It’s every small business owner’s worst nightmare: your WooCommerce website is hacked, sensitive customer information might be compromised, and you’re worried about losing your online store.
Although WooCommerce is great (and generally safe), it’s still susceptible to vulnerabilities that could make your website a target for hackers.
We’re sure you have tons of questions and concerns – and most importantly – you want to get this resolved ASAP!
In this guide, we’ll cover everything you need to know if you think your WooCommerce site is hacked, including:
- 7 Signs That Your WooCommerce Store Has Been Hacked
- “How Might This Impact My Website/Business?”
- “Are My Customers at Risk?”
- 5-Step Action Plan for a Hacked WooCommerce Website
- “Should I Tell My Customers?”
- “Why Did My WooCommerce Store Get Hacked?”
- “3 Common Methods Used to Hack WooCommerce Websites”
- “How Can I Prevent WooCommerce Hacks Going Forward?”
- Most Recent WooCommerce-Related Vulnerabilities
- Additional Cybersecurity Resources
So, how can you tell if your store has been hacked in the first place?
7 Signs That Your WooCommerce Store Has Been Hacked
If you’re not 100% sure that your WooCommerce store has been hacked, let’s figure that out first.
Here are some common signs of a hacked WooCommerce site. If any of these apply to you, your site might be infected.
This is not a comprehensive list! If you’re still unsure, please reach out to us and we’d be happy to take a look.
1. Strange Redirects
This is one of the most common signs of a hacked WooCommerce website.
In this case, your website is redirecting some or all of your users to websites containing scams, spam advertising, explicit imagery, or other malicious content.
Here are a few examples of what these websites might look like:
These redirect hacks can work in a few different ways.
For example, some malicious scripts will only steal a portion of your users, such as those on mobile devices or visitors coming from Google Search.
This type of hack may also try to hide from existing users. This means it could be stealing all your new users, but your existing users (you and your customers) won’t realize what’s going on.
Here is a redirect hack in action:
Without a malware scanning system in place, this hack may exist for 1-2 months before you realize it is happening. By that time, you’ve already lost many new customers
Daily malware scanning is essential to detect these hacks immediately and minimize damage.
Did You Know? A redirect hack on one of our side projects sparked our interest in website security years ago.
2. Decrease in Website Traffic or Sales
If your website traffic has dropped unexpectedly, this could be a sign of a malware infection on your WooCommerce website.
This is a symptom of the redirect hack mentioned previously. If your users are being stolen and redirected to other websites, you’ll notice a drop in your traffic statistics. We’ve personally used this method to identify hacked websites when no malware scanning system was in place.
If you’re not monitoring your website traffic closely (and not scanning for malware), these hacks can go undetected for a very long time! If your WooCommerce sales make up a significant portion of your revenue, this could literally kill your business.
Keep in mind that it’s normal for traffic to fluctuate for some types of businesses, so you shouldn’t immediately assume that your WooCommerce site is hacked based on your traffic stats. However, you should make sure you are investigating any suspicious traffic drops.
3. Plugins or Files That You Didn’t Add
Most WooCommerce sites are using quite a few plugins to help extend the functionality of the platform.
You may install new plugins for various reasons, such as creating subscription products, accepting alternative payment methods, or improving your user experience.
However, if you’re noticing new plugins that you did not install yourself, these could’ve been installed by an unauthorized user to take advantage of your website in some way.
When you notice an unfamiliar plugin, ask yourself:
- Is there anyone else on your team that may have installed the unfamiliar plugin?
- Is it possible that you installed the plugin yourself, then forgot about it?
4. Unfamiliar Advertisements or Popups
Some businesses generate their revenue purely by running display advertisements across their webpages. However, most WooCommerce businesses are focused on selling their own products – not running advertisements for other products and services.
If you (or your customers) are seeing advertisements for other products and services on your own WooCommerce website, these could have been placed by a hacker or malicious bot.
In this case, the goal of the hacker is to generate revenue for themselves when your users click on their advertisements. These advertisements may show directly within your webpage’s content or as a popup.
5. Unfamiliar Administrator Accounts
Your WooCommerce website runs on WordPress. WordPress lets you to add multiple “administrator” accounts. This allows you to have different individuals working on the website simultaneously.
Granting administrator rights to your website is a big deal! Administrators have full control of your content, users, and everything else within your WordPress environment.
For this reason, hackers may try to gain administrator access to your site so they can take full control over it.
You should keep track of the administrator accounts registered on your site. If there are any unfamiliar or missing administrators, you should investigate the situation immediately.
- Have any of my staff added new administrators recently?
- Was someone incorrectly assigned the “administrator” role?
Hacked site or setting misconfiguration?
There is a setting within WordPress that determines what role is assigned to new users when they register. The default user role in WordPress is “Subscriber”. Subscribers can’t do much!
If the default role is accidentally set to “Administrator”, any new registered users will automatically have full control of the website.
To access this setting:
- Navigate to your WordPress dashboard and click “Settings” > “General”
- Under “New User Default Role”, make sure this is NOT set to “Administrator”.
We’ve seen this happen before!
If you’ve confirmed that your default user role is set properly, then unfortunately a hacker might have infiltrated your site and created their own administrator account.
If you’re 100% sure that the administrator is unauthorized, delete the user and take action to clean and protect your files. Be sure to create a backup before doing this!
6. Notifications in Web Browsers
Some WooCommerce malware will try to trick users by authorizing notifications in their web browser.
Here is an example:
When the user allows these notifications, notifications can be sent directly to the user even if they’re not on the website anymore. If the user clicks these notifications, they may be directed to a scam website or prompted to download a file. Your users may have their devices hacked if they click on these scam notifications.
7. Unexpected Drop in Performance
A drop in performance is not always a result of a hack. There are plenty of reasons why your performance may drop, such as changes to your website configuration or hosting plan.
However, if you’re unable to figure out why your site’s performance has dropped, you should run a scan for malware.
The performance drop could be caused by brute force attacks or malicious scripts stealing your server’s resources.
“How Might This Impact My Website/Business?”
If you think your WooCommerce site is hacked, your mind is probably racing with all sorts of questions and concerns.
Most importantly, how might this impact your business overall?
Let’s talk about a few common ways a website hack could impact your business.
Your Website Vistors Could Be Stolen
As a WooCommerce store, you rely on website traffic to generate revenue. If no one is visiting your website, you’re not making money.
A hacked website might be stealing your visitors using redirects or popup ads, so this means you’ll have fewer people placing orders on your website.
If your business sells products exclusively online, this could obliterate your income overnight!
Also, if you’re driving traffic to your website using ads, you’re wasting your marketing dollars.
Not only that, but each person that is redirected to a scam while your website is hacked will lose trust in your business.
Your Customer Information Is at Risk
One of your biggest concerns may be your customers’ data.
WooCommerce stores data for each customer that places an order through your site, so what information is at risk?
The good news is that your customers’ credit card information is not stored within WooCommerce by default. This means that a hacker wouldn’t find a database filled with credit card numbers.
However, it’s possible that a hacker could be stealing credit card information for new purchases by skimming this information when new purchases are made. This is one of the reasons why it’s very important to detect a hack immediately.
Even though WooCommerce doesn’t store credit card information, it may store some other information about your customers, such as their:
- Phone number
- Email address
- IP address
Although this information isn’t as sensitive as credit card information, the hacker still might be able to do some damage to your customers.
You May Lose Your Search Rankings
Some WooCommerce sites rely on search engines, such as Google or Bing, to drive traffic to their site.
Web traffic is the lifeblood of WooCommerce stores. Without traffic, there are no sales.
If your website is hacked, search engines will eventually flag your site as malicious. You’ll be placed on a blacklist which will directly affect your rankings within these search engines.
After all, Google doesn’t want to send searchers to a malicious website.
Luckily, you can inform these blacklists once your website is clean so you can start ranking again (we’ll talk more about blacklists later in this article). But unfortunately, it’s possible there could be some unrecoverable damage if your site was deemed malicious for too long.
If you’re scanning for malware daily and addressing hacks as soon as they occur, these search engines may never even know that your site was hacked. Quick detection and response times can solve this problem!
Quick Tip: If there are any security issues impacting your visibility in the Google Search results, you can find the details in your Google Search Console account under “Security & Manual Actions” > “Security Issues”.
Your Customers May Lose Trust in You
In some cases, your customers may notice your website is hacked before you do. Some forms of malware may even try to hide from the webmaster.
When your customers start noticing strange redirects, scam advertising, and other suspicious activity, they immediately lose trust in your brand and business.
If someone doesn’t trust your website, they won’t punch in their credit card number.
Whether they’re new customers or repeat purchasers, they’ll be less likely to buy from you if your cybersecurity isn’t up to par.
You’ve worked so hard to build a reputation with your customers, so why risk losing it?
You Could Lose Sales
This is already obvious and a result of the other points we discussed.
With less website traffic, you’re going to have a decrease in your online sales. Some businesses sell both in-person and online, but if you’re selling your products solely through your WooCommerce store, this could seriously affect your cash flow (at least temporarily).
As we also discussed, your customers will start losing trust in you. Over time, your reputation will go downhill and people will stop buying from you. Website security is essential to maintain a long-term, good reputation as a WooCommerce store.
Finally, your sales could also be affected if the hack tampers with your orders or active subscriptions. If you’re selling a subscription product, what if a hacker canceled all those recurring payments? It might be difficult to convince all those customers to resubscribe.
If your WooCommerce store generates significant revenue for your business: what are you doing to protect that income?
“Are My Customers at Risk?”
The impact on your customers will vary greatly depending on the type of hack.
For example, if your site was experiencing a redirect hack, some of your customers may have been scammed by a malicious website they were redirected to. Or perhaps they were prompted to download a file that infected their computer or phone.
Although most people are tech-savvy enough to identify a malicious website or popup, scams are becoming increasingly clever and difficult to detect.
As we mentioned before, a hacker could get access to personal information about your customers. They may use this information to target your customers with email spam, telephone scams, or junk mail.
5-Step Action Plan for a Hacked WooCommerce Website
Alright, you think your WooCommerce site is hacked…
This is a complex situation, especially if this is your first time experiencing a hack.
To help guide you through the situation, we’ve created a 5-step guide for you to follow.
Start by scanning your website for malware using an automated tool such as Sucuri SiteCheck.
PLEASE NOTE: Sucuri SiteCheck is a remote scanning tool and does not provide a full malware scan of your website files. Contact us for a full, in-depth scan.
You should also manually check for malware by:
- Verifying the integrity of your core WordPress files
- Checking recently modified files
- Investigating any other files that look suspicious
Once you’ve scanned your website and identified malicious files and code, it’s time to start cleaning it up!
Be sure to backup your website before you start removing files and code. It’s possible you might break something.
Since cleaning a hacked website is an advanced process, we won’t go into the full process in this post. However, you can follow this malware cleaning guide.
Too much on your plate?
Our U.S.-based team will scan, clean, and protect your WooCommerce website for only $79 per month.
Once you’ve cleaned your WooCommerce site from malware, it’s a good idea to take another full backup. Be sure to categorize this backup as the “post-cleanup backup”.
To protect your site post-cleanup, we recommend these security measures:
- Update all plugins, themes, extensions, WordPress core, and other website software – Outdated software is a leading cause of malware infections
- Generate new secret keys in wp-config.php – All users will be logged out from their active sessions
- Reset all your personal passwords – You may want to encourage your users to reset their passwords too
- Implement hardening measures – This blocks common exploits and points of entry so it’s more difficult for hackers to infiltrate your site
- Set up a firewall – This will block suspicious traffic requests
- Scan your files regularly – When you’re scanning for malware automatically, you’ll be notified immediately when hacked files are detected (daily scanning is recommended)
We’ll talk more about protecting your WooCommerce website towards the end of this article.
Now that your WooCommerce website is cleaned and protected, pause and take a deep breath!
The hardest part is over, but we’re not quite done yet.
There are two primary groups that you’ll want to inform:
- Malware blacklists
- Your customers
Malware blacklists keep track of malicious websites so users can be warned before accessing a malicious site. If your website was hacked for long enough, these blacklists will identify your website as malicious.
You’ll want to let these blacklists know that your site is clean and no longer malicious.
Each blacklist has a different protocol for submitting a correction.
You should also think about informing your customers about the hack.
If customer data might’ve been compromised during the hack, you should let them know about it. There may also be federal or state requirements for data breach disclosures. We’ll talk more about informing your customers later in this article.
Now that you have the situation under control, take a few steps back and review everything.
- Is my site monitored and protected going forward?
- How can I adapt my processes to respond more efficiently to these situations?
- Do I have people on my team (either employees or a third-party company) to monitor and respond to these situations?
- Do I need to replace missing pages, content, or functionality that were removed or broken during the hack?
“Should I Tell My Customers?”
You may feel like you’re in a tough position when deciding whether or not to inform your customers about the incident.
You don’t want to scare them away, but you also want to make sure your customers are safe.
There isn’t a simple answer to this question since it will depend on how the hack impacted your site. If you’re not sure, we think transparency is key.
Here’s what WooCommerce says about informing customers:
“Whether you alert your customers is ultimately up to you. Your obligations to notify customers or reset things like passwords will vary depending on details like your site infrastructure, where you and your customers are geographically located, what data your site is collecting, and whether or not your site has been compromised.”Beau Lebens, WooCommerce.com
Also, you’ll want to consider any state or federal disclosure requirements for data breaches. You may be required by law to inform your customers while following specific guidelines.
Learn more about data breach notifications laws here: https://www.itgovernanceusa.com/data-breach-notification-laws
“Why Did My WooCommerce Store Get Hacked?”
Website security may be a completely new topic for you, so we understand that you may be wondering why someone was able to hack your website in the first place.
Let’s discuss some of the most common reasons why WooCommerce websites are hacked.
You Aren’t Keeping Plugins and Themes Up-to-Date
Outdated software is the leading cause of malware infections. If your WordPress plugins or themes are outdated, your website might be a huge target.
Why is this the case?
When new security vulnerabilities are detected, software developers will release new versions of their software to fix these flaws in their code. Hackers will start targeting sites that have not yet installed these security patches.
If you’re not staying up to date with the latest software releases, your plugins and themes may allow attackers to infiltrate your WooCommerce site.
Did You Know? Our website security and maintenance plans include managed plugin/theme updates, full website security, and tons of other features. All work is performed by our fully U.S.-based team of experts!
Your Passwords Aren’t Strong Enough
If you’re setting weak passwords, it’s easier for hackers to guess your login credentials using brute force attacking.
Once a hacker knows your passwords, they can easily lock you out and take full control over your website!
You’re Using Neglected Plugins or Themes
We already mentioned that staying up to date with the latest software releases from developers is important to keep your site secure… but what if the developer isn’t prioritizing security?
Unfortunately, some developers don’t patch their plugins to address the latest security vulnerabilities. This leaves your site vulnerable to attacks.
As a large, trusted platform, WooCommerce developers are great at keeping the official WooCommerce plugins updated. However, there are plenty of third-party WooCommerce plugins that are not developed by the WooCommerce team.
It’s important to research the developer before you install a plugin. Make sure they’ve released security patches in the past and update their plugin frequently.
You’re Using Shared Hosting
If your website is using shared hosting, it’s sharing a server with many other websites. Shared hosting is typically the cheapest form of hosting, so it’s very popular.
Although it’s popular, it can cause some security issues.
If any website on the shared server allows malware into the server, your website is at an increased risk of attack.
Virtual private servers (VPS) and dedicated hosting are more secure alternatives to shared hosting. They also have better performance but tend to be a bit more expensive.
You Were Tricked by Social Engineering
Social engineering is when a hacker attempts to gain access to your website using persuasion, trickery, or pretending to be someone else.
Phishing is a great example of social engineering, in which someone pretends to be a reputable company or individual to convince a victim to hand over personal, confidential, and/or sensitive information.
3 Common Methods Used to Hack WooCommerce Websites
There are a few common methods that hackers will use to infiltrate a WooCommerce store.
We’re going to keep things super simple so even “non-techies” can learn, but we recommend learning more about these topics if they sound interesting to you.
Here are common methods that hackers use to infiltrate your WooCommerce site.
1. Cross-Site Scripting (XSS)
Cross-site scripting, often abbreviated as “XSS”, is an attack in which malicious scripts are injected into a website to target the users of that website.
If a trusted website experiences an XSS attack, the hacker can use the website to execute malicious code against its users.
Learn more about cross-site scripting here: https://owasp.org/www-community/attacks/xss/
2. Brute Force Attack
A brute force attack is pretty easy to understand.
During a brute force attack, the hacker (usually with the assistance of a bot) will try numerous username and password configurations in an attempt to guess your login credentials.
This is why it is important to set strong passwords!
Learn more about brute force attacks here: https://www.kaspersky.com/resource-center/definitions/brute-force-attack
3. SQL Injection
SQL stands for “Structured Query Language”. It’s a programming language used to manage and interact with databases.
A successful SQL injection allows an unauthorized user to add, delete, or modify your databases. They might steal sensitive customer information or compromise your data.
Learn more about SQL injection here: https://kinsta.com/blog/sql-injection/
“How Can I Prevent WooCommerce Hacks Going Forward?”
As we mentioned in our 5-step action plan, you’ll want to take action to protect your website after a hack. Now that you’ve been hacked, it’s very likely that you’ll be targeted again.
Let’s go over some basic ways to help prevent future hacks on your WooCommerce site.
Update Your Plugins, Themes, and WordPress Core Frequently
As we mentioned before, outdated plugins are a leading cause of malware infections.
You’ll want to make sure you stay up to date with the latest security patches from your plugin developers.
We recommend updating your plugins every 1-2 weeks. You should stick to a consistent website maintenance schedule so the security and functionality of your WooCommerce site are always up to par.
Be sure to backup your website and follow other standard protocols when updating your website software.
Install a Website Firewall
A firewall is a well-known security measure used to protect computer systems from malicious activity.
Installing a firewall on your WooCommerce site will block malicious traffic requests and discourage hackers from tampering with your site.
Run Daily Malware Scans
Malware can be difficult to detect with the naked eye. There are lots of unprotected websites that remain hacked for months before someone notices.
When you’re using an automated malware scanning tool, you’ll be notified immediately when malware is detected on your website. This allows you to act before people notice your site is hacked (including search engines).
Track File Changes and Other WordPress Activity
Suspicious changes to your WooCommerce site should always be investigated.
You can implement a logging system to track any changes to files, pages, and settings. When you notice something unfamiliar in these logs, you can determine the source of the change.
This is also a great way to keep track of employees or freelancers working on your WooCommerce site to make sure they’re not tampering with it outside of scope.
Block PHP Execution
The folders in your WooCommerce site are writeable by default. This allows you to upload photos, install plugins, and make other changes to your website.
However, hackers may try to exploit this by uploading and running malicious scripts on writeable folders.
Blocking PHP execution in untrusted folders will minimize the ability for malicious scripts to run within your website.
Disable the WordPress File Editor
WordPress has a feature that allows file editing of your themes and plugins directly within the administrator dashboard.
This can be very convenient at times, but it also opens another security risk.
If someone has administrator access to your site, they can view and edit your files. They can easily crash your website, install malicious code, and compromise your site in various ways.
Taking off-site backups is important to minimize damage if someone is tampering with your files. This means your files and databases are backed up to an entirely separate server so a hacker cannot access or delete them.
Be Cautious When Granting Administrator Access
It’s common to invite freelancers and employees to work on your website’s marketing, design, and functionality. However, you should be cautious when granting people access to your website.
Best practices for granting individuals access to your WooCommerce site:
- Create a separate account for them; do not give them your own login
- If you give them FTP/SFTP credentials, reset them once you’re done working with them
- Don’t send passwords through email or text message
- Delete their account when you are done working with them
Avoid Untrustworthy or Infrequently Updated Plugins
You should think twice before installing a plugin on your WooCommerce site.
Unfortunately, some developers don’t stay up to date with the latest security practices. This means there are lots of plugins that could expose your site to vulnerabilities and exploits.
Before installing a plugin, take a few minutes to do some research and check how often the developer releases new updates.
Take Automatic Off-Site Backups
This doesn’t really “prevent” hacks, but it will keep your files and databases safe if your website is compromised.
It’s important to take automatic and off-site backups of all your files and databases.
Automatic means your files and databases are automatically saved on a scheduled basis (daily, weekly, biweekly, etc.).
Off-site means your files and databases are saved to an entirely different server so hackers cannot access your backups.
Most Recent WooCommerce-Related Vulnerabilities (Last Updated on 11-22-2022)
Remember how we mentioned it was important to keep your site up to date with the latest software updates? Below are the most recent WooCommerce-related plugin and theme vulnerabilities that you should be aware of:
WOOF – Products Filter for WooCommerce < 1.3.2 – Admin+ PHP Object Injection
EAN for WooCommerce < 4.4.3 – Contributor+ Stored XSS
Event Manager and Tickets Selling Plugin for WooCommerce < 3.8.0 – Contributor+ Stored XSS
Membership For WooCommerce < 2.1.7 – Unauthenticated Arbitrary File Upload
WooCommerce Chained Products < 2.12.0 – Unauthenticated Arbitrary Options Update to ‘no’
Booster for WooCommerce – Multiple CSRF
Product Slider for WooCommerce < 2.6.4 – Contributor+ Stored XSS in Shortcode
Conditional Payment Methods for WooCommerce <= 1.0 – Admin+ SQLi
If you’re running any of these on your site, make sure they’re updated to the latest version.
Additional Cybersecurity Resources
As a business owner, understanding cybersecurity helps you to protect your business and customers.
To help you move forward, here are some recommended cybersecurity resources for small business owners.
- Cybersecurity Guide for the U.S. Small Business Administration (SBA):
- Data Breach Notification Laws:
- AnonymousFox: Protecting Your WordPress Site:
- Understanding Different Types of Malware:
Having a hacked WooCommerce site is a scary situation that many small business owners may find themselves in. Yet, it doesn’t have to spell disaster for you or your business.
Thankfully, there are plenty of actions you can take to not only fix—but also prevent—a hacked website. Start by following the steps we’ve outlined within this guide, and if in doubt, reach out to us for help.
Our fully U.S.-based team of security technicians can scan, clean, and protect your WooCommerce website for only $49 per month. This means you can leave your site security to us, while you concentrate on doing what you do best!