08/03/2022

8 Steps To Keep Your Woocommerce Store Secure

Although WordPress and WooCommerce have security features built in, there are some basic things that new store owners can do to ensure their customers, employees, and data are safe in the worst-case scenario.

These are eight things that all WooCommerce store owners need to do.

1. Select a reliable host

Hosting providers store your website files and database and serve them to visitors from anywhere in the world. Choosing the wrong host can put you and your customers at risk.

Look for a host that understands WordPress security and can state clearly what it does to keep your store safe.

You should look for:

  • SSL certificates that protect customer data such as addresses and phone numbers.
  • Backups that let you restore your site if something goes wrong.
  • Attack prevention and monitoring so you can see immediately if there is malware in your files.
  • A server firewall that blocks attackers from accessing files.
  • Isolation of malicious files, so that viruses or malware cannot spread to other sites and folders on the server.
  • Access to support 24/7, just in case.

Any host you are considering should have a security page where you can verify that it offers these features. If you have to email the host or dig to find answers, that may be a sign to steer clear.

This list of hosting providers can be a great place for you to start.

2. Create strong passwords and store them safely

Security may start with your host, but much of it is up to you. Use secure passwords for every account associated with your store.

Here is how:

  • Use a unique password for each account.
  • Use a combination of lowercase and uppercase letters.
  • Avoid words, birthdays, and other phrases that could easily be guessed.
  • Prioritize length: the longer and more complex a password is, the harder it is to crack.

Concerned about your password security? WordPress comes with a built-in password generator that creates complex passwords that are difficult to guess.

Remembering difficult passwords can be tricky, though. A password manager such as LastPass or 1Password is an excellent solution, and one we use ourselves at Woo. These password managers store your passwords securely and auto-fill them on your favorite sites.

3. Enable two-factor authentication (2FA)

If someone gains access to your email address or another account, they may be able to gather enough information to reset your password and log in.

Two-factor authentication, also known as 2FA, is a great way to protect your online accounts from intruders. 2FA requires a second step, typically on your smartphone, to verify each login and confirm that you are the account owner.

Enable 2FA on every account. Without it, someone who gets into your email account could find login details for your other accounts; with it, they still cannot complete a login without physical access to your mobile device.

This second step can add a bit more time to the login process. It’s worth it to have the assurance that your sensitive data is safe.

Jetpack allows you to implement two-factor authentication free of charge.

4. Prevent brute force attacks

In a brute force attack, attackers use bots that guess thousands upon thousands of username/password combinations until they find the right one. A successful guess gives them access to your site, and the flood of login attempts can also slow your site down.

Jetpack’s brute force attack protection is a great tool to stop them. It blocks known malicious IP addresses before they ever reach your site.

5. Add extra layers of protection to your site

While we’ve already covered several ways to secure your website, you might also consider Jetpack’s additional security tools. It offers:

  • Malware scanning: Get an immediate alert if malware is detected on your site, then troubleshoot the problem and resolve known threats with one click. It’s like having someone watching over your site 24 hours a day.
  • Spam prevention (paid): Automatically remove spam from contact forms and comments. Spam makes you look unprofessional and can send customers to malicious websites.
  • Activity log (free): Keep track of everything that happens on your website, from new pages and products to user logins, including who took each action and when.
  • Downtime monitoring (free): Get an instant notification if your website goes down. Downtime is a common sign of a hack, and a prompt alert lets you get the site back up quickly.
  • Automatic plugin updates (free): Plugins are updated automatically so your site keeps running smoothly and stays protected.

6. Adjust your FTP settings 

FTP (file transfer protocol) is used to transfer files from one device to another. Your hosting provider can create FTP accounts that connect your computer to your website server. If a malicious actor gains access to one of these accounts, they can change anything on your website.

Limiting the permissions on these accounts can reduce or eliminate the potential damage. Make sure that only your FTP account can access these folders:

  • The root directory
  • wp-admin
  • wp-includes
  • wp-content

This section of the WordPress Codex provides more information on how to lock down your FTP. These precautions should also be taken by your host.
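
As an added example (not from the original post, WordPress, or Jetpack), the POSIX shell function below audits the four locations listed above on a Linux server: each must be owned by the expected FTP account and must not be writable by other users. The install path and the account name are assumed arguments.

```shell
#!/bin/sh
# Added example: audit who can modify a WordPress install.
# Usage: wp_perm_audit /path/to/wordpress ftp_account
# Checks the web root, wp-admin, wp-includes and wp-content. Each must be
# owned by the given account and must not carry the "other" write bit,
# otherwise any local user on the server could alter the site.
# Uses GNU stat (-c), as found on typical Linux hosts.
wp_perm_audit() {
  root="${1%/}"
  owner="$2"
  problems=0
  for d in . wp-admin wp-includes wp-content; do
    path="$root/$d"
    if [ ! -d "$path" ]; then
      echo "MISSING: $path"
      problems=$((problems + 1))
      continue
    fi
    actual=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$actual" != "$owner" ]; then
      echo "OWNER: $path is owned by $actual, expected $owner"
      problems=$((problems + 1))
    fi
    # The last octal digit is the permission set for "other"; bit 2 is write.
    if [ $(( mode % 10 & 2 )) -ne 0 ]; then
      echo "WORLD-WRITABLE: $path has mode $mode"
      problems=$((problems + 1))
    fi
  done
  echo "$problems problem(s) found"
  [ "$problems" -eq 0 ]
}
```

The function exits non-zero when anything is wrong, so it can run from cron or a deploy script and fail loudly.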

7. Keep your website updated

It is crucial to keep WordPress, WooCommerce, and all plugins and extensions updated. Updates keep your site secure; ignoring them puts you and your customers at risk.

The simplest approach is to turn on the auto-update feature in WordPress so you don’t have to think about it.

8. Back up your store regularly

A backup is the best and fastest way to restore a site that has been hacked.

We recommend Jetpack Backup as a WordPress backup plugin.

  • Choose daily backups (every 24 hours) or real-time backups that capture every action on your site, such as a purchase or a page update.
  • Don’t worry about losing order information. All of it can be restored from a backup taken five minutes ago or five weeks ago.
  • Restore with one click. There is no complicated, time-consuming restore process: find the date and time you want to restore to and click a button.

Security is a top priority when opening a store.

While it is easy to forget about security during the rush of opening a store, you mustn’t neglect it. It is important to protect your customers’ data from the beginning.

These simple steps will help you create a store that is trustworthy and secure in the unlikely event of an attack.

Do you have any tips for store owners just starting to think about WooCommerce and WordPress security? Leave us a comment.

About the author

Kobe Digital is a unified team of performance marketing, design, and video production experts. Our mastery of these disciplines is what makes us effective. Our ability to integrate them seamlessly is what makes us unique.