WooCommerce Security Review and Issues Analysis

The complete WooCommerce Security Review and Issues Analysis

Let’s start with some statistics

One of the articles on WP White Security gives the statistics of hacked websites:

  • 41% were hacked through a vulnerability of the hosting account
  • 29% were hacked via a security issue in the WordPress theme they were using
  • 22% were hacked via a security issue in the WordPress plugins they were using
  • 8% were hacked because of a weak password

Choose reliable hosting

41% of the hacks were enabled due to security issues on hosting platforms, so choosing a high-quality hosting company is very important. A good hosting platform should meet the following criteria:

  • Support for the latest versions of PHP and MySQL
  • Optimized for WordPress
  • Scanning for malware and junk files

Also, do not forget to back up the database and files.

Important installation settings

WordPress Security Keys. Keys improve the encryption of information stored in visitor cookies. They also make it harder for your password to be hacked, since random elements are added to it. Keys can be changed in wp-config.php.

Changing the database table prefix. This can help prevent SQL injection attacks that rely on the default table names. The prefix for the table names is set in your wp-config.php file.

WordPress Themes and Plugins

In more than 50% of cases, malicious users get access to sites through security holes in plugin and theme code. Therefore, it is important to weigh all the pros and cons before using any plugin or theme.

Use the correct file/directory permissions

This is another important step in improving security. Setting 777 permissions on a directory (everyone can read, write and execute) allows attackers to upload files to this directory or modify existing ones. It is recommended to set the following permissions (usually you can do this through the hosting panel or the FTP client):

  • All directories must have 755 or 750 permissions
  • All files must have 644 or 600 permissions
  • For wp-config.php, set 600 permissions.
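
The permission list above can be checked mechanically. The following is an added example, not code from the original article: a POSIX shell function (the name audit_wp_perms and the sample tree are constructed for illustration) that reports every directory, file and wp-config.php whose mode deviates from that list.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress tree against the
# permission list above. audit_wp_perms is a hypothetical helper name.
# Prints one line per deviation; returns 0 if clean, 1 on findings, 2 on bad input.
audit_wp_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $1" >&2; return 2; }
    cfg="$root/wp-config.php"
    findings=$(
        # Directories must be exactly 755 or 750 (this catches 777).
        find "$root" -type d ! -perm 755 ! -perm 750 -print | sed 's/^/DIR /'
        # Regular files must be 644 or 600; wp-config.php is checked separately.
        find "$root" -type f ! -path "$cfg" ! -perm 644 ! -perm 600 -print |
            sed 's/^/FILE /'
        # wp-config.php must be exactly 600.
        if [ -f "$cfg" ]; then
            find "$cfg" ! -perm 600 -print | sed 's/^/CONFIG /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: a world-writable uploads directory and a 644 wp-config.php.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
: > "$demo/index.php"; : > "$demo/wp-config.php"
chmod 755 "$demo" "$demo/wp-content"; chmod 777 "$demo/wp-content/uploads"
chmod 644 "$demo/index.php" "$demo/wp-config.php"
audit_wp_perms "$demo" || echo "audit status: $?"
rm -rf "$demo"
```

Because the checks use exact mode matches, a directory with extra bits set (for example setgid) is reported as well and can be reviewed by hand.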

Disable script error messages

If any of your plugins or themes contains an error, a message about it may appear on the site. It usually shows the complete path to your website directory. This information is useful for hackers. You can disable script error messages by adding the following lines to the wp-config.php file.

Forcing SSL

If you want the information you transmit to be protected, you need to use an SSL protocol that ensures the integrity and confidentiality of data exchanges. In WordPress, it’s as easy as pie.

First of all, find out whether your hosting provider supports SSL. If so, open the wp-config.php file and add the following line.

    define('FORCE_SSL_ADMIN', true);

Hide the WordPress version

WordPress automatically inserts its version number into the source code of its pages. Unfortunately, it is not always possible to update the engine in time. An attacker who knows which version of WordPress you run also knows its drawbacks and weaknesses, and may cause a lot of trouble for you. To hide the WordPress version, open functions.php in the folder of your blog's active theme (wp-content/themes/your-theme-name/) and add the following code:

    remove_action('wp_head', 'wp_generator');

Plugins to enhance WordPress and WooCommerce security


When it comes to WordPress and WooCommerce security plugins, Wordfence is always the first one to mention. The plugin has scored 4.9 stars out of 5. When choosing a security plugin, Wordfence, with such an impressive result, deserves your attention.

All In One WP Security & Firewall

This is an easy-to-use, robust and reliable WordPress security plugin. It reduces security risk by checking for vulnerabilities, eliminating them and implementing the latest recommended practices and methods of protecting WordPress. The plugin is 100% free.