I’m worried about my WooCommerce store security

You can call it anxiety or doubts instilled because of the talk about how the web is insecure generally, and if someone invests time in building something for themselves, it's critically challenging to make sure it remains secured.

I have currently installed Cloudflare security plugin. But I'm still worried and not sleeping well.

What do you all suggest I should do to make sure everything is tightly secured?

5 Comments
  1. If your store is local, you could use Cloudflare rules to block or redirect visitors from countries which you’re not interested in or which send a lot of bad traffic.

    In the paid Cloudflare plans, you also have a better WAF.

    Wordfence also has a good reputation as a security plugin. Wordfence runs on your server, while Cloudflare is a proxy between the server and visitors. So, they could work together. 

  2. If you do this alone, we can eliminate insider threats from the start.

    Next make sure that:

    * Your Linux host is hardened up to CIS benchmark (i.e. changed ssh port, no remote root login, no remote password auth)
    * Enable AppArmor/SELinux on your Linux server
    * Monitor critical OS files for modifications
    * Do daily security scans + report any findings to your email
    * You force HTTP->HTTPS redirects
    * Make sure you update/patch all critical vulnerabilities timely (Linux, Apache/Nginx/DB, WordPress + Plug-ins)
    * You have WAF module (owasp-modsecurity) in your Apache enabled
    * Make sure you have strong password-policy for all users
    * Add second-factor authentication to your store (especially high-privilege accounts)
    * You do off-site encrypted backups
    * You have DDoS protection enabled (check that your DNS zone on CloudFlare doesn’t have unnecessary pass-through records enabled)
    * Your SSL certificate is always valid/up-to-date (add some monitoring)
    * You rely on a trusted DNS provider for making outgoing connections (Payment, Email) from your server
    * Your hosting provider has an IT security certification (ISO 27000, PCI DSS etc.)
    * Use separate browser (or VM) when accessing your store as admin
    * Run weekly external security scans

    PS: If paranoid – you can even encrypt your DB (or the whole filesystem)
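Two items from the checklist above turned into working code, as an added example that is not from the thread or any commenter: an audit of an `sshd_config` text for the SSH items (non-default port, no remote root login, no password auth) and a minimal file-integrity monitor for "critical OS files" (record SHA-256 hashes once, compare later, report drift). The sample configs, file names and the list of expected values are constructed assumptions for illustration; the parser ignores `Match` blocks and the `key=value` syntax, so treat it as a starting point rather than a full sshd_config reader.

```python
"""Hardening checks for two items of the checklist: SSH settings and file integrity.
Added example; sample inputs and expected values are constructed assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path

# Target values for the SSH items in the checklist (assumed CIS-style targets).
SSHD_EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}

# Constructed samples, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# weak sample
Port 22
PermitRootLogin yes
# PasswordAuthentication no   <- commented out, so it is NOT in effect
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the effective directives.
    sshd honours the FIRST occurrence of a keyword, so duplicates later in
    the file are ignored here as well. Comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every checked item passes."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") == "22":          # sshd defaults to 22 when unset
        findings.append("Port: still on default 22")
    for key, want in SSHD_EXPECTED.items():
        have = cfg.get(key)
        if have is None:
            findings.append(f"{key}: not set explicitly (default may be permissive)")
        elif have.lower() != want:
            findings.append(f"{key}: is '{have}', expected '{want}'")
    return findings


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Map each existing regular file to its SHA-256 digest (the stored baseline)."""
    return {str(p): sha256_file(p) for p in map(Path, paths) if p.is_file()}


def compare(base, paths):
    """Re-hash the files and diff against a stored baseline.
    Returns sorted lists under 'modified', 'missing' and 'new'."""
    current = baseline(paths)
    return {
        "modified": sorted(p for p in base if p in current and current[p] != base[p]),
        "missing": sorted(p for p in base if p not in current),
        "new": sorted(p for p in current if p not in base),
    }


def demo_fim():
    """Constructed scenario: baseline three files, then tamper with one, delete one
    and drop an unexpected file next to them. Returns the report by basename."""
    with tempfile.TemporaryDirectory() as d:
        files = [os.path.join(d, n) for n in ("passwd", "sudoers", "wp-config.php")]
        for p in files:
            Path(p).write_text(f"original contents of {os.path.basename(p)}\n")
        base = baseline(files)
        Path(files[1]).write_text("tampered\n")           # modified
        os.remove(files[2])                                # missing
        extra = os.path.join(d, "unexpected.bin")
        Path(extra).write_text("x")                        # new, not in baseline
        report = compare(base, files + [extra])
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
    print(demo_fim())
```

In practice the baseline would be written to disk (or better, to a host you control off the server) and `compare` run from cron against real paths such as `/etc/passwd`, `/etc/sudoers` and `wp-config.php`; the report then feeds the daily email the checklist asks for. The audit deliberately flags a directive that is merely commented out, which is the most common way a "hardened" sshd_config fails inspection.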

  3. Everyone so far has good suggestions about server security, updates, backups etc. I would add: educate your store admins about email security, phishing and how stores get scammed with stolen credit cards, and about looking out for big or unusual orders. Consider 2FA for the store admins. reCAPTCHA / Turnstile at checkout and login. Check what security options the payment providers offer other than the default settings. Send products in a way that requires a signature on delivery as proof it arrived; offer express and parcel insurance.

  4. Make sure to keep everything up-to-date, use strong passwords and 2FA, back up regularly, use Wordfence, use SSL, monitor your site for unusual activity, and you can also hire a professional for a security audit.
