One unfortunate reality we have found over years of dealing with vulnerabilities in WordPress plugins is that plugins that extend WooCommerce are often incredibly insecure. Hackers are well aware of this, and we are seeing them find and target unfixed vulnerabilities in those plugins. While most hackers are looking to do things like put spam pages on websites, hackers with other interests could do things like get data stored on the website about your customers or change the price of products.
WooCommerce itself increases the risk of insecure plugins, whether they extend WooCommerce functionality or not, as customers have access to WordPress accounts and often vulnerabilities in other plugins are only exploitable by those logged in to WordPress.
The company behind WooCommerce, Automattic, doesn’t seem to be too interested in working on addressing the insecurity of those plugins, as they don’t even ensure the security of plugins that WooCommerce installs. We would be interested in partnering with them if they become interested in improving the security of the WooCommerce ecosystem.
We offer a couple of solutions that can help to keep your WooCommerce website protected against those threats. With our main service, you get alerted right away if there are publicly known vulnerabilities in the plugins you use, many of which we are the only ones to have discovered, since we do extensive monitoring to keep ahead of hackers, and you can suggest/vote for the plugins you use to get a security review from us to spot vulnerabilities before hackers do. For those with a larger budget, you can order security reviews of WordPress plugins you use, which helps to improve the security of your website and that of everyone else using those plugins.