WordPress Security

How to Fix Common WooCommerce Security Issues?

Updated on: July 26, 2021

How to Fix Common WooCommerce Security Issues?

Is your website an important marketing platform for your business? Do you like it as an elite commercial? The WordPress WooCommerce security vulnerability is a sensitive issue that is important to take into account?

It is said that the majority of these systems are vulnerable to the attacks of the first apprentice hacker. Yet they can also protect themselves very well.

The WooCommerce security issues are not to be taken lightly. Being hacked can happen to anyone and these tips will help you to limit potential damage. When everything is working properly, you must take preventive action!

Secure WooCommerce Login Page

Everyone knows where to connect to a WooCommerce store. So, hackers are always trying to enter through the front door.

www.mywoocommercestore.com/wp-login.php or www.mywoocommercestore.com/wp-admin/.

Why not change the address of this entry page? Nobody has to know it, except you, your web developer, your agency.

1. Block Intrusion Attempts

Blocking any repeated login attempts on your store will save you big problems. If hackers try to enter your e-commerce store, you will be automatically notified and they will be blocked immediately.

Many WordPressers prefer to use Astra Security extension. You can set different options to indicate from when to estimate that a connection attempt is a nuisance intrusion test. It is then the IP address of the hacker which is banned during x time (x = you can choose the duration in the administration of the plugin).

2. Use Email to Login

By default, a user is asked to enter his username to login. However, using an email address rather than a username is much safer. Why?

  • Usernames are often common (without being pejorative) and, therefore, easier to guess
  • An email address can only be used by one user

The Email Login Auth extension force you to connect with a user email address. The store becomes operational as soon as it is installed. You just need to configure the basic settings!

3. Rename Login Page

It is always by the address login.php or wp-admin that one can connect. But that can easily be changed. Changing this address (URL) is important because hackers know it better than any other.

So far, if you have followed everything, we have seen how to reduce the number of attempts to access your administration and require the indication of your email address. Now replace your login address. This will already block 99% of all hacking attempts.

Thus, only someone who knows the exact URL by which one can connect will actually be able to do it better. Once again, the iThemes Security extension helps you to adapt this address. For example:

  • Change login.php to my-new-login
  • Change wp-admin to my-new-admin

Secure WooCommerce Dashboard

For any hacker, what brings the most enjoyment is to be able to get into the admin area of a store, because it is the best-protected part. Tackling the toughest is a real challenge. When he succeeds, the hacker gets a real sense of victory. And of course, he has the opportunity to create real problems.

Here’s how to protect yourself.

1. Protect wp-admin Directory

This folder is the heart of your store. If a file of it is damaged, your store will be completely out of order.

You can only allow access to this wp-admin folder with a password. Thus, to access your admin, you will have to resort to two passwords. The first protects access to your login page and the second to your admin area.

You can use AskApache Password Protect extension to protect the admin of your store. It will automatically generate a .htpasswd file and will take back the passwords.

2. Install SSL Certificates

Installing an SSL certificate will ensure that you encrypt the information flowing between the browser and the server. This prevents the hacker from getting into your conversations and transactions.

Hosting your WooCommerce store with an SSL certificate is very common today. You can buy this certificate from an accredited body but the few hosting providers like Cloudways offers it free to you.

The SSL certificate also impacts your SEO on Google. Google is increasingly taking this criterion into consideration when ranking its results. This will bring you more visitors and potential customers. Now, who does not want it?

3. Secure Store Accounts

If different authors can intervene in your store, everyone has access to your admin panel. This can make your store more vulnerable if they use passwords a bit too much.

The Force Strong Passwords extension requires the introduction of secure passwords. Your registrants/authors/managers will not be able to use “standard” words. This is a precautionary measure that protects you and is really worth installing if you have a collaborative store.

Secure WooCommerce Database

All information on the WooCommerce store is stored in your database. It is essential to protect it. Here are different ways to secure it.

1. Change the Prefix of Tables

As you probably know, the default prefix of tables in WordPress’ WooCommerce store is wp- . I strongly recommend that you modify this prefix with something unique.

If you use the usual prefix, you will be more vulnerable to unwanted SQL injections. You can already warn of these attacks by changing your prefix wp- into something like sr-, mg-, pr-, etc.

If you have already installed your store and, therefore, its database, there are extensions to adapt your prefix. 

Be sure to backup your database beforehand to avoid data loss.

2. Back Up WooCommerce Store

It does not matter whether your store is already secure or not. Scheduling a regular backup of your store is probably the best antidote. This will save you a lot of trouble if one day your store is in trouble.

I know, we only care about it when problems have already appeared. I also made the mistake of not backing up my store. But after bad experiences, I schedule automatic backups.

If you have a backup of WooCommerce store, you can easily and quickly reinstall it. Many extensions can do this.

3. Password for Database

It is important to use a complex password for your database. This is not a word you need to memorize yourself. Do not hesitate to use any type of characters:

  • Lowercase and uppercase
  • Numbers and letters
  • Special characters

Secure Hosting Configuration

The majority of the hosts can claim to provide a well-secured space. But you can go even further.

1. Protect wp-config.php File

wp-config.php file contains essential information. This is also the most important file of your WooCommerce store, even if your visitors do not see it. Protecting your website means protecting your business!

It is difficult for a hacker to attack WooCommerce store if wp-config.php file is not accessible to him and that can easily be put in place. Just move this file to a higher level than the root of your store.

You will tell me: how could the server find this file if it is at a level higher than your WooCommerce root? The configuration of WooCommerce takes this file into consideration in the first priority.

2. Prevent Editing of Certain Files

If a user has access rights to your WooCommerce admin, he can edit any file on your store, including extensions and themes.

However, if you prevent editing of these files, even if a hacker accesses your dashboard, he will not be able to edit any files.

So, to prevent editing files, add this line at the end of your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

3. Configure Files Permission

Granting bad permissions to a folder can be dramatic, especially if your store is hosted on shared space.

If this is your case, changing the permission of your files and folders is important to secure your hosting. For records, indicate the 755 permission, and for your files, 644.

You can do this through your FTP space.

4. Prevent Viewing the Content Records

If you create a new folder and do not add an index.html file, your visitors will be able to directly find all the contents of your folder.

For example, if you create a folder called secure, a hacker will find all the contents of this folder simply by typing the URL www.mywoocommercestore.com/secure/. It will not need any password to access it. Take the test!

You can avoid this risk by adding this line in your .htaccess file:

Options All -Indexes

Secure WooCommerce Themes and Extensions

Themes and extensions are the ingredients for customizing your WooCommerce store. Unfortunately, they too can experience security problems. Discover how to protect them well.

1. Make Regular Updates

All good software is regularly updated. The team of developers improves functionality, performance, and ensures that any security breaches are blocked. WooCommerce is especially frequently updated. It is sometimes vital to quickly update your WooCommerce to avoid any intrusion.

Forgetting to keep your themes and extensions up to date can bring you real problems. The majority of hackers attack store that does not keep their them up to date. They exploit already discovered WooCommerce vulnerabilities and that could be easily solved.

Keeping your store up to date will save you a lot of trouble. Do not deprive yourself!

2. Remove Version Number

You can easily find the version number of your WooCommerce store. It appears from the beginning of your source code.

To hide it, simply add the following code in your functions.php file.

function remove_version_info() {

    return '';


add_filter('the_generator', 'remove_version_info');

The problem is that if a hacker knows what your version is, he will attack you more easily.


If you are new to WooCommerce, you may have found a lot of new things here. But, they are really worth a look. The above-mentioned security tips for a WooCommerce store is a good start to start! Indeed, it is possible to go much further to improve the security level of your store.

You are free to offer us your finds and other hacks via comments!

Tags: , ,

Saud Razzak

Saud Razzak is the WordPress Community Manager at Cloudways - A Managed WooCommerce Hosting Platform. He is responsible for creating buzz, spread knowledge, and educate the people about WordPress in the Community around the globe. In his free time, he likes to play cricket and learn new things on the Internet. You can email him at [email protected]
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
2 years ago

My woocommerce store is hacked on every 3rd or 4th day after reinstalling. it returns wrong password at first and later access to wp-admin is not possible. what could be the problem hacked site or hacked hosting?

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany