The Complete WooCommerce Security Checklist

As a WooCommerce store owner, you know the importance of security. You want to protect your valuable customer data, and if your site is hacked, you risk losing sales and damaging your hard-earned reputation.

But where do you start? And how do you know if your site is protected?

We’ve put together a WooCommerce security checklist that acts as a guide to securing your website. If you can answer “yes” to the following questions, then you’re off to an excellent start! 

Are you hosting with a secure, reputable provider?

Your hosting provider is the first line of defense against attacks. If they don’t have proper security measures in place, your files and database could be vulnerable, even if you do everything else right. When choosing a host, look for one with:

  • A built-in firewall. A firewall controls who can access your server and who can’t, keeping hackers and bots away from your website files. 
  • Security scans. Many hosts regularly scan all of the sites on their server and will let you know if they notice anything suspicious, like malware. Some providers even fix those problems for you, often for an additional fee.
  • Backups. While you also want to make your own backups (more on that later), it’s a good idea to have multiple copies of your site. Many hosting companies include backups in their plans, while others offer them as a paid upgrade.
  • An excellent support team. If you do encounter an issue, you want experts available to help you figure out the next steps. Ensure that your host has a great support team that can be reached through the most convenient method for you (live chat, phone, etc.).
  • A good reputation. Check reviews from real customers and find out about their experiences. This is the most accurate way to learn about a hosting provider. 

Not sure where to start? WooCommerce put together a list of recommended hosting companies that have all been thoroughly vetted.

Do you have an SSL certificate?

An SSL (Secure Sockets Layer, today implemented as TLS) certificate encrypts the information exchanged between your customers' browsers and your website and authenticates the identity of your site. This serves as critical protection for information like credit card data and addresses. Google also considers it when determining search engine rankings.

Most hosts offer SSL certificates for free, though some charge a relatively minimal fee.

Are you using secure, safe versions of themes and plugins?

Nulled plugins and themes are pirated versions of premium plugins and themes that are offered for free or for a low price. Not only are they not supported, they’re also not updated, so they can conflict with WordPress or other plugins. And, more concerningly, they’re typically full of malware that can compromise your site and customer data.

Always download plugins and themes from trusted sources, like the WordPress repository or the WooCommerce marketplace.

Is everything updated on your site?

WordPress, theme, and plugin updates don’t always include new features; they often fix bugs and vulnerabilities that hackers can take advantage of. Always perform updates when they’re available to keep your site secure and avoid conflicts. 

Don’t want to keep track of updates? WordPress has an option to automate this process.

Are you using the latest version of PHP?

The bulk of WordPress core is written in PHP, a programming language. You should update the version of PHP that your site uses for the same reason you should update themes and plugins: to protect against bugs and vulnerabilities. 

You can update your version of PHP in your host settings, or ask your hosting provider to take care of this for you. View the latest WordPress requirements.

Have you reviewed your user permissions?

Each WordPress user is assigned a role, which includes a set of capabilities that allow them to perform certain tasks on your website. Administrators have full access to everything and can make any number of changes; as the shop owner, this should be your role. Customers, however, have no access to the backend of your site, but can edit their own account information and view current and previous orders. See a full list of user roles and permissions.

From time to time, review and clean up your user accounts. Each user should have only the minimum necessary permissions to do their job and, if you’re not working with someone anymore, make sure to remove their account. For example, if you worked with a web development agency to build your site and the project is complete, you probably want to delete their account. 

Are you using a secure username and password?

Hackers often use bots to try thousands of different username and password combinations until they find the right one (this is called a brute force attack). The easier your password is to guess, the more likely it is that a hacker can access your store.

A good password has an uppercase letter, lowercase letter, number, and symbol, and is at least 20 characters long. Make sure that, at a minimum, every admin user is implementing this type of password.

When it comes to usernames, avoid common titles like “Administrator” or “Admin.” Instead, create a specific username for each person.
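The password policy above can be enforced for Administrator accounts instead of relying on each person to follow it. The following is an added example, not code from the original post or from Jetpack; the function names and the mu-plugin file path are this example's own choices, while the two hooks it uses are standard WordPress actions.

```php
<?php
// Added example: enforce the checklist's admin password policy
// (20+ characters, uppercase, lowercase, number, symbol).
// Save as wp-content/mu-plugins/admin-password-policy.php (assumed path).

function apc_password_meets_policy( string $password ): bool {
    return strlen( $password ) >= 20
        && preg_match( '/[A-Z]/', $password )
        && preg_match( '/[a-z]/', $password )
        && preg_match( '/[0-9]/', $password )
        && preg_match( '/[^A-Za-z0-9]/', $password );
}

function apc_user_is_admin( $user ): bool {
    // A role submitted on the add/edit user form takes precedence (new users
    // have no ID yet); otherwise check the stored capabilities of the account.
    if ( isset( $user->role ) && 'administrator' === $user->role ) {
        return true;
    }
    return ! empty( $user->ID ) && user_can( (int) $user->ID, 'manage_options' );
}

const APC_POLICY_MESSAGE = 'Administrator passwords must be at least 20 characters '
    . 'and include an uppercase letter, a lowercase letter, a number, and a symbol.';

// Fires when a user is created or edited in wp-admin; $user->user_pass is only
// set when a new password was entered on the form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) || ! apc_user_is_admin( $user ) ) {
        return;
    }
    if ( ! apc_password_meets_policy( (string) $user->user_pass ) ) {
        $errors->add( 'weak_admin_password', APC_POLICY_MESSAGE );
    }
}, 10, 3 );

// Fires on the "reset password" form (wp-login.php?action=rp); $user is the
// WP_User whose password is being reset and the new password arrives as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password || ! user_can( $user, 'manage_options' ) ) {
        return;
    }
    if ( ! apc_password_meets_policy( $password ) ) {
        $errors->add( 'weak_admin_password', APC_POLICY_MESSAGE );
    }
}, 10, 2 );
```

Because the file lives in mu-plugins it cannot be deactivated from the dashboard, so the rule still applies if an administrator account is misused.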

Have you considered changing your login URL?

By default, every WordPress site's login page can be reached at your domain followed by /wp-admin (which redirects to /wp-login.php). If you want to put extra security measures in place, you might want to change the URL to make it harder for attackers to guess. You can do this by editing your .htaccess file or, if you're not comfortable changing code, by using a plugin like WP Hide Login.

Have you enabled two-factor authentication for administrators?

Two-factor authentication adds an additional layer of security to your login page. To log in, you not only have to know something (a username and password), you also have to physically possess something (your mobile device). This makes it significantly less likely that a hacker can get into your store.

Jetpack makes two-factor authentication easy. When you log into your site, you’ll receive a special, one-time code on your phone, which you’ll have to enter to complete the login process. You can even require all users to set this up. Learn more about two-factor authentication.

Are you blocking brute force attacks?

As we discussed earlier, brute force attacks happen when hackers use bots to test combinations of usernames and passwords over and over again until they find the right one. Not only does this put your store and customer data at risk, it can also slow down your website.

But Jetpack automatically blocks these attacks before they reach your site, so you don’t have to worry.

Are you scanning your site for malware?

What if someone does access your site and injects malware? You'd want to know right away, so you can remove that malware and fix the issue as quickly as possible. But hackers are sneaky — it's not always immediately obvious that they've gotten in.

Jetpack Scan alerts you to any suspicious activity right away and, since scanning takes place on Jetpack's servers, you can access your site even if it goes down. It also offers one-click fixes for the majority of known threats.

Do you have a spam filter set up?

Spam comments aren’t just annoying; they also make you look unprofessional and can contain links that direct your customers to malware-filled sites. But sorting through hundreds of comments a week is time-consuming and frustrating.

That’s where Jetpack Anti-spam comes in! It automatically gets rid of spam from comments and forms, so you never even have to see it. You’ll save time, protect your site, and provide a better user experience all at once.

Are you monitoring your site for downtime?

If your site goes down, it could be an indication of a hack, and the longer it's down, the more sales you lose. Of course, you want to get it back up and running again as soon as possible!

Jetpack offers free downtime monitoring that checks your site from locations around the world every five minutes. If your site’s down, you’ll receive an instant notification so you can fix the issue right away.

Do you have regular, off-site backups set up?

If something happens to your site, the best protection you can have is a full backup that you can restore quickly and easily. Even if your host offers backups, it’s important that you also make your own. Why? Because if your server is compromised, any backups that are stored there may also be compromised.

Jetpack Backup is an excellent solution. There are two plan options:

  • Daily backups, which save a copy of your site once a day.
  • Real-time backups, which save a copy of your site every time you update a page, publish a new post, or make a sale. These are particularly useful for online stores, because you never have to worry about losing order information.

Jetpack stores backup files in multiple locations, completely separate from your site. This means that if your server is compromised, your backup won't be. And in most cases, you can even restore a backup if your site is completely down! Learn more about why you should trust your site to Jetpack Backup.

Start protecting your store

Good security is absolutely essential for an online store. It makes your customers happy, protects their personal information, and enables them to trust you for years to come. 

Get started with Jetpack Security.
