WooCommerce recently became the most preferred eCommerce platform, powering around 28.14% of all online stores. From a security point of view, this means it is now attracting more web security threats than ever.
A study conducted by wpwhitesecurity.com revealed that 70% of WordPress installations are vulnerable to online attacks.
Alarming right? But this is how the cybersecurity landscape is nowadays. Hacking techniques are evolving, and perpetrators have a plethora of new and undiscovered infiltration tricks up their sleeves.
This is why cybersecurity is of the utmost consequence to e-store owners. It’s fundamentally important to be aware of best practices in security so that you can fight cyberattacks head-on, eliminate vulnerabilities, and safeguard your site from any malicious intent.
This article will give you all you need to know on WooCommerce security, so let’s begin!
Table of Content:
- How Secure is WooCommerce?
- 15 WooCommerce Security Tips for Supreme Protection
- Use the Latest Version of WordPress
- Invest in Reliable WooCommerce Hosting
- Use Strong Passwords
- Hide Author URL
- Use Security Plugins
- Regular Backups
- SSL Certificates
- Limit Login Attempts
- Disable File Editing by Admin
- Enable Two-Step Verification
- Disable Pingbacks and Trackbacks
- Disable Script Error Messages
- Remove Unwanted Files like Readme
- Protect Debug Logs
- Protect your wp-config.php File
- Last Word
How Secure is WooCommerce?
As you might already be aware, WooCommerce is a WordPress extension. Statistics suggest that every year, hundreds of thousands of WordPress websites get compromised. While this sounds appalling, to say the least, one good news is that it’s not WordPress’s core structure that is faulty. Research websites have cited other reasons, mainly external, for such a high number of data breaches.
The most common reasons include:
- Vulnerabilities in the web host account
- Security issues in the WordPress theme
- Loopholes in the third-party WordPress plugins
- Weak passwords
This suggests that if you take proper care, and proactively tie up all the loose ends of your WooCommerce website, then there is a high chance hackers will never be able to invade your space.
So let’s discuss the nitty-gritty of WooCommerce security without further adue!
15 WooCommerce Security Tips for Supreme Protection
Before we begin, please note that WooCommerce is essentially an extension of WordPress. Meaning, you install the WooCommerce plugin to an already functioning WordPress site. This is why most security tips focus at securing your WordPress site.
1. Use the Latest Version of WordPress
According to WP Scan Database’s WordPress vulnerability scans, most vulnerabilities have been found in WordPress’s 3.X versions. Ironically, only 62% of WordPress websites are running on versions 4.0 and above.
Each new update contains fixes to the vulnerabilities that were present in the previous one, so it’s crucial to update your WordPress website as soon as new versions are released.
In 2017, cracks in WordPress 4.7.1 were exploited to deface thousands of WordPress websites. However, a few weeks prior to the attack, WordPress released its version 4.7.2, which patched up all those gaps. Admins who had updated their version swiftly did not fall prey to those defacement attacks.
WordPress’s latest version, 5.4.2, came out on June 10th, 2020
2. Invest in Reliable WooCommerce Hosting
40% of WP websites were hacked because of vulnerability of the hosting accountA study by WP White Security
A lot of WooCommerce stores, especially the small ones, fall for the $5 p/m price tag and go for shared hosting. Truth is, shared hosting plans usually contain a lot of hidden costs, and don’t cover all security aspects of your website properly. Moreover, you’ll be sharing server resources with other websites. This makes you vulnerable to the cyber threats faced by those websites as well.
Managed hosting services are considered to be the best solution if you don’t want to compromise on the security of your website. The costing is transparent, and hosts will take care of all aspects of your site’s security, from monitoring to regular patching, and following security best practices.
For example, WebScoot offers managed WooCommerce hosting. We not only deploy the best security measures for our client websites but also monitor everything 24×7, and step in immediately to deal with issues, no matter the time!
3. Use Strong Passwords
To be honest, this step sounds pretty basic but statistics suggest that 80% of dictionary attacks are successful because people use weak passwords
In dictionary attacks, such as a brute force attack, hackers use advanced bots and programs to crack user’s login credentials. On average, they gain access to an account within 6 hours of trying. That’s how weak our passwords are!
The reason why most netizens fail at this basic step is that, when advisers say ‘strong’ passwords, they don’t exactly get how strong their passwords need to be. But don’t worry, you can follow certain standard protocols while setting or changing your password the next time:
- Make sure your password is unique, and hasn’t been used on other websites.
- Your password needs to be a complex mixture of alphabets, numbers, and symbols, so that it’s hard to guess.
- If you set a long password, with at least 15-20 characters, it will be harder for bots to crack.
- Use phrases that are rare, and cannot be easily linked to you, in case hackers decide to snoop around your social media account for clues.
Interestingly, you won’t have to wrack your brains too much to create a hard-to-guess combo. WordPress comes with a feature called ‘Better Passwords’, that generates strong passwords for its users.
4. Hide Author URL
Whenever you create an author account for your website, a URL like www.example.com/author/name is generated. This makes a hacker’s job one step easier, as he/she now only has to focus on finding the password for the author’s account.
It is advised to change the authors’ archives URL from the username. You can do so easily by changing the user_nicename under the wp_users table.
5. Use Security Plugins
A WordPress/WooCommerce website can’t achieve its full potential until and unless you attach plugins that enhance its functionality. WordPress offers a host of extensions (55K plus) in its repository. WooCommerce itself provides thousands of extensions built specifically for the platform on its extensions store.
It is recommeded to not install more than 1 or 2 plugins, as they can be a hassle to manage and can expose your website to even more vulnerabilities. Go for end-to-end solutions that take care of maximum security requirements for you.
Some of the top WooCommerce security plugins are:
Please note that plugins themselves can contain cracks that hackers can use to infect or access your website. It is essential to keep your plugins updated and conduct regular security patching.
6. Regular Backups
Why are backups so important? Imagine building your website from the ground up, only to loose all your data and configurations due to a website breach or updation error. Backups are the quickest way to revive your website to its last known configuration.
It’s recommended to take regular or daily backups of your website. You should keep multiple backups of your website handy, and also store them in an offsite location, perhaps in a different server. In case your website servers are attacked, your backups will remain out of the hacker’s reach.
You can consider the following plugins to automate backup tasks:
7. SSL Certificates
The ‘s’ in https stands for Secure Socket Layer (SSL) certificate. It is mandatory for websites to attach an SSL certificate to their domains, otherwise, search engines label them as ‘not secure’.
An SSL certificate ensures that communication between the website and its clients is encrypted i.e., any third party trying to listen in will not be able to decipher the data being transmitted. Not having an SSL certificate means your communication can be intercepted easily and sensitive data can be stolen.
At WebScoot, we provide free SSL to our clients as primary step for securing their store.
8. Limit Login Attempts
If hackers are conducting a brute force attack on your website, it means they are running bots or programs that are trying different login credentials to gain access to your website. If you limit login attempts, then your website will automatically block users that have exhausted the set limit of attempts. This will considerably reduce the attackers’ chances of coming to the right credentials.
Keep in mind that the attacker can use different accounts, so you should block IP addresses too. Another common practice is to increase the temporary block duration after every 4-5 attempts. This will give your threat response team buffer time to identify and deal with the attack.
You can find various plugins in the WordPress repository that will facilitate easy set up of lockdown attempt limits, lockdown durations, IP blacklisting, and IP whitelisting. Two such plugins are Cerber limit login attempts and the free WPS Hide Login.
9. Disable File Editing by Admin
Another WooCommerce security measure is to disable Edit Files from WordPress Admin. If a hacker is able to log in to your Admin’s account, then you wouldn’t want him/her to edit your store files.
To do this, add the following line of code to your wp-config.php file:
define( ‘DISALLOW_FILE_EDIT’, true );
10. Enable Two-Step Verification
Multi-factor verification or two-step verification will ensure that even if your password is compromised, hackers will not be able to enter your account.
A 2SV method will send you an OTP or pin once you’ve entered your login credentials. An OTP is typically sent on your phone or email, so the hacker will not be able to complete the verification process, because there is a slim chance of him having access to your phone and password at the same time.
11. Disable Pingbacks and Trackbacks
The pingbacks and trackbacks features of your WordPress website can be used to execute low-level DDoS attacks or send spammy notifications to your website. You don’t require this feature for your WooCommerce store, so it is better to disable it.
Add the following code to .htaccess file:
# START XML RPC BLOCKING <Files xmlrpc.php> Order Deny, Allow Deny from all </ Files> # FINISH XML RPC BLOCKING
12. Disable Script Error Messages
If your plugins or themes contain errors in their code script, then an error message revealing the complete path to your website’s root directory may be displayed on your web pages. This information is useful to hackers, as your root directory will contain your WordPress installation and website files.
Disable script error messages by adding the following code lines to your wp-config.php file:
error_reporting(0); @ini_set(‘display_errors’, 0);
13. Remove Unwanted Files like Readme
Your WordPress root directory, and many themes and plugins contain the readme.html file. Removing such files is important, as they can be used for fingerprinting or snooping.
They also contain information about the version of WordPress you’re using, which hackers can misuse. Other unwanted files include wp-config-sample.php files and install.php.
14. Protect Debug Logs
Developers often enable debug logs while installing WordPress or developing a theme or plugin. These debug logs record all PHP errors that occur during the development process. It’s obvious that if a hacker gets ahold of these, they will able to identify vulnerabilities in your website and abuse them.
WordPress uses the WP_DEBUG constant defined in wp-config.php to kick off the debugging mode. You should either remove this constant from the wp-config.php file, or set is as ‘false’ as given below:
define (‘WP_DEBUG’, false);
15. Protect your wp-config.php File
The wp-config.php file is a critical file containing your security keys (which encrypt the information in cookies) and database login information. In order to protect this file, you can:
1. Change permissions: WordPress documentation says that the permissions on the wp-config.php file should be set to 440 or 400, so that other users on the servers can’t read it. Typically, files located in the root directory are set to 644, which can easily be changed with your FTP client.
2. Move wp-config.php: config files are always located in the root directory. It is advisable to move these to a non-www accessible directory. Simply copy everything out of the config file into a different file. Then, in your wp-config.php file, include the following command to add your other file:
The above steps for WooCommerce security might seem like a lot, but the reality of today’s internet world has compelled store owners to not miss out on anything when it comes to their store’s security.
If you think we’ve missed out any tips, or have some interesting tricks to share, do mention in the comments below!