Why Security Matters in WooCommerce
In 2023, ecommerce sites experienced a 40% increase in targeted attacks. WooCommerce stores, being popular targets, need robust security measures beyond basic WordPress hardening.
1. Advanced Authentication Security
Implement 2FA with Recovery Codes
function implement_2fa_authentication() {
if (!class_exists('RobThree\\Auth\\TwoFactorAuth')) {
require_once 'vendor/autoload.php';
}
$tfa = new RobThree\Auth\TwoFactorAuth('WooStore');
$secret = $tfa->createSecret();
// Generate recovery codes
$recovery_codes = array_map(function() {
return bin2hex(random_bytes(8));
}, range(1, 8));
return [
'secret' => $secret,
'qr_code' => $tfa->getQRCodeImageAsDataUri('Store', $secret),
'recovery_codes' => $recovery_codes
];
}2. Enhanced Payment Security
PCI Compliance Implementation
function secure_payment_fields() {
// Remove sensitive data from logs
add_filter('woocommerce_logging_payment_fields', function($fields) {
unset($fields['card_number']);
unset($fields['card_cvc']);
return $fields;
});
// Implement field encryption
add_filter('woocommerce_payment_fields', function($fields) {
foreach ($fields as &$field) {
if (in_array($field['id'], ['card-number', 'card-cvc'])) {
$field['custom_attributes']['data-encrypt'] = 'true';
}
}
return $fields;
});
}3. Advanced XSS Protection
Content Security Policy Implementation
function implement_csp_headers() {
$csp = array(
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"connect-src 'self' https://api.stripe.com",
"frame-src 'self' https://js.stripe.com",
"form-action 'self'",
"frame-ancestors 'none'"
);
header("Content-Security-Policy: " . implode('; ', $csp));
}
add_action('send_headers', 'implement_csp_headers');4. Database Security Hardening
Implement Prepared Statements
function get_secure_order_data($order_id) {
global $wpdb;
$query = $wpdb->prepare("
SELECT * FROM {$wpdb->prefix}wc_order_stats
WHERE order_id = %d
AND status NOT IN ('trash', 'refunded')
", $order_id);
return $wpdb->get_row($query);
}5. File Upload Security
Secure Media Handling
function secure_product_uploads($upload) {
// Validate file type
$allowed_types = ['jpg', 'jpeg', 'png', 'webp'];
$file_type = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
if (!in_array($file_type, $allowed_types)) {
return new WP_Error('invalid_file', 'Invalid file type');
}
// Scan for malware
if (function_exists('cl_file_scan')) {
$scan_result = cl_file_scan($upload['tmp_name']);
if (!$scan_result->is_safe) {
return new WP_Error('malware_detected', 'File appears to be malicious');
}
}
return $upload;
}
add_filter('wp_handle_upload_prefilter', 'secure_product_uploads');6. API Security
JWT Implementation for REST API
function secure_api_endpoints() {
add_filter('rest_authentication_errors', function($result) {
if (true === $result || is_wp_error($result)) {
return $result;
}
if (!is_user_logged_in()) {
return new WP_Error(
'rest_not_logged_in',
'You are not currently logged in.',
['status' => 401]
);
}
return $result;
});
}
function generate_jwt_token($user_id) {
$secret_key = defined('JWT_AUTH_SECRET_KEY') ? JWT_AUTH_SECRET_KEY : false;
if (!$secret_key) {
return new WP_Error('jwt_missing_secret', 'JWT secret key is not defined');
}
$issuedAt = time();
$expire = $issuedAt + (DAY_IN_SECONDS * 7);
$token = array(
'iss' => get_bloginfo('url'),
'iat' => $issuedAt,
'nbf' => $issuedAt,
'exp' => $expire,
'data' => array(
'user' => array(
'id' => $user_id
)
)
);
return JWT::encode($token, $secret_key);
}7. Session Security
Secure Session Management
function enhance_session_security() {
// Regenerate session ID periodically
add_action('wp_login', function() {
if (session_status() === PHP_SESSION_ACTIVE) {
session_regenerate_id(true);
}
});
// Set secure session cookies
add_filter('woocommerce_session_cookie_secure', '__return_true');
add_filter('woocommerce_cookie_secure', '__return_true');
// Implement session fixation protection
add_action('init', function() {
if (!is_user_logged_in() && isset($_COOKIE[WC_COOKIE])) {
unset($_COOKIE[WC_COOKIE]);
setcookie(WC_COOKIE, '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN);
}
});
}Security Monitoring Implementation
Set Up Security Logging
function setup_security_monitoring() {
// Monitor failed login attempts
add_action('wp_login_failed', function($username) {
$ip = $_SERVER['REMOTE_ADDR'];
error_log(sprintf(
'Failed login attempt for user %s from IP %s',
$username,
$ip
));
// Check for brute force attempts
$attempts = get_transient('login_attempts_' . $ip) ?: 0;
if ($attempts > 5) {
wp_insert_post([
'post_type' => 'security_log',
'post_title' => 'Possible Brute Force Attack',
'post_content' => sprintf(
'Multiple failed login attempts from IP %s',
$ip
),
'post_status' => 'publish'
]);
}
set_transient('login_attempts_' . $ip, ++$attempts, HOUR_IN_SECONDS);
});
}Conclusion
Security is an ongoing process that requires regular updates and monitoring. Implement these measures in stages, test thoroughly, and maintain regular security audits to ensure your WooCommerce store remains protected against evolving threats.