A WooCommerce Security Guide for Protecting Your Store and Customers

Posted on March 16, 2016 at 7:25 pm


No Comments

WooCommerce Security Measures

Have you recently started your own online shop using WooCommerce, but you're worried about your WooCommerce security measures?

You're on the right track to protecting your site and your customers, considering many site owners who use WordPress and WooCommerce forget how easy it can be for a hacker to gain access to a website.

These attacks can slow down your website, access private information and even completely crash your store without much warning.

Therefore, we want to outline some of the best WooCommerce Security measures for keeping out the bad guys. Follow the steps below for the best protection, and don't be afraid to spend a little extra money on hosting or security plugins. After all, the costliness of a website hacked is often impossible to recover from.

Step 1: Find a Host With Security Features Specifically for WooCommerce and Ecommerce Stores

The first step to securing any type of WordPress website is going with a hosting company that has what you need to keep out hackers. Since so many hosting providers are selling services online, it may seem a bit intimidating to figure out which one is best for you.

Since you're considering opening a WordPress site with the WooCommerce plugin involved, it's essential to remember that you must find a hosting provider that has a plan dedicated to WooCommerce. Although some hosting accounts provide fast speeds and quality security with plans not particularly dedicated to WooCommerce, it's nice to know that your host has put the extra effort in to give you a plan just for eCommerce.

When completing your research, look for a security page on the website. They'll talk quite a bit about speed, but our main goal today is to ensure the company is not hiding anything when it comes to security.

Therefore, take a look at the website and try to check off the following security areas:

  • Free website restoration if a security problem disables or damages your website.
  • Automated systems that scan your website for holes and bugs that could cause security issues. For example, many hosts offer behind-the-scenes programs that will update your plugins to close security holes.
  • The most up to date server software. The best hosts have state of the art systems that are used on the enterprise level.
  • Tools that constantly monitor and thwart outside attacks.
  • Programs that identify threats, isolate them and prevent them from spreading to other sites on the same server.

bluehost logo 1

Here are some secure WooCommerce hosting suggestions to get you started:

  • Bluehost WordPress +WooCommerce Hosting Plan - Starting at $11.95 per month, Bluehost sets up your WordPress site with WooCommerce already installed. An SSL certificate and dedicate IP are included for securing your eCommerce site, while the Spam Assassin Protection is constantly checking to see if any threats are out there.
  • Siteground WooCommerce Hosting - Along with a one-click WordPress and WooCommerce installation, the folks at Siteground provide auto updates for clearing out plugins and system holes, daily backups in case anything goes wrong, server level protection and account isolation for when one user account is considered a threat. It's also pretty darn affordable with support for lots of traffic.
  • Cloudways WooCommerce Hosting - Most of the copy on this hosting plan page explains how fast your site is going to be, but you'll also gain access to secure and dedicated servers, with regular OS and firmware patches. You also get an SSL certificate with quick implementation.
  • Pagely VPS - Although it's not the cheapest solution, Pagely offers support for quick scaling stores, and the VPS plans have PressArmor security, an integrated CDN, SSLs and even disaster recovery.
  • Kinsta WooCommerce Hosting - Speed is the main focus with this hosting plan from Kinsta, but it also has SSL and SPDY support for security, along with strong security measures, automatic updates and backups.

Step 2: Make a Schedule for WordPress and Plugin Updates (Consider Automating These for the Ultimate WooCommerce Security)

If you choose a host in the initial step that assists with WordPress and plugin updates, you shouldn't really have to think much about this area. In addition, WordPress now offers the ability to automatically update your plugins.

Here's the deal: When you fail to update your WordPress or plugin versions, security holes open up for hackers to make their moves. Not to mention, many updates involve filling bugs and security problems, so you're doing yourself a favor by completing these updates on a regular basis.

If you login to your WooCommerce website and see a banner that prompts you to update your WordPress version, go ahead and do it right away.

What about those plugin updates? You can manually update these, but in our experience most people forget about the plugins because the updates happen so frequently.


We recommend activating the automated plugin updates to ensure that your plugins are secure, particularly WooCommerce.

Step 3: Secure Your FTP Directories

Most eCommerce sites are going to use an FTP account at some point. This is a tool that helps you manage your site files and directories, giving you the ability to move around, edit, remove and add files from a local environment. However, you'll want to ensure that your FTP account is the only one that can make changes to your directories.

The following folders should be completely blocked from other FTP accounts, except yours: wp-content, wp-includes, wp-admin and your root directory.

In short, if attackers obtain control of your FTP, they can upload malicious files that hurt your site, or at the least, slow it down.

Step 4: Use a Security Plugin to Protect Every Aspect of Your Site

Keeping your plugins to a minimum is a solid plan if you'd like to cut out the chances of opening up security holes. However, every WooCommerce website should implement an individual security, backup and restoration plugin. A few options exist, but the main goal is to find a plugin that has automated backups and restores if anything goes wrong. It should also have daily scans to figure out if any suspicious activity if going on with the server or on your website. Finally, the security plugin should provide tools for fighting off spam that you would generally find in your comments. Akismet is a solid plugin as well.

Out of all the security, backup and migration plugins to choose from, these are the best:

What's cool about VaultPress, and some of the other options out there, is that it can restore backups automatically or through a manual process. It even comes in handy if you completely screw something up on your end. For example, if a code or plugin change crashes your site, simply go into VaultPress and restore the most recent backup file. Overall, what you're looking for is real time monitoring, since you're going to be spending most of your time selling items and talking to customers.

Step 5: Stop the Most Common Threats to Your WooCommerce Security: Brute Force Attacks

A brute force attack is when someone tries to figure out your username and password to gain access to your WooCommerce website. It's not that effective if the site has strong credentials, but it's the most common method considering people use bots to run thousands of password and username combinations. In short, it's not just a guy sitting there trying to figure out what your password is.

Therefore, you'll want to stop brute force attacks from happening. As we'll outline below, strong passwords are essential to this, but limiting the amount of times a single person can try to login is a great way to shut down the attackers.

Since it doesn't take a complex plugin to make this happen, implementing a plugin won't hurt your site performance much. Therefore, we recommend going with one of the following plugins:


The process is simple: You configure how many times a user has to login to your website. So, if you chose three attempts, the users would be blocked from your website for a period of time after failing three times.

Since bots are likely to try logging in hundreds or thousands of times, it mitigates the problem pretty darn well.

Step 6: Spend Time Implementing a 2-Factor Authentication System for Every User Account on Your Site

Some hackers are luckier, or more relentless, than others. You may have all the security measures intact, along with some quality passwords, but an attacker with access to, say, your email account, could sift through your messages to locate the information they need to login to your WooCommerce website.

The 2-factor authentication process is fairly simple. It requires a second form of confirmation after you've punched in your password. For example, you could have a message sent to your cell phone asking if you're the one trying to login to your website. After you confirm that the login attempt is by you, the website lets you into the backend.

Although the 2-factor authentication lengthens the time it takes to login to your website, you're better off spending a little more time to protect your livelihood. In addition, you should have this login process setup for every user on your website. If your assistant has a username, make sure they must go through 2-factor authentication.


The Duo Two-Factor Authentication plugin isn't a bad place to start, but WPClef has even higher ratings than that. If you're looking to learn more about 2-factor authentication, check out the WordPress documentation.

Step 7: Generate Super Strong Passwords, and Store Them Properly

The final WooCommerce security measure is to generate passwords that nobody can predict. Once again, this goes for all users who have access to the backend of your website. One of your workers may have access to most of the features in your WordPress site, but if their password is easy to figure out, it could help a hacker get into your website.

Here's the golden rule for making a password: Create a lengthy, random combination of numbers, symbols, lowercase and uppercase letters.

This means you should never have passwords that mean anything to you. Your maiden name, birthday, dog's name, favorite car and kid's baseball team are all out of the question. In addition, you shouldn't make a password that's already used on your other accounts.

Although when you register a new WordPress user it tells you how strong your password is, we recommend going with a third-party app to generate and store your passwords. The benefit is that you get passwords that are insanely hard to crack, and you don't have to remember any of them, since they are automatically populated.


Our favorite password generators and storage systems are as follows:

How's Your WooCommerce Security?

There you have it! Is your WooCommerce website completely secure? If not, go through these steps to ensure that your website and its customers are not going to encounter any problems with hackers or identity thieves. Start with finding a secure host, and end the process by creating and storing incredibly strong passwords that no one can think of.

If you have any questions about the best WooCommerce security measures, drop us a line in the comment section below.

Leave a Reply

Your email address will not be published. Required fields are marked *