A Guide to Woocommerce Security


Owning and/or managing an ecommerce website can sometimes be overwhelming.  Far too often I am asked to review a Woocommerce website for marketing or development work and I then immediately realize that the store is insecure and contains possibly serious security issues.  This puts a massive amount of liability on the owner of the website, but little to no liability on past developers or designers.  Many of these cases of insecurity is simply a business owner developing their own ecommerce website, or developers who simply don’t understand the requirements of a properly secured woocommerce store.  Proper Woocommerce security simply cannot be overlooked for the long term protection of your investment.

Call KickinKnowledge at 415-237-3932 to schedule a free security review of your website.

The first sign of an insecure woocommerce website is the absence of a padlock in your browser address bar and no https before the website address.  If you enter your credit card data on a page that is insecure, you are putting yourself at risk for man-in-the-middle attacks and eavesdropping of your confidential data.  Woocommerce is supposed to secure your checkout when you enable “Force secure checkout” checkbox in the Settings.  This requires the purchase of a SSL certificate from a certified vender like Verisign, Thawte, Comodo, or Godaddy.  The payment gateway which you use for Woocommerce will alert you in the documentation if a SSL certificate is required, and generally any of the “on-site” payment gateways like Authorize.net will require an SSL for payment.  So if you don’t have an SSL , I recommend Thawte, as they have fair pricing and a number of different coverage levels depending on your ecommerce store variables (the extenteded validation SSL certificates are awesome, as they allow for the long green security validation bar for extra security comfort in certain browsers)  Unfortunately, even with Woocommerce setup for secure checkout, and an SSL certificate installed on your server, that doesn’t always cover some parts of the website generated via plugins and also certain themes.  You may still be stuck with no padlock, and insecure data warnings.


Enable HTTPS in Woocommerce

Enable HTTPS in Woocommerce


Fortunately, their are a number of ways to diagnose the insecure checkout problems with Woocommerce websites.  Here are the steps I use to assess security with Woocommerce:

1) Have you confirmed that the server has a dedicated SSL certificate installed correctly (check with your host if you’re not sure)

2) Have you forced secure checkout in Woocommerce Settings (as described and pictured above)

3) Have verified a secure padlock showing in Google Chrome and Firefox?

IF # 3 is not showing,  I use the WordPress HTTPS plugin

If that plugin does not solve your padlock issues, then you will want to run your checkout url through www.whynopadlock.com – or, you may use Google Chrome – Right click on the Checkout page, choose Inspect Element, and you should see all the insecure content warnings in the Console.  An alternative is to use Mozilla Firefox and the Firebug/Web Developers tool browser plugin.  Usually it is caused by images loaded via theme options with http:// instead of https:// in the url (a quick and easy fix) or third party integrations (social plugins)  Sometimes you have to use a plugin like Widget Logic to make sure that insecure content is not loaded on your Checkout page.  As a “side” note, if sidebar widgets are causing the problem, you should probably switch to a full page (no sidebar) page template anyways.  This thought behind this conversion element is that less distractions from the actual checkout process leads to more conversions.  Also notice in the image below from a previous ecommerce client, that there is an visual accreditation of the Geotrust SSL and the Authorize.net SSL badge.  These are also great for improving conversion.


secured woocommerce checkout verified in google chrome

Secured Woocommerce Checkout Verified in Google Chrome


What are some other recommendations for keeping Woocommerce secure?

1) I always use the Limit Login Attempts plugin Wordfence to protect against brute force password attacks, and a variety of other security issues.

2) Use a reputable host like Hostgator, Bluehost, Rackspace, etc.

3) Updates!  Always keep WordPress, themes, and plugins updated to the latest version.

4) Have a backup and recovery plan for a quick comeback if a security breach or malicious code insertion is detected.

5) Preferably use SFTP or SSH when accessing your server files.

6) Advanced: Ensure that your MySQL database has a secure passwords and do not share access with anyone.  At Kickin Knowledge we also like to change the WordPress database table prefix to something other than wp_, for an extra layer of obscurity.

7) Keep a policy of having extremely secure and unique passwords for your hosting account and your wordpress administration login.  Use numbers, letters, special characters, and a minimum of 14 characters.

8) Limit your use of plugins, as the more plugins, the more possible security holes and usually slower website.

9) Buy a premium and consistently updated woocommerce theme from a reputable developer like woothemes or themeforest.

10) Advanced: Edit your htaccess to protect against sql injections. If you are not comfortable with the htaccess file and all of its functions, it is best you read to understand these items first, as you can do some serious damage to your website (although all are reversible if you have backups) If you use Yoast SEO for your Woocommerce seo, then you can access the htaccess file from there!  Remember to backup your original first before adding any of the code snippets below –

Add this snippet first

[box] ## Include this at the start of your .htaccess file ## Options +FollowSymlinks RewriteEngine On[/box]

SQL injection block for WordPress htaccess

[box] ## SQL Injection Block ## RewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ – [F,L] RewriteCond %{QUERY_STRING} ../ [NC,OR] RewriteCond %{QUERY_STRING} boot.ini [NC,OR] RewriteCond %{QUERY_STRING} tag= [NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http: [NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} (|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR] RewriteCond %{QUERY_STRING} ^.*([|]|(|)||ê|”|;|?|*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(“|’|<|>||{||).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ – [F,L] [/box]

Hide your server signature

[box] ## Disable the Server Signature ## ServerSignature Off[/box]

Block All Access to Specific Security Sensitive WordPress files

[box] ## Block Sensitive Files ## Options All -Indexes Order allow,deny Deny from all Order allow,deny Deny from all Order allow,deny Deny from all Order allow,deny Deny from all Order allow,deny Deny from all Order allow,deny Deny from all Order allow,deny Deny from all Order allow,deny Deny from all [/box]

I know, it’s a lot of stuff to work through.  Once these security changes are implemented, you can concentrate more on the items that will bring you ROI, like search engine optimization and paid advertising.  You do not want to deal with Google unranking your website if you get hacked with malicious code, or even worse, compromising a customers private credit card data through your Woocommerce checkout.  When in doubt, or if you have any questions, contact Kickin Knowledge or another experienced Woocommerce security expert and have them audit your website.  We also have a great blog post for finding help with Woocommerce. Call me, Justin, the author of this article at 415-237-3932 to schedule a free security review of your ecommerce store.

About the Author:

Justin Murray is CEO of KickinKnowledge, Web Developer, Designer, Marketing Jack of all Trades. Specializing in SEO Consulting and Ecommerce Consulting.

Leave A Comment