15 Best WooCommerce Security Tips To Keep Your Online Store Safe
Did you know that 29% of your website traffic has malicious intentions?
It is undeniable that markets have largely moved online. There are over 12 million e-commerce stores on the internet, and around 1 million of them make over $1000 per month. But with the increased volumes of e-commerce, WooCommerce security issues have also increased.
Customers still shy away from big online purchases due to the fear of data theft and credit card scams. So website security has to be a priority for anyone running an online business. Any security threats can severely hamper the business and result in data loss, customer complaints, and revenue loss.
Given that over 3 million e-commerce websites are on WooCommerce, it is important to ensure compliance with WooCommerce security guidelines. But how do you do that?
TL;DR: Secure your WooCommerce website in minutes with MalCare. Protect your data and your customers’ data without having to jump through hoops, so you can focus on other important aspects of your business.
Is WooCommerce Secure?
WooCommerce is built to offer a convenient and secure platform for e-commerce websites. Therefore, WooCommerce is secure by itself.
However, it does not protect you against external security threats such as hacks or brute force attacks. In order to secure the WooCommerce site from these threats, you must thoroughly secure your website with additional measures.
Here are 15 WooCommerce security tips to keep your online store safe. We have divided our security tips into categories to help you tick them off your to-dos easily, but the first one applies across categories.
WooCommerce Security Plugins
Security can be a daunting prospect and take up a ton of time. There are of course people who spend large chunks of their time blocking IP addresses, or whitelisting legitimate visitors from their firewall.
But, in our opinion, it is best to have a security layer and then tweak and fine-tune after the majority of the threats are taken away.
1. Install a Security Plugin
This is probably the most critical step you can take in order to secure your WooCommerce store. Installing a security plugin will scan your website at regular intervals and alert you of any security threats.
A security plugin compatible with WooCommerce, such as MalCare, will allow you to frequently scan your store, clean it up within minutes, and proactively block brute force attacks and other threats.
As WooCommerce deals with highly sensitive data, you simply cannot take the risk of using an unreliable plugin. To protect your WooCommerce site, you need a firewall to proactively defend your site against hackers.
As hackers are evolving their techniques with every passing moment, you also need a scanner that can detect disguised and hidden malware.
2. Get an SSL Certificate
An SSL certificate is a certificate that verifies the identity and safety of a particular website. Securing your website with SSL allows you to make sure that any data you transmit is encrypted while in transit.
Having an SSL certificate is vital for most websites, and is especially important for any website that requires users to input sensitive information like bank account details or passwords.
When you secure your website using SSL, a small padlock will appear next to the URL. This padlock confirms that your site is real, and any fakes can be immediately spotted since they will not have the padlock. Also, the URL changes from HTTP to HTTPS.
It is very easy to set up SSL on your website. Your hosting provider will often bundle it with your website if you are using a reputable one. Alternatively, use Really Simple SSL to set it up in minutes.
For a WooCommerce site, once you get an SSL certificate, go to WooCommerce > Settings > Advanced. Here, you can enable ‘Force Secure Checkout’.
This will further protect your e-commerce site and make your transactions more secure.
Quite apart from the security aspect, Google has steadily pushed for websites to move towards HTTPS, so much so that it will now penalize websites that are not secured with SSL.
You will see a “Site not secure” warning in the SERPs if your website doesn’t have SSL installed. Needless to say, this will have an impact on your online store.
WooCommerce Login Page Security
The login page is a bit like a target and is often bombarded by brute force attack bots. Bots are parasites of the worst kind, because not only are they trying to gain unauthorized access to your website, but they are also using up your site resources while doing so.
The upshot of this indiscriminate resource usage is that legitimate users will start finding it difficult to access your site. All in all, it is a dismal picture.
1. Enable Two-Factor Authentication
Another way to secure your WooCommerce login page is to implement 2-factor authentication.
Enabling this ensures that anyone attempting to log in to the WordPress dashboard will need to provide their credentials as well as a secure password that is generated in real-time. This could be a one-time password sent to a mobile number or a code generated on apps like Google Authenticator.
This eliminates any chances of hackers guessing combinations or taking advantage of weak passwords.
2. Change Your Default Username ‘Admin’
One of the easiest and quickest ways to increase WooCommerce security is to change your username and password away from the default. You can do this by adding a new user, logging in as that user, and deleting your old account.
To change your WordPress admin name, go to User > Add New.
Enter all the necessary details and make sure to use a unique username.
Now, create a new account and select ‘Administrator’ from the available WordPress user roles.
Once done, you need to log out of your wp-admin and sign back in with the new account. Now you can delete the previous ‘admin’ user account. Doing this will transfer all your previously created posts to the new account.
Alternatively, you can use plug-ins like Admin Renamer or Username Changer to replace your username.
3. Limit Login Attempts
Brute force attacks are a very common method of gaining access to your site. A brute force attack tests every single possible combination of words and numbers and uses that to find the password.
With newer technologies like AI and machine learning, hackers can break weak passwords in a matter of minutes. So while this can be defended against by changing your username and setting a strong password, it is not foolproof.
Therefore, the simplest solution is to limit login attempts from particular IP addresses. If, for example, one IP address tries to log in multiple times, you can set a limit for how many attempts that particular address is allowed.
A strong security solution like MalCare will take care of this for you. MalCare’s firewall automatically blocks brute force attacks against your website and secures it against malicious bots and attackers.
4. Implement geoblocking
Many bots originate from certain countries. Since you are managing your website, you know where you expect legitimate traffic to come from.
If your website logs start showing a spike in hits from a different country, chances are those are bots. Of course, you could have been running ad campaigns as well, so use this tip carefully.
It is possible to block entire countries from accessing your website. MalCare has a geoblocking feature, even though we don’t recommend using it too much. It is possible to block out good bots through careless use, like Googlebot for instance.
WooCommerce User Management
There are a few steps you should take to secure your website from the admin dashboard as well. The tips in this section are actually non-negotiable, from a security perspective. We recommend you implement all of them.
1. Require Strong Passwords for User Accounts
Store accounts can be complex. If there are multiple authors attached to your website, they are often granted admin access (even though it is not recommended).
But if everyone has access to your admin panel, this can make your store significantly more vulnerable. After all, the more people know a password, the less secure it is.
There are two solutions to this. The first is to simply keep access to yourself, which is often infeasible. The second option is to make sure that everyone uses strong passwords.
The easiest way to do this is via an extension, called Force Strong Passwords. This extension ensures that anybody registering must create a strong password, usually using a mixture of uppercase and lowercase letters, numbers, and symbols.
Due to the extension, standard words will not be allowed as passwords, making the passwords extremely hard to crack. This precautionary measure is worth installing, especially if you have a collaborative store.
2. Implement a User Management Policy
Somewhat related to our previous point, there are times when multiple administrators are required to manage your WooCommerce store. Having said that, it is always good practice to periodically review users, to see if any need to be removed.
Additionally, you should always adopt a least privilege policy. What is the least amount of control a person should have on your website to perform their work? That’s the level of control they should have, and nothing more.
3. Use an Activity Log
Again, when you have multiple users making changes to your website, you want to stay on top of those changes. An activity log is a very powerful tool to accomplish this. With detailed logs, you can see exactly who did what and when on your website.
Often, hackers try to get admin accounts to wreak havoc. So if an admin account is behaving strangely (in the logs) then that is an early sign that something may be amiss.
WordPress does not let you edit or access its files directly. To do this, you need to use an FTP client like File Manager. You can find several FTP clients in the plugins repository of WordPress.
1. Protect wp-config.php File
One of the most important files in your entire system, the wp-config.php file contains a large amount of sensitive information about your site.
It contains things like your WordPress security keys as well as your database connection details. If anyone were to get their hands on the file, they could do incalculable damage to your website.
The first step to protecting your wp-config.php file is to deny access to everyone except you. Alternatively, you can create a new config.php file and remove the sensitive data from your main wp-config.php file.
All you need to do is add a pointer that points to the sensitive data, so the sensitive data remains inaccessible but your website can function normally.
2. Prevent Editing of Certain Files
The file editor on your site is a major vulnerability. Since it allows users to run PHP code on your site, it makes hacking extremely easy. While the file editor is extremely useful, allowing you to edit the theme and plug-in files directly from the admin area, a vulnerability this major should not be left open.
Even if hackers are not a problem, access to the file editor should still be restricted because not every admin knows how to use it properly, and consequently, may break the site while trying to make changes.
Disabling file editing is extremely easy. File Manager should allow you to access all your files. Search for your wp-config.php file and open it. It should download the PHP file to your computer.
Open the file in a text editor like notepad and add the following line of code to the file, right before the line ‘That’s all, stop editing! Happy publishing’ :
define( ‘DISALLOW_FILE_EDIT’, true );
define( ‘DISALLOW_FILE_MODS’, true );
Now save the changes and upload the file back onto your website. File manager allows you to upload files as well. That’s it, your theme and plugin editors should be disabled.
3. Restrict Content Records
Unscrupulous people often use content scrapers to grab all the posts on blogs. Additionally, allowing free access to content records means that every single page on your site is accessible, even the sensitive ones.
To avoid security risks arising out of this, do the following.
When creating a new folder, make sure to add an index.html file. This will control user access, making sure that users can only find content that they are authorized to. Otherwise, anyone will be able to access your folder content simply by typing in the URL, without needing a password.
You can also make sure that your content records stay protected by using a plugin like Restrict Content and keep all your sensitive data safe.
Themes and Plugins
Since themes and plugins are extensions to your website, you have limited control over them. While using extensions from trusted sources helps, they may have vulnerabilities that can be exploited by attackers. So follow these rules to ensure that your themes and plugins are secured, as is your website.
1. Back-Up Your Website
Most security tips are only preventative, and not precautionary. Therefore, backups may not be what you expect when looking to strengthen your WooCommerce security.
Although, think about it. If your website is down, you stand to lose not just time and new orders, but customer data, previously placed orders, and a significant amount of revenue.
This is why backups are important. In case of hacks or downtime, you still maintain a repository of sensitive customer information and minimize your losses.
Even if your website is secure from external threats, certain theme or plugin updates can cause your site to act erratically and result in downtime. When your site is broken, fixing it can take hours. But if you have proper backups, you can easily restore the last safe backup and get your site up and running in no time.
As WooCommerce websites get frequent orders and requests, a real-time WooCommerce backup solution is best suited for them. Additionally, these backups must be stored in an encrypted format so that if any data were to fall into the hands of hackers, it would still be unreadable to them.
2. Keep Your Website Updated
Updates are how any technology improves. Developers use updates to improve functionality, speed, performance, and safety. Any bugs or vulnerabilities in your website are removed through frequent updates.
WooCommerce is also frequently updated for this purpose. Updating your website at frequent intervals secures it from prediscovered vulnerabilities which are easy access points for hackers.
Updating all elements of your websites including themes, and plugins will save you a lot of headaches in the long run. If you are a MalCare customer, you can update your website elements with a single click from the dashboard. However, if you wish to do so manually, there is a simple way.
Just go to Plugins> Installed Plugins>Update Available
From here, you can update whichever plugins you wish to update. Similarly, for themes, go to Appearance> Themes, and you can update whichever themes you have.
3. Never Use Nulled Themes and Plugins
We’ve seen this time and again; and we get it: it is tempting to use a free version of a premium plugin. But this comes with so many hazards, it is just not worth the small gains.
First of all, nulled themes and plugins are premium products with broken licenses. They often are used as lures for the unsuspecting, and contain backdoors. A website admin installs a nulled plugin, and the hacker has a red carpet entry into their website.
Secondly, nulled plugins and themes don’t get updates from developers. That means if a vulnerability is discovered in a version, and the developer releases a security patch, the nulled plugin doesn’t get it.
Therefore, the vulnerability continues to exist, and because the developers have released a patch, the vulnerability is now common knowledge. Thus begins hacker open season.
Finally, it is just not right. Developers are entitled to the gains from their work. Support developers and build the WordPress ecosystem.
Things not to do to secure WooCommerce
There is plenty of very bad advice floating around the Internet for WooCommerce security. Here are a bunch of things that you definitely shouldn’t do, because they aren’t worth the effort:
- Change your database prefix
- Hide your login URL
- Password protect core files
- Remove WordPress version number
In terms of security enhancements, these measures barely move the needle. However, they can cause havoc with the user experience.
Final Thoughts on WooCommerce Security
Now that stores are open 24*7, they need to be looked after 24*7 too. So any downtime can be disastrous, and the need for security is amplified by that much.
What more, an e-commerce business deals with sensitive and confidential company information. You cannot afford to let this information fall into the wrong hands.
But more importantly, your e-commerce website also deals with personally identifiable information (PII) which is customer-specific data. If leaked, it is not just bad for the brand reputation but you could also face legal penalties, lawsuits, and high costs in recovering from the data breach.
The stakes are too high to have any lapses in the security. So proactive and preventative measures are really important for WooCommerce websites.
To deploy a complete security ecosystem on your WooCommerce site, install the MalCare security plugin, and rest assured that our website security is well taken care of.
Is WooCommerce safe?
WooCommerce is a platform built for e-commerce sites. The platform provides a secure infrastructure for online businesses. However, there are various external factors to be considered when contemplating complete security. If you invest in a holistic security solution, WooCommerce can be a safe and secure experience for you.
Can WooCommerce be hacked?
Certain vulnerabilities within Woocommerce can be taken advantage of by hackers and attackers. WooCommerce comes out with frequent updates to stay on top of its vulnerabilities and with a robust firewall, you can keep out most of the pesky attackers and malware.
Do you need SSL for WooCommerce?
An SSL certificate will help you encrypt your site and secure your data to ensure that your website and store remain safe. It is highly recommended to get an SSL certificate for your WooCommerce website to strengthen its security.
How to secure WooCommerce site?
There are several ways to secure your Woocommerce site that include choosing a strong password, updating your website, backing up your website, using a security plugin, and getting an SSL certificate.
Is a security plugin necessary for WooCommerce?
While you can maintain the WooCommerce security without a security plugin, a plugin would make it a lot easier to do so. Security plugins are developed by experts which can comb through tons of data in seconds and find malware and vulnerabilities that are time-sensitive. Additionally, plugins clean up your website safely and securely, while adding an extra layer of security through a firewall.
Preeti is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Preeti distils the wisdom gained from building plugins to solve security issues that admins face.