Tags: WooCommerce, WordPress Security, Ecommerce

Locking Down WooCommerce: A Security Checklist That Actually Works

Learn how to secure a WooCommerce site with practical steps for SSL, headers, payment integrity, admin hardening, and ongoing monitoring.

WebSentry Team · June 2, 2026 · 6 min read

WooCommerce powers a huge chunk of the web's online stores, which makes it a constant target. Attackers aren't trying to break your store specifically — they're scanning millions of sites for known weaknesses and hitting whatever responds. If you run or build WooCommerce sites, you need a defence that holds up against automated attacks, card skimming scripts, and credential stuffing.

This is a practical checklist of what actually matters, in roughly the order you should tackle it.

1. Get the foundations right: hosting, PHP, and updates

Most compromised WooCommerce sites I've seen weren't hacked through clever exploits — they were running outdated PHP, an abandoned plugin, or shared hosting with no isolation.

  • PHP 8.1 or newer. Older versions stop receiving security patches. Check via Tools → Site Health in WordPress admin.
  • Managed WordPress or VPS hosting with proper account isolation. Avoid cheap shared hosts where one infected neighbour can compromise your site.
  • Automatic minor updates for WordPress core, and a weekly manual check for plugin and theme updates. Test on staging first if you have one.
  • Audit your plugins ruthlessly. Delete anything you don't use. Each plugin is a potential attack surface — and abandoned plugins (no updates in 12+ months) should be replaced.

WooCommerce-specific updates

WooCommerce often ships security releases that don't make front-page news. Subscribe to the WooCommerce developer blog or follow @WooCommerce for advisories. Major version jumps (e.g. 8.x to 9.x) sometimes deprecate older payment gateway plugins — check compatibility before updating in production.

2. Force HTTPS everywhere — and verify the configuration

SSL isn't just about the padlock. WooCommerce handles payment data and login sessions, so a single mixed-content warning can spook customers and a weak TLS configuration can fail PCI DSS requirements.

  1. Install a certificate from Let's Encrypt or your host. Free is fine — paid EV certs offer no real security advantage.
  2. Force HTTPS site-wide. In wp-config.php set define('FORCE_SSL_ADMIN', true); this forces the login and admin area over HTTPS; your public site URLs must also use https://.
  3. Enable HSTS with a long max-age once you're confident HTTPS is stable: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Only add the preload token once every subdomain serves HTTPS, because removal from the browser preload lists is slow.
  4. Disable TLS 1.0 and 1.1 at the server level. Only TLS 1.2 and 1.3 should be active.

You can verify your full TLS posture, certificate chain, and HSTS configuration in seconds with a WebSentry scan — it'll also flag if your subdomains (like checkout. or cdn.) are missing the same protection.

3. Harden security headers

Headers are one of the cheapest, highest-impact defences for an ecommerce site. They protect against XSS, clickjacking, and supply-chain attacks against your payment pages.

The headers that matter for WooCommerce

  • Content-Security-Policy (CSP) — the single biggest defence against card skimmers like Magecart. Start in report-only mode, then enforce.
  • X-Frame-Options: SAMEORIGIN — prevents your checkout being embedded in a malicious iframe.
  • X-Content-Type-Options: nosniff — stops MIME confusion attacks.
  • Referrer-Policy: strict-origin-when-cross-origin — avoids leaking checkout URLs to third parties.
  • Permissions-Policy — disable APIs you don't use (camera, microphone, geolocation).

Building a CSP for WooCommerce is fiddly because of payment iframes (Stripe, PayPal) and tracking scripts. Use report-only mode for two weeks, collect violation reports, then tighten.
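The "report-only for two weeks, then tighten" workflow needs a way to turn the collected violation reports into a concrete allowlist. The script below is an added example, not code from the article or from WooCommerce: it parses reports in the JSON wrapper browsers POST to a report-uri endpoint, counts blocked sources per directive, drops low-volume noise (browser extensions, one-off scanners) and anything that is not an https origin, and keeps 'unsafe-inline' and 'unsafe-eval' in a separate "review" list rather than allowing them. The sample reports are constructed; js.stripe.com stands in for the payment script the article mentions, and cdn.example-vendor.net and the extension id are placeholders.

```python
"""Turn CSP violation reports from a report-only run into a per-directive
allowlist proposal. Added example; the sample reports are constructed."""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit


def make_report(directive, blocked):
    """Build one constructed report in the report-uri JSON wrapper format."""
    return json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout/",
        "violated-directive": directive + " 'self'",
        "effective-directive": directive,
        "blocked-uri": blocked,
    }})


# Constructed sample submissions; hostnames are placeholders except js.stripe.com.
SAMPLE_REPORTS = [
    make_report("script-src", "https://js.stripe.com/v3/"),
    make_report("script-src", "https://js.stripe.com/v3/"),
    make_report("frame-src", "https://js.stripe.com/v3/"),
    make_report("frame-src", "https://js.stripe.com/v3/"),
    make_report("script-src", "inline"),
    make_report("script-src", "inline"),
    make_report("img-src", "https://cdn.example-vendor.net/pixel.gif?id=1"),
    make_report("img-src", "https://cdn.example-vendor.net/pixel.gif?id=2"),
    make_report("script-src", "chrome-extension://abcdefgh/content.js"),  # extension noise
    "{not valid json",  # malformed submission, should be skipped
]

# Keyword values browsers put in blocked-uri and the source expression each maps
# to. Entries in REVIEW weaken the policy: fix the cause (move inline scripts to
# files or use nonces) instead of allowing them on checkout.
KEYWORDS = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'", "data": "data:", "blob": "blob:"}
REVIEW = {"'unsafe-inline'", "'unsafe-eval'"}


def blocked_source(blocked_uri: str) -> str:
    """Reduce a blocked-uri to the source expression that would allow it:
    a keyword for inline/eval, otherwise the origin with path and query dropped."""
    if blocked_uri in KEYWORDS:
        return KEYWORDS[blocked_uri]
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "<unknown>"


def aggregate(raw_reports):
    """Count violations per (effective directive, source). Malformed reports are
    dropped silently; report endpoints receive plenty of junk."""
    counts = defaultdict(Counter)
    for raw in raw_reports:
        try:
            body = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue
        directive = body.get("effective-directive") or body.get("violated-directive", "").split(" ")[0]
        if not directive:
            continue
        counts[directive][blocked_source(body.get("blocked-uri", ""))] += 1
    return counts


def propose(counts, min_hits=2, allowed_schemes=("https",)):
    """Build {'allow': {directive: [origins]}, 'review': {directive: [keywords]}}.
    Sources seen fewer than min_hits times are treated as noise, and only https
    origins are ever proposed for a checkout page."""
    allow, review = defaultdict(list), defaultdict(list)
    for directive, sources in counts.items():
        for source, hits in sources.items():
            if hits < min_hits:
                continue
            if source in REVIEW:
                review[directive].append(source)
            elif source.split("://")[0] in allowed_schemes:
                allow[directive].append(source)
    return {"allow": {d: sorted(v) for d, v in allow.items()},
            "review": {d: sorted(v) for d, v in review.items()}}


def render_policy(proposal, base=("'self'",)):
    """Serialize the allow part as a Content-Security-Policy header value."""
    return "; ".join(" ".join([d, *base, *proposal["allow"][d]])
                     for d in sorted(proposal["allow"]))


if __name__ == "__main__":
    proposal = propose(aggregate(SAMPLE_REPORTS))
    print("Proposed policy:", render_policy(proposal))
    print("Needs review:", proposal["review"])
```

The min_hits threshold is the important design choice: a single report from a browser extension or a scanner should not earn an origin a place in your policy, and anything under "review" is a signal that a theme or plugin still injects inline script on checkout.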

4. Lock down the admin and customer accounts

Credential stuffing is the most common attack against WooCommerce. Attackers buy leaked email/password combos and try them against /wp-login.php and /my-account/.

  • Rename the admin login URL with a plugin like WPS Hide Login. It won't stop a determined attacker but cuts bot traffic by 90%+.
  • Enforce 2FA for all admin and shop manager accounts. Wordfence, Two-Factor, or miniOrange all work.
  • Rate-limit login attempts at the WAF or plugin level (Limit Login Attempts Reloaded is solid).
  • Disable XML-RPC unless you specifically need it — it's a common brute-force vector.
  • Require strong passwords for customers via a plugin or custom validation. A breached customer account can be used to commit refund fraud.

Database and file permissions

Set files to 644, directories to 755, and wp-config.php to 600. Block PHP execution in /wp-content/uploads/ via your web server config — this single rule blocks most webshell uploads.

5. Protect the checkout from skimmers

Card skimming (Magecart) is the defining ecommerce threat of the last five years. Attackers inject JavaScript that copies card details as customers type them. Defences:

  • Use hosted payment fields (Stripe Elements, PayPal hosted fields) rather than processing cards directly. Cross-origin iframes are isolated from the parent page's JS, so a skimmer injected into your page cannot read what the customer types into them.
  • Subresource Integrity (SRI) on every third-party script you load on checkout pages.
  • CSP with a strict script-src whitelist. No 'unsafe-inline' on checkout.
  • Monitor file integrity. Plugins like Wordfence or external tools alert you when core or plugin files change unexpectedly.
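Subresource Integrity only helps if the integrity values are generated from the exact bytes you intend to load and checked the way browsers check them. The block below is an added example, not code from the article or from any library: it computes SRI tokens, renders the script tag with the crossorigin attribute SRI requires for cross-origin resources, and verifies data against an integrity attribute using the browser rule that when several algorithms are listed only the strongest one counts. The script body and the vendor URL are constructed placeholders.

```python
"""Generate and verify Subresource Integrity values for third-party scripts on
checkout pages. Added example; the script body below is a constructed stand-in."""
import base64
import hashlib

# Constructed stand-in for a vendor script; in practice use the exact bytes
# fetched from the vendor's versioned URL, since any change breaks the pin.
SAMPLE_SCRIPT = b"window.vendorTracker = function () { /* placeholder */ };\n"

# Algorithms SRI permits, weakest to strongest. When an integrity attribute lists
# several, browsers honour only tokens of the strongest algorithm present.
ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Apply the browser matching rule: keep only tokens of the strongest
    algorithm present, then accept if any of them matches the data."""
    tokens = {}
    for token in integrity.split():
        algo, _, digest_b64 = token.partition("-")
        if algo in ALGORITHMS and digest_b64:
            tokens.setdefault(algo, set()).add(digest_b64)
    if not tokens:
        # No usable token: a browser would load the resource unchecked, so
        # report it as unverified rather than silently passing.
        return False
    strongest = max(tokens, key=ALGORITHMS.index)
    actual = sri_hash(data, strongest).partition("-")[2]
    return actual in tokens[strongest]


def script_tag(src: str, data: bytes, algo: str = "sha384") -> str:
    """Render a <script> tag pinned to the given bytes; crossorigin="anonymous"
    is required for SRI to apply to a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(data, algo)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Placeholder URL, not a real vendor endpoint.
    print(script_tag("https://cdn.example-vendor.net/v1.2.3/track.js", SAMPLE_SCRIPT))
    print("verified:", verify_sri(SAMPLE_SCRIPT, sri_hash(SAMPLE_SCRIPT)))
    print("tampered:", verify_sri(SAMPLE_SCRIPT + b"//x\n", sri_hash(SAMPLE_SCRIPT)))
```

Pin only scripts served from a versioned URL whose content does not change in place; a vendor that updates an unversioned script (payment providers' main JS bundles are the usual case) cannot be pinned this way, and for those the CSP host allowlist and hosted fields carry the weight.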

6. DNS, CORS, and cookies

These are the areas site owners often miss because they're invisible from the front end.

  • DNSSEC if your registrar supports it, to prevent DNS hijacking.
  • CAA records restricting which CAs can issue certificates for your domain.
  • SPF, DKIM, and DMARC for transactional emails (order confirmations, password resets). Without these, your emails go to spam and attackers can spoof your domain.
  • Cookies: session and cart cookies should have Secure, HttpOnly, and SameSite=Lax at minimum. WooCommerce sets reasonable defaults but plugins often override them.
  • CORS: if you've enabled the WooCommerce REST API, lock down Access-Control-Allow-Origin to your specific frontend domain — never *.
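The header and cookie items in sections 3 and 6 are easy to regress with a plugin update, so it helps to have a check you can run against a captured response. The script below is an added example, not code from the article or from WebSentry: it parses a raw HTTP response header block, evaluates HSTS, CSP, the presence headers, cookie flags and the CORS origin against the checklist, and returns findings with a severity. Both header blocks are constructed stand-ins for a checkout page, one weak and one hardened; they are not captures from any real site.

```python
"""Audit a response's security headers and cookie flags against the checklist.
Added example; both header blocks are constructed, not captured from a real site."""
import re

ONE_YEAR = 31536000

WEAK_HEADERS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://js.stripe.com
X-Content-Type-Options: nosniff
Set-Cookie: woocommerce_cart_hash=abc123; path=/; HttpOnly
Set-Cookie: wordpress_logged_in_x=token; path=/; secure; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: *
"""

HARDENED_HEADERS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Set-Cookie: wordpress_logged_in_x=token; Path=/; Secure; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: https://shop.example
"""


def parse_headers(raw: str) -> dict:
    """Map lowercased header names to every value seen (Set-Cookie repeats)."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directive(policy: str, name: str):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit(raw: str) -> list:
    """Return (severity, message) findings; an empty list means the checklist passed."""
    h = parse_headers(raw)

    def first(name):
        return h.get(name, [None])[0]

    findings = []
    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age {age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains"))

    csp = first("content-security-policy")
    if csp is None:
        if first("content-security-policy-report-only"):
            findings.append(("info", "CSP is report-only, not enforced"))
        else:
            findings.append(("high", "Content-Security-Policy missing"))
    else:
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts:
            findings.append(("high", "CSP script-src allows 'unsafe-inline'"))

    # Presence checks; X-Frame-Options is redundant once CSP frame-ancestors is set.
    expected = {
        "x-frame-options": ("high", ("deny", "sameorigin")),
        "x-content-type-options": ("medium", ("nosniff",)),
        "referrer-policy": ("low", None),
        "permissions-policy": ("low", None),
    }
    for name, (severity, allowed) in expected.items():
        value = first(name)
        if value is None:
            if name == "x-frame-options" and csp and csp_directive(csp, "frame-ancestors") is not None:
                continue
            findings.append((severity, f"{name} missing"))
        elif allowed and value.lower() not in allowed:
            findings.append((severity, f"{name} has unexpected value {value!r}"))

    for cookie in h.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(("medium", f"cookie {cname} lacks {flag}"))

    if first("access-control-allow-origin") == "*":
        findings.append(("medium", "Access-Control-Allow-Origin is the wildcard *"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity for a quick before/after comparison."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts
```

Run it against the weak block and it reports the short HSTS max-age, the 'unsafe-inline' script source, the missing framing and policy headers, the cart cookie without Secure and SameSite, and the wildcard CORS origin; the hardened block produces no findings. Feeding it a real response captured after each deploy gives you the recurring checkpoint section 8 asks for.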

7. Backups and incident readiness

Assume you'll be breached eventually. The difference between a bad week and an extinction event is your ability to recover.

  • Daily automated backups stored off-site (UpdraftPlus to S3, Jetpack VaultPress, or your host's solution).
  • Test a restore quarterly. Backups you've never tested don't exist.
  • Keep at least 30 days of retention — many breaches aren't detected for weeks.
  • Document your incident response: who do you call, who do you notify (customers, card processor, regulators under GDPR/CCPA), and how do you take the site offline cleanly.

8. Make security monitoring continuous, not annual

A WooCommerce site changes constantly — new plugins, theme tweaks, payment gateway updates. Each change can quietly break a header, weaken a CSP, or expose an endpoint. A one-off audit is worth far less than a recurring check.

Run a free WebSentry scan against your store at websentry.dev to get an A–F grade across SSL, headers, CSP, cookies, DNS, and CORS — and use it as a regular checkpoint every time you push a significant change to production.
