WooCommerce stores handle customer accounts, payment data, and order information, making them high-value targets for bots and attackers. WP Ghost provides a complete security layer for WooCommerce with dedicated brute force protection on the WooCommerce login form, anti-spam filtering for registrations and reviews, secure customer redirects, 8G firewall rules, security headers, and optional country blocking. This guide walks through each security layer step by step.

Why WooCommerce Sites Need Extra Protection

Why WooCommerce stores need additional security layers beyond standard WordPress protection

WooCommerce stores face targeted attacks that standard WordPress sites don’t: credential stuffing on the /my-account/ login page, fake account creation to exploit promotions or post spam reviews, price-scraping bots that overload product pages, fake cart bots that hold inventory, payment page scanners probing for checkout vulnerabilities, and automated vulnerability exploitation through known WooCommerce plugin flaws. WP Ghost addresses each of these with WooCommerce-specific features that integrate directly with WooCommerce’s login, registration, and checkout flows.

Step 1: Enable WooCommerce Brute Force Protection

WP Ghost includes a dedicated WooCommerce integration that adds brute force protection directly to the WooCommerce login form at /my-account/.

  1. Go to WP Ghost > Brute Force > WooCommerce.
  2. Switch ON the WooCommerce Support option.
  3. Click Save.
WP Ghost Brute Force WooCommerce section showing the WooCommerce Support toggle enabled

This activates brute force protection on the WooCommerce login form, attack throttling (rate limiting failed attempts), bot blocking on the /my-account/ path, and protection for WooCommerce customer authentication. Bots can no longer attempt thousands of password combinations against customer accounts.
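An added illustration, not WP Ghost's own code, of what the attack throttling described above has to track: a sliding-window count of POST requests to /my-account/ per source IP, run over constructed access-log lines, flagging any IP that reaches the limit. The log lines, the limit of 5 and the 60-second window are assumptions, not WP Ghost's actual thresholds.

```python
"""Added example, not WP Ghost code: flag IPs that hammer the WooCommerce login
form at /my-account/, the pattern attack throttling is meant to stop. The log
lines are constructed (combined log format); limit and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2025:10:00:01 +0000] "POST /my-account/ HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:10:00:02 +0000] "POST /my-account/ HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:10:00:03 +0000] "POST /my-account/ HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:10:00:04 +0000] "POST /my-account/ HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:10:00:05 +0000] "POST /my-account/ HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2025:10:00:07 +0000] "GET /product/hoodie/ HTTP/1.1" 200 8800
198.51.100.4 - - [10/Mar/2025:10:00:09 +0000] "POST /my-account/ HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2025:10:05:30 +0000] "POST /my-account/ HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Split one access-log line into (ip, timestamp, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def login_attempts_over_limit(log_text, limit=5, window_seconds=60):
    """Return {ip: time_first_flagged} for IPs whose POSTs to /my-account/ reach
    `limit` inside any sliding window of `window_seconds` (GETs and other paths ignored)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path.rstrip("/") != "/my-account":
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop attempts older than the window
        if len(window) >= limit and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

The isolated POST at 10:05:30 is outside the window and is not counted against the earlier burst, which is why a sliding window rather than a plain per-IP total is needed.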

Step 2: Activate Anti-Spam Protection

With WooCommerce Support enabled, extend protection to cover fake account creation, spam product reviews, and spam orders by enabling reCAPTCHA on registration and comment forms.

  1. Go to WP Ghost > Brute Force > Settings.
  2. Enable Comment Form Protection and Sign Up Form Protection.
  3. Click Save.
WP Ghost Brute Force Settings showing Comment Form Protection and Sign Up Form Protection enabled

Comment Form Protection adds reCAPTCHA to product review forms, preventing fake reviews. Sign Up Form Protection adds reCAPTCHA to WooCommerce registration, blocking automated fake account creation.

Step 3: Configure Customer Login and Logout Redirects

Secure redirects improve both customer experience and security. WP Ghost lets you configure role-based redirects so WooCommerce customers go to the right page after login and logout.

  1. Go to WP Ghost > Tweaks > Redirects.
  2. Enable Do Login & Logout Redirects.
  3. Click the User Role tab and select Customer.
  4. Set the Login Redirect URL to /my-account to bring customers to their WooCommerce dashboard after login.
  5. Set the Logout Redirect URL to / to send customers to the homepage after logout.
  6. Click Save.
WP Ghost Tweaks Redirects showing Customer role with login redirect to my-account and logout redirect to homepage

Redirect tips for WooCommerce: Customer role redirects take priority over default redirects. Make sure the /my-account page is published and set as the WooCommerce Account page in WooCommerce > Settings > Accounts. Test both login and logout flows in an incognito browser after saving.

Step 4: Enable 8G Firewall

WooCommerce stores attract price-scraping bots, fake cart bots, payment page scanners, and vulnerability exploitation bots. The 8G Firewall blocks these attacks at the server level before WordPress loads.

  1. Go to WP Ghost > Firewall.
  2. Switch on Firewall Against Script Injection.
  3. Select 8G Firewall from Firewall Strength.
  4. Click Save.
WP Ghost Firewall settings showing 8G Firewall selected for script injection protection

The 8G Firewall protects product pages, checkout, cart, and account pages against SQL injection, script injection, directory traversal, and other server-level attacks.

Step 5: Activate Security Headers

Security headers protect against checkout form hijacking, session hijacking, XSS attacks on product and checkout pages, and clickjacking on payment forms.

  1. Go to WP Ghost > Firewall > Header Security.
  2. Click Save.
WP Ghost Header Security settings showing X-Frame-Options, X-XSS-Protection, HSTS, and Content-Security-Policy options

Test Content-Security-Policy carefully on WooCommerce. CSP can block external scripts used by payment gateways (Stripe, PayPal, etc.). Enable CSP and test the entire checkout flow including payment. If checkout breaks, adjust the CSP policy to allow your payment gateway’s domains, or disable CSP until you’ve configured the correct directives. See Content-Security-Policy (CSP) for configuration details.

Step 6: Country Blocking (Optional)

If your store only ships to specific countries, blocking access from regions outside your delivery zone significantly reduces bot traffic and attack attempts.

  1. Go to WP Ghost > Firewall > Country Blocking.
  2. Block countries outside your shipping and delivery zones.
  3. Click Save.
WP Ghost Country Blocking settings for restricting access to countries within the store shipping zone

Country Blocking is a Premium feature. If you sell internationally, skip this step or block only countries where you have zero customers and high attack volume. Check your security logs to identify which regions generate the most malicious traffic.

Frequently Asked Questions

Do I also need to change WordPress paths for WooCommerce?

Yes. Path security (Safe Mode or Ghost Mode at WP Ghost > Change Paths) is the foundation of WP Ghost’s protection and works alongside everything in this guide. WP Ghost is fully compatible with WooCommerce, and path changes don’t affect WooCommerce product pages, cart, checkout, or my-account functionality. See the Change WordPress Paths guide.

Will brute force protection or reCAPTCHA affect the WooCommerce checkout?

No. Brute force protection applies to the login form, registration form, and comment/review forms. It doesn’t add reCAPTCHA to the checkout page. Customers can complete purchases without any additional verification steps at checkout.

CSP is blocking my payment gateway. What should I do?

Content-Security-Policy restricts which external domains can load scripts on your site. Payment gateways like Stripe, PayPal, and Square load JavaScript from their own domains. Add your payment gateway’s domain to the CSP script-src directive. For example, for Stripe, add js.stripe.com. See the CSP guide for configuration details. If unsure, disable CSP until you’ve identified the correct domains.
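The check below, added here as an illustration for Step 5 and for this answer and not WP Ghost's own code, parses a CSP header and reports whether a gateway script such as js.stripe.com would be allowed by script-src (falling back to default-src, as browsers do), contrasting the policy that breaks checkout with one that lists the gateway host. The policies, the shop origin and the frame-src addition are constructed assumptions, and scheme/port matching of host-sources is simplified.

```python
"""Added example, not WP Ghost code: check whether a Content-Security-Policy
header lets a payment gateway's script load. The policies and origin below are
constructed; scheme/port matching of host-sources is simplified."""
from urllib.parse import urlsplit

def parse_csp(header):
    """Return {directive: [sources]} from a CSP header string."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    """Match a host-source ('js.stripe.com' or '*.stripe.com') against a hostname."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def script_allowed(header, script_url, site_origin):
    """True if script_url may load under this CSP on a page served from site_origin.
    Falls back from script-src to default-src the way browsers do."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: nothing is restricted
    sources = [s.lower() for s in sources]
    if sources == ["'none'"]:
        return False
    url, origin = urlsplit(script_url), urlsplit(site_origin)
    for src in sources:
        if src == "'self'" and (url.scheme, url.netloc) == (origin.scheme, origin.netloc):
            return True
        if src == "*" or src == url.scheme + ":":
            return True  # wildcard or scheme-source such as https:
        if src.startswith("'"):
            continue  # nonces, hashes, 'unsafe-inline' never match a host
        host_part = src.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
        if _host_matches(host_part, url.hostname):
            return True
    return False

# Constructed policies: the first blocks Stripe.js, the second allows it
# (frame-src is also needed because Stripe renders its card fields in an iframe).
WEAK_CSP = "default-src 'self'; script-src 'self'"
FIXED_CSP = "default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com"
```

Run `script_allowed(WEAK_CSP, "https://js.stripe.com/v3/", "https://shop.example")` against `FIXED_CSP` with the same arguments to see the weak policy reject the gateway script and the corrected one accept it.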

Can I enable all these settings on an existing WooCommerce store?

Yes. All settings can be applied to existing stores at any time. Enable one feature at a time and test your store after each change: verify login, registration, product pages, add-to-cart, checkout, and payment. This way you can identify which setting caused an issue if something breaks. For emergency recovery, see the emergency disable guide.

Does WP Ghost modify WordPress core files?

No. WP Ghost integrates with WooCommerce through WordPress hooks and filters. No WooCommerce or WordPress core files are modified. Deactivating WP Ghost restores all defaults instantly.

Complete your WooCommerce security setup: