WooCommerce Security – 27 Steps to a secure WordPress Store in 2020
E-commerce is big. As of 2020 it is a trillion-dollar mammoth, and wherever that much money moves, fraud and theft follow.
WooCommerce security is a major challenge for every store owner who uses WooCommerce to power their online business, and this article is exactly why
When customers trust you with personal information such as their e-mail address, credit card details, name, address and telephone number, it is your responsibility to protect that information, the card and contact details above all.
Depending on the kind of product you sell, the data you hold may go deeper still.
Just imagine: if one media outlet covers a security breach at your e-commerce website, you are done.
Your sales would drop drastically and, on top of that, you might end up being sued by your customers.
So if you are a WooCommerce store owner or developer, stop whatever you are multi-tasking on right now, close your other browser tabs and keep reading for the next five minutes.
In this article I walk through the steps you can take to secure WooCommerce.
1. Software updates - if you are not updating WordPress core and your plugins, you are killing your store daily 🙁
I cannot stress enough how important data security and information protection are.
WooCommerce has worked with the web security firm Sucuri to audit its code for vulnerabilities, and both WordPress core and WooCommerce ship security releases regularly. You must apply these updates to your installation as soon as they are out.
If sales are the most important business aspect of running your store, then installing updates, for core and for every plugin and theme, is the most important technical aspect of running an e-commerce store on WordPress and WooCommerce.
You may run into a developer who says "We cannot update right now, all the custom changes will be lost". Well, here is the thing: you should fire that developer immediately, because he is doing it wrong.
Customisations to WordPress and WooCommerce should only be made through hooks (actions and filters) in a site-specific plugin or a child theme, so that core, plugin and parent-theme files are never edited. Edited files cannot be updated without losing the changes, which in practice means they never get updated, and every known hole in them stays open.
If you feel your developer has already followed bad practices like these, then get in touch with us right now so that we can help you with a complete WooCommerce Site security audit.
Here are 4 important updates that you must always be watching for:
- WordPress Updates
- WooCommerce Updates
- Plugin Updates
- Theme updates
Updates are released for a reason: to close vulnerabilities and keep your website and store safe from attackers. If you ignore them you are putting your business and your customers at risk. Take a backup before updating, and test major updates on a staging copy first, so that an update is never something you are afraid to apply.
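To make the "hooks, not core edits" point concrete, here is what an update-safe customisation looks like. This is an added example, not code from the article: a tiny site-specific plugin (the file name, plugin header and text domain are illustrative) that makes the billing phone a required checkout field and validates it server-side through WooCommerce's own hooks (`woocommerce_checkout_fields`, `woocommerce_checkout_process`). Nothing inside the WooCommerce plugin or the theme is touched, so both can be updated freely.

```php
<?php
/**
 * Plugin Name: Store Customisations (added example)
 * Description: Update-safe WooCommerce tweaks done through hooks. Lives in
 *              wp-content/plugins/store-customisations/store-customisations.php
 *              (hypothetical path), never inside WooCommerce or the theme.
 */

defined( 'ABSPATH' ) || exit; // Only run inside WordPress, never when hit directly.

// Filter: make the billing phone a required checkout field.
add_filter( 'woocommerce_checkout_fields', function ( array $fields ): array {
	$fields['billing']['billing_phone']['required'] = true;
	return $fields;
} );

// Action: server-side validation of the submitted value. Never trust the
// browser: read the raw POST value, unslash it, sanitize it, then validate it.
// WooCommerce already reports an empty required field, so only check non-empty input.
add_action( 'woocommerce_checkout_process', function (): void {
	$phone = isset( $_POST['billing_phone'] )
		? sanitize_text_field( wp_unslash( $_POST['billing_phone'] ) )
		: '';
	if ( '' !== $phone && ! preg_match( '/^\+?[0-9][0-9 ().-]{5,19}$/', $phone ) ) {
		wc_add_notice( __( 'Please enter a valid telephone number.', 'store-customisations' ), 'error' );
	}
} );
```

Because the customisation lives in its own plugin, the dashboard updater or `wp plugin update --all` (WP-CLI) can update WooCommerce and the theme without overwriting anything, which is the whole point of the section above.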
2. Are you using a strong password? How strong is it really?
Using a strong password is really important.
Do not use the names of your friends or children as your password; it will not take a novice attacker long to rip your website apart once he or she has guessed it.
Here is a list of what your password should NOT be:
- a commonly used username or login name
- your name, or the name of a family member or friend
- a dictionary word; you have no idea how fast dictionary-based password crackers will get through it
- an old password, or one you already use on another website; credentials leaked from other sites are replayed against stores every day (credential stuffing)
- personal data such as your date of birth, house number or mobile number; these are easy to find and easy to guess
You can use a site such as Strong Password Generator (strongpasswordgenerator.com) to generate a strong password for WooCommerce. WordPress's own profile screen also has a Generate Password button, and a password manager will both generate and remember a unique password for every account.
Pro tip: the old advice was to change your password every month. Current guidance (NIST SP 800-63B) is different: forced rotation mostly produces weaker, predictable passwords. Use a long, unique password instead, change it immediately if you suspect a compromise or a site you use has been breached, and follow the rules above whenever you set a new one.
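The rules above are only advice unless WordPress refuses to save a password that breaks them. The strength meter WordPress shows on the profile screen is client-side and advisory; it can be ignored. As an added example (not code from the article), here is server-side enforcement of the list above through two WordPress core hooks, `user_profile_update_errors` (wp-admin profile and new-user screens) and `validate_password_reset` (the lost-password form). Function names, the 12-character minimum and the tiny denylist are my choices; in production the denylist would be a real breached-password corpus.

```php
<?php
// Added example (not from the article): reject weak passwords on the server
// before they are ever hashed and stored. Drop into a site-specific plugin.
// Function names and thresholds are illustrative.

defined( 'ABSPATH' ) || exit;

/**
 * Return the list of problems with $password (empty if it passes).
 * $identity holds strings it must not contain: login, e-mail, display name.
 */
function store_password_problems( string $password, array $identity ): array {
	$problems = [];
	$lower    = strtolower( $password );

	if ( strlen( $password ) < 12 ) {
		$problems[] = 'It must be at least 12 characters long.';
	}
	// Login, name and the local part of the e-mail are the first guesses an attacker makes.
	foreach ( $identity as $term ) {
		$term = strtolower( trim( (string) $term ) );
		if ( false !== strpos( $term, '@' ) ) {
			$term = strstr( $term, '@', true ); // part before the "@"
		}
		if ( strlen( $term ) >= 3 && false !== strpos( $lower, $term ) ) {
			$problems[] = 'It must not contain your username, name or e-mail address.';
			break;
		}
	}
	// Dates of birth, house and phone numbers: digits with optional separators.
	if ( preg_match( '/^[0-9\/.\- ]+$/', $password ) ) {
		$problems[] = 'It must not consist only of digits (dates, phone or house numbers).';
	}
	// Constructed mini denylist; replace with a real list (e.g. the Have I Been Pwned
	// corpus) in production. Dictionary-word checks belong here too.
	$denylist = [ 'password', 'password123', 'qwerty123456', 'letmein', 'welcome1' ];
	if ( in_array( $lower, $denylist, true ) || preg_match( '/^(password|qwerty|iloveyou)/', $lower ) ) {
		$problems[] = 'It is a commonly used password.';
	}
	return $problems;
}

/** Turn each problem into a WP_Error entry so WordPress aborts the save and shows the message. */
function store_add_password_errors( WP_Error $errors, string $password, array $identity ): void {
	foreach ( store_password_problems( $password, $identity ) as $msg ) {
		$errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
	}
}

// wp-admin profile / "Add New User" screens. $user->user_pass is only set when
// a new password was typed; it is still plaintext at this point.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ): void {
	if ( ! empty( $user->user_pass ) ) {
		store_add_password_errors( $errors, (string) $user->user_pass, [
			$user->user_login ?? '',
			$user->user_email ?? '',
			$user->display_name ?? '',
		] );
	}
}, 10, 3 );

// "Lost your password?" reset form: the new password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ): void {
	if ( $user instanceof WP_User && ! empty( $_POST['pass1'] ) ) {
		store_add_password_errors( $errors, (string) wp_unslash( $_POST['pass1'] ), [
			$user->user_login,
			$user->user_email,
			$user->display_name,
		] );
	}
}, 10, 2 );
```

What this cannot check is reuse across other websites; only a password manager (one unique password per site) and 2FA on the privileged accounts cover that gap.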
3. PCI Compliance
You need to make sure that your store is PCI compliant. PCI is short for PCI DSS, the Payment Card Industry Data Security Standard, which applies to every merchant that accepts card payments.
If you use a third-party payment gateway (such as Stripe or XPayments) that hosts the card form or redirects the customer to its own page, so that the card number never passes through your server, then most of the standard falls out of your scope.
You are not exempt, though: you still complete the short self-assessment questionnaire (SAQ A when the payment page or iframe is fully hosted by the provider; SAQ A-EP when your own page contains the form that posts card data to the provider), your checkout must be served over HTTPS, and you must never log, e-mail or store card data. If card numbers are entered on your own site and posted to your server, the full standard applies, and that is not something to attempt on a shared WordPress host.
4. SSL Certificate
The primary job of an SSL/TLS certificate is to enable HTTPS, so that sensitive information sent between the customer's browser and your server is encrypted and only the intended party can read it.
A certificate also authenticates your server, so that the browser can be sure it is talking to your site and not to a criminal's server set up to harvest your customers' data.
A further benefit of HTTPS is SEO.
Google announced in 2014 that HTTPS is one of its ranking signals (a lightweight one), so a secure site has a small edge in Google's search results.
How to gain customer trust using SSL certificates?
When your site is served over HTTPS, browsers display trust cues in the address bar: a padlock icon, and in older browsers the word "Secure" or a green bar for extended-validation certificates.
Such visual cues go a long way in instilling confidence in your visitors. Conversely, modern browsers label a plain-HTTP page that contains a login or card form as "Not secure", which is the last thing you want on a checkout page.
According to an ABC report, 71% of customers said they would rather buy from a website that shows these trust symbols than from one that does not.
They can be assured of their data's security, trust you more as a legitimate provider, and are more likely to buy from you.
I personally recommend getting your certificate through your web host; most hosts now issue free Let's Encrypt certificates and renew them automatically. Whichever route you take, a certificate that is merely installed does nothing by itself: set the WordPress Address and Site Address to https://, redirect all HTTP traffic to HTTPS and enable HSTS. You can also order a certificate from one of the following:
- NameCheap - I personally like them owing to their customer service
- Name.com - they are great as well
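Once the certificate is installed, HTTPS has to be made mandatory, otherwise a customer who types the plain-http address or follows an old link still submits the login form in the clear. As an added example (not code from the article), here is how to do that from WordPress itself: a `wp-config.php` constant plus a site-specific plugin that redirects and sends an HSTS header. The constant and hooks used (`FORCE_SSL_ADMIN`, `is_ssl()`, `template_redirect`, `send_headers`, `wp_safe_redirect()`) are WordPress's own; the file layout and the proxy scenario are assumptions. Doing the redirect in the nginx or Apache configuration is preferable when you control the server; this is the portable fallback.

```php
<?php
// Added example (not from the article): make HTTPS mandatory for the whole store.
// Part 1 belongs in wp-config.php, Part 2 in a site-specific plugin file.

// ---- Part 1: wp-config.php -------------------------------------------------
// Serve wp-admin and the login form over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

// Only if WordPress sits behind a TLS-terminating proxy or load balancer (assumed
// here): trust the forwarded scheme so is_ssl() is correct. Do this only when the
// proxy always overwrites the header; otherwise a client could spoof it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
	$_SERVER['HTTPS'] = 'on';
}

// ---- Part 2: wp-content/plugins/force-https/force-https.php (hypothetical) -----
defined( 'ABSPATH' ) || exit;

// Redirect every plain-HTTP front-end request to its HTTPS equivalent.
add_action( 'template_redirect', function (): void {
	if ( is_ssl() || wp_doing_ajax() || wp_doing_cron() ) {
		return;
	}
	// Build the target from the configured home URL, not from the Host header,
	// so a forged Host header cannot bounce visitors to an attacker's domain.
	$host   = wp_parse_url( home_url(), PHP_URL_HOST );
	$path   = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '/';
	$target = 'https://' . $host . $path;
	wp_safe_redirect( $target, 301 ); // wp_safe_redirect() refuses hosts other than your own
	exit;
}, 1 );

// HSTS: tell browsers to use HTTPS for the next year without asking. Send it only
// over HTTPS, and add includeSubDomains only once every subdomain (mail, staging,
// ...) is known to work over HTTPS, because the browser will enforce it for all of them.
add_action( 'send_headers', function (): void {
	if ( is_ssl() && ! headers_sent() ) {
		header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	}
} );
```

Check the result with a plain-HTTP request to the shop (it should answer 301 with an https:// Location) and with an HTTPS request (the response should carry the Strict-Transport-Security header). Mixed-content warnings that remain after the switch usually come from hard-coded http:// image or script URLs in the database and theme.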
5. Opt for a secure web host for your WooCommerce website
Your WooCommerce store's infrastructure is one of the most important aspects of running your store.
If your website is down for even 10 minutes, that is many visitors lost, and lost visitors are hard to win back, let alone turn into customers.
Worse, a web host with poor practices can end up exposing your data to attackers. That is why you should never settle for a $5 shared host for WooCommerce.
Note: there is of course the well-known DigitalOcean, whose prices start at $5 per month, but with DigitalOcean you are responsible for setting up everything yourself, from the web server and database to WooCommerce itself, and for keeping the operating system patched afterwards.
If you are not proficient at administering servers you can easily leave gaping holes in your store and put your customers and your entire business at risk.
Here is a list of recommended web hosts that are well known for uptime and security; you can use any of these for hosting WooCommerce.
- Inmotion Hosting (Read our detailed review of Inmotion Hosting)
- Siteground (Read our Siteground review for WooCommerce)
- Bluehost (Read WooCommerce special Bluehost review)
- WPEngine
For a more comprehensive run down on web hosting, read this article - Best web hosts for WooCommerce in 2016.
You might also like to take advantage of our Free WooCommerce setup service.
Always remember: just as location is the backbone of a physical store, a good web host is the backbone of an e-commerce website.
And when it comes to choosing a host for your e-commerce business, never compromise on quality to save a few dollars; buy the best host you can afford right now.
6. Buy themes and plugins only from reputed vendors
This is a no-brainer.
Invest in a good theme made by a reputed vendor. Free themes are fine for testing and getting started, and themes from the official WordPress.org directory are at least reviewed before they are listed; the dangerous ones are "free" or "nulled" copies of premium themes downloaded from random third-party sites.
But when it comes to running your store full time, make sure you buy a theme that is thoroughly checked for security vulnerabilities, developed by a team of professional designers and developers, and still receiving updates.
BONUS: Click here to download a list of our conversion ready WooCommerce themes.
About 2 years ago, I was helping an e-commerce store owner, Molly, with her marketing efforts. I spent about a week fine-tuning her online business and set up Google and Facebook ad campaigns.
On the day we set all the campaigns live, Google marked the website as containing malware and we lost all our hard work on the marketing efforts.
Not only this, Google also flagged the website's listing in the organic search results. This cut the website off from all the organic traffic it had been receiving.
Molly lost her entire business overnight 🙁
When I started investigating, the issue was pinned down to the free template, which had hidden links to a malicious website. Not that Molly's website was hacked; the developer had knowingly put those links there for monetary gain.
So what does all this boil down to? It is simple: use a legitimate theme from a reputed developer, and before activating any theme look through its files for hidden links and obfuscated code (encoded strings passed to eval, hidden or off-screen anchors, calls to remote URLs you do not recognise).
Here is a list of theme developers that I recommend everyone to use:
7. Use 2-Factor Authentication for WooCommerce
As the name suggests, two-factor authentication adds one extra step to your website's login process: you, or any user, must pass an additional check (typically a one-time code from an authenticator app) before gaining access to the WordPress back end or admin panel.
You can use the Google Authenticator plugin to implement two-factor authentication for WooCommerce.
Download this Complete Guide to setting up 2-Factor Authentication for WooCommerce.
Do remember that 2FA is a must for the higher-privileged accounts: administrators first, then shop managers and editors, in short every account that can make store-wide changes in WooCommerce.
You can probably skip 2FA for customer accounts, as it adds a barrier to their login and may be a turn-off for your users, depending on the kind of product you sell.
If you think implementing this super important security feature on your website is a hassle then let me do it for you, see more details here.
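What the second factor actually checks is worth seeing once, because it explains why 2FA stops a stolen password cold: Google Authenticator and similar apps implement TOTP (RFC 6238), a six-digit code derived from a shared secret and the current 30-second time step, so a password alone is useless without the device holding the secret. The following is an added example, not the plugin's code: TOTP verification in plain PHP, self-checked against the RFC 6238 Appendix B test vector. The function names, the one-step clock-skew window and the replay check are my design choices.

```php
<?php
// Added example (not from the article or the Google Authenticator plugin):
// verifying a TOTP second factor per RFC 6238 (TOTP) and RFC 4226 (HOTP).

/** Decode the base32 secret that the authenticator app was enrolled with. */
function totp_base32_decode( string $b32 ): string {
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$bits     = '';
	foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $char ) {
		$val = strpos( $alphabet, $char );
		if ( false === $val ) {
			throw new InvalidArgumentException( 'Invalid base32 character' );
		}
		$bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
	}
	$out = '';
	foreach ( str_split( $bits, 8 ) as $byte ) {
		if ( 8 === strlen( $byte ) ) {
			$out .= chr( bindec( $byte ) );
		}
	}
	return $out;
}

/** RFC 6238: HOTP (HMAC-SHA1 + dynamic truncation) over the time-step counter. */
function totp_code( string $secret, int $unix_time, int $digits = 6, int $period = 30 ): string {
	$counter = pack( 'J', intdiv( $unix_time, $period ) ); // 64-bit big-endian step number
	$hmac    = hash_hmac( 'sha1', $counter, $secret, true );
	$offset  = ord( $hmac[19] ) & 0x0f;                    // RFC 4226 section 5.3
	$binary  = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
		| ( ord( $hmac[ $offset + 1 ] ) << 16 )
		| ( ord( $hmac[ $offset + 2 ] ) << 8 )
		| ord( $hmac[ $offset + 3 ] );
	return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Accept the code for the current step or one step either side (clock skew),
 * comparing in constant time. $last_used_step is the step of the last code this
 * user logged in with; a code for that step or earlier is a replay and is refused.
 * Returns the accepted step (store it as the new $last_used_step) or null.
 */
function totp_verify( string $secret, string $code, int $now, int $last_used_step = -1, int $period = 30 ): ?int {
	for ( $skew = -1; $skew <= 1; $skew++ ) {
		$time = $now + $skew * $period;
		$step = intdiv( $time, $period );
		if ( $step > $last_used_step && hash_equals( totp_code( $secret, $time ), $code ) ) {
			return $step;
		}
	}
	return null;
}

// Self-check with the RFC 6238 Appendix B vector: the ASCII secret
// "12345678901234567890" (base32 form below) at T=59 gives 94287082 with
// 8 digits, hence 287082 with the usual 6 digits.
$secret = totp_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
assert( '287082' === totp_code( $secret, 59 ) );
assert( 1 === totp_verify( $secret, '287082', 59 ) );       // accepted, step 59/30 = 1
assert( null === totp_verify( $secret, '287082', 59, 1 ) ); // same code again: replay, refused
assert( null === totp_verify( $secret, '000000', 59 ) );    // wrong code
```

A real plugin stores the per-user secret in the database, so the database backup and the server itself must be protected as carefully as the password hashes, and login attempts against the code should be rate-limited: six digits is only a million possibilities, which is plenty when a window closes every 30 seconds and replays are refused, but not against an unthrottled attacker.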
8. Install a powerful security plugin for WordPress
If you do not have a full-time tech person for your WooCommerce website to take care of security issues, then a security plugin is a must have.
I would recommend using Wordfence.
This plugin is literally the security gatekeeper for your WooCommerce installation. And the best part? The core features are free (a paid premium tier adds real-time threat data).
You work hard to take care of your customers, making sure their orders ship on time so that they stay happy; security should be one less hassle you have to involve yourself with.
Instead, let the experts do it for you. Wordfence, although free, is nothing less than an expert at protecting your website and business from the bad guys.
Here is a broad list of the security features that the plugin provides in order to make sure your e-commerce business, powered by WooCommerce, does not fall prey to hackers and information thieves:
- Real-time blocking
- Login security
- Security scanning
- A firewall for WordPress
- Live monitoring features
- Multisite security
Wordfence also draws on a global threat feed: when an attacking IP or a new malware signature is identified on other Wordfence-protected sites, your installation is updated to block it too (premium customers receive the feed in real time; the free tier gets it after a delay).
There are other security plugins as well, but Wordfence has more than a million installations in the WordPress plugin directory and its makers actively update it. Remember, though, that a plugin runs inside WordPress itself: it does not replace timely updates, strong passwords and 2FA, and it cannot help once the server underneath it is compromised.
9. Put backup systems in place
If an attacker manages to get into your WooCommerce admin panel, steals all the customer data and then deletes everything on the server, what are you left with?
You will already have lost your customers' trust. Worse, without a backup you will not even have their contact details to notify them of the theft, as data-protection laws such as the GDPR require. Backups must therefore be automatic, stored off the web server (not in a folder under the web root that the same attacker can delete), cover both the database and wp-content, and be restored at least once on a test site so you know they actually work.
As someone who has had his entire business taken down by hackers once, no one understands this pain better than I do.
The only way I could have saved my business was with backups, but only if I had set them up in time! You do NOT want to be in my place.
Here are some great backup services that you could use for your WooCommerce website:
If you are confused by the options above and need help setting up each of these services, read my detailed guide titled The Ultimate WooCommerce Backup Hunt.
10. Follow WordPress best practices for total security
Let's get this straight once and for all: WooCommerce is based on WordPress.
So if you harden WordPress and make it secure, you have already won more than half the battle.
Here are 17 quick one-time fixes that you should make to your WordPress installation right now, so that your WooCommerce-based online business is as free as possible of holes and easy targets for attackers: