🟡 Intermediate
⏱️ 15 minutes
Pro Feature
Summary
Protect your WooCommerce customers with two-factor authentication, strong password policies, session management, and suspicious activity monitoring. Essential for ecommerce sites handling payment information and order data.
Prerequisites
- ✅ Attributes User Access Pro installed
- ✅ WooCommerce integrated (see previous article)
- ✅ Email configured for 2FA codes
- ✅ SSL certificate installed (HTTPS required)
Step 1: Enable 2FA for Customer Accounts
- Go to Users → Attributes User Access → Security
- Navigate to the Two-Factor Authentication section
- Enable 2FA for the Customer role:
  - ☑️ Enable for “Customer” role
  - Choose: Required, Optional, or Recommended
  - Select 2FA method: Email or Authenticator App
  - Configure grace period (e.g., 7 days to set up)
- Save settings
Recommended 2FA Settings for Ecommerce
| Setting | Recommendation | Reason |
|---|---|---|
| 2FA Requirement | Optional with strong encouragement | Balance security with user experience |
| 2FA Method | Email codes, with Authenticator App also offered | Email is the most accessible for customers, but an emailed code is only as strong as the customer's mailbox; an app is the stronger option for those who want it |
| Remember Device | 30 days | Reduce friction for repeat customers |
| Backup Codes | Enabled | Account recovery option |
| Force for High-Value Orders | Orders above a threshold you choose (e.g., > $500) | Extra protection for large purchases |
Step 2: Configure Password Policies
Enforce strong passwords for customer accounts:
Password Requirements
- ✅ Minimum 8 characters (recommend 12+)
- ✅ Require uppercase and lowercase letters
- ✅ Require at least one number
- ✅ Require special character
- ✅ Block common passwords (password123, welcome, etc.), ideally by checking against a breached-password list rather than a short word list
- ✅ Prevent reuse of last 5 passwords
Password Expiration
// For high-security ecommerce sites
Password Expiration: 90 days
Warning Before Expiration: 14 days
Grace Period After Expiration: 7 days
// For standard ecommerce
Password Expiration: Disabled (optional only)
Encourage periodic password changes via email
Note: current guidance (NIST SP 800-63B) advises against routine expiration, because it pushes users toward predictable variations of the old password. Forcing a change when a credential is known or suspected to be compromised (a breach notification, a login from an unexpected location) matters more than a fixed schedule.
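As an added example (not code from Attributes User Access Pro, which applies these rules from its settings screen), the requirements above can be enforced at the three places a WooCommerce customer sets a password, using only core WordPress and WooCommerce hooks. The attrua_example_* function names, the user-meta key and the inline word list are placeholders chosen for this example; the reuse check keeps only the previous hashes, never plaintext, and lets wp_check_password() do the comparison.

```php
<?php
// Added example, not code from Attributes User Access Pro: enforces the password
// requirements above with core WordPress/WooCommerce hooks. All attrua_example_*
// names and the '_attrua_example_pw_history' meta key are placeholders.

define('ATTRUA_EXAMPLE_MIN_LENGTH', 12);
define('ATTRUA_EXAMPLE_HISTORY_SIZE', 5);   // "prevent reuse of last 5 passwords"

// Tiny inline blocklist (constructed for the example). In production, check the
// candidate against a breached-password list instead of a short word list.
function attrua_example_common_passwords() {
    return array('password', 'password123', 'welcome', 'welcome1', 'qwerty123', 'letmein', 'iloveyou');
}

function attrua_example_password_history($user_id) {
    $history = get_user_meta($user_id, '_attrua_example_pw_history', true);
    return is_array($history) ? $history : array();
}

// Returns a list of human-readable problems; an empty list means the password passes.
function attrua_example_password_problems($password, $user_id = 0) {
    $problems = array();
    if (strlen($password) < ATTRUA_EXAMPLE_MIN_LENGTH) {
        $problems[] = sprintf('Use at least %d characters.', ATTRUA_EXAMPLE_MIN_LENGTH);
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $problems[] = 'Use both uppercase and lowercase letters.';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'Include at least one number.';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'Include at least one special character.';
    }
    if (in_array(strtolower($password), attrua_example_common_passwords(), true)) {
        $problems[] = 'That password is too common; choose something unique.';
    }
    // Reuse check against stored hashes of previous passwords (no user_id is passed to
    // wp_check_password so it cannot rehash or update anything as a side effect).
    $history = $user_id ? attrua_example_password_history($user_id) : array();
    foreach ($history as $old_hash) {
        if (wp_check_password($password, $old_hash)) {
            $problems[] = sprintf('You cannot reuse one of your last %d passwords.', ATTRUA_EXAMPLE_HISTORY_SIZE);
            break;
        }
    }
    return $problems;
}

// Pushes the hash that is about to be replaced onto the rolling history.
function attrua_example_remember_hash($user_id, $old_hash) {
    $history = attrua_example_password_history($user_id);
    array_unshift($history, $old_hash);
    update_user_meta($user_id, '_attrua_example_pw_history', array_slice($history, 0, ATTRUA_EXAMPLE_HISTORY_SIZE));
}

// 1. Registration form: WooCommerce passes a WP_Error collector as the third argument.
add_action('woocommerce_register_post', function ($username, $email, $errors) {
    $password = isset($_POST['password']) ? (string) wp_unslash($_POST['password']) : '';
    foreach (attrua_example_password_problems($password) as $problem) {
        $errors->add('attrua_example_password', $problem);
    }
}, 10, 3);

// 2. My Account → Account details: password_1 is the "new password" field and is
//    empty when the customer is only editing their name or email.
add_action('woocommerce_save_account_details_errors', function ($errors, $user) {
    if (empty($_POST['password_1'])) {
        return;
    }
    foreach (attrua_example_password_problems((string) wp_unslash($_POST['password_1']), $user->ID) as $problem) {
        $errors->add('attrua_example_password', $problem);
    }
}, 10, 2);

// 3. Lost-password reset form: WooCommerce fires WordPress's validate_password_reset
//    action before calling reset_password().
add_action('validate_password_reset', function ($errors, $user) {
    if (!($user instanceof WP_User) || empty($_POST['password_1'])) {
        return;
    }
    foreach (attrua_example_password_problems((string) wp_unslash($_POST['password_1']), $user->ID) as $problem) {
        $errors->add('attrua_example_password', $problem);
    }
}, 10, 2);

// Record the outgoing hash on both change paths: profile_update covers wp_update_user()
// (Account details), password_reset fires just before reset_password() overwrites the hash.
add_action('profile_update', function ($user_id, $old_user_data) {
    $user = get_userdata($user_id);
    if ($user && $old_user_data instanceof WP_User && $user->user_pass !== $old_user_data->user_pass) {
        attrua_example_remember_hash($user_id, $old_user_data->user_pass);
    }
}, 10, 2);
add_action('password_reset', function ($user) {
    if ($user instanceof WP_User) {
        attrua_example_remember_hash($user->ID, $user->user_pass);
    }
}, 10, 1);
```

Drop the file into a small site-specific plugin or a theme's functions.php. The three hooks cover registration, the account-details form and the lost-password flow; a policy that only covers one of them is bypassed through the others.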
Step 3: Enable Session Management
Control how customer sessions are handled:
Session Security Settings
- Session Timeout – Auto-logout after inactivity
  - During checkout: 60 minutes
  - General browsing: 7 days with “Remember Me”
- Concurrent Sessions – Limit devices per account
  - Allow 3 concurrent sessions maximum
  - Show active sessions in My Account
  - Allow customers to terminate sessions
- Force Re-authentication – Require login for sensitive actions
  - Changing email address
  - Updating payment methods
  - Viewing order history with payment details
Step 4: IP Blocking & Whitelisting
Protect against unauthorized access attempts:
Configure IP-Based Security
- Enable Suspicious Activity Monitoring
- Configure auto-block rules:
  - Block IP after 5 failed login attempts
  - Block duration: 30 minutes (escalating)
  - Notify admin of blocked IPs
- Whitelist trusted IPs (optional):
  - Company offices
  - Known customer VPNs
  - Partner organizations
Two things to check before relying on IP blocks. If the site sits behind a CDN, load balancer or reverse proxy, the address the plugin sees may be the proxy's rather than the visitor's, and blocking it would lock out every visitor at once; make sure the real client IP is being used and that forwarded-address headers are only trusted when they come from your own proxy. Also, many customers share one public address (office NAT, mobile carriers, VPN exits), so a block on that address affects all of them, and a whitelisted address exempts everyone behind it from the failed-login rule.
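As an added example (not code from Attributes User Access Pro), here is how the auto-block rule above can be built on core WordPress hooks and transients, including the proxy and shared-address caveats. The attrua_example_* names and the trusted-proxy address are placeholders; the block lengths escalate 30 min, 1 h, 2 h, 4 h and so on, capped at 24 hours.

```php
<?php
// Added example, not code from Attributes User Access Pro: a per-IP failed-login
// lockout with escalating block durations, using core WordPress hooks and transients.
// attrua_example_* names and the trusted-proxy list are placeholders.

define('ATTRUA_EXAMPLE_MAX_FAILURES', 5);                      // "block after 5 failed attempts"
define('ATTRUA_EXAMPLE_FAIL_WINDOW', 15 * MINUTE_IN_SECONDS);  // failures are counted within this window
define('ATTRUA_EXAMPLE_BASE_BLOCK', 30 * MINUTE_IN_SECONDS);   // first block lasts 30 minutes
define('ATTRUA_EXAMPLE_MAX_BLOCK', DAY_IN_SECONDS);            // cap for the escalation

// Resolve the real client IP. Behind a CDN or load balancer REMOTE_ADDR is the proxy,
// so blocking it would block everyone; but X-Forwarded-For is attacker-controlled unless
// the request really came from your proxy, so it is only honoured from listed addresses.
function attrua_example_client_ip(array $server, array $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Walk the chain from the right: the last hop that is not one of our proxies is the client.
        $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
        foreach ($hops as $hop) {
            if (!in_array($hop, $trusted_proxies, true) && filter_var($hop, FILTER_VALIDATE_IP)) {
                return $hop;
            }
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) ? $remote : '0.0.0.0';
}

// Escalation: 30 min, 1 h, 2 h, 4 h ... capped at ATTRUA_EXAMPLE_MAX_BLOCK.
function attrua_example_block_seconds($previous_blocks) {
    return (int) min(ATTRUA_EXAMPLE_BASE_BLOCK * (2 ** (int) $previous_blocks), ATTRUA_EXAMPLE_MAX_BLOCK);
}

function attrua_example_ip_key($prefix, $ip) {
    return $prefix . md5($ip);   // transient names have a length limit; hash the address
}

function attrua_example_current_ip() {
    // Assumption: 203.0.113.10 stands in for your CDN / load-balancer egress addresses.
    return attrua_example_client_ip($_SERVER, array('203.0.113.10'));
}

// Count a failure; on the Nth one within the window start (or lengthen) a block.
// Attempts made while already blocked still fire this hook, so hammering extends the block.
add_action('wp_login_failed', function ($username) {
    $ip       = attrua_example_current_ip();
    $failures = (int) get_transient(attrua_example_ip_key('attrua_ex_fail_', $ip)) + 1;
    set_transient(attrua_example_ip_key('attrua_ex_fail_', $ip), $failures, ATTRUA_EXAMPLE_FAIL_WINDOW);
    if ($failures < ATTRUA_EXAMPLE_MAX_FAILURES) {
        return;
    }
    $previous = (int) get_transient(attrua_example_ip_key('attrua_ex_blocks_', $ip));
    $seconds  = attrua_example_block_seconds($previous);
    set_transient(attrua_example_ip_key('attrua_ex_block_', $ip), time() + $seconds, $seconds);
    set_transient(attrua_example_ip_key('attrua_ex_blocks_', $ip), $previous + 1, ATTRUA_EXAMPLE_MAX_BLOCK);
    delete_transient(attrua_example_ip_key('attrua_ex_fail_', $ip));
    // "Notify admin of blocked IPs". The submitted username is attacker input: sanitize it.
    wp_mail(get_option('admin_email'), 'Login lockout', sprintf(
        "IP %s blocked for %d minutes after %d failed logins (last username tried: %s).",
        $ip, $seconds / 60, $failures, sanitize_user((string) $username)
    ));
}, 10, 1);

// Refuse authentication while the block is active. Priority 1 runs before WordPress's own
// password check, so a blocked address costs no hash computation, and the message is the
// same whether or not the account exists.
add_filter('authenticate', function ($user) {
    $until = (int) get_transient(attrua_example_ip_key('attrua_ex_block_', attrua_example_current_ip()));
    if ($until > time()) {
        return new WP_Error('attrua_example_blocked', sprintf(
            'Too many failed login attempts. Try again in %d minutes.', ceil(($until - time()) / 60)
        ));
    }
    return $user;
}, 1, 1);

// A successful login clears the failure counter for that address.
add_action('wp_login', function () {
    delete_transient(attrua_example_ip_key('attrua_ex_fail_', attrua_example_current_ip()));
}, 10, 0);
```

Transients make this easy to read but are only shared across web nodes when an external object cache (Redis, Memcached) backs them; on a multi-server site without one, each node keeps its own counters and the effective threshold becomes 5 × number of nodes.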
Step 5: Add Security to My Account Page
Give customers control over their account security:
Add Security Dashboard
Create custom endpoint in WooCommerce My Account:
// Register the endpoint so WooCommerce adds its rewrite rule and query var
// (then save Settings → Permalinks once to flush rewrite rules, or the tab 404s)
add_filter('woocommerce_get_query_vars', function($vars) {
    $vars['security'] = 'security';
    return $vars;
});
// Add Security tab to My Account, keeping Logout as the last item
add_filter('woocommerce_account_menu_items', function($items) {
    $logout = isset($items['customer-logout']) ? $items['customer-logout'] : null;
    unset($items['customer-logout']);
    $items['security'] = 'Security Settings';
    if ($logout !== null) { $items['customer-logout'] = $logout; }
    return $items;
}, 10, 1);
// Display security options (this action only fires once the endpoint is registered)
add_action('woocommerce_account_security_endpoint', function() {
    echo do_shortcode('[attrua_security_settings]');
});
Security Features for Customers
- 🔐 Enable/configure 2FA
- 🔑 Change password with strength meter
- 📱 View active sessions and devices
- 🔒 Terminate other sessions
- 📧 Update recovery email
- 📜 View login history
- 🚨 Report suspicious activity
Step 6: Monitor Suspicious Activity
Set up alerts for unusual customer account behavior:
Activity Monitoring Rules
| Trigger Event | Action |
|---|---|
| Login from new country | Send email verification code |
| Multiple failed logins | Temporary account lock + email alert |
| Password change | Email confirmation to old address |
| Email address change | Verify via link to both addresses |
| Large order (e.g., > $1000; align with the high-value threshold chosen in Step 1) | Require 2FA re-authentication |
| Shipping address change | Flag for review on next order |
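The “Force Re-authentication” item in Step 3 and the large-order row above are the same mechanism: remember when the customer last proved their identity, and refuse the sensitive action when that is too long ago. The following is an added example, not code from Attributes User Access Pro (whose 2FA re-authentication is configured from its settings); it uses a fresh password login as the proof. The attrua_example_* names, the meta key and the two limits are placeholders.

```php
<?php
// Added example, not code from Attributes User Access Pro. Implements "force
// re-authentication": a large order (Step 6) or an email-address change (Step 3)
// is refused unless the customer has entered their password recently.
// attrua_example_* names, the meta key and the two limits are placeholders.

define('ATTRUA_EXAMPLE_REAUTH_ORDER_TOTAL', 1000.0);              // orders above this need a fresh login
define('ATTRUA_EXAMPLE_REAUTH_MAX_AGE', 15 * MINUTE_IN_SECONDS);  // how recent that login must be

// wp_login fires only after a real credential check (not when a remembered cookie
// resumes a session), so its timestamp is a usable "last proved identity" marker.
add_action('wp_login', function ($user_login, $user) {
    update_user_meta($user->ID, '_attrua_example_last_auth', time());
}, 10, 2);

// Pure freshness check, kept free of WordPress calls so it is easy to unit test.
function attrua_example_login_is_stale($last_auth, $now) {
    return ($now - (int) $last_auth) > ATTRUA_EXAMPLE_REAUTH_MAX_AGE;
}

function attrua_example_last_auth($user_id) {
    return (int) get_user_meta($user_id, '_attrua_example_last_auth', true);
}

// Checkout: an error notice added during woocommerce_checkout_process aborts the order.
// Guest checkout is unaffected, matching the troubleshooting advice further down.
add_action('woocommerce_checkout_process', function () {
    if (!is_user_logged_in() || !WC()->cart) {
        return;
    }
    $total = (float) WC()->cart->get_total('edit');
    if ($total > ATTRUA_EXAMPLE_REAUTH_ORDER_TOTAL
        && attrua_example_login_is_stale(attrua_example_last_auth(get_current_user_id()), time())) {
        wc_add_notice(sprintf(
            'Orders over %s require you to sign in again first. <a href="%s">Sign in</a>',
            wc_price(ATTRUA_EXAMPLE_REAUTH_ORDER_TOTAL),
            esc_url(wp_login_url(wc_get_checkout_url()))
        ), 'error');
    }
});

// Account details: WooCommerce already asks for the current password when the password
// is changed, but not when only the email address is changed, which is exactly what an
// attacker holding a hijacked session does first (it redirects password resets to them).
add_action('woocommerce_save_account_details_errors', function ($errors) {
    $submitted = isset($_POST['account_email']) ? sanitize_email(wp_unslash($_POST['account_email'])) : '';
    if ($submitted === '' || $submitted === wp_get_current_user()->user_email) {
        return;
    }
    if (attrua_example_login_is_stale(attrua_example_last_auth(get_current_user_id()), time())) {
        $errors->add('attrua_example_reauth', 'Please sign in again before changing your email address.');
    }
}, 10, 1);
```

With the 7-day “Remember Me” session from Step 3, this means a stolen session cookie can browse and place small orders, but cannot place a large one or move the account to a new email address without the password.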
Step 7: Audit Logging for Customer Actions
Track important customer account activities:
Logged Events
- ✅ Login/logout events with IP and device info
- ✅ Failed login attempts
- ✅ Password changes
- ✅ Email address updates
- ✅ 2FA enable/disable
- ✅ Billing/shipping address changes
- ✅ Payment method updates
- ✅ Account deletion requests
// View audit logs for specific customer
Users → Attributes User Access → Audit Log
Filter by: User ID, Date Range, Event Type
Export: CSV download for compliance
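For teams that ship logs to a SIEM rather than read them in the admin screen, here is an added example (not the plugin's audit log, which is configured as described above) that emits the Step 7 events as one JSON line each from core WordPress and WooCommerce hooks. The attrua_example_* names are placeholders, and the IP comes straight from REMOTE_ADDR; behind a proxy, substitute your trusted forwarded-address handling.

```php
<?php
// Added example, not code from Attributes User Access Pro: writes customer account
// events as JSON lines via error_log() so they can be forwarded to a SIEM.
// attrua_example_* names are placeholders.

function attrua_example_audit_record($event, array $fields = array()) {
    $record = array_merge(array(
        'ts'         => gmdate('c'),
        'event'      => $event,
        'ip'         => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null,
        'user_agent' => substr(isset($_SERVER['HTTP_USER_AGENT']) ? (string) $_SERVER['HTTP_USER_AGENT'] : '', 0, 200),
    ), $fields);
    return wp_json_encode($record);
}

function attrua_example_audit($event, array $fields = array()) {
    // error_log() lands in PHP's error log (or WP_DEBUG_LOG); swap in a file or
    // forwarder of your choice. Never log passwords, card data or full addresses.
    error_log('AUDIT ' . attrua_example_audit_record($event, $fields));
}

add_action('wp_login', function ($login, $user) {
    attrua_example_audit('login', array('user_id' => $user->ID));
}, 10, 2);

add_action('wp_logout', function ($user_id) {
    attrua_example_audit('logout', array('user_id' => (int) $user_id));
}, 10, 1);

add_action('wp_login_failed', function ($username) {
    // Log only the attempted username: a mistyped password pasted into the
    // username box is a common way secrets end up in logs.
    attrua_example_audit('login_failed', array('username' => sanitize_user((string) $username)));
}, 10, 1);

// profile_update supplies the previous WP_User, so email and password changes are
// detected by comparing fields (passwords via their hashes, which are not logged).
add_action('profile_update', function ($user_id, $old) {
    $new = get_userdata($user_id);
    if (!$new || !($old instanceof WP_User)) {
        return;
    }
    if ($new->user_email !== $old->user_email) {
        attrua_example_audit('email_changed', array(
            'user_id' => (int) $user_id, 'old_email' => $old->user_email, 'new_email' => $new->user_email,
        ));
    }
    if ($new->user_pass !== $old->user_pass) {
        attrua_example_audit('password_changed', array('user_id' => (int) $user_id));
    }
}, 10, 2);

// Lost-password resets bypass profile_update; after_password_reset covers them.
add_action('after_password_reset', function ($user) {
    if ($user instanceof WP_User) {
        attrua_example_audit('password_reset', array('user_id' => $user->ID));
    }
}, 10, 1);

// Billing or shipping address saved from My Account → Addresses ($type is 'billing' or 'shipping').
add_action('woocommerce_customer_save_address', function ($user_id, $type) {
    attrua_example_audit('address_changed', array('user_id' => (int) $user_id, 'type' => $type));
}, 10, 2);
```

The address event records only that the address changed, not the new value; the order record already holds it, and the log line is enough to correlate an address change with a subsequent large order, which is the “flag for review” pattern in Step 6.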
Best Practices for Ecommerce Security
- ✅ Make 2FA optional but strongly encouraged – Avoid forcing it on first-time customers
- ✅ Use email-based 2FA for accessibility – Most customers already have email access
- ✅ Implement “Remember This Device” – Reduce friction for regular customers
- ✅ Show security indicators – Display “Secure Account” badges for 2FA users
- ✅ Offer incentives for security – Small discount or loyalty points for enabling 2FA
- ✅ Clear communication – Explain why security features protect their data
- ✅ Easy recovery process – Don’t lock customers out of their accounts
- ✅ Monitor for fraud patterns – Use activity logs to identify compromised accounts
Troubleshooting
❌ Customers Locked Out After 2FA
- Provide backup codes during 2FA setup
- Offer admin-assisted account recovery
- Add phone verification as a backup option (SMS codes are weaker than backup codes or an authenticator app because of SIM swapping and interception, so treat them as a last resort)
- Document recovery process clearly
❌ Too Many Security Emails
- Consolidate notifications into daily digest
- Allow customers to customize alert preferences
- Only send for truly suspicious activity
- Use in-account notifications instead of email
❌ Customers Abandoning Checkout Due to Security
- Don’t require 2FA at checkout (only for account access)
- Allow guest checkout to bypass authentication
- Show security as optional feature, not barrier
- Test conversion rates before/after security changes
Need Help?
Contact our support team for security assistance:
- 📧 Email: support@attributeswp.com
- 💬 Live Chat: Available on our website
- 📚 Documentation: docs.attributeswp.com