Do You Believe These Common WooCommerce Security Myths?


Last updated - August 18, 2022

WooCommerce has hundreds of thousands of users because it is the simplest way to build an eCommerce store with WordPress, a CMS that millions of people are familiar with. In any community of that size, there is a wide range of expertise and experience, not to mention plenty of myths and misunderstandings.

In this article, I’m going to take a look at a few of the security-related myths I’ve come across in discussions with WooCommerce retailers.

Your Web Hosting Provider Is Responsible for WooCommerce Security

There is a kernel of truth to this myth: WooCommerce hosting providers should take care of data center, network, and server security. They should update server software, including the operating system. They should make sure that their servers don’t run vulnerable software. However, there is a limit to what a hosting provider can do to keep a WooCommerce store secure.

There is nothing a hosting provider can do if a WooCommerce store owner installs a plugin or theme that contains malware; forgets to update WordPress, WooCommerce, and other plugins and themes; or uses an easily guessed password with the default admin account.

The hosting provider and the store owner share the responsibility for WooCommerce security. A store can be made vulnerable through lapses by either side of the hosting partnership.

Your Store Isn’t Important Enough to Be Hacked

The false assumption underlying this myth is that criminals only target stores with tens of thousands of customers. It seems plausible because big stores are more valuable targets: they have more resources, more personal data to exploit, more visitors to infect with malware, and more credit card numbers to steal.

But, in reality, even a small store is useful to criminals. The cost of compromising a vulnerable WooCommerce store – or any web application – is tiny. Most stores are compromised by automated bots using known vulnerabilities and obvious weaknesses. The bots scan thousands of stores, and they don’t care whether a store has ten or ten thousand visitors in a day – both will be compromised and exploited if they aren’t adequately secured.

Large stores are worth more to criminals, and they may give them attention that they don’t give to smaller stores, but a web application with a security vulnerability will be compromised eventually, regardless of its size.

It’s OK to Share WordPress Passwords


Retailers may need to give developers, designers, or other employees admin access to their WooCommerce store from time to time. There are two ways to do this:

  1. Give them the username and password of an existing admin account, one that is used by the store owner or another trusted individual.
  2. Create a new admin account to be used only by the professional.

The first of these is more convenient in the short term, but it has significant implications for the security of the site. At some point, it will be necessary to withdraw the access that has been granted, which is more difficult if multiple users share the same password. In reality, shared accounts are rarely deleted, and shared passwords are rarely changed. It is not unusual for businesses to be hacked by disgruntled ex-employees using old passwords that were never changed.

When every user – whether an admin user or not – has their own account, each can be given just the access they need, and that access can later be withdrawn without inconvenience.

WordPress Themes Aren’t a Security Risk


WordPress themes change the appearance of a WordPress store, but their influence goes deeper than superficial design changes. A WordPress theme is no less a piece of software than a plugin; an insecure theme is as risky as an insecure plugin. For the most part, themes downloaded from the official repositories and theme developer websites are secure if kept up-to-date. Themes sourced from elsewhere are more of a risk.

This myth bites particularly hard for WooCommerce retailers who install nulled (pirate) premium themes. It is a favorite tactic of criminals to inject malware into nulled themes. When unsuspecting WooCommerce store owners install a theme, they also install a backdoor that gives the criminal total access to the site.

A Firewall Will Keep Your WooCommerce Store Safe

There are several different types of firewalls, and they work to repel distinct categories of attack. The firewall provided by a WooCommerce hosting provider works at the network layer (also called Layer 3). It can stop traffic directed at particular ports or from specific IP addresses. It can’t stop malicious attacks that aim to exploit flaws in the web application itself; to a Layer 3 firewall, these look like legitimate web requests for port 80.

A Layer 7 (application layer) firewall is needed to catch attacks such as SQL injection attacks, cross-site scripting attacks, and attacks that aim to exploit software flaws in WordPress, WooCommerce, or plugins. Also known as web application firewalls (WAFs), they are an invaluable layer of defense. 

The best WooCommerce hosting providers offer built-in WAF functionality, but WooCommerce retailers can install a WAF via the Sucuri or WordFence plugins.
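To make the Layer 3 versus Layer 7 distinction concrete, here is an added example (not code from the article, Sucuri or WordFence) in which both filters examine the same constructed sample traffic: the network filter sees only source address and destination port, so the two application-layer requests look like ordinary port-80 traffic to it, while the minimal WAF-style rules inspect the decoded query string. The signatures are illustrative, not a production rule set.

```python
"""Why a Layer 3 firewall cannot see an application-layer attack (constructed demo)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample traffic: (source IP, destination port, raw request line).
SAMPLE_TRAFFIC = [
    ("203.0.113.7", 80, "GET /shop/?s=blue+shoes HTTP/1.1"),
    ("203.0.113.7", 80, "GET /shop/?s=%27+UNION+SELECT+1,2,3-- HTTP/1.1"),
    ("198.51.100.9", 80, "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"),
    ("192.0.2.1", 22, "SSH-2.0-client"),
]

BLOCKED_SOURCES = {"192.0.2.1"}  # a Layer 3 rule: drop by source address
ALLOWED_PORTS = {80, 443}        # a Layer 3 rule: drop by destination port

# Minimal Layer 7 signatures, applied to the URL-decoded query string.
L7_RULES = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+1=1", re.IGNORECASE),
    "xss": re.compile(r"<script\b", re.IGNORECASE),
}


def layer3_decision(src_ip, dst_port):
    """Network-firewall view: addresses and ports only, never the payload."""
    if src_ip in BLOCKED_SOURCES or dst_port not in ALLOWED_PORTS:
        return "drop"
    return "allow"


def layer7_decision(request_line):
    """WAF view: parse the HTTP request target and match application rules."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "not-http"
    query = unquote_plus(urlsplit(parts[1]).query)
    for name, pattern in L7_RULES.items():
        if pattern.search(query):
            return f"block:{name}"
    return "allow"


def classify(traffic):
    """Return [(Layer 3 verdict, Layer 7 verdict)] for each sample, in order."""
    return [(layer3_decision(ip, port), layer7_decision(line)) for ip, port, line in traffic]


if __name__ == "__main__":
    for (ip, port, line), verdicts in zip(SAMPLE_TRAFFIC, classify(SAMPLE_TRAFFIC)):
        print(f"{ip}:{port} {line!r} -> L3={verdicts[0]} L7={verdicts[1]}")
```

Both injection-style requests come back as "allow" from the Layer 3 check and are only flagged by the Layer 7 rules, which is exactly the gap a WAF fills.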


Updating Plugins Is Enough to Keep Your Site Safe

Can a WooCommerce store be hacked because of a plugin vulnerability when all of its plugins are up-to-date? Yes, it can. There may be zero-day vulnerabilities in plugins; that is, vulnerabilities that haven’t been patched because the developer doesn’t know about them. There isn’t a lot a WooCommerce store owner can do about that. But there is another source of risk for up-to-date stores.

It’s a mistake to assume that because you are diligent about updating plugins, the same is true of plugin developers. A WooCommerce store owner may religiously update their plugins, but what if the developer stopped releasing updates 18 months ago? There may be a vulnerability that will never be fixed by the developer, and the store owner who focuses solely on update notifications will be none the wiser.

In addition to updating plugins, WooCommerce retailers should check how recently plugin developers released an update. A plugin that hasn’t been updated for months is not necessarily insecure, but it warrants a degree of suspicion. 

It’s a good idea to make sure that the plugin hasn’t been abandoned and that the developer has plans to release an updated version at some point. If you can’t verify that a plugin is getting attention from its developer, consider seeking an alternative.
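One way to automate the "when did the developer last ship?" check described above, as an added example rather than code from the article: it reads the public WordPress.org plugin-info API (https://api.wordpress.org/plugins/info/1.0/<slug>.json), whose last_updated field looks like "2022-08-16 2:15pm GMT", and flags any plugin whose last release is older than a threshold. The sample data is constructed so the check runs offline, and "old-shipping-helper" is a hypothetical slug.

```python
"""Flag plugins whose developer appears to have stopped releasing updates."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

PLUGIN_INFO_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"
ARTICLE_DATE = datetime(2022, 8, 18, tzinfo=timezone.utc)  # reference "now" for the demo

# Constructed sample responses shaped like the real API; the second slug is hypothetical.
SAMPLE_INFO = {
    "woocommerce": {"last_updated": "2022-08-16 2:15pm GMT"},
    "old-shipping-helper": {"last_updated": "2021-02-03 9:07am GMT"},
}


def parse_last_updated(value):
    """Turn the API's 'YYYY-MM-DD H:MMam GMT' string into a UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def fetch_plugin_info(slug, timeout=10):
    """Live lookup for one slug (needs network access; not used by the offline demo)."""
    with urllib.request.urlopen(PLUGIN_INFO_URL.format(slug=slug), timeout=timeout) as resp:
        return json.load(resp)


def stale_plugins(info_by_slug, now, max_age_days=180):
    """Return {slug: days since the developer's last release} for plugins older
    than max_age_days. Being up to date on your side says nothing about whether
    the developer is still maintaining the plugin."""
    stale = {}
    for slug, info in info_by_slug.items():
        age = now - parse_last_updated(info["last_updated"])
        if age > timedelta(days=max_age_days):
            stale[slug] = age.days
    return stale


if __name__ == "__main__":
    for slug, days in stale_plugins(SAMPLE_INFO, ARTICLE_DATE).items():
        print(f"{slug}: last release {days} days ago; confirm it is still maintained")
```

For a live run, build the dictionary from fetch_plugin_info() for each slug in your wp-content/plugins directory and pass datetime.now(timezone.utc) as now.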

It’s important to keep your WooCommerce store safe

WooCommerce is a powerful and easy-to-use eCommerce solution, and it’s just as secure as any other CMS or eCommerce application. But, to keep it safe, retailers need to understand at least the basics of web application security. Hopefully, this article has overturned some misconceptions about WooCommerce security and will help retailers keep their store and their customers safe.
