WooCommerce Security: Eight Things You Need to Do First

Although WordPress and WooCommerce have security features built in, there are some basic things that new store owners can do to ensure their customers, employees, and data are safe in the worst-case scenario.

These are eight things that all WooCommerce store owners need to do.

1. Select a reliable host

Hosting providers store your website files and database. This allows anyone to view them from anywhere in the world. You and your customers could be at risk if you choose the wrong host.

You should look for a host who is familiar with WordPress and can clearly explain what they do to ensure your safety and security. You should look for:

  • SSL certificates,which secure customer data like addresses and telephone numbers.
  • Backups allow you to restore your site if something goes wrong.
  • Prevention and attack monitoringso you can instantly see if there is malware in your files.
  • A server firewall that blocks hackers from accessing files.
  • Access to support 24/7,just for you
  • The most up-to-date server software and such as PHP and MYSQL.

This is the ability to isolate malicious files to ensure that viruses or malware cannot move to other sites and folders on the server.


See our services : Blockchain services, Backbase Vietnam


You should see a page on security on the hosts you are considering. This will allow you to verify whether they offer these features. It is a sign that you should steer clear of hosts who require you to send emails or dig deeper to find answers. This list of hosting providers can be a good place to start.

2. Strong passwords can be created and stored safely

Safety may start with your host but it is up to you to ensure safety. Secure passwords should be used for all accounts that are associated with your store.

This is how it works:

  • Use unique passwords to protect each account.
  • You can create a password using a combination of lowercase and capital letters.
  • Avoid using words, birthdays, and other phrases that could easily be guessed.
  • Prioritize length — The more complicated and long-lasting a password is, the harder it will be to crack.

Are you concerned about your password security? WordPress comes with a built-in password generator that allows you to create complex combinations of passwords that are difficult to guess.

But remembering difficult passwords may be tricky. A password manager such as LastPass1Password is an excellent solution. This is our personal favorite at Woo. These password managers securely store your passwords, and they auto-fill them on your favourite sites.

Learn more:

3. Enable two-factor authentication (2FA)

You might have your password reseted if someone has access to your email address or other account.

Two factor authentication, also known as 2FA, can be a great way to protect your online accounts from unwanted intruders. 2FA requires a second step, typically your smartphone, to verify logins and confirm that you are the owner.

Enable 2FA on all accounts. Normal circumstances would allow an individual to gain access to your email account and possibly find your login information for other accounts. However, 2FA will prevent them from physically validating the logins using your mobile device.

This second step can add a bit more time to the login process. It’s worth it to have the assurance that your sensitive data are safe.

Jetpack allows you to implement two-factor authentication free of charge.

4. Prevent brute force attacks

Brute force attacks are when hackers use bots that guess thousands upon thousands of username/password combinations to find the right one. This can allow hackers to gain access to your site and can negatively impact your load speed due to increased store traffic.

Jetpack’s brute force attack protection is a great tool to stop them. You don’t need to worry about malicious IP addresses being sent to your site. It blocks them before they reach it.

5. You can add an additional layer of protection to your site

While we’ve already discussed some ways to secure your website, you might want to consider adding more Jetpack security tools. It offers:

  • Malware scanning: Get an immediate alert if malware has been detected on your site. This will allow you to troubleshoot the problem and resolve any known threats in just one click. It’s like having someone watching over your site 24 hours a day.
  • Spam Prevention (paid). Automatically remove spam from contact forms and comments that could make you appear unprofessional. Customers can also be sent to malicious websites.
  • A Activity Log : This free tool allows you to keep track of everything on your website, from new pages and products to user logins. It also shows who and when each action was taken.
  • Downtime Monitoring (free). Get an instant notification if your website goes down. This is a common sign of a hack and can be used to quickly get it up again.
  • Automatic plugin update (free). Automatically updates plugins to ensure your site is running smoothly and secure from hackers.

Jetpack protects WordPress sites. Learn more.

6. Adjust your FTP settings

FTP (file transfer protocol), is used to transfer files from one device to another. FTP accounts can be created by your hosting provider. These accounts allow you to connect your computer to your website server. They can make any changes to your website if a malicious actor has access to them.

However, limiting permissions to these accounts can help reduce or eliminate any potential damage. You must ensure that only your FTP account has the ability to access these folders:

  • The root directory
  • wp-admin
  • wp-includes
  • wp-content

This section of the WordPress Codex provides more information on how to lock down your FTP. These precautions should also be taken by your host.

7. Keep your website updated

It is crucial to update WordPress, WooCommerce and any plugins or extensions. Your site will be more secure if you receive updates. You could put your customers and yourself at risk if you ignore them.

This is the best way to approach it. This is the best way to approach it. You can turn off the auto update feature in WordPress if you don’t want it to bother you.

8. Regularly back up all your stores

A backup of your website is the best and fastest way to restore it if it is ever compromised.

Our technology services : Magento posshopify posbigcommerce poswoocommerce pos

We recommend Jetpack Back as a WordPress backup plugin.

  • Choose from daily backups that occur every 24hrs or real-time backups that occur every time you take an action (purchased product update, page change, etc.). Your site is backed up.
  • Don’t worry about losing your order information. All of your order information can be restored from a backup five minutes ago or five weeks ago.
  • Just one click to restore. You don’t need to worry about a complicated and time-consuming restore process. Just find the date and time that you wish to restore and then click a button.

Security is a top priority when opening a store.

While it is easy to forget about security during the rush of opening a store, it’s important that you do not neglect it. It is important to protect your customers‘ data from the beginning.

These simple steps will help you create a store that is trustworthy and secure in the unlikely event of an attack.

Do you have any tips for store owners just starting to think about WooCommerce and WordPress security? Leave us a comment.