9 Ways to Make Your WooCommerce Store More Secure

WooCommerce Security

Hackers present a tangible threat to online retailers and it’s more important than ever to ensure your website is guarded. One of the best ways to keep your store safe is to create a plan for addressing problems before they occur. This can save you major headaches down the road and it will also keep your customers’ information safe.

Sites built on WooCommerce and WordPress are tempting targets for cyber-criminals, due to their ubiquity and the types of data they tend to contain.

But, first, what are the hacks you’re defending your site from? Hackers are creative and have an arsenal of strategies. Depending on the circumstances, they might try some of the following:

Types of attacks:

  • Cross Site Request Forgery (CSRF): CSRFs trick trusted users into transmitting unwanted commands. These attacks are also popularly known as one-click attacks or session riding attacks.
  • Cross Site Scripting (XSS): Often confused with CSRFs above, these attacks involve tricking your site into displaying malicious javascript.  Two primary ways these attacks are mounted are via unsanitized url parameters ( reflection ) and product reviews or blog comments ( persistent ).
  • Brute Force Attacks: Brute Force Attacks attempt to gain access to data by trying multiple passwords or passphrases with the goal of eventually landing on the correct one.
  • Keylogger: Keyloggers are software or devices that secretly track keystrokes, giving insight on passwords and activity.
  • Denial of Service / DoS (or Distributed Denial of Service / DDoS): A DoS is engineered to bring a website down by overwhelming a target with requests and disrupting their ability to operate normally.
  • Injection Attacks: Injection Attacks are a class of attacks that inject malicious data into a website.
  • Clickjacking (or User Interface Redress Attack): Clickjacking tricks users into performing activities they don’t mean to, by hiding links beneath legitimate-seeming buttons and links.

Our coolblueweb developers have also seen:

  • Xmlrpc.php: A brute force attack that uses WordPress XML-RPC to place many commands within a single request.
  • Exploits on Outdated Versions: Attacks that take advantage of vulnerabilities in older versions of WooCommerce
  • Shady Plugins and Themes: Bad plugins and themes can compromise the overall security of your website.
  • Attempts to log/steal customer payment data: Once a hacker gains access to your web server, they will often try to log and steal your customers’ credit card numbers.

So what steps can you take to protect your website? We recommend implementing the following:

1.    Select a Strong Password

Creating a strong password is one of the simplest things you can do, yet it’s a step that is often overlooked. Yes, using your pet turtle’s name for your password does make it easy to remember, but it also leaves you vulnerable. Strong passwords should be:

  • Long
  • Random
  • Unique
  • Impossible to Remember

There are also password managers that help generate and store your security information. We like 1Password for storing and generating secure passwords.

WordPress 2.5 + also has a password strength indicator included. If it recommends a stronger password, pay attention.

2.    Don’t Choose a Default Administrator Name

This security measure can be easy to overlook, but if you choose easy-to-guess usernames such as “Admin” or “[Company Name]”, you’re removing one step from the login process, which makes it that much easier for a hacker to access your data.

3.    Implement 2-Factor Authentication

2-Factor Authentications add a second layer of protection to the login process. When users attempt to access their accounts, a message is sent to an associated cell phone or email account to confirm the user’s identity. Though this extra step can seem irritating in the short term, it’s worth weighing the long term protective benefits. Our devs recommend WordFence for implementing 2-Factor Authentication, as it also provides protection from brute force attacks, hacks within files and more.

4.    Check Your SSL Certificate

SSL Certificates are a vital part of any eCommerce store. In order to secure the checkout process on your website, you must buy a SSL certificate from a certified vendor in order to keep your customers’ data safe. Websites with SSL certificates have a padlock in the address bar of their browsers, as well as an https:// prior to their site address, both features that shape consumer trust.

Do you have an SSL certificate, but aren’t showing a padlock or https://? It’s time to get in touch with your developer to see if your plugins or themes might not be covered by the certificate, or if some troubleshooting will take care of the problem.

5.    Make Sure Your Hosting is Secure

The wrong host can also expose you to attacks, or leave you hanging after attacks do happen. It’s important to research your hosting plan and make sure you have access to free site restoration if something does go wrong, as well as server software that is completely up-to-date. Many hosts will also have preventative tools in place to keep an eye on your site and impede attacks. A common misconception is that you must have WP hosting if you’re operating a WordPress site. Talk with your developer to get insight into what will be the best fit for your needs.

6.    Use Nonces

Nonces are used to verify that a request is original and not duplicated. In WordPress, nonces are tokens made up of a combination of numbers and letters. They’re used to check the identity of the user performing a specific operation, helping to protect sites against CSRF attacks. Once the nonce expires, it cannot be used again.

7.    Keep Everything as Up-To-Date as Possible

This is general good practice for WordPress and WooCommerce. Neglecting to update sites and plugins is tremendously risky. When updates aren’t performed, opportunities arise for hackers to take advantage of the resulting holes.

It’s easy to procrastinate on updates, but doing so leaves your site at risk. Updates to plugins, themes and WordPress itself frequently address security concerns, so it’s important to be proactive. Make a plan with your developer regarding when and how updates will be performed and include time for backups and testing.

8.    Have a Backup Plan

Even if you do everything right, things can still go wrong. Make sure there’s a backup plan in place for your website. Whether it’s through hosting or a security plugin, having a backup will allow you to curtail any unexpected damage.

9.    Consider Installing a Strong Security Plugin

A good security plugin can be a lifesaver. It will help you create the backup plan addressed above, as well as providing options for restoration, should they be needed. Daily scans keep an eye open for fishy activity and some plugins even fight comment spam. Here at coolblueweb we like WordFence, but talk with your developer to see what plugin will be the best fit for your website.

Don’t let your site’s security be an afterthought! Taking steps to secure your site now and having a plan in place in case something goes wrong later will keep you and your customers protected. Coolblueweb has a variety of proven tools to secure WooCommerce sites against attackers. Contact us today at info@coolblueweb.com.

Sarah has been with coolblueweb since 2012. She enjoys dance, movies and laughing at inappropriate times.