The 5 security holes almost every WooCommerce store has

Most WooCommerce stores aren't at risk from a genius hacker — they're at risk from five boring, standard mistakes. And unlike a blog, real money is on the line here: a compromised store doesn't just lose revenue, it exposes customer data, full order histories and — worst case — payment-gateway keys, with GDPR and PCI consequences.

The good news: it's almost always the same five holes. Here they are — each with a 30-second check and the fix.

1. Dead & outdated extensions

The risk: Around 60% of store hacks start in an outdated plugin. On WooCommerce the danger rarely sits in the core (well-maintained) — it's the third-party extensions: payment, shipping, marketing. Even a deactivated plugin still sits on the server with exploitable code.

Check: Plugins screen → any inactive or months-old, un-updated extensions?

Fix: Fully uninstall what you don't use (not just deactivate); put the rest on auto-update.

2. Over-permissioned REST API keys

The risk: WooCommerce exposes your products and orders via the REST API. Stores often have old, forgotten keys with Read/Write scope when a tool only needs to read — a leaked key is then an open door to customer data.

Check: WooCommerce → Settings → Advanced → REST API: old keys or unnecessary write scope?

Fix: Least-privilege ("Read" wherever possible), delete unused keys, HTTPS only, disable unused endpoints.

3. Public debug.log

The risk: If WP_DEBUG_LOG points at a web-reachable path, your debug.log ends up at yourshop.com/wp-content/debug.log — and on a live store that file happily contains order data, customer emails, paths, even gateway API keys.

Check: Open yourshop.com/wp-content/debug.log in a browser — does a file load?

Fix: Turn WP_DEBUG_LOG off, or write the log outside the web root; block the file with a server rule.

4. Exposed database

The risk: The DB holds every customer address and every order (GDPR/PCI). If MySQL port 3306 is reachable from outside, or you're still on the default wp_ prefix, the bar for SQL-injection and brute-force drops sharply.

Check: Is port 3306 open externally? Is the DB still on the wp_ prefix?

Fix: Bind the DB to localhost only, firewall in front, a custom table prefix + fresh security keys/salts.

5. No admin hardening

The risk: CVE-2026-3589 — a CSRF flaw in WooCommerce (5.4.0–10.5.2) let unauthenticated attackers create an admin account. Without updates, 2FA and login rate-limiting, a full store takeover (orders, refunds, payouts, customer data) is only a matter of time.

Check: WooCommerce up to date? 2FA on? Login attempts limited? XML-RPC still open?

Fix: Update to ≥ 10.5.3, 2FA for every admin, login rate-limit, disable XML-RPC.

---

None of these holes needs an expensive security plugin — just 30 minutes and the right order. But on a store with real orders, "later" is the wrong time.

Want the next build & audit guides — with every gotcha? Subscribe to the "Built with AI" newsletter and don't miss one.

Prefer done-for-you? If you'd rather I secure your store (audit, hardening, migration to your own server, custom plugins & MCP connectors) instead of DIY: drop me a line — it's what I do day to day.