How to fix passive scan only on WooCommerce
Complement passive security scans with active Dynamic Application Security Testing (DAST) against a staging copy of your store before each release.
Steps for WooCommerce
- Create a staging site using your host's staging tool (e.g. WP Engine, Kinsta, SiteGround all offer one-click staging) or duplicate the site manually to a subdomain (e.g. staging.yourstore.com).
- Block the staging site from search engines (WordPress Admin → Settings → Reading → 'Discourage search engines') and restrict access by IP or HTTP Basic Auth so DAST traffic stays private.
- Download and install OWASP ZAP on your local machine or a test server. Set the target to your staging URL.
- Configure an authenticated scan: in ZAP go to Tools → Options → Authentication, supply a WooCommerce test-customer login, and record the session so ZAP can scan the cart, checkout, and My Account pages.
- Run 'Active Scan'. Pay special attention to WooCommerce REST API endpoints (/wp-json/wc/v3/) and any custom plugins. Remediate findings before deploying to production.
- Consider adding a WordPress security plugin (e.g. Wordfence, Patchstack) to your production site for ongoing monitoring between DAST runs.
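The steps above can be wired into a single pre-release gate. The script below is an added example, not code from the page or from the ZAP project: it refuses to scan a staging copy that answers anonymous requests with 200 (the Basic Auth / IP restriction from step two is in place only if an unauthenticated GET is rejected), builds the command for ZAP's packaged `zap-full-scan.py` with the real `-t`, `-J`, `-m`, `-n` and `-U` options for an authenticated active scan, then reads the JSON report and blocks the release on High-risk alerts, listing every instance that hit the WooCommerce REST API under `/wp-json/wc/v3/`. The host `staging.yourstore.com`, the context file `woo.context`, the user name `test-customer` and the whole `SAMPLE_REPORT` are assumptions or constructed data, not real findings about WooCommerce.

```python
"""Pre-release DAST gate for a WooCommerce staging site (added example).

Assumptions not taken from the page: staging sits behind HTTP Basic Auth or an
IP allow-list, ZAP runs via the official docker image's zap-full-scan.py, and
a release is blocked whenever the JSON report contains a High-risk alert.
"""
import json
import os
import subprocess
import sys
import urllib.error
import urllib.request

STAGING_URL = "https://staging.yourstore.com/"   # placeholder host, as on the page
WC_API_PREFIX = "/wp-json/wc/v3/"                 # WooCommerce REST API base path
RISK_NAMES = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}


def _http_status(url: str) -> int:
    """HTTP status of an anonymous GET (no credentials, no cookies)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def staging_is_private(url: str, fetch=_http_status) -> bool:
    """True when anonymous access is refused: 401 (Basic Auth) or 403 (IP allow-list).

    A staging copy that serves 200 to anyone is public; refuse to scan it so the
    DAST traffic and any findings stay off the open internet.
    """
    return fetch(url) in (401, 403)


def zap_full_scan_command(target, report_json, context_file=None, user=None, max_minutes=30):
    """docker argv for ZAP's packaged active scan; the report lands in ./ via /zap/wrk.

    -t target, -J JSON report, -m spider minutes, -n exported ZAP context and
    -U user (the context carries the recorded test-customer login).
    """
    cmd = ["docker", "run", "--rm", "-v", f"{os.getcwd()}:/zap/wrk:rw",
           "-t", "ghcr.io/zaproxy/zaproxy:stable", "zap-full-scan.py",
           "-t", target, "-J", report_json, "-m", str(max_minutes)]
    if context_file:
        cmd += ["-n", context_file]
    if user:
        cmd += ["-U", user]
    return cmd


def triage_report(report: dict, api_prefix: str = WC_API_PREFIX) -> dict:
    """Count alerts per risk level and list every instance hitting the WC REST API."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    api_hits = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            level = RISK_NAMES.get(str(alert.get("riskcode")), "Informational")
            counts[level] += 1
            for inst in alert.get("instances", []):
                if api_prefix in inst.get("uri", ""):
                    api_hits.append((level, alert.get("alert"), inst.get("method"), inst["uri"]))
    return {"counts": counts, "api_hits": api_hits}


def release_blocked(triage: dict, block_on=("High",)) -> bool:
    """Release policy: any alert at a blocking level stops the deploy."""
    return any(triage["counts"][lvl] > 0 for lvl in block_on)


# Constructed ZAP-style JSON report used to exercise the gate offline.
# The alert names are standard ZAP alert titles; the URIs and the fact that they
# "fired" are made up for this example and are not findings about WooCommerce.
SAMPLE_REPORT = {
    "@version": "2.14.0",
    "site": [{
        "@name": STAGING_URL.rstrip("/"),
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3", "riskdesc": "High (Medium)",
             "instances": [{"uri": STAGING_URL + "wp-json/wc/v3/orders?status=x", "method": "GET"}]},
            {"alert": "Absence of Anti-CSRF Tokens", "riskcode": "2", "riskdesc": "Medium (Low)",
             "instances": [{"uri": STAGING_URL + "checkout/", "method": "POST"}]},
            {"alert": "Cookie Without Secure Flag", "riskcode": "1", "riskdesc": "Low (Medium)",
             "instances": [{"uri": STAGING_URL + "my-account/", "method": "GET"}]},
        ],
    }],
}


def main(target=STAGING_URL, report_json="zap-report.json"):
    if not staging_is_private(target):
        sys.exit("refusing to scan: staging answers anonymous requests; add Basic Auth or an IP restriction")
    # zap-full-scan.py exits non-zero on warnings, so do not let that abort the gate.
    subprocess.run(zap_full_scan_command(target, report_json, "woo.context", "test-customer"), check=False)
    with open(report_json) as fh:
        triage = triage_report(json.load(fh))
    print("alerts by risk:", triage["counts"])
    for level, name, method, uri in triage["api_hits"]:
        print(f"  [{level}] {name}: {method} {uri}")
    sys.exit(1 if release_blocked(triage) else 0)


if __name__ == "__main__":
    main()
```

Run it from the directory where the exported ZAP context lives; the JSON report is written there through the `/zap/wrk` mount. Gating on High only is a starting policy: once the Medium findings in checkout and account flows have been worked through, add `"Medium"` to `block_on` so regressions there also stop a deploy.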
What is passive scan only?
Automated security scanners that check your live store passively — inspecting HTTP headers, TLS certificates, cookies, and DNS records — can only see what is publicly visible without logging in or submitting forms. They cannot detect deeper vulnerabilities like SQL injection, broken authentication, insecure API endpoints, or business-logic flaws. Dynamic Application Security Testing (DAST) tools, such as OWASP ZAP, actively probe a running copy of your application the way a real attacker would — sending crafted requests, testing login flows, and fuzzing inputs — to surface vulnerabilities a passive scan will never find. Running DAST against a staging environment (never your live store) gives you a much more complete security picture before code reaches customers.
Security misconfigurations and undetected vulnerabilities are the #5 risk on the OWASP Top Ten and are a leading cause of data breaches in ecommerce — exposing customer payment data, personal information, and admin credentials. A breach can result in PCI-DSS non-compliance fines, chargebacks, loss of payment-processor accounts, and severe reputational damage that directly destroys revenue. Relying solely on passive header checks leaves entire attack surfaces — checkout flows, account login, coupon logic, admin APIs — completely untested. Adding even a basic DAST scan to your pre-release checklist dramatically reduces the chance of shipping a critical vulnerability to production.
See the complete Passive scan only guide for every platform and the full background.