Is WordPress safe? Is WooCommerce secure? These are the two questions I field a lot when first discussing how we build our websites. It’s great that this question comes up. It’s really important. Taking ecommerce security seriously is something that often comes after the fact.
[notice]UPDATE: This article was first written in 2012. A lot has happened since then, so the whole article has been amended to ensure accuracy.[/notice]
These articles never end with a yes or no. If only things were that simple. The answer is a yes, but. I’ll be going through the but.
Expect the best. Prepare for the worst. Capitalize on what comes.
A quick word on Open Source Security
Windows is the most targeted OS. Android the most targeted mobile platform. WordPress is attacked in the same way. It’s big and successful. Over 23% of the web uses WordPress. That’s a lot of sites.
Therefore the chances of finding someone with lax security measures is all the more easier. It doesn’t mean it is more vulnerable as a platform. The malicious hackers are just playing a game of scale. Playing the odds.
Open Source is not insecure because the codebase is freely available. The opposite is true. Because it is in the public domain, vulnerabilities are patched at a significantly higher rate than Closed Source alternatives.
WooThemes work closely with WordPress security professionals Sucuri who audit their work. They check and plug vulnerabilities. You can read more about the security updates here.. It’s been given the green light. The code is secure.
Likewise WordPress is constantly and thoroughly checked.
Making your site secure
The code is safe, but if you don’t follow best practices you increase the security risk. Here are the main considerations you should check when going through your checklist:
- Secure Hosting
- Update Core and Plugins
- PCI Compliance
- SSL Certificate
- WordPress Security
Good hosting is your first line of defence. Blocking out the automatic bots that crawl the internet looking for vulnerabilities to capitalise on.
There are a number of WordPress hosts that will implement defensive security measures to keep your site safe. We use WP Engine for our clients and can’t recommend it enough.
Make sure you consider regular updates to your site plugins and core files. If there are any bugs then they are patched quickly. Make sure you are updated to keep your site safe.
If you are taking payment on your site then you must be PCI compliant. If you use a HOP (Hosted Order Page) then the payment is taken on the payment providers website and the liability is massively reduced. If you are taking card details on your own checkout then you are required to have more measures in place to secure your site.
HTTPS / SSL
If you are taking payment on your checkout then the PCI compliance will require you to have an SSL certificate. This means the site is loaded over HTTPS and the traffic is encrypted. Customers are also aware that this is used to encrypt data and it has the added benefit of building trust (and increasing sales!) with your visitors.
We have written a guide on setting up WooCommerce SSL on WP Engine here.
There are some quick wins to harden your security within WordPress, such as not using admin as a username, using strong passwords, limiting logins and much more.
WooThemes have a good guide here which run through suggested measures.
In this instance, make sure you have regular backups. In case your site goes down, you can be confident in restoring a saved version of your site.
Prepare for the worst.