WooCommerce Security: The Eight Things You Should Do First
While security measures are built into WordPress and WooCommerce, there are a few basic things new store owners should do to keep their customers, team, and data safe in the event of worst-case scenarios.
Here are eight things all new WooCommerce store owners should do.
1. Choose a reputable host
Your hosting provider stores your website files and database, which allows them to be viewed by people all over the world. Your host should have measures in place to protect those files from hackers and malware — choosing the wrong host could put you and your customers at risk.
Ideally, you should find a host that understands WordPress well and clearly states what they do to prioritize your safety and security. Look for features like:
- SSL certificates, which protect customer data such as addresses and phone numbers.
- Backups, so that if anything does go wrong, you can restore your site in full.
- Attack monitoring and prevention, so that you’ll know instantly if malware is found in your files or database.
- A server firewall, which prevents hackers from accessing your files.
- 24/7 access to support, just in case you need it.
- Up-to-date server software, like PHP and MYSQL.
The ability to isolate malicious files, so that a virus or malware can’t move to other sites or folders on the same server.
The hosts you evaluate should have a page about security on their site, so you should be able to confirm whether or not your host offers these features. If you have to dig deeper or send emails to get answers, it might be a sign to steer clear. This list of hosting providers is a great place to start.
2. Create (and safely store) strong passwords
While safety might start with your host, it’s up to you to follow through. Choose secure passwords for any and all accounts associated with your store.
- Using unique passwords for each of your accounts.
- Creating a password with a mixture of capital letters, lowercase letters, numbers, and symbols.
- Avoiding words, anniversaries, birthdays, or other phrases that could be easily guessed.
- Prioritizing length — the longer and more complex the password, the harder it is to crack.
Worried about whether or not your passwords are truly secure? Fear not: WordPress has a built-in secure password generator that makes it easy to generate complex, hard-to-guess combinations.
But remembering difficult passwords may be tricky. One great solution is a password manager like LastPass or 1Password (our personal favorite here at Woo). They safely store your passwords and auto-fill them securely on your favorite sites.
3. Enable two-factor authentication (2FA)
If someone gains access to your email or another account, they might be able to gather enough information to reset your password and log in.
Two-factor authentication, most commonly abbreviated as 2FA, is a fantastic way to safeguard your online accounts against unwanted intruders. 2FA relies on a second step — typically your smartphone — to validate logins and verify that you are the owner.
You should ideally enable 2FA on all of your accounts. Under normal circumstances, an individual who successfully gains access to your email account could potentially find the login information for your store and other accounts. But with 2FA, they won’t have the ability to physically validate the logins via your mobile device.
It’s true that adding this second step also adds a little more time to your login process. But it’s absolutely worth the peace of mind knowing that your sensitive data is safe.
You can implement two-factor authentication for free with Jetpack.
4. Prevent brute force attacks
Brute force attacks occur when hackers use bots to guess thousands of username/password combinations until they finally come up with the right one. Not only can this allow hackers to access your site, it can also negatively impact your load time due to the increase in store traffic.
Jetpack’s free brute force attack protection feature is a great way to stop them in their tracks. It automatically blocks malicious IP addresses before they even reach your site, so you don’t have to worry about them.
5. Add an extra layer of site protection
We’ve discussed a few ways to secure your site already, but to go the extra mile, consider implementing more of Jetpack’s security tools. In addition to two-factor authentication and brute force attack protection, it offers:
- Malware scanning (paid): Get an instant alert if malware is found on your site so you can troubleshoot and fix the majority of known threats with one click. It’s like having someone guarding your site 24/7.
- Spam prevention (paid): Automatically get rid of comment and contact form spam that can make you look unprofessional and send customers to malicious, third-party sites.
- An activity log (free): Keep an eye on everything that happens on your site — from updated pages and new products to user logins — along with who performed each action and when.
- Downtime monitoring (free): Know immediately if your site goes down — a common indication of a hack — so you can get it back up and running quickly.
- Automatic plugin updates (free): Automatically update plugins to keep your site running smoothly and protected from hackers.
Learn more about how Jetpack protects your WordPress site.
6. Check and adjust your FTP settings
FTP (file transfer protocol) is used to transfer files between two devices. Through your hosting provider, you can create FTP accounts, which allow you to connect from your computer to your website server. If a malicious actor accesses those accounts, they would be able to make any number of changes to your site.
But limiting the permissions on these accounts can reduce or even completely eliminate the potential for damage. Ensure that only your FTP account can access the following folders:
- The root directory
For more details on locking down your FTP, check out this section of the WordPress Codex. Your host should also be able to help you take these precautions.
7. Always update your site
The process of updating WordPress, WooCommerce, and your plugins or extensions is absolutely critical. Updates are released for a reason, and they often make your site more secure. By ignoring them, you could be putting yourself — and your customers — at risk.
The best way to approach this? Set aside a regular time to review your updates, make a backup, and deploy those updates to your site. If you don’t want to worry about it, you can also turn on the auto-update feature within WordPress.
8. Regularly back up your store
If your site is ever hacked, a backup is the fastest and best way to get a clean version up and running again.
- Select from daily backups, which occur every 24 hours, and real-time backups, which occur every time an action (purchased product, updated page, etc.) occurs on your site.
- Never worry about losing order information. Whether you restore a backup from five minutes ago or five days ago, all of your order information is saved up to the minute.
- Restore with just one click. Don’t worry about a time-consuming, difficult restore process. Simply find the date and time you want to restore to and click a button.
When starting your store, make security a priority
It’s easy to lose sight of security in all the hustle and bustle of launching your store, but it’s not something you should take lightly. Keeping your customers’ data safe should be a top priority from the very beginning.
By following these simple steps, you’ll create the groundwork for a safe, trustworthy store that’s well-protected in the rare event of an attack.
Have any suggestions for new store owners who are just beginning to think about the topic of WordPress and WooCommerce security? We’d love to hear from you in the comments.