Author picture Fongang Rodrique

How to Secure and Verify WooCommerce Webhooks with Hookdeck

Published · Updated

Webhook security and verification are critical components in assuring the security and integrity of your data transmission. WooCommerce allows shop owners to receive webhook notifications when specified events occur, such as when an order is created.

If your webhooks are not properly secured, they can be vulnerable to security threats such as fraud, replay attacks, man-in-the-middle attacks, and unauthorized access. Learn more about webhook security here.

As a developer or user, dealing with each platform’s webhook security implementation often leads to a lot of maintenance issues, especially having to add and manage new providers. Hookdeck removes this layer of complexity by letting you manage all of them using Integrations, and then you only have to implement Hookdeck’s signature verification on your server(s).

This article provides a step-by-step guide on how to set up and configure your WooCommerce webhooks manually and with Hookdeck. By the end of this article, you will have a comprehensive understanding of how Hookdeck can help secure your WooCommerce webhooks and protect you from potential security threats.

Securing and verify gif

How to manually secure WooCommerce webhooks

To manually secure your WooCommerce webhooks, you are required to perform the following steps:

  1. On your WordPress dashboard, navigate to WooCommerce > Settings > Advanced > Webhooks and Create a new webhook.
  2. Specify the Secret and Save the webhook.
  3. Store the secret created securely as an environmental variable in your application.
  4. Receive HMAC-signed payload, with the signature included in the x-wc-webhook-signature header field.
  5. Calculate the HMAC signature using SHA256 function and the binary representation of the payload and HMAC key.
  6. Encode the outcome with base64-encode to get the result.
  7. Compare the calculated signature with the x-wc-webhook-signature received in the notification.

If they match, it confirms that the notification was sent by WooCommerce and was not modified during transmission.

Learn more about WooCommerce webhooks here.

Verifying your webhooks this way guarantees security. However, these steps can present a whole new set of challenges, including implementation difficulties, compatibility issues, maintenance, and the possibility of errors throughout the validation process.

How to secure and verify WooCommerce webhooks with Hookdeck

To verify your WooCommerce webhook with Hookdeck:

  1. Create a Hookdeck connection with WooCommerce as the source and your application as the destination.
  2. Create or select an existing WooCommerce webhook you wish to secure.
  3. Set a Secret and copy it.
  4. From your Hookdeck dashboard, navigate to Source Integrations.
  5. Select WooCommerce from the list of platforms.

WooCommerce Source Integration

  1. Fill in the Webhook Signing Secret as the secret set above.
    1. Integration Label: WooCommerce
    2. Features: Check Enable verification
    3. Webhook Signing Secret: Enter your WooCommerce Secret
    4. Attached Source: Select WooCommerce
  2. Click Confirm.

WooCommerce confirm

You can select multiple sources and secure them at once.

You now see the WooCommerce integration at the top of the integration page and a green shield on the connection page.

How to validate WooCommerce security source integration

When you navigate to the Request tab, you will see legitimate requests from WooCommerce are received successfully with a 200 status code while any request without the matching secret is flagged with Failed verification and doesn’t make it to your destination.

Validate WooCommerce

Hookdeck can be used to centralize your webhook security and verification, making it easy for you to only sign Hookdeck on your server. See the guide here.

In this article, I’ve demonstrated why it is important to secure and verify WooCommerce webhooks, how manual verification can be complicated to handle, and the ease of implementation with Hookdeck.

By leveraging Hookdeck's automated verification process, you can be confident that you are accurately receiving and responding to WooCommerce webhook events without having to manually perform the time-consuming and complex steps involved in manual verification.

In conclusion, using Hookdeck simplifies and streamlines the process of verifying WooCommerce webhooks, making it easier and more secure for you to integrate quickly.