WooCommerce security is a partnership between a hosting provider and a hosting client. The client is responsible for updating their store and for taking care over which plugins and themes they install. But that’s only part of the work involved in keeping a WooCommerce store safe.
A hosting provider and their platform play a pivotal role, but what exactly does a hosting provider do to make sure attacks against a store are repelled?
Security All The Way Down
A WooCommerce store depends on a stack of software and hardware that is almost entirely hidden from view. WooCommerce hosting clients update WooCommerce and its plugins and themes, but they don’t — and usually can’t — update the software or hardware that WooCommerce depends on. That is the responsibility of the hosting provider, and some providers don’t take it seriously.
To give you an idea of the software a WooCommerce store may depend on, here’s a partial list: MySQL, PHP, Apache or Nginx, the Linux kernel, dozens of software libraries and tools that are part of the Linux operating system, ancillary network services such as SSH and FTP, caching software like Varnish or Redis, cloud software including a container management platform, orchestration tools, and more.
A bug in any of this software can introduce a security vulnerability. The web hosting provider has to understand the risks and mitigate them by designing a secure platform and keeping software up-to-date.
The goal of web security is to make it as hard as possible for an attacker to breach the network and steal data and resources. Keeping software up-to-date is part of that, but a great WooCommerce hosting provider also deploys tools that block attacks before they get anywhere near WooCommerce.
Firewalls are the network’s first line of defense. Nexcess provides two types of firewalls on WooCommerce accounts: a packet-filtering firewall that blocks potentially dangerous connections and a web application firewall (WAF). The WAF, which is called ModSecurity, stops attacks that are directed against WordPress and WooCommerce. It can filter many common types of attack, including brute-force attacks, cross-site scripting attacks, and SQL injection attacks.
WooCommerce hosting clients who use a dedicated server or a cluster of servers sometimes need to allow a developer or other professional to access their hosting environment.
Traditionally, access is granted by creating an FTP account for the developer. They may also need to access the server using tools that rely on an HTTP connection. Neither protocol is secure by default: they don’t encrypt data as it travels over the internet. That’s why Nexcess provides OpenVPN protection for dedicated and clustered hosting clients.
It might not seem as if customer support is an important part of WooCommerce security. But if your WooCommerce site has a security issue or you have a security question, you need someone to turn to, someone who understands the problem and knows how to fix it. You don’t want to wait hours or days for a response to a vital security question, so round-the-clock support from professionals who respond quickly makes a big difference.
When you choose a WordPress or WooCommerce hosting provider, make sure they prioritize security and have the expertise to build a platform that can keep WooCommerce stores safe.