Running a successful online business involves a lot of work. You will always be adding products, fixing bugs, and conducting marketing activities. Plus, you will be worried about your site’s security, as online theft is on the rise.
Security of your eCommerce store must be a top priority: customers log in and enter personal and payment details, and that is exactly what attackers are after.
WooCommerce is the usual choice for entry-level online shops. According to BuiltWith, it holds more than 42% of the eCommerce platform market, and the bigger the install base, the more attractive a target it is for automated attacks. Hardening a WooCommerce store is therefore essential.
In this tutorial, we are going to go over security measures that you should take to secure your WooCommerce store.
If you haven't built your WooCommerce store yet, check this detailed guide on how to set up a WooCommerce store.
- Keep Everything Updated
- Use Security Plugins
- Use Strong Passwords
- Use a Different Username Than “Admin”
- Hide Author URL
- Use Secure Hosting
- Add SSL Certificates
- Always Keep Multiple Backups
- Use a Premium Theme with Support
- Disable File Editing from the Admin
- Limit Login Attempts
- Disable Pingbacks and Trackbacks
- Use a Secure Database Password and Change Database Table Prefix
1. Keep Everything Updated
WordPress ships a major release roughly every four months, plus minor releases in between whenever security fixes for the core are needed.
Moving to a new major release is not always urgent. If you run WordPress 4.6.x and 4.7 is released, you can wait until you have tested your theme and plugins against it.
Security and maintenance releases within your branch are a different matter. In 4.7.2 the third number counts the minor releases of the 4.7 series, and those releases exist mainly to patch vulnerabilities, so apply them immediately. By default WordPress installs minor releases automatically in the background; if automatic updates have been disabled on your site (for example through the AUTOMATIC_UPDATER_DISABLED or WP_AUTO_UPDATE_CORE constants in wp-config.php), you must apply them by hand. A complete list of WordPress versions is available here.
Themes and plugins need the same attention, since the bulk of disclosed WordPress vulnerabilities are in plugins and themes rather than in the core. Our friends at MalCare have written a detailed guide to updating WordPress safely.
2. Use Security Plugins
Many WordPress security plugins help a lot with hardening a site. Use only one of them: they hook into the same login, firewall and file-scanning points, and running two at once can conflict, slow the site down or even lock you out of it.
Some of the top WooCommerce security plugins that we recommend are:
- MalCare Security Solution
- iThemes Security
- Sucuri Security
- All In One WP Security & Firewall
3. Use Strong Passwords
Many sites get hacked simply because of weak passwords. Passwords like "password", "helloworld", "myname", and short alphanumeric combinations are weak because a brute-force or dictionary attack guesses them quickly once the username is known (and the username is usually easy to find, see point 5).
To encourage stronger passwords, WordPress (4.3 and later) ships a password generator and strength meter on the profile and password reset screens. Use the generated password, store it in a password manager, and require the same of every administrator and shop manager account.
4. Use a Different Username Than “Admin”
As with passwords, obvious administrator usernames such as "admin" or your store name are bad practice: they hand the attacker half of the credential pair. A hard-to-guess username combined with a strong password makes brute-force attacks far less practical.
WordPress does not let you rename a user from the dashboard, so to get rid of "admin" you create a new administrator, log in as that user, and delete the old account.
Log in to your WordPress admin, go to Users -> Add New, create the account and give it the Administrator role. Log out, log back in with the new account, and delete the old one. When WordPress asks what to do with its content, choose "Attribute all content to" and select the new administrator; otherwise the old account's posts, pages and products are deleted along with it.
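The same replacement done from the command line, as an added example that is not part of the original article. It assumes WP-CLI is installed and is run from the site root with `wp eval-file replace-admin.php`; the new login name and e-mail address are placeholders to change first. `wp_generate_password()`, `wp_insert_user()`, `user_can()` and `wp_delete_user()` are WordPress core functions.

```php
<?php
/**
 * Added example (not from the original article): retire the "admin" account
 * from the command line. Assumes WP-CLI is installed; run from the site root:
 *     wp eval-file replace-admin.php
 * $new_login and $new_email are placeholders; change them before running.
 */

$old_login = 'admin';               // the account to retire
$new_login = 'store-ops-8f3k';      // placeholder: pick something not guessable
$new_email = 'owner@example.com';   // placeholder

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::error( "No user named {$old_login}; nothing to do." ); // WP_CLI::error() exits
}
if ( get_user_by( 'login', $new_login ) ) {
    WP_CLI::error( "User {$new_login} already exists; choose another login." );
}

// 24 characters including symbols. WordPress stores only the hash.
$password = wp_generate_password( 24, true, true );

$new_id = wp_insert_user( array(
    'user_login' => $new_login,
    'user_pass'  => $password,
    'user_email' => $new_email,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}

// Never delete the old administrator before proving the new one really is one.
if ( ! user_can( $new_id, 'manage_options' ) ) {
    WP_CLI::error( 'New account lacks manage_options; aborting, nothing deleted.' );
}

// wp_delete_user() lives in an admin include that is not loaded outside wp-admin.
require_once ABSPATH . 'wp-admin/includes/user.php';

// The second argument reassigns every post, page, product and link owned by
// the old account to the new one instead of deleting that content.
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    WP_CLI::error( 'Deleting the old account failed; the new account was kept.' );
}

WP_CLI::success( "Created {$new_login} (ID {$new_id}) and removed {$old_login}." );
WP_CLI::line( "One-time password, store it in a password manager and change it after first login: {$password}" );
```

The script refuses to delete anything until the new account demonstrably has administrator capabilities, and it reassigns the old account's content rather than dropping it. On a multisite network the user must be removed through the network admin (or `wpmu_delete_user()`) instead, since `wp_delete_user()` only removes the user from one site there.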
5. Hide Author URL
Every user gets an author archive URL such as websitename.com/author/myname, built from the user_nicename column, which WordPress sets to the login name by default. The same slug is exposed by the REST API users endpoint and by the redirect WordPress performs for ?author=1, so an attacker can enumerate logins without guessing and only has the password left to crack.
Change the slug so that it no longer matches the login: edit user_nicename in the wp_users table, or update it through wp_update_user(). The author archive URL changes accordingly, so fix any links to it afterwards.
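An added example, not from the original article, that does the nicename change through the WordPress API instead of a raw UPDATE on wp_users, for every account whose slug still equals its login. It assumes WP-CLI is installed (`wp eval-file randomize-author-slugs.php`); the `hc_` helper names are this example's own, while `get_users()`, `wp_update_user()`, `wp_generate_password()`, `sanitize_title()` and `get_author_posts_url()` are core functions.

```php
<?php
/**
 * Added example (not from the original article): give every user whose author
 * slug (user_nicename) still equals the login name a random slug, so that
 * /author/<slug>/ no longer discloses the login. Assumes WP-CLI; run with
 *     wp eval-file randomize-author-slugs.php
 * Going through wp_update_user() rather than SQL keeps the object cache in
 * sync and lets core enforce slug uniqueness for you.
 */

function hc_random_slug( $length = 10 ) {
    // Lowercase alphanumerics only, so the result is a valid, URL-safe nicename.
    return strtolower( wp_generate_password( $length, false, false ) );
}

function hc_randomize_author_slugs() {
    $changed = array();
    $users   = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_nicename' ) ) );
    foreach ( $users as $u ) {
        // Core derives the default nicename with sanitize_title( user_login ).
        if ( $u->user_nicename !== sanitize_title( $u->user_login ) ) {
            continue; // already customised, leave it alone
        }
        $result = wp_update_user( array(
            'ID'            => $u->ID,
            'user_nicename' => hc_random_slug(),
        ) );
        if ( is_wp_error( $result ) ) {
            WP_CLI::warning( "User {$u->ID}: " . $result->get_error_message() );
            continue;
        }
        // Resolve the new archive URL the way WordPress itself builds it.
        $changed[ $u->user_login ] = get_author_posts_url( $u->ID );
    }
    return $changed;
}

foreach ( hc_randomize_author_slugs() as $login => $url ) {
    WP_CLI::line( "{$login} -> {$url}" );
}
```

After running it, /author/<login>/ returns 404 and ?author=1 redirects to the new slug; neither that redirect nor /wp-json/wp/v2/users reveals the login any more, because both expose the slug and the display name, not user_login. For the same reason, set each user's display name to something other than the login, since WordPress defaults it to the login and prints it next to posts and reviews.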
6. Use Secure Hosting
Hardening the application is only half of the job; the server matters just as much. If you run your own server, add a firewall, use strong SSH credentials (preferably keys rather than passwords), and tighten permissions on critical files such as wp-config.php, among other things.
If you host with a provider, make sure they apply server-level security. Cloudways provides managed WooCommerce hosting: we take care of server security and patching and block attacks at the server level, and we provide SSH and SFTP access so that all communication between you and our servers is encrypted.
A shared hosting environment is cheap but not the most secure option for an ecommerce business: if any other website on that server is compromised, the whole server, including your store, may be at risk.
7. Add SSL Certificates
An SSL/TLS certificate is essential for a WooCommerce store, and not only on the checkout, login and registration pages: serve the whole site over HTTPS. Otherwise the session cookie of a logged-in customer or administrator travels over plain HTTP on every other page, which undoes the protection of the encrypted checkout. Sensitive information exchanged between the user and the site must travel over an encrypted channel, and Google Chrome also marks plain HTTP sites as "Not secure".
Adding SSL on your website might be complicated on many hosting providers. On Cloudways, you can quickly add an SSL on WooCommerce store. That is not all; you can have many SSL-protected stores on the same Cloudways-managed cloud server.
After the certificate is installed, set the WordPress Address and Site Address under Settings -> General to https://, add a permanent redirect from http:// to https:// at the web server, and in WooCommerce -> Settings enable "Force Secure Checkout" if your WooCommerce version still offers it (once the site address itself is https:// the option is redundant, and recent versions no longer show it).
8. Always Keep Multiple Backups
Backups belong among your top priorities. Keep several generations, store at least one copy off the server (a backup sitting next to the site is lost together with it), and test a restore now and then, because a backup you have never restored is not a backup. With that in place you can roll back to a known-good copy quickly after a compromise or a bad update.
You can automate WooCommerce backups with the UpdraftPlus plugin and define a backup policy: how often to back up, how many generations to keep, and where they are stored.
On Cloudways, backups are built in at no extra cost. By default every website is backed up once a day; you can change the frequency (down to hourly) and the retention period, and restore a site to a previous version with a single click.
9. Use a Premium Theme with Support
If you are serious about your ecommerce business, then it is better to invest in a Premium theme that comes with technical support and frequent updates. You can find top-of-the-line WooCommerce themes on ThemeForest or WooThemes or buy directly from popular theme providers, like TeslaThemes.
10. Disable File Editing from the Admin
Another measure is to disable the theme and plugin file editors in the WordPress admin. If an attacker gets into an administrator account, the built-in editor lets them write a PHP backdoor into any theme or plugin file without ever touching the server.
You can disable the editors for all users by adding the following line to wp-config.php, above the "That's all, stop editing!" comment:
define( 'DISALLOW_FILE_EDIT', true );
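The line above in context, as an added example (not code from the original article) of a small wp-config.php hardening block that also covers point 7 (HTTPS for the admin area) and the automatic security releases mentioned under point 1. All constants are documented WordPress ones; the X-Forwarded-Proto check is an assumption about your setup, valid only behind a TLS-terminating proxy or load balancer that sets that header and strips it from client requests.

```php
<?php
/* Added example, not code from the original article. Hardening constants for
 * wp-config.php; put them above the "That's all, stop editing!" line. The
 * X-Forwarded-Proto block assumes a TLS-terminating proxy or load balancer
 * that sets that header and strips it from client requests; if Apache/Nginx
 * serves TLS directly, delete that block, since a client could spoof the header. */

/* Point 10: remove the theme/plugin file editors from the dashboard. */
define( 'DISALLOW_FILE_EDIT', true );

/* Stricter: also block plugin/theme installs, updates and deletions from the
 * dashboard. Enable only if code reaches the server another way (WP-CLI, git,
 * your host's tooling); it hides update notices as well, so watch those elsewhere. */
// define( 'DISALLOW_FILE_MODS', true );

/* Point 7: behind a proxy WordPress sees plain HTTP, and FORCE_SSL_ADMIN would
 * then redirect in a loop; tell it the scheme the client actually used. */
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

/* Point 7: require HTTPS for wp-login.php and the whole admin area, and mark
 * the authentication cookies secure. */
define( 'FORCE_SSL_ADMIN', true );

/* Point 1: keep the background installer for minor (security/maintenance)
 * releases on. Minor-only is WordPress's default behaviour; spelling it out
 * documents the decision. Use true to include major releases as well. */
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

DISALLOW_FILE_MODS is left commented out on purpose: it is the right setting for a store deployed from version control or WP-CLI, but on a site that is updated through the dashboard it silently removes the update buttons and notices, which is worse than leaving the editor on.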
11. Limit Login Attempts
Most of the security plugins listed above can limit login attempts. Restricting the number of failed logins per IP address, with a temporary lockout afterwards, is the first line of defense against brute-force attacks on wp-login.php. Make sure the limit also covers xmlrpc.php: its system.multicall method lets an attacker test hundreds of passwords in a single HTTP request, so a plugin that only watches the login form misses most of the traffic.
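As an added example of what such a feature does under the hood (illustration code, not the implementation of any plugin named in this article), a must-use plugin that locks out an IP address after repeated failures. The thresholds are arbitrary choices and the `lla_` names are this example's own; it assumes no reverse proxy in front of PHP, so REMOTE_ADDR is the real client address. `authenticate`, `wp_login_failed` and `wp_login` are core hooks, and the transient functions are core API.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Description: Illustration code, not any of the plugins named in the article.
 * Save as wp-content/mu-plugins/limit-login-attempts.php. After LLA_MAX_ATTEMPTS
 * failed logins from one IP inside LLA_WINDOW, that IP is locked out for
 * LLA_LOCKOUT. Counters live in transients, so this works with or without an
 * object cache.
 */

define( 'LLA_MAX_ATTEMPTS', 5 );
define( 'LLA_WINDOW', 15 * MINUTE_IN_SECONDS );   // sliding window for counting failures
define( 'LLA_LOCKOUT', 30 * MINUTE_IN_SECONDS );  // how long a locked IP stays locked

function lla_client_ip() {
    // Assumption: PHP sees the real client address. Behind a proxy or CDN you
    // must map the proxy's forwarded header here, or every visitor shares one
    // counter and a single attacker can lock out everybody.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lla_key( $ip, $kind ) {
    return 'lla_' . $kind . '_' . md5( $ip ); // md5 keeps the transient name short and safe
}

// Priority 30 runs after WordPress has checked the password (its own check is
// at 20). Returning an error here refuses the login even when the password was
// right, which is the point of a lockout. It covers wp-login.php and
// xmlrpc.php alike, because both go through wp_authenticate().
function lla_refuse_if_locked( $user, $username, $password ) {
    $until = get_transient( lla_key( lla_client_ip(), 'lock' ) );
    if ( false === $until ) {
        return $user;
    }
    $minutes = max( 1, (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS ) );
    return new WP_Error(
        'lla_locked_out',
        sprintf( 'Too many failed login attempts. Try again in %d minute(s).', $minutes )
    );
}
add_filter( 'authenticate', 'lla_refuse_if_locked', 30, 3 );

function lla_record_failure( $username ) {
    $ip = lla_client_ip();
    if ( false !== get_transient( lla_key( $ip, 'lock' ) ) ) {
        return; // already locked: refused attempts must not extend the window
    }
    $count_key = lla_key( $ip, 'count' );
    $failures  = (int) get_transient( $count_key ) + 1;
    if ( $failures >= LLA_MAX_ATTEMPTS ) {
        set_transient( lla_key( $ip, 'lock' ), time() + LLA_LOCKOUT, LLA_LOCKOUT );
        delete_transient( $count_key );
        error_log( sprintf( 'lla: locked out %s after %d failures (last username tried: %s)', $ip, $failures, $username ) );
        return;
    }
    set_transient( $count_key, $failures, LLA_WINDOW ); // each failure restarts the window
}
add_action( 'wp_login_failed', 'lla_record_failure' );

function lla_clear_on_success() {
    delete_transient( lla_key( lla_client_ip(), 'count' ) );
}
add_action( 'wp_login', 'lla_clear_on_success' );
```

The error_log() line is there for a reason: lockouts are the signal you want in your server logs, since a burst of them across many IPs is how a distributed brute-force attempt shows up. Note that the password is still verified before the lockout check runs; that keeps the hook order simple, at the cost of CPU time spent on attempts that are refused anyway.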
12. Disable Pingbacks and Trackbacks
A WooCommerce store has no use for pingbacks or trackbacks. Disable them: the XML-RPC pingback method makes your server fetch a URL chosen by the caller, which lets attackers use your site as a reflector in low-level DDoS attacks, and both features deliver automated spam to your site.
Pingbacks arrive through xmlrpc.php, so blocking that file in .htaccess shuts them off (along with every other XML-RPC client, including Jetpack and the WordPress mobile apps, so check that you do not depend on those first):
# START XML RPC BLOCKING
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# FINISH XML RPC BLOCKING
The Order/Deny syntax is Apache 2.2; on Apache 2.4 use Require all denied inside the <Files> block instead, and on Nginx an equivalent location rule is needed because .htaccess is not read at all. Trackbacks use wp-trackback.php rather than XML-RPC, so also uncheck "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts" under Settings -> Discussion and close pings on existing posts.
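The same result enforced inside WordPress, as an added example that is not part of the original article: a must-use plugin that closes pingbacks and trackbacks on all content (including old posts) and removes the pingback method from XML-RPC even if you need to keep XML-RPC itself. The `DP_DISABLE_XMLRPC` constant is this example's own; `xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `pings_open` and the `pre_option_*` filters are core hooks.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks and Trackbacks (added example)
 * Description: Added example, not from the original article. Save as
 * wp-content/mu-plugins/disable-pings.php. Closes pingbacks and trackbacks
 * on all content, stops advertising the pingback endpoint, and (optionally)
 * turns off XML-RPC entirely.
 */

// Set to false (for example in wp-config.php) if a service you rely on needs
// XML-RPC: Jetpack, the WordPress mobile apps, some remote-publishing tools.
// The pingback method is removed either way.
if ( ! defined( 'DP_DISABLE_XMLRPC' ) ) {
    define( 'DP_DISABLE_XMLRPC', true );
}

if ( DP_DISABLE_XMLRPC ) {
    // Makes every authenticated XML-RPC call fail. On its own this does NOT
    // stop pingback.ping, which needs no login; hence the next filter as well.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Remove the pingback methods, so the site cannot be abused as a reflector
// (pingback.ping makes the server fetch an attacker-chosen URL).
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop announcing the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Report every post as closed to pings. wp-trackback.php and pingback.ping
// both check pings_open(), so incoming trackbacks and pingbacks are rejected
// even on old posts whose ping_status is still "open", and themes that guard
// <link rel="pingback"> with pings_open() stop printing it.
add_filter( 'pings_open', '__return_false', 20 );

// Defaults for new posts: pings closed, and do not send outgoing pingbacks.
add_filter( 'pre_option_default_ping_status', function () { return 'closed'; } );
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );
```

Keep the .htaccess rule above as well where you can: it stops the request before PHP is even started, while this plugin is what protects you on hosts where .htaccess is not honoured or where XML-RPC has to stay reachable for Jetpack or the mobile apps.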
13. Use a Secure Database Password and Change Database Table Prefix
Just as with the WordPress admin password, use a long random password for the MySQL user in wp-config.php, and give that user privileges only on the store's database rather than reusing a shared or root account.
You can also change the default "wp_" table prefix to something else. Treat this as minor obfuscation rather than a real control: it defeats only the laziest automated scripts, because an attacker with a working SQL injection can read the real table names from information_schema. You can read more about it here.
There are many other ways to protect WordPress with .htaccess. Do you have more WooCommerce security tips for protecting Woo stores? Let me know in the comments section below. And if it's your first time on Cloudways, check out our WooCommerce Performance-Optimized Cloud Platform: Woo stores on Cloudways are 100% faster than conventional hosting mediums.