Last updated - August 24, 2020
This article is part of the User Management Guide:
- Basic WooCommerce settings to configure accounts
- Know about user roles and capabilities
- Create a new user
- Ensure security of user data (current article)
- Improve user management
You are all excited about the new online store that you started. You have set up different user accounts for the team working with you. Among all the furor around the new venture, there is a possibility that you might have overlooked some security concerns. After reading this article, you will get an idea about some of the security aspects related to user accounts on your WooCommerce store.
Creating strong passwords is mandatory
Secure all your accounts with genuinely strong passwords. This is a simple precaution, but store owners often don’t take it seriously. You can make sure a password is strong by following some basic steps (which you may already know).
Some simple tips for password creation
- Mix numbers, symbols, and uppercase and lowercase letters.
- Make it as long as possible. Length does more against guessing attacks than symbol variety does.
- Do not reuse a password from any other account. If that other site is breached, the leaked password becomes a working login on your store.
- Avoid words or dates that attackers can easily connect to you. A birthday, anniversary or child’s name is easy to remember, and just as easy to find and feed into a guessing list.
- Recent versions of WooCommerce show a password strength meter during account creation and can refuse passwords below a minimum strength. The meter runs in the browser, so it guides customers but does not by itself stop someone who submits the form directly; server-side checks are what enforce the rule.
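The following is an added example of enforcing such a password policy on the server side, written for this article and not taken from WooCommerce or WordPress. It raises the strength the WooCommerce registration meter demands and then re-checks every password on the server through WordPress and WooCommerce hooks, so the rule holds even when the browser-side meter is bypassed. The limits (12 characters, strength level 4), the function names and the short deny list are this example’s own choices; a real deployment would check candidates against a breached-password service instead of a hard-coded list.

```php
<?php
/**
 * Plugin Name: Store Password Policy (added example)
 *
 * Added example, not WooCommerce's or WordPress's own code. Save it as
 * wp-content/mu-plugins/store-password-policy.php so it is always active.
 * Thresholds and the deny list below are this example's assumptions.
 */

// Raise the strength the front-end meter demands on the WooCommerce
// registration form (0-4 scale; WooCommerce's default is 3).
add_filter( 'woocommerce_min_password_strength', function ( $strength ) {
    return 4;
} );

// The meter is JavaScript, so anyone posting the form directly skips it.
// These checks run on the server for every path that sets a password.
function store_password_problems( string $password, string $username ): array {
    $problems = array();
    $deny     = array( 'password', 'woocommerce', 'letmein', 'qwerty' ); // constructed list

    if ( strlen( $password ) < 12 ) {
        $problems[] = 'be at least 12 characters long';
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        $problems[] = 'not contain the username';
    }
    foreach ( $deny as $bad ) {
        if ( false !== stripos( $password, $bad ) ) {
            $problems[] = 'not contain the common word "' . $bad . '"';
            break;
        }
    }
    return $problems;
}

function store_password_add_errors( WP_Error $errors, string $password, string $username ): void {
    foreach ( store_password_problems( $password, $username ) as $problem ) {
        $errors->add( 'weak_password', 'Password must ' . $problem . '.' );
    }
}

// Front-end registration: the WooCommerce form posts the field as "password"
// (absent when WooCommerce is set to generate passwords itself).
add_action( 'woocommerce_register_post', function ( $username, $email, $errors ) {
    if ( isset( $_POST['password'] ) ) {
        store_password_add_errors( $errors, (string) wp_unslash( $_POST['password'] ), (string) $username );
    }
}, 10, 3 );

// Dashboard profile edit and "Add New User": WordPress has already copied the
// submitted password onto $user->user_pass when one was entered.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        store_password_add_errors( $errors, (string) $user->user_pass, (string) ( $user->user_login ?? '' ) );
    }
}, 10, 3 );

// Password reset: WordPress posts pass1, WooCommerce's own form posts password_1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $new = $_POST['pass1'] ?? $_POST['password_1'] ?? '';
    if ( '' !== $new && $user instanceof WP_User ) {
        store_password_add_errors( $errors, (string) wp_unslash( $new ), $user->user_login );
    }
}, 10, 2 );
```

Because it lives in mu-plugins rather than plugins, nobody with dashboard access can switch the policy off, which is the point of making it a must-use plugin.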
Use password management systems
Use an automated password generator to create each new password; this takes the guesswork out of password strength. Google Chrome’s built-in password generator is one option you can try. The usual objection to generated passwords is that they are too long and complicated to remember, and the answer is not to remember them at all: store them in a password manager. For this purpose, WooCommerce recommends 1Password.
Try multi-factor authentication on your accounts
Multi-factor authentication asks for a second proof of identity in addition to your password; the common form is two-factor authentication, or 2FA. A login attempt to your store is then allowed only after that additional verification succeeds, so a password alone, even one stolen through phishing or a breach elsewhere, is not enough to get in. Using your smartphone as that second proof is increasingly the norm.
Google Authenticator is a simple, free app for this, available on the major mobile platforms. It generates a short code that changes every 30 seconds, and validating the code is fast, so the extra time added to each login is minimal.
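To make concrete what the store is actually checking when Google Authenticator is in use, here is an added example of time-based one-time password (TOTP) verification as specified in RFC 6238: HMAC-SHA1 over a 30-second counter, truncated to 6 digits. This is not WooCommerce’s or Google’s code, and wiring it into the login screen is what a 2FA plugin does for you; the function names are this example’s own. It also refuses a code that has already been accepted, which is the detail that stops a phished or shoulder-surfed code from being replayed within its 30-second window.

```php
<?php
/**
 * Added example: verifying a Google Authenticator (RFC 6238 TOTP) code.
 * Not WooCommerce or Google code; function names are this example's own.
 */

function totp_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $ch ) {
        $v = strpos( $alphabet, $ch );
        if ( false === $v ) {
            throw new InvalidArgumentException( 'Invalid base32 secret' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
        $bytes .= chr( bindec( substr( $bits, $i, 8 ) ) );
    }
    return $bytes;
}

// One HOTP value (RFC 4226) for a counter: 8-byte big-endian counter,
// HMAC-SHA1, dynamic truncation, then the low $digits decimal digits.
function totp_code_for_counter( string $secret, int $counter, int $digits = 6 ): string {
    $hmac   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hmac[19] ) & 0x0f;
    $value  = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $value % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Accept the code if it matches the current 30-second step or one step either
 * side (clock drift), and only if that step is newer than the last one already
 * used, so an already-seen code cannot be replayed. Returns the matched counter,
 * to be stored as the new high-water mark, or null if the code is rejected.
 */
function totp_verify( string $b32_secret, string $submitted, int $now, int $last_used = -1, int $step = 30 ): ?int {
    if ( ! preg_match( '/^\d{6}$/', $submitted ) ) {
        return null;
    }
    $secret  = totp_base32_decode( $b32_secret );
    $current = intdiv( $now, $step );
    $matched = null;
    foreach ( array( -1, 0, 1 ) as $drift ) {
        $counter = $current + $drift;
        // hash_equals is constant-time; the loop always runs all three steps.
        if ( hash_equals( totp_code_for_counter( $secret, $counter ), $submitted ) && $counter > $last_used ) {
            $matched = $counter;
        }
    }
    return $matched;
}

// RFC 6238 Appendix B test vectors: ASCII secret "12345678901234567890", base32-encoded.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump( totp_verify( $secret, '287082', 59 ) );                   // int(1)
var_dump( totp_verify( $secret, '081804', 1111111109 ) );           // int(37037036)
var_dump( totp_verify( $secret, '081804', 1111111109, 37037036 ) ); // NULL: code already used
var_dump( totp_verify( $secret, '287082', 1111111109 ) );           // NULL: wrong code
```

In a WordPress deployment the secret and the last-used counter would live in user meta, and the returned counter would be written back after every successful check; the secret must be generated with a cryptographically secure random source and shown to the user only once, as a QR code, at enrolment.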
Safeguard your store against brute-force attacks
In a brute-force attack, the attacker tries many candidate passwords against the login until one works. In practice these are rarely random strings; they come from lists of common passwords and passwords leaked in earlier breaches. A long, randomly generated password is out of reach of this kind of online guessing, but a password that merely looks strong while following a familiar pattern (a dictionary word with a digit and a symbol appended, for instance) appears in every such list, and the flood of attempts still burdens the server. The login itself therefore needs protecting, not just the password.
Change the default administrator username
Older WordPress releases created the first administrator with the username ‘admin’ by default, and many one-click installers still do, so attackers try that name first. WooCommerce recommends against using it, because a known username hands an attacker half of the credentials before they start guessing. Give your administrator account a name that is hard to guess, and pair it with a strong password and two-factor authentication. To change an existing ‘admin’ account, create a second administrator with the new name, log in as that user, then delete the old account and reassign its posts and pages to the new one. Bear in mind that usernames are not secrets: WordPress can reveal them through author archive URLs and the REST API, so the rename makes you a less obvious target but does not replace the password and the second factor.
Jetpack Protect is a good option
Jetpack Protect blocks repeated failed login attempts on your site. It also keeps a count of the attempts it has blocked, which you can see on the dashboard.
You may need to white-list your IP address while using Jetpack
The flip side is that if you mistype your own password several times, you can be locked out of your own site. To prevent this, Jetpack lets you add your IP address to an allow list (it calls this white-listing), either in the Jetpack settings or in wp-config.php. Only list addresses you control, and remember that an office address shared with many people exempts all of them from the protection.
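The following is an added example of the behaviour described in the last two sections, written for this article and not taken from Jetpack: after a number of failed logins from one IP address, or against one username, further attempts are refused for a while, and addresses listed in the hypothetical wp-config.php constant STORE_LOGIN_ALLOW_LIST (comma-separated) are never limited, which is how you avoid locking yourself out. The thresholds, the constant and the function names are this example’s assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not Jetpack's code. Save it under wp-content/mu-plugins/.
 * Exempt your own address in wp-config.php with, for example:
 *   define( 'STORE_LOGIN_ALLOW_LIST', '203.0.113.5' );
 * The constant name and thresholds below are this example's own choices.
 */

define( 'STORE_LOGIN_MAX_FAILS', 5 );
define( 'STORE_LOGIN_LOCKOUT', 15 * MINUTE_IN_SECONDS );

function store_login_client_ip(): string {
    // REMOTE_ADDR only: X-Forwarded-For is attacker-controlled unless a
    // trusted proxy in front of the site rewrites it.
    return (string) ( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function store_login_is_allow_listed( string $ip ): bool {
    if ( ! defined( 'STORE_LOGIN_ALLOW_LIST' ) ) {
        return false;
    }
    return in_array( $ip, array_map( 'trim', explode( ',', STORE_LOGIN_ALLOW_LIST ) ), true );
}

// Two counters per attempt: one for the source address and one for the target
// account, so a botnet spreading its guesses over many addresses still trips
// the per-username limit.
function store_login_counter_keys( string $ip, string $username ): array {
    return array(
        'store_login_fail_ip_' . md5( $ip ),
        'store_login_fail_user_' . md5( strtolower( trim( $username ) ) ),
    );
}

function store_login_is_locked( string $ip, string $username ): bool {
    foreach ( store_login_counter_keys( $ip, $username ) as $key ) {
        if ( (int) get_transient( $key ) >= STORE_LOGIN_MAX_FAILS ) {
            return true;
        }
    }
    return false;
}

// Priority 30 runs after WordPress's own password check (priority 20), so the
// lockout error replaces that check's result: a correct password does not get
// through while the lockout lasts.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $ip = store_login_client_ip();
    if ( ! store_login_is_allow_listed( $ip ) && store_login_is_locked( $ip, $username ) ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again in 15 minutes.' );
    }
    return $user;
}, 30, 3 );

// Count every failure; the expiry is refreshed on each one, so attempts made
// during a lockout extend it. This is a read-then-write, so two simultaneous
// failures may be counted as one, which is acceptable for a throttle.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = store_login_client_ip();
    if ( store_login_is_allow_listed( $ip ) ) {
        return;
    }
    foreach ( store_login_counter_keys( $ip, $username ) as $key ) {
        set_transient( $key, (int) get_transient( $key ) + 1, STORE_LOGIN_LOCKOUT );
    }
} );

// A successful login clears the counters for that address and account.
add_action( 'wp_login', function ( $user_login ) {
    foreach ( store_login_counter_keys( store_login_client_ip(), $user_login ) as $key ) {
        delete_transient( $key );
    }
} );
```

Because the `authenticate` filter is also used for XML-RPC and REST logins, this throttles those paths as well, not only the wp-login.php form. Transients live in the options table (or the object cache when one is configured), so the counters are shared across all web servers that use the same database.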