WooCommerce powers a significant share of global ecommerce, which makes it a high-value target. Attackers do not discriminate by store size: automated scanners probe every public WordPress installation looking for outdated plugins, weak credentials, and misconfigured servers around the clock. The good news is that the vast majority of compromises are preventable with disciplined, layered controls.
This checklist is organized by layer — from the platform itself out to the network edge — so you can work through it systematically, assign owners, and track remediation. Each item is grounded in widely accepted best practices; nothing here requires exotic tooling or enterprise budgets.
Vilee LLC combines deep technical expertise in WordPress/WooCommerce development with AI-powered automation to operate 520+ profitable online businesses at scale.
1. Platform Hardening
The single most effective security control for WordPress and WooCommerce is keeping every software component current. The majority of successful attacks exploit publicly known vulnerabilities that already have patches available.
- Update WordPress core immediately when a security release is published. Enable auto-updates for minor releases at minimum.
- Keep WooCommerce current. Subscribe to the WooCommerce changelog and stage-test major version updates before deploying to production.
- Audit every installed plugin and theme. Remove anything inactive or unmaintained. Each unused plugin is an attack surface with zero business value.
- Run PHP 8.2 or newer. Older PHP branches reach end-of-life and no longer receive security patches. Verify your host supports the latest stable release.
- Review plugin provenance. Install plugins only from the official WordPress repository or vendors with a published security policy and a responsible disclosure program.
- Disable the built-in theme and plugin editor in production (see File & Server section below). Automated plugin updates are fine; live code editing in the browser is not.
2. Access Control
Credential-based attacks — brute force, credential stuffing, phishing — remain among the most common vectors against WordPress stores. Strong identity controls are non-negotiable.
- Enforce strong, unique passwords for all administrator and shop manager accounts. A password manager removes the friction. Minimum 16 characters, no dictionary words.
- Enable two-factor authentication (2FA) for every account with elevated privileges. TOTP apps (Authy, Google Authenticator) are well-supported via plugins such as WP 2FA or Wordfence Login Security.
- Apply least-privilege roles. A content editor does not need Shop Manager capabilities. A developer should work under a dedicated role, not the primary admin account.
- Rename or relocate `/wp-login.php` with a plugin such as WPS Hide Login, or restrict access to known IP ranges via your WAF or Nginx/Apache config.
- Block or password-protect `/wp-admin` at the server level for IP ranges that should never need it (e.g., the public internet if your team has fixed IPs).
- Disable XML-RPC if you are not using Jetpack or another service that requires it. XML-RPC is a frequent target for brute-force amplification attacks.
- Audit user accounts quarterly. Remove dormant accounts, rotate credentials for service accounts, and verify no unauthorized admin-level users exist.
3. File & Server Security
Server misconfiguration turns a minor vulnerability into a full compromise. These controls are fast to implement and rarely require downtime.
- Set correct file permissions: directories at `755`, files at `644`, and `wp-config.php` at `440` or `400`. Never use `777` on any file or directory.
- Lock down `wp-config.php`. Move it one directory above the web root if your host allows, or deny access via `.htaccess` / Nginx location rules.
- Add `define('DISALLOW_FILE_EDIT', true);` to `wp-config.php`. This removes Appearance > Editor and Plugins > Editor from the admin UI, preventing in-browser code modification even if an admin account is compromised.
- Use SFTP or SSH keys for file transfers. Disable plain FTP entirely. Plain FTP transmits passwords in the clear, where they can be intercepted on shared network segments.
- Restrict access to sensitive paths (`/wp-content/uploads/`, `/xmlrpc.php`, `readme.html`, `license.txt`) at the web-server level. `readme.html` discloses the WordPress version; remove or block it.
- Keep the server OS and web-server packages patched on the same cadence as application code. A vulnerable OpenSSL or Nginx build can undermine every application-layer control.
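The permission scheme and the `DISALLOW_FILE_EDIT` check above, as an added example that is not code from the page or from WordPress. It assumes a POSIX `find`/`chmod` and that you run it as the owner of the WordPress tree; the fixture in the test is constructed.

```shell
#!/bin/sh
# Added example: apply and audit the checklist's permission scheme on a WordPress
# tree, and confirm wp-config.php disables the in-browser file editor.

# Directories 755, regular files 644, wp-config.php 440.
harden_wp_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # 440 assumes the web server runs as the file's group; if it is the owner
  # instead, the checklist's alternative of 400 applies.
  if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
}

# Print the number of paths that deviate from the scheme (0 means compliant).
audit_wp_perms() {
  root="$1"
  {
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -type f -name wp-config.php ! -perm 440 ! -perm 400
  } | wc -l | tr -d ' '
}

# Print "ok" if the given wp-config.php defines DISALLOW_FILE_EDIT as true, else "missing".
check_file_edit_disabled() {
  pattern="define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
  if grep -Eq "$pattern" "$1" 2>/dev/null; then echo ok; else echo missing; fi
}
```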
4. Edge & Network Protection
Putting a hardened edge in front of your origin server deflects a large volume of automated attacks before they ever touch WordPress.
- Route all traffic through Cloudflare or an equivalent WAF/CDN. Cloudflare’s free tier already provides DDoS mitigation and basic WAF rules; the Pro tier adds the OWASP core rule set and bot management.
- Enable rate limiting on `/wp-login.php`, `/wp-json/`, and the checkout endpoint. Aggressive rate limits on authentication endpoints stop credential-stuffing campaigns cold.
- Enable bot management. Block known bad-bot user-agent strings and ASNs associated with scanning infrastructure. Cloudflare Bot Management or similar tools do this automatically with manageable false-positive rates.
- Enforce HTTPS everywhere with an automatic HTTP-to-HTTPS redirect. Obtain a certificate from Let’s Encrypt (free) or your host’s certificate authority.
- Set HSTS (HTTP Strict Transport Security) with a `max-age` of at least one year. Consider submitting your domain to the HSTS preload list once you are confident in your HTTPS configuration.
- Configure a Content Security Policy (CSP) header to restrict which scripts, stylesheets, and frames may load on your pages. CSP significantly reduces the blast radius of an XSS vulnerability.
- Block direct access to your origin IP. If all legitimate traffic arrives via Cloudflare, firewall rules that drop connections from non-Cloudflare IPs to ports 80/443 ensure attackers cannot bypass your WAF.
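A check for the HSTS and CSP items above, as an added example that is not from the page or from Cloudflare. It reads a response header block on stdin (for instance the output of `curl -sI` against your store); the two responses embedded below are constructed samples, not captured from any real site.

```shell
#!/bin/sh
# Added example: verify HSTS max-age >= 1 year and the presence of a CSP header
# in a captured HTTP response. Constructed sample responses follow.

GOOD_RESPONSE='HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src https:; frame-ancestors none'

WEAK_RESPONSE='HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=86400'

ONE_YEAR=31536000

# Reads headers on stdin, prints one PASS/FAIL line per check, returns non-zero on any FAIL.
check_edge_headers() {
  hdrs=$(tr -d '\r')
  rc=0
  sts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' | head -n 1)
  if [ -z "$sts" ]; then
    echo "FAIL HSTS header missing"; rc=1
  else
    age=$(printf '%s\n' "$sts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt "$ONE_YEAR" ]; then
      echo "FAIL HSTS max-age below one year (${age:-unparseable})"; rc=1
    else
      echo "PASS HSTS max-age=$age"
      case "$sts" in *preload*) echo "INFO HSTS preload directive present" ;; esac
    fi
  fi
  if printf '%s\n' "$hdrs" | grep -iq '^content-security-policy:'; then
    echo "PASS CSP header present"
  else
    echo "FAIL CSP header missing"; rc=1
  fi
  return "$rc"
}
```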
5. Application-Layer Security
Even with a WAF at the edge, application-layer monitoring catches threats that slip through and detects post-compromise activity early.
- Install a reputable security plugin. Wordfence, Solid Security (formerly iThemes Security), or Sucuri Security all provide malware scanning, a server-side firewall, and login monitoring. Pick one and configure it fully rather than running multiple overlapping plugins.
- Schedule automated malware scans at least daily. Review alerts promptly — a compromised file left in place for days allows attackers to establish persistence.
- Secure the REST API. Disable unauthenticated access to REST API endpoints that expose user data (`/wp-json/wp/v2/users` being the classic example). WooCommerce’s own REST API should require API keys with the minimum necessary scopes.
- Sanitize and validate all input. If you maintain custom plugins or themes, audit every `$_POST`, `$_GET`, and `$_REQUEST` handler for SQL injection, XSS, and CSRF vulnerabilities. Use WordPress nonces for all form submissions.
- Verify plugin and theme integrity. Some security plugins can compare installed file checksums against the official repository. Unexpected diffs in core or plugin files are a red flag.
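A first-pass triage for the input audit above, as an added example that is not from the page or from WordPress. It lists PHP files under a directory that read `$_POST`/`$_GET`/`$_REQUEST` but contain no nonce check (`wp_verify_nonce`, `check_admin_referer`, `check_ajax_referer`) or no sanitization call, so a reviewer knows where to start; `make_fixture` writes a constructed two-file plugin used by the test.

```shell
#!/bin/sh
# Added example: static triage of custom plugin/theme code for request handlers
# that lack a nonce check or input sanitization. Assumes POSIX find and grep -E.

# Prints "NO-NONCE path" and/or "NO-SANITIZE path" per offending file; nothing if clean.
audit_request_handlers() {
  find "$1" -name '*.php' -exec grep -lE '\$_(POST|GET|REQUEST)\[' {} + 2>/dev/null | sort |
  while IFS= read -r f; do
    grep -qE 'wp_verify_nonce\(|check_admin_referer\(|check_ajax_referer\(' "$f" \
      || printf 'NO-NONCE %s\n' "$f"
    grep -qE 'sanitize_[a-z_]+\(|absint\(|intval\(|wp_kses' "$f" \
      || printf 'NO-SANITIZE %s\n' "$f"
  done
}

# Constructed fixture: one handler written the way the checklist asks, one that is not.
make_fixture() {
  d=$(mktemp -d)
  cat > "$d/good.php" <<'EOF'
<?php
// Nonce verified and input sanitized before use.
if ( isset( $_POST['coupon'] ) && check_admin_referer( 'apply_coupon' ) ) {
    $code = sanitize_text_field( wp_unslash( $_POST['coupon'] ) );
}
EOF
  cat > "$d/bad.php" <<'EOF'
<?php
// Raw request data read with no nonce check and no sanitization: the audit flags this file.
$code = $_GET['coupon'];
EOF
  printf '%s\n' "$d"
}
```

The pattern list is deliberately narrow; treat a clean result as "nothing obvious", not as proof the handlers are safe.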
6. Payments & PCI Compliance
WooCommerce stores that accept card payments must meet PCI DSS requirements. The fastest route to compliance — and the lowest cardholder-data risk — is to never touch raw card data at all.
- Use a PCI-validated payment gateway such as Stripe, Braintree, or PayPal that handles card data entirely within its own PCI-compliant environment. Your checkout page collects card details in an iframe or redirect hosted by the processor.
- Never store full card numbers, CVVs, or track data on your server or in your database under any circumstances. Tokenization by the payment gateway is the correct pattern.
- Keep the entire checkout flow on HTTPS. Mixed-content warnings on the checkout page erode customer trust and may indicate a configuration problem that browsers will eventually block anyway.
- Aim for SAQ-A scope. By redirecting or iframing all card-data entry to a PCI-certified processor, you reduce your PCI Self-Assessment Questionnaire scope to SAQ-A, the simplest tier with the fewest controls to document.
- Review your payment gateway’s fraud tools. Stripe Radar, PayPal’s risk engine, and similar tools can block high-risk transactions before they settle, reducing chargebacks and protecting your merchant account standing.
7. Data Protection & Backups
A reliable backup is the last line of defense against ransomware, accidental deletion, and catastrophic failures. It is only useful if it has been tested.
- Automate daily full backups of both the database and all files. Plugins such as UpdraftPlus, BackupBuddy, or WP Migrate DB Pro can push backups to off-server destinations automatically.
- Store backups off-server in a separate cloud account (S3, Google Cloud Storage, Backblaze B2). A backup stored only on the same server it came from is lost in the same incident.
- Test restores on a quarterly schedule. A backup you have never restored is a backup you cannot trust. Document the restore procedure so any team member can execute it under pressure.
- Use a staging environment for all changes. Deploy plugin updates, theme modifications, and code changes to staging first. Verify functionality, then push to production. This practice prevents the class of outages that come from updating 15 plugins at once on a live store.
- Encrypt backups at rest when they contain customer PII or order data. Most cloud storage providers offer server-side encryption; enable it.
8. Monitoring & Incident Response
Controls reduce risk; monitoring detects when controls fail. Knowing within minutes that something is wrong is dramatically better than discovering a breach days later in a customer complaint.
- Enable file-integrity monitoring (FIM). Most security plugins include FIM. Any unexpected change to a core, plugin, or theme file triggers an alert and should be investigated before assuming it is benign.
- Maintain a WordPress audit log. Plugins such as WP Activity Log record user logins, role changes, post edits, plugin activations, and settings changes with timestamps and IP addresses. This log is essential during incident investigation.
- Set up uptime and performance alerting. Tools like Better Uptime, UptimeRobot, or Cloudflare Health Checks notify you within a minute of a site going down — which can be the first signal of an active attack or a broken update.
- Write an incident runbook before you need it. Document: who to call, how to put the site in maintenance mode, how to restore from backup, how to rotate all credentials, and how to notify affected customers. Practice the runbook annually.
- Monitor failed login attempts and unusual order patterns. A spike in failed logins, a sudden burst of new user registrations, or an unusual volume of coupon redemptions can each indicate an automated attack in progress.
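The failed-login spike described above, as an added example that is not from the page or from any security plugin. It reads combined-format (Nginx/Apache) access log lines on stdin; the embedded log is a constructed sample using documentation IP ranges, and the threshold is a parameter you choose.

```shell
#!/bin/sh
# Added example: count failed POSTs to /wp-login.php per client IP and surface
# POSTs to xmlrpc.php, which should not occur once XML-RPC is disabled.

# Constructed sample log lines (combined log format).
SAMPLE_LOG='203.0.113.7 - - [10/May/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
198.51.100.20 - - [10/May/2025:10:05:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2025:10:06:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2025:10:06:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'

# A failed login re-renders the form (HTTP 200); a successful one redirects (302).
# Prints "ip count" for every client with more than $1 failed POSTs to /wp-login.php.
login_bursts() {
  awk -v t="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
  ' | sort
}

# Prints "ip count" for every client that POSTed to xmlrpc.php.
xmlrpc_hits() {
  awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' | sort
}
```

Run it against a real log with `login_bursts 20 < access.log`; tune the threshold to your store's normal login volume so legitimate customers who mistype a password are not flagged.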
Risk Summary Table
| Risk | Control | Priority |
|---|---|---|
| Exploited outdated plugin/theme | Automated updates + unused plugin removal | Critical |
| Credential brute force / stuffing | Strong passwords + 2FA + login-page restriction | Critical |
| Malicious file upload / web shell | Correct file permissions + FIM + malware scanning | High |
| DDoS / volumetric attack | Cloudflare / WAF + rate limiting | High |
| Man-in-the-middle on checkout | HTTPS everywhere + HSTS + hosted payment fields | High |
| Cardholder data exposure | PCI-validated gateway + tokenization (SAQ-A scope) | Critical |
| Ransomware / data destruction | Automated off-server backups + tested restores | High |
| Undetected compromise | File integrity monitoring + audit log + alerting | High |
| Privilege escalation via REST API | Authenticated-only API endpoints + scoped API keys | Medium |
| Supply chain (malicious plugin) | Install from verified sources only + checksum verification | Medium |
Putting It Into Practice
A checklist is only as useful as the process behind it. Assign a named owner to each section, schedule a review cadence (monthly for access control and updates; quarterly for backups, penetration testing scope, and PCI documentation), and track open items in your project management system. Security is not a one-time configuration task — it is an ongoing operational discipline.
If your team needs to accelerate this work or lacks in-house WordPress security expertise, explore our services — Vilee LLC’s engineering teams have hardened WooCommerce environments across hundreds of stores in multiple regulatory jurisdictions. You can also review how we approach security as part of our broader platform operations, or contact us directly to discuss a security engagement for your store.
Frequently Asked Questions
How often should I run through the WooCommerce security checklist?
A full review should happen at least quarterly. However, some items demand more frequent attention: plugin and core updates should be applied within days of release (immediately for security releases), access control audits should happen monthly, and backup integrity checks should run automatically every day with a manual restore test each quarter. Treat the checklist as a living operational document, not a one-time setup task.
Do I need a paid security plugin, or is a free option sufficient?
The free tiers of Wordfence and Solid Security cover the essential controls for most stores: malware scanning, a server-side firewall, login protection, and file-integrity monitoring. Paid tiers add real-time threat intelligence feeds, faster malware signature updates, and priority support — which matter more as your store grows in transaction volume or handles higher-value orders. Start with a well-configured free tier and upgrade based on your risk profile, not marketing pressure.
What is SAQ-A and why does it matter for WooCommerce stores?
SAQ-A is the simplest tier of the PCI DSS Self-Assessment Questionnaire. You qualify for it when your checkout page uses a fully hosted payment form provided by a PCI-certified processor — meaning card data never passes through or touches your server. This dramatically reduces the number of controls you must document and the audit burden on your team. Most modern WooCommerce payment gateways (Stripe, Braintree, PayPal) support SAQ-A-eligible integrations. If your integration does not qualify for SAQ-A, consult a Qualified Security Assessor to determine your correct SAQ type.
