5 WooCommerce security tips, before AND after an incident

WooCommerce Security

Your WooCommerce website is your source of income. Whether you’re handling a handful of transactions per day or 1,000 transactions an hour, your money is at stake and keeping your website security up to par is vital. Given that you are handling money, credit cards, and personal information, your website is a target, and you should be ready for the worst case so you can respond adequately to lock down your woocommerce security both before and after a breach should it happen.

Before: WooCommerce security hardening and monitoring

1. Account passwords strength and roles

The first and easiest step is to use secure passwords on all admin accounts. A weak password is leaving the back door wide open to your website.

Woocommerce Security Login Protection

You should periodically review who has admin access to the website and remove or downgrade users who no longer need that level of access. Consider using the Shop Manager role in WooCommerce more – it can handle order fulfillment without having access to change site settings. Every admin user account is a potential access point. Admins should also be required to use two-factor authentication (2FA) so that even if their password is compromised, an attacker still won’t be able to gain access to your website.

Some of our clients go a step further and lock the most sensitive features down to only specific, named admins. This way even if someone is improperly granted admin access they still can’t perform certain functions. This sort of hardening requires custom development, which our certified Platinum WooCommerce Experts can assist with setting up for your website.

2. Have a decent firewall in place

Besides user management, an important step we set up for all clients is a firewall which can lock user accounts after too many failed login attempts, also known as brute-force prevention. We also periodically scan websites with a third party service that can detect malicious code. This code can be hidden in image files, logs, and plugins, and can be hard to track down otherwise.

3. Review your plugins regularly

Another important item to regularly review is to make sure plugins are not only up to date, but also reviewed to see if they are still needed. An old plugin that’s not used on the site but still installed is a significant potential attack vector, especially if it’s no longer being updated by its author.

After: Your woocommerce security is breached, now what?

4. What to look for

FirstTracks has assisted multiple clients who have had their websites breached in some way. For WooCommerce websites, attackers will most commonly attempt to add a credit card skimming script to checkout.

WooCommerce Security Code Scan

You’ll most commonly notice this if, after entering your credit card number, the credit card fields suddenly go blank and ask you to reenter your number. This should be a major red flag, and should be tested for regularly. We recommend testing this in an incognito window in your browser, as scripts are often smart enough to hide themselves when the checkout page is being looked at by a logged in admin. Besides credit card skimmers, the other exploit you might see is just changing all your website content so it’s filled with spam.

5. Key things you need to do asap

If you’re seeing any of the above, your site has been breached, and you need to rectify the situation immediately. At FirstTracks, step one is starting a fresh scan via Sucuri, as mentioned above. That can be sufficient in and of itself. But once the scan has finished and any malicious code has been removed, it’s absolutely necessary to repeat the hardening steps above to make sure the attacker can’t come back. Every admin’s password should be reset, every plugin should be audited and updated, and every page should be checked for broken functionality and spam content.

Customer communication

If the incident may have caused customer information, especially information like credit card details, to be released, customer communication is vital. In fact in many cases, it’s legally required. This can be handled pretty easily via email communications with customers who have made any purchases on your website when the breach happened. Owning the situation and being direct and upfront with the situation is the best approach in these situations. Let your customers know what happened and what you have done to prevent this in the future. Your customers will feel better knowing you are being proactive about the situation and have things under control.

Need help with your WooCommerce security?

If you have read through this post and don’t know when the last time was that you reviewed these critical items you should contact us. Our team of certified Platinum WooExperts has been designing, developing and supporting WooCommerce Websites for over 14 years. We have seen it all and we can help you get your website ship shape and secure in no time. Fill out this short form or give us a call at 603-924-1978, we look forward to meeting you and learning more about your business soon!

New Ideas & Inspiration