3 Common WooCommerce Store Security Flaws (And How To Fix Them)

Last updated - October 6, 2022

Though it offers an impressive degree of accessibility, ecommerce isn’t an easy field to succeed in. The level of competition on the market is such that all ambitious sellers must persist in improving their stores or be readily outperformed by their various rivals. Making a store great requires the ticking of numerous boxes, naturally: everything from technical SEO to on-page copy demands painstaking attention. One factor often gets overlooked, though: cybersecurity.

It’s easy to understand why this is the case. Major security issues are reasonably uncommon, and the average small-scale merchant might never encounter one, leading them to assume that investing in the field is a waste of time and money. But the more you aim to achieve, the more is on the line, and the more you endanger your brand by failing to make cybersecurity a priority.

WooCommerce, running of course on the hyper-popular WordPress CMS, is among the most reliable ecommerce platforms in the world. It’s used and recommended by businesses both big and small, offers a potent mix of power, flexibility, and ease of use, and features and robust design. But no platform is perfect, and WooCommerce is no exception.

In this post, we’re going to look at three of the most common security flaws affecting WooCommerce stores. In doing so, we’ll explain how you address and resolve them, making your WooCommerce store as tough as it can be. Let’s get started.

Weakness to repeated login attempts

A recurring issue with online systems of all kinds is apathy concerning the strength of login details. People know they’re supposed to set strong passwords, change them semi-frequently, and even throw in multi-factor authentication (a good idea for battling fraud), but they reason that they don’t need to because they’re not going to be subject to hack attempts. So when those attempts arrive (and they’re more frequent than many assume), they lead to major problems.

But the weakness of WooCommerce in this area doesn’t concern inadequate login details: that’s a generic issue, after all. Instead, it concerns the prospect of repeated login attempts, however unsuccessful. The default address of the admin panel is open to anyone, meaning that someone who wants to try a brute-force hack of the system can simply throw login attempts at it in the thousands using a bot network. Even if that doesn’t get anywhere, the hosting will struggle to properly address the login attempts, leading to massive slowdown.

Now, you can certainly set up a system to block particular IP addresses that have been associated with brute-force attacks, but hackers today will use essentially-unlimited proxies to make this all but ineffective (if you’re unsure how a proxy works, here’s a simple explanation). So what’s the solution? In the end, it comes down to setting sensible rules.

WordPress (and WooCommerce by extension) can draw upon plenty of strong security plugins such as Wordfence Security (see above), most of which allow the definition of traffic rules. If an unfamiliar address attempts more than a couple of login attempts within a certain period, it can be blacklisted until the user behind it (if there is a user behind it) gets in touch to request approval. This is the best way to keep your store accessible without leaving it weak to attacks.

Conflicting or vulnerable plugins

The more you want your store to do, the more plugins you can consider installing. In most cases, this doesn’t lead to any issues aside from general slowdown resulting from so many things needing to load and work at the same time. In some cases, though, you can have several plugins trying to access and modify the same files, leading to unexpected results.

You might notice key functions failing, elements not loading, or entire pages going down. And if any of the conflicting plugins have roles pertaining to security, your site can be left in a much more vulnerable state. To avoid plugin conflicts, you must read descriptions very carefully (looking out for known conflicts), refrain from installing multiple plugins of a given type (don’t install two email marketing services, for instance), and consider solving the plugin problem with another plugin if necessary (yes, there’s a plugin for identifying conflicts — see below).

That isn’t the only issue stemming from plugins, however. Even if you have zero conflicts among them, any plugin you use can be inherently vulnerable — and when you allow a vulnerable plugin access to the back end of your system, you render the entire system vulnerable. This is why it’s so important to read plugin reviews and check developer reputations before you install and activate something with admin-level power. Developer intentions aren’t enough: they need to know what they’re doing and understand how to patch any issues people find.

Outdated software foundations

WordPress is updated very regularly: it has to be updated regularly given how many people rely on it, because that popularity (along with its accessibility) makes it an attractive target. Finding a new vulnerability in WordPress can make millions of websites hackable in the blink of an eye, and the platform would lose a lot of faith if one such vulnerability went unaddressed for long.

WooCommerce is updated much less regularly, but that’s due to a stronger focus on substantial iterations: each release is tested more extensively, and can rely to a decent extent on the security innate to the WordPress platform. It isn’t an indication of a lack of effort from the developers. So if both parts of the puzzle are in active development, what’s the issue?

Simply enough, the problem here is that WordPress, even extended with WooCommerce, is chiefly a self-hosted solution. This means that the software isn’t handled on behalf of the merchant. Updates will continue to be available, but they won’t be forced unless automatic updates are toggled: this is good design because store owners may want to wait until out of working hours to install updates, but it also poses a clear risk.

The solution, then, depends on the situation. One option is to pay for a dedicated hosting service that offers update installation as a primary service. The other is to enable automatic updates for everything that’ll accept them and get into a routine of reviewing and installing updates at least once each week (if you read about a recently-identified exploit and feel concerned, you can check sooner).

A plugin like Companion Auto Update can make things easier by sending you email notifications when there are updates available, allowing you to skip a weekly check in the event that no such notifications arrive. How you do this is up to you, then: all that matters is that you keep every aspect of your store fully updated. 

These three flaws are reasonably common with WooCommerce. They’re not incredibly concerning — it’s a strong platform overall — but that doesn’t mean you can afford not to take action. Consider the solutions we’ve set out here and do what you can to make your WooCommerce site more resilient. You’ll be glad you did.

Further reading