Last week, Sucuri’s Ben Martin wrote about his recent experience with a client’s WooCommerce site that had been breached by a malicious credit card swiper (or “skimmer”) code injection.
While this may appear alarming, it’s important to note that the attack in question required a person with “complete” access to the site to modify its core files. This reported breach does not appear to be due to any WooCommerce-specific vulnerability. It serves as a reminder that there are plenty of malicious parties on the internet and that we, as an open eCommerce community, need to remain vigilant when it comes to security.
We’d like to take this opportunity to remind you to harden your WordPress installs appropriately and consider using security tools like Jetpack, which can identify and flag the modified WordPress core files that were the culprit here.
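The detection Jetpack performs here, flagging core files whose contents changed, is ordinary file-integrity monitoring, and it can be reproduced with a checksum baseline. The following POSIX shell script is an added example, not code from this post, from Sucuri's write-up, or from Jetpack: `make_baseline` records a SHA-256 for every file under a WordPress tree (excluding `wp-content/uploads`), and `verify_baseline` reports files that are modified, newly added, or missing since the baseline, which is exactly the footprint a skimmer injected into a core file leaves. It assumes `sha256sum`, `find` and `awk` are available, paths contain no whitespace, and the manifest is stored somewhere the web user cannot write (the `WP_ROOT` and `MANIFEST` variable names are this example's own). For an official comparison point, WP-CLI's `wp core verify-checksums` checks core files against WordPress.org's published checksums instead of a self-made baseline.

```shell
#!/bin/sh
# Added example: local checksum baseline for a WordPress install.
# Not the project's code; see the lead-in for assumptions.

# Print "sha256  ./relative/path" for every regular file under the tree,
# skipping user uploads, in a stable sort order.
hash_tree() {
    wp_root="$1"
    ( cd "$wp_root" && find . -type f ! -path './wp-content/uploads/*' \
        | LC_ALL=C sort \
        | while IFS= read -r f; do sha256sum "$f"; done )
}

# Write the baseline manifest. Run this on a known-clean install, right
# after an update, and store the manifest outside the web root.
make_baseline() {
    hash_tree "$1" > "$2"
}

# Compare the live tree against the manifest. Prints one line per
# difference (MODIFIED / NEW / MISSING) and returns 1 if any exist,
# 0 when the tree matches the baseline.
verify_baseline() {
    wp_root="$1"; manifest="$2"
    current=$(mktemp)
    hash_tree "$wp_root" > "$current"
    # awk: first file is the baseline, second is the live tree.
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (f in base)
                if (!(f in cur))             print "MISSING", f
                else if (cur[f] != base[f])  print "MODIFIED", f
            for (f in cur)
                if (!(f in base))            print "NEW", f
        }' "$manifest" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Manual usage (assumed variable names):
#   WP_ROOT=/var/www/html MANIFEST=/var/lib/wp-baseline.sha256 sh wp-integrity.sh
# First run writes the baseline; later runs verify against it.
if [ -n "${WP_ROOT:-}" ] && [ -n "${MANIFEST:-}" ]; then
    if [ -f "$MANIFEST" ]; then
        verify_baseline "$WP_ROOT" "$MANIFEST" && echo "clean: tree matches baseline"
    else
        make_baseline "$WP_ROOT" "$MANIFEST" && echo "baseline written to $MANIFEST"
    fi
fi
```

Schedule the verify step from cron and alert on a non-zero exit; a legitimate WordPress or plugin update will also trip it, so regenerate the baseline immediately after each update you performed yourself, and treat any other MODIFIED or NEW entry under `wp-includes`, `wp-admin` or the site root as something to inspect.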
We also recommend reviewing our guide to WooCommerce user roles, permissions, and security, as it contains valuable information regarding best practices for eCommerce businesses of any size. A security FAQ page is also available in the official WooCommerce documentation.
Be sure to regularly review your site’s roles and permissions, utilize secure usernames and passwords, back up your store, and be cautious when sharing login credentials for any reason.