Analysis paralysis is common in WooCommerce security. With different plugins, services, and solutions available, keeping your websites secure can feel overwhelming. This often leaves security gaps, as uncovered by our annual WordPress security survey.
When BobWP reached out to see if we had anything we’d like to share for the new blog, I couldn’t wait to share our survey findings with Do the Woo’s audience. There are valuable insights and lessons to be learned, which I believe administrators and website owners running WooCommerce can use to protect their sites, users, and customers.
The good news is that, in most cases, these gaps present low-hanging fruit that can drastically improve site security with minimal effort. In this article, we’ll go through our findings, why these are important, and what you can do to address any security shortcomings for a much safer and more secure WooCommerce website.
What is the Melapress WordPress Security Survey?
Melapress’ WordPress security survey is a yearly survey that aims to understand how administrators and website owners view and manage WordPress security. For the past two years, we have run two editions of the survey – online and in person at World Camp Europe, which we sponsor. Both online and in-person surveys have exactly the same questions. Answers are collected and analyzed as a group.
Here are the most important tips for WooCommerce security that the survey uncovered:
Tip #1: Use password policies to empower customers to own their security
What the survey showed us
Weak passwords remain a priority, with 37% of survey respondents indicating this to be one of their primary security concerns. And with good reason – in many ways, passwords act as the first line of defense against intruders. They protect users’ accounts from illegitimate access, ensuring data remains secure. Unfortunately, however, many users tend to choose passwords that are easy to remember – and as such easy to crack.
Although password policies would address concerns, only 59% of those listing weak passwords as a primary concern implement such policies. We’ve also seen a decrease in the implementation of password policies from last year, with the figure sliding from 75% to just 52%.
Why this is important
In most cases, attacks are not specifically targeted. Many bad actors take advantage of lax security to breach websites, akin to casting a wide fishing net. This makes it more likely for attackers to move on to softer targets if your website presents a serious challenge – it is simply not worth the effort if there are websites that are easier to breach. As such, we need to use every tool at our disposal to its maximum effectiveness – including passwords.
First line of defense
Brute force attacks remain a favorite tool in bad actors’ toolboxes. Such attacks are simple and effective – more so thanks to advancements in technology, which make password cracking a walk in the park. The best line of defense? A complex password. Adding a few characters increases the time it takes to crack passwords manyfold. Add a password expiration policy, and you’re now in formidable shape to keep attackers at bay.
Shared responsibility
In the next section we will discuss the importance of training the team. For any website to be secure, everyone must do their part, and the first step in doing so is ensuring everyone is using a strong password. While you can excuse less stringent requirements for accounts with limited access, some form of password policy will keep accounts more secure and protected.
How to implement password policies best practices
One way WooCommerce administrators can ensure users are using strong, secure passwords is through policies. Through policies, administrators can set minimum requirements users must meet when setting their passwords. While verbally encouraging users to adopt a more security-focused approach when setting passwords helps, a plugin such as Melapress Login Security makes the job much easier.
And here are some tips for the best results for passwords when using a plugin:
- Make sure passwords include a healthy mix of uppercase and lowercase letters, numbers, and special characters
- Disallow password recycling
- Passwords should expire, lowering the risk of leaked passwords being used in a breach
Tip #2: Train the team to ensure everyone follows best practices
What the survey showed us
Having the best security plugins and processes in place is important. However, good WooCommerce security requires everyone to be on board with the program. It’s no secret that security can affect usability, so getting everyone on the same page with the why and the how ensures less friction and, ultimately, compliance.
The vast majority of security survey respondents do train their team members with 79% doing so. The results speak for themselves – those who do not train their team are 30% more likely to experience a breach. If there was ever a business case to invest in user education, this is it.
Why this is important
It’s critical for any team to be able to pull in the same direction. Whether it’s business goals (such as revenue, sales), or security, ensuring everyone is on the same page and following the same rules increases the team’s effectiveness. Getting your team’s buy-in is critical to your success. This also has the added benefit of compounding the efficacy, ensuring a higher ROI (Return on Investment).
Security breaches can be very expensive – fines, reputational loss, loss of business add up very fast. Taking the time to train your team might seem like an additional expense – and it is – but invariably, it turns out to be money well spent.
This reminds me of a little anecdote an old dear boss used to tell the team:
Financial controller: Why are we investing so much money in training employees? What if they leave? We would have wasted so much money and time!
CEO: What if we don’t invest in training them, and they stay?
Security is as strong as the weakest link
A 2014 IBM study on cyber security identified human error as a contributing factor in 95% of security breaches. This astronomical figure shouldn’t come as a surprise to anyone who has ever managed an IT infrastructure. Nevertheless, it is a worrying statistic that is not wholly outside of our control.
Training team members on best security practices go a long way in instilling a culture of personal responsibility and awareness. Conveying basic awareness principles through policies or informal training goes a long way in ensuring your team is taking appropriate steps to keep your website secure.
Additional line of defense
When your team members practice vigilance against threats to your websites, you effectively have an additional line of defense safeguarding your WooCommerce store. An extra pair of eyes, or a few of them at that, can help you spot things you might have otherwise missed.
How to implement team training best practices
Training should be customized to your needs, ensuring that users can understand and implement what they learn in training. Try to hold frequent sessions and include helpful FAQs or knowledge-base documents users can refer to when in doubt.
- Team training should be accessible and relevant to users’ jobs and tasks
- Include FAQs or knowledge-base posts users can refer to at any time
If you have a small business, sitting with your team and explaining security best practices might be enough. Do make sure you prepare a document you can send to the team so that they can reference it whenever in doubt or need a refresher.
If you have a larger team, you might want to consider something more formal. While you can still design a training course that covers the basics yourself, you can also refer to online courses that also cover important topics such as cyber awareness, phishing, and cyber hygiene among others.
Thanks to our sponsor…
Kinsta: Offering a high-performance hosting platform with managed WordPress hosting, powered by Google Cloud, ensuring fast load times and robust security.
Tip #3: Use 2FA to secure user and admin accounts
What the survey showed us
2FA adoption has continued its upward trajectory, increasing from 66% in 2023 to 70% in 2024. However, the survey unveiled an imbalance between respondents concerned about compliance and 2FA implementation. In fact, only 42% of those concerned about compliance install 2FA.
This is especially noteworthy as WooCommerce sites typically need to adhere to more stringent security requirements. While some might argue that 2FA’s impact on user experience is too great a burden, 2FA has advanced greatly since its early days. Plugins with features such as customizable wizards, trusted devices, and multiple 2FA methods make 2FA implementation a breeze.
Why this is important
2FA is important for various reasons. It has proven itself to be a formidable security measure. It is very cost-effective, easy to use and manage, and, more often than not, a compliance requirement.
Security
By requiring a second authentication, 2FA effectively acts as a second door to your WooCommerce user accounts. This second authentication is wholly separate from the username and password combination. As such, even if passwords get compromised, bad actors will still be unable to log in.
This helps protect against compromised passwords, whether from brute force attacks or successful phishing attempts.
Compliance
2FA is viewed favorably by security standards and regulations. With hefty penalties waiting for those who do not comply, adding 2FA to your WooCommerce store goes a long way in showing your commitment to customer security and privacy.
Of course, complying with regulations such as GDPR or standards such as PCI DSS does not start and stop with 2FA. However, it is definitely a solid step in the right direction.
How to implement 2FA best practices
- 2FA should be made mandatory for all users. However, special attention should be given to those user accounts that enjoy privileged access.
- 2FA methods such as push notifications and OTP tend to be more secure than SMS, however any 2FA is still better than no 2FA.
- Implementing 2FA backup methods ensures less administrative overhead and user frustration
Implementing 2FA
Our own WP 2FA plugin makes it very easy to offer your WooCommerce customers 2FA. The free version of the plugin comes with all of the functionality you need to add 2FA to your sites, while the premium edition comes with additional bells and whistles, such as additional 2FA methods, white labeling, and one-click WooCommerce integration, among other features.
- Step 1: Download and install WP 2FA
- Step 2: Activate the plugin and follow the setup wizard
- Step 3: Configure 2FA for your account
Other noteworthy takeaways
WooCommerce security best practices span across the entire gamut. 2FA, passwords, and team training go a long way in improving security. However, there are other areas that require equal attention, as uncovered by the Melapress survey:
Updates
Keeping everything up to date (WordPress, plugins, themes, PHP) goes a long way in minimizing risks that arise from vulnerabilities. An updates policy, regardless of whether you prefer to install in a staging environment first or enable auto-updates, can help you maintain consistency and your site safe.
The survey showed that only 30% of those who are concerned about a security issue with a plugin or theme enable auto-updates. While highly-customized enhancements might benefit from testing updates in a staging environment, a quick turn-around can definitely help you improve your security posture.
Breach recovery plan
Breaches happen – this is a fact of life. And sometimes, despite following all of the best security practices, some idiot will still manage to weasel their way through. This is why it remains important to have a breach recovery plan in place. With 72% of respondents answering they’ve suffered at least one security breach, the last thing you want is to be operating in full panic mode, which often makes things worse rather than better.
More WordPress security statics
Interested in learning more statistics from the Melapress survey? Find all of the nuggets, insights, and valuable takeaways in the WordPress security survey statistics blog post.
This is a guest post from Joel Barbara at Melapress.
Leave a Reply