These days a lot of companies are concerned with security, and that includes securing their WordPress & WooCommerce sites.
While we are not experts in security and do not advertise our services as such, there are a number of good practices we implement with pretty much all the WordPress sites we create.
Here are some of them (the list is not by any means comprehensive):
1. Install WordFence & configure it to block traffic from countries you do not serve
Acting as an endpoint firewall (a web application firewall that runs inside WordPress itself, in front of your plug-ins and themes) and application-layer malware scanner, WordFence is one of the most popular security plug-ins on the market. It has a variety of features, but the main ones are identifying and blocking malicious traffic both at the IP level and at the application level, defending against brute-force login attacks, enforcing strong passwords, checking file integrity against the copies of core, plug-in and theme files published on WordPress.org, and flagging plug-ins that are abandoned or have known vulnerabilities.
The paid version of this plug-in offers extra features such as real-time malware signature updates and blocking traffic from selected countries, etc.
2. Change admin login username & password
Admin is the default username that many installers and hosting control panels create, and it is the first name any brute-force script will try. WordPress does not let you rename a user from the dashboard, so create a new user with a custom username, give it the Administrator role, log in as that user, then delete the old admin account and reassign its content to the new one. Give the new account a long, randomly generated password (let a password manager create and store it) that is not reused anywhere else. Change that password once a month as part of your routine security audit, and immediately if you suspect it has leaked.
3. Change the default login path
The default path to your web admin console is http://yourdomainname.com/wp-admin or https://yourdomainname.com/wp-admin, and the login form itself lives at /wp-login.php. WordPress core does not support renaming the wp-admin folder; what the "hide login" plug-ins actually do is serve the login form at a custom slug that is hard to guess and answer 404 to wp-login.php. Treat this as a way to cut down automated noise rather than as a control on its own: the new path leaks through any link to it, so pair it with rate limiting or, better, restrict the login and dashboard URLs to the IP addresses your staff actually use.
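Here is what that restriction looks like in practice, as an added example that is not part of the original post and not any plug-in's code: a small must-use plug-in (a PHP file dropped into wp-content/mu-plugins/, which WordPress loads on every request without activation) that keeps wp-login.php and the dashboard reachable only from an allowlist of IPv4 addresses and switches off XML-RPC. The addresses, the file name and the example_ prefixed function names are placeholders.

```php
<?php
/**
 * Plugin Name: Login endpoint allowlist (added example)
 *
 * Example code added to this post, not from the original article or from any
 * plug-in. Save it as wp-content/mu-plugins/login-allowlist.php and WordPress
 * loads it on every request. It answers 403 to wp-login.php and to dashboard
 * pages unless the request comes from an allow-listed IPv4 address, and it
 * turns off XML-RPC, which is a second door for password guessing.
 */

// Hypothetical allowlist: replace with your own office or VPN addresses.
// The entries use the IETF documentation ranges and match nothing real.
const EXAMPLE_LOGIN_ALLOWLIST = [
    '203.0.113.10',     // a single address
    '198.51.100.0/24',  // a CIDR range
];

/** True if IPv4 $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/n"). */
function example_ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);       // false for anything that is not IPv4
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * True if $ip matches any allowlist entry. IPv6 clients are denied by this
 * version: extend example_ip_in_cidr() with inet_pton() before using it on
 * a site that serves IPv6.
 */
function example_login_allowed(string $ip, array $allowlist = EXAMPLE_LOGIN_ALLOWLIST): bool
{
    foreach ($allowlist as $entry) {
        if (example_ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

/**
 * Address of the client as seen by PHP. X-Forwarded-For is ignored on purpose:
 * any client can send that header. Behind a CDN or load balancer, have the
 * proxy set a header it strips from incoming requests, and read that instead.
 */
function example_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function example_deny_unless_allowlisted(): void
{
    if (example_login_allowed(example_client_ip())) {
        return;
    }
    // A plain 403, not a redirect to the front page: give no hint about
    // what is behind the URL.
    status_header(403);
    nocache_headers();
    exit('Forbidden');
}

// wp-login.php runs login_init before it shows the form or handles a POST.
add_action('login_init', 'example_deny_unless_allowlisted');

// Dashboard pages run admin_init. So do admin-ajax.php and admin-post.php,
// which themes and plug-ins call on behalf of ordinary visitors; leave those alone.
add_action('admin_init', function (): void {
    $script = basename($_SERVER['SCRIPT_NAME'] ?? '');
    if (in_array($script, ['admin-ajax.php', 'admin-post.php'], true)) {
        return;
    }
    example_deny_unless_allowlisted();
});

// xmlrpc.php accepts a username and password on every call and is not covered
// by login_init. Disable it unless the mobile app or Jetpack actually needs it.
add_filter('xmlrpc_enabled', '__return_false');
```

Test it from an address that is not on the list before you leave the office: you should get a bare 403 on /wp-login.php and /wp-admin/, while the front end, admin-ajax.php and the REST API keep working. If your staff arrive through a VPN with a changing exit address, keep the allowlist in this file and add the WordFence rate limits on top, rather than widening the ranges until the list means nothing.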
4. Update all the plug-ins to their latest versions
WordPress will notify you when new versions of plug-ins are available. Make sure you update all your plug-ins to their latest versions. Every plug-in is extra attack surface, so do not install plug-ins you do not need, and remove (not just deactivate) the ones you no longer use, since a deactivated plug-in's files are still on the server. Routinely do plug-in audits. When you install a plug-in, do your online research so it comes from a reputable source (there are a lot of plug-ins out there, and many of them are unsupported or risky). Do not install plug-ins from unknown or undocumented sources.
5. Update WP to its latest stable version
Always keep WordPress at its latest stable version. We generally define that as the most recent production release, as opposed to the current betas or release candidates. At the time of this blog that is WordPress 5.0.3. Minor releases such as 5.0.x are mostly security and maintenance fixes, and WordPress installs them automatically by default; leave that automatic update switched on.
6. Audit for SQL injection
SQL injection is a code injection technique used by attackers against data-driven applications. It is common in web applications and entirely preventable. The attacker submits input through a front-end field (or any other part of the request: a URL parameter, a cookie, a header) that the application pastes into a SQL statement, so that part of the input is executed as SQL on the back-end.
For any competent web developer it is straightforward to prevent: never build SQL by concatenating user input, use prepared (parameterised) statements, which in WordPress means $wpdb->prepare(), and validate input on the server. Checks done only in the browser are a usability aid, not a security control, because an attacker simply sends the request without the page; stored procedures help only if they avoid dynamic SQL themselves. Also audit the plug-ins you install, since most WordPress SQL injections are found in third-party plug-in code rather than in core. Check with your web developer for more details.
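The two halves of that advice side by side, as an added example that is not code from the original post: a customer-search query written the injectable way and then with $wpdb->prepare(), WordPress's parameterised query helper. The table name wp_example_customers, its columns and the example_ function names are hypothetical.

```php
<?php
/**
 * Example code added to this post, not from the original article. The table
 * {$wpdb->prefix}example_customers and its columns are hypothetical; both
 * functions run inside WordPress and use the global $wpdb.
 *
 * Caller's side: WordPress adds slashes to $_GET/$_POST, so strip them first,
 *   $hits = example_customers_named(wp_unslash($_GET['q'] ?? ''));
 * and never pass the raw value into example_customers_named_vulnerable().
 */

/**
 * VULNERABLE: the search string is concatenated into the SQL text.
 * A request of  ?q=' OR 1=1 --   (with a trailing space, URL-encoded) makes
 *   ... WHERE name LIKE '%' OR 1=1 -- %' ORDER BY name LIMIT 20
 * MySQL treats "-- " to end of line as a comment, so every row comes back;
 * a UNION SELECT against wp_users would pull password hashes the same way.
 * Kept here only as the "before" picture.
 */
function example_customers_named_vulnerable(string $fragment): array
{
    global $wpdb;
    $sql = "SELECT id, name, email FROM {$wpdb->prefix}example_customers"
         . " WHERE name LIKE '%" . $fragment . "%' ORDER BY name LIMIT 20";
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

/**
 * SAFE: the user's value never becomes part of the SQL text. $wpdb->prepare()
 * escapes each argument and adds the quotes itself (so write %s, not '%s').
 * Rejecting quote characters is not an option here: O'Brien is a real name.
 */
function example_customers_named(string $fragment, int $limit = 20): array
{
    global $wpdb;

    // Server-side validation: strip tags and control characters, bound the
    // length and the page size. Defence in depth; the injection fix is prepare().
    $fragment = trim(sanitize_text_field($fragment));
    if ($fragment === '' || mb_strlen($fragment) > 64) {
        return [];
    }
    $limit = max(1, min(100, $limit));

    // esc_like() escapes % and _ so the user cannot widen the pattern;
    // the surrounding wildcards are ours.
    $like = '%' . $wpdb->esc_like($fragment) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, name, email FROM {$wpdb->prefix}example_customers"
        . " WHERE name LIKE %s ORDER BY name LIMIT %d",
        $like,
        $limit
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}
```

When auditing a site, grep the plug-in and theme code for $wpdb->query, get_results, get_var and get_row calls whose SQL string contains a variable or a $_GET/$_POST/$_REQUEST read and no prepare(); each one is a candidate for the vulnerable shape above. The same applies to SQL built for LIKE clauses without esc_like(), and to ORDER BY or table names taken from user input, which prepare() cannot parameterise and which need an allowlist instead.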
7. Install an SSL/TLS certificate
An SSL/TLS certificate lets your site serve traffic over HTTPS (HTTP over TLS; the "SSL" name has stuck even though the SSL protocol versions themselves are obsolete). HTTPS encrypts the traffic between your site and its visitors and authenticates the site to the browser, so tapping into sensitive information in transit (usernames, passwords, credit card numbers, etc.) becomes impractical. Certificates from commercial issuing authorities cost under $100 a year, and Let's Encrypt issues them for free; most cloud hosting companies offer one and will help you install it or automate its renewal. Installing the certificate is only half the job: redirect every http:// URL to https://, set the WordPress Address and Site Address under Settings > General to https://, and then check the site for mixed content (images or scripts still loaded over plain HTTP), which browsers block or warn about. Since 2014 Google has also used HTTPS as a ranking signal, so having the certificate installed helps with your site's SEO.
One extra word on PCI DSS compliance. On all the modern e-commerce solutions it has become pretty much standard. Without getting into details here, as it is not the objective of this blog, keep in mind that becoming compliant involves two kinds of work: technical security measures (secure your site, serve it over HTTPS, and do not process or store card numbers on your own server at all: hand the payment step to a PCI-compliant payment processor, which also shrinks the scope of your own assessment) and manual day-to-day procedures, which you have to train your internal staff to follow.