13 Security Tips for WooCommerce Stores

by Ahsan Parwez  February 1, 2017

Running a successful online business involves a lot of work. You will always be adding products, fixing bugs, and conducting marketing activities. Plus, you will be worried about your site’s security, as online theft is on the rise.

Security of your ecommerce store must be of top priority, as it involves people logging in and entering their personal details.

For many, WooCommerce is used to create entry-level online shops. According to BuiltWith stats, WooCommerce holds more than 42% of the market share. As the rule goes: the higher the market share, the bigger the chances of getting hacked. Therefore, it is essential to harden the security measures of WooCommerce stores.

13 Security Tips For WooCommerce Stores

In this tutorial, we are going to go over security measures that you should take to secure your WooCommerce store.

Secure WooCommerce Tips

  1. Keep Everything Updated
  2. Use Security Plugins
  3. Use Strong Passwords
  4. Use a Different Username Than “Admin”
  5. Hide Author URL
  6. Use a Secure Hosting
  7. Add SSL certificates
  8. Always Keep Multiple Backups
  9. Use a Premium Theme with Support
  10. Disable Edit Files from Admin
  11. Limit Login Attempts
  12. Disable Pingbacks and Trackbacks
  13. Use a Secure Database Password and Change Database Table Prefix

1. Keep Everything Updated

WordPress occasionally gets a major version release after every four months. It also gets regular security fixes as vulnerabilities are detected in the existing core.

It is not always necessary to upgrade to latest version release of WordPress. For example, if you are currently using WordPress 4.6.x and WordPress 4.7 is released, it may not be compulsory to update to latest version.

However, it is necessary, though, to implement the most recent security releases (e.g. WordPress 4.7.2, the last digit “2” indicates security patch version) as it contains major security patches. You can find complete lists of WordPress versions here.

Apart from updating the WordPress core, you should also keep your themes and plugins updated to fix any vulnerabilities in them.

2. Use Security Plugins

There are many WordPress security plugins available that help a lot in improving the security of your website. It is recommended to use just one of them on your site. Using multiple security plugins will have dire consequences, like breaking your site entirely.

Some of the top security plugins that we recommend are:

  1. Wordfence
  2. iThemes Security
  3. Sucuri Security
  4. All In One WP Security & Firewall

3. Use Strong Passwords

Most websites get hacked because they use weak passwords. Passwords like “password”, “helloworld”, “myname”, and even alphanumeric combinations are considered weak passwords because a Brute Force Attack can easily crack the username and password combination of your website.

To encourage stronger passwords, WordPress comes with built-in feature “Better Passwords” that generates a strong password for its users.

4. Use a Different Username Than “Admin”

Like passwords, using commonplace admin usernames, like “admin” or “storename”, is a bad practice. Combining a strong password with an admin username that is hard to guess can give a hard time to hackers.

To change your current “admin” username, you will need to create a new admin user and log in with that and delete the old “admin” account.

To do this, log in to your WordPress admin, navigate to User -> Add New, create a new account and assign Administrator from available WordPress user roles. After that, logout and login with the new admin account and delete the previous account and associate all previous posts to the new admin user.

5. Hide Author URL

Each time you create a user you get a URL like websitename.com/author/myname. Finding usernames from authors’ archives eliminates one step from hackers checklist. He just needs to crack the password.

It is recommended to change the authors’ archives URL from the username. It can be easily changed by customizing user_nicename under the wp_users table.

6. Use a Secure Hosting

Along with making your WordPress application secure, it is critical to protecting your hosting server if you have your servers by adding firewalls, using strong SSH username and password, and changing permissions on critical files amongst other things.

If you are hosting your ecommerce store on a hosting provider, make sure that the host is using server-level security. Cloudways provides managed WooCommerce servers. What that means is, we take care of the server security and nullify any attack on servers. We also provide SSH and SFTP access and make sure all the communication between you and our servers is encrypted.

A shared hosting environment is cheap but isn’t the most secure option for your ecommerce business. Any other website getting compromised on that server might put the entire server in jeopardy.

7. Add SSL Certificates

Adding SSL to your WooCommerce store is essential, in particular on the checkout and account login and creation pages. As sensitive information is being exchanged between the user and website, it is vital that the information travels over an encrypted channel. Google Chrome also starts marking Non-SSL sites as Not-Secure.

Adding SSL on your website might be complicated on many hosting providers. On Cloudways, you can quickly add an SSL on WooCommerce store. That is not all; you can have many SSL-protected stores on the same Cloudways-managed cloud server.

After SSL is installed, navigate to WooCommerce -> Settings and enable “Force Secure Checkout”.

8. Always Keep Multiple Backups

Keeping backups of your websites must be amongst your top priorities. You should always keep multiple backups of your site. It will give you a peace of mind, as you can easily restore your bug-free website quickly.

You can automate WooCommerce backups by using a UpdraftPlus plugin and make a backup policy.

On Cloudways, we already have a backup system, and the good thing is you do not need to pay extra for it. By default backups of all your websites are taken once a day, but you can set the frequency of backup storage. We even allow hourly updates. Plus, you can easily restore your website to the previous version by just clicking a button.

Backup on Cloudways Server

9. Use a Premium Theme with Support

If you are serious about your ecommerce business, then it is better to invest in a Premium theme that comes with technical support and frequent updates. You can find top-of-the-line WooCommerce themes on ThemeForest or WooThemes or buy directly from popular theme providers, like TeslaThemes.

10. Disable Edit Files from Admin

Another security measure you can take is by disabling the Edit files from the WordPress admin. If a hacker gains access to your WordPress admin, you don’t want him to edit the files freely from the admin panel.
You can easily disable the edit files option for all users by adding the following line of code to your wp-config.php file.

11. Limit Login Attempts

Many security plugins that I mentioned include the possibility of limiting login attempts. Restricting the number of login attempts to your admin panel will block attackers and is the first line of defense against the Brute Force Attacks.

12. Disable Pingbacks and Trackbacks

You don’t need to use this feature for your WooCommerce store. It is better to disable them, as it can be used to carry out low-level DDoS attacks or send automated spammy notifications to your website.

To disable trackbacks and pingbacks, just add the following line of code to .htaccess file.

13. Use a Secure Database Password and Change Database Table Prefix

Just like using a secure WordPress admin password, it is necessary to use a secure MySQL database password and username.

Also, you can change the default “wp_” WordPress database prefix to something else. Changing the prefix is a small security measure, you can read more about it here.

There are many other ways to protect WordPress with .htaccess. Do you have more security tips for protecting Woo stores? Let me know about it in the comments section below. Oh yeah! If it’s your first time on Cloudways, check out our WooCommerce Performance-Optimized Cloud Platform. Woo stores on Cloudways are 100% faster than conventional hosting mediums.

Start Creating Web Apps on Managed Cloud Servers Now!

Easy Web App Deployment for Agencies, Developers and E-Commerce Industry

About Ahsan Parwez

Ahsan is the Community Team Manager at Cloudways - A Managed Cloud Hosting Platform. He loves to solve problems and help Cloudways' clients in any aspect he can. In his free time, you can find him playing RTS PC games.

Stay Connected:

You Might Also Like...

  • Silas Selekane

    Thanks for the tip Ahsan