WooCommerce security: the 7 things you should do first

Written by Nicole Kohler on February 15, 2016. Categories: Blog, Security, Start your store, Technical WordPress.

In all the frenzy and excitement that accompanies setting up a new WooCommerce store, it’s all too easy to miss little details. After all, we do live in a “move fast and break things” culture — why slow down when you can get your store live now and fix the problems later?

But security isn’t exactly a “little detail.” Yet it’s often overlooked by new shop owners, who unknowingly use weak passwords or skimp on site security, assured that everything will be fine and they’ll never be unlucky enough to be attacked.

While security measures are built into WordPress and WooCommerce out of the box, there are a few basic things new store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios. It’s certainly true that you might never encounter a hacker… but if you do, it’s still best to be prepared.

Here, we’ve compiled seven introductory steps to WooCommerce security that all new store owners should take. Read on to learn what they are.

Choose a great host — it all starts with them

There are plenty of things that you can do to keep your new store secure, but this isn’t to say that security should be entirely your responsibility.

In fact, the very first step you take should be choosing a reputable, reliable host that makes site security one of their top priorities. You shouldn’t put your new store just anywhere — making a poor choice could put both you and your customers at risk.

Ideally, you should seek out managed WordPress hosting from a company that clearly states what they do to make your safety and security a priority. Look for features like:

  • Attack monitoring and prevention
  • Proactive reviews and patches of security threats like core WordPress bugs, plugin exploits, and so on
  • Up-to-date server software (using the most recent versions of PHP, etc.)
  • Ability to isolate and prevent the spreading of infections so that a hacked site or virus cannot move to other sites on the same shared server

The hosts you evaluate should have a page on security on their site, so you can find this information out on your own. If you have to dig deeper or send emails to get answers, it might be a sign to steer clear.

Create (and safely store) strong passwords

While safety might start with your host, it’s up to you to follow through. The next step you’ll want to take, when it comes to setting up your store, is picking secure passwords for any and all accounts associated with your store.

This means:

  • Using a different password than you do for other accounts
  • Creating a password that has a mixture of capital letters, lowercase letters, numbers, and symbols
  • Avoiding dictionary words, anniversaries, birthdays, or other combinations that could be easily guessed
  • Prioritizing length — the longer and more complex a password is, the harder it is to crack, even by a program
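The four rules above can be expressed as a small checker, and the last of them (prioritize length) can be made concrete by computing the size of the search space a guessing program would have to cover. This is an added illustration, not code from the post or from WooCommerce's built-in strength meter; the tiny word list and the 12-character minimum are assumptions chosen for the example.

```python
import math
import re

# Constructed toy word list standing in for a real dictionary; a production
# check would use a large cracking word list (assumption for this example).
COMMON_WORDS = {"password", "welcome", "woocommerce", "shop", "store", "summer"}

# The character classes the post asks for, plus the size of each class.
CLASSES = {
    "uppercase": (re.compile(r"[A-Z]"), 26),
    "lowercase": (re.compile(r"[a-z]"), 26),
    "digits": (re.compile(r"[0-9]"), 10),
    "symbols": (re.compile(r"[^A-Za-z0-9]"), 33),  # remaining printable ASCII
}

MIN_LENGTH = 12  # assumed policy value, not from the post


def password_issues(password, other_passwords=()):
    """Return the policy violations for a candidate password (empty list = passes)."""
    issues = []
    # Rule 1: do not reuse a password from another account.
    if password in other_passwords:
        issues.append("reused from another account")
    # Rule 2: mix upper, lower, digits and symbols.
    missing = [name for name, (rx, _) in CLASSES.items() if not rx.search(password)]
    if missing:
        issues.append("missing character classes: " + ", ".join(missing))
    # Rule 3: no dictionary words, and no years (birthdays, anniversaries).
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        issues.append("contains a dictionary word")
    if re.search(r"(19|20)\d{2}", password):
        issues.append("contains a year")
    # Rule 4: length.
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    return issues


def keyspace_bits(password):
    """Brute-force search space, in bits, for a password of this length drawn
    from the character classes it actually uses (length * log2(alphabet))."""
    alphabet = sum(size for rx, size in CLASSES.values() if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("Store2016!", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(candidate, round(keyspace_bits(candidate), 1), "bits", password_issues(candidate))
```

The comparison in the last line is the point of the post's fourth bullet: a 25-character all-lowercase phrase has a far larger search space than an 11-character password that uses every class, even though the checker flags the phrase for missing classes.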

Worried about whether or not your passwords are truly secure? Fear not: since the release of version 2.5 of WooCommerce, we have a password strength indicator built in that pops up whenever a new account is being created:

How strong is that password?

There are also often built-in password creators in your favorite password management applications, or if you’re using Chrome, you can enable its own secure password generator. So you might not even need to think about the passwords you’re creating — the apps can handle that for you.

Think remembering these passwords is going to be tricky? Check out a password manager like LastPass or 1Password (our personal favorite here at Woo) to safely store and retrieve your data. They’re easy to use and make security surprisingly convenient.

Enable two-factor authentication (2FA) on all your accounts

Of course, a strong password on your store’s admin login might not be enough. If someone gains access to your email or another account, they might still be able to gather enough information to reset your password and log in anyway.

Two-factor authentication, most commonly abbreviated as 2FA, is a fantastic way to safeguard all of your online accounts against unwanted intruders. 2FA relies on a second step — typically your smartphone — to validate logins and verify that you are the owner of any given account.

You should ideally enable 2FA on all of your accounts. Under normal circumstances, an individual who successfully gains access to your email account could potentially find the login information for your store and other accounts. But with 2FA, they won’t have the ability to physically validate the logins and gain access.

It’s true that adding this second step also adds a little more time to your login process. But again, it’s absolutely worth the peace of mind knowing all that sensitive data is safe.

Looking for an app to manage your 2FA details? Try Google Authenticator — it’s free, and it’s available for both iOS and Android devices. Logins can be added in seconds with barcodes and codes accessed with just one simple click.

Set up Google Authenticator on your smartphone (for free!) to make 2FA a breeze.

Limit brute force login attempts with Jetpack Protect

Even with the best passwords in the world and 2FA enabled, some unsavory individuals still might try to brute force their way into your store. Luckily, there’s a simple way to keep them out.

Jetpack’s optional Security Features, namely Jetpack Protect, allow you to limit the number of times anyone can unsuccessfully attempt to log into your store before their IP address is blocked. Malicious login attempts are stopped in their tracks, keeping attackers out in the cold where they belong.

Jetpack will even show you what it’s done for your site thus far. Peace of mind right on your Dashboard.

Jetpack does, of course, allow you to whitelist one IP address so that forgotten or mistyped passwords don’t lock you out. You can also approve additional IPs in your WordPress settings, if you desire.

Concerned about price? Don’t be: Jetpack is free, and you can enable and disable functions like Jetpack Protect at your own discretion.
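To show what a brute-force limiter like Jetpack Protect is doing behind the scenes, here is an added example (written for this post, not Jetpack's own code): failed logins are counted per source IP inside a sliding window, the IP is blocked for a lockout period once the count reaches a threshold, and a whitelisted address is never blocked. The thresholds, the lockout length and the sample login events are constructed for the example and are not Jetpack's settings.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Block an IP after `max_failures` failed logins within `window` seconds,
    for `lockout` seconds. Addresses in `allowlist` are never blocked."""

    def __init__(self, max_failures=5, window=300, lockout=900, allowlist=()):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.allowlist = set(allowlist)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time at which the block expires

    def _prune(self, ip, now):
        """Drop failures older than the sliding window."""
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        if ip in self.allowlist:
            return False
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout has expired: start clean
            del self.blocked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        """Call after a failed login. Returns True if this failure triggered a block."""
        if ip in self.allowlist or self.is_blocked(ip, now):
            return False
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure count for that address."""
        self.failures[ip].clear()


def replay(events, throttle):
    """Feed (timestamp, ip, password_correct) events through the throttle; return one decision each."""
    decisions = []
    for now, ip, ok in events:
        if throttle.is_blocked(ip, now):
            decisions.append("rejected: blocked")
            continue
        if ok:
            throttle.record_success(ip)
            decisions.append("accepted")
        else:
            blocked = throttle.record_failure(ip, now)
            decisions.append("failed, now blocked" if blocked else "failed")
    return decisions


# Constructed sample (documentation IP ranges): a guessing run from 203.0.113.7 that
# hits the right password on the sixth try, and the owner mistyping twice from the
# whitelisted address 198.51.100.2.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "203.0.113.7", False), (4, "203.0.113.7", False), (5, "203.0.113.7", True),
    (10, "198.51.100.2", False), (11, "198.51.100.2", False), (12, "198.51.100.2", True),
    (905, "203.0.113.7", True),
]


def run_sample():
    return replay(SAMPLE_EVENTS, LoginThrottle(allowlist={"198.51.100.2"}))


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_sample()):
        print(event, "->", decision)
```

Note the sixth event: the guess is correct, but the address is already blocked, so the login is rejected anyway. That is the property the post relies on, and it is also why the whitelist matters: without it, the owner's own typos would trip the same rule.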

Add site protection with VaultPress

So far we’ve discussed host security and password security. But you need an active defense against potential attackers, especially those who aim to harm your store rather than access your data.

Enter VaultPress. This software, built for WordPress-powered sites and shops, provides multiple levels of protection and support, including:

  • Automated, real-time backups and restores
  • Daily security scans to ensure all is well, no suspicious code is active on your server, and no data has been compromised
  • Protection against review and comment spam with Akismet

VaultPress keeps your store safe from harm, whether it comes in the form of malicious code injections or annoying comments. And WooCommerce store owners can get their first month free by following this link.

Check and adjust the settings on your FTP directories

Here’s a simple precaution that should only take you a few minutes at most: locking down your site’s sensitive directories via FTP.

Insecure shared hosting environments or compromised passwords might make it possible for an individual to access your site’s FTP, where they could upload harmful files to your WordPress directories. But limiting the write access on these directories can keep them out and reduce or even completely eliminate the potential for damage.

Check the permissions on your FTP directories to make sure unwanted intruders stay out.

Ensure that only your FTP account has write access to the following folders:

  • The root directory (excluding .htaccess if you use a WordPress plugin to set up URL redirects)
  • wp-admin
  • wp-includes
  • wp-content

You will also need to give your server write access to wp-content.
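An audit of the rules just given can be automated: walk the install and report every file or directory that anyone other than the owner can write to, making the one exception the post calls for (the web server needs write access under wp-content). This is an added example, not code from the post or from WordPress; it assumes the server's write access to wp-content is granted through group permissions, and the miniature install it checks is constructed inside a temporary directory so it runs anywhere.

```python
import os
import stat
import tempfile


def audit_permissions(root, server_group_writable=("wp-content",)):
    """Return (relative_path, problem) for every entry that group or others may write to.
    Trees named in `server_group_writable` may be group-writable (the web server's
    group writes uploads and caches there), but nothing may be world-writable."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in entries:
        rel = os.path.relpath(path, root)          # "." for the root itself
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):                     # symlink modes are meaningless here
            continue
        top = rel.split(os.sep)[0]
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        elif (mode & stat.S_IWGRP) and top not in server_group_writable:
            findings.append((rel, "group-writable"))
    return sorted(findings)


def build_sample_install(base):
    """Constructed mini WordPress layout with two deliberate misconfigurations."""
    dirs = {
        "wp-admin": 0o755,
        "wp-includes": 0o755,
        "wp-content": 0o775,            # group write is allowed here (server group)
        "wp-content/uploads": 0o775,
        "wp-content/plugins": 0o777,    # wrong: world-writable
    }
    files = {
        "wp-config.php": 0o640,
        "index.php": 0o644,
        "wp-includes/functions.php": 0o664,   # wrong: group-writable core file
    }
    for rel in dirs:
        os.makedirs(os.path.join(base, rel), exist_ok=True)
    for rel in files:
        with open(os.path.join(base, rel), "w") as f:
            f.write("<?php // constructed placeholder\n")
    os.chmod(base, 0o755)
    for rel, mode in {**dirs, **files}.items():  # chmod last so creation is not blocked
        os.chmod(os.path.join(base, rel), mode)


def run_sample():
    """Build the constructed install in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_install(base)
        return audit_permissions(base)


if __name__ == "__main__":
    for rel, problem in run_sample():
        print(f"{problem}: {rel}")
```

Against a real install you would call `audit_permissions("/path/to/wordpress")`; anything it reports in the root, wp-admin or wp-includes is exactly the write access the post says only your FTP account should hold.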

For more details on locking down your FTP, have a look at this section of the WordPress Codex.

Anticipate updates and make plans to address them

The final security tip we have for those of you just starting out is this: don’t ignore updates.

The process of updating WordPress core, WooCommerce, and your plugins or extensions might seem like a hassle after a while. Since we recommend making a backup at the very minimum, and also suggest testing major updates on a staging site, you might be tempted to let those updates slide until “later.”

“Later” is the perfect time for an individual educated on exploits and insecurities to access your store, though! Updates are released for a reason, and they often make your site more secure. So by ignoring them, you could be putting yourself — and your customers — at risk.

The best way to approach this? Set aside a time each month, every two weeks, or even each week to review your updates, make backups, test them, and deploy to your site. Put an appointment on your calendar if you need to — just make time for the process.

If you work updates into your routine, just as you do every other security tip we’ve suggested in this post, it will quickly become less of a hassle and more of an everyday occurrence. And soon, you’ll be running an attack-proof store without even realizing it, or giving any mind to putting things off until “later.”

When starting your store, make security a priority

It’s easy to lose sight of security in all the hustle and bustle of launching your store, but it’s not something you should take lightly. Keeping your customers’ data — and your own — safe should be a top priority from the very start.

To review, here are the seven things you should do first to secure your WooCommerce store:

  1. Choose a reputable, reliable host who makes security a top priority
  2. Create strong passwords for your store, and keep them safe in a password manager
  3. Use 2FA on all of your accounts to prevent logins from those who might guess or otherwise locate your passwords
  4. Enable Jetpack Protect to limit brute force login attempts
  5. Add security to your site with a monthly plan from VaultPress
  6. Check the settings on your FTP directories to ensure no one can write to sensitive folders or files
  7. Anticipate updates to WordPress and WooCommerce core, and make plans to address them at specific times

By following these simple steps, you’ll create the groundwork for a safe, trustworthy store that is well-protected in the rare event of an attack.

Have any suggestions for new store owners who are just beginning to think about the topic of WordPress and WooCommerce security? We’d love to hear from you in the comments.

12 Responses

  1. Gerd
    February 19, 2016 at 2:30 pm #

    The best way to approach this? Set aside a time each month, every two weeks, or even each week to review your updates, make backups, test them, and deploy to your site. Put an appointment on your calendar if you need to — just make time for the process.

    For this to work best, it would be good if minor bugfix releases of WooCommerce had some kind of fixed dates or release schedule (in the same way as there is for major versions).

    • Nicole Kohler
      February 19, 2016 at 3:52 pm #

      That’s some good feedback, Gerd. Sometimes bugfixes are a bit unavoidable (for example, if we’ve been alerted to a security issue in WordPress or a conflict with another plugin) but we can try to take this into consideration for any minor releases, as you mention 🙂

  2. Rai
    February 19, 2016 at 8:09 pm #

    Hi Nicole,
    Thanks for the article.
    What about permissions for the user database? I always put all privileges, but I think that is not OK. Can you share about this?

  3. Emily Johns
    February 22, 2016 at 10:59 am #

    For non-expert bloggers and coders, I suggest installing a WordPress plugin to make things easier.
    Of the ones you mentioned, I found the “Wordfence Security” plugin to be a free solution to secure blogs and make them faster.
    Tested and happy with it!

  4. robi
    February 22, 2016 at 8:45 pm #

    wow, great tips. I just needed a fresh and updated “how to” for woocommerce. Thank U very much.

    • Nicole Kohler
      February 23, 2016 at 5:28 pm #

      Thanks robi, glad you found it useful 🙂

  5. samdani
    February 26, 2016 at 10:10 am #

    Somebody wants to make a website for his/her own. Now everything is okay, but one thing should be remembered: a weakly secured WordPress will not be a tonic, and so before taking a step he or she has to confirm strong security for his/her site. In this case the steps narrated here are very conducive.

  6. Rayhan
    March 4, 2016 at 7:54 am #

    Hi Nicole,
    It is really a great article. I am going to start my new woo-commerce site. I must follow these security steps. Thank you very much.

  7. chris
    March 6, 2016 at 9:15 am #

    There is one thing I was looking for in this article: an SSL certificate, to ensure that all data is encrypted before transmission between client and server occurs, and making sure that all cipher methods are well updated to ensure that all possible vulnerabilities are addressed.
