Security update: Best practices for securing your WooCommerce site

Last week, Sucuri’s Ben Martin wrote about his recent experience with a client’s WooCommerce site that had been breached by a malicious credit card swiper (or “skimmer”) code injection.

While this may appear alarming, it’s important to note that the attack in question required a person with “complete” access to the site to modify its core files. This reported breach does not appear to be due to any WooCommerce-specific vulnerability. It serves as a reminder that there are plenty of malicious parties on the internet and that we, as an open eCommerce community, need to remain vigilant when it comes to security.

We’d like to take this opportunity to remind you to harden your WordPress installs appropriately and consider using security tools like Jetpack, which can identify and flag the modified WordPress core files that were the culprit here.

We also recommend reviewing our guide to WooCommerce user roles, permissions, and security, as it contains valuable information regarding best practices for eCommerce businesses of any size. A security FAQ page is also available in the official WooCommerce documentation.

Be sure to regularly review your site’s roles and permissions, utilize secure usernames and passwords, back up your store, and be cautious when sharing login credentials for any reason.

Stay safe!

2 responses to “Security update: Best practices for securing your WooCommerce site”

  1. simbahosting Avatar

    “consider using security tools like Jetpack”

    Having heard from a number of people whose sites were defaced through Jetpack, this advice made me raise my eyebrow. (The attacker gained access to their Jetpack account – I am not completely clear on how – but having gained that access, they leveraged it to install malicious code on the connected sites).

    1. Peter Fabian Avatar
      Peter Fabian

      Hi simbahosting,

      While we, of course, understand that any additional code can potentially lead to an increase in attack surface, it is up to the user to use a strong password for their WordPress installation and Jetpack account. When those credentials get compromised, the site is open to hackers.

      Jetpack has a strong focus on security and quick turnaround time for fixing vulnerabilities. Similarly to other security plugins in the WordPress ecosystem, it provides additional layers of security, like checks for malware, scans of integrity of WordPress and plugin files or brute force attack protection. In addition, we always recommend users to activate 2 factor authentication for Jetpack/ accounts, which helps against user account credential attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *