What You Need To Do For A Secure WooCommerce Site

By EcommercePlatforms | Business

Mar 19

The average ecommerce startup doesn’t exactly have a huge budget to spend on getting established and building up a base of loyal customers. To begin with, and often for a long time after, money is going to be very tight — that means that frugality is essential. Fortunately, the march of technology has made it possible to get a fully-functional store very cheaply.

How, exactly? Well, WordPress led the way by making it quick and easy to start a blog or a broader website without any experience or the budget to accommodate much beyond basic web hosting, and soon enough dedicated ecommerce systems started appearing to do the same for online retail — then WooCommerce came along to push WordPress ahead again.

The WooCommerce plugin is free and intuitive, making it perfectly viable to rapidly turn a standard WordPress site into an ecommerce store. But that accessibility comes at the cost of the strict security you’d get with a fully-hosted store. Ultimately, the security of a WooCommerce store will come down to the owner — so here’s what you need to do to secure yours.

Adhere to strong password procedures

It doesn’t matter how strong a security system is if you fail to adhere to all the generic password requirements that apply to all forms of digital security, such as:

  • Using strong passwords. Don’t settle for the 6-letter name of your childhood dog. You won’t need to hit 30 alphanumeric characters — just hit 8-10 characters at a minimum and avoid using full words that can easily be guessed or brute forced. Try a password generator if you need some assistance.
  • Keeping passwords secret. It’s useless having a strong password if you readily mention it to acquaintances, leave it written on a post-it note above your office monitor, or protect it in a password vault which itself has a weak password.
  • Changing passwords semi-regularly. The longer you have a password, the more vulnerable it becomes to brute force attacks. Change your passwords on occasion (it doesn’t need to be too frequent) and you’ll avoid this danger.
  • Finding and removing any forgotten-password vulnerabilities. Because legitimate mistakes do happen, systems need ways to get around forgotten passwords, often using verification details to confirm identity. If you rely heavily on your mother’s middle name (something anyone could find), then you’re risking the safety of your entire system.

Failing to have secure passwords is simply reckless, and generally a waste of time, effort and resources put towards strong internal security.
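As an added example (not code from the original article), here is a small must-use plugin that enforces the first rule above at WooCommerce account registration: a minimum length, no bare common words, and no reuse of the account name. The hook name `woocommerce_process_registration_errors` and its four arguments are taken from WooCommerce's registration handler; the list of common words is a constructed placeholder for a real breached-password list, and the function names are the example's own.

```php
<?php
// Added example: password policy for WooCommerce registration.
// Drop into wp-content/mu-plugins/ecom-password-policy.php (hypothetical path).
// Assumes the 'woocommerce_process_registration_errors' filter, which receives
// (WP_Error $errors, string $username, string $password, string $email).

// Constructed illustration list; a real deployment would use a much larger
// dictionary / breached-password list.
const ECOM_COMMON_WORDS = array( 'password', 'welcome', 'letmein', 'qwerty', 'woocommerce' );

/**
 * Return the policy violations for a candidate password (an empty array means it passes).
 */
function ecom_password_policy_violations( string $password, string $username = '', string $email = '' ): array {
    $problems = array();
    $lower    = strtolower( $password );

    // Minimum length: the article's 8-10 character floor, using the upper end.
    if ( strlen( $password ) < 10 ) {
        $problems[] = 'Password must be at least 10 characters long.';
    }

    // Reject a password that is just a common word with digits or punctuation bolted on.
    $core = preg_replace( '/[^a-z]/', '', $lower );
    if ( in_array( $core, ECOM_COMMON_WORDS, true ) ) {
        $problems[] = 'Password is a commonly used word.';
    }

    // Reject passwords containing the username or the local part of the email address.
    $local = strtolower( strstr( $email, '@', true ) ?: $email );
    foreach ( array( strtolower( $username ), $local ) as $fragment ) {
        if ( strlen( $fragment ) >= 4 && false !== strpos( $lower, $fragment ) ) {
            $problems[] = 'Password must not contain your username or email address.';
            break;
        }
    }

    return $problems;
}

add_filter(
    'woocommerce_process_registration_errors',
    function ( $errors, $username, $password, $email ) {
        // When WooCommerce generates the password itself, $password arrives empty;
        // applying the policy there would block every registration.
        if ( '' === (string) $password ) {
            return $errors;
        }
        foreach ( ecom_password_policy_violations( (string) $password, (string) $username, (string) $email ) as $message ) {
            $errors->add( 'ecom_weak_password', $message );
        }
        return $errors;
    },
    10,
    4
);
```

The empty-password check matters: with "generate password automatically" enabled in WooCommerce's account settings the customer never types one, and a policy that rejects the empty string would lock out all new customers. Administrator and Shop Manager accounts are created through the WordPress user screens rather than this form, so they need the same rule applied separately.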

Follow all software updates

Systems almost never ship with flawless security. Over time, people have the opportunity to look more closely at how they work, prodding and testing them to see how they respond to different approaches — and sooner or later some vulnerabilities will be found. When this happens, the software developer first needs to become aware of it, and then they need to produce and release a patch to remove those vulnerabilities.

But even if this happens very quickly (so quickly that hackers don’t have enough time to take advantage of the vulnerabilities before the update is released), it can’t fully address the problem because updates are almost never mandated. In a closed, cloud-hosted CMS the vendor can apply updates for you, but a self-hosted WordPress installation will only update when you allow it to, or when you tell it to.

As such, if you leave a WooCommerce store unaddressed for several months, you’ll inevitably return to the admin dashboard to find that there are numerous updates available. And if your store is doing a lot of business, you may be highly reluctant to install updates, knowing that it will cause disruption to your operations and lose you revenue.

Now, not all updates are urgent, but you must install any and all essential security updates. How can you tell? Read the update notes, and follow any relevant news. You’ll be able to see which updates are vital and which are optional, then act accordingly.
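One way to stop security releases from waiting months for someone to log in, shown here as an added example rather than anything from the article: a must-use plugin that opts the plugins you consider security-critical into WordPress's background updater while leaving the rest for a scheduled, tested update window. The `auto_update_plugin` and `auto_plugin_update_send_email` filters and the `WP_AUTO_UPDATE_CORE` constant are WordPress's own; the file path, function name and the plugin list are this example's assumptions.

```php
<?php
// Added example: wp-content/mu-plugins/ecom-auto-updates.php (hypothetical path).
// Core security/maintenance releases are already applied in the background
// when wp-config.php leaves WP_AUTO_UPDATE_CORE at its default of 'minor';
// do not set AUTOMATIC_UPDATER_DISABLED to true, which switches all of that off.

/**
 * Plugins (file path relative to wp-content/plugins) that should update
 * automatically. Constructed list; adjust to the store's own stack.
 */
function ecom_auto_update_plugin_list(): array {
    return array(
        'woocommerce/woocommerce.php',
    );
}

add_filter(
    'auto_update_plugin',
    function ( $update, $item ) {
        // $item->plugin is the plugin's main file relative to wp-content/plugins.
        if ( isset( $item->plugin ) && in_array( $item->plugin, ecom_auto_update_plugin_list(), true ) ) {
            return true;
        }
        return $update; // keep WordPress's default decision for everything else
    },
    10,
    2
);

// Email the site admin after each automatic plugin update (success or failure),
// so a broken update is noticed the same day rather than months later.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
```

For everything not on that list, a quick inventory before the update window is `wp plugin list --update=available` with WP-CLI, which prints only the plugins that have a pending release, so the "read the update notes" step covers a short list rather than the whole dashboard.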

Don’t allow unnecessary system access

Even if someone has great intentions, they can still cause enormous damage with admin access, so it isn’t something you should ever just give out without a lot of thought. You can’t always get away with being the only person in your business with admin access, of course — there may be times when you need to enjoy some vacation days, or have other things you need to deal with besides the regular business operations.

The key is to simply make sure that you trust someone fully and believe in their competence before you grant them admin access. They need to not only be reliable but also have a strong understanding of what they can and can’t do. Otherwise, they could get lost on the dashboard and end up accidentally deleting your entire product range (make sure you protect it).

Think of your WooCommerce store as an asset that you need to protect because it’s your livelihood, your passion project, and a potential target for investment. Website valuation is a complex process, yes, but one part that’s extremely simple is security assessment — if your system has several unnecessary admins, how will possible investors, partners or suppliers view the state of your business?
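Unnecessary admins are easier to spot when something watches for them. The following is an added example, not part of the article: a must-use plugin that records a baseline of administrator logins and emails the site owner whenever that set changes, using WP-Cron. `get_users`, `wp_schedule_event`, `wp_next_scheduled`, `wp_mail` and the `admin_email` option are WordPress's own; the file path, option name, event name and function names are this example's assumptions.

```php
<?php
// Added example: wp-content/mu-plugins/ecom-admin-audit.php (hypothetical path).
// Keeps a baseline of administrator accounts and emails the site owner when
// the set changes, so an unexpected admin does not go unnoticed.

const ECOM_ADMIN_BASELINE_OPTION = 'ecom_admin_baseline';

/** Current administrator logins, sorted, as a plain array of strings. */
function ecom_current_admin_logins(): array {
    $users  = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_login' ) ) );
    $logins = array_map(
        function ( $u ) {
            return $u->user_login;
        },
        $users
    );
    sort( $logins );
    return $logins;
}

/** Compare two login lists; returns [ 'added' => [...], 'removed' => [...] ]. */
function ecom_admin_diff( array $baseline, array $current ): array {
    return array(
        'added'   => array_values( array_diff( $current, $baseline ) ),
        'removed' => array_values( array_diff( $baseline, $current ) ),
    );
}

function ecom_run_admin_audit(): void {
    $current  = ecom_current_admin_logins();
    $baseline = get_option( ECOM_ADMIN_BASELINE_OPTION, null );

    if ( null === $baseline ) {
        // First run: record the baseline without alerting.
        update_option( ECOM_ADMIN_BASELINE_OPTION, $current, false );
        return;
    }

    $diff = ecom_admin_diff( (array) $baseline, $current );
    if ( $diff['added'] || $diff['removed'] ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Administrator accounts changed on ' . home_url(),
            "Added: " . implode( ', ', $diff['added'] ) . "\nRemoved: " . implode( ', ', $diff['removed'] )
        );
        update_option( ECOM_ADMIN_BASELINE_OPTION, $current, false );
    }
}
add_action( 'ecom_admin_audit_event', 'ecom_run_admin_audit' );

// Schedule the daily check with WP-Cron if it is not already scheduled.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'ecom_admin_audit_event' ) ) {
        wp_schedule_event( time(), 'daily', 'ecom_admin_audit_event' );
    }
} );
```

For staff who only need to run the shop, WooCommerce's built-in Shop Manager role covers orders, products and reports without site-wide administrator rights, which keeps the list this check watches short.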

Carefully vet your other plugins

It’s very unlikely that you’ll have the WooCommerce plugin installed in isolation. You’ll probably have themes installed, as well as speed plugins, SEO plugins, image optimizers, review plugins, and numerous other extensions. One of WordPress’s greatest strengths is its flexibility, but it comes at a cost — every fresh plugin you install provides a new point of vulnerability, and has the potential to cause conflict with another plugin.

To avoid any security issues, try to keep your plugin array to a minimum. Only have a plugin active (or even installed) if it’s adding something meaningful to the store. Check up on the developers and confirm that they’re trustworthy: do they update regularly? Post about relevant industry topics? Tell you about compatibility with other plugins and systems? The whole point of SecurityNinja is to ensure that WordPress sites are kept safe, and it’s reflected throughout the content of this website.

And remember that every plugin will need updates, so if you have concerns about updating the basic system, consider that it’s risky to update 20 plugins at the same time — if something goes wrong, you need to disable and re-enable the plugins one by one to find the culprit. Keep your set of plugins limited to the high-quality essentials and your security will be far stronger.
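A plugin that is installed but switched off still ships code on the server, so "or even installed" above is worth acting on. As an added example (not from the article), this snippet lists such plugins so they can be reviewed and removed; `get_plugins` and `is_plugin_active` are WordPress's own functions from `wp-admin/includes/plugin.php`, and the function and file names are assumptions of this example.

```php
<?php
// Added example: list plugins that are installed but inactive.
// Run inside WordPress, for instance with WP-CLI:
//   wp eval-file ecom-plugin-inventory.php   (hypothetical file name)

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

/**
 * Returns inactive plugins keyed by plugin file, with their name and version.
 */
function ecom_inactive_plugins(): array {
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        // is_plugin_active() also accounts for network-activated plugins on multisite.
        if ( ! is_plugin_active( $file ) ) {
            $inactive[ $file ] = array(
                'Name'    => $data['Name'],
                'Version' => $data['Version'],
            );
        }
    }
    return $inactive;
}

foreach ( ecom_inactive_plugins() as $file => $info ) {
    printf( "%s %s (%s) is installed but inactive; remove it if it is no longer needed.\n", $info['Name'], $info['Version'], $file );
}
```

Running this before each update window turns the "disable and re-enable one by one" hunt into a shorter one, because every plugin that survives the review is one you actually rely on.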

WooCommerce is a fantastic ecommerce CMS, particularly for small-to-medium businesses, but its great versatility also constitutes a security concern. Follow these steps, proceed carefully, and listen to security experts — everything should be fine.