Do you have an e-commerce site, or do you intend to build one?
This article walks through the steps that make a WooCommerce store much harder to hack.
WooCommerce is an open-source eCommerce plugin from the software stable of the world's most popular CMS platform, WordPress. It was created as an online-store building platform for merchants who are comfortable with WordPress and its CMS abilities. Since its launch in 2011, WooCommerce has been rapidly building on the market share that WordPress had already captured.
According to Builtwith, as of January 2018, an estimated 1,986,324 online stores have been built using WooCommerce.
That makes it a treasure trove for hackers who want to cripple an entire industry, or a significant part of it. WooCommerce looks like an easy target for two reasons:
- It is used by small merchants who may not invest time and money in security
- It is a plugin running on widely deployed, off-the-shelf software. A flaw found in one installation applies to every other one, so attackers scan the web for it and can turn a single bug into control of the whole site. Regular updates and patch installs are mandatory, yet most users don't apply them diligently.
Also, in July 2016, security researchers found a cross-site scripting vulnerability in WooCommerce that could let an attacker steal a victim's login credentials or session, or perform actions on their behalf.
So the need for securing a WooCommerce website cannot be written off. Of course, WooCommerce ships with some sensible security features built in.
But there is always room for improvement, and a few extra-mile efforts go a long way toward keeping your store as secure as Fort Knox.
This blog is a collection of such WooCommerce security tips. They include:
- Change your admin username
- Have a strong password policy
- Opt for secure hosting
- Encrypt using SSL certificates
- Schedule regular backups
- Keep themes & plugins updated
- Limit failed login attempts
- Limit trackbacks & pingbacks
Start by Changing Your Admin Username
Most brute-force attacks begin by guessing the admin's username and password, and 'admin' is the first username any attack tool tries. Even WordPress founder Matt Mullenweg has pointed out the need to change the default 'admin' username. Keeping an easy-to-guess username like 'admin' is like handing the attacker half of the credential for free. Bear in mind, though, that WordPress reveals usernames through author archives (a request for /?author=1 redirects to /author/username/) and through the REST API's users endpoint, so a renamed account raises the bar a little rather than keeping the name secret; the strong password and the login limit described below are what actually stop the guessing.
Here is how to change your admin username for a basic level of protection against brute-force attacks:
- Go to Users -> Add New
- Create a new user with a different name and email address and give them the role of 'Administrator'
- Log out of WordPress and log in with the new administrator account
- Delete the old 'admin' user
- When asked what to do with its content, choose 'Attribute all content to' the new user and click 'Confirm Deletion'. You're done.
Make sure the new administrator account is protected with a strong password, and resist the temptation to give it another guessable name such as your company or domain name.
Have a Strong Password Policy
Now that you have changed the default admin role, you need to ensure that the new admin profile and the subsequent users follow a strong password policy. A strong password policy will prevent users from using common and weak passwords.
Aim for length first: a passphrase of 12 characters or more beats a short string of mixed symbols. Requiring a combination of letters, numerals and special characters is still worthwhile, and so is rejecting passwords that appear in published breach lists. Forcing a change every month or two, on the other hand, tends to produce weak, predictable variations of the old password; change passwords whenever there is any suspicion of compromise instead, and enable two-factor authentication for every administrator account.
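As an added example (not code from this article, from WordPress or from WooCommerce), here is a must-use plugin that enforces a policy along these lines at every point where a WooCommerce store accepts a new password: the wp-admin profile and Add New User screens, the wp-login.php reset form, and WooCommerce's own registration and account-details forms. The minimum length, the denylist and the example_ function names are choices made for this illustration; the hook names are WordPress's and WooCommerce's own.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example)
 * Save as wp-content/mu-plugins/password-policy.php; mu-plugins load on every
 * request and cannot be deactivated from the dashboard.
 */

const EXAMPLE_PW_MIN_LENGTH = 12;   // policy value chosen for this example
// Tiny illustrative denylist; in production check against a breached-password list.
const EXAMPLE_PW_DENYLIST = ['password1234', 'woocommerce1', 'qwertyuiop12', '123456789012'];

/**
 * Returns a human-readable reason the password is unacceptable, or null if it passes.
 * Length is the primary criterion; the character-class mix is a secondary check.
 */
function example_password_problem($password) {
    if (!is_string($password) || strlen($password) < EXAMPLE_PW_MIN_LENGTH) {
        return sprintf('Passwords must be at least %d characters long.', EXAMPLE_PW_MIN_LENGTH);
    }
    if (in_array(strtolower($password), EXAMPLE_PW_DENYLIST, true)) {
        return 'That password is too common to be safe.';
    }
    $classes = (int) preg_match('/[A-Za-z]/', $password)
             + (int) preg_match('/[0-9]/', $password)
             + (int) preg_match('/[^A-Za-z0-9]/', $password);
    if ($classes < 2) {
        return 'Passwords must mix letters with digits or special characters.';
    }
    return null;
}

/** Adds the policy error to a WP_Error object if $password fails the check. */
function example_reject_weak_password(WP_Error $errors, $password) {
    $problem = example_password_problem($password);
    if ($problem !== null) {
        $errors->add('weak_password', $problem);
    }
}

// wp-admin: "Profile" and "Users -> Add New" both run edit_user(), which fires this
// action with the submitted password already copied into $user->user_pass.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (!empty($user->user_pass)) {
        example_reject_weak_password($errors, $user->user_pass);
    }
}, 10, 3);

// wp-login.php password reset form: the new password is posted as pass1.
add_action('validate_password_reset', function ($errors, $user) {
    if (!empty($_POST['pass1'])) {
        example_reject_weak_password($errors, wp_unslash($_POST['pass1']));
    }
}, 10, 2);

// WooCommerce "My account" registration form (field name "password").
add_action('woocommerce_register_post', function ($username, $email, $errors) {
    if (!empty($_POST['password'])) {
        example_reject_weak_password($errors, wp_unslash($_POST['password']));
    }
}, 10, 3);

// WooCommerce "Account details" form: the new password is posted as password_1.
add_action('woocommerce_save_account_details_errors', function ($errors, $user) {
    if (!empty($_POST['password_1'])) {
        example_reject_weak_password($errors, wp_unslash($_POST['password_1']));
    }
}, 10, 2);
```

The check has to live on the server: the JavaScript strength meter on the profile page can be bypassed by ticking "Confirm use of weak password", and a script posting straight to the form never sees it. When WooCommerce is set to generate passwords for new customers, the registration form posts no password and that hook simply does nothing.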
Opt for Secure Hosting
Well, your WooCommerce store is only as secure as the platform it is hosted on. You can spend thousands of dollars on security plugins, but if the hosting provider does not treat security as a first priority, all that hard work vanishes in a flash.
While choosing a hosting service provider, pay attention to choosing one which offers:
- Monitoring for and blocking of attacks
- Prompt security updates and patching of the server stack
- Current versions of the server software (web server, PHP, database)
- Round-the-clock technical support, in case something goes wrong
This is why we recommend Siteground for all web hosting services.
Encrypt Using SSL Certificates
Hackers have become skilled at building convincing 'fake' websites and apps, and the proven way to let a browser verify that it really is talking to your store, while keeping passwords and card details private on the wire, is TLS, enabled by installing an SSL/TLS certificate. A wildcard certificate secures an unlimited number of subdomains under one domain, which is convenient if your shop, blog and API live on separate hosts; free certificates from Let's Encrypt cover the same ground, wildcards included, if you can complete its DNS validation.
Vendors advertise features such as 256-bit encryption, 99.9% browser compatibility, unlimited server licences and unlimited re-issuance during the certificate's lifetime. Read those with care: the cipher strength is set by your server's TLS configuration, not by the certificate, and no certificate turns a website into an impenetrable vacuum. TLS protects data in transit only; it does nothing against a vulnerable plugin, a weak admin password or malware already on the server. A wildcard certificate's private key also covers every subdomain, so it has to be guarded on every host that holds a copy. Once the certificate is installed, set the WordPress Address and Site Address to https://, redirect plain-HTTP requests to HTTPS, and add define('FORCE_SSL_ADMIN', true); to wp-config.php so the login and admin screens are always served over TLS.
Schedule Regular Backups
The best way never to lose anything is to keep a copy of it somewhere an attacker who breaks into the web server cannot reach: backups stored off the server (or offline), taken on a schedule and restore-tested, because a backup you have never restored is a hope rather than a plan. Your data and your customers' data are of great interest to hackers, so encrypt the backup files and limit who can download them. One thing should never be in the database, or in the backups, at all: credit card numbers. Let your payment gateway handle and tokenise them, which also keeps most of the PCI DSS burden out of your store.
Keep Themes & Plugins Updated
According to this iThemes blog, more than 52% of WordPress site compromises come through vulnerabilities in plugins and a further 11% through themes. WooCommerce, like other well-maintained plugins, releases security patches that close such holes as they are found.
However, many store owners never apply them, leaving the holes open to attackers. Luckily, WordPress can install plugin and theme updates automatically in the background while the store keeps serving customers at full throttle. Two habits make this safer: keep the backups from the previous section current, since an update can occasionally break a theme or a payment extension, and delete plugins and themes you no longer use, because a deactivated plugin still leaves its code on disk where it can be reached directly.
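The background updater is part of WordPress itself; what follows is an added example (not code from this article or from WooCommerce) of a must-use plugin that switches it on for plugins and themes and shows how to hold back one plugin you would rather test by hand first. The plugin path in the hold-back list is a placeholder.

```php
<?php
/**
 * Plugin Name: Background updates (added example)
 * Save as wp-content/mu-plugins/background-updates.php.
 * WordPress already has an automatic updater, driven by WP-Cron; by default it
 * only installs minor core releases. These filters tell it to include plugins
 * and themes as well.
 */

// Let every plugin and theme update install automatically.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Hold back anything you prefer to stage first, for instance a payment gateway
// extension whose upgrade you want to try on a copy of the store. The path
// below is a placeholder; use the plugin's real "folder/main-file.php" path.
add_filter('auto_update_plugin', function ($update, $item) {
    $test_first = ['example-gateway/example-gateway.php'];
    if (isset($item->plugin) && in_array($item->plugin, $test_first, true)) {
        return false;
    }
    return $update;
}, 20, 2);

// Have WordPress email the site admin about applied and failed updates, so a
// broken checkout after an update is not a surprise.
add_filter('auto_plugin_update_send_email', '__return_true');
add_filter('auto_theme_update_send_email', '__return_true');
```

Core updates are controlled separately: define('WP_AUTO_UPDATE_CORE', true); in wp-config.php enables major as well as minor core releases, while define('DISALLOW_FILE_MODS', true); switches all automatic updates off, so check that it is not set. The updater only runs when WP-Cron fires, so on a low-traffic store trigger wp-cron.php from a real cron job rather than relying on visitors.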
Limit Failed Login Attempts
Hackers run brute-force attacks by bombarding the login page with guessed usernames and passwords. Remember why we asked you to change the default admin username? Limiting the number of failed login attempts is the natural companion to that: after a handful of failures from one client, lock that client out for a while, so an attacker cannot simply keep trying forever. To leave enough cushion for genuine mistakes, set the limit at 3 or 5 failures. Two things to check: the limit should key on the real client address, which behind a CDN or reverse proxy means reading the proxy's forwarding header rather than the connection's source address, otherwise one attacker can lock out every shopper at once; and it should also cover xmlrpc.php, which accepts logins too and whose system.multicall method lets an attacker test hundreds of passwords in a single request.
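As an added example (not code from this article, from WordPress or from WooCommerce), here is a small must-use plugin that implements the limit with WordPress transients: it counts failures per client IP, refuses authentication once the count reaches the limit, and clears the counter on a successful login. The limit, the lockout window and the example_ function names are choices made for this illustration; the hook names (wp_login_failed, authenticate, wp_login) are WordPress's own.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Save as wp-content/mu-plugins/login-limiter.php.
 * Locks out a client IP for a fixed window after too many failed logins.
 * Every login path (wp-login.php, the WooCommerce account form, XML-RPC and
 * the REST API's cookie authentication) goes through wp_authenticate(), so
 * one set of hooks covers all of them.
 */

const EXAMPLE_LOGIN_MAX_FAILURES    = 5;    // the article suggests 3 or 5
const EXAMPLE_LOGIN_LOCKOUT_SECONDS = 900;  // 15 minutes

/**
 * Client address used as the lockout key. This assumes the web server talks to
 * clients directly. Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's
 * address: read the real client IP from the header that proxy sets (and trust
 * it only from that proxy), or one attacker will lock out every shopper at once.
 */
function example_login_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_login_transient_key($ip) {
    return 'example_login_fail_' . md5($ip);
}

/** Number of failures recorded for $ip inside the current window. */
function example_login_failures($ip) {
    return (int) get_transient(example_login_transient_key($ip));
}

// Record each failure. The transient expiry doubles as the lockout window.
add_action('wp_login_failed', function ($username, $error = null) {
    // Do not count attempts that were rejected by the lockout itself, or the
    // window would never end for a locked-out user who keeps retrying.
    if ($error instanceof WP_Error && $error->get_error_code() === 'example_too_many_failures') {
        return;
    }
    $ip       = example_login_client_ip();
    $failures = example_login_failures($ip) + 1;
    set_transient(example_login_transient_key($ip), $failures, EXAMPLE_LOGIN_LOCKOUT_SECONDS);
    if ($failures === EXAMPLE_LOGIN_MAX_FAILURES) {
        // Goes to the PHP error log; a log collector can alert on it.
        error_log(sprintf('[login-limiter] %s locked out after %d failures (last username tried: %s)',
            $ip, $failures, $username));
    }
}, 10, 2);

// Refuse authentication while locked out. Priority 50 runs after WordPress's own
// username/password checks (priority 20), so a correct password cannot override the lockout.
add_filter('authenticate', function ($user, $username, $password) {
    if (example_login_failures(example_login_client_ip()) >= EXAMPLE_LOGIN_MAX_FAILURES) {
        return new WP_Error('example_too_many_failures',
            'Too many failed login attempts from your address. Please try again in 15 minutes.');
    }
    return $user;
}, 50, 3);

// A successful login ends the window for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_login_transient_key(example_login_client_ip()));
}, 10, 2);
```

Transients live in the options table, or in the object cache if one is installed, so the counter works on a single server and on a cluster that shares a cache. Because XML-RPC's system.multicall authenticates each inner call through the same path, a multicall carrying hundreds of password guesses trips the lockout at the fifth one. Per-IP counting is blind to an attacker who rotates through many addresses; that is what the hosting provider's monitoring and a web application firewall are for.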
Limit Trackbacks & Pingbacks
Trackbacks and pingbacks are an old blogging feature that lets another site notify yours when it links to you. Hackers thrive on them: the pingback method that WordPress exposes through xmlrpc.php can be told to fetch an arbitrary URL, and large numbers of WordPress sites have been used this way as reflectors in DDoS attacks. Link building still matters for your online presence, but it does not depend on accepting pings.
For a WooCommerce store, which is primarily an online shop, there is no reason to let other sites register link notifications against your pages, so you can safely switch trackbacks and pingbacks off. Since pingbacks arrive through xmlrpc.php, the blunt fix on Apache is to block that file in your .htaccess. Keep the rule inside a <Files xmlrpc.php> wrapper: a bare Deny from all would shut out the whole site.
# START XML RPC BLOCKING
<Files xmlrpc.php>
  Require all denied
</Files>
# FINISH XML RPC BLOCKING
The lines above are Apache 2.4 syntax; on Apache 2.2 put Order Deny,Allow and Deny from all inside the same wrapper, and on nginx the equivalent is a location = /xmlrpc.php { deny all; } block in the server configuration. Afterwards, request /xmlrpc.php in a browser or with curl and confirm you get a 403. Two caveats: blocking xmlrpc.php also cuts off Jetpack and the WordPress mobile apps, which use it; and trackbacks arrive through wp-trackback.php rather than XML-RPC, so also untick 'Allow link notifications from other blogs (pingbacks and trackbacks) on new posts' under Settings -> Discussion.
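The .htaccess rule only works on Apache and only protects the one file. As an added example (not the article's code and not part of WordPress or WooCommerce), the following must-use plugin does the same job inside WordPress, so it also works on nginx hosts, stops the site advertising the endpoint, and closes incoming pings for every post. The hook, header and method names are WordPress's own; the file name is a choice made here.

```php
<?php
/**
 * Plugin Name: Disable pingbacks, trackbacks and XML-RPC (added example)
 * Save as wp-content/mu-plugins/no-pingbacks.php.
 */

// Hard stop: xmlrpc.php defines XMLRPC_REQUEST before bootstrapping WordPress,
// and mu-plugins load during that bootstrap, so every XML-RPC call is refused
// here before any method is dispatched. Remove this block if you rely on
// Jetpack or the WordPress mobile apps, which still speak XML-RPC.
if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
    status_header(403);
    exit('XML-RPC is disabled on this site.');
}

// Defence in depth for sites that must keep XML-RPC open: drop the pingback
// methods so the site cannot be used as a pingback DDoS reflector. Note that
// the better-known xmlrpc_enabled filter does not achieve this on its own: it
// is only consulted for methods that require a login, and pingback.ping is
// an unauthenticated method.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: the X-Pingback header on every response and
// the RSD <link> in the page head both tell scanners where xmlrpc.php lives.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// Treat every post as closed to incoming pings (trackbacks via wp-trackback.php
// as well as pingbacks), regardless of the per-post "Allow pingbacks & trackbacks"
// checkbox; both wp-trackback.php and the pingback handler consult pings_open().
add_filter('pings_open', '__return_false');
```

After deploying either the .htaccess rule or this plugin, purge any page cache, then request /xmlrpc.php and confirm a 403, and check that a normal page's response headers no longer include X-Pingback.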
That brings us to the close of our tour of WooCommerce security weaknesses and how to fix them, so that you can sell happily without worrying.
Are there other methods that work best for you? Has your account been hacked before?
Let’s have your opinion in the comments section below.