13 Security Tips for WooCommerce Stores

Updated on June 18, 2021


Running a successful online business involves a lot of work. You will always be adding products, fixing bugs, and conducting marketing activities. Plus, you will be worried about your site’s security, as online theft is on the rise.

The security of your eCommerce store must be a top priority, because customers log in and enter their personal details on it.

Many people use WooCommerce to create entry-level online shops. According to BuiltWith stats, WooCommerce holds more than 42% of the market share. As the rule goes, the higher the market share, the bigger the chance of getting hacked. It is therefore essential to harden the security of WooCommerce stores.

In this tutorial, we are going to go over security measures that you should take to secure your WooCommerce store.

If you haven’t built your WooCommerce store yet, check out this detailed WooCommerce tutorial guide.

1. Keep Everything Updated

WordPress gets a major version release roughly every four months. It also gets regular security fixes as vulnerabilities are found in the existing core.

It is not always necessary to upgrade to the latest major release of WordPress. For example, if you are currently running WordPress 4.6.x and WordPress 4.7 is released, updating to it may not be compulsory.

It is necessary, however, to apply the most recent security releases (e.g. WordPress 4.7.2, where the last digit “2” indicates the security patch version), as they contain important security patches. You can find the complete list of WordPress versions here.

Apart from updating the WordPress core, you should also keep your themes and plugins updated to fix any vulnerabilities in them. Our friends at MalCare have written a detailed guide to updating WordPress safely.
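To make the branch-versus-patch rule above concrete, here is an added Python example (not code from the original article or from WordPress) that decides whether an installed version is missing a point release within its own branch, and separately reports a newer branch as optional. The release list is constructed for illustration; in practice it would come from the WordPress.org version list linked above.

```python
from typing import Optional


def parse_version(version: str) -> tuple:
    """'4.7.2' -> (4, 7, 2); a branch release such as '4.7' -> (4, 7, 0)."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected WordPress version format: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def format_version(v: tuple) -> str:
    """Inverse of parse_version, written the way WordPress writes it ('4.7', '4.7.2')."""
    major, minor, patch = v
    return f"{major}.{minor}" if patch == 0 else f"{major}.{minor}.{patch}"


def pending_security_release(installed: str, released: list) -> Optional[str]:
    """Newest point release in the installed branch that is newer than what is
    installed (the article's 'apply this now' case), or None if fully patched."""
    inst = parse_version(installed)
    same_branch = [r for r in map(parse_version, released)
                   if r[:2] == inst[:2] and r > inst]
    return format_version(max(same_branch)) if same_branch else None


def newer_branch_available(installed: str, released: list) -> Optional[str]:
    """Newest release in a later branch (the article's 'optional' case), or None."""
    inst = parse_version(installed)
    newer = [r for r in map(parse_version, released) if r[:2] > inst[:2]]
    return format_version(max(newer)) if newer else None


def update_advice(installed: str, released: list) -> str:
    """One-line triage decision for a site running `installed`."""
    patch = pending_security_release(installed, released)
    if patch:
        return f"apply security release {patch} now"
    branch = newer_branch_available(installed, released)
    if branch:
        return f"branch is patched; newer release {branch} is optional"
    return "fully up to date"


# Constructed release list for illustration (not the real WordPress release history).
RELEASED = ["4.6", "4.6.1", "4.6.2", "4.7", "4.7.1", "4.7.2"]

if __name__ == "__main__":
    for site_version in ("4.6.1", "4.6.2", "4.7", "4.7.2"):
        print(f"{site_version:>6}: {update_advice(site_version, RELEASED)}")
```

A site on 4.6.1 is told to apply 4.6.2 rather than jump to 4.7, which matches the article's advice that security releases within a branch are mandatory while the next major release is not.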

2. Use Security Plugins

There are many WordPress security plugins that help a lot in improving the security of your website. It is recommended to use just one of them on your site: running multiple security plugins can have dire consequences, such as breaking your site entirely.

Some of the top WooCommerce security plugins that we recommend are:

  1. MalCare Security Solution
  2. iThemes Security
  3. Sucuri Security
  4. All In One WP Security & Firewall
  5. Wordfence

3. Use Strong Passwords

Most websites get hacked because they use weak passwords. Passwords like “password”, “helloworld”, “myname”, and even simple alphanumeric combinations are considered weak because a brute-force attack can quickly crack such a username and password combination.

To encourage stronger passwords, WordPress comes with a built-in feature “Better Passwords” that generates a strong password for its users.

4. Use a Different Username Than “Admin”

Like passwords, using a commonplace admin username such as “admin” or “storename” is bad practice. Combining a strong password with an admin username that is hard to guess makes an attacker’s job much harder.

To change your current “admin” username, you will need to create a new admin user, log in as that user, and delete the old “admin” account.

To do this, log in to your WordPress admin, navigate to Users -> Add New, create a new account and assign it the Administrator role from the available WordPress user roles. After that, log out, log in with the new admin account, delete the previous account, and when prompted attribute all of its posts to the new admin user.

5. Hide Author URL

Each time you create a user, WordPress gives them an author archive URL such as websitename.com/author/myname. Harvesting usernames from author archives removes one step from the attacker’s checklist: they only need to crack the password.

It is recommended to change the author archive URL so that it no longer reveals the username. The slug comes from the user_nicename column of the wp_users table, which can easily be changed.

6. Use a Secure Hosting

Along with making your WordPress application secure, it is critical to protect your hosting server if you run your own servers: add firewalls, use a strong SSH username and password, and tighten the permissions on critical files, among other things.

If you are hosting your ecommerce store with a hosting provider, make sure that the host uses server-level security. Cloudways provides managed WooCommerce hosting, which means we take care of server security and nullify attacks on the servers. We also provide SSH and SFTP access and make sure all communication between you and our servers is encrypted.


A shared hosting environment is cheap but isn’t the most secure option for your ecommerce business: if any other website on that server is compromised, the entire server may be put in jeopardy.

7. Add SSL Certificates

Adding SSL to your WooCommerce store is essential, in particular on the checkout, account login, and account creation pages. Because sensitive information is exchanged between the user and the website, it is vital that it travels over an encrypted channel. Google Chrome has also started marking non-SSL sites as “Not Secure”.

Adding SSL to your website can be complicated on many hosting providers. On Cloudways, you can quickly add an SSL certificate to a WooCommerce store. That is not all: you can have many SSL-protected stores on the same Cloudways-managed cloud server.

After SSL is installed, navigate to WooCommerce -> Settings and enable “Force Secure Checkout”.

8. Always Keep Multiple Backups

Keeping backups of your websites must be among your top priorities, and you should always keep multiple copies. It gives you peace of mind, because you can quickly restore a known-good version of your site.

You can automate WooCommerce backups with the UpdraftPlus plugin and define a backup policy.

On Cloudways, a backup system is already included, and you do not need to pay extra for it. By default, backups of all your websites are taken once a day, but you can change the frequency; we even allow hourly backups. Plus, you can restore your website to a previous version with a single click.

Backup on Cloudways Server

9. Use a Premium Theme with Support

If you are serious about your ecommerce business, then it is better to invest in a Premium theme that comes with technical support and frequent updates. You can find top-of-the-line WooCommerce themes on ThemeForest or WooThemes or buy directly from popular theme providers, like TeslaThemes.

10. Disable Edit Files from Admin

Another security measure you can take is disabling file editing from the WordPress admin. If an attacker gains access to your WordPress admin, you don’t want them to be able to edit theme and plugin files freely from the admin panel.
You can disable the file editor for all users by adding the following line to your wp-config.php file.

// Removes the theme and plugin file editors from the WordPress dashboard
define( 'DISALLOW_FILE_EDIT', true );

11. Limit Login Attempts

Many of the security plugins mentioned above include the option to limit login attempts. Restricting the number of login attempts to your admin panel blocks attackers who keep guessing and is the first line of defense against brute-force attacks.

12. Disable Pingbacks and Trackbacks

A WooCommerce store does not need pingbacks or trackbacks. It is better to disable them, because they can be used to carry out low-level DDoS attacks or to send automated spam notifications to your website.

To disable trackbacks and pingbacks at the web-server level, add the following lines to your .htaccess file.

# START XML RPC BLOCKING
# Deny all requests to xmlrpc.php (remote pingbacks/trackbacks arrive here; note that Jetpack and the WordPress mobile apps also use this endpoint)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>
# FINISH XML RPC BLOCKING
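The two abuse patterns in tips 11 and 12 (repeated login guesses and floods of pingback requests) both show up in the web server’s access log as bursts of POST requests to wp-login.php and xmlrpc.php from one client. As an added example that is not part of the original article, the following Python script counts such requests per client IP in a sliding window and reports the IPs that cross a threshold, which is the same idea a login-limiting plugin or a fail2ban jail applies at the server level. The log lines are constructed (RFC 5737 documentation addresses), and the threshold and window values are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two endpoints whose POST traffic the article's tips 11 and 12 are about.
WATCHED = {
    "/wp-login.php": "login brute force",
    "/xmlrpc.php": "XML-RPC pingback/trackback abuse",
}


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # malformed lines are skipped, never fatal
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore any query string
        "status": int(m["status"]),
    }


def find_abusers(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {(ip, path): peak} for every client whose POSTs to a watched endpoint
    reached `threshold` within any `window`-long interval (sliding window, so a
    slow trickle spread over hours is not flagged)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in WATCHED:
            continue
        hits[(rec["ip"], rec["path"])].append(rec["ts"])

    flagged = {}
    for key, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def block_list(lines, **kw) -> list:
    """Distinct client IPs worth blocking at the firewall or in the security plugin."""
    return sorted({ip for ip, _ in find_abusers(lines, **kw)})


def _entry(ip, hhmmss, request, status):
    # Constructed log line in combined format; date taken from the article's own date.
    return f'{ip} - - [18/Jun/2021:{hhmmss} +0000] "{request} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample traffic (documentation addresses, not real clients):
#  - 203.0.113.7 posts to wp-login.php six times in under a minute, then once more half an hour later
#  - 198.51.100.2 is a normal shopper with a single successful login
#  - 203.0.113.9 fires five pingback POSTs at xmlrpc.php in twelve seconds
#  - one malformed line to show the parser skipping it
SAMPLE_LOG = (
    [_entry("203.0.113.7", f"10:00:{s:02d}", "POST /wp-login.php", 200) for s in range(0, 60, 10)]
    + [_entry("203.0.113.7", "10:30:00", "POST /wp-login.php", 200)]
    + [_entry("198.51.100.2", "10:01:00", "GET /shop/", 200),
       _entry("198.51.100.2", "10:01:05", "POST /wp-login.php", 302)]
    + [_entry("203.0.113.9", f"10:02:{s:02d}", "POST /xmlrpc.php", 200) for s in range(0, 15, 3)]
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for (ip, path), peak in find_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to {path} within 5 min ({WATCHED[path]})")
    print("block:", block_list(SAMPLE_LOG))
```

The seventh login attempt from 203.0.113.7 falls outside the five-minute window, so the reported peak stays at six; the shopper with one login is never flagged. With the .htaccess rule above in place, the xmlrpc.php requests would return 403, but counting them is still useful for spotting which clients to block outright.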

13. Use a Secure Database Password and Change Database Table Prefix

Just like using a secure WordPress admin password, it is necessary to use a secure username and password for the MySQL database.

You can also change the default “wp_” WordPress database table prefix to something else. Changing the prefix is a small security measure; you can read more about it here.
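Changing the prefix is more than renaming tables: WordPress also stores the prefix inside data, namely the wp_user_roles row in wp_options and the wp_capabilities and wp_user_level keys in wp_usermeta, and $table_prefix in wp-config.php must be updated to match, otherwise every account loses its role. The following Python helper is an added example (not from the article or from WordPress) that generates the SQL for a review-then-run migration from the output of SHOW TABLES; the table list and the new prefix shop7x_ are constructed. Take a backup (tip 8) before running the output.

```python
import re


def quote_ident(name: str) -> str:
    """Backtick-quote a MySQL identifier."""
    return "`" + name.replace("`", "``") + "`"


def quote_str(value: str) -> str:
    """Single-quote a MySQL string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def like_prefix(prefix: str, esc: str = "|") -> str:
    """LIKE pattern for 'starts with prefix'. '_' and '%' are wildcards in LIKE,
    so 'wp_' must become 'wp|_%' (used together with ESCAPE '|')."""
    return "".join(esc + ch if ch in (esc, "_", "%") else ch for ch in prefix) + "%"


def rewrite_expr(column: str, old: str, new: str) -> str:
    """SQL expression replacing the leading old prefix of `column` with the new one."""
    return f"CONCAT({quote_str(new)}, SUBSTRING({column}, {len(old) + 1}))"


def prefix_change_sql(old: str, new: str, tables) -> list:
    """Statements that move a WordPress install from prefix `old` to `new`.
    `tables` is the list of existing table names (e.g. from SHOW TABLES);
    tables that do not carry the old prefix are left alone."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        raise ValueError("WordPress table prefixes may contain only letters, digits and underscores")
    if old == new:
        raise ValueError("old and new prefix are identical")

    stmts = []
    for table in tables:
        if not table.startswith(old):
            continue
        stmts.append(f"RENAME TABLE {quote_ident(table)} TO {quote_ident(new + table[len(old):])};")

    # The prefix is also embedded in data: wp_user_roles in options, and
    # wp_capabilities / wp_user_level (and friends) in usermeta.
    pattern = f"LIKE {quote_str(like_prefix(old))} ESCAPE '|'"
    stmts.append(
        f"UPDATE {quote_ident(new + 'options')} SET option_name = "
        f"{rewrite_expr('option_name', old, new)} WHERE option_name {pattern};"
    )
    stmts.append(
        f"UPDATE {quote_ident(new + 'usermeta')} SET meta_key = "
        f"{rewrite_expr('meta_key', old, new)} WHERE meta_key {pattern};"
    )
    return stmts


def wp_config_line(new: str) -> str:
    """The matching wp-config.php change; apply it at the same time as the SQL."""
    return f"$table_prefix = '{new}';"


# Constructed table list standing in for SHOW TABLES output.
TABLES = ["wp_options", "wp_users", "wp_usermeta", "wp_posts", "other_app_data"]

if __name__ == "__main__":
    print("\n".join(prefix_change_sql("wp_", "shop7x_", TABLES)))
    print("-- wp-config.php:", wp_config_line("shop7x_"))
```

The updates run against the already renamed options and usermeta tables, so the statements are meant to be executed in the order returned, inside one maintenance window with the site offline.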

There are many other ways to protect WordPress with .htaccess. Do you have more WooCommerce security tips for protecting Woo stores? Let me know in the comments section below. Oh yeah! If it’s your first time on Cloudways, check out our WooCommerce Performance-Optimized Cloud Platform. Woo stores on Cloudways are 100% faster than on conventional hosting.

Ahsan Parwez

Ahsan is the Community Team Manager at Cloudways. He loves to solve problems and help Cloudways' clients in any aspect he can. In his free time, you can find him playing RTS PC games.
