WooCommerce Tutorials

Securing your WooCommerce store: advanced improvements in 2025

Deploy layered defenses across authentication, firewalls, payments, code, and compliance to keep customer data safe.

1. How do you enforce strong authentication?

Enable WordPress two-factor authentication for admins and shop managers via plugins like WP 2FA or miniOrange. Require passkeys or hardware keys for high-risk accounts. Limit login attempts, enforce unique passwords with Password Policy Manager, and disable XML-RPC if unused.

Document an onboarding checklist that includes MFA enrollment before granting dashboard access.
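The two code-level items above (disabling XML-RPC and limiting login attempts) can be handled in a small must-use plugin. The following is an added illustration, not code from this playbook or from the plugins it names; the threshold, lockout window and `example_` function names are assumptions chosen for the example, and the transient-based counter is a minimal stand-in for what a dedicated limiter plugin does.

```php
<?php
/**
 * Plugin Name: Example login hardening (added illustration, not part of the playbook)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Disable XML-RPC entirely (the playbook's "disable XML-RPC if unused").
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint: remove the X-Pingback header and the RSD link tag.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Assumed policy values for this example.
define( 'EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function example_attempt_key( $username ) {
    // Key on client IP plus username, so a lockout on "admin" does not block other accounts.
    // Behind a reverse proxy, REMOTE_ADDR is the proxy; map the real client IP first.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Count failures; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_attempt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse further attempts once the threshold is reached. Priority 30 runs after
// core's own username/password handler (priority 20), which would otherwise
// overwrite an earlier WP_Error when the credentials happen to be valid.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $count = (int) get_transient( example_attempt_key( $username ) );
    if ( $count >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed logins. Try again later.' )
        );
    }
    return $user;
}, 30, 2 );

// Clear the counter on success so a legitimate user is not penalised after a typo.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_attempt_key( $user_login ) );
} );
```

Transients live in the options table (or the object cache), so on a multi-server setup without a shared cache the count is per node; a WAF or a plugin with a central store is the right tool once traffic is non-trivial.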

2. What firewall and malware protections should be active?

Deploy Wordfence, Sucuri, or Cloudflare WAF with WooCommerce-specific rulesets. Enable rate limiting, block XML-RPC brute-force attempts, and monitor file integrity. Automate daily malware scans with email/SMS alerts, and quarantine suspicious files on staging for review.

Use Cloudflare Turnstile on login and checkout forms to reduce bot traffic without hurting UX.
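Turnstile only protects the login form if the token is verified server-side; rendering the widget alone does nothing. The snippet below is an added example of that verification on wp-login.php, not code from the playbook or from Cloudflare. The site key, secret key and `example_` names are placeholders and assumptions; the `siteverify` endpoint, the `cf-turnstile-response` field and the `success` response key are Cloudflare's documented interface.

```php
<?php
/**
 * Cloudflare Turnstile on the WordPress login form (added example).
 * Keys below are placeholders: keep the real secret in wp-config.php, never in a repo.
 */

define( 'EXAMPLE_TURNSTILE_SITE_KEY', 'YOUR-SITE-KEY-PLACEHOLDER' );
define( 'EXAMPLE_TURNSTILE_SECRET', 'YOUR-SECRET-KEY-PLACEHOLDER' );

// 1. Render the widget inside the login form.
add_action( 'login_enqueue_scripts', function () {
    wp_enqueue_script( 'cf-turnstile', 'https://challenges.cloudflare.com/turnstile/v0/api.js', [], null, true );
} );
add_action( 'login_form', function () {
    printf( '<div class="cf-turnstile" data-sitekey="%s"></div>', esc_attr( EXAMPLE_TURNSTILE_SITE_KEY ) );
} );

// 2. Verify the token with Cloudflare before accepting the credentials.
function example_turnstile_verify( $token, $remote_ip ) {
    if ( ! is_string( $token ) || $token === '' ) {
        return false;
    }
    $response = wp_remote_post( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', [
        'timeout' => 5,
        'body'    => [
            'secret'   => EXAMPLE_TURNSTILE_SECRET,
            'response' => $token,
            'remoteip' => $remote_ip,
        ],
    ] );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false; // fail closed: a verification outage must not become a bypass
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return ! empty( $data['success'] );
}

// Gate only interactive form posts (field "log" is the login form's username field);
// cookie auth, REST and application-password flows are left alone. Priority 30 runs
// after core's username/password handler so our WP_Error is not overwritten.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) || ! isset( $_POST['log'] ) ) {
        return $user;
    }
    $token = isset( $_POST['cf-turnstile-response'] ) ? wp_unslash( $_POST['cf-turnstile-response'] ) : '';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! example_turnstile_verify( $token, $ip ) ) {
        return new WP_Error( 'turnstile_failed', __( 'Bot check failed. Please try again.' ) );
    }
    return $user;
}, 30, 2 );
```

The same `example_turnstile_verify()` call can sit in a `woocommerce_checkout_process` hook to cover the checkout form; the token is single-use, so verify it exactly once per request.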

3. How do you secure payment gateways?

Use native Stripe/PayPal plugins with webhooks secured via secret keys, enforce TLS 1.3, and enable 3D Secure 2. Restrict API keys to least privilege, rotate them quarterly, and log webhook responses for auditing. Validate callbacks to prevent spoofing.

Create synthetic test cards per gateway and schedule monthly transaction fire drills.
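"Validate callbacks to prevent spoofing" means checking the gateway's signature over the raw request body before acting on it. The following is an added example of a Stripe-style webhook receiver on the WordPress REST API; it is not WooCommerce's, Stripe's or the playbook's code. The route name, secret placeholder and `example_` helpers are assumptions; the `Stripe-Signature` header layout (`t=<unix>,v1=<hex HMAC-SHA256 of "<t>.<body>">`) and the 300-second tolerance are Stripe's documented scheme.

```php
<?php
/**
 * Stripe webhook endpoint with signature, replay-window and duplicate checks (added example).
 * The secret is a placeholder: load the real whsec_ value from wp-config.php or the environment.
 */

define( 'EXAMPLE_STRIPE_WEBHOOK_SECRET', 'whsec_PLACEHOLDER' );
define( 'EXAMPLE_STRIPE_TOLERANCE', 300 ); // seconds; Stripe's documented default

/**
 * Returns true only if one v1 signature matches the HMAC of "<t>.<raw body>" under
 * $secret and the timestamp is within tolerance of $now.
 */
function example_stripe_signature_valid( $raw_body, $sig_header, $secret, $now = null ) {
    $now        = null === $now ? time() : $now;
    $timestamp  = null;
    $signatures = [];
    foreach ( explode( ',', (string) $sig_header ) as $part ) {
        $kv = explode( '=', trim( $part ), 2 );
        if ( 2 !== count( $kv ) ) {
            continue;
        }
        if ( 't' === $kv[0] ) {
            $timestamp = (int) $kv[1];
        } elseif ( 'v1' === $kv[0] ) {
            $signatures[] = $kv[1];
        }
    }
    if ( null === $timestamp || empty( $signatures ) ) {
        return false;
    }
    // Reject stale events regardless of signature (replay window).
    if ( abs( $now - $timestamp ) > EXAMPLE_STRIPE_TOLERANCE ) {
        return false;
    }
    $expected = hash_hmac( 'sha256', $timestamp . '.' . $raw_body, $secret );
    foreach ( $signatures as $sig ) {
        if ( hash_equals( $expected, $sig ) ) { // constant-time comparison
            return true;
        }
    }
    return false;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/stripe-webhook', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // the signature is the authentication, not a WP login
        'callback'            => function ( WP_REST_Request $request ) {
            $raw = $request->get_body();               // raw bytes: re-encoding would break the HMAC
            $sig = $request->get_header( 'stripe-signature' );
            if ( ! example_stripe_signature_valid( $raw, $sig, EXAMPLE_STRIPE_WEBHOOK_SECRET ) ) {
                return new WP_REST_Response( [ 'error' => 'invalid signature' ], 400 );
            }
            $event = json_decode( $raw, true );
            $id    = isset( $event['id'] ) ? $event['id'] : '';
            $type  = isset( $event['type'] ) ? $event['type'] : '';

            // Deduplicate: a valid signature can still be delivered twice inside the window.
            $seen_key = 'example_stripe_evt_' . md5( $id );
            if ( $id && get_transient( $seen_key ) ) {
                return new WP_REST_Response( [ 'received' => true, 'duplicate' => true ], 200 );
            }
            set_transient( $seen_key, 1, DAY_IN_SECONDS );

            // Audit trail the playbook asks for: who sent what, when, and the outcome.
            error_log( sprintf( 'stripe webhook accepted id=%s type=%s', $id, $type ) );
            // Dispatch on $type here (e.g. payment_intent.succeeded -> mark the order paid).
            return new WP_REST_Response( [ 'received' => true ], 200 );
        },
    ] );
} );
```

Rotating the endpoint secret quarterly, as the playbook recommends, is straightforward with this layout because the secret is read from one constant; during rotation accept both old and new by calling `example_stripe_signature_valid()` once per secret.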

4. How do you prevent SQL injection and sanitize data?

Follow WordPress Coding Standards: use prepared statements with `$wpdb->prepare`, sanitize inputs via `sanitize_text_field`, and escape outputs with `esc_html`. Review third-party plugins for unsanitized `$_POST` usage. Run WPScan or Patchstack to catch known CVEs.

Add static analysis (PHPStan, Psalm) to CI pipelines for custom code to catch unsanitized queries.
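The three rules above (prepare the query, sanitize the input, escape the output) are easiest to see side by side. Below is an added example, not code from the playbook or from WooCommerce: a vulnerable order lookup followed by its hardened form. The function names are assumptions, and the raw query assumes orders stored as `shop_order` posts with a `_billing_email` meta key (the legacy layout; with HPOS enabled, `wc_get_orders()` is the storage-agnostic route and the same sanitize/escape rules still apply).

```php
<?php
/**
 * Vulnerable versus prepared order lookup (added example, not WooCommerce's own code).
 */

// VULNERABLE: user input concatenated straight into SQL. Shown only to mark the pattern to avoid.
function example_orders_for_email_unsafe( $email ) {
    global $wpdb;
    $sql = "SELECT p.ID FROM {$wpdb->posts} p
            JOIN {$wpdb->postmeta} m ON m.post_id = p.ID
            WHERE p.post_type = 'shop_order'
              AND m.meta_key = '_billing_email'
              AND m.meta_value = '" . $email . "'";   // <-- injection point
    return $wpdb->get_col( $sql );
}

// HARDENED: validate on input, bind with placeholders, cast on the way out.
function example_orders_for_email( $raw_email, $limit = 20 ) {
    global $wpdb;
    $email = sanitize_email( wp_unslash( $raw_email ) ); // $_POST values arrive slashed
    if ( ! is_email( $email ) ) {
        return [];   // reject malformed input rather than trying to "clean" it
    }
    // %s and %d are bound by $wpdb->prepare; %i (WP 6.2+) is for identifiers such as table names.
    $sql = $wpdb->prepare(
        "SELECT p.ID FROM {$wpdb->posts} p
         JOIN {$wpdb->postmeta} m ON m.post_id = p.ID
         WHERE p.post_type = 'shop_order'
           AND m.meta_key = '_billing_email'
           AND m.meta_value = %s
         ORDER BY p.ID DESC
         LIMIT %d",
        $email,
        absint( $limit )
    );
    return array_map( 'intval', (array) $wpdb->get_col( $sql ) );
}

// OUTPUT: escape at render time; stored data is not trusted either.
function example_render_order_list( array $order_ids ) {
    echo '<ul>';
    foreach ( $order_ids as $id ) {
        $order = wc_get_order( $id );
        if ( ! $order ) {
            continue;
        }
        printf(
            '<li>#%d: %s</li>',
            (int) $order->get_id(),
            esc_html( $order->get_billing_first_name() . ' ' . $order->get_billing_last_name() )
        );
    }
    echo '</ul>';
}
```

PHPStan with the WordPress stubs and the WooCommerce/WordPress coding-standards sniffs (`WordPress.DB.PreparedSQL`) flag the unsafe function above in CI, which is the static-analysis gate the playbook recommends.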

5. How do you maintain GDPR compliance?

Provide consent management, log opt-ins, and honor data deletion/export requests via WooCommerce’s privacy tools. Encrypt backups, minimize stored PII, and document data retention schedules. Update privacy policies when enabling new marketing pixels.

Run quarterly compliance drills where you respond to mock data access requests end-to-end.
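WooCommerce's privacy tools cover orders and customer records, but any custom data a store keeps per user has to plug into the same export and erase flow or the data subject request will miss it. The following is an added example, not code from the playbook or from WooCommerce, that registers an exporter and an eraser for a hypothetical loyalty-points user meta key; the meta key and `example_` names are assumptions. The `wp_privacy_personal_data_exporters` / `wp_privacy_personal_data_erasers` filters and the return shapes are WordPress core's API.

```php
<?php
/**
 * Personal-data exporter and eraser for a hypothetical "loyalty points" user meta (added example).
 */

define( 'EXAMPLE_LOYALTY_META', 'example_loyalty_points' );

// Exporter: return everything held about this email, grouped for the export ZIP.
function example_loyalty_exporter( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    $data = [];
    if ( $user ) {
        $points = get_user_meta( $user->ID, EXAMPLE_LOYALTY_META, true );
        if ( '' !== $points ) {
            $data[] = [
                'group_id'    => 'example_loyalty',
                'group_label' => __( 'Loyalty points' ),
                'item_id'     => 'loyalty-' . $user->ID,
                'data'        => [
                    [ 'name' => __( 'Points balance' ), 'value' => (string) $points ],
                ],
            ];
        }
    }
    return [ 'data' => $data, 'done' => true ]; // single page; nothing further to fetch
}

// Eraser: delete the data and report honestly what was removed or retained.
function example_loyalty_eraser( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $removed = false;
    if ( $user && metadata_exists( 'user', $user->ID, EXAMPLE_LOYALTY_META ) ) {
        $removed = (bool) delete_user_meta( $user->ID, EXAMPLE_LOYALTY_META );
    }
    return [
        'items_removed'  => $removed,
        'items_retained' => false, // set true (with a message) if a legal hold forces retention
        'messages'       => [],
        'done'           => true,
    ];
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-loyalty'] = [
        'exporter_friendly_name' => __( 'Example loyalty points' ),
        'callback'               => 'example_loyalty_exporter',
    ];
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-loyalty'] = [
        'eraser_friendly_name' => __( 'Example loyalty points' ),
        'callback'             => 'example_loyalty_eraser',
    ];
    return $erasers;
} );
```

Once registered, the store's mock access requests in the quarterly drill (Tools > Export Personal Data / Erase Personal Data) exercise this code end-to-end, which is the point of running the drill rather than assuming the tooling covers everything.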
