10 Steps for a Safe & Secure WooCommerce Checkout Process

When it comes to running a WooCommerce store, a secure checkout process is one of the most critical elements. While every step in the buyer’s journey is important, protecting your data and your customers’ personal details is absolutely essential. Keeping credit card numbers and other sensitive information shielded from hackers or other data breaches should be every store owner’s number one priority.

Here are ten ways to ensure a safe and secure WooCommerce checkout experience:

1. Choose a secure host

Using a secure hosting platform is a simple and straightforward measure you can take to contribute to your site’s safety. A secure host is a shield against malicious activity to keep your site and its visitors safe from cyber attacks using firewalls and anti-virus protection. Some hosts offer eCommerce plans that provide features specific to the needs of online merchants. Look for plans that mention PCI compliance and choose VPS, cloud, or dedicated hosting if possible.

2. Install an SSL certificate

“SSL” is short for Secure Socket Layer. It’s a layer of security protocol between your browser and web server that encrypts communication between the two. Installing an SSL certificate is important because it enables encryption of customer information such as credit card numbers. This makes it very difficult for hackers to intercept sensitive information as it’s being transferred. 

You can tell if a website has a valid SSL certificate as the URL will begin with “https” instead of “http” and the browser bar will show a lock icon in grey or green. These visual indicators tell visitors that the site is secure and the owner’s identity has been verified. Customers value privacy and security, so they’re far more likely to trust and make purchases from SSL-enabled sites. 

SSL certificates are also a major factor if you want to ensure higher search rankings and avoid ‘Not Secure’ warnings from browsers. Google actually favors WooCommerce stores using https  over those that don’t and added it as a ranking signal back in 2014

In an effort to further encourage websites to use secure data transfer protocols, Google Chrome started marking non-SSL enabled sites as “Not Secure” back in 2017. Firefox and Safari quickly followed suit and now, when you visit a website without a security certificate, you’ll be presented with a warning saying that your connection is not private. These can scare off potential customers.

See our post for further reading on this: How to install a Free SSL Certificate.

3. Be PCI-DSS compliant 

PCI-DSS compliance is required by any online merchant who directly handles credit card data. This applies whether you’re a startup or a big company. Also, your compliance must be updated annually as per the Payment Card Industry Data Security Standard

PCI-DSS compliance ensures the security of credit card transactions in the payment industry. Businesses are required to follow certain technical and operational standards like regular testing of security systems and processing, installing and maintaining firewall configurations, encrypting cardholder data, and restricting physical access to cardholder data.

4. Choose a secure payment gateway

A payment gateway is a merchant service used by store owners to securely accept credit or debit card purchases from customers. Not all gateways are the same, so you’ll want to choose the right one for your needs.

Things to consider when selecting a payment gateway:

  • Which currencies you want to accept
  • How much of a transaction fee you’re willing to charge (or absorb the cost of)
  • How fast you need the money from the transaction to hit your bank account
  • Which payment methods you’d like to offer
  • Which payment methods are accepted in the countries you sell to
  • How it encrypts sensitive information in order to avoid payment processing fraud

Finally, you’ll want to choose between a hosted or integrated payment gateway. A hosted gateway is managed by a third party, so the customer will leave your site to make their purchase. The nice thing about hosted gateways is that you aren’t responsible for PCI compliance and integration is fairly straightforward.

The downside, however, is that customers don’t always trust them, so they have the potential to lower your conversion rates. Nevertheless, they can still be a sound option as some visitors are more comfortable using a hosted gateway they’re familiar with (like PayPal). 

WooCommerce Payments dashboardd

An integrated payment gateway like WooCommerce Payments, on the other hand, doesn’t redirect to a third party at checkout. It provides a seamless user experience, is very safe, gives you greater control over the transaction process, and inspires customer trust. 

The biggest drawback is that you’ll store tokenized credit card data and other sensitive customer information on your server, so you’ll be responsible for PCI compliance. Integration can also be slightly more hands-on.

The type of payment gateway you choose is ultimately up to you and what your business’s needs are. Do some research, and make sure whatever you opt for has a reputation for being secure. 

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site. Get up to 50% off your first year.

Explore plans

5. Prevent brute force attacks

Brute force attacks are the most common form of hacking. They happen when hackers use botnets to try different combinations of usernames and passwords until they get into your site. These attacks not only slow down your store, they can permit unauthorized access so that hackers can modify code, add spammy links or comments, and put your content and customer data at risk.

To prevent this, use strong passwords that are hard to guess. Try a mix of numbers, letters, and characters. Also, don’t use your name or birthday. Automatic password generators and password management software can help with this. 

Finally, opt for a brute force protection plugin to block unwanted login attempts from botnets. Jetpack brute force attack protection uses state-of-the-art technology to block malicious login attempts from thousands of known bots. Best of all, it’s free for all Jetpack users.  

6. Identify and remove malware

Malware is any type of hostile or intrusive software designed to infiltrate your site. It costs eCommerce businesses millions in lost revenue every year. Each type of malware has a different agenda — website defacement, malicious redirects, and theft of customer data. 

Jetpack Scan running on a site

Malware is bad news for any site owner, but it can be a downright nightmare for an eCommerce merchant. Using a best in class security plugin like Jetpack Security will help keep hackers from gaining access to your site to inject malware in the first place. Additional tools like Jetpack Scan alert you to identify and remove malware present on your site, identify affected files, and fix the majority of issues with a single click. 

7. Know everything that happens on your site

Having a list of what’s going on behind the scenes on your eCommerce site minimizes the guesswork involved in site management, debugging, and repair. 

Jetpack’s Activity log for WordPress lets you see right away if someone has made changes to a page on your site. And, in the event of a security breach, it helps you determine when someone gained access to your site and what damage they did. This way, you can stop any further harm before it happens.  

activity log showing what happened on a WordPress site

The free version of the activity log gives users access to the 20 most recent site events, while paid Jetpack Security plans provide up to a one-year archive of events. 

8. Install an anti-spam plugin 

No one likes a spammer, and spam can destroy your site’s reputation if you’re not careful. Too much of it can even result in Google removing you from its search results entirely. It can also bog down your database, slowing down your site. 

Using a plugin like Jetpack Anti-spam lets you beat spam by automatically blocking it from comments and contact forms. It’s powered by Akismet, the world’s leading spam prevention service, so you know it’s trustworthy and effective. 

9. Prevent fraudulent orders

Fraudulent orders are an unfortunate, sometimes unavoidable, part of running an online store. But, there are quite a few ways to stop them. 

Here are some of the most effective methods to avoid fraudulent orders:

  • Add a CAPTCHA. CAPTCHA is an acronym for Completely Automated Public Testing, and it’s used to determine whether visitors are humans or sneaky bots. Setting up a CAPTCHA is easy to do with reCaptcha for WooCommerce
  • Use WooCommerce Anti-Fraud. This plugin is designed to help you identify fraudulent transactions and catch them while they’re happening. The tool uses advanced rules to scan and provide a score for each transaction. You can use these to automatically identify and block fraudulent orders and get notifications based on an order’s risk assessment.  
  • Limit purchase quantities. One common form of fraud is purchasing large volumes of products from websites that don’t have quantity limits. Criminals do this to quickly extract as much value as possible from a stolen card before it’s discovered. The WooCommerce Min/Max Quantities extension lets you set limits for individual products as well as entire orders.
  • Require an account for customers to place their orders (if necessary). Requiring an account helps prevent fraudulent orders, but the extra steps can also dissuade legitimate customers from making a purchase.
  • Verify customers and customer details before you ship the item. If you suspect fraud, follow up with the customer first to ensure they’re a real and legitimate buyer. This is always a good idea if something looks fishy, even if you’ve taken all of the other necessary precautions. 

10. Keep WordPress, themes, and plugins updated

Security experts around the world are always studying WordPress code and reporting bugs and fixes 24/7. When a security vulnerability is reported, WordPress, theme, and plugin developers release an update to fix it. So, make sure you keep everything up-to-date.

Keeping your WooCommerce checkout experience safe and secure does require a fair bit of due diligence and work on the backend, but the peace of mind it saves can’t be bought. Plus, you have easy-to-use, affordable WordPress security tools at your fingertips to make the whole process smoother! 

This entry was posted in Security. Bookmark the permalink.

Rob Pugh profile
Rob Pugh

Rob is the Marketing Lead for Jetpack. He has worked in marketing and product development for more than 15 years, primarily at Automattic, Mailchimp, and UPS. Since studying marketing at Penn State and Johns Hopkins University, he’s focused on delivering products that delight people and solve real problems.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site. Get up to 50% off your first year.

Explore plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112.6K other subscribers
  • Browse by Topic

  • %d