woocommerce (2)

Security should be the number one priority for every online store owner. If you run an eCommerce website, you know that customers enter personal details, credit card information, and other sensitive data. If this information winds up in the wrong hands, the ripple effect can be detrimental to customers’ financial well-being, causing irreparable damage to your business’s reputation.

In this guide, we’ll explore proven WooCommerce security strategies you can implement to secure your online store against hackers, fraudsters, and other cyber threats. Let’s dive in.

Why Should You Secure Your WooCommerce Store?

Hackers are an ever-present threat to online businesses. Based on our observations, there are several reasons why securing your WooCommerce store should be a top priority for your business.

You’re in Possession of Sensitive User Data

The very nature of online businesses means that you handle sensitive customer information. Think—credit card and banking details, payment information, personal details, etc.

If this information gets into the wrong hands, there's a good chance it'll end up on the black market, where it will be sold to fraudsters and other malicious actors. As a result, your customers may fall victim to marketing scams, spam emails, or financial loss if fraudsters use their credit cards to make unauthorized purchases.

You Must Secure Critical Business Data

Hackers accessing your online store may erase critical business information, including products, services, shipping information, customer contact details, etc. If you collect payments for orders and fail to deliver on your promise due to losing this data, your business is at risk of being labeled fraudulent—through no fault of your own. Rebuilding a tarnished reputation is difficult (if not impossible) to do.

The Imminent Risk of Scams and Fraud

If hackers hijack your online store, they may use their new-found leverage to dupe customers and divert traffic to phishing sites to harvest login credentials or sell them fraudulent goods.

When customers visit your store and make a purchase, they entrust you with confidential information. They trust that you have taken the necessary measures to secure their information. The last thing they expect is their personal and payment details to end up in the wrong hands.

Your business data, reputation, and sensitive customer information are at stake if you don’t prioritize your store’s WooCommerce security.

See also: The Unspoken Truth About Running a WooCommerce Store

Understanding the Risks and Consequences of Inadequate Security

Now that you know why you should secure your WooCommerce store, let’s explore some potential risks and consequences of inadequate site security.


You Might Have to Rebuild Your Online Store from Scratch

Think about all the hard work that went into developing your online store, all the effort that went into your website's design, content, and functionality, and the time and resources you used to optimize your eCommerce store for search engines and boost your brand's visibility.

Now, imagine what a security breach would mean for your store.

All that time, effort, and resources you invested into building your website will all have been for nothing. If hackers hijack your online store, you'll have to rebuild a new website from scratch.

Sensitive Customer Information May Fall Into the Wrong Hands

Building your online business to the point where customers trust you with sensitive personal details and payment information takes time and raw grit. They’ve entrusted you to keep their names, addresses, phone numbers, and credit card information safe. They expect you to prevent this information from being accessed by hackers.

If malicious actors get these details, they may steal or defraud unsuspecting customers of their hard-earned money. This can have far-reaching repercussions on their financial welfare.

You Might Fall Into Legal and Financial Trouble

If the security of your online store is compromised and hackers get their hands on sensitive customer information, that could land you in a world of legal and financial trouble. You could be looking at multiple lawsuits from numerous customers seeking to hold you and your business liable for their losses and the breach of their privacy.

The court may go as far as to place a lien on your assets to recover monetary losses to compensate customers. Based on our own experience, such cases can take a toll on your financial and psychological well-being.

Customers May Lose Trust in Your Brand

It takes a long time to build your brand reputation. It’ll only take a few moments to destroy the trust you have built with existing and prospective customers if hackers hijack your online store or steal sensitive business and customer information.

You May Lose Your Search Engine Rankings

Google, Bing, and other search engines are wary of websites with security breaches. To avoid sending users to a compromised website, Google will usually down-rank hacked sites or de-index them entirely. If your online store previously ranked among the top search engine results, it will no longer feature there. It will disappear, and your website will no longer get organic traffic.

How Secure Is WooCommerce?

Like all reputable eCommerce platforms, WooCommerce is pretty secure as far as its out-of-the-box security features go. Remember, WooCommerce is a plugin built for WordPress. It is designed to convert your WordPress website into an online store.

The plugin has many built-in security features and is backed by a dedicated team of expert developers to ensure that your online store and associated data are kept safe from hackers and other cyber threats. The fact that it is open-source also means that it has a worldwide community of developers dedicated to ensuring that it is safe and secure for users. 

That said, while WooCommerce’s built-in features are nothing short of impressive, they do not guarantee protection against external security threats. Your online store is still at risk of breach from DDoS and brute force attacks and vulnerabilities in third-party plugins and themes. These aspects of your store’s security are entirely in your hands.

How can you identify whether your WooCommerce store has been hacked? Some tell-tale signs to look out for include:

  • The appearance of new admin accounts you did not create;
  • Spam links in the comments section of your website, product reviews, or descriptions;
  • Unusual alerts of links redirecting users to third-party websites;
  • Alerts from Google indicating that your online store has been flagged for security risks;
  • Missing, unusual, or unexpected customer emails;
  • Frequent timeout errors or slow page loading times.

There’s no denying that running an online store is hard work. Between working on inventory, fulfilling orders, and marketing your business, finding the time to constantly monitor your store for potential security breaches is near impossible.

That's why you should install a downtime monitoring plugin to automatically check your website is running and alert you if it is not. Real-time alerts such as these allow you to take immediate action to fix and restore your online store’s operations in the event of a security breach.

WooCommerce Security: 10 Proven Security Tips to Protect Your Store

So far, we’ve established why you need to secure your online store, the potential risks inadequate security poses to your business, and how to tell whether your site’s security has been breached. It's time to dive into the top foolproof strategies you can implement to protect your WooCommerce store against hackers. Here are the top 10:

1. Use a Secure Hosting Provider

This is arguably the most overlooked security measure when it comes to safeguarding your online store against cyber criminals. Your hosting provider stores your WordPress database, core files, and site content, allowing users to view them from whichever location they may be.

Your hosting provider’s level of security forms the foundation of your website’s security. In other words, if your provider’s core security infrastructure isn’t strong enough to ward off malware and hackers, your website’s database and core files don’t stand a chance against these threats.

The question then becomes: How can you tell whether your hosting provider is secure?

The answer to this has everything to do with the platform's security features. Our findings indicate that common buzzwords to look out for include:

  • SSL certificates to protect sensitive customer data and payment information.
  • Automatic backups to restore your site in the event of a security breach.
  • Attack prevention and monitoring to get real-time alerts when malware is detected in your database or files.
  • Server firewall to prevent hackers from accessing your website files.
  • 24/7 support if you need immediate help during a security breach.
  • Up-to-date PHP, MYSQL, and other server software in line with the latest security protocol.
  • Malicious file isolation capability to prevent malware or viruses from spreading to other folders or websites on the same server.

It helps to check the hosting provider’s security page to confirm whether they offer these features before settling on one for your WooCommerce website.


2. Keep Your Site Software Up-to-Date

We cannot stress how important it is to keep your WordPress website, WooCommerce plugin, and every extension installed on your online store up-to-date. Software updates exist for a reason, and more often than not, it's to ensure your website remains secure against emerging threats.

Failing to update your site software and plugins puts your store, business data, and sensitive customer information at risk. Over half of all reported WordPress vulnerabilities result from out-of-date plugins—WooCommerce included.

The key to ensuring that all your online store software is updated is to set aside a specific time daily to review your store updates, back up your site data, and install those updates on your website. If doing it manually doesn't sound the least bit appealing to you, consider enabling WordPress’ auto-update feature for your plugins and software to be updated automatically.

Also, ensure you regularly back up your WooCommerce store. The reason for this is simple: If, for whatever reason, your online store’s security is compromised and hackers end up gaining access to your site, having a clean, malware-free, unadulterated version of your store is the fastest way to getting your website up and running again.

The secret to having a good backup version of your site lies in installing a robust backup plugin equal to the task. You want to pick a tool that saves your website automatically in real time. Ideally, it should save multiple copies of your site and store them separately from your server in case your hosting provider's security is compromised. It should also allow you to restore the backup quickly, even if your store is inaccessible.

Consider installing Jetpack VaultPress Backup on your WooCommerce store. It is by far the industry standard and hands-down the best WooCommerce security plugin when it comes to backing up your online store.

3. Frequently Scan for Malware

Malicious software, or "malware," is software developed for malicious use. It is, by far, the most common tactic hackers use to hijack websites and redirect web traffic to phishing sites where they can steal customer login credentials and credit card/banking information.

If a hacker infiltrates your online store or site server, you’ll want to know about it immediately. That way, you can mitigate the threat quickly, protect your customers from financial loss, and get your website back up and running in the shortest time possible.

Since it is not possible to monitor your website for signs of malware manually 24/7, you can install a malware scanning plugin to regularly search for malware and potential vulnerabilities hackers might exploit.

Jetpack Scan is an excellent malware guard you can install on your WooCommerce store. Using this product, our team has discovered that it sends a real-time alert if it finds malware in your online store, allowing you to troubleshoot and fix the threat in one easy click.

While at it, ensure you take the necessary measures to prevent brute-force attacks on your store. A brute-force attack is a hacking method cybercriminals use to guess tens of thousands of username and password combinations using bots until they get the right one. The effects of a brute force attack on your online store are twofold.

First, it allows the hacker to gain access to your website. Second, it negatively impacts your site loading times due to the sudden upsurge in traffic to your store.

To protect your online store against brute force attacks, consider installing Jetpack. It is the best WooCommerce security plugin when it comes to protection against brute-force attacks. It automatically blocks malicious IP addresses before they ever reach your website.

Alternatively, you can install a WordPress extension that limits the number of times site visitors can attempt to log in to your online store. A legitimate user won’t typically require more than a few tries to sign in. For instance, you can set the attempted login limit to three times within a specific duration.

4. Ensure User Accounts Have Strong Passwords

It is your responsibility as the online store owner to ensure that all accounts associated with your WooCommerce store have secure passwords. By "secure," we mean hard to crack. It only takes one user account with a compromised password for a hacker to access the store's backend and steal sensitive customer and business information.

To ensure user accounts—including those associated with your domain name provider, hosting provider, and WordPress website—have secure passwords, they must satisfy the following criteria:

  • Each account, particularly the WordPress admin accounts, must have a unique password;
  • Every password must comprise a combination of upper and lowercase letters, numbers, and symbols;
  • The password should not be an easily guessable phrase or number such as birthdays, anniversaries, names of loved ones, etc.;
  • The password length minimum should be longer than eight characters—the longer, the better.

WordPress’ built-in password generator is great for creating long, complex, and hard-to-guess character combinations. You can use the Password Policy Manager plugin to set password rules for all users with access to your website. You can even configure it to require users to reset their passwords every so often.

You can use password managers if you're worried about remembering your passwords. These will store your passwords safely and securely.

While at it, take a moment to review your user permissions. WooCommerce and WordPress generally come with set permissions assigned to various user roles. Ensure that you review these permissions to confirm the level of access and capabilities each user has with regard to managing your online store. As a rule, always provide each user with the minimum possible permissions required to do their job.

For instance, the Admin role has complete access to every element of your website. The user can add, edit, or delete code and site files. On the other hand, a store manager role doesn’t need all these capabilities.

5. Implement Two-Factor Authentication

A strong password means nothing if someone gains access to the associated email and proceeds to reset your password. Someone with access to your open email account can do this easily. That’s where two-factor authentication (2FA) comes in and is a foolproof way to protect your user accounts against unauthorized third-party access.

As the name suggests, 2FA adds a second layer of protection—typically a code sent to your smartphone—requiring users to validate their logins aside from entering the correct username and password. At the very least, ensure you implement 2FA for each admin account. It would be an even better idea to enable 2FA on all user accounts associated with your WooCommerce store to keep sensitive data safe.

6. Install a Web Application Firewall

Think of your website as a building. A web application firewall (WAF) would then be the security guard at the entrance door, deciding who to let in and who not to.

A WAF functions to review traffic to your online store before applying certain rules to decide on which visitors to allow or disallow.

WAFs like Jetpack Protect Firewall have a massive database of known threats and can adapt in real time depending on the activity in your online store. When choosing a WAF, we recommend picking one that can automatically adjust its rules when it senses a threat to ensure your website is always protected.

There are generally two types of WAFs you’ll encounter.

On the one hand, you have DNS-level WAFs that route all traffic through the provider’s cloud proxy servers, allowing only the genuine ones to access your website.

On the other hand, you have application-level WAFs that review site traffic once it reaches your server but before they load WordPress scripts. After we tried it in practice, we found that a DNS-level WAF is better for your site's security.

See also: What Is the True Cost of Running a WooCommerce Store?

7. Review and Modify Your Site’s FTP Settings

FTP is short for File Transfer Protocol. It refers to the rules that allow files to be transferred between your computer and your hosting provider’s server. By creating an FTP account through your hosting provider, you can make changes to your site files or give your staff access to your website without sharing your hosting login credentials with them.

If a hacker or any other malicious actor somehow gains access to your FTP account(s), they can make changes to your site. That's why your first order of business during setup should be to limit the permissions on them.

Only your FTP account should have access to the following folders in your website’s backend:

  • wp-admin
  • wp-content
  • wp-included
  • Root directory

8. Install an SSL Certificate

The function of a secure socket layer (SSL) certificate is to encrypt sensitive information transmitted by users on your eCommerce store. Credit card information, banking details, and contact form submissions are a few examples of sensitive information that could wreak havoc if it fell into malicious hands.

SSL certificates are necessary for your online store’s security and play a critical role in your website’s SEO.


Most hosting providers usually include a free SSL certificate along with their plans. If yours does not, you can always get a free certificate from Let’s Encrypt, a trusted open-source provider.

9. Block Contact Form and Comment Section Spam

There are various ways spam can show up on your WooCommerce store. You might find spammy contact form submissions, fake product reviews, or blog post comments. Spam isn’t just annoying for site visitors; cybercriminals can embed malicious links to redirect customers to phishing websites, tank your rankings on search engines (while boosting theirs), and use your contact form to defraud site visitors.

To ward off spam, you must go to your WordPress dashboard, access Settings, and select Discussion. While you’re there, some of the changes you can make include:

  • Making it a requisite for authors to log in before they can post comments;
  • Enabling an email notification every time someone posts a comment;
  • Enabling manual admin approval for each comment before it is posted on your website;
  • Setting specific criteria—such as flagging particular words, phrases, and links—to automatically mark certain comments as spam.

Likewise, to edit your WooCommerce settings for product reviews, go to WooCommerce in your WordPress dashboard, select Settings, and click Products. You can then configure Review settings, such as only allowing verified purchasers to leave reviews.

If manually reviewing every comment sounds nightmarish, consider installing a plugin like Akismet, renowned for filtering spam with near-100% accuracy. The great thing is that, unlike other spam blockers, Akismet doesn’t use CAPTCHAs to filter spam—a tool many users find annoying.

10. Install a WordPress Activity Log Plugin

A WordPress Activity Log plugin allows you to track every activity on your site. If anyone logs into your store dashboard or website and updates pages, adds, deletes, or edits a product, the activity log will provide detailed information on who performed what action and when.

As you would expect, the main advantage of this tool is that it allows you to identify any suspicious activity that might point to a security breach. Think—the deletion of a security tool, the appearance of a newly published page, or a user login from an unknown account or location you don't recognize. An activity log also lets you hold other store users accountable for their actions on your website.

Final Thoughts on How to Secure WooCommerce Site

There you have it! 10 proactive strategies you can implement to boost your online store’s WooCommerce security. Remember, security is the single most important aspect of running an online store and with good reason. Customers entrust you with sensitive personal and payment information, including their credit card details, which they expect will be kept safe from hackers, fraudsters, and other malicious actors.

If a security breach that could otherwise have been avoided causes this information to fall into the wrong hands, you would be solely responsible. You could potentially be held liable for any resulting losses.

Use the tips in this guide to protect your WooCommerce website from hackers and safeguard your customers’ information to protect your brand’s reputation.

Thinking of migrating your online store from your existing eCommerce provider to WooCommerce? Cart2Cart can help you do just that in a few easy clicks. Our automated shopping cart migration tool allows you to replatform your online store quickly and securely with no downtime or risk of data loss.

Sign up today for a free demo to see Cart2Cart in action.


How secure is WooCommerce?

As far as reputable eCommerce platforms go, WooCommerce is as secure as it gets. Its out-of-the-box security features are pretty impressive. The fact that it is open-source also means that it is backed by a team of dedicated developers worldwide to ensure it is safe and secure against hackers and other cyber threats.

How do I password-protect a product in WooCommerce?

To password-protect an item in your online store, all you have to do is:

  • Open the Add/Edit Product screen, go to Publish, and select the Visibility option;
  • Click the Password Protected option and enter your preferred password;
  • Click OK and then Publish/Update as usual.

How to protect my WooCommerce store

Some of the steps you can take to secure your online store include:

  • Using a secure hosting provider;
  • Keeping your site software up-to-date;
  • Frequently scanning your online store for malware;
  • Ensuring your store’s user accounts have strong passwords;
  • Implementing two-factor authentication (2FA);
  • Installing a web application firewall (WAF);
  • Reviewing and modifying your site’s FTP settings;
  • Installing an SSL certificate;
  • Blocking contact form and comment section spam;
  • Installing a WordPress activity log plugin to monitor suspicious activity.

How do I make my WooCommerce store private?

To make your WooCommerce store content private, you’ll need to install the WooCommerce Private Store plugin. Once it is activated, your online store will be hidden from public view.