The WooCommerce plugin is a blessing for the eCommerce industry. Whether you are an independent seller, a start-up, or an established brick-and-mortar store owner who is taking your business online, WooCommerce is for everyone. Clean and attractive designs, customization options, and ease of use have made it one of the most user-friendly eCommerce plugins for WordPress websites.
How Can I Secure My WooCommerce Store?
With hacking incidents reported every day, security has become a top priority for any website. eCommerce websites are especially exposed because they handle customers' payment and personal details: card numbers, bank details, addresses, and login credentials. (Card verification codes such as the CVV must never be stored after a transaction is authorized, so a store should keep as little payment data as it can.) A single data breach can do severe damage. In this article, we'll discuss several ways to secure your WooCommerce store.
Tips To Protect Your WooCommerce Website
Check Your Webhost's Security Measures
Choosing the right web host is crucial for security. If the only criterion you use to select a hosting provider is the cheapest rate, you are setting your business up for failure. Choose a web host that provides multiple layers of security.
Research the features each web hosting plan offers. Do you see any or all of the following phrases?
- Up-To-Date Server Software
- Secure DDoS Defense
- Hack Protection
- Automatic Backups
- Daily Malware Scan
- Attack Monitoring and Prevention
- Malware Protection
- Email protection
- Spam protection
Select the hosting provider that offers the majority of these security features. If you can’t find such features in a particular hosting plan’s product information, contact the hosting company’s customer care department and ask about their security features. If they charge extra for some of these security measures, include that price in the overall hosting cost while comparing the plans.
Bonus: Choosing the right hosting company can significantly improve your website speed, which ultimately boosts your SEO efforts.
Prevent Brute Force Attacks by Capping Login Attempts
Brute force attacks are popular with attackers because they are cheap to run and effective. A bot hammers the site's login page with a large list of username and password combinations, either every combination from a wordlist (a true brute-force attack) or, more often, credentials leaked from other sites' breaches (credential stuffing), until a combination is accepted.
WordPress makes this easier because, by default, it allows unlimited login attempts. You can blunt the attack by limiting the number of failed attempts a user (or a client IP address) can make in a given period. Once, say, three to five attempts fail, the system temporarily blocks further attempts from that user or address for a couple of hours. Remember that the same credentials can also be submitted through xmlrpc.php, so limit or block that endpoint as well (see the .htaccess rule later in this article).
To enable this limitation, install a plugin such as Loginizer, iThemes Security, Limit Login Attempts Reloaded, or WPS Limit Login. They offer the lockdown feature and are easy to install and use.
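As an added illustration (not code from the original article or from any of the plugins named above), the Python class below implements the lockout logic such a plugin applies: failures are counted per client IP and username inside a sliding window, and hitting the limit triggers a temporary block that even a correct password cannot bypass. The attempt log, the IP addresses (taken from documentation ranges) and the thresholds are constructed for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Temporary lockout after repeated failed logins.

    Failures are counted per (client IP, username) inside a sliding window;
    once the limit is reached the pair is locked for `lockout_seconds`, and a
    correct password does not unlock it early. That is the point: while locked,
    a bot cannot tell a correct guess from a wrong one.
    """

    def __init__(self, max_failures=3, window_seconds=900, lockout_seconds=7200):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> unix time at which the lock expires

    @staticmethod
    def _key(ip, username):
        return (ip, username.strip().lower())

    def is_locked(self, ip, username, now=None):
        now = time.time() if now is None else now
        key = self._key(ip, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]  # lock has expired; forget it
            return False
        return True

    def attempt(self, ip, username, password_ok, now=None):
        """Process one login attempt and return 'allowed', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        key = self._key(ip, username)
        if self.is_locked(ip, username, now):
            return "locked"  # do not even evaluate the password while locked
        if password_ok:
            self._failures.pop(key, None)  # a successful login resets the counter
            return "allowed"
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()  # drop failures that fell outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            self._failures.pop(key, None)
            return "locked"
        return "denied"


# Constructed attempt log: (seconds, client IP, username, password correct?).
SAMPLE_ATTEMPTS = [
    (0,    "203.0.113.7",  "admin", False),
    (1,    "203.0.113.7",  "admin", False),
    (2,    "203.0.113.7",  "admin", False),  # third failure -> lock for 7200 s
    (3,    "203.0.113.7",  "admin", True),   # right password, still locked
    (5,    "198.51.100.4", "admin", True),   # different IP, not locked
    (7203, "203.0.113.7",  "admin", True),   # lock has expired
]


def replay(attempts, **kwargs):
    """Feed a list of attempts through a fresh throttle and return the decisions."""
    throttle = LoginThrottle(**kwargs)
    return [throttle.attempt(ip, user, ok, now=t) for t, ip, user, ok in attempts]


if __name__ == "__main__":
    for (t, ip, user, ok), decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:>5}s {ip:<13} {user:<6} password_ok={ok!s:<5} -> {decision}")
```

Keying on the IP and username together means a distributed attack that rotates addresses is not stopped by this alone, while keying on the username alone would let an attacker lock your own administrators out; a real plugin usually combines both with a per-IP ceiling, and a firewall in front of the site handles the distributed case.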
Change the URL and File Locations
The fundamental requirement of a brute force attack is access to a site's login page, where the attacker's script can submit its list of usernames and passwords. Attackers may also obtain your credentials in other ways (phishing, a password reused from another site's breach), and once they are logged in to your WooCommerce admin panel, the damage they can do is enormous. What if they cannot find the login page in the first place?
The default login URL in WordPress is yoursite.com/wp-login.php (yoursite.com/wp-admin redirects there). If you move it to a unique URL such as www.yoursite.com/redrosesloginpage.php or www.yoursite.com/ihaveakitty.php, only someone who knows the URL can reach the login form, so an automated attack against the default path gets nothing. You can change the URL with plugins such as iThemes Security. Treat this as defense in depth rather than a primary control: it hides the form from bots, but a renamed URL can leak through links, browser history, or referrers, and xmlrpc.php still accepts credentials unless you block it, so keep login limiting and 2FA in place as well.
- A website's WordPress database is also a gold mine for hackers. By default every table name starts with the prefix wp_ (wp_users, wp_options, and so on), which makes the schema predictable for automated SQL injection tools. You can change the prefix to something unique such as johndoewp_, coolwp_, or mynewwp_. On a new install, set $table_prefix in wp-config.php before running the installer; on an existing site the tables must be renamed and the prefixed rows in the options and usermeta tables (user_roles, capabilities, user_level) updated to match, which security plugins can do for you. Take a backup first.
- Move wp-config.php out of the web root. WordPress automatically looks for it one directory above the directory that holds the WordPress files, so placing it there, outside the document root, keeps it unreachable if the web server ever serves PHP files as plain text.
Encrypt the Data Transmission
When someone enters financial information (such as a card number, CVV, and expiry date) or personally identifiable information (PII) (such as full name, email address, password, home address, or phone number) on your WooCommerce store, that data travels across networks you do not control. Over plain HTTP it is transmitted in plaintext.
Anyone positioned on the path, on public Wi-Fi, at a compromised router, or at an ISP, can read and reuse plaintext traffic, and you cannot stop them from seeing the packets. What you can do is encrypt the connection so that whatever they capture is useless to them.
To do that, install an SSL/TLS certificate on your website and serve every page over HTTPS. The certificate lets the browser authenticate your server, and the TLS handshake then negotiates a session key for the connection. Typical certificates use a 2048-bit RSA key (or an elliptic-curve key) for the signature, and the connection itself is encrypted with a 256-bit symmetric cipher such as AES-256, which is computationally infeasible to break. That is how all data exchanged between your customers and your server stays confidential. Redirect every page to HTTPS, not only the checkout, and consider enabling HSTS so browsers never fall back to HTTP.
Many hosts offer free domain validated (DV) single-domain certificates, for example from Let's Encrypt. The encryption these provide is exactly as strong as that of a paid certificate; what you do not get is the warranty and support that commercial certificate authorities attach to their products. The warranty covers losses caused by the CA mis-issuing a certificate, not "the encryption failing". If you want that assurance and your hosting provider allows third-party certificates, a commercial DV certificate can cost as little as $10/year with a $50,000 warranty. Whichever you choose, automate renewal: an expired certificate breaks checkout as surely as a missing one.
Bonus: with HTTPS enabled, browsers drop the "Not secure" warning from the address bar and show a padlock in front of your domain name. Google also treats HTTPS as a ranking signal on its search engine results page (SERP).
(Screenshots: the browser address bar without an SSL/TLS certificate, showing the "Not secure" warning, and with an EV SSL/TLS certificate.)
Install Two-Factor Authentication (2FA)
Many organizations, especially financial institutions, now require two-factor authentication from their users. When users log in or make a transaction, they must pass a second check in addition to their password, typically a one-time password (OTP) or verification code delivered by an authenticator app, SMS, or email.
You can enable two-factor authentication on your WooCommerce store's login page, and it is free with the Google Authenticator plugin. The plugin can also send the verification code by SMS text message, so a phone without an internet connection can still receive one. Prefer app-generated codes (TOTP) where you can: SMS codes can be intercepted through SIM-swap attacks, and authenticator apps work offline anyway, because the code is computed from a shared secret and the current time rather than received over the network.
In fact, you should offer 2FA on all your customers' accounts as well, so that even if their login credentials are compromised, no unauthorized person can log in.
Keep All IT Hardware and Software Updates and Patches Current
Many software and plugin developers release updates to fix vulnerabilities in previous versions of their products. Update your WooCommerce plugin as soon as an update is released; in fact, update all WordPress components (core, themes, and plugins) as soon as updates or patches roll out. Why is this so important? Because updates exist for a reason: developer teams continually monitor their software to identify and eliminate vulnerabilities, and once a fix is public, attackers can read it and exploit sites that have not applied it. Remove plugins and themes you no longer use, since their files remain on the server, and test updates on a staging copy of the store if you have one.
Note: Managed WordPress hosting plans such as Kinsta, Bluehost, WP Engine, FastComet, SiteGround, and Flywheel can automatically update all WordPress components.
Implement Stronger Password Protection Method
If you take passwords seriously and never use a weak one, that's great. But can you guarantee that your customers, vendors, and other users (employees, co-admins, and so on) who also have logins on your website are as careful?
In reality, people tend to choose passwords that are easy to remember: a date of birth, a parent's or spouse's name, a pet's name, a common word or phrase. The UK's National Cyber Security Centre reports that "123456" was the most common password used in 2018! You must ensure that everyone with a login on your WooCommerce store, whether co-admin, partner, employee, or customer, has a strong password. A good policy insists on length (twelve characters or more), rejects passwords that appear in breach lists, and rejects passwords containing the username or store name. The Force Strong Passwords plugin enforces strength requirements on all of your site's users.
You can also use a password manager such as 1Password or LastPass to generate and store a unique, random password for every account.
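The following added example (not code from the original article or from the Force Strong Passwords plugin) shows, in Python, the checks a strong-password policy performs, plus the k-anonymity lookup used by the Have I Been Pwned "Pwned Passwords" range API: only the first five hex characters of the password's SHA-1 hash leave your server, and the returned suffixes are matched locally. The range response embedded here is constructed (the counts are invented) so the code runs offline, and the deny list is a tiny stand-in for a real breach list.

```python
import hashlib

# Constructed deny list standing in for a real breach list (hundreds of
# millions of entries in practice); "123456" is the one the article mentions.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111", "12345678",
    "abc123", "1234567", "password1", "12345", "letmein",
}


def password_problems(password, username="", site_name="", min_length=12):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    for label, token in (("username", username), ("store name", site_name)):
        if token and len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains the {label}")
    if len(set(lowered)) < 5:
        problems.append("uses fewer than five distinct characters")
    return problems


def hibp_range_query(password):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    Pwned Passwords range API and the 35-char suffix that never leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix; the
    server cannot tell which of the suffixes it returned we were after."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def _constructed_range_response():
    """Stand-in for the API body for the prefix of "123456": its real suffix
    plus made-up neighbours. The counts are invented, not breach figures."""
    _, suffix = hibp_range_query("123456")
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{suffix}:37359195",
        "D2CC8C5E4B05F1B23E1F4A9B3C11A7A0E01:1",
    ])


SAMPLE_RANGE_RESPONSE = _constructed_range_response()
# Keyed by prefix, the way responses from https://api.pwnedpasswords.com/range/<prefix>
# would be cached; only the one constructed range is present.
CONSTRUCTED_RANGES = {hibp_range_query("123456")[0]: SAMPLE_RANGE_RESPONSE}


def is_breached(password, fetch_range=lambda prefix: CONSTRUCTED_RANGES.get(prefix, "")):
    """True if the password's hash suffix appears in the range for its prefix.
    In production, pass a fetch_range that performs the HTTPS request."""
    prefix, suffix = hibp_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix)) > 0


if __name__ == "__main__":
    for pw in ("123456", "admin2020!", "correct horse battery staple"):
        print(f"{pw!r}: problems={password_problems(pw, 'admin', 'RedRoses')}, "
              f"breached={is_breached(pw)}")
```

Run the breach check on registration and on password change, and reject (or at least warn on) any match; the policy checks catch what a breach list cannot, such as a password built from the store's own name.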
You can also protect the admin area itself with HTTP basic authentication configured in .htaccess (with an .htpasswd file) or through cPanel. Then, even if an attacker obtains your WordPress admin credentials, they still cannot reach the dashboard without the second set. One caveat: wp-admin/admin-ajax.php is used by many front-end features, so exclude it from the protection or parts of the storefront may break.
Other Security Measures
There are several other security methods you can implement to increase the security of your WooCommerce store site:
- Create and maintain backups of your website, and store them somewhere other than the web server itself. If your hosting provider doesn't offer automatic backups, you can do it yourself using plugins such as BackupBuddy, BackWPup, or BackUpWordPress. Restore a backup occasionally to confirm it actually works.
- Put a web application firewall in front of the site, such as Sucuri, Cloudflare, SiteLock, or Wordfence.
- Lock down file permissions so that the web server user cannot write to wp-admin, wp-includes, or wp-content (apart from the uploads directory) and only your own account can, used over SFTP rather than plain FTP, which sends your password in cleartext. Setting DISALLOW_FILE_EDIT in wp-config.php also removes the in-dashboard theme and plugin editor, a favourite tool of attackers who get hold of an admin session.
- Don’t use “admin” or your store’s name as your user ID for the admin account. Use email ID or any unique word as your login instead.
- Disable trackbacks and pingbacks (you can turn them off under Settings > Discussion) and block xmlrpc.php, the endpoint that delivers pingbacks and that also lets an attacker pack many login attempts into a single request, by adding the following to the .htaccess file in your WordPress root:
# START XML RPC BLOCKING
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
# FINISH XML RPC BLOCKING
On Apache 2.4 and later, replace the Order and Deny lines with "Require all denied". Check first that nothing you rely on, such as Jetpack or the WordPress mobile app, still needs XML-RPC.
- Only use themes and plugins from trusted sources, such as the official WordPress directory or the developer's own site, and never install "nulled" copies of premium themes, which are frequently backdoored.
- Your website must be PCI DSS (Payment Card Industry Data Security Standard) compliant. The simplest way to shrink that obligation is to use a payment gateway that collects card details on its own hosted page or iframe, so card numbers never touch your server.
Running an online store takes courage, not only because the competition is cutthroat, but also because some people are reluctant to trust a new online store given the rise in cybercrime. Customers' trust is the most valuable asset of any online business, and that trust must be maintained at all costs.
Follow the security measures above in your WooCommerce store and keep yourself informed of the latest online security practices. In online business, as Benjamin Franklin would say, "an ounce of prevention is worth a pound of cure."