WordPress Security for WooCommerce Stores
WooCommerce stores handle sensitive payment and customer data. Learn essential security measures for protecting your online store and maintaining PCI compliance.
WooCommerce powers millions of online stores, making it a prime target for attackers. With payment data, customer information, and business-critical operations at stake, WooCommerce security requires extra attention beyond standard WordPress hardening.
WooCommerce Security Priorities
- Payment data - PCI DSS compliance required
- Customer information - Personal and address data
- Order history - Transaction records
- Admin access - Store management capabilities
- Inventory data - Business-critical information
PCI DSS Compliance
Never Store Card Data
```php
// Always use payment gateways that handle card data
// Never store full card numbers in your database
// Acceptable: Tokenized payment methods
function use_tokenized_payments( $gateway_response ) {
    // Stripe, PayPal, Square handle PCI compliance
    // They return tokens, not card numbers
    // Store only the non-sensitive fields the gateway returns:
    $safe_payment_data = array(
        'transaction_id' => $gateway_response['id'],
        'last_four'      => $gateway_response['card_last4'],
        'card_brand'     => $gateway_response['card_brand'],
        'payment_date'   => current_time( 'mysql' ),
        // Never store full card number, CVV, or expiry
    );
    return $safe_payment_data;
}

// Remove any accidentally stored card data
function audit_for_card_data() {
    global $wpdb;
    // Search for potential card number patterns (13 to 19 digit runs).
    // This is a coarse heuristic: tracking numbers and other long IDs
    // also match, so every hit needs manual review.
    $results = $wpdb->get_results(
        "SELECT meta_id, meta_key, meta_value
         FROM {$wpdb->postmeta}
         WHERE meta_value REGEXP '[0-9]{13,19}'
         AND meta_key NOT LIKE '%phone%'"
    );
    if ( ! empty( $results ) ) {
        // Alert the administrator. Send only the count, never the matched
        // values, so possible card data is not copied into email.
        wp_mail(
            get_option( 'admin_email' ),
            'URGENT: Potential card data found',
            count( $results ) . ' postmeta rows contain possible card numbers. Please review and remove any card data immediately.'
        );
    }
}
```
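The SQL pattern above flags every 13 to 19 digit run, so order numbers and tracking codes will trip it as well. As an added example (not code from the original article), the following Python script shows how an offline review of an exported `wp_postmeta` table can apply the Luhn mod-10 check to cut those false positives, and masks every hit before it is written to a report; the rows are constructed and use public test card numbers.

```python
import re

# Constructed sample rows (meta_key, meta_value) in the shape of an exported
# wp_postmeta table. The card-like numbers are public test numbers, not real PANs.
SAMPLE_ROWS = [
    ("_billing_phone", "555-0199-1234567890"),       # phone field: excluded by key
    ("_order_number", "1234567890123"),               # 13 digits but fails Luhn
    ("_transaction_id", "4111111111111111"),          # a PAN stored where a token belongs
    ("_customer_note", "paid with 4012 8888 8888 1881"),  # PAN typed into a free-text note
    ("_card_last4", "1881"),                          # what should be stored
]

# Same heuristic as the SQL REGEXP in the audit function.
DIGIT_RUN = re.compile(r"[0-9]{13,19}")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself holds no PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pan_candidates(rows):
    """Return (meta_key, masked_value) for values that look like real card numbers."""
    hits = []
    for key, value in rows:
        if "phone" in key:
            continue
        # Collapse spaces and dashes so a formatted number is examined as one run.
        compact = re.sub(r"[ -]", "", value)
        for match in DIGIT_RUN.finditer(compact):
            run = match.group(0)
            if luhn_ok(run):
                hits.append((key, mask(run)))
    return hits


if __name__ == "__main__":
    for key, masked in find_pan_candidates(SAMPLE_ROWS):
        print(f"{key}: {masked}")
```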
Checkout Security
Force HTTPS for Checkout
```php
// Force SSL for WooCommerce pages
add_action( 'template_redirect', function () {
    if ( ! is_ssl() && ( is_checkout() || is_account_page() || is_cart() ) ) {
        // Build the target from the configured site host rather than the
        // request's Host header, and use wp_safe_redirect() so the redirect
        // cannot be pointed at another host.
        $path = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '/';
        $host = wp_parse_url( home_url(), PHP_URL_HOST );
        wp_safe_redirect( 'https://' . $host . $path, 301 );
        exit;
    }
} );
// WooCommerce setting
add_filter( 'woocommerce_force_ssl_checkout', '__return_true' );
```
Secure Checkout Forms
```php
// Add additional checkout security
// wpfs_get_client_ip() is the plugin's helper for the client IP address;
// a minimal version is included here so the snippet runs stand-alone.
if ( ! function_exists( 'wpfs_get_client_ip' ) ) {
    function wpfs_get_client_ip() {
        // REMOTE_ADDR is the only value the web server itself vouches for;
        // X-Forwarded-For is client-controlled unless a trusted proxy sets it.
        return isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : '0.0.0.0';
    }
}

function secure_woocommerce_checkout() {
    // Rate limit checkout attempts
    $ip       = wpfs_get_client_ip();
    $key      = 'checkout_attempts_' . md5( $ip );
    $attempts = (int) get_transient( $key ); // false becomes 0
    if ( $attempts >= 10 ) { // 10 attempts per hour
        wc_add_notice( 'Too many checkout attempts. Please try again later.', 'error' );
        return;
    }
    // Each attempt refreshes the one-hour expiry of the counter.
    set_transient( $key, $attempts + 1, HOUR_IN_SECONDS );
}
add_action( 'woocommerce_before_checkout_process', 'secure_woocommerce_checkout' );

// Validate checkout nonce. woocommerce_checkout_process is an action whose
// return value is ignored, so the failure is reported through wc_add_notice(),
// which stops the checkout. WooCommerce verifies this nonce itself; this is
// a defence-in-depth check.
function validate_checkout_nonce() {
    $nonce = isset( $_POST['woocommerce-process-checkout-nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['woocommerce-process-checkout-nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'woocommerce-process_checkout' ) ) {
        wc_add_notice( 'Security verification failed. Please refresh and try again.', 'error' );
    }
}
add_action( 'woocommerce_checkout_process', 'validate_checkout_nonce' );
```
Customer Account Security
```php
// Strengthen WooCommerce passwords
function woocommerce_password_strength( $strength ) {
    return 3; // Require strong passwords (0=weak, 3=strong)
}
add_filter( 'woocommerce_min_password_strength', 'woocommerce_password_strength' );

// Add login rate limiting for customers
function limit_customer_login_attempts( $user, $username, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    $ip     = wpfs_get_client_ip(); // plugin helper returning the client IP
    $failed = (int) get_transient( 'failed_login_' . md5( $ip . $username ) );
    if ( $failed >= 5 ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again in 30 minutes.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'limit_customer_login_attempts', 30, 3 );

// Count failures; without this the counter checked above never increases.
// The 30-minute expiry matches the message shown to the user.
function record_failed_login( $username ) {
    $key    = 'failed_login_' . md5( wpfs_get_client_ip() . $username );
    $failed = (int) get_transient( $key );
    set_transient( $key, $failed + 1, 30 * MINUTE_IN_SECONDS );
}
add_action( 'wp_login_failed', 'record_failed_login' );

// Secure customer data access
function restrict_customer_data_access( $query ) {
    if ( ! is_admin() && is_user_logged_in() && $query->is_main_query() ) {
        // Customers can only view their own orders. WooCommerce records the
        // customer in the _customer_user meta key, not as the post author.
        // Note: stores using High-Performance Order Storage keep orders outside
        // wp_posts, where pre_get_posts does not apply.
        if ( $query->get( 'post_type' ) === 'shop_order' ) {
            $query->set( 'meta_query', array(
                array(
                    'key'   => '_customer_user',
                    'value' => get_current_user_id(),
                ),
            ) );
        }
    }
}
add_action( 'pre_get_posts', 'restrict_customer_data_access' );
```
Admin Security
```php
// Restrict shop manager capabilities
function secure_shop_manager_role() {
    $role = get_role( 'shop_manager' );
    if ( ! $role ) {
        return; // Role not registered (WooCommerce inactive)
    }
    // Remove potentially dangerous capabilities.
    // Capabilities are persisted, and remove_cap() is idempotent.
    $role->remove_cap( 'unfiltered_html' );
    $role->remove_cap( 'edit_theme_options' );
    $role->remove_cap( 'manage_options' );
}
add_action( 'init', 'secure_shop_manager_role' );

// Create the audit table once, on activation (this code is assumed to live
// in the plugin's main file). Columns match the $log keys used below.
function create_order_audit_log_table() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table = $wpdb->prefix . 'wc_order_audit_log';
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        order_id bigint(20) unsigned NOT NULL,
        old_status varchar(32) NOT NULL,
        new_status varchar(32) NOT NULL,
        user_id bigint(20) unsigned NOT NULL,
        timestamp datetime NOT NULL,
        ip_address varchar(45) NOT NULL,
        PRIMARY KEY  (id),
        KEY order_id (order_id)
    ) {$wpdb->get_charset_collate()};" );
}
register_activation_hook( __FILE__, 'create_order_audit_log_table' );

// Log all order status changes
function log_order_status_changes( $order_id, $old_status, $new_status ) {
    $log = array(
        'order_id'   => $order_id,
        'old_status' => $old_status,
        'new_status' => $new_status,
        'user_id'    => get_current_user_id(), // 0 for gateway webhooks and cron
        'timestamp'  => current_time( 'mysql' ),
        'ip_address' => wpfs_get_client_ip(), // plugin helper
    );
    // Store in custom log table
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'wc_order_audit_log', $log );
}
add_action( 'woocommerce_order_status_changed', 'log_order_status_changes', 10, 3 );
```
Plugin Security
- Keep WooCommerce and extensions updated
- Only use extensions from trusted sources
- Review plugin permissions before installation
- Remove unused extensions
Security Checklist
- [ ] SSL certificate active on all pages
- [ ] PCI-compliant payment gateway
- [ ] Strong password requirements
- [ ] Login rate limiting enabled
- [ ] Admin 2FA enabled
- [ ] Order audit logging active
- [ ] Regular security scans
- [ ] Backups configured and tested
Conclusion
WooCommerce stores require enhanced security to protect customer data and maintain compliance. Use PCI-compliant payment gateways, enforce HTTPS, implement rate limiting, and maintain comprehensive audit logs.
Written by Sarah Chen
WP Folder Shield Team