# 20 WooCommerce security tips 2026 checklist

**Store / client:** _________________________  
**Gateway:** Stripe / PayPal / other  
**REST API active:** yes / no  
**Audit date:** _________________________

---

## Phase 0 — Warning signs (5 min)

- [ ] Declined payments spike in Stripe/PayPal without real sales
- [ ] Micro-amount orders ($0–5) with disposable emails
- [ ] `POST /wp-json/wc/v3/orders` spikes in logs
- [ ] Customer accounts created in loops overnight
- [ ] Acquirer email or merchant account restriction

If 2+ checked → prioritize tips **1, 2, 4, 14** this week.

---

## Tips 1–5 — REST API and card testing

- [ ] **1** — Rate limit WooCommerce REST (card_testing preset or WARL)
- [ ] **2** — Revoke unused API keys / read-only when possible
- [ ] **3** — Documented ERP / headless IP allowlist
- [ ] **4** — Enable 3-D Secure / Stripe Radar
- [ ] **5** — Monitor HTTP 429 log for 7 days post-config

---

## Tips 6–10 — Access and attack surface

- [ ] **6** — Forced HTTPS + host HSTS
- [ ] **7** — Limit wp-admin login attempts
- [ ] **8** — Disable file editor (`DISALLOW_FILE_EDIT`)
- [ ] **9** — Disable XML-RPC if unused
- [ ] **10** — WooCommerce + plugins updated (HPOS compatible)

---

## Tips 11–15 — Stack hygiene

- [ ] **11** — Zombie plugin audit (Plugin Usage Detector)
- [ ] **12** — `WP_DEBUG` off in production
- [ ] **13** — Staging API keys ≠ production
- [ ] **14** — Stripe « declined » alerts configured
- [ ] **15** — CAPTCHA on registration / checkout if account spam

---

## Tips 16–20 — Agency and incident

- [ ] **16** — Block disposable emails if relevant
- [ ] **17** — WooCommerce webhook secrets verified
- [ ] **18** — Minimal user roles (not 5 admins)
- [ ] **19** — Printed card testing incident runbook
- [ ] **20** — Debug Tracker on staging for reproduction

---

## Post-audit validation

- [ ] REST `curl` test → 429 after threshold (staging)
- [ ] Real customer checkout OK
- [ ] ERP / headless still works (allowlist)
- [ ] JSON config export saved

Article: <https://volade.com/en/blog/20-astuces-securite-woocommerce-2026>
