A Guide to Woocommerce Security

Published on:
December 2, 2013

 

Owning and/or managing an ecommerce website can sometimes be overwhelming.  Far too often I am asked to review a Woocommerce website for marketing or development work, and I immediately realize that the store is insecure and may contain serious security issues.  This puts a massive amount of liability on the owner of the website, but little to no liability on past developers or designers.  Many of these cases of insecurity are simply a business owner developing their own ecommerce website, or developers who do not understand the requirements of a properly secured Woocommerce store.  Proper Woocommerce security cannot be overlooked if you want long-term protection of your investment.

Call KickinKnowledge at 415-237-3932 to schedule a free security review of your website.

The first sign of an insecure Woocommerce website is the absence of a padlock in your browser address bar and no https before the website address.  If you enter your credit card data on a page that is insecure, you are putting yourself at risk of man-in-the-middle attacks and eavesdropping on your confidential data.  Woocommerce is supposed to secure your checkout when you enable the "Force secure checkout" checkbox in the Settings.  This requires the purchase of an SSL certificate from a certified vendor like Verisign, Thawte, Comodo, or GoDaddy.  The payment gateway you use with Woocommerce will tell you in its documentation whether an SSL certificate is required, and generally any of the "on-site" payment gateways like Authorize.net will require SSL for payment.  So if you don't have an SSL certificate, I recommend Thawte, as they have fair pricing and a number of different coverage levels depending on your ecommerce store variables (the extended validation SSL certificates are awesome, as they allow for the long green security validation bar for extra security comfort in certain browsers).  Unfortunately, even with Woocommerce set up for secure checkout and an SSL certificate installed on your server, that doesn't always cover some parts of the website generated by plugins and certain themes.  You may still be stuck with no padlock and insecure content warnings.

 

Enable HTTPS in Woocommerce
 

Fortunately, there are a number of ways to diagnose insecure checkout problems with Woocommerce websites.  Here are the steps I use to assess security with Woocommerce:

1) Have you confirmed that the server has a dedicated SSL certificate installed correctly? (Check with your host if you're not sure.)

2) Have you forced secure checkout in the Woocommerce Settings (as described and pictured above)?

3) Have you verified that a secure padlock shows in Google Chrome and Firefox?

If the padlock in step 3 is not showing, I use the WordPress HTTPS plugin.

If that plugin does not solve your padlock issues, then you will want to run your checkout URL through www.whynopadlock.com.  Or, you may use Google Chrome: right-click on the Checkout page, choose Inspect Element, and you should see all the insecure content warnings in the Console.  An alternative is to use Mozilla Firefox with the Firebug or Web Developer browser plugin.  Usually the problem is caused by images loaded via theme options with http:// instead of https:// in the URL (a quick and easy fix) or by third-party integrations (social plugins).  Sometimes you have to use a plugin like Widget Logic to make sure that insecure content is not loaded on your Checkout page.  As a side note, if sidebar widgets are causing the problem, you should probably switch to a full-width (no sidebar) page template anyway.  The thinking behind this conversion element is that fewer distractions from the actual checkout process lead to more conversions.  Also notice in the image below, from a previous ecommerce client, that there is a visual accreditation of the GeoTrust SSL and the Authorize.net SSL badge.  These are also great for improving conversion.
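A quick way to find the insecure resources the Console is reporting is to scan the checkout page's HTML yourself.  The script below is an added example, not code from the original post or from the WordPress HTTPS plugin; the sample page in it is constructed, and the shop.example, cdn.example and widgets.example hostnames are placeholders.

```python
# Added example, not code from the original post: scan a checkout page's HTML
# for sub-resources requested over plain http://. Those are the "insecure
# content" entries the browser console reports; any one of them loses the padlock.
from html.parser import HTMLParser

# Attributes that trigger a fetch when present on these tags.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []  # (tag, url) pairs loaded over http://

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon", "preload"}:
                return  # canonical/alternate links are never fetched
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value])
            for url in urls:
                if url.strip().lower().startswith("http:"):
                    self.insecure.append((tag, url))

def find_mixed_content(html):
    """Return [(tag, url), ...] for every sub-resource fetched over http://."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

# Constructed sample checkout page, not captured from a real store.
SAMPLE_CHECKOUT = """<html><head>
<link rel="stylesheet" href="https://shop.example/wp-content/themes/t/style.css">
<link rel="canonical" href="http://shop.example/checkout/">
<script src="http://shop.example/wp-content/plugins/social/share.js"></script>
</head><body><img src="http://shop.example/wp-content/uploads/logo.png">
<img src="//cdn.example/badge.png"><img src="/wp-content/uploads/seal.png">
<iframe src="https://widgets.example/trust-seal"></iframe></body></html>"""
```

Feed it the saved HTML of your own checkout page (for example with `find_mixed_content(open("checkout.html").read())`) and fix every URL it lists by switching it to https:// or a protocol-relative `//` path.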

 

Secured Woocommerce Checkout Verified in Google Chrome

 

What are some other recommendations for keeping Woocommerce secure?

1) I always use the Limit Login Attempts plugin, or Wordfence, to protect against brute-force password attacks and a variety of other security issues.

2) Use a reputable host like Hostgator, Bluehost, Rackspace, etc.

3) Updates!  Always keep WordPress, themes, and plugins updated to the latest version.

4) Have a backup and recovery plan for a quick comeback if a security breach or malicious code insertion is detected.

5) Preferably use SFTP or SSH when accessing your server files.

6) Advanced: Ensure that your MySQL database has a secure password and do not share access with anyone.  At Kickin Knowledge we also like to change the WordPress database table prefix to something other than wp_, for an extra layer of obscurity.

7) Keep a policy of extremely secure and unique passwords for your hosting account and your WordPress administration login.  Use numbers, letters, special characters, and a minimum of 14 characters.

8) Limit your use of plugins: the more plugins you run, the more possible security holes, and usually the slower the website.

9) Buy a premium and consistently updated Woocommerce theme from a reputable developer like WooThemes or ThemeForest.

10) Advanced: Edit your .htaccess file to protect against SQL injection.  If you are not comfortable with the .htaccess file and all of its functions, it is best to read up on these directives first, as you can do serious damage to your website (although all of it is reversible if you have backups).  If you use Yoast SEO for your Woocommerce SEO, then you can access the .htaccess file from there!  Remember to back up your original before adding any of the code snippets below.

Add this snippet first

```apache
## Include this at the start of your .htaccess file ##
Options +FollowSymLinks
RewriteEngine On
```

SQL injection block for WordPress htaccess

```apache
## SQL Injection Block ##
# Backslash escapes and the angle brackets in three patterns did not survive on
# this page (HTML extraction removed them); they are restored below and the
# reconstructed patterns are marked. Every condition is a substring blocklist,
# so read the notes before enabling it on a live store.
RewriteBase /
# HEAD is included here, so uptime monitors that use HEAD requests get 403 too.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# Any one of the following matches, for a visitor without a WordPress
# login cookie, returns 403 Forbidden.
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
# "tag=" also matches WordPress's own ?tag=... archive URLs.
RewriteCond %{QUERY_STRING} tag= [NC,OR]
# These three also block legitimate redirect_to=https://... parameters.
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
# Reconstructed: the page shows only "(|%3E)", which would match everything.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# Reconstructed: the "<|>" alternatives were stripped from the page's copy.
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
# Reconstructed: the page shows ("|'|<|>||{||), whose empty alternatives
# would match every query string.
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
# %A-%F also match any UTF-8 percent-encoded character, e.g. caf%C3%A9.
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
# Plain-word matches: a product search for "select a size" is blocked too.
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
```
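Because every condition in the SQL injection block above is a substring match, it is worth replaying it against the query strings a store actually receives before enabling it.  The script below is an added example, not code from the original post; it re-writes the page's conditions as Python regexes (the page's patterns are written for Apache's PCRE engine, and these simple ones behave the same), and the sample query strings and the shop.example hostname are constructed.

```python
# Added example, not code from the original post: replay the query-string
# conditions of the .htaccess "SQL Injection Block" against sample query
# strings to see which ordinary store requests it would also reject.
import re

# (label, pattern) in the order the .htaccess block lists them; Apache's
# [NC] flag corresponds to re.IGNORECASE below.
QUERY_STRING_RULES = [
    ("path traversal", r"\.\./"),
    ("boot.ini", r"boot\.ini"),
    ("tag=", r"tag="),
    ("URL scheme", r"(ftp|http|https):"),
    ("script tag", r"(<|%3C).*script.*(>|%3E)"),
    ("mosConfig", r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)"),
    ("base64_encode()", r"base64_encode.*\(.*\)"),
    ("special characters", r"(\[|\]|\(|\)|<|>|ê|\"|;|\?|\*|=$)"),
    ("quotes and pipes", r"(\"|'|<|>|\||\{)"),
    ("%24&x", r"%24&x"),
    ("percent-encoded bytes", r"(%0|%A|%B|%C|%D|%E|%F|127\.0)"),
    ("globals/encode/localhost", r"(globals|encode|localhost|loopback)"),
    ("SQL keywords", r"(request|select|insert|union|declare)"),
]

def blocking_rules(query_string):
    """Labels of the conditions that would 403 this query string for a
    visitor without a wordpress_logged_in_ cookie (empty list = allowed)."""
    return [label for label, pattern in QUERY_STRING_RULES
            if re.search(pattern, query_string, re.IGNORECASE)]

# Constructed samples: the first is the kind of string the block targets,
# the rest are ordinary requests a WooCommerce store sees every day.
SAMPLES = [
    "id=1 union select 1,2,3",
    "add-to-cart=42&quantity=2",
    "tag=summer-sale",
    "s=select a size",
    "q=caf%C3%A9",
    "redirect_to=https://shop.example/my-account/",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        hits = blocking_rules(qs)
        print(f"{'403' if hits else '200'}  {qs!r}  {hits}")
```

Only the add-to-cart request passes; the tag archive, the product search, the accented search term and the login redirect are all rejected, so drop or tighten those conditions before relying on the block.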

Hide your server signature

```apache
## Disable the Server Signature ##
# Removes the Apache version line from server-generated error pages.
ServerSignature Off
```

Block All Access to Specific Security Sensitive WordPress files

```apache
## Block Sensitive Files ##
# Turn off directory listings everywhere.
Options All -Indexes
# The original snippet repeats the block below once for each of eight
# security-sensitive WordPress files, but the file names inside the
# <Files ...> containers did not survive on this page, so FILENAME is a
# placeholder to replace with each file you want to protect. Without the
# <Files> container, "Deny from all" would lock out the whole directory.
# Order/Deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied".
<Files FILENAME>
    Order allow,deny
    Deny from all
</Files>
```

I know, it's a lot of stuff to work through.  Once these security changes are implemented, you can concentrate more on the items that will bring you ROI, like search engine optimization and paid advertising.  You do not want to deal with Google dropping your website from its rankings if you get hacked with malicious code, or even worse, compromising a customer's private credit card data through your Woocommerce checkout.  When in doubt, or if you have any questions, contact Kickin Knowledge or another experienced Woocommerce security expert and have them audit your website.  We also have a great blog post on finding help with Woocommerce.  Call me, Justin, the author of this article, at 415-237-3932 to schedule a free security review of your ecommerce store.


About the Author:
Justin Murray

Justin Murray is the owner and operator of Kickin Knowledge, a San Diego web design, development, and marketing company. With over 8 years of online marketing and website experience, Justin has a passion for building and promoting businesses on the internet. Justin studied Computer Science at Coleman University, with a concentration in Computer Networking, where he achieved certifications in A+ Computer Repair, as well as CompTIA certifications in Computer Security and Networking.  Considered a "jack of all trades" when it comes to websites, Justin brings experience and dedication to Kickin Knowledge. Kickin Knowledge proudly specializes in WordPress, Woocommerce, E-commerce, SEO, and PPC (pay-per-click, like Google AdWords) marketing services.
