Guide for Securing WooCommerce Websites
WooCommerce is one of the most popular, free, and flexible eCommerce solutions to build online stores. With more than 48 million downloads, it powers over 28% of all eCommerce sites.
This vast popularity has also made WooCommerce one of the prime targets for hackers and other cyber fraudsters. If you are running a WooCommerce store or planning on building one, you may want to know the things that you can do in your store to keep it secure.
Although WooCommerce and WordPress come with built-in security features, practicing some basic security measures would add an extra layer of security to your WooCommerce store.
This article lists some of the important and most effective security tips that you can apply on your website to provide your WooCommerce customers with a safe and secure shopping environment at your store.
Let’s find out what they are and how they work.
Choose a Reliable Hosting Provider
Choosing a reliable and secure hosting provider is the first step to ensuring the security of your WooCommerce store. Security should be one of the important things that you should look for in your hosting provider.
You can make use of the below checklist to understand how your potential host handles the security of the websites hosted by it.
Network monitoring – By constant monitoring, it will be able to keep an eye out for suspicious traffic or incidents and prevent the attack early on.
Antivirus and malware scanning
Secure FTP – Make sure your hosting provider supports SFTP, the secure version of FTP.
Use Strong Passwords
Accounts having weak passwords are often victim to brute force attacks. This makes it important to choose a strong password for all the accounts associated with your WooCommerce store.
Stronger passwords are a combination of capital letters, lowercase letters, numbers, and symbols. Such complex and lengthy passwords will make it hard for hackers to crack them.
If you don’t wish to spend time creating secure passwords, WordPress has a built-in feature “Better Passwords” that generates a strong password for its users. You can also make use of the chrome secure password generator to create and manage your passwords for you.
Avoid Using “Admin” as Your User Name
Most websites follow the user name password combination to log in to websites. And many WooCommerce owners use Admin or their Store name as the user name for their account. This makes your website vulnerable to attacks as they target admin accounts having complete authority over your site.
Hence, it’s best to not use “admin” as your admin user name. You can change your WordPress admin name by navigating to User > Add New on your WordPress dashboard.
Enter all the required details and choose a unique username. Now, create a new account and select ‘Administrator’ from the available WordPress user roles.
Click the Add New User button.
Now you need to log out of your wp-admin and log in with the newly created account. You may delete the previous ‘admin’ user account.
Enable Two-factor Authentication (2FA)
Implementing two-factor authentication is another big step towards securing your WooCommerce store.
Once you enable this feature in your WooCommerce store, whoever attempts to log in to the WordPress dashboard will need to provide their credentials as well as a secure password that is generated in real-time. This could be a one-time password sent to a mobile number or email Id.
This mechanism prevents unauthorized individuals from accessing your website even if they have the password. The only down-side of this procedure is that it takes longer for you to log in to your store.
Add SSL (Secure Socket Layer) Certificate
Most websites URL’s contain HTTPS as its prefix. But there are some websites URL’s having HTTP as their prefix or showing not secure on the address bar, what does that imply?
These websites are considered to be not secure as they don’t have an SSL certificate installed in it. When you add SSL to your website its URL prefix changes from HTTP to HTTPS ie; the secure version.
SSL is important to ensure the secure transmission of data between the user’s browser and your WooCommerce store. Most hosts offer a free SSL with their package or you can purchase one and add it to your website using a WordPress plugin.
Running your WooCommerce store without an SSL certificate could affect your business in multiple ways. First of all, people would not trust your website with their payment information to make transactions and Google will not rank your website for top-results both of which will heavily affect your traffic and ultimately sales.
Limit Login Attempts
This is an important prevention mechanism against brute force attacks, which is one of the most common methods used by hackers to break into your website.
This sort of attack will have a huge chance of success if carried out by bots since bots are capable of trying thousands of combinations in just a second. Even those strong passwords you created may not stand such attacks.
Hence the best way to avoid such attacks is by limiting the failed login attempts on your website’s login page. As WordPress’s default setting allows its users to login as many times as they want, you will have to look for some other ways to enable this for your WooCommerce store.
You can either use a web application firewall or a WordPress plugin to configure limited login attempts for your website.
Keep Your Site Updated
WordPress and WooCommerce roll out frequent updates to solve the security issues in the previous versions and for adding new features. As WooCommerce is built on WordPress, a given WooCommerce site is overall exactly as secure as the WordPress installation itself. This points to the need to update your WordPress version when a new update is released.
If you are currently running on WordPress 4.3.x and 4.4 version is out, its not compulsory to update to the new version. Whereas if a 4.4.2 is released, you have to update to this version asap since the last digit “2” indicates that it’s a security update.
Before starting with the update process, it’s recommended to create a backup of your website’s data, should something go wrong with the update. It also a best practice to test major updates on a staging site first.
Thus, all in all, keeping your WooCommerce store properly updated will help you a long way in keeping it secure.
Perform Regular WooCommerce Backups
Unlike regular websites, losing your WooCommerce store’s data can have disastrous effects as it contains your customer data, order data, etc., that have a huge impact on your website’s revenue.
Thus it’s necessary to keep a backup of your store to avoid the risk of losing all your precious WooCommerce data. You can create website backups in 3 different ways; manual backup, automatic backup via plugins, and back up by your host.
You can choose whichever way you feel comfortable to create backups. If you plan to use a plugin, UpdraftPlus would be a great choice as it offers you several storage locations and allows scheduled backups with its free version itself.
Enable Web Application Firewall
Running a Web Application Firewall helps protect your site against any malicious traffic before it even reaches your website. There are two types of firewall; DNS level website firewall and an application-level firewall. You can add a firewall to your website using one of the WordPress plugins.
Wordfence plugin is a great option for adding a firewall to your website. A recent attack campaign aimed at harvesting database credentials from 1.3 million sites by downloading their configuration files was effectively blocked by websites running on either free or premium versions of Wordfence.
A firewall is a must for your website if you wish to protect your WooCommerce store from any sort of attack targeted at it.
Choose your Plugins and Themes Wisely
Undetected plugin and theme vulnerabilities could pave way for attackers to break into your website and cause damage. Thus you should make it a point to choose only the plugins and themes that are regularly updated. Since free versions may not be updated as frequently as their premium versions, it’s best to go for premium versions to ensure updates and support.
But, if that’s not possible make sure that all the plugins and themes on your websites are frequently updated and to deactivate and delete any plugins that have been removed from the WordPress plugin repository as soon as possible.
Use a Secure Database Password and Change Database Prefix
As mentioned above, attacks targeted at your website database are also increasing which points at the need to secure your MySQL database password and username. If you think your website’s database has a weak password than swap it for a stronger one.
Database prefix also needs to be changed as WordPress uses wp_ as the prefix for all tables in your WordPress database by default, which makes it vulnerable to attacks (as it’s easier for hackers to guess the table name).
Use a Security Plugin
If you are unable to manually handle all the security requirements of your store, you can add a security plugin to your site and let it handle all the tasks of keeping your site secure. Most security plugins come with some of the important features such as web application firewall, malware scanner, site security activity auditing, limited login attempts, and blacklist monitoring, etc.
Here are some of the most popular security plugins for your WordPress-WooCommerce website.
Wordfence
Sucuri
All in one WP Security
iThemes Security
All these plugins come with both free and premium versions. Based on your requirements and plugin features you can choose either their free or premium version.
Practice the Principle of Least Privilege
The principle of least privilege is the idea that any user should have only the bare minimum privileges necessary to perform its function. This eliminates the misuse of user privileges and reduces the damage should an attack occur.
It is also a best practice to log out of a system if you do not need to use it and to stop yourself from clicking links in emails, chats, etc., while you are logged in to your account associated with your store.
Disable Pingbacks and Trackbacks
Pingbacks and trackbacks are methods for alerting blogs that you have linked to them. But it’s better to disable them in your WooCommerce stores as it may cause your website to receive a huge amount of spam.
You can easily disable this in your website by deselecting the feature by navigating to Settings > Discussions from your WordPress dashboard.
Use Secure Payment Gateways
Payment gateways are an integral part of WooCommerce stores. It’s very important to add the most secure payment gateways in your store to ensure the security of both your and your customers’ data. Stripe, PayPal, Authorize.net, etc., are great options for secure payment gateways.
Summary
The article has listed 15 important and most effective ways you can try in your WooCommerce store to keep it secure. Here is a quick look at each of them.
- Choose a Reliable Hosting Provider
- Use strong passwords
- Avoid using admin as your user name
- Enable two-factor authentication
- Add SSL (Secure Socket Layer) Certificate
- Limit Login Attempts
- Keep your website updated
- Perform regular backups
- Enable web application firewall
- Choose plugins and themes wisely
- Use a secure database password and change the database prefix
- Use security plugins
- Practice Principle of Least Privilege
- Disable Pingbacks and Trackbacks
- Use Secure Payment Gateways
If you have any better suggestions for securing WooCommerce stores please share them in the comment section and help ensure better security for all WooCommerce stores.