WP Buffs Blog |

5 WooCommerce Security Issues & 12 Step Protection Plan

5 Huge WP eCommerce Security Threats and 12 Powerful Solutions (PDF included)

According to a report by the U.S. Census Bureau, the fourth quarter of 2021 saw $218.5 billion in online sales, equating to an increase of 9.4% from the fourth quarter of 2020. Even more impressive, is the fact that eCommerce accounted for 12.9% of total retail sales in Q4 2021.

As online shopping becomes a more viable (and convenient) option for consumers, it’s time for eCommerce companies to address the unique obstacles that stand in their way to closing more business. For WordPress users, one of the first to look at should be potential WooCommerce security threats.

Super Troopers Police GIF

Here’s the thing: just because customers are learning to trust online businesses with their money and personal information doesn’t mean they don’t have reservations about how secure it is to shop online. And they have good reason to be nervous.

WooCommerce security threats don’t just target big-box retailers. If your eCommerce site has something valuable worth stealing, you might find your site a target of hackers someday, too.

Rather than wait until one of these threats hits your site, you should work on building a proactive prevention plan, whether you get help with it or secure your WordPress website yourself.

The key to prevention? Understanding what the threats are, where they will attack, and how to keep them out. Let’s check out the biggest WooCommerce security threats and solutions to fight back.

Our team at WP Buffs helps website owners, agency partners and freelancer partners monitor their WordPress sites for eCommerce security threats 24/7. Whether you need us to manage 1 website or support 1000 client sites, we’ve got your back.

WooCommerce Security Threats You Need to Know About

If your business has an online presence, you should be concerned with security in general. But for eCommerce companies that deal in monetary transactions on a daily basis, being concerned with security is not enough. You should be obsessed with what those security threats are and how to keep them away from your site.

Here are the most common threats WooCommerce users face:

1. Spam

Blog comments and contact forms are an open invitation to spammers that want to leave infected links on your site or waiting for you and your employees in your inbox. This not only affects site security, but site speed, too.

spam comments wordpress

2. Brute Force Attacks

Most of us think of hackers as internet sleuths that spend hours pouring through source code in order to find a weakness in your site’s security. This isn’t always the case though.

Sometimes, hackers will use brute force attacks where they submit many passwords or passphrases with the hope of eventually guessing correctly.

Brute Force Attack

This is especially dangerous for WordPress sites since /wp-login.php and /wp-admin/ are the default login pages. The easiest way to protect against these kinds of attacks is to change your login address or use security plugins to block repeated login attempts.

3. Lack of Encryption

Ever noticed that most websites nowadays have a green padlock in the navigation bar? This is a badge that indicates to visitors that the website is secured using SSL. SSL is a security protocol that encrypts data and ensures that no one is hijacking your connection.
To put it simply, without SSL a third party could intercept data being sent to and from the website. This could be anything from passwords, credit card information, sensitive files, and more.

That’s not all though. In an effort to promote security and privacy, Google has begun penalizing sites without SSL. So not having it isn’t just unsafe, it can also hurt your organic traffic.

4. Malware

Cross-site scripting, SQL injections, malvertising, ransomware… These are different types of malware that aim to get into the backend of your website for the purposes of stealing sensitive data — from you and your customers. When researcher Willem de Groot initially studied 6,000 online stores back in 2015, he found that over half of them had been infected by malicious JavaScript coding. By year’s end, almost all of the stores had fallen to the threat.

WordPress malware warning

And that’s not the only unsettling case of malware injection.

There was eBay, whose database was hacked in 2014. While customers didn’t directly lose money as a result of the security threat, their login and password information was compromised.

There was also Target back in 2013, whose partnership with a third-party vendor with unsecured systems led to an attack. Credit card and personal data from tens of millions of customers was stolen and Target had to pay out over $18 million in lawsuits as a result.

5. DDoS

Distributed denial of service (DDoS) attacks do exactly what the name implies: they overwhelm a site’s server and take the site offline. The bot attack of 2016 against Dyn is one of the most high-profile examples of this type of threat.


Your WooCommerce Security and Threat Protection Plan

It’s important to note that attacks on your site don’t always happen for the purpose of stealing your customers’ credit card information or personal details. Hackers and bots may go digging around your site for access to your own company’s data, too. There are even times when the goal isn’t even financial in nature.

Regardless of the type of security threat you face, you can imagine how costly this could end up being to your bottom line and reputation. So, this is where the threat protection plan comes into play.

1. Server Security

First and foremost, ensure that you’re using a web hosting company that you trust has your site’s security top of mind.

This means there should be a server-side firewall, an option to add a CDN, SSL certificate availability, and hosting plans that don’t require you to share the server environment with other websites.

In terms of what you can do to better protect your hosting server, brush up on Apache security best practices.

2. Payment Gateway Security

Payment gateway plugins are a crucial part of credit card security for WooCommerce. In short, your payment provider is the one that will handle all customer transactions and ensure their data is secure. 

If you’re struggling to find a payment gateway provider, WooCommerce’s own payments plugin. WooCommerce Payments ensures all sensitive data is sent directly to the payment processor, without ever being stored on your sites database, which keeps it safe from attackers. 

3. Antivirus and Anti-malware Software

Equip your network’s computers with antivirus and anti-malware software.

4. Firewall

Ideally, your web host has a firewall in place for your server. You should also think about getting one for your computer as well as for the website itself. Many security plugins (like All In One WP Security & Firewall) come with a firewall built-in, so you can knock that off your list while simultaneously bolstering your WordPress security.

All in One Firewall Plugin

5. Spam Blocker

As mentioned above, spam can be problematic for your eCommerce site if you have a blog on it or a generic contact form. If that’s the case, use the Akismet plugin to keep known threats away from your site.

Akismet Anti-Spam Plugin

6. SSL Certificate

An SSL certificate is no longer optional for eCommerce sites, at least by Google’s standards. It’s an easy (and often free) way to add an additional layer of encryption to the transactions that take place there.

Let's Encrypt SSL Certificate

7. PCI Compliance

The PCI Security Standards Council has strict guidelines regarding how you need to secure your website if partaking in eCommerce.

These include rules about the type of web hosting, the level of security at the payment processing level, and so on. Be sure to familiarize yourself with these and adhere to them as you build and maintain your site.

PCI Security Standards Council

8. CDN

CDNs are a great way to prevent DDoS attacks on your website. Think of a CDN as another layer of hosting for your eCommerce website, this means additional layers of security, too.

9. Security Plugins

As referenced above, a security plugin would be a smart move for keeping your WordPress installation and the front-end of your site safe.

In addition to protecting your site from malware and DDoS attacks, security plugins can also block repeated login attempts and alert you that someone is trying to brute force your site. We recommend iThemes Security Pro for this.

10. Backup Plugins

Don’t forget about having a backup and restore plugin. No matter how fortified your eCommerce site may be, hackers have all the time in the world to experiment with new ways of cracking their way through.

It’s crucial that you be prepared with a way to quickly recover if something should happen to your site.

UpdraftPlus Plugin

11. Update Regularly

When software goes without required or even suggested updates from the provider, you’re putting your eCommerce business at risk. So, keep everything updated and do it regularly. This includes:

  • Your computer
  • Your company’s network
  • Your server software
  • Your PHP version
  • The WordPress core
  • Your WordPress plugins and themes

12. Passwords

While you might expect that hackers go straight for credit card information (which they do), they also target user login information.

In fact, a report from CMSWire says that 75% of all attacks on eCommerce sites during the 2016 holiday season were targeted at the login. Needless to say, stringent password security policies (including two-factor authentication) are a must.

WordPress Passwords

Woocommerce vs Shopify Which Is Better for Security?

If you’re just starting out in eCommerce, it can be tough to decide which platform is better for your business, especially when it comes to something as crucial as security. 

Unfortunately, there is no clear winner between Shopify and WooCommerce when it comes to safety.

On the one hand, as a hosted platform Shopify requires almost no setup and includes plenty of security features. On the other hand, WooCommerce allows you to go much further in your security measures by setting things up yourself. 

In the end, it comes down to personal choice. Computer savvy business owners might choose WooCommerce for the versatility of the WordPress ecosystem, while someone less familiar with tech might prefer Shopify. 


At the end of the day, your goal is to provide a safe place for customers to shop online. And you also want to conduct business in a way that keeps your bottom line protected as well.

In addition to the WordPress WooCommerce security threats and solutions above, you should also think about conducting regular security audits on your WordPress site.

If you’re intimidated by the process or unsure if you have the time to dedicate to fighting all the types of threats your WooCommerce site is facing, then hire a trusted WordPress maintenance partner to help you. Or you may even want to look at some of the other best eCommerce platforms or consider starting an online boutique of your own.

Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.

If you enjoyed this article, then you’ll really enjoy the 24/7 WordPress website management and support services WP Buffs’ has to offer! Partner with the team that offers every aspect of premium WordPress support services.

From speed optimization services, to unlimited website edits, security, 24/7 support, or even white-label site management for agencies and freelancers, our expert engineers have your back. Bring us in as part of your team to make your site Bufftastic! Check out our plans

Curious about what we do?