WooCommerce Security: How Secure Is Your Customers’ Data?

July 5, 2018 Chris Lema

For online store owners, cybersecurity is mission critical. Today, you’re not just selling products and services, you’re selling a secure shopping experience. Customers who don’t trust you enough to enter their payment information will abandon their cart and navigate somewhere else.

But cybersecurity threats are constantly evolving and getting more sophisticated. Now, hackers use so-called “fileless” attacks that exploit your website’s vulnerabilities and steal information without the use of executable files. Security reports for 2018 show fileless attacks are on the rise.

While eCommerce plugins like WooCommerce offer adequate transactional security, they may not provide enough overall protection to stay ahead of cybersecurity threats without additional precautions. Our team has had WooCommerce security on our mind for years. As we recently launched our Managed WooCommerce Hosting service, we realized it would be valuable to outline some of the WooCommerce security measures website owners should be taking.

Strong Passwords

Weak or easily predictable passwords are major flaws in your security plan. If you’re using short, simple login credentials because they’re easy to remember or sharing logins across many websites, you’re taking an unnecessary risk with your customers’ data.

Cyberthieves use brute force attacks to guess your password. With specialized software, they can quickly make repeated attempts at different password combinations until they find yours. If your password is “password1” or “qwerty”, a brute force attack will only take a matter of minutes, but the damage to your website and your customers will last much longer.

Strong passwords are long and complex, and mix letters with numbers. However, this also makes them difficult to remember. Here are some helpful ways to create strong passwords that are easy to remember:

Use Acronyms

Use a long phrase to create a shorter string of characters. For example, “Laugh and the whole world laughs with you, cry and you cry alone.” becomes LATWWLWYCAYCA — a 13-character password. Make a few letter-number substitutions and vary the capitalization, and you’ve got a fairly strong password that’s easy to remember.

Use a Passphrase

Passphrases create highly secure passwords and they’re even easier to remember than acronyms. To create a passphrase, choose four random words — “mall”, “tongue”, “meal”, “reflection” — and string them together to form a lengthy password: “malltonguemealreflection”.

Again, substitute some letters for numbers and add a few special characters and you’ve got yourself a password that will elude the best brute force efforts.

Get a Password Manager

Password managers bring the best of both worlds to password creation. They randomly generate strong passwords and remember them for you.

You create a master password that gives you access to all of your other sign-in credentials. Instead of typing your passwords into a login field, you can set your manager to automatically log you into your account.

Because you’re not using the keyboard to type in your password, you’re lowering the chances of a hacker using keylogger software to steal your credentials.
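The passphrase and password-manager advice above comes down to one question: how many guesses would a brute force attacker need? The following is an added example, not code from the original post or from Liquid Web, that generates a passphrase the way a password manager would (with a cryptographically secure random source) and estimates the entropy of each scheme. The word list is a constructed stand-in; the 7776-word figure in the test reflects the size of a standard diceware list.

```python
import math
import secrets

# Constructed miniature word list for the demo. A real list (for example a
# diceware list) has thousands of words; the entropy maths below shows why that matters.
SAMPLE_WORDS = [
    "mall", "tongue", "meal", "reflection", "anchor", "basket", "candle", "dragon",
    "engine", "forest", "garden", "harbor", "island", "jacket", "kettle", "lantern",
]


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random using the `secrets` module (a CSPRNG),
    never `random`, which is predictable and unsuitable for credentials."""
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(word_count, list_size):
    """Entropy (bits) of `word_count` words chosen uniformly from `list_size` words."""
    return word_count * math.log2(list_size)


def charset_entropy_bits(length, charset_size):
    """Upper bound on the entropy of a `length`-character string over an alphabet of
    `charset_size`. An acronym built from a well-known quotation is far below this
    bound because the letters are not chosen at random."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: on average half the keyspace."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


if __name__ == "__main__":
    # Assumed guess rate for an offline attack on a fast hash; a constructed figure.
    rate = 1e10
    for label, bits in [
        ("13 uppercase letters (upper bound)", charset_entropy_bits(13, 26)),
        ("4 words from the 16-word demo list", passphrase_entropy_bits(4, len(SAMPLE_WORDS))),
        ("4 words from a 7776-word list", passphrase_entropy_bits(4, 7776)),
        ("16 random printable ASCII characters", charset_entropy_bits(16, 95)),
    ]:
        print(f"{label:40s} {bits:6.1f} bits  ~{expected_crack_seconds(bits, rate):.3g} s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The point the numbers make: four words drawn from a tiny list are weak no matter how memorable, while four words from a large list, or a long manager-generated string, push the expected guessing time far beyond what matters in practice.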

Two-Factor Authentication

Whether it’s for accessing your Google account or your server, you need to set up two-factor authentication (2FA) as an extra layer of security. 2FA requires those logging in to prove their identity through a physical device — most commonly, a cell phone.

This two-step process requires not only a username and password, but an additional piece of information for verification. You’ve been using 2FA for years at the bank. Withdrawing cash from an ATM requires both your debit card and your PIN — something you have and something you know.

Your sign-in credentials are the gateway to your customers’ private information. If a cybercriminal breaches your email account, they could potentially find your customers’ names, addresses, and payment information. But with 2FA, even if a cybercriminal steals your login credentials, they won’t be able to access your accounts without the added piece of information. You can easily set up 2FA for your WordPress account with either the Google Authenticator or the Google Authenticator for WordPress plugin.

Your customers need to use 2FA as well. When your website gives customers the ability to use a two-step security process, it gives them the power to protect their accounts. There are several WordPress plugins that allow you to improve security for your site with two-factor authentication. Some security plugins like iThemes Security Pro have 2FA built right in.

Software Updates

If your website software isn’t up to date, it becomes much more vulnerable to cyberattacks. In addition to making changes to functionality, software updates also include security patches that close off vulnerabilities in the software that cyberthieves love to exploit.

If you use a dedicated or unmanaged server, you’ll need to take extra steps to keep your server software up to date. That goes for your WordPress plugins and website templates as well.

It can be a hassle to manage updates, and sometimes it’s an easy task to put off until tomorrow. But that’s a dangerous game to play. Unpatched servers open the door to cyberattacks, like the WannaCry ransomware that targeted servers with out-of-date software and caused millions in losses.

Keep your cybersecurity practices organized and predictable by creating a monthly schedule for checking and installing the latest updates. Even if it means a little downtime for your website, that’s still better than a DDoS attack that shuts your site down completely.

Data Encryption

One critical layer of defense against data breaches is encrypting all of the information that’s transmitted from your customers’ web browser to your server. Cyberthieves can easily swipe unencrypted data and use it to steal your customers’ identities, so using security technologies like Secure Sockets Layer (SSL) is essential.

Using a standard SSL Certificate ensures private information like credit card numbers and passwords are encrypted into data that only the customer and website can decrypt.

SSL Certificates also identify your eCommerce site as a secure website to shoppers, assuring them that their transactions and personal data are safe. Often phishing attacks lead consumers to fake websites created to look like legitimate ones for the purposes of tricking consumers into giving away their sign-in credentials.

SSL Certificates indicate to visitors that your site is secure, encrypted, and legitimate. They’re the kind of social proof you need to build trust in your website and brand — a powerful way to sell security. Let’s Encrypt is a free, automated, open certificate authority that lets site owners enable HTTPS for their websites.

Covered by Liquid Web’s Managed WooCommerce Hosting

Liquid Web provides SSL certs for all our Managed WooCommerce Hosting, but also sells several different SSL Certificate options from GlobalSign — a well-respected name in the encryption industry — if you need something different.

Payment Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines for online transactions. Most major card acceptance programs require merchants to be PCI DSS compliant in order to use their services, so getting and maintaining compliance is necessary if you want to accept most types of payments. Plus, compliance means you’re taking the right steps to keep your customers’ data safe.

PCI DSS also covers how you should set up and maintain your server to protect your customers’ payment information. As of July 1, 2018, changes to PCI standards require merchants to upgrade to more secure communication protocols. This means updating and reconfiguring your servers to work with new, more secure transaction processes. This can be a costly operation if you have to shut your website down, or if you’ve not successfully met compliance standards and can’t process transactions.

The criteria for PCI compliance depend on your designated merchant level, which is determined by how many transactions you have per year. Most merchant levels require annual self-assessments, network scans, and third-party services to scan your transactional process.

Data Backups

Backing up your data to an off-site location is the best disaster recovery plan you can have. Cyberthreats like ransomware attacks can result in corrupted data, lost money, or both.

Off-site data protection ensures you have backups for sales transactions, customer information, and server configurations ready to go if disaster strikes. Data protection solutions are growing in popularity among SMBs with limited or no IT staff and for larger companies that want to protect the data of higher risk consumer groups like mobile laptop users.

When cyberthieves try to extort a hefty ransom for getting your data back, off-site backups will transform their demands into empty threats.

Covered by Liquid Web’s Managed WooCommerce Hosting

Liquid Web includes daily backups as part of its Managed WooCommerce Hosting offering. So you’re fully covered.

Firewalls

Despite what their name suggests, firewalls work more like filters, constantly monitoring what data comes in and out of your network, and who visits your website. For example, firewalls carefully monitor access to your customer database by outside sources, and they protect your website from dangerous DDoS attacks and other malicious traffic.

Because firewalls scan huge amounts of data, they can become a drag on your website’s performance. Your IT team should choose one that keeps your pages loading quickly.
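The brute force attacks described in the password section are exactly the kind of traffic a filtering layer should catch: a single address posting to the login form many times in a short window. The following is an added example, not code from the original post or from Liquid Web, that reads web-server access logs in the common "combined" format and flags addresses that exceed a login-attempt threshold inside a sliding window, the way a fail2ban-style rule or firewall plugin would before blocking them. The log lines are constructed (TEST-NET addresses), the threshold and window are assumed defaults, and the code assumes lines arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.7 hammers the login form, 198.51.100.20 logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Jul/2018:10:00:04 +0000] "GET /shop/ HTTP/1.1" 200 18204 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Jul/2018:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2018:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2018:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed combined-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # ignore query strings
        "status": int(m.group("status")),
    }


def find_login_bruteforce(lines, threshold=5, window=timedelta(minutes=1),
                          login_path="/wp-login.php"):
    """Return {ip: time_first_flagged} for addresses that POST to the login form at
    least `threshold` times within any `window`. A deque per address holds only the
    timestamps still inside the window, so memory stays bounded on a busy log."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["time"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} exceeded the login-attempt threshold at {when.isoformat()}")
```

A WordPress login form returns 200 (the form again) on a failed attempt and a 302 redirect on success, so a stricter version of this rule could count only status-200 POSTs; the example counts every POST because an attacker's successful guess is the event you most want to see.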

Antivirus Protection

Like a firewall, antivirus protection identifies and eliminates (or quarantines) harmful computer viruses like trojans, bots, spyware, and worms that can infiltrate your server and cause chaos. Antivirus software monitors and scans downloaded programs and executable files, using common virus signatures to locate harmful programs. Many computer viruses are transmitted through phishing emails. Others contaminate devices through “drive-by downloads,” acquired by simply visiting an infected website.

Computer viruses spread. That’s their job, and you need the ability to keep them from spreading. One phishing email that infects your computer with a worm could potentially send thousands of infected emails to your customers with your letterhead on it! You would be contaminating their computers, putting their data at risk, and hurting your customer relationship.

Computer viruses can hurt sales. If customers can’t trust your emails, why would they trust your business? Install enterprise-level antivirus software from a reputable vendor and head off these problems before they happen.

Covered by Liquid Web’s Managed WooCommerce Hosting

Liquid Web performs nightly malware scans of your website to make sure you’re virus free.

Lock Down FTP Directories

If your core WordPress files and folders aren’t set at the correct permission levels via FTP, a hacker could find their way into your server and inject their own code or alter your site’s content. Locking down your site’s more sensitive directories will help limit who can read, write, and execute your website files.

The FTP permission schemes for WooCommerce are the same as those for any WordPress website, so adjusting and checking them only takes a little effort. While you should always give your server read and write permissions, make sure your FTP account only has write access to your root directory, wp-admin, wp-includes, and wp-content folders.
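Checking that nothing in the WordPress tree is writable by everyone, and that wp-config.php (which holds the database credentials) is not readable by everyone, is quick to automate. The following is an added example, not code from the original post or from Liquid Web; it walks a directory and reports risky mode bits, then demonstrates itself on a constructed throwaway tree. The baseline it enforces (no world-writable paths, no setuid/setgid bits, wp-config.php unreadable by group and other) is an assumed convention, not a rule taken from the post.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def audit_permissions(root):
    """Walk `root` and return a sorted list of (relative_path, problem) tuples.
    Symlinks are skipped so a link pointing outside the tree is not followed."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue
        perm = stat.S_IMODE(mode)
        rel = path.relative_to(root).as_posix()
        if perm & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if perm & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid bit set"))
        if path.name == "wp-config.php" and perm & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, "wp-config.php readable by group/other"))
    return findings


def recommended_mode(path):
    """Conventional WordPress modes (assumed baseline): 600 for wp-config.php,
    755 for directories, 644 for everything else."""
    path = Path(path)
    if path.name == "wp-config.php":
        return 0o600
    return 0o755 if path.is_dir() else 0o644


def demo():
    """Build a constructed WordPress-like tree with two deliberate mistakes, audit it,
    and clean up. Returns the findings so they can be checked."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    try:
        (base / "wp-content" / "uploads").mkdir(parents=True)
        (base / "wp-config.php").write_text("<?php // constructed sample\n")
        (base / "index.php").write_text("<?php // constructed sample\n")
        os.chmod(base / "wp-content", 0o755)
        os.chmod(base / "wp-content" / "uploads", 0o777)   # mistake: anyone can write here
        os.chmod(base / "wp-config.php", 0o644)            # mistake: credentials world-readable
        os.chmod(base / "index.php", 0o644)                # fine
        return audit_permissions(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

Run against a real install as `audit_permissions("/path/to/wordpress")`; the uploads directory is the usual offender because it must be writable by the web server, which is a reason to make it owner- or group-writable rather than world-writable.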

Server Segmentation

Some eCommerce platforms put your store on a shared environment alongside other websites. That not only hampers website performance and scalability, it also affects your WooCommerce site’s security. To avoid these issues, smart store owners are turning to hosts with server segmentation or “container” architectures. With segmentation, each website running on a server gets its own, isolated environment that shares the host server’s operating system.

Containers isolate your website from other websites on your server that could put yours at risk. In a shared server environment, one malware infection can quickly spread to every other website on a server. With segmentation, these threats are confined to the container that was infected.

Covered by Liquid Web’s Managed WooCommerce Hosting

Our managed service is built on the concept of “orchestrated” containers. They automatically expand to provide more resources when needed, while keeping your store isolated from others.

Managed WooCommerce Hosting Handles WooCommerce Security For You

To take your WooCommerce website to a new level of security, you need to begin with a solid foundation. Managed WooCommerce Hosting not only increases your website’s performance, it lets you easily add security features that seamlessly integrate into our hosting environment.


The post WooCommerce Security: How Secure Is Your Customers’ Data? appeared first on Liquid Web.
