5 Post-launch Security Tips For WooCommerce Stores

Written by Nicole Kohler on April 11, 2016. Categories: Blog, Security.

As we covered in this introduction to WooCommerce security, creating the groundwork for a safe, well-protected store only takes a few steps. But most of the tips we offered are things you’d do before launching your store, or perhaps immediately after.

Security isn’t something you can think about once and never again. If you don’t keep your store up-to-date, pay attention to security trends, or harden your defenses as you grow and scale, you could be putting yourself in a very vulnerable position… and also putting your customers at risk.

Let’s explore a few more ways that you can secure your store post launch.

1. Hide the WordPress version number

“Okay,” you might be saying, “what? How does this keep me secure?”

Well — it doesn’t, not directly. But if you’re a bit slow to update WordPress sometimes, a quick peek at your source code could easily tell a potential attacker that you’re potentially more vulnerable to other attacks.

The current version of WordPress can be found in three spots:

  1. The generator meta tag in your header
  2. The generator meta tag in your RSS feed
  3. Query strings

So, if you’re one of those well-meaning individuals who wants to test out your updates for a day or two and needs to hide the version number for a good reason, you can use Frankie Jarrett’s code to hide the version number from all three of these spots. Head over to his post to pick it up, then paste it into your functions.php file.

A brief glimpse at the code, courtesy of Frankie Jarrett.

Again, hiding the version on its own will not protect you — you should absolutely keep WordPress, WooCommerce, and all of your plugins and extensions updated. But we also understand that there’s often a gap between testing and implementation, so this can help keep you safe in the interim.
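An added example of what such code does, written for this post rather than taken from Frankie Jarrett's snippet: it covers the three spots listed above (head tag, feed tag, `?ver=` query strings). It assumes it runs inside WordPress (a theme's functions.php or a must-use plugin); the function name `wc_example_strip_core_version` is made up here.

```php
<?php
// Added example: hide the WordPress core version from the three places
// this post lists. Drop into functions.php or an mu-plugin.

// Spots 1 and 2: the generator tag in <head> and in the RSS/Atom feeds both
// come from the_generator(), so one empty-string filter covers both.
add_filter( 'the_generator', '__return_empty_string' );

// Belt and braces: also unhook the <head> output entirely.
remove_action( 'wp_head', 'wp_generator' );

// Spot 3: styles and scripts enqueued without their own version get
// ?ver=<core version> appended. Strip only the core version, so plugin and
// theme assets keep their own ?ver= values for cache busting.
function wc_example_strip_core_version( $src ) {
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    // Exact comparison, so 4.4.2 does not also match a plugin at 4.4.20.
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'wc_example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'wc_example_strip_core_version', 9999 );
```

Assets whose `?ver=` was stripped will no longer cache-bust on a core update, so clear any page or CDN cache after updating WordPress.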

2. Force SSL on your checkout pages

Security starts with a secure connection. By following this tip, you can be absolutely sure that you’re protecting your customers from spying eyes while they enter sensitive billing and shipping information at checkout.

With the “Force secure checkout” setting enabled in WooCommerce, all of the pages associated with your checkout process will be forced to use HTTPS (that is, a secure connection) every time they load.

Because only a customer’s browser and your store can decrypt the information being sent across a HTTPS connection, checking this box ensures that your checkout is safe, and that no one with malicious intent can take a peek at credit card numbers or other sensitive information flowing in and out of your store.

Forcing secure checkout keeps both you and your customers safe. The only prerequisite is an SSL certificate.

This setting can be toggled on and off in WooCommerce by going to WooCommerce > Checkout and toggling the second checkbox on or off.

Note that a valid SSL certificate is required for this setting to function properly on your store. If you haven’t yet acquired an SSL certificate, read this guide to learn more about why they matter and how to get one for little to no cost.

You can learn more about this setting in WooCommerce by reading this page in our docs.

3. Make backups and security scans a daily event

In our first post on security, we recommended using trusted software to scan your site for potential vulnerabilities, brute force attacks, or malware. Now that you’ve launched, it’s time to take things to the next level.

With your store up and running, both backups and security scans should be happening on a daily basis. Backups are crucial because they give you something to fall back on in the event of data loss, while security scans prevent such loss (or infection) from happening in the first place.

You can set the frequency of scans, backups, and notifications as you like, but we recommend a daily backup and a daily scan at the very least. Some solutions offer real-time backups and more frequent scans — Jetpack‘s brute-force login protection is real-time, too — but you can scale the frequency up or down as you prefer.

If you’re still in the market for a reliable, effective backup and security solution, Jetpack Premium plans come bundled with backups — and WooCommerce customers can save 15% instantly. Get Jetpack for peace of mind from day one.

4. Change the default prefix used in your WordPress databases

Odd as it may seem, there are some nasty people out there who stage attacks on websites for their own amusement. While you might think your store is 100% safe, there are a few minor vulnerabilities that these spammers and hackers will find and exploit, given the chance.

One known potential vulnerability comes through the use of default database table settings during the setup and installation of WordPress. Changing these settings could help prevent malicious code from being injected into your server.

The default prefix for the database tables used to store WordPress information is wp_. Because most store owners don’t change this prefix during setup (or don’t even have the option to do so, depending on their host/installation procedure), using the default could put them at risk for a SQL injection attack (among others), all because hackers know full well what these default tables are named.

By now, of course, you’ve probably already set up WordPress and WooCommerce. But it’s not too late to change these settings. A SQL query or two run in phpMyAdmin will set you straight in no time.

With some well-placed SQL, you can rename your table prefixes and add another layer of security to your WordPress installation. (Image credit: Digging Into WP)

Have a look at this detailed and incredibly helpful step-by-step tutorial from Digging Into WP to learn how to change your database table prefixes to something far more complex — and far, far more secure.
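As an added example (not the Digging Into WP tutorial's queries), here is the same rename done generically from the command line with PHP and mysqli. It enumerates tables instead of hard-coding the core list, because a WooCommerce store also has tables such as wp_woocommerce_order_items that a fixed list misses; the credentials and the new prefix `k9x2_` are placeholders, and `$table_prefix` in wp-config.php must be changed to match afterwards.

```php
<?php
// Added example: rename every table carrying the old prefix, then fix the
// rows in options and usermeta whose keys embed the prefix.
// Take a full database backup before running this.
$old = 'wp_';
$new = 'k9x2_';  // constructed example prefix; use your own
$db  = new mysqli( 'localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME' );  // placeholders
if ( $db->connect_error ) {
    exit( "Connect failed: {$db->connect_error}\n" );
}

// Build a LIKE pattern where % and _ in the prefix are literal characters.
function like_prefix( string $prefix ): string {
    return str_replace( [ '%', '_' ], [ '\\%', '\\_' ], $prefix ) . '%';
}
$pattern = like_prefix( $old );

// Step 1: rename all tables. RENAME TABLE is DDL and commits implicitly in
// MySQL, so stop at the first failure rather than pretending it is atomic.
$res = $db->query( "SHOW TABLES LIKE '{$pattern}'" );
while ( $row = $res->fetch_row() ) {
    $from = $row[0];
    $to   = $new . substr( $from, strlen( $old ) );
    if ( ! $db->query( "RENAME TABLE `{$from}` TO `{$to}`" ) ) {
        exit( "Failed renaming {$from}: {$db->error}\n" );
    }
    echo "{$from} -> {$to}\n";
}

// Step 2: wp_user_roles in options, and wp_capabilities / wp_user_level and
// similar keys in usermeta, carry the prefix in their names. Rewrite only
// the leading prefix (not every occurrence, as REPLACE() would).
$fixes = [
    "UPDATE `{$new}options`  SET option_name = CONCAT(?, SUBSTRING(option_name, ?)) WHERE option_name LIKE ?",
    "UPDATE `{$new}usermeta` SET meta_key    = CONCAT(?, SUBSTRING(meta_key, ?))    WHERE meta_key LIKE ?",
];
$start = strlen( $old ) + 1;  // SUBSTRING positions are 1-based
foreach ( $fixes as $sql ) {
    $stmt = $db->prepare( $sql );
    $stmt->bind_param( 'sis', $new, $start, $pattern );
    if ( ! $stmt->execute() ) {
        exit( "Failed: {$stmt->error}\n" );
    }
    echo "{$stmt->affected_rows} row(s) updated\n";
}
echo "Now set \$table_prefix = '{$new}'; in wp-config.php\n";
```

After the run, log in once and confirm you still have administrator capabilities: a missed usermeta row shows up as "you do not have sufficient permissions".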

SQL queries not your thing? There are a few free plugins around that will accomplish the same thing, but use caution — allowing unrestricted access to your SQL database can be dangerous. At the very least, uninstall a plugin like this once you’re done with it so there’s no potential for future unintentional renames.

5. Get rid of your “admin” account

This final piece of advice might seem annoying to some of you, or perhaps even like general knowledge to others. But it’s crucial, so we wanted to take the time to emphasize it here.

Using the default admin account built into WordPress is not recommended when you are running an online store. Much like the database table prefixes, hackers know this account (very likely) exists by default, which provides a better opportunity for them to brute force their way in.

Even similar-sounding accounts, like “testadmin,” “administrator,” or “owner” put your store at risk — they’re just as easily guessed. As the Attacking WordPress page on HackerTarget.com explains (don’t worry, it’s a resource for advice, not a how-to for hacking), once a hacker knows an account exists, they can quickly use a tool to guess your password:

[…]. 500 passwords were tested against the “testadmin” account (that was discovered during user enumeration). Those 500 passwords were tested in 1 minute and 16 seconds! While the test was running the site was still responding; a web server administrator would have no idea the attack took place without some sort of security log monitoring system in place.

They might have gotten the password wrong, but now they know something else: this account exists. (Image credit: HackerTarget.com)

The moral of the story: your administrator account(s) should be named something unique and unlikely to be guessed by someone with malicious intent. Use a unique nickname, a full name with multiple initials in between, or something else that can’t be easily guessed (rather than, say, your first and last name or the name of your store).

And remember to use secure passwords, so even if someone does guess the name of your account, they’ll still find themselves unable to log in. If you need a refresher on what’s secure and what’s not, see section #2 in this post.

Take security seriously once your store is online

Though there are plenty of things you can do to make a store secure before launch, security should be an ongoing concern for store owners — not a “one and done” thing. By following these tips and keeping your store and WordPress updated, you’ll be in a great position to keep your customers — and your team — safe and sound.

Have any questions about the security tips recommended in this post? Or better yet, any advanced tips of your own to share? We welcome your feedback and thoughts in the comments below.


2 Responses

  1. IRD-Dev
    April 12, 2016 at 5:25 am

    As another suggestion: Manually editing WP_USERS table and changing the values in column “user_nicename”, for all users including the WordPress Admin.

    Simply log into phpMyAdmin, select your WP database, browse the WP_USERS table, and alter (for every user) the “user_nicename” value to something different than the actual login name .. and, of course, unique across all records in this table.

    In my opinion, this action should be completed IMMEDIATELY after creating a new username .. and certainly BEFORE exposing your website to search engine crawlers.

    I performed a test, by posting TWO articles – one with a WP User “my-test-user” whose “user_nicename” value was the same as their login name. Google results included both articles and, in particular, the article published by the aforementioned user revealed their username as such: http://mydomain.com/author/my-test-user/

    Supporting articles for manually editing the “user_nicename” value:


    Granted, there are other more promising means to protecting one’s WordPress security (as outlined throughout this post). However, I do not understand why WordPress has not taken measures to fix this “information leak”.

    • IRD-Dev
      April 12, 2016 at 5:29 am

      In regard to my specific concern — namely, not wanting the public to see the WordPress Username on Articles / Posts — here’s what I chose to do in my WP 4.3.1 project. This was in addition to changing the values in WP_USERS table column “user_nicename”, for all users including the WordPress Admin:

      1) Under Blog & Portfolio Menu > Meta Information ( /wp-admin/admin.php?page=of-blog-and-portfolio-menu ), I disabled inclusion of “Author”.

      2) On the NEWS page itself, under “Show advances settings”, I disabled “Show post author”.

      I then went a step further and added two plugins which effectively provided the level of logon security I desired:

      3) Installed plugin “Limit Login Attempts” (wordpress.org/plugins/limit-login-attempts/). This was a snap to implement and performs well to its name.

      4) Installed plugin “Google Authenticator” (wordpress.org/plugins/google-authenticator/). This, too, was a snap to implement and will work well for my particular project. I’ve used the Google Authenticator app on my Android smartphones, for several years now, to protect my Gmail, Outlook and other sensitive accounts. In fact, now that I have this working, I no longer see a need for the aforementioned plugin “limit login attempts”.
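Section 5 and the comment above both come down to the same leak: the author URL slug (user_nicename) defaults to the login name, which is exactly what a brute-force tool needs. As an added example, not part of the post or of IRD-Dev's procedure, this mu-plugin automates the manual phpMyAdmin edit by giving every new account a random slug; it assumes it runs inside WordPress, and the function name `wc_example_random_nicename` is made up here.

```php
<?php
// Added example: decouple user_nicename from user_login so that
// /author/<slug>/ and the ?author=N redirect no longer reveal the login.
// Install as wp-content/mu-plugins/random-nicename.php.
function wc_example_random_nicename( int $user_id ): void {
    $user = get_userdata( $user_id );
    if ( ! $user || $user->user_nicename !== $user->user_login ) {
        return;  // already decoupled, nothing to do
    }
    // 8 lowercase alphanumerics, re-drawn on the rare slug collision.
    do {
        $slug = strtolower( wp_generate_password( 8, false ) );
    } while ( get_user_by( 'slug', $slug ) );
    wp_update_user( [ 'ID' => $user_id, 'user_nicename' => $slug ] );
}
// New accounts get a random slug the moment they are created.
add_action( 'user_register', 'wc_example_random_nicename' );

// One-off pass over existing accounts, e.g. via WP-CLI:
//   wp eval 'wc_example_fix_existing_nicenames();'
function wc_example_fix_existing_nicenames(): int {
    $fixed = 0;
    foreach ( get_users( [ 'fields' => 'ID' ] ) as $id ) {
        $before = get_userdata( (int) $id )->user_nicename;
        wc_example_random_nicename( (int) $id );
        if ( get_userdata( (int) $id )->user_nicename !== $before ) {
            $fixed++;
        }
    }
    return $fixed;
}
```

Check display_name as well: WordPress also defaults it to the login name, and a theme that prints the author name undoes the slug change.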

