How to secure a WooCommerce shop?
If you’ve launched your own WooCommerce e-shop, congratulations! The benefits this platform provides will help you build your business. Yet there are certain issues that shouldn’t be overlooked. One of the main factors in e-commerce is security. Many people neglect it by creating very simple passwords, saving on website security measures and putting off important decisions.
Certainly, WordPress and WooCommerce have built-in security tools, but if you have opened or plan to open your online shop, you should know several ground rules that help you protect your clients, employees and all data in the event of a hacking attack. Most security measures are taken in advance, so it’s better to secure yourself from the start than to lose more money later.
We will give you seven simple steps every new seller should take in terms of security.
Choose the best hosting
Not everything in terms of security depends on you. That’s why the first thing you should do is choose a reliable and reputable hosting provider that treats security as one of its top goals. Placing your website on the first available hosting is a bad idea.
Ideally, you should find a provider that pays special attention to website security. Here are the main features a good web host should provide:
- Attack control and prevention.
- Proactive reviews, as well as patching of security threats.
- Servers running new software, including the latest PHP versions.
- Isolation and elimination of infections. This helps to keep viruses from spreading to other websites located on the same server.
A good web hosting company should have a page dedicated to security, where you can find all the information you need. If you have to contact support to find out the details, it’s better to choose another option.
Create secure passwords
After choosing your hosting, you need to take the security measures that are in your own hands. Think up and set strong passwords for all of the accounts related to your shop.
Here are several suggestions:
- Use a password that is different from the passwords for any other accounts.
- Use lowercase and capital letters, as well as symbols and digits.
- Don’t use real words or the dates of weddings, birthdays and other events that could be found out.
- Make your password as long as you can. The longer your password is, the harder it is to crack.
But how do you know if your password is secure? Since WooCommerce 2.5, a built-in password strength indicator is shown when a new account is created.
You may create a password using an integrated password generator. For instance, Google Chrome features a password generator that may be turned on manually in settings.
You may also use a password manager, such as LastPass, so that you won’t forget any passwords. It will help you to safely store and use your passwords.
Turn on two-factor authentication for all of your accounts
No matter how strong your password is, you should still have additional protection. Two-factor authentication, or 2FA for short, provides additional protection against undesired intrusions. It usually means confirming a sign-in with a smartphone. After entering the password for your account, you will receive an SMS with a code that you should enter in the field. Ideally, you should switch this feature on for all of your accounts.
If an intruder gains access to your e-mail, they may find all the usernames and passwords not only for your online shop, but also for other websites. With 2FA they can’t log in, even if they have cracked a password.
Of course, this second step makes the login procedure longer, but believe us, it’s better to spend more time and feel safe than to be worried all the time and lose both valuable data and resources in the end.
As for a 2FA application, you may use the free Google Authenticator app, available for iOS and Android. Besides the username and password, you enter a code generated by the app.
Limit the number of brute-force login attempts using Jetpack Protect
Even if you use the most intricate passwords and two-factor authentication, you won’t always be protected against those who try to break into your shop by brute force.
The Jetpack Protect security feature will help you by limiting the number of unsuccessful login attempts to the admin panel of your shop. It blocks the IP address that was used for these attempts. In this way harmful login attempts are eliminated. You may also see the statistics in the admin panel.
You may set one or more trusted IP addresses to avoid annoyances in case you have forgotten or mistyped your password. The Jetpack plug-in is free, and you may turn its features, such as Jetpack Protect, on or off at will.
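The limiting logic described above, as an added Python example (not Jetpack’s code and not from the original article): failed logins are counted per IP address in a sliding window, the address is blocked once a threshold is reached, and trusted addresses are exempt. The thresholds, the class name and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class LoginLimiter:
    """Block an IP after `max_failures` failed logins within `window` seconds."""

    def __init__(self, max_failures=5, window=300, block_for=3600, allowlist=()):
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block expires

    def is_allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record(self, ip, now, success):
        """Process one login attempt and return 'allow', 'fail' or 'blocked'."""
        if self.is_allowlisted(ip):
            return "allow" if success else "fail"   # trusted IPs are never blocked
        if self.is_blocked(ip, now):
            return "blocked"                        # refused even with the right password
        if success:
            self.failures.pop(ip, None)
            return "allow"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            del self.failures[ip]
            return "blocked"
        return "fail"

# Constructed sample events: (unix time, source IP, login succeeded?)
SAMPLE_EVENTS = (
    [(1000 + i * 10, "203.0.113.7", False) for i in range(5)]       # rapid guessing
    + [(1060, "203.0.113.7", True)]                                  # correct guess, IP already blocked
    + [(1000 + i * 10, "198.51.100.20", False) for i in range(8)]   # owner mistyping from a trusted IP
    + [(1000 + i * 400, "192.0.2.55", False) for i in range(5)]     # failures spread beyond the window
)

def replay(events, **options):
    limiter = LoginLimiter(**options)
    return [(ip, limiter.record(ip, ts, ok)) for ts, ip, ok in sorted(events)], limiter
```

Replaying the sample with `allowlist=["198.51.100.20/32"]` blocks only 203.0.113.7; without the allowlist the mistyping owner at 198.51.100.20 is locked out as well, which is the annoyance the trusted-address setting avoids.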
Use VaultPress to improve security
In addition to password and hosting security, you need active protection against potential attacks, especially the ones that are aimed at harming your shop.
VaultPress is software custom-designed for WordPress-based websites and shops. It provides multi-level support and security. Below is a list of the main VaultPress features.
- Automatic backup and restore.
- Daily security checks to make sure there is no suspicious code on your server and that your data is not damaged.
- Spam protection in comments and reviews with Akismet.
VaultPress protects your shop against a range of threats, from harmful code to spam comments. WooCommerce shop owners may use a trial version of VaultPress for one month.
Check and change FTP settings
There is another security measure that can be taken within minutes: restricting access to vulnerable FTP directories.
Unprotected shared-hosting environments or cracked passwords can expose your website’s FTP access. If intruders have FTP access, they may upload malicious files directly to the WordPress directory. We suggest that you limit write access to these directories to minimize or completely remove the chance of damage.
Make sure that only your FTP account has access to the following folders:
- Root directory (except for .htaccess, if you use a plug-in for URL redirects)
You will also need to grant your server write access to wp-content.
To find out more about limiting access to your FTP, carefully read the relevant section of the WordPress Codex.
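One way to check the result of this step, as an added example that is not part of the original article: the script walks a WordPress directory and reports everything that accounts other than the owner can write to, skipping .htaccess and wp-content as described above. It assumes that “only your FTP account” maps to owner-only write permission bits; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_write_access(root, exempt=("wp-content", ".htaccess")):
    """List (relative path, mode) for entries under `root` that group or others
    can write to. Names in `exempt` directly under root are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in exempt]  # do not descend
            filenames = [f for f in filenames if f not in exempt]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not enforced
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((os.path.relpath(path, root), stat.filemode(mode)))
    return sorted(findings)

# Constructed sample layout: relative path -> mode (directories end with "/").
SAMPLE_TREE = {
    "index.php": 0o644,
    "wp-config.php": 0o666,          # loose: any account on the server can rewrite it
    ".htaccess": 0o664,              # exempt (URL-redirect plug-in case)
    "wp-admin/": 0o755,
    "wp-admin/admin.php": 0o644,
    "wp-includes/": 0o777,           # loose directory
    "wp-includes/load.php": 0o664,   # loose: group-writable
    "wp-content/": 0o775,            # exempt: the web server needs write access
    "wp-content/upload.tmp": 0o666,
}

def build_sample_tree():
    """Create the constructed layout in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, mode in SAMPLE_TREE.items():
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, mode in audit_write_access(build_sample_tree()):
        print(mode, rel)
```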
Plan and perform updates
This is the last piece of advice for those who have just launched their store and want to secure it to the maximum: don’t neglect updates.
After some time, updates to WordPress, WooCommerce, plug-ins and extensions may seem bothersome. Since we recommend making backups and testing updates in a testing environment, you will probably be tempted to postpone them. If you do, attackers will have more chances to find weaknesses in your shop and gain access to it. Updates are there to protect your website, and if you ignore them, you endanger yourself, your business and your clients.
What should you do then? Just set a fixed interval, such as once a month or once a week, for checking for updates, making a backup, testing and installing the updates on your website. If needed, add this task to your schedule to find time for it. Believe us, this won’t be a waste of time, and you will thank yourself later.
If you add the update procedure to your usual routine, along with the other security measures suggested above, this process will become an ordinary everyday task. Soon you will be running a protected online store without thinking of postponing anything.
Let us sum up the seven major points that you should remember and take into account to make your WooCommerce shop secure.
- Choose hosting that makes security its top priority.
- Set strong passwords and keep them safe using a password manager.
- To prevent unauthorized access, use two-factor authentication for all of your accounts (not only for the shop).
- Use Jetpack Protect to limit the number of brute force login attempts.
- Make your website more secure with VaultPress (monthly plan is available).
- Change FTP access settings to restrict write access to mission-critical folders and files.
- Plan WordPress and WooCommerce updates on a clear schedule.
By following these seven simple pieces of advice, you can lay the foundation for a reliable and secure online shop that will be protected against hackers and other kinds of attack.
Remember that security should be the top priority for your shop. When starting any type of website it’s very easy to forget about security. This issue should be taken very seriously if you wish to run your business successfully. The protection of your data and your clients’ data should be your major task right from the start.
If you have more advice for those who are only starting to learn about WordPress and WooCommerce security, or for new entrepreneurs who have just opened their own shops on this platform, we will gladly hear your opinion in the comments.