As an online store owner, security is one of your top priorities. Not only are you responsible for your own files, order information, and hard work, you’re also responsible for customers’ personal data. The last thing you want is for that information to fall into the wrong hands.
But eCommerce security doesn’t have to be daunting! It’s just a matter of putting the right practices into place and implementing the right tools. Let’s take a look at some strategies, broken down by priority.
Before we look at each in detail, here’s the full security checklist:
- Choose a good host
- Use high-quality plugins
- Implement strong passwords
- Prevent brute force attacks
- Update WordPress, themes, and plugins
- Enable backups
- Add an SSL certificate
- Re-evaluate user access levels
- Implement security scanning
- Monitor site activity
- Set up a firewall
- Enable secure authentication
Essential security practices:
1. Choose a good host
Good site security starts with a good host, so do your research. Here are a few things you want included in your hosting plan:
- A firewall, which places a virtual wall between your server and the rest of the internet to protect website content
- Regular, automatic backups of your entire site, so if anything does happen, you can restore data and files
- Malware scanning and protection so you can quickly react to any problems and prevent them before they occur
- The latest version of software, like PHP and MYSQL, which limits vulnerabilities hackers can exploit
- Excellent support to help you address malware, hacks, and other security issues
Typically, each host and plan will list the security features offered, but don’t be afraid to ask. You can also read customer reviews to find out about their experiences. These recommended WooCommerce hosts are a great place to start.
2. Use high-quality plugins
While plugins and extensions are great ways to expand store functionality, not all are created equal. A poorly coded plugin makes it easier for hackers to get into your site, so always use reputable, vetted sources with good reviews. Don’t cut corners and download free versions of premium plugins from third parties; they’re often modified to include malware. Finally, make sure that your plugins are regularly updated and work with the latest versions of WordPress and WooCommerce.
The WooCommerce extension library offers hundreds of free and premium extensions that help with everything from functionality and design to marketing and store management.
3. Implement strong passwords
A weak password can undermine even the best security setup. Hackers often use bots to execute brute force attacks, where they check different combinations of letters, numbers, and symbols until they guess a website’s password. Because these attacks are automated, they can try thousands of passwords per second.
The more complex the password, the harder it is for bots to figure out. Here are a few basic principles of developing a strong password:
- Try for a length of at least ten characters.
- Use a mix of capital letters, lowercase letters, numbers, and symbols.
- Avoid common words like “password,” your business name, or your username.
- Don’t use the same password for multiple accounts.
Worried about remembering a complex password? Try using a secure password management tool like LastPass.
4. Prevent brute force attacks
You can also fight against brute force attacks by stopping them before they reach your site. Jetpack’s Brute Force Attack Prevention feature automatically stops hackers and bots in their tracks, protecting you from unauthorized access. Turn it on with one click, then rest easy knowing your store is protected.
5. Update everything
WordPress, theme, and plugin updates often provide new functionality and features that make your store even better. But they also repair security bugs and vulnerabilities that hackers can take advantage of. That’s why it’s so important that you regularly update everything.
To make this easier, Jetpack offers automatic plugin updates so you never have to worry about forgetting an update again.
6. Enable backups
Backups are essentially an insurance policy for your website — you hope you never have to use them, but you’ll be glad you have them if you do.
If your online store goes down, not only could you lose sales, you could also lose order information and customer trust. But with a tool like Jetpack Backup, you can restore your entire site in just a few clicks and get things up and running quickly.
While daily backups are performed automatically every 24 hours, real-time backups are an excellent option for eCommerce stores because they’re performed as you make changes to your site. Update a page, add a product, or complete a new sale? You can restore a backup of your site to the point right before that action took place. And since so much happens on a store in 24 hours, this keeps you from losing valuable transactions.
7. Add an SSL certificate
An SSL (secure socket layers) certificate protects transactions that happen on your site by encrypting the data. So every time a customer makes a purchase, fills out a contact form, or even signs up for your email list, their data is kept private. This is not only important from a legal perspective, it also helps your website show up higher in search results because Google understands its importance.
You can typically obtain an SSL certificate from your host for free or for an additional cost. Reach out to your provider to find out the details.
Moderate-level security practices:
1. Re-evaluate user access levels
If more than one person works on your store, it’s important to understand exactly what they can access and what actions they can take. WooCommerce employs user roles and capabilities to take care of this — they define exactly what each person can do on your website.
The most important thing to remember is that a user should only have the permissions that they absolutely need to perform their duties. Find out more in our full guide to user roles and permissions.
2. Implement security scanning
Just like you should scan your home computer for viruses or malware, you should also scan your website. Otherwise, how would you know if there was an unauthorized login?
Often, hackers won’t change or deface your website; instead they’ll steal customer data or inject malware, which may not be immediately obvious. Jetpack Security Scanning checks your website daily for suspicious code and activity and sends you an email if something’s wrong. They also provide automated fixes for the majority of known security threats so you won’t even need to worry about finding a solution.
3. Monitor site activity
It’s important that you check up on your site from time to time and understand exactly what actions are taking place and who is performing them. Jetpack’s activity log allows you to quickly review changes that take place on your site and identify anything odd.
View the date and time someone logged in, updated a page, removed a plugin, and more. If someone logs in and makes an unauthorized change, you’ll know immediately and react, whether that person was a hacker or one of your team members. And if you’ve enabled Jetpack real-time backups, you can restore a backup from right before a specific action took place.
Advanced security practices:
1. Set up a firewall
Even if your host includes a firewall, setting one up on a website level adds another layer of security, blocking common threats before they even reach your store. You can typically set up a firewall through a plugin, but can customize things even more if you have advanced knowledge or specific needs. Some of the most common, and trusted, WordPress firewalls are Sucuri, Wordfence, All In One WP Security & Firewall, and iThemes Security.
2. Enable secure authentication
Secure authentication takes login protection one step further by sending a unique code to your mobile device every time you log in. So even if someone figures out your password, they have to physically have your phone in order to access your website. You can set this up by using Jetpack’s free Secure Authentication tool.
Secure your online store
Security is a critical part of running an online store. After all, customers put their personal information in your hands and you want them to trust you!
While this isn’t an exhaustive list of ways to protect your site, it’s a great place to start. Take the time to go through each of the steps (most only take a few minutes to implement) and you’ll have a much safer website.
Thanks Joe – was already doing much of this, but as a newbie to running a store it’s good to know what I can do to top up.