As Featured In Fatstacks

WooCommerce Security Issues, Checklist, Plugins & Hosting

Published Categorised as Ecommerce Stores

This WooCommerce Security Guide for Store Owners NOT Tech Geeks is a Work In Progress – and probably always will be to a certain degree. Some topics are age old classics, meanwhile some WooCommerce and WordPress security topics and very transient.

This Security Guide for WooCommerce is therefore worth bookmarking for future as we’ll update with the latest information to keep your WooCommerce store, you, and your customer’s data safe.

If it’s Fraud Prevention for WooCommerce you’re looking for, you should checkout our WooCommerce Fraud Protection Guide including recommended WooCommerce Anti-fraud Plugins.

This security guide for WooCommerce will focus solely on protecting your WooCommerce site from Hackers, Bots and Malware to name a few.

WooCommerce Security Types

Preventative Measures

Preventing Security Breaches and keeping your site safe from hackers, bots and attacks.

Risk Mitigation Measures

Backups for restoration making it quick and easy to restore your WooCommerce store in a safe and secure manner.

Curative Measures

Cleaning up compromised WooCommerce websites.

WooCommerce Security Issues – The Different Types

Brute Force Attacks on WooCommerce

Brute force attacks focus their attention on the WordPress login page. Repeated attempts using different combinations of username and password may well be unsuccessful in terms of logging in but this additional load on your website’s servers can result in your website slowing or even crashing.

File Inclusion Exploits on WooCommerce

Coming soon

SQL Injections

Coming soon

Cross-Site Scripting (XSS)

Coming soon


Coming Soon

WooCommerce Web Application Firewalls (WAF) – How many Firewalls does WordPress need?!

Without going into the detail of exactly what is a Web Application Firewall, just trust me when I say it’s there to keep the bad guys out.

WooCommerce Security Plugin Firewalls

Most WordPress and WooCommerce Security Plugins claim to have firewall capabilities. This is the “last line of defence” type of Web Application Firewall (WAF).

In essence when using a WordPress or WooCommerce Security plugin to provide a firewall for your eCommerce store you’re still initialising WordPress BEFORE the Firewall kicks in. This means if you have any underlying vulnerabilities your WooCommerce store could be susceptible to penetration by hackers.

Security vulnerabilities could be in the form of outdated plugins, outdated WordPress core, or plugins that have had a recent vulnerability exploited that’s not yet patched. (This is also why a bunch of WooCommerce Security Plugins offer “vulnerability scanning” to try and help you identify these potential issues before they’re exploited).

So having a firewall generated by a WordPress Security Plugin on your WooCommerce store is great idea. But understand this is a last line of defence and not a complete WooCommerce security solution.

Who’s responsible for this WAF?


WooCommerce Hosting Firewalls

WooCommerce hosting providers have it in their interest to keep the bad guys out too (the hackers of course). The best WooCommerce Hosting Providers want to keep their clients safe and secure on their hosting servers, so they also typically have a WAF or Web Application Firewall that sits on the server and sites between your site and internet browsers.

This still means that hackers are hitting your server, or server cluster – but they’re at a bigger distance than if you were JUST relying on your WooCommerce Security Plugin’s self-hosted firewall.

This is where your hosting provider typically takes care of a lot of the sophistication.

Even the above simplified explanation of how this works isn’t entirely technically accurate. But this Security Guide for WooCommerce isn’t written for the guys manging WAFs it’s written for store owners. So the principles above are good enough to work with.

You’ve now got 2 firewalls, and the second has put a nice big fence around your property – but the hackers still know where you live!

Who’s responsible for this WAF?


Online Web Application Firewalls

So again, if you’re a geeky tech gal please don’t think badly of me – I’m making this WooCommerce Security Guide store owner friendly!

This level of Web Application Firewall puts a big distance between your WooCommerce store and the hacker.

In essence the hacker is hitting a completely different web space location to where your site is hosted – the hacker no-longer knows where you live!

This concept might not be unfamiliar to you – having your data distributed and served from multiple locations whilst your website sits on a server somewhere remote from the end user.

I am of course talking about a CDN or Content Delivery Network.

In a lot of cases you’ll see CDNs go hand in hand with WAFs.

This is because essentially the infrastructure for a CDN is highly aligned with Online Web Application Firewalls.

A widely used example would be CloudFlare CDN which has both a free and a paid version.

With a paid upgrade you can get access to a bunch of additional features including a Web Application Firewall that sits separate from your WooCommerce store AND your Hosting Servers.

There are a bunch of other services that CloudFlare offer that once again are facilitated by the fact they have a network of essentially data hubs distributed across the globe.

They have a specific offering also related to DDoS attacks. Also known as Distributed Denial of Service attacks.

If you’ve seen Disney’s ‘Ralph Breaks The Internet’ the attack by the “Ralph Clones” towards the end of the Movie is what I’m talking about here where essentially your site gets swamped in an attempt to prevent anyone else from accessing it.

This is somewhat related to Web Application Firewalls – but a different topic so I thought I’d just highlight there’s a difference between WAF and DDoS protection. CloudFlare offer both DDoS Protection and Web Application Firewalls.

WooCommerce captcha & reCaptcha for WooCommerce

We’re all familiar with the Google Powered Captcha or reCaptcha, and the irony that a bot has been designed to verify our humanity isn’t lost on us!

Whether it’s attacks on Contact forms, or WooCommerce Checkout Pages, Captcha’s and reCaptcha’s are an established way to secure your forms from Bot traffic at zero cost (1,000,000 entries a month before you need a paid option).

WooCommerce doesn’t come with Captcha or reCaptcha built in. Some of the reasoning behind this may be because actually the integration of the reCaptcha can be taken of by Themes, plugins and page builders.

For example the Divi Theme (our recommendation) Contact form module has the built in ability to enter keys for a reCaptcha.

This still leaves a gap on the Checkout Form, but this gap we believe is likely to be filled by the roll out of the customisable cart and checkout page designs using the Gutenberg builder. This is currently available for testing as part of the WooCommerce Blocks Extension.

So right now, you’re left with a few options for reCaptcha on WooCommerce.

The paid option at $29 per year from the WooCommerce Extensions Marketplace is likely to give you the least hassle in terms of plugin clashes and poorly configured integrations.

There are a bunch of other options, but they’re more generally developed for WordPress as opposed to specifically to meet the needs of WooCommerce which are slightly nuanced.

There are tonnes of plugins in the WordPress plugin repository with the tag “recaptcha” – see them here.

Notable captcha and reCaptcha plugins for WooCommerce that also operate a Freemium model:

WooCommerce Security Plugins – Essential Functionality

Web Application Firewalls (hosted on your WordPress installation)

We can safely put Web Application Firewalls on this list – even if they’re hosted on your WordPress website as a last line of defence, I’m sure you’d rather not leave the door wide open.

captcha & reCaptcha Form & Checkout Protection for WooCommerce

This isn’t something that comes as part of the typical security plugin feature set, but still forms a part of your battle against the bots. We therefore list this one out as an essential part of the WooCommerce security checklist that you’ll probably need a dedicated plugin to implement.

WooCommerce Security Plugins Reviewed & Compared

Coming Soon

WooCommerce Backup Plugins Reviewed & Compared

Coming Soon

You may have searched for:

WooCommerce vulnerability scanner

WooCommerce security updates

WooCommerce security services

WooCommerce security service

WooCommerce security scan

WooCommerce security plugins

WooCommerce security issues

WooCommerce security expert

WooCommerce security checklist

WooCommerce secure login

WooCommerce secret key

best WooCommerce security plugins

best WooCommerce security plugin

By Ashley Pearce

I'm the founder of Future State Media, a "small-on-purpose" creator-focused SEO agency skilled in helping creators systematically generate traffic, build audiences and maximise their monetisation whilst staying true to their brand.