WooCommerce Security: The 7 Things You Should Do First

Originally Published on Woocommerce.com By Nicole Kohler

While security measures are built into WordPress and WooCommerce out of the box, there are a few basic things new store owners should be doing to keep their customers, team, and data safe in the event of those worst-case scenarios.

Here are the seven things all new WooCommerce store owners should do first.

New store? Quickly detect fraudulent transactions with WooCommerce Anti-Fraud.

1. Choose a reputable host — it starts with them

You shouldn’t put your new store just anywhere — making a poor choice in host can put both you and your customers at risk. Choose a reputable, reliable host that makes site security one of their top priorities:

Ideally, you should seek out managed WordPress hosting from a company that clearly states what they do to make your safety and security a priority. Look for features like:

  • Attack monitoring and prevention
  • Proactive reviews and patches of security threats like core WordPress bugs, plugin exploits, and so on
  • Up-to-date server software (using the most recent versions of PHP, etc.)
  • Ability to isolate and prevent the spreading of infections so that a hacked site or virus cannot move to other sites on the same shared server

The hosts you evaluate should have a page on security on their site, so you can find this information out on your own. If you have to dig deeper or send emails to get answers, it might be a sign to steer clear.

Create (and safely store) strong passwords

While safety might start with your host, it’s up to you to follow through. The next step you’ll want to take, when it comes to setting up your store, is picking secure passwords for any and all accounts associated with your store.

This means:

Using a different password than you do for other accounts
Creating a password that has a mixture of capital letters, lowercase letters, numbers, and symbols
Avoiding dictionary words, anniversaries, birthdays, or other combinations that could be easily guessed
Prioritizing length — the longer and more complex a password is, the harder it is to crack, even by a program

Worried about whether or not your passwords are truly secure? Fear not: since the release of version 2.5 of WooCommerce, we have a password strength indicator built in that pops up whenever a new account is being created:

There are also often built-in password creators in your favorite password management applications, or if you’re using Chrome, you can enable its own secure password generator. So you might not even need to think about the passwords you’re creating — the apps can handle that for you.

Think remembering these passwords is going to be tricky? Check out a password manager like LastPass or 1Password (our personal favorite here at Woo) to safely store and retrieve your data. They’re easy to use and make security surprisingly convenient.

2. Enable two-factor authentication (2FA)

Of course, a strong password on your store’s admin login might not be enough. If someone gains access to your email or another account, they might still be able to gather enough information to reset your password and log in anyway.

Two-factor authentication, most commonly abbreviated as 2FA, is a fantastic way to safeguard all of your online accounts against unwanted intruders. 2FA relies on a second step — typically your smartphone — to validate logins and verify that you are the owner of any given account.

You should ideally enable 2FA on all of your accounts. Under normal circumstances, an individual who successfully gains access to your email account could potentially find the login information for your store and other accounts. But with 2FA, they won’t have the ability to physically validate the logins and gain access.

It’s true that adding this second step also adds a little more time to your login process. But again, it’s absolutely worth the peace of mind knowing all that sensitive data is safe.

Looking for an app to manage your 2FA details? Try Google Authenticator — it’s free, and it’s available for both iOS and Android devices. Logins can be added in seconds with barcodes and codes accessed with just one simple click.

Set up Google Authenticator on your smartphone (for free!) to make 2FA a breeze.

3. Limit brute force login attempts

Even with the best passwords in the world and 2FA enabled, some unsavory individuals still might try to brute force their way into your store. Luckily, there’s a simple way to keep them out.

Jetpack’s optional Security Features, namely Jetpack Protect, allow you to limit the number of times anyone can unsuccessfully attempt to log into your store before their IP address is blocked. Malicious login attempts are stopped in their tracks, keeping attackers out in the cold where they belong.

Jetpack will even show you what it’s done for your site thus far. Peace of mind right on your Dashboard.

Jetpack does, of course, allows you to whitelist one IP address so that forgotten or mistyped passwords don’t cause problems for you. And you can also clear additional IPs via your WordPress settings, if you desire.

4. Add additional site security

So far we’ve discussed host security and password security. But you need an active defense against potential attackers, especially those who aim to harm your store rather than access your data.

We’ve already mentioned Jetpack, and here’s another instance where it can lend a hand. Jetpack’s security features give you multiple levels of protection and support, including:

Automated, real-time backups and restores
Daily security scans to ensure all is well, no suspicious code is active on your server, and no data has been compromised
Protection against review and comment spam

Jetpack keeps your store safe from harm, whether it comes in the form of malicious code injections or annoying comments. Learn about all of these security features, and the available plans containing them, on this page.

5. Check and adjust the settings on your FTP directories

Here’s a simple precaution that should only take you a few minutes at most: locking down your site’s sensitive directories via FTP.

Insecure shared hosting environments or compromised passwords might make it possible for an individual to access your site’s FTP, where they could upload harmful files to your WordPress directories. But limiting the write access on these directories can keep them out and reduce or even completely eliminate the potential for damage.

Ensure that only your FTP account has write access to the following folders:

The root directory (excluding .htaccess if you use a WordPress plugin to set up URL redirects)

You will also need to give your server write access to wp-content.

For more details on locking down your FTP, have a look at this section of the WordPress Codex.

6. Learn how to safely update your site and create backups

The final security tip we have for those of you just starting out is this: don’t ignore updates.

The process of updating WordPress core, WooCommerce, and your plugins or extensions might seem like a hassle after a while. Since we recommend making a backup at the very minimum, and also suggest testing major updates on a staging site, you might be tempted to let those updates slide until “later.”

“Later” is the perfect time for an individual educated on exploits and insecurities to access your store, though! Updates are released for a reason, and they often make your site more secure. So by ignoring them, you could be putting yourself — and your customers — at risk.

The best way to approach this? Set aside a time each month, every two weeks, or even each week to review your updates, make backups, test them, and deploy to your site. Put an appointment on your calendar if you need to — just make time for the process.

If you work updates into your routine, just as you do every other security tip we’ve suggested in this post, it will quickly become less of a hassle and more of an everyday occurrence. And soon, you’ll be running an attack-proof store without even realizing it, or giving any mind to putting things off until “later.”

When starting your store, make security a priority

It’s easy to lose sight of security in all the hustle and bustle of launching your store, but it’s not something you should take lightly. Keeping your customers’ data — and your own — safe should be a top priority from the very start.

To review, here are the seven things you should do first to secure your WooCommerce store:

1.Choose a reputable, reliable host who makes security a top priority
2.Create strong passwords for your store, and keep them safe in a password manager
3.Use 2FA on all of your accounts to prevent logins from those who might guess or otherwise locate your passwords
4.Enable Jetpack Protect to limit bruce force login attempts
5.Add security to your site with a paid Jetpack plan
6. Check the settings on your FTP directories to ensure no one can write to sensitive folders or files
7.Anticipate updates to WordPress and WooCommerce core, and make plans to address them at specific times

By following these simple steps, you’ll create the groundwork for a safe, trustworthy store that is well-protected in the rare event of an attack.

Have any suggestions for new store owners who are just beginning to think about the topic of WordPress and WooCommerce security? We’d love to hear from you in the comments.