WordPress is the CMS (content management system) with the largest amount of installations in the world.
Being the biggest means having an amazing developer ecosystem that contributes to the extensibility of the open web.
It also means that website security is of paramount importance when using WordPress because the software accounts for the majority of vulnerable websites on the internet.
In other words, the same thing that makes WordPress awesome (third party plugins and themes), also makes it a huge target for hackers and attackers, and hacks can be an expensive problem.
With a price tag like that, WordPress security is incredibly important whether you run your own ecommerce WordPress website or build sites for others.
Fortunately, the developers that work on the core of WordPress have gone to great lengths to maintain a secure piece of software.
In this article, I’ll walk you through extra security measures you can take to minimize the risk of attack. We’ll also take a look at some plugins that are specifically designed to help mitigate security risks and keep customer data out of harm’s way.
WordPress Security Tips You Can Implement Right Now
Creating a more secure WordPress website doesn’t have to take a long time, but you’ll want to know what to look for as you’re securing your site.
Here are some hard-hitting quick things you can do as you start to focus on WordPress security basics.
1. Secure your site with SSL.
SSL (secure socket layer) is a protocol that helps encrypt and secure communications to and from your ecommerce website.
This protocol also helps to secure any private information your customers send to your website and/or payment processors.
And of course, it protects you from snoopers trying to grab your administrator username and password as you login to administer your WordPress ecommerce site.
SSL is so important for website and WordPress security that web browsers like Google Chrome show warnings for websites that aren’t encrypted using a secure certificate.
And, when it comes to search rankings, SSL is also a search indicator that helps determine how high a website will appear in Google search listings.
Whereas SSL used to be an option, now it’s required in order to have a fully available and secure website on the internet.
2. Tighten up passwords.
Setting and following a password policy for your users is more important than simply having one secure password.
After all, it’s possible that in the future you’ll give admin access to vendors, partners, or clients, and any of those user accounts could be used to compromise the entire website and steal information.
Nowadays it’s not enough that a password is difficult to guess.
As hacks of large institutions and other websites have become more common (and databases of stolen passwords are shared on the dark web), reusing a password on your site is an easy way for a would-be hacker to find their way into the private parts of your ecommerce website.
As for how to create a secure password, WordPress security threats are changing all the time, and so are password best practices.
Krebs is a great resource for learning the dos and don’ts of strong password creation.
3. Limit permissions when needed.
Think of access to your backend website as a need-to-know sorta thing.
The security of your website ultimately depends on how the people that have access to the system exercise their access. Think about each type of user that needs access to your website and consider what type of access they need.
Customers need to know information about products and services (usually publicly available information) but don’t need to know what the backend of the website looks like or how to access your hosting account.
Editors need to know how to access your website to edit posts and draft new items but don’t need to know how your ecommerce website is configured or how to access your hosting account.
Administrators probably need the most access, but some administrators might only need access for a short time while they troubleshoot an issue or work on a special project.
Consider the fact that even you might want to give up administrative access after delivering a website to a client if your contract ends with that delivery.
Pick and document an access policy and how you’ll limit permissions (and the length of time a user will have their assigned access) for each type of user.
And always remember, once a user stops performing work on the website, their user profile should be removed completely and their associated content should be moved to another user.
4. Keep WordPress updated.
Back when content management systems were first being built, it was difficult to keep a website up-to-date.
There were manual actions that needed to be performed, technical modifications, and changes in the software that often broke older versions of third-party code.
These days, WordPress has evolved into one of the most updateable content management systems in the world. Because software with vulnerabilities is often the cause of WordPress security issues, keeping WordPress core software and related plugins and themes updated is key to winning the fight against would-be hackers.
While it might seem scary, consider auto-updating plugins and WordPress minor software versions to keep your ecommerce website in perfect shape.
An error caused by an update is usually always better than an error caused by a hacked site.
If you don’t prefer to auto-update your ecommerce website, create a regular update schedule where updates are tested and applied on a regular interval (weekly or monthly). Also, include an exception for critical updates that might need to be made quickly to avoid catastrophic security issues.
5. Make sure your hosting is secure.
If your hosting isn’t secure, all other attempts at keeping your website software secure might be for not.
Large providers like WPEngine, GoDaddy, and LiquidWeb are focused on WordPress security and take care to secure customer hosting accounts, their servers, and hosting user accounts.
If you’re working with an ecommerce website on a smaller or self-hosted provider, consider moving the site to a larger provider if the specifications of the site don’t require extremely specialized hosting. Often larger providers have more resources to dedicate to network and software security.
6. Backup your site.
No WordPress security measure is better than having a clean backup of your website. If your website suffers an attack, having a backup will make it much easier to recover your hard work, and usually will save you from having to build a new site from scratch.
As you decide where and how often you’ll backup your website, make sure to consider keeping your backup off-site (backed up somewhere other than your website or web host) so you can restore it easily if something goes wrong.
There are a ton of services that help ease the process of automating backups. Here are a few products that make off-site backups simple!
- Rewind.io – Automated backups with the ability to restore your store to a particular moment in time (and the service is designed to work with BigCommerce)
- ManageWP – Daily off-site automated backups for your website files to many popular backup services including Google Drive and DropBox.
- BackupBuddy – Another great solution for off-site automated backups for your website files that work seamlessly with services like BackupBuddy Stash, Amazon S3, Google Drive, and Dropbox.
7. Secure your WordPress admin.
While a savvy hacker can probably figure out where the admin area of your website is, it’ll be tougher to hack if you take some basic precautions to validate that it’s a human attempting to login.
Consider making it harder for hackers by limiting the number of login attempts and adding a CAPTCHA to the login form itself.
These are both tactics that make it harder for a robot to gain access and give you extra time to notice continuous access by a suspicious third party.
8. Add two-factor authentication.
It’s a good idea to use two-factor authentication any time the option is available (a quick crash course on 2FA). It’s the same technology used by banks and online shopping websites, and it’s something that should be implemented on your website too.
The idea behind two-factor authentication is that gaining access to a resource will require two things — something you know and something you have.
For instance, if you’re required to enter a unique number via text/SMS in addition to your administrator password to access a website, you need to have access to your mobile phone.
That’s something a hacker wouldn’t likely have, so it’d be almost impossible for a hacker to gain access to your website using the two-factor login process.
Two-factor authentication also gives you piece of mind knowing that if your password isn’t strong enough, there’s another line of defense against hack attempts.
BigCommerce for WordPress: An Ecommerce Vault
Every once in a while, a plugin or solution is developed for WordPress that solves multiple pain points on the journey to creating an awesome ecommerce site.
Not only does the BigCommerce for WordPress plugin enhance WordPress security, it also offloads processing and makes store management faster and easier.
1. BigCommerce is your commerce backend.
Store management is way easier with BigCommerce for WordPress especially if you manage multiple stores.
From one single control panel, you can manage your catalog, orders, and shipping all behind a securely managed account and login infrastructure.
2. Update catalogs and orders from our side.
Management doesn’t just include running reports and viewing product information. With the BigCommerce WordPress plugin you can also edit and update orders and catalogs directly from the BigCommerce interface.
3. Get expert support.
Occasionally, the unexpected happens, and that’s when it’s time to call in the ecommerce experts.
Luckily, BigCommerce provides expert support to help implement and maintain BigCommerce within WordPress.
4. Enhanced ecommerce security and peace of mind.
BigCommerce for WordPress can increase conversion and security with BigCommerce’s fully-embedded checkout. Our plugin delivers a fast, responsive checkout to improve user experience while reducing the burden of PCI compliance.
Security Only Plugins for any WordPress Ecommerce Site
Since WordPress security is such an important part of maintaining a healthy ecommerce website, many developers have helped to create both free and paid solutions for building security best practices into your website.
1. Sucuri Security
Think WordPress security is just about defending your website from would-be attackers?
Implementing Sucuri Security can also lead to performance gains via their CDN (content delivery network).
CDNs are a great way to increase the speed of your website, especially to those located further away from where your site is hosted.
Running your website through Sucuri’s servers also means catching hack attempts before they cause a problem using their WAF (web application firewall) technology.
The WAF can even help keep zero day vulnerabilities from impacting your website. And here’s the best part — if Sucuri detects a compromise while continuously monitoring your website, they also offer unlimited malware removals so you don’t have to worry about cleaning an infected site.
2. iThemes Security
iThemes Security is a broad spectrum WordPress security solution that adds brute force protection, password enforcement, and bad user lockouts (just to name a few features) to your website.
In all, there are over 30 ways that iThemes security works to keep your WordPress ecommerce website safe from hackers.
Jetpack security features help to keep bad people out (brute force protection) and spam away (spam protection).
The plugin also offers other security essentials like managed plugin updates, downtime monitoring, and automated backups.
While these features might seem basic, these are some of the most effective changes that you can implement on your ecommerce website right now to mitigate most attacks.
4. BBQ: Block Bad Queries
Often, before an attack, a hacker will attempt to understand how a website is vulnerable before going in for the kill.
These “probes” are executed using URL requests against a vulnerable website.
Normally the requests aren’t a big deal, but why give a hacker extra information about your website?
BBQ keeps away nasty attackers that aim to probe or compromise your website by silently rejecting these URL requests.
5. My Private Site
If you’re looking for content security, My Private Site will help you lock down your entire website so that only members with a login and password can view content or products.
This is the perfect solution for a simple membership site or a website where products, services, and/or content should only be available to a limited, verified audience.
6. The GDPR Framework
While not directly related to thwarting attacks, GDPR is a policy that addresses how customer and visitor information is collected and retained.
With a ton of great features, the GDPR Framework plugin will help put you on the road to full GDPR compliance in no time.
Making Customers Feel More Secure
Part of WordPress security is about helping customers feel more secure. Informed customers know the difference between a secure and insecure website, and conversion rates will benefit from having a more secure site.
Here are some ways to help make sure your customer’s journey through your website is as secure and provides as much consent and visibility as possible.
1. Stay GDPR compliant.
While the European Union is the entity that enacted the General Data Protection Regulation (GDPR), it’s important for all ecommerce websites around the globe to consider implementing GDPR to both comply with European Union law, and provide the greatest security and privacy benefits to users.
2. Tell customers what you’re tracking.
Nobody likes to have personal information collected without their consent.
It’s important that as a user moves through your ecommerce website that you tell them when you’re collecting their information and how the information will be used.
GDPR regulations go even further by requiring a user to opt into collection of data if the data is in-fact being collected, so working towards implementing a similar opt-in would be a great goal.
3. Limit session recording capabilities.
When running an ecommerce website, it’s critical to know how people are interacting with your products and content, and what actions (or groups of actions) lead to sales. As you’re mining your site for information, it’s a good idea to only keep information that’s required for analysis.
As information gets more personal (such as address and payment information during checkout), look closely at whether or not the information needs to be stored for analysis.
If the information isn’t needed to form a meaningful conclusion about user interactions, discontinue recording user information.
It’s also advisable to create a policy to automatically purge information that is no longer actionable after a set period of time.
4. Use strong payment systems.
Industry-recognized secure payment systems should always be used when taking payments online.
Companies like Stripe and PayPal expend enormous resources creating systems that keep information flowing through only encrypted channels and that handle information according to payment industry best practices.
5. If you have user accounts, enable some security measures.
Strong passwords, CAPTCHA, and two-factor authentication are all important ways to secure administrator access, and those same measures should be taken to secure user accounts as well.
It’s a huge deal if a user’s account is compromised, and not all users consider the same things when thinking about how to secure their online accounts.
Help your users find their way to a more secure experience on your website by requiring stronger passwords and two-factor authentication.
Here are 4 appointments to put in your calendar that will increase the security of your ecommerce WordPress website in no time.
In the next day: Install and enable an offsite backup plugin.
Tomorrow: Make sure plugins, themes, and core WordPress files are up-to-date.
In the next week: Enable one of the security plugins referenced in this article.
In the next month: Review and implement GDPR regulations.