
- Anti-spam tools: Implement spam protection for comment and contact forms.
- An activity log: Keep track of every action taken on your site, and learn who performed each one and when it took place.
- A website firewall: Protect your website from bad actors and unsavory traffic.
- Brute force attack protection: Prevent brute force attacks that can compromise your website and customer information.
- Two-factor authentication: Add an extra layer of security on your login page by requiring a one-time code in addition to a password.
You’ll also benefit from world-class support from true WordPress experts. Learn more about Jetpack Security.
Want just some of these security features? You can install many of them as individual plugins, and some, like brute force attack protection, are completely free. See package options.
FAQs about WooCommerce security
Still have questions? Let’s answer some common ones.
Can a WooCommerce website be hacked?
Just like any website, it’s possible for WooCommerce stores to be compromised. However, WordPress and WooCommerce developers constantly work on improving the software and keeping WooCommerce secure.
If you use trusted tools (like hosts, themes, and plugins) and implement the best WooCommerce security tips discussed in this article, your site should be in excellent shape.
Which SSL certificate is the best for WooCommerce websites?
There are several different types of SSL certificates, including:
Domain-validated (DV)
This simply requires that you prove ownership of your domain name for validation. DV certificates are the most affordable and most common types of SSL certificates.
Organization-validated (OV)
OV certificates ask you to provide further information about your organization. This makes it a more expensive but more credible option.
Extended-validated (EV)
This requires even further information and documentation to prove your identity. It’s the most expensive and credible type of certificate.
Wildcard certificates
These allow you to protect an unlimited number of subdomains under a single domain.
The best one for your online business really depends on your specific needs. A DV certificate is an excellent starting point and will be sufficient for the majority of stores. However, as you grow, you may want to upgrade to an OV or EV certificate to further protect your data and bolster your reputation as a brand.
What should I do if my WooCommerce site is hacked?
If your online store has been hacked, take a deep breath and take the following steps:
1. Determine what happened.
If at all possible, try to figure out how the hack occurred. If you’re using an activity log, this can make the process much easier. Your host or developer may also be able to provide guidance and information.
2. Scan and repair your site.
Use a WordPress security plugin like Jetpack Scan to check your website for malware. If possible, use the one-click fixes available with Jetpack to remove and repair the problem. You can also manually remove malware or hire a developer to help.
3. Restore a backup.
If you’re not able to remove the malware or simply aren’t sure if your website is completely clean, restore a backup. If you’re using Jetpack VaultPress Backup, you can recover all of your order and customer information, even if you’re restoring a backup from a few days ago. And you can do so if your site is inaccessible.
4. Reset all passwords.
Once your website is clean, reset all of your passwords. This includes your WordPress user accounts, cpanel, hosting provider, FTP, database, and any other accounts associated with your site. If there are any suspicious users, remove them immediately.
5. Resubmit your site to Google.
If your WooCommerce site was blocklisted by Google, resubmit your website once you’re certain that it’s clean. Learn more about Google blocklisting.
6. Implement additional security measures.
Now, follow the WooCommerce security tips in this article to secure your site even further and prevent future hacks.
If you’re not comfortable handling this yourself, you can hire a trusted WooExpert to clean and restore your online store in full.
Want more information? Learn how to recognize a hack and how to fix it in this article from Jetpack.
Make WooCommerce security a priority
It’s easy to lose sight of security in all the hustle and bustle of launching or managing your store, but it’s not something you should take lightly. Keeping your customers’ data safe should be a top priority from the very beginning.
By following these simple steps, you’ll create the groundwork for a safe, trustworthy online business that’s well-protected in the rare event of an attack.
Original article written by Kathryn Marr >