7 Key Steps for Keeping Your WooCommerce Store Secure
While it is true that with WordPress anyone can make a website, not all websites are created equal. A simple blog only needs to be stable enough to serve its readers, but a website which collects user login data requires more security, whether under GDPR, CCPA, or a similar data protection act, or simply as best practice. WooCommerce stores not only collect user data, they collect credit card data, which makes WooCommerce security remarkably sensitive.
Reputation is hard to earn but easy to lose. Would you be confident about giving your credit card information to an online store with a history of security breaches? We didn’t think so. So, if you run a WooCommerce store, we assume you are interested in making it as safe to use as you possibly can. This is what we will be talking about:
A majority of WordPress users don’t own servers, and the same goes for WooCommerce store operators. This step, therefore, basically boils down to your choice of a hosting provider. Your hosting provider stores all your website files, including your database, and should have safeguards in place to protect those files from malicious attacks. In the article linked above we have gone on at length about the general aspects of choosing a provider for your WordPress website. Here, we will concentrate on the security aspects.
As with most things, you get what you pay for: security takes considerable effort, and with free hosting the provider will likely keep it to a minimum. Some important features you should consider are SSL certificates (a must), up-to-date software (this will recur in this text – always make sure to have the latest update), disk write protection or limitation, backups, and round-the-clock access to support.
Some hosts may offer regular backups and security scans as part of their service package. Our advice is at least to consider it.
Your server software updates will likely be up to your hosting provider, though you should still be able to check the current version of your server’s PHP from the back end of your hosting account. You need to go beyond that, though, by updating all the software your website uses. This includes themes, plugins and the WordPress software itself.
As we’ve mentioned before, obsolete software is a vulnerability. The developer may abandon any piece of software for a variety of reasons, which means that they also stop updating the software’s security features. Because WordPress software, such as themes and plugins, is developed by thousands of people the world over, compatibility issues may also arise. All of this may affect your shoppers’ data safety. This is why you should back up your WordPress website regularly, and especially before making major updates.
Another avenue of illicit access to your website could be FTP, or File Transfer Protocol. Typically, you would use FTP accounts to connect whichever device you use to maintain your website to your website server.
There is much to be said about how to properly use FTP, so we will be brief: what you need to make sure of is that only trusted FTP accounts can access your website’s root directory, as well as the wp-admin, wp-includes, and wp-content folders.
Now, a chain is only as strong as its weakest link, and we are at a loss to think of a weaker link than using password123 for a password, other than maybe using password123 for all your passwords.
Best practices now mean creating unique and strong passwords for all your accounts. This means that you should avoid dictionary words and names, and instead mix it up with upper and lower case letters, digits, and punctuation, in strings as long as possible. This will make your passwords more difficult to crack, but also more difficult to remember, which is why you should consider investing in a password manager. Password managers are a simple and safe way of storing strong passwords without needing to remember all of them.
In especially sensitive areas (that is, with WooCommerce stores and other websites which collect user data), you should go beyond simply choosing stronger passwords: you should most definitely introduce two-factor authentication. Two-factor authentication is simply another layer of protection: just knowing a password is no longer enough to log in. This means that even if your password is compromised, people with malicious intent will not have it easy doing any actual damage.
What goes for you, we shouldn’t have to say, also goes for all your staff with login credentials: you can’t afford a single weak password.
Brute force attacks are one way hackers breach your login forms. They do this by using software to try countless combinations of user names and passwords automatically until they chance upon a right one.
One way of preventing these attacks from ever succeeding is to use strong passwords and two-factor authentication, as we have discussed above. You might also consider limiting login attempts. By limiting the number of times a login can be attempted from the same IP address, you limit the hackers’ ability to breach your store’s security. The login limiter will simply lock them out temporarily or permanently.
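To show what a login limiter actually does, here is an added example of a minimal WordPress must-use plugin (our own illustration, not code from WooCommerce or from any plugin mentioned above). It assumes a policy of five failed logins within fifteen minutes locking an IP address out for an hour, and that your host sets `REMOTE_ADDR` to the visitor’s real address.

```php
<?php
/*
 * Plugin Name: Example Login Attempt Limiter (illustrative)
 * Save as wp-content/mu-plugins/login-limiter.php to activate.
 */

// Assumed policy (not from the article): 5 failures in 15 minutes lock the IP for 1 hour.
const LAL_MAX_ATTEMPTS = 5;
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;
const LAL_LOCKOUT      = HOUR_IN_SECONDS;

// Key transients by REMOTE_ADDR only. Headers such as X-Forwarded-For are set by the
// client unless your host's proxy overwrites them, so do not trust them blindly.
function lal_client_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return $prefix . md5( $ip );
}

// Count failed logins per IP; the counter expires LAL_WINDOW after the last failure.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lal_client_key( 'lal_fail_' );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LAL_WINDOW );
    if ( $count >= LAL_MAX_ATTEMPTS ) {
        set_transient( lal_client_key( 'lal_lock_' ), time(), LAL_LOCKOUT );
        delete_transient( $key );
        // Log the lockout so repeated brute force attempts are visible in your server logs.
        error_log( sprintf( 'Login lockout for IP %s after %d failed attempts',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count ) );
    }
} );

// While an IP is locked out, refuse authentication before the password is even checked.
// Priority 30 runs after WordPress's own username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( lal_client_key( 'lal_lock_' ) ) ) {
        return new WP_Error( 'lal_locked', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( lal_client_key( 'lal_fail_' ) );
} );
```

Transients live in the database (or object cache) rather than in PHP memory, so the counters survive across requests and across PHP workers.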
All of the above deals mainly with how to avoid getting hacked. But what if your online store does get hacked? We have already talked about backing up your website before installing updates, but you really should be making regular backups even if you are not considering making updates: this is how you get your website back in case it is hacked and important files have been deleted or damaged.
It could be that your host offers backups and security scans as part of a package. In that case, you might get them to automatically revert to the last version of your online store known to be safe in case you find your website hacked. If not, chances are you will have to restore your website manually from your own backup. And even if your host does perform regular backups, it does no harm to keep extra safe and do your own independently.
Of course, backing up your files and restoring your website from backup can be long and arduous processes. It comes as no surprise, then, that there is a slew of backup plugins for WordPress to choose from if you want to automate these processes.
While your host may perform security scans themselves, it cannot hurt, as with backups, to do your own scans, just in case. Malware is malicious software which can be introduced to your website using faulty or out-of-date software such as plugins and themes, but there are ways to introduce it even using comments. The more ways your shoppers have of interacting with your website, the more careful you should be.
Scanning your WordPress website for malware can be done manually, but reviewing huge numbers of files is tedious. That is why there is a selection of malware scanning tools, both free and premium, which you might want to consider.
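Reviewing files by hand is tedious mainly because you cannot remember what they looked like yesterday. As an added example (ours, not from any scanner mentioned above), this script records a SHA-256 baseline of the `wp-content` tree after a clean install or update and later lists every file that was added, modified, or removed, which narrows a manual review down to the files that actually changed. The `wp-content` path and the two-step usage are assumptions.

```php
<?php
// Usage: php wp-integrity.php baseline > baseline.json   (right after a clean update)
//        php wp-integrity.php check baseline.json        (later, to list what changed)
$root = __DIR__ . '/wp-content'; // assumed: script sits in the WordPress root; adjust as needed

// Walk the tree and hash every regular file, keyed by its path relative to $root.
function wpi_hash_tree( $root ) {
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( $file->isFile() ) {
            $rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
            $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}

// Compare a stored baseline against the current tree.
function wpi_diff( array $baseline, array $current ) {
    $report = array( 'added' => array(), 'modified' => array(), 'removed' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( $baseline[ $path ] !== $hash ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_diff_key( $baseline, $current ) as $path => $hash ) {
        $report['removed'][] = $path;
    }
    return $report;
}

$mode = $argv[1] ?? 'baseline';
if ( $mode === 'baseline' ) {
    echo json_encode( wpi_hash_tree( $root ), JSON_PRETTY_PRINT ), "\n";
} else {
    $baseline = json_decode( file_get_contents( $argv[2] ), true );
    foreach ( wpi_diff( $baseline, wpi_hash_tree( $root ) ) as $kind => $paths ) {
        foreach ( $paths as $path ) {
            echo $kind, "\t", $path, "\n";
        }
    }
}
```

Keep `baseline.json` outside the web root (or with your off-site backups), since a baseline an intruder can rewrite proves nothing; a `.php` file appearing under `uploads/` is the kind of change this report is meant to surface.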
As you can see, there is a lot to be said and done about WooCommerce security. When all is said and done, though, you will be able to say with confidence that you have done all you possibly could have to safeguard your reputation for safety, as well as – more importantly – your shoppers’ sensitive data.
To recap: close off any avenues of access to malicious players, such as out-of-date software, weak passwords, and your servers, and make regular backups just in case you need your website restored.