The Complete WooCommerce Security Checklist (2023 Guide)

Security is a top concern for any eCommerce store. After all, you don’t just need to keep your content safe, you also need to protect customer information and order data.

So if you’re considering starting an online shop, or if it already makes up part of your income, then it’s time to ensure that you’ve fully secured your business.

Why online stores require greater security

When you’re selling online, you’re dealing with a lot of sensitive information: personal names, credit card numbers, addresses, and more. An active shop collects new information all the time, so you have an ever-growing set of data that you’re responsible for.

Making sure your site has top-notch security will enable you to:

  • Protect your clients’ personal information from hackers and attackers, allowing customers to shop with confidence;
  • Protect your income stream from interruptions and lost sales;
  • Preserve all minute-to-minute sales data for tax and legal purposes;
  • Maintain your brand and reputation as a business that can be trusted; and
  • Avoid costs related to rebuilding your business after a hack, like lost sales due to downtime, refunds caused by unfulfilled orders, and website repair costs.

How to identify a hack

A hack can take many forms, and you might not even realize your site has been compromised right away. 

To identify a hack, look for: 

  • New admin accounts that you didn’t create.
  • Spam links to malware in comments, product descriptions, or reviews.
  • Unusual alert boxes or links that redirect to third-party sites.
  • Alerts from Google that your store has been flagged.
  • Odd, unexpected, or missing customer emails.
  • Very slow load times or timeout errors.

But most business owners are too busy working on inventory, marketing, or order fulfilment to be constantly monitoring for problems or hacks. That’s why the first thing you should add is downtime monitoring, which automatically checks that your site is up and running and alerts you if it’s not. This allows you to take action immediately to repair and restore your online shop. 

You can also benefit from Jetpack Scan, which is a top malware scanning plugin that automatically checks your store for hacks so you don’t have to worry! You’ll get an alert if it finds anything wrong and you can even fix the majority of known threats with just one click. 

Jetpack Scan dashboard showing current malware scan progress

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site. Get up to 70% off your first year.

Explore plans

WooCommerce Security: 15 step checklist to secure your store

It’s always best to stop hacks before they happen. If you can answer “yes” to the following questions, then you’re off to an excellent start! 

1. Are you hosting with a secure, reputable provider?

Your host is the first line of defense against attacks. If they don’t have proper security measures in place, your files and database could be vulnerable, even if you do everything else right. 

When choosing a host, look for one with:

  • A built-in firewall. A firewall controls who can access your server and who can’t, keeping hackers and bots away from your website files. 
  • Security scans. Many hosts regularly scan all of the sites on their server and will let you know if they notice anything suspicious, like malware. Some providers even fix those problems for you, often for an additional fee.
  • Backups. While you also want to make your own backups (more on that later), it’s a good idea to have multiple copies of your site. Many hosting companies include backups in their plans, while others offer them as a paid upgrade.
  • An excellent support team. If you do encounter an issue, you want experts available to help you figure out the next steps. Ensure that your host has a great support team that can be reached through the most convenient method for you (live chat, phone, etc.).
  • A good reputation. Check reviews from real customers and find out about their experiences. This is the most accurate way to learn about a hosting provider. 

Not sure where to start? WooCommerce put together a list of recommended hosting companies that have all been thoroughly vetted.

2. Do you have an SSL certificate?

An SSL (Secure Sockets Layer) certificate encrypts the information sent from your customers to your website and authenticates the identity of your site. This serves as critical protection for information like credit card data and addresses. Google also considers it when determining search engine rankings.

Most hosts offer SSL certificates for free, though some charge a relatively minimal fee.

3. Are you using secure, safe versions of themes and plugins?

Nulled plugins and themes are pirated versions of premium plugins and themes and are offered for free or for a low price. Not only are they not supported, they’re also not updated, so they can conflict with WordPress or other plugins. And, more concerningly, they’re typically full of malware that can compromise your site and customer data.

Always download plugins and themes from trusted sources, like the WordPress repository or WooCommerce marketplace.

Featured extension collections in the WooCommerce Marketplace

4. Is everything updated on your WordPress site?

WordPress, theme, and plugin updates don’t always just include new features; they often fix bugs and vulnerabilities that hackers can take advantage of. Always perform updates when they’re available to keep your WordPress site secure and avoid conflicts. 

Don’t want to keep track of updates? Jetpack has an option to automate this process.

5. Are you using the latest version of PHP?

The bulk of WordPress core is written in PHP, a programming language. You should update the version of PHP that your site uses for the same reason you should update themes and plugins: to protect against bugs and vulnerabilities. 

You can update your version of PHP in your host settings, or ask your hosting provider to take care of this for you. View the latest WordPress requirements.

6. Have you reviewed your user permissions?

Each WordPress user is assigned a user role, which includes a set of capabilities that allow them to perform certain tasks on your website. Administrators have full access to everything and can make any changes they’d like; as shop owner, this should be your role. Customers, however, have no access to the backend of your site, but can edit their own account information and view current and previous orders. See our guide to WordPress user roles.

From time to time, review and clean up your user accounts. Each user should have only the minimum necessary permissions to do their job and, if you’re not working with someone anymore, make sure to remove their account. For example, if you worked with a web development agency to build your site and the project is complete, you probably want to delete their account unless consistent updates will be necessary in the future. 
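One way to make this review repeatable, shown as an added example that is not part of the original guide: export the administrator list with WP-CLI and compare it against the accounts you expect. The sample rows, account names, and the approved list are constructed for illustration; the input is assumed to be CSV from `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv`.

```shell
# Constructed sample of the WP-CLI CSV output (not real accounts).
sample_admins() {
  cat <<'EOF'
user_login,user_email,user_registered
shop_owner,owner@example.com,2021-03-02 09:14:55
agency_dev,dev@agency.example,2022-06-18 16:40:02
wp_support1,x9@mailbox.example,2023-08-30 03:12:47
EOF
}

# unexpected_admins "<space-separated approved logins>" < csv
# Prints login, email and registration time (tab-separated) for every
# administrator that is NOT on the approved list.
# Assumes no field contains a comma (true for logins, emails, timestamps).
unexpected_admins() {
  awk -F',' -v approved="$1" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                 # skip the CSV header
    NF < 3  { next }                 # skip blank or malformed rows
    !($1 in ok) { printf "%s\t%s\t%s\n", $1, $2, $3 }
  '
}

# registered_since "<YYYY-MM-DD>" < csv
# Prints logins of administrators created on or after the given date.
# Plain string comparison works because the dates are zero-padded and
# ordered year-month-day.
registered_since() {
  awk -F',' -v since="$1" \
    'NR > 1 && NF >= 3 && substr($3, 1, 10) >= since { print $1 }'
}

# Demo on the constructed data: the agency project is finished, so only
# the shop owner is approved. Both other accounts are reported for review.
sample_admins | unexpected_admins "shop_owner"

# Admin accounts created since the last review date (constructed date).
sample_admins | registered_since "2023-01-01"
```

On a live site, replace `sample_admins` with the WP-CLI command above and keep the approved list somewhere other than the web server.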

7. Are you using a secure username and password?

Hackers often use bots to try thousands of different username and password combinations until they find the right one (this is called a brute force attack). The easier your password is to guess, the more likely it is that a hacker can access your store.

A good password has an uppercase letter, lowercase letter, number, and symbol, and is at least 20 characters long. Make sure that, at a minimum, every admin user is implementing this type of password.

When it comes to usernames, avoid common titles like “Administrator” or “Admin.” Instead, create a specific username for each person.

8. Have you considered changing your login URL?

By default, every WordPress login page can be accessed by adding /wp-admin to your site’s URL. If you want to put extra security measures in place, you can change this URL so that it’s more difficult for attackers to guess. You can do this by editing your .htaccess file or, if you’re not comfortable changing code, by using a plugin like WP Hide Login.

9. Have you enabled two‑factor authentication for administrators?

Two-factor authentication adds an additional layer of security to your login page. To log in, you not only have to know something (a username and password), you also have to physically possess something (your mobile device). This makes it significantly less likely that a hacker can get into your store.

Jetpack makes two-factor authentication easy. When you log into your site, you’ll receive a special, one-time code on your phone, which you’ll have to enter to complete the login process. You can even require all users to set this up. Learn more about two-factor authentication.

10. Are you blocking brute force attacks?

As we discussed earlier, brute force attacks happen when hackers use bots to test combinations of usernames and passwords over and over again until they find the right one. Not only does this put your store and customer data at risk, it can also slow down your website. That’s why it’s important to block brute force attacks efficiently.

module showing the total number of malicious attacks blocked on a site

But Jetpack automatically blocks these attacks before they reach your site, so you don’t have to worry.

11. Are you blocking bad actors from visiting your site with a web application firewall (WAF)?

A web application firewall (WAF) is strongly recommended as the first line of defense for online stores. WAFs analyze all incoming traffic and decide whether to allow or block traffic based on various rules. This adds an important layer of protection to your site, particularly when attackers actively exploit unpatched vulnerabilities.

A good WordPress WAF should be updated regularly with new rules by WordPress security experts as exploits and vulnerabilities become known. Jetpack’s firewall, which is included with Jetpack Scan and the Jetpack Security & Complete bundles, protects your site around the clock and is continually updated by the best WordPress security experts in the business.

12. Are you scanning your site for malware?

What if someone does access your site and injects malware? You’d want to know right away so you can remove that malware and fix the issue as quickly as possible. But hackers are sneaky — it’s not always immediately obvious that they’ve gotten in.

Jetpack Scan alerts you to any suspicious activity right away and, since scanning takes place on Jetpack’s servers, you can access your site even if it goes down. It also offers one-click fixes for the majority of known threats.

13. Do you have a spam filter set up?

Spam comments aren’t just annoying; they also make you look unprofessional and can contain links that direct your customers to malware-filled sites. But sorting through hundreds of comments a week is time-consuming and frustrating.

graph showing blocked spam on a WordPress site

That’s where Jetpack Anti-spam comes in! It automatically gets rid of spam from comments and forms, so you never even have to see it. You’ll save time, protect your site, and provide a better user experience all at once.

14. Are you monitoring your site for downtime?

If your site goes down, it could be an indication of a hack. And, the longer it’s down, the more sales you lose. You want to get it back up and running again as soon as possible!

Jetpack offers free downtime monitoring that checks your site from locations around the world every five minutes. If your site’s down, you’ll receive an instant notification so you can fix the issue right away.

15. Do you have regular, off‑site backups set up?

If something happens to your site, the best protection you can have is a full backup that you can restore quickly and easily. Even if your host offers backups, it’s important that you also make your own. Why? Because if your server is compromised, any backups stored there may also be compromised.

backup in progress on a WooCommerce store

Jetpack Backup is the ideal solution for your WooCommerce store as all plans include real-time backups:

  • Real-time backups, which save a copy of your site every time you update a page, publish a new post, or make a sale. These are particularly useful for online stores, because you never have to worry about losing order information.

Jetpack stores backup files in multiple locations, completely separate from your site. This means that if your server is compromised, your backups won’t be. And in most cases, you can even restore a backup if your site is completely down! 

How to recover in a worst‑case scenario

If your online store has malware and you have Jetpack Security, you’ll receive a notification so you can take care of the issue immediately. Your first step should be to check your activity log, where you can see a full list of everything that occurred on your site. You can use this information to determine when the hack happened by checking for suspicious activity like unfamiliar logins and edited pages. 

activity log showing everything that happened on a WordPress site

Then, the fastest way to recover is with Jetpack Backup. In just a few clicks, your site can be up and running again with minimal downtime. All you have to do is select a backup from before the hack and wait for it to restore. Yep, that’s it!

Once a clean version of your store is up and running, use Jetpack Scan to ensure there’s no remaining malware on your site. Jetpack solves the majority of known threats for you, so if anything’s found, you most likely won’t need to worry about troubleshooting.

Finally, take the time to secure your site by changing all passwords and checking that your themes, plugins, and core files are up to date.

Need any help? Jetpack Security includes priority support from an experienced technical team that can point you in the right direction.

Keep your WooCommerce store secure

Taking the time to fully secure your WooCommerce store will ensure that your customers can shop with confidence and that you won’t need to worry about your data or reputation. 

And one of the best ways to do that is by combining Jetpack Security and WooCommerce — it just makes sense! They’re two established, respected WordPress plugins that work in sync to protect your website and add features. Together, they mean fewer moving parts, fewer external plugins, and greater peace of mind for you as a business owner. 

Frequently asked questions

Can a WooCommerce website be hacked?

Yes, like any site, a WooCommerce store can be hacked. However, WordPress and WooCommerce include features that will help protect your content and customer data. And, when you put a few basic security measures in place — like choosing a good host, keeping things updated, and installing the best security plugin — you can rest easy, knowing your site’s in good hands.

Do you need SSL for a WooCommerce website?

An SSL certificate encrypts the information (like credit card data and addresses) that’s submitted on your site, keeping it safe from bad parties. If that information is accessed by a hacker, it could put your business at legal risk and damage your reputation. And, not only does an SSL certificate protect you and your customers, it’s also important for your search engine rankings.

While an SSL certificate is recommended for any website, it’s even more important for online stores because of the type of data they collect to process transactions. 

Which SSL certificate is the best for WooCommerce websites?

Most major hosting providers include a free SSL certificate in their plans, while others make them available for an additional fee. Typically, these are easy to install in just a few clicks. 

However, if your host doesn’t offer this, we recommend Let’s Encrypt. It’s a trusted service, offering free SSL certificates to support a more secure web. Note: many of the SSL certificates included in hosting plans come from Let’s Encrypt.

Learn more about installing an SSL certificate on your WooCommerce store.

How do I force HTTPS on a WooCommerce website?

When you successfully add an SSL certificate to your store, it changes your URL from “http://” to “https://”. The “s” in “https” stands for SSL.

When you force HTTPS on your store, a visitor who types in the “http” version of your site will automatically be redirected to the “https” version. This ensures that everything is encrypted properly for every single shopper. 

You can either force HTTPS by adding a few lines of code to your .htaccess file or by using a WordPress plugin. Kinsta provides a great guide to doing this.
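After forcing HTTPS, it is worth confirming what the “http” version of the store actually returns. The check below is an added example, not part of the original guide: it classifies the response headers printed by `curl -sI http://your-store/`. The sample responses and the `shop.example` host are constructed for illustration.

```shell
# Constructed sample responses (not captured from a real site), in the
# form printed by: curl -sI http://shop.example/
resp_forced() { printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\nLocation: https://shop.example/\r\n\r\n'; }
resp_temp()   { printf 'HTTP/1.1 302 Found\r\nLocation: https://shop.example/\r\n\r\n'; }
resp_plain()  { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }
resp_http()   { printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: http://www.shop.example/\r\n\r\n'; }

# classify_redirect < headers
# Prints one of:
#   permanent-https  301/308 to an https:// URL (HTTPS is forced)
#   temporary-https  other 3xx to an https:// URL (works, but browsers
#                    will not cache the redirect)
#   not-https        redirects, but the target is not an https:// URL
#   no-redirect      the page is served over plain http
classify_redirect() {
  awk '
    { sub(/\r$/, "") }                        # header lines end in CRLF
    NR == 1 { status = $2 + 0; next }         # e.g. "HTTP/1.1 301 ..."
    tolower($1) == "location:" { loc = tolower($2) }
    END {
      if (status < 300 || status > 399 || loc == "") { print "no-redirect"; exit }
      if (index(loc, "https://") != 1)               { print "not-https";   exit }
      if (status == 301 || status == 308)            { print "permanent-https" }
      else                                           { print "temporary-https" }
    }
  '
}

# Demo on the constructed responses.
for r in resp_forced resp_temp resp_plain resp_http; do
  printf '%s: %s\n' "$r" "$($r | classify_redirect)"
done
```

Anything other than `permanent-https` means some shoppers can still load pages, or be sent to pages, over an unencrypted connection.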

Is WooCommerce safer than Shopify?

Shopify is a hosted platform that handles security for you. While this has its benefits — you don’t have to worry about implementing security measures — it also means that you have virtually no control over your own protection.

And it also doesn’t mean that Shopify is more secure. Hackers and bots don’t discriminate, after all. They just try site after site until they find one that they can get into. So if you put proper security measures in place, your store will be just as secure as, and in many cases more secure than, others on any platform.

It’s also important to note that both WordPress and WooCommerce are backed by a team that’s passionate about helping you succeed. They constantly work to keep the platform secure, which is why regularly updating your software is so important.

This guide from WooCommerce provides more details about how it compares to Shopify.

Rob Pugh

Rob is the Marketing Lead for Jetpack. He has worked in marketing and product development for more than 15 years, primarily at Automattic, Mailchimp, and UPS. Since studying marketing at Penn State and Johns Hopkins University, he’s focused on delivering products that delight people and solve real problems.
