Websites running on WordPress and WooCommerce, or in short online shops (how to set up an online shop) have significantly higher security priorities than other small projects. As e-commerce grows, and it is not slowing down, the risk of security breaches is also growing exponentially.

Supervising the safety of your online business is a fundamental task of every shop owner, just as in the offline world you need to take care of the state and standards of your restaurant in case of any kind of inspections and for the sake of your customers and your reputation. Any problems that arise in your online shop can undermine trust in your brand, and I don't have to explain what consequences this can have.

While there are no 100% guarantees when it comes to data security, you can protect your clients and your own business by implementing key procedures, a few words about which follow.

Server-side security measures

Your hosting server is always on the first line of defense against attacks. Even if you have the best possible security plugins active on your shop, errors on the hosting account side can render these plugins useless.

Some hosting settings are under your control, others are completely out of your reach. So when deciding on hosting for your WooCommerce shop, avoid low-budget services that are created for an all-purpose, often unsecure environment. Shop around for dedicated hosting or hosting that focuses on providing optimal working conditions and security for your WordPress ecosystem.

Look for high quality WordPress hostingwhich will give you the ability to implement and control key security measures on the service side. For example, protecting critical WordPress directories from writing or executing scripts.

With such protection, the server itself makes it difficult for hackers to exploit a vulnerability in the security of a theme or plugin, and vulnerabilities do happen, and not at all infrequently. Even just recently, before this article was published, there was a report about an open door in a popular plugin Elementorwhich is installed on more than 7 million websites worldwide. Of course, the developers quickly closed it, but the question remains how many people using the version of the plugin containing the vulnerability are aware of it and how many of those people have already performed the update.

This type of server-side, write-preventing security means that any attempts to do so are logged, which can help in the efficient detection of malicious activity.

And don't forget the SSL Certificate. It's already standard and even required for online shops, but I still come across shops that don't use this protection mechanism. Remember to have it and renew it.

Going further. Your server should have up-to-date versions of PHP. WordPress is rapidly evolving and doesn't lag behind new versions of PHP. At the time of writing this article, the recommended PHP version for WP is 7.4, but version 8.0 was released a few months ago and the WordPress core itself is already ready to work in this environment.

Older versions of PHP, especially those that are not further developed and updated, can contain many dangerous gateways for even a novice hacker to get into your website or shop. Make sure that your hosting provider is up to date with the latest version of PHP. This is not only a security issue, but also a performance one. Newer versions of PHP simply run faster than older ones.

Updating WordPress, plugins and theme

Performing regular updates is one of the most important factors for the security of your online shop. The most common source of site infections is a vulnerability in an outdated plugin or theme. Two years ago, Sucuri reported in its report that 56% of hacked sites had an outdated environment at the time of the attack. Gives food for thought.

Gro of my students at MeetWP tell me that they don't want to update anything on their shop for fear of the project falling apart. If there is such a fear we do update tests on a clone, or make a backup before the update so that if there is a problem we can quickly restore a previous working version. Updates are a must! Not only do they bring new features, but they also contain security fixes. For example, the WooCommerce 4.6.2 update released in November 2020 included a bug fix that allowed anonymous users to create an account during a transaction even if this option was disabled in WP settings. At the time, WooCommerce encouraged shop owners to implement this update immediately. Overlooking developments like this can put you at considerable risk.

Even if you update your plugins regularly, it is possible that one of them has been abandoned by the developer. WordPress removes these types of extensions from the repository because they can pose real security and performance risks.

This is easy to overlook, as removing such an abandoned plugin from the repo does not mean removing it from your site. That's why, for example, the WordFence plugin can inform you that you have a plugin that has been eliminated from the WordPress repository.

See how many security-related things I've written about so far, and it's not over yet 🙂

Security monitoring

In fact, I already mentioned this above when mentioning the WordFence plugin. Security monitoring is another piece of the puzzle that every shop owner should take care of.

What our hosting and the updates we make protect us from is not a guarantee of security. New threats are constantly emerging, many of which are automated attacks.

Seriously consider setting up 24/7 security monitoring to detect any malware or breaches. Both free and paid versions of the WordFence plugin and paid services such as Sucuri, BlogVault, WebTotem and others, are frequently used activity monitoring mechanisms. They offer malware scanners and alert you to any suspicious movements.

Paid monitoring services can also include automatic malware removal, which can help you quickly clean up your site after any security issues.

Another security practice is to minimise the number of WordPress admin accounts. Check accounts every few months and proactively remove previous employees or contributors or webmasters who should no longer have access to the cockpit.

For a shop where any downtime could negatively impact sales performance, consider WAF firewall protection, albeit through services such as those mentioned earlier or WordPress hostingon which the WAF runs on the server system side. This can protect a site from malicious bot traffic or a DDoS attack, which aims to shut down a server or site by flooding it with waves of requests.

Secure card payments

Online shop is also about payments, and although in Poland card payments for online transactions are still not as popular as in the West, this state is changing. A few years ago, a small percentage of customers in our shops paid by card. Today, in some projects, this form is chosen even more often than others.

Any website that handles credit card transactions must be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). These global standards have been established to help reduce payment card fraud.

One of the best ways to meet these requirements is to use a secure payment gateway, such as PayPal or Stripe. WooCommerce supports these standards by never storing credit card details in-store.

Unfortunately, even if you follow standards and use a secure payment gateway, e-commerce fraud can negatively affect your online shop. It's quite common for thieves to test stolen cards right in shops like yours.

The WooCommerce Anti-Fraud extension is a great resource for finding out about fraudulent transactions. The plugin evaluates each transaction for risk and can be configured to automatically cancel or stop suspicious transactions.

It's also important to protect your shop from automated bots that can create fake accounts and orders. A good defence is to set up Google recaptcha using the Recaptcha for WooCommerce extension.

Database copies

Using the previously mentioned security measures is mainly about prevention. The worst that can happen is for your shop to be successfully attacked. The consequence of such an event may be a total shop paralysis or even destruction of its data about products, orders, customers... This can happen to anyone, even the most experienced person with great competence in WordPress security. Therefore, don't ignore the need to make copies of at least the database itself, which is the most important from the point of view of your business.

The recent events at OVH, when a server room burned to the ground, only proves the fact that threats are not just hackers.

Store a copy of your database externally e.g. in your Google Drive, Microsoft OneDrive or Dropbox service. Do it at least once a day, and in situations where your shop boasts significant traffic and sales consider implementing real-time backup services like BlogVault.

The point is that if your shop is successfully attacked, e.g. in the evening, and copies are made once a day in the middle of the night, restoring the database from this copy will mean the loss of customer data and orders from the whole day, which may turn out to be quite a problem. Real-time copies will allow you to avoid such situations.

I'll write about backup solutions for WordPress in a separate article, because it's a broad topic, and there are a lot of backup tools themselves.


The above-mentioned procedures are the most important components of protection against attacks that you should apply in your online shop. It is not so that you launch a shop and forget about its security for good, and the only thing you will be interested in is catching as many customers as possible. Of course, the shop is supposed to sell, but remember that if it is attacked and the attack is successful, sales will stop and it is not known for how long.

Apply everything I have written above and you will avoid most of the unpleasant situations that you may think are unlikely to happen to you today. The truth is that most owners of sites that have suffered in the past thought so too.

Make shop security as much of a priority as sales. Don't let it go and always try to keep up to date with it. Do not leave it in the hands of a webmaster, as this is often not effective. You take the best care of your shop because this particular shop is important and valuable to you. It generates income, it allows you to develop and that is why take care of it and it will surely repay you.


See also

DNS Anycast

DNS Anycast - what is it?

DNS Anycast, is a topic not directly related to WordPress, but one that affects how quickly a site can load, which means better quality results.

Free information on JZS news

I invite you to become a subscriber! Thousands of readers already subscribe to news from JZS.

You can unsubscribe at any time. Your address is safe here.

Featured LifeTime Offers!

pcloud lifetime

Cloud drive with lifetime access. Save your files and...

JivoChat lifetime offer

One of the best chat rooms for websites. Mature with lots of...

Pabbly Connect LifeTime
Pabbly Connect

A tool to automate online business processes and integrate the website with...

Leave a Reply

Your email address will not be published. Required fields are marked *