WooCommerce, the popular e-commerce plugin for WordPress, is free and easy to use, which has earned it over 5 million installations. That same ubiquity, and the fact that it handles payment data for stores selling just about anything, also make it an attractive target for attackers.
Ben Martin of Sucuri and Willem de Groot of Sansec found a new attack that specifically targets sites with WooCommerce installed.
“Naturally, WooCommerce and other WordPress-based ecommerce websites have been targeted before, but this has typically been limited to modifications of payment details within the plugin settings. For example, forwarding payments to the attacker’s PayPal email instead of the legitimate website owner. Seeing a dedicated credit card swiping malware within WordPress is something fairly new,” Martin stated of the discovery.
If you use WooCommerce to handle online transactions, Martin and his team recommend disabling the built-in theme and plugin file editor in wp-admin by adding the following line to your wp-config.php file, above the line that loads wp-settings.php (a constant defined after that point is never seen by WordPress):
define( 'DISALLOW_FILE_EDIT', true );
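The script below is an added example and is not code from the original article or from WordPress or WooCommerce. It checks whether a wp-config.php already disables the file editor on an active (uncommented) line that comes before wp-settings.php is loaded, and inserts the constant in the right place if it does not, so the same step can be applied to many stores without hand-editing. The demo file it writes is constructed for illustration; the path and file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article or from WordPress/WooCommerce).
# Idempotently adds define( 'DISALLOW_FILE_EDIT', true ); to a wp-config.php,
# placing it above the line that loads wp-settings.php, and verifies the result.
# Only lines commented out with // or # are skipped; block comments are not parsed.

# Return 0 if DISALLOW_FILE_EDIT is set to true on an active line that appears
# before wp-settings.php is loaded, otherwise 1.
is_file_edit_disabled() {
    awk '
        /^[[:space:]]*(#|\/\/)/ { next }                 # skip commented-out lines
        /wp-settings\.php/     { after_settings = 1 }    # anything below here is too late
        /define[[:space:]]*\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)/ {
            if (!after_settings) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Insert the define directly above the wp-settings.php line unless it is already active.
harden_wp_config() {
    f="$1"
    is_file_edit_disabled "$f" && return 0
    tmp="$f.tmp.$$"
    awk -v ins="define( 'DISALLOW_FILE_EDIT', true );" '
        !done && /wp-settings\.php/ { print ins; done = 1 }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Demo on a constructed wp-config.php (assumed path; not a real site).
demo_config="${TMPDIR:-/tmp}/wp-config-demo.$$.php"
cat > "$demo_config" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );   // commented out, so it does nothing
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF

is_file_edit_disabled "$demo_config" && echo "before: hardened" || echo "before: file editor enabled"
harden_wp_config "$demo_config"
is_file_edit_disabled "$demo_config" && echo "after: hardened" || echo "after: still enabled"
rm -f "$demo_config"
```

Run it against a real site by replacing the demo path with the store's wp-config.php; running it twice leaves a single define in place, and a define that sits below the wp-settings.php line is correctly reported as not active.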
This is a hardening setting rather than a patch, and it is not bullet-proof: it only removes the theme and plugin file editor from wp-admin, so an attacker who already holds admin credentials can still upload a malicious plugin or change files over FTP/SFTP. It does close off one of the easiest ways to plant a skimmer in a theme or plugin file, and setting DISALLOW_FILE_MODS to true as well also blocks plugin and theme installs and updates from wp-admin, which makes the site noticeably harder to tamper with.