WooCommerce sites certainly have unique needs in terms of web security, and as e-commerce increases worldwide, so does the risk of fraud and security breaches.
Online security really is a basic requirement, just like the health inspection rating of a restaurant, and any issues that arise in your online store can undermine your web visitor’s trust.
While there is no 100% guarantee when it comes to security, you can protect your visitors and business by implementing these key protocols.
1. Implementing Server-Level Security Measures
When it comes to website security, your hosting server is the first line of defense. Even if you have the best security plugins and measures on your WordPress site, a breach on the hosting level will make those tools useless.
When evaluating hosting options, consider that a more dedicated environment means that there is less risk of another site on the server compromising yours. Be very careful placing a WooCommerce site on a budget, shared hosting environment with minimal security.
Look for quality WordPress hosting options where there are security measures on the server-level, such as disk write protections and limitations. Disk write protection means that the hosting server limits the processes that can write to disk, making it harder for a hacker to exploit a theme or plugin vulnerability. In a similar way, disk write limitations mean that any attempts to write to the disk are logged, which can help with spotting malicious activity.
While an SSL certificate is now a best practice for all sites, it’s a requirement for WooCommerce sites for PCI security standards. So, make sure to configure (and renew) your SSL certificate with the hosting company.
Lastly, your hosting server and website should be regularly updated to the latest PHP version. Older versions of PHP often have security vulnerabilities that are no longer patched. Just as you upgrade WordPress and your plugins, your website and server should be running the latest PHP for both security and performance. WordPress has started to encourage website owners to stay on top of these updates by notating outdated PHP versions in the WordPress Site Health check.
2. Staying on Top of Plugin & Security Updates
Performing regular plugin updates and staying on top of the WordPress core releases is one of the most important security steps. A common source of infection for hacked sites is a vulnerability in an outdated plugin or theme. In 2019, Sucuri reported that 56% of hacked sites were outdated at the time of infection.
For WooCommerce sites, it’s critical to stay on top of the latest updates for WooCommerce as these often include security patches and maintenance fixes. For example, the WooCommerce 4.6.2 update was released in November 2020 and it included a fix for a bug that allowed anonymous users to create an account during checkout even if this setting was turned off in the dashboard. WooCommerce encouraged site owners to implement this update immediately. Delaying on these types of updates can leave your e-commerce site exposed to such security risks.
Some site owners may postpone doing plugin updates out of fear that these updates may cause things to break on the site or result in a WooCommerce maintenance issue. For this reason, it’s a great practice to perform all plugin updates in a staging area or production environment first before implementing them on your live site.
Even if you are actively maintaining your plugins, it’s possible that one of those installed plugins may be abandoned by its developer. WordPress actively removes these types of plugins from the repository because they can pose a security and performance risk.
However, with over 50,000 plugins available in the WordPress repository and numerous WooCommerce extensions, it can be difficult to catch these removals. The free or paid WordFence plugin can be a great resource and once installed, WordFence will send notifications if any installed plugins on your site have been removed and are a security risk.
3. Set up Security Monitoring
While hosting level security and regular maintenance will reduce the opportunities for hackers, it still won’t cover all the bases. Unfortunately, there are constantly new threats on the horizon, some of which are automated attacks on WordPress and WooCommerce sites. It’s impossible to block those 24/7 on your own. Thanks to security monitoring tools, you won’t have to.
Consider setting up 24/7 security monitoring on your WooCommerce site to detect any malware or breaches to the site. Both the free and premium version of the WordFence plugin and Sucuri’s paid services are popular choices for WordPress sites. These solutions offer a malware scanner and will alert your team of any suspicious activity. The paid services can also include an automatic removal of malware, which can assist in quickly cleaning up the site after any security issues.
As another security practice, it’s best to minimize the number of WordPress administrator accounts. Review the accounts every few months and actively remove any previous employees or old vendors who should no longer have access to the site.
For an e-commerce site where any downtime can impact sales, you may also want to consider additional security with a web application firewall (WAF) through services such as Cloudflare or Sucuri. This can protect the site against malicious bot traffic or a DDoS attack, which is intended to take your server or website down by flooding it with bad requests.
4. PCI-DSS Compliance & Anti-Fraud Measures
While the previous security protocols can be implemented on informational sites as well, this measure is specifically applicable to e-commerce sites.
Every website that processes credit card transactions must comply with PCI-DSS – Payment Card Industry Data Security Standard. These global standards were established to help reduce credit card fraud.
One of the best ways to comply with these requirements is to use a secure payment gateway. Stripe, PayPal and Authorize.Net are all popular options. WooCommerce also supports these standards by never storing credit card details within the site. If you are setting up your own e-commerce site, make sure to never set up a basic form that stores credit card information within the site. Instead, using one of the best WooCommerce gateway plugins is the safer choice.
Unfortunately, even if you are following these standards and using a secure payment gateway, your online store can be negatively impacted by e-commerce fraud. It’s fairly common to see users testing stolen credit card accounts on an e-commerce site. The WooCommerce Anti-Fraud extension is a great resource for detecting fraudulent transactions. The plugin labels each transaction with a risk score and it can be configured to automatically cancel or pause suspicious transactions.
Lastly, it’s important to protect your site against automated bots that could be creating fake accounts and guest orders on the site. The best defense is to set up Google recaptcha on all of the WooCommerce checkout forms by using the Recaptcha for WooCommerce extension.
5. Taking Daily Database Backups
This last security protocol is your safety net. While all of the previous steps will help you avoid security breaches, if the worst case scenario occurs and your site is hacked, having a backup of your WordPress site and database is a lifesaver.
When a site is hacked, you’ll typically go through a clean up process and remove all of the malware and infected files. Sadly, there are some cases where a site is hacked so badly that critical information and files are lost in the process. In this scenario, having a clean backup of the site is vital and means that you don’t have to rebuild the entire site.
There are hosting environments that offer an automatic daily backup of the site on the server level. If you don’t have this option, you can also utilize a WordPress plugin to take automatic backups of the site on a daily or weekly basis. Or follow this guide on how to backup WooCommerce to be sure your ecommerce site is safe.
Depending on your solution, watch the settings in terms of how long the files are stored. These backup files are typically quite large. If the backups are stored on the site or server level, this can increase the database size of your site, leading to higher hosting costs. One way to mitigate this is to set up checkpoints and make sure older backups are only stored for a certain period of time.
Be careful when automatically restoring a backup for WooCommerce sites, however, because it will overwrite any transactions that came in since the backup was taken. A skilled web development team can make sure to properly use the files if you are facing a security issue.