There are a few important security measures I would recommend for any WooCommerce website, based on the experiences I’ve had at Universal Yums and running other ecommerce websites.
Two Factor Authentication
Most WordPress and WooCommerce breaches start with compromised credentials. Attackers gain access through weak passwords, reused credentials from other sites, or phishing schemes.
The most effective control against all three is two-factor authentication (2FA): a stolen, guessed or reused password is no longer enough on its own to log in. For WordPress sites, I recommend the Two-Factor plugin. It’s free, actively maintained by WordPress Core contributors, and supports email codes, time-based one-time passwords (TOTP) via apps like Authy or Google Authenticator, and backup codes. Prefer TOTP over email codes for administrators: an attacker who has phished their way into the mailbox receives the email code too.
At Universal Yums, we require anyone with elevated permissions to have 2FA enabled before we upgrade their role from “Contributor”. We also have custom code that prevents 2FA from being disabled once it is set.
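One way to implement both rules (no elevated role without 2FA, and no turning 2FA off once it is on) with the Two-Factor plugin’s public API. This is an illustrative mu-plugin written for this article, not Universal Yums’ own code; it assumes the Two-Factor plugin is active (class Two_Factor_Core), and the role list, function names and the `uyx_` prefix are placeholders.

```php
<?php
/**
 * Plugin Name: Example: require and lock 2FA for elevated roles
 * Put this in wp-content/mu-plugins/ so it cannot be deactivated from wp-admin.
 * Illustrative code for this article; assumes the Two-Factor plugin is active.
 */

// Roles that may exist without 2FA (assumed list). Everything else counts as elevated.
const UYX_ROLES_WITHOUT_2FA = array( 'subscriber', 'customer', 'contributor' );

function uyx_role_is_elevated( $role ) {
	return '' !== $role && ! in_array( $role, UYX_ROLES_WITHOUT_2FA, true );
}

function uyx_user_has_2fa( $user_id ) {
	return class_exists( 'Two_Factor_Core' )
		&& Two_Factor_Core::is_user_using_two_factor( $user_id );
}

/**
 * Refuse to promote a user who has not enrolled in 2FA. set_user_role fires after the
 * new role has already been written, so the change is reverted. This one hook covers
 * the profile screen, the REST API and WP-CLI alike.
 */
function uyx_block_promotion_without_2fa( $user_id, $role, $old_roles ) {
	if ( ! uyx_role_is_elevated( $role ) || uyx_user_has_2fa( $user_id ) ) {
		return;
	}
	$fallback = ( ! empty( $old_roles ) && ! uyx_role_is_elevated( $old_roles[0] ) )
		? $old_roles[0] : 'contributor';

	// set_role() fires set_user_role again; detach this callback while reverting.
	remove_action( 'set_user_role', 'uyx_block_promotion_without_2fa', 10 );
	$user = get_user_by( 'id', $user_id );
	if ( $user ) {
		$user->set_role( $fallback );
	}
	add_action( 'set_user_role', 'uyx_block_promotion_without_2fa', 10, 3 );

	error_log( sprintf( 'Refused role "%s" for user %d: 2FA not enabled, kept "%s".', $role, $user_id, $fallback ) );
}
add_action( 'set_user_role', 'uyx_block_promotion_without_2fa', 10, 3 );

/**
 * Once 2FA is on, keep it on. Two-Factor stores the enabled providers and the primary
 * provider in user meta; "disable 2FA" is an update to an empty value or a delete of
 * those keys. Returning a non-null value from the *_user_metadata filters short-circuits
 * the write, so the stored value stays as it was.
 */
function uyx_is_2fa_meta_key( $meta_key ) {
	return class_exists( 'Two_Factor_Core' ) && in_array( $meta_key, array(
		Two_Factor_Core::ENABLED_PROVIDERS_USER_META_KEY, // '_two_factor_enabled_providers'
		Two_Factor_Core::PROVIDER_USER_META_KEY,          // '_two_factor_provider'
	), true );
}

// Break-glass path for a lost phone: only an operator on the server (WP-CLI) may turn 2FA off.
function uyx_break_glass_allowed() {
	return defined( 'WP_CLI' ) && WP_CLI;
}

function uyx_lock_2fa_update( $check, $user_id, $meta_key, $meta_value ) {
	if ( ! uyx_is_2fa_meta_key( $meta_key ) || uyx_break_glass_allowed() ) {
		return $check;
	}
	// Enabling or switching providers (non-empty value) is fine; emptying them out is not.
	if ( ! empty( $meta_value ) || ! uyx_user_has_2fa( $user_id ) ) {
		return $check;
	}
	error_log( sprintf( 'Blocked attempt to disable 2FA (%s) for user %d by user %d.', $meta_key, $user_id, get_current_user_id() ) );
	return false; // short-circuit: meta left unchanged
}
add_filter( 'update_user_metadata', 'uyx_lock_2fa_update', 10, 4 );

function uyx_lock_2fa_delete( $delete, $user_id, $meta_key ) {
	if ( ! uyx_is_2fa_meta_key( $meta_key ) || uyx_break_glass_allowed() || ! uyx_user_has_2fa( $user_id ) ) {
		return $delete;
	}
	error_log( sprintf( 'Blocked deletion of %s for user %d by user %d.', $meta_key, $user_id, get_current_user_id() ) );
	return false; // short-circuit: nothing deleted
}
add_filter( 'delete_user_metadata', 'uyx_lock_2fa_delete', 10, 3 );
```

The lock only holds while the Two-Factor plugin itself is active; an administrator who can deactivate it removes the check entirely. Loading Two-Factor from mu-plugins through a small loader file, rather than from the normal plugins directory, closes that path, and a user who really has lost their device is reset from the server with WP-CLI rather than from wp-admin.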
Proper Role Scoping
If you have a team that manages different aspects of the WooCommerce website, assign each person the narrowest role that covers what they actually manage. WooCommerce adds a “Shop Manager” role out of the box with broad access to orders, products, coupons, and WooCommerce settings. For many teams, this is more access than most users need.
At Universal Yums, we have custom roles tailored to what each team actually needs:
- Customer Experience needs to edit orders and subscriptions, but doesn’t need manage_woocommerce or access to payment gateway settings.
- Marketing needs to edit certain site options and forms, but doesn’t need user management capabilities.
This limits what an attacker can do with a compromised account. It also helps prevent unintended mistakes, like a customer support team member accidentally setting the payment processor to sandbox mode.
A few practical tips:
- Audit existing roles – Use a plugin like User Role Editor, or `wp cap list <role>` from WP-CLI, to see exactly which capabilities each role has.
- Create specific roles – Rather than giving everyone Shop Manager, create roles like “Order Manager” or “Product Editor” with only the capabilities required.
- Remove manage_options where possible – This capability grants access to the WordPress Settings screens, including wp-admin/options.php, which exposes every option in the database, and it is often given unnecessarily. Code on a custom admin page can still call get_option() and update_option() without it.
- Be careful with unfiltered_html – This lets a user save raw HTML, including <script> tags, in posts, pages and product descriptions, so a compromised account with it has a stored-XSS foothold against everyone who views that content. Only give it to users who genuinely need it for embedding content; defining DISALLOW_UNFILTERED_HTML in wp-config.php removes it from every role, administrators included.
- Review capabilities periodically – As your team and tools change, permissions often become stale. What someone needed a year ago may not match their current responsibilities.
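A worked version of the “Order Manager” suggestion above, as an added example written for this article rather than Universal Yums’ own roles. It assumes WooCommerce is active, and the capability names are the ones WooCommerce registers for its shop_order post type (as of recent versions, `edit_others_shop_orders` is also what unlocks the top-level WooCommerce menu, while Settings stays behind `manage_woocommerce`). The `uyx_` names and the version option are placeholders.

```php
<?php
/**
 * Plugin Name: Example: "Order Manager" role with order capabilities only
 * Illustrative mu-plugin for this article; assumes WooCommerce is active.
 */

const UYX_ORDER_MANAGER_ROLE    = 'order_manager';
const UYX_ORDER_MANAGER_VERSION = '1'; // bump when the capability list changes

/** Capabilities the role gets. Anything not listed is denied. */
function uyx_order_manager_caps() {
	return array(
		'read'                       => true, // wp-admin dashboard access
		// Order list, open/edit an order, change status, add notes:
		'edit_shop_order'            => true,
		'read_shop_order'            => true,
		'edit_shop_orders'           => true,
		'edit_others_shop_orders'    => true, // also gates the WooCommerce admin menu
		'edit_private_shop_orders'   => true,
		'edit_published_shop_orders' => true,
		'publish_shop_orders'        => true,
		'read_private_shop_orders'   => true,
		// Deliberately absent: delete_*_shop_orders, manage_woocommerce (Settings, incl.
		// payment gateways), manage_options, edit_users/promote_users, unfiltered_html.
	);
}

/** Capabilities that must never end up on this role, even if a plugin or a hand edit adds them. */
function uyx_order_manager_denied_caps() {
	return array(
		'manage_woocommerce', 'manage_options', 'unfiltered_html',
		'edit_users', 'promote_users', 'install_plugins', 'edit_plugins',
	);
}

/**
 * Roles live in the wp_user_roles option, so creating one is a one-time write rather
 * than something to repeat on every request. add_role() returns null when the role
 * already exists, so an existing role is reconciled instead of silently skipped.
 */
function uyx_sync_order_manager_role() {
	$wanted = uyx_order_manager_caps();
	$role   = get_role( UYX_ORDER_MANAGER_ROLE );
	if ( null === $role ) {
		add_role( UYX_ORDER_MANAGER_ROLE, 'Order Manager', $wanted );
		return;
	}
	foreach ( $wanted as $cap => $grant ) {
		if ( $grant && ! $role->has_cap( $cap ) ) {
			$role->add_cap( $cap );
		}
	}
	foreach ( uyx_order_manager_denied_caps() as $cap ) {
		if ( $role->has_cap( $cap ) ) {
			$role->remove_cap( $cap );
		}
	}
}

// mu-plugins have no activation hook; a version option keeps this to one sync per change.
function uyx_maybe_sync_order_manager_role() {
	if ( get_option( 'uyx_order_manager_role_version' ) === UYX_ORDER_MANAGER_VERSION ) {
		return;
	}
	uyx_sync_order_manager_role();
	update_option( 'uyx_order_manager_role_version', UYX_ORDER_MANAGER_VERSION );
}
add_action( 'init', 'uyx_maybe_sync_order_manager_role' );
```

After deploying, check the result with `wp cap list order_manager` and log in as a test user with the role: the WooCommerce > Orders screen should work, WooCommerce > Settings should not appear, and the Users and Plugins menus should be absent.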
Monitor Role Changes
Even with proper role scoping, you need visibility into when privileges change. At Universal Yums, we send a Slack alert to our engineering channel whenever a user’s role changes to anything other than “customer” or “subscriber.” This catches both legitimate promotions (so the team knows who has access) and potential attacks (an attacker who compromises an admin account and tries to elevate another account).
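The alerting hook described above, as an added example for this article; it is not Universal Yums’ implementation. It assumes a Slack incoming-webhook URL defined as `UYX_SLACK_WEBHOOK_URL` in wp-config.php (kept out of the database and out of version control); the `uyx_` names and the quiet-role list are placeholders.

```php
<?php
/**
 * Plugin Name: Example: Slack alert on privilege changes
 * Illustrative mu-plugin for this article. Assumes wp-config.php defines:
 *   define( 'UYX_SLACK_WEBHOOK_URL', 'https://hooks.slack.com/services/...' );
 */

// Changes to these roles are routine (every new customer gets one) and are not reported.
const UYX_QUIET_ROLES = array( 'customer', 'subscriber' );

/** Build the alert text: who changed, from what to what, by whom, from where. */
function uyx_describe_role_change( $user_id, $new_role, $old_roles, $verb ) {
	$user  = get_user_by( 'id', $user_id );
	$login = $user ? $user->user_login : "#{$user_id}";

	// get_current_user_id() is 0 for WP-CLI, cron and code paths with no session; say so,
	// because an unexpected "nobody" promoting an admin is exactly what you want to see.
	$actor_id   = get_current_user_id();
	$actor_user = $actor_id ? get_user_by( 'id', $actor_id ) : false;
	$by         = $actor_user ? "{$actor_user->user_login} (#{$actor_id})" : 'no logged-in user (WP-CLI, cron or code)';

	$ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'n/a';
	$from = $old_roles ? implode( ',', $old_roles ) : '(none)';

	return sprintf( ':rotating_light: %s: user %s %s %s -> %s, by %s from %s',
		home_url(), $login, $verb, $from, $new_role, $by, $ip );
}

function uyx_post_to_slack( $text ) {
	if ( ! defined( 'UYX_SLACK_WEBHOOK_URL' ) ) {
		error_log( 'uyx role alert: ' . $text ); // fall back to the PHP error log
		return;
	}
	wp_remote_post( UYX_SLACK_WEBHOOK_URL, array(
		'headers'  => array( 'Content-Type' => 'application/json' ),
		'body'     => wp_json_encode( array( 'text' => $text ) ),
		'timeout'  => 5,
		'blocking' => false, // don't hold up the admin request; delivery is best-effort
	) );
}

// WP_User::set_role() replaces the role set; this covers the profile screen, REST and WP-CLI.
function uyx_alert_on_set_role( $user_id, $role, $old_roles ) {
	if ( in_array( $role, UYX_QUIET_ROLES, true ) ) {
		return;
	}
	uyx_post_to_slack( uyx_describe_role_change( $user_id, $role, $old_roles, 'role set' ) );
}
add_action( 'set_user_role', 'uyx_alert_on_set_role', 10, 3 );

// WP_User::add_role() appends a second role without firing set_user_role; watch it too.
function uyx_alert_on_add_role( $user_id, $role ) {
	if ( in_array( $role, UYX_QUIET_ROLES, true ) ) {
		return;
	}
	uyx_post_to_slack( uyx_describe_role_change( $user_id, $role, array(), 'role added' ) );
}
add_action( 'add_user_role', 'uyx_alert_on_add_role', 10, 2 );
```

Because an attacker holding an administrator account can deactivate ordinary plugins, this belongs in mu-plugins, which wp-admin cannot switch off. A second, independent signal (for example a nightly `wp user list --role=administrator` compared against a known list) catches the case where the alert itself was suppressed.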
Magic Login Links
I like using Magic Links (email or SMS) as the default way for customers to access their WooCommerce account. It reduces purchase friction and also has security benefits. We use Magic Login Pro by Handy Plugins for this functionality.
When a new customer makes a purchase at Universal Yums, we automatically create an account for them in the background (with a secure password), since most customers need an account to manage their subscription. When a customer returns to log in or make a new purchase, we offer magic links as the default login method. We also generate magic links for email notifications when a renewal payment fails, so a customer can quickly pay without login friction.
Unfortunately, we know that some customers still reuse passwords across sites. Every time there is a big password breach, we see attackers attempting logins with the breached credentials. Magic links as the default help here because a customer who has never chosen a password on our site has nothing in common with a breached email/password pair: the account’s password is the generated one, so the stuffed credentials do not match, and getting in would also require control of the customer’s email account.
Disable xmlrpc.php to Prevent Brute Force Attacks
The xmlrpc.php endpoint is a legacy part of WordPress that allows remote publishing and pingbacks—but it’s also a target for attackers. Using system.multicall, an attacker can attempt hundreds of password guesses in a single request, effectively bypassing normal login rate limits.
Most WooCommerce sites don’t need XML-RPC at all, since the REST API has replaced it. The exceptions are Jetpack, which still connects over XML-RPC, and older publishing clients; unless you rely on one of those, disabling it removes an unnecessary attack surface with no downside.
Add this to a small must-use plugin (preferred: it loads before themes and plugins and cannot be deactivated from wp-admin) or, failing that, your theme’s functions.php:
// Refuse every XML-RPC method that requires a login, which is what the brute-force path needs.
add_filter( 'xmlrpc_enabled', '__return_false' );
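One caveat a practitioner will want: the xmlrpc_enabled filter only switches off the methods that require authentication. Methods that need no login, pingback.ping in particular, are still served, and pingbacks make your server fetch an attacker-chosen URL, which has been abused for reflected DDoS against third parties. The fuller mu-plugin below is an added example for this article, not the author’s code; it uses only core WordPress filters and assumes nothing beyond a standard install.

```php
<?php
/**
 * Plugin Name: Example: disable XML-RPC, including unauthenticated pingbacks
 * Illustrative mu-plugin for this article; core filters only.
 */

// 1. Refuse every XML-RPC method that requires a login. Each call inside a
//    system.multicall batch now fails before any password is checked.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. xmlrpc_enabled does not touch login-free methods. Remove the pingback
//    methods from the table the server dispatches on.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// 3. Stop advertising the endpoint: WordPress sends an X-Pingback header on
//    singular pages, and themes print <link rel="pingback"> when pings_open() is true.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
add_filter( 'pings_open', '__return_false' );
```

Verify with a POST of `<methodCall><methodName>system.listMethods</methodName></methodCall>` to /xmlrpc.php: the pingback methods should be gone from the list, and any wp.* method should answer with the “XML-RPC services are disabled on this site” fault. If you would rather the requests never reach PHP at all, deny /xmlrpc.php at the web server or in a Cloudflare rule as well.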
Cloudflare Protection
A CDN like Cloudflare adds a security layer before traffic even reaches your server. At Universal Yums, we use Cloudflare rules to put managed challenges on /wp-login.php and /wp-admin/*. This also allows us to limit access by specific rules like country or IP address, helping to prevent automated brute force attempts against the admin area. The layer only counts if the origin is not reachable around it, so restrict inbound traffic at the origin to Cloudflare’s published IP ranges (or use Authenticated Origin Pulls), otherwise an attacker who finds the origin address simply skips the challenge.
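The two rules described above, written out in Cloudflare’s WAF custom-rule expression language, as an added example for this article rather than Universal Yums’ actual configuration. The first expression goes on a rule with the action set to Managed Challenge; the second, on a rule with the action set to Block, shows the country and IP restriction. The country list and the two IP ranges (RFC 5737 documentation addresses) are placeholders; `ip.src.country` appears in older Cloudflare docs as `ip.geoip.country`.

```text
(http.request.uri.path eq "/wp-login.php")
or (
  starts_with(http.request.uri.path, "/wp-admin/")
  and not starts_with(http.request.uri.path, "/wp-admin/admin-ajax.php")
)

(
  (http.request.uri.path eq "/wp-login.php")
  or starts_with(http.request.uri.path, "/wp-admin/")
)
and not ip.src.country in {"US" "CA"}
and not ip.src in {203.0.113.10 198.51.100.0/24}
```

The admin-ajax.php exclusion in the first rule matters for a store: WooCommerce’s front end (cart fragments, checkout) calls /wp-admin/admin-ajax.php for logged-out shoppers, and a challenge on that path breaks the cart rather than the attacker. Test the rules by loading the cart and completing a checkout as a logged-out customer from a challenged country before relying on them.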