Last updated - February 2, 2022
As a popular platform used widely across the world, WooCommerce vulnerabilities could be a major trouble for store owners. In case you are impacted with a security vulnerability of WooCommerce, how will you handle it. In this article, we will discuss some of the precautions you can take to deal with WooCommerce vulnerabilities.
WooCommerce Critical Vulnerability July 13th, 2021
A critical vulnerability was reported for WooCommerce and the WooCommerce Blocks plugin on July 13, 2021. This vulnerability was reported by a security researcher Josh through the HackerOne security program of Automattic. Once the vulnerability was detected, there was a thorough investigation by WooCommerce, followed by the development of a security patch. This security patch was deployed automatically to all impacted versions of the plugin.
Recommended actions to tackle July 13 Critical vulnerability
WooCommerce will automatically roll out the security patch on all impacted stores. From a store owner’s perspective, it is recommended that you ensure both WooCommerce and WooCommerce Blocks are updated to their latest versions (5.5.1). It is also preferable to have your passwords updated for admin users. Another suggestion is to rotate API keys and payment gateway keys used on the store.
WooCommerce has also published a list of patch versions in this post, and if your version is not in the list, you can update both WooCommerce and WooCommerce Block plugin to the highest available version.
Reasons for not receiving the security patch automatically
There could be a few reasons for your store not receiving the security patch. These are:
- Your store is running on an older version of WooCommerce (lower than version 3.3)
- You have disabled automatic updates on your store.
- There is a possibility that the file system is read only.
- There could be conflicts from some plugins installed on your site.
For stores running on older versions, there is no further action required as this particular security vulnerability won’t have any impact. However, for all the other reasons mentioned above, WooCommerce advises store owners to try manually updating the plugin.
How to find if data was compromised?
According to WooCommerce, there is no definite way to confirm what information was exposed during the exploit. If a site is exposed to this issue, any information stored could be affected. In the case of a WooCommerce store, this could be information about customers, orders or other admin data.
One way of knowing whether this vulnerability was exploited is to check the access logs of your web server. WooCommerce has also provided sample request formats that could indicate a possible exploit attempt. Also, they have provided some IP addresses from which majority of exploit attempts came. You can read more details about this on this post about WooCommerce critical vulnerability.
Is there a possibility of password compromise?
According to WooCommerce, the possibility that this exploit could lead to the compromise of passwords is practically nil. This is because WordPress passwords use cryptographic hash function, and is impossible to crack. If you are following the password management guidelines of WordPress, your password will be secure. However, if a plugin you are using has been storing passwords in less secure ways, there could be an impact.
If you are a WooCommerce developer or own a SaaS-based tool based on WooCommerce API, you may have to inform your clients and subscribers about this vulnerability and encourage them to update to a secure version. If you are a WooCommerce store owner, WooCommerce recommends to change any private data stored in your WordPress database such as API keys as well as public or private keys for payment gateway integration. It is also advisable to change the administrator password(s), if they are used in other websites. Resetting passwords of customers is not a necessary step, though you can do it as an additional precautionary measure.
General security tips to protect your store from WooCommerce vulnerabilities
If your online store is running on WooCommerce, you may have to follow some security guidelines. Here is a list of things to pay attention to so that you can easily deal with such vulnerabilities and possible exploits.
Use a security plugin
One of the basic things you can do to deal with security vulnerabilities is to get a security plugin. There are several popular options that will ensure your site’s security through regular monitoring, integration of Web Application Firewall (WAF) and fast repair options. Some of the preferred solutions for WooCommerce site security are Jetpack, MalCare, Sucuri, etc.
Get an SSL certificate
An SSL certificate will ensure that the data exchanged between your customers and the store will be encrypted. This will ensure better site security, and you can peacefully store customer’s details including payment information on your WooCommerce store itself. Most hosting plans offer free SSL certificate, and you can even set up free SSL using Let’s Encrypt.
Ensure login security
The login page of a WordPress site is one of the most common targets for malicious attacks. Experts recommend several steps to ensure the security of your store. These are:
- Allow only limited login attempts
- Do not keep the default ‘admin’ username
- Enable Two Factor Authentication (2FA)
Manage user profiles in a secure manner
For a WordPress site or WooCommerce store, there will be scenarios where one person alone can’t manage all the administrative or store management aspects. So, you will naturally create more users for site management. One of the basic aspect to ensure here is to provide only the essential capabilities to users. You can read more about content restriction strategies in a WooCommerce store to have a better understanding of these aspects. Enforcing strong passwords for all users is another important strategy that will help with secure user management.
Use only secure themes and plugins
Even if your site is secure, a compromised plugin or theme can create security hassles for you. The solution to this is to use only plugins and themes downloaded from trustworthy sources. These include WordPress plugin repository, theme directory, WooCommerce marketplace, reputed third party developers, etc. You can read the article on trustworthy sources to buy plugins for more information.
Use a solid backup solution
Another important factor is to have a solid backup solution. Ensure that you have flexible backup schedules with the tool that you are using. UpdraftPlus is a highly recommended backup solution for WooCommerce stores.
Ensure regular updates
Another security recommendation for WooCommerce stores is to maintain a regular update schedule. Simply updating WordPress and WooCommerce won’t ensure total security if you are using several different plugins. You have to ensure all the plugins you use on your store is updated regularly as well. One practical approach to go about this will be to maintain an update schedule so that you won’t miss out on it. It will also help you be more prepared to tackle unexpected issues.
We hope this article has provided you with a good idea on how to handle WooCommerce vulnerabilities. If you would like to share your experience in such a situation, do not hesitate to leave a comment in the below section.