Cybersecurity is a big deal, and if you’re not paying attention, it can come back to haunt you.
You may be thinking, “Who, me?” Yes, you.
While there probably isn’t a crew of expert hackers trying to steal your data or net millions of dollars in credit card information (you’re not Target, after all) the vast majority of hackers do want to use your server to send spam emails, which is the number one reason for hacking smaller sites.
That’s why it’s super important to make sure your WooCommerce site is fully secure. But before you shrug your shoulders believing that WordPress has you covered already, think again…
Why It’s Easy to Overlook Security
Don’t get us wrong, WordPress is a killer platform, and we wouldn’t be in business if we didn’t see its inherent value. While its biggest draw is that it handles a lot of the work for you, it’s also easy to assume that WordPress is handling all of your security concerns.
Sure, you might install Akismet to protect against those pesky spammers, but when is the last time you really looked at how easy your site is to hack? We’re not putting words in your mouth here, but probably never, right?
What WordPress/WooCommerce Does Protect Against
Well the good news is that you’re not totally screwed, because like we said, WordPress does protect you against some things. For example:
- WooThemes for WooCommerce frequently works with WordPress security professionals who audit their work, frequently checking for vulnerabilities
- WordPress can use SSL certification (through your hosting service) to create safer shopping experiences
- There are various plugins that will help protect your site further
- Latest version releases come with built-in security features against most major threats
What It Doesn’t Protect Against
Here’s the bad news. Less than three years ago, 73% of the popular sites using WordPress were considered “vulnerable” to cyber attacks. In fact, of the 10 most vulnerable plugins, five were commercial plugins available for purchase, and one of them was an honest to goodness security plugin.
Which is why you need to be extra vigilant. Here’s what WordPress or even our beloved WooCommerce might not protect against:
- You forgetting to keep your theme, plugins, and version of WordPress up-to-date
- You downloading plugins from an unreputable or untested source
- You using “admin” as a username
- You not changing your passwords often or using weak passwords
- You configuring your file directories the wrong way
- You forgetting to backup your site on a regular basis
Actually, come to think of it, human error seems to be a common theme here. But if we’re honest, forgetting to update to the latest version of WordPress the second it comes out isn’t going to topple your e-commerce empire. Rather, the biggest thing that you’re not safeguarded against on that list is weak passwords. Here’s why…
Why Passwords Are Your Biggest Risk
Have you ever watched a hacker movie or literally any episode of a detective show ever made? There’s always that one character that is (thankfully) working for the good guys who can guess the password on a suspect’s computer simply by knowing what the person’s dog’s name is or their birthday.
We may giggle at it in retrospect, but people are notoriously bad at picking passwords. In fact, 21% of people use passwords over 10 years old, 47% of people use passwords at least five years old, and 73% of all online accounts are guarded by duplicate passwords.
While it may seem like no big deal to you, we should remind you that you’re running an e-commerce business built on thousands of user generated passwords, and if a hacker gets access to one, he gets access to them all.
Your mission, therefore, if you choose to accept it, is to not only create secure passwords for yourself and your team, but also do everything in your power to encourage your customers to do the same.
What Secure Passwords Look Like
We’re not trying to scare you, but the fact is that hackers are getting smarter, and hacking technology has significantly improved in the last few years. You’ll have to go above and beyond to create a truly secure password. Here’s what a secure password includes:
- Avoiding “dictionary words” (common words), anniversaries, and birthdays
- Including a mix of capitals, lowercase, numbers, and symbols
- Prioritizing length – long passwords are less likely to be hacked
- Generating random passwords whenever possible
- Creating unique passwords for each account and site
We know that the last one is a tough one, because remembering random strings of letters and numbers over multiple accounts and profiles is genuinely hard, but the more random the password can be, the safer it is from hackers. The best approach is to use a dicelist to generate a completely random password (here’s a good one, and this one too) that’s less likely to be hacked.
If you manage multiple WordPress/WooCommerce sites or you have a larger team that all need access to your site, consider using a service like ManageWP. It’s also extremely important to have a good host for your WordPress site, as we’ve mentioned before.
How to Incorporate Secure Passwords Into WooCommerce
Okay, now for the good news. Since the release of WooCommerce version 2.5, secure password strength indicators are built in to the system. Whenever a new account is being created, a popup will appear and hassle the user (not really) until the password meets certain standards.
But the creation of the password is still up to you and your customers. That’s why it’s a good idea to remind them using text and microcopy around your forms and landing pages about the importance of creating secure passwords.
You can also do a few other things to make sure your site is safe from even the laziest of passwords:
1. Enable two-factor authentication (2FA) on every account. Just because your admin account has an amazing hacker-proof password doesn’t mean all of your accounts do. 2FA relies on a second step, like sending a text to a smartphone, to authenticate a password, which makes it helpful against potential threats.
2. Limit brute force login attempts with Jetpack Protect. One thing can be said about hackers is that they never really give up if they want something. Thankfully, Jetpack’s security features – Jetpack Protect, for instance – allows you to limit the number of times that someone can unsuccessfully login to your site. And if you’re worried about forgetful customers getting locked out, you can also whitelist IP addresses.
3. Use (trusted) security plugins to scan your site. As long as the plugin is from a trusted source (look for good reviews from users and that it’s verified with your version of WordPress – and frequently updated), you shouldn’t have to worry too much, just make sure to keep it updated and implement the other security measures. Don’t just rely on a plugin.
We’re not saying that your passwords need to be a version of the chess game from War Games in order to be successful, but they do need a level of complexity more than adding your birth year to your favorite child’s initials.
Make sure your admin accounts (which shouldn’t be called “admin” as a username) and each individual account associated with your site have complex and lengthy passwords. Encourage your users in as many ways as possible to beef up their passwords, too.
Finally, it’s okay to trust WordPress to do their job, but you can’t forget to stay vigilant on your end. Not to say that hackers are lurking behind every bush, but hey, if Hollywood is anything to go by, crazier things have happened.