WooCommerce stores handle customer data, payment tokens, and login credentials — making them a high-value target for attackers. This guide covers seven practical hardening steps that close the most common attack vectors, from keeping plugins updated to configuring a Web Application Firewall.
Outdated software is the number-one cause of compromised WooCommerce stores. Enable auto-updates for WordPress core (minor releases) and for any plugin that does not modify critical business logic. For plugins you cannot auto-update — payment gateways, custom integrations — set a calendar reminder to review and update them weekly. Always take a backup before applying updates.
Weak passwords and single-factor logins are a gift to brute-force bots. Require every admin and shop-manager account to use a password of at least 16 characters. Install a two-factor authentication (2FA) plugin and enforce it for all users with access to the WordPress admin panel. Disable XML-RPC if you do not use the WordPress mobile app or Jetpack — XML-RPC is a common brute-force vector.
Add these lines to your wp-config.php: disable the plugin and theme file editor with DISALLOW_FILE_EDIT, force SSL for login and admin with FORCE_SSL_ADMIN, and change the default table prefix from wp_ to something unique. Move wp-config.php one directory above the web root if your host supports it — this prevents the file from being served if PHP processing fails.
An SSL certificate encrypts data between the customer's browser and your server. Most hosts include a free Let's Encrypt certificate. Once installed, go to Settings → General and change both URLs to https://. Then install a plugin like Really Simple SSL to handle mixed-content redirects and set the HSTS header. Your entire site must load over HTTPS — not just the checkout page.
A Web Application Firewall (WAF) sits between your visitors and your site, blocking SQL injection, cross-site scripting, and known attack patterns before they reach WordPress. Install a security plugin that includes a WAF, malware scanner, and login-protection module. Configure the firewall in "learning mode" for the first week so it maps your normal traffic before switching to full blocking.
If your store is compromised, a clean backup is the fastest path to recovery. Schedule daily database backups and weekly full-site backups (files + database). Store backups off-site — not on the same server as your store. Use a backup plugin that supports one-click restore and encrypts the backup files. Test a restore at least once: a backup you have never restored is a backup you do not have.
Install a file-integrity monitoring plugin that compares your core WordPress files against the official checksums and alerts you when a file has been modified. Combine this with a scheduled malware scanner that runs daily. If you receive an alert, take the site offline immediately, restore from a clean backup, and change all passwords — do not try to "clean" a compromised site while it is still live.
WAF + malware scanner + login protection in one plugin. Free tier covers the essentials; Premium adds real-time threat intelligence.
The most popular WordPress backup plugin. Scheduled backups to cloud storage with one-click restore.