Is WordPress Safe for eCommerce Websites?

Is WordPress secure for eCommerce? Is WooCommerce Safe? Should you be concerned about WordPress eCommerce security and WooCommerce security? Read on to find out…

WordPress was not initially built for eCommerce, so if you’re reading this, you have every right to feel concerned. After all, running an eCommerce business involves loads of responsibilities and risks that could lead to safety and security issues, including:

  • Handling customers’ personal info (i.e. storing contact details and credit card data).
  • Making sure that payment processing is handled securely.
  • Avoiding and detecting potential fraud methods.
  • Making sure that orders are received and processed correctly, and delivered safely to customers.
  • Meeting online safety and web security standards.
  • Complying with various business and consumer protection laws and other legal requirements and guidelines.

In this post, we’ll address common safety and security concerns about using WordPress for eCommerce and look at whether WooCommerce is a safe and secure eCommerce platform for growing your business online.

WordPress eCommerce security is something you should be concerned about, so let’s address your concerns.

Is WordPress Safe for eCommerce?

One common concern many people have about WordPress is how secure the WordPress platform is in general. If WordPress is free and all of its code is available to anyone and everyone, how does WordPress handle security concerns like fixing bugs that can lead to security vulnerabilities and exploitation by malicious users?

We have addressed this issue extensively on this site, from asking the question “Is WordPress Secure?” ourselves, to providing in-depth WordPress security guides, WordPress security checklists, basic WordPress security tips, overlooked ways to secure WordPress, and all the things you should do to secure and harden a WordPress site.

Reading the above should put your mind at ease if you’re concerned about WordPress security in general. However, if you’re specifically concerned over the question, “How safe is WordPress for eCommerce?”, let’s take a quick look at what we do know about using WordPress for eCommerce sites.

In order to sell anything on your website, you will need to use a theme and plugins to tap into this functionality (or code it from scratch). But just because WordPress on its own is not eCommerce-ready doesn’t make it any less of a great (and smart) choice to build your online store with.

That said, there are a number of concerns eCommerce companies might have when considering whether or not to use WordPress to build their online store. A few of them being:

  • Limits on how big the store can get (i.e. the number of products).
  • Limited functionality and features.
  • And, of course, whether or not the platform itself is secure enough.

We’ve already seen that there are a number of WordPress plugins (and not just WooCommerce) capable of handling the capacity concern.

In 2014, firas80 submitted that same exact question (and some answers based on research) to the WPMU DEV forum. firas80 and other members who responded all seemed to say the same thing: no eCommerce platform is going to be 100% safe. What matters are the precautions you take to secure it and also remain in compliance with PCI data security regulations.

Quora is another place where you’ll find people asking this question often. It was brought up back in 2015 and again in 2017. Developers who have used WordPress to build eCommerce sites typically only have good things to say about it. Regarding WordPress security, the consensus is that you must adhere to security best practices to keep all parties safe.

It’s not surprising, though, that the question of WordPress as a viable and safe eCommerce platform arises time and time again. Running a business online is scary stuff. Add to that the monetization aspect where you need to ensure that customers can make secure payments, that you actually receive payments, and that hackers don’t find a way through in the meantime, and no wonder it’s a concern.

For the most part, however, WordPress has security well covered with:

  • SSL certificate integration
  • Security plugins like Defender
  • Well-vetted WordPress themes
  • Well-vetted plugins (like WooCommerce, Easy Digital Downloads, etc.)
  • Secure payment gateway integration
  • Stringent password and other login requirements

Most of these are tools you add to your WordPress installation to secure your online store. What does the WordPress project team (those in charge of securing the core) do to actually ensure that WordPress is and remains a safe platform for eCommerce sites? There are two key responsibilities they assume:

  1. They regularly roll out minor releases with patches as security issues are detected on the platform.
  2. They (and the volunteer theme review team) carefully vet every new theme and plugin submitted to the repository. When security issues are detected, they then work directly with developers to clean up and fix the underlying problem and consequently release an update to users.

The rest is then up to you. In other words, keeping a WordPress site secure is the responsibility of the website owner. All the security measures in the world aren’t going to protect your WordPress site if you create a weak admin password and hand it out to everybody.

Is WooCommerce Safe And Secure?


WooCommerce is an open-source eCommerce plugin for WordPress that is owned by Automattic, the parent company of WordPress. This means that the entire WooCommerce ecosystem adheres to the same principles of WordPress when it comes to security.

This is reflected in its popularity with small to large-sized online merchants using WordPress. According to Wappalyzer, a company that identifies market leaders in various technologies, WooCommerce has over 40% share of the eCommerce platform market.

WooCommerce is the market leader in eCommerce platforms. Source: Wappalyzer.com

You don’t have to use WooCommerce. There are WooCommerce alternatives, but these are finding it harder to compete, given the dominance of the market leader.

Now that we have touched on some of the things that WordPress and its community of developers do to make sure that WordPress (with WooCommerce installed) is safe and secure for eCommerce, the next area we should look at is the things that you can and should do to safeguard your eCommerce business and the safety of your customers.

What Can You Do to Better Secure WordPress for Your eCommerce Site?

Okay, so this is where you come into the equation and play a crucial role. WordPress will do whatever is in its power to secure the core and vet any third-party integrations you might use. However, if you’re building and running an eCommerce site, there’s much more work to be done.

Here is what you can do to better secure WordPress for your eCommerce site:

1. PCI Compliance
Understand all the ins and outs of PCI compliance in eCommerce.

2. Web Hosting
Use web hosting that supports an eCommerce website. This means absolutely no shared hosting plan. VPS or dedicated servers are the way to go. And if you’re really concerned about security or getting hacked, some hosting services (like our very own dedicated WordPress hosting) even provide a security cleanup service after your site has been hacked that will quickly restore your site and get your store up and running again so you don’t miss out on sales.

3. Content Delivery Network
Add a CDN to improve speed and to add an extra layer of security (for example, absorbing traffic floods before they reach your origin server).

4. SSL Certificate
Get an SSL certificate to help provide extra protection for your customers’ transactions.

5. eCommerce Platform
Even if your host and WordPress installation are secured, it’s still important to find an eCommerce plugin that will provide your users with a safe place to make a purchase. This all starts by choosing a secure eCommerce plugin.

These are the eCommerce plugins most known for their security and PCI compliance:

  • WooCommerce is always a smart choice as described earlier.
  • For the sale of digital products, Easy Digital Downloads is the platform you’ll want to use. It syncs with secure file storage tools like Amazon Web Services and Dropbox, adding an additional level of security to your site.

Also, don’t forget to use reliable eCommerce plugins to extend the functionality of your store with advanced or enhanced features. Check out some examples of plugins and extensions for WooCommerce.

6. Payment Gateway
Create an even more secure checkout process for your customers by using payment gateways known for providing robust security. If you’re concerned or worried about security, you might even want to move your shopping cart and gateway offsite.

7. Order Management Software
Store all sensitive customer information (basically, anything customers input during the checkout process) in a secured CRM or order management software (like QuickBooks), not in the WordPress database.

8. Transaction Monitoring
Pay close attention to any transactions that come through your online store… in or out. Payment fraud might not seem like it poses a security risk to you, but your visitors won’t be happy to see they were hacked and that no one on your end noticed anything was amiss.

One way to prevent this type of threat is to require users to input their card’s Card Verification Value (CVV) number. Depending on your store size, you might also need to invest in anti-fraud security services.
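As an added example (not part of the original post and not a WooCommerce feature), here is a small rule-based transaction monitor of the kind step 8 describes. It runs over a constructed CSV export of checkout attempts; the column layout, the IP addresses and the thresholds are all assumptions made for this illustration, and you would point the functions at your own gateway or order export instead.

```sh
#!/bin/sh
# Added example: rule-based review of checkout attempts (constructed data).
set -eu

# Constructed sample export. Columns: order_id,ip,billing_country,status,amount
# (this layout is an assumption, not WooCommerce's own export format).
ATTEMPTS='order_id,ip,billing_country,status,amount
1001,203.0.113.7,US,completed,49.00
1002,203.0.113.7,US,failed,1.00
1003,203.0.113.7,US,failed,1.00
1004,203.0.113.7,US,failed,1.00
1005,198.51.100.2,GB,completed,120.00
1006,198.51.100.9,DE,completed,1500.00'

# Rule 1: many failed payments from one IP is the classic "card testing"
# pattern (a stolen card list being probed with small charges).
# $1 = CSV text, $2 = minimum number of failures before an IP is flagged.
card_testing_ips() {
    printf '%s\n' "$1" | awk -F, -v min="$2" '
        NR > 1 && $4 == "failed" { fails[$2]++ }
        END { for (ip in fails) if (fails[ip] >= min) print ip }'
}

# Rule 2: completed orders above an amount ceiling go to manual review
# before fulfilment, since a single large fraudulent order hurts most.
# $1 = CSV text, $2 = amount ceiling.
high_value_orders() {
    printf '%s\n' "$1" | awk -F, -v max="$2" '
        NR > 1 && $4 == "completed" && $5 + 0 > max { print $1 }'
}

# Print the daily review queue; thresholds here are assumed values.
review_queue() {
    echo "IPs with 3+ failed payments (possible card testing):"
    card_testing_ips "$1" 3
    echo "Completed orders above 1000 (hold for manual review):"
    high_value_orders "$1" 1000
}

review_queue "$ATTEMPTS"
```

Run on a real export, the output is a short list to check each day; the point is that a merchant notices three declined one-dollar attempts from one address the same day, rather than weeks later when the chargebacks arrive.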

9. Security Plugin
Use a WordPress security plugin to reinforce your site’s security. These plugins can take care of everything for you, from installing a firewall to managing anti-malware and monitoring spam. In addition, they’ll help you put extra security precautions in place in the admin area.

10. Backup Plugin
Don’t forget that a security plugin always needs a reliable backup plugin to support it. You can use a plugin like Snapshot to back up and store all your WordPress and Multisite backups, or get automated site backups with a managed WordPress hosting service.

11. UGC
Be careful about what user-generated content (including reviews, ratings, and blog comments) you allow to be added to your site.

12. Core Updates
Keep your WordPress core up-to-date. Logging in at least once a day will ensure that you know when these are required so you can take care of updates manually. If you don’t want to perform manual updates, then consider using a tool like Automate from WPMU DEV to run core updates safely and securely for you.

13. Plugin and Theme Updates
Keep all plugins and themes updated as well. Again, consider using Automate from WPMU DEV to simplify this process and The Hub (also from WPMU DEV) to manage all your plugins and themes from one central location (especially if you plan to run multiple WordPress sites for eCommerce or other uses).

14. Integrations Review
Check the quality of your themes and plugins. You should also do regular sweeps of your plugin and theme stash and deactivate or delete anything that you are no longer using.

15. Online Scanner
Check your WordPress site for vulnerabilities using an online scanner. Among other things, this will let you know if there are issues with your code or the third-party integrations you’ve added to your site.
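Steps 12 to 14 above (core updates, plugin and theme updates, and sweeping out unused integrations) are a single maintenance routine, so here is an added example that is not from the post and not a WPMU DEV tool: a WP-CLI audit script. It assumes WP-CLI (`wp`) is installed and that the script is run from the site root; the commands used (`wp core check-update`, `wp core verify-checksums`, `wp plugin list`, `wp theme list`, `wp plugin verify-checksums`) are standard WP-CLI commands. The sample CSV at the bottom is constructed so the parsing can be exercised without a live site.

```sh
#!/bin/sh
# Added example: WP-CLI maintenance audit for a WordPress/WooCommerce site.
set -eu

# Parse the CSV that `wp plugin list --fields=name,status,update --format=csv`
# (or the same `wp theme list` call) prints, and echo the name of every
# item whose "update" column says "available".
# $1 = CSV text with header line: name,status,update
outdated_from_csv() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Same CSV, but list installed-yet-inactive items: the "no longer using"
# plugins from step 14. Inactive code still sits on the server, so it
# should be deleted rather than merely deactivated.
inactive_from_csv() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Live audit against the current site (only called when WP-CLI is present).
audit_site() {
    echo "== core =="
    wp core check-update                 # newer core releases, if any
    wp core verify-checksums             # core files modified on disk?
    plugins="$(wp plugin list --fields=name,status,update --format=csv)"
    echo "== plugins needing updates =="
    outdated_from_csv "$plugins"
    echo "== inactive plugins (candidates for deletion) =="
    inactive_from_csv "$plugins"
    echo "== themes needing updates =="
    outdated_from_csv "$(wp theme list --fields=name,status,update --format=csv)"
    echo "== plugin file integrity (wordpress.org-hosted plugins) =="
    wp plugin verify-checksums --all
}

# Constructed sample in the shape WP-CLI prints (plugin names here are
# illustrative only).
SAMPLE_PLUGINS='name,status,update
woocommerce,active,none
akismet,inactive,available
defender-security,active,none
hello,inactive,none'

if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
    audit_site
else
    echo "No WordPress install found; parsing the constructed sample instead:"
    echo "outdated: $(outdated_from_csv "$SAMPLE_PLUGINS" | tr '\n' ' ')"
    echo "inactive: $(inactive_from_csv "$SAMPLE_PLUGINS" | tr '\n' ' ')"
fi
```

Scheduling this from cron and mailing the output gives the same signal as the daily login recommended in step 12, and the checksum commands add a check the dashboard does not: whether files on disk still match what wordpress.org shipped.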

To help you remember each of these steps when securing your eCommerce site, make sure you integrate a security checklist into your process.

Proof that WordPress Is Safe for eCommerce

Look, it’s easy to talk about how “secure” WordPress is for eCommerce, but these are just words. How can I actually show you that this platform is safe enough for you to conduct monetary transactions online with WordPress?

Probably the easiest way to do this is to share with you a number of successful eCommerce sites that currently run on WordPress. Whether they sell digital or physical products, these websites demonstrate just how reliable a platform WordPress is for running an eCommerce enterprise.

ISC

ISC is an industrial products supplier offering customers the option of purchasing or requesting quotes online from an online catalog featuring over 17,000 industrial and commercial products. Customers can browse customer reviews, share product pages with their social network, and purchase items securely online using all major credit cards or PayPal.

SpeedShred

SpeedShred provides a 12-week men’s fitness and nutrition program with meal plans and training and exercise workouts. All purchases are made and processed right on their website with an easy one-page checkout form that offers coupon discounts and a secure credit card payment process.

BoardShorts.com

The BoardShorts website sells a variety of men’s and women’s board shorts online. The checkout process is clearly laid out, using three breadcrumbs to guide the user through each step. You’ll also see the Authorize.net safety seal which adds extra assurance for visitors worried about safely making their purchases.

Edible Blossoms

Edible Blossoms is a UK-based online store, much like Edible Arrangements in the U.S. You can order a variety of fruity arrangements and complete the purchase via a WooCommerce-enabled checkout.

Laughing Squid

Laughing Squid is an interesting company, as it is part art, culture, and technology blog and part web hosting. Obviously, our focus here is the web hosting side of the business, as that’s the part that requires eCommerce functionality. The site provides customers with a straightforward hosting order form and accepts three different types of credit card payment.

NGINX

Much like WordPress, NGINX is an open-source platform that helps power the web through server technology, load balancing equipment, and more. So, it’s not at all surprising to see that they’ve used WordPress to build out their shopping cart page, where they collect credit card, debit card, and PayPal payments for their services and products.

OptinMonster

No discussion about conversion optimization would be complete without discussing OptinMonster. Apparently, no discussion about using WordPress to sell your services would be complete without mentioning them either. The checkout process is easy and comes with a number of trust marks like Norton Secured and McAfee Secure clearly visible as you’re about to make your purchase.

Rotimatic

For anyone who has ever wanted to make their own rotis (a type of flatbread), there is the Rotimatic. This website is a great example of what an eCommerce company can do with the right WordPress tools (including WooCommerce) to sell their unique product online.

Wakami Global

Wakami Global’s mission is to empower women living in rural areas of Guatemala by giving them jobs and, in turn, selling their products online. Perhaps the nicest part about how they’ve set up the eCommerce part of the site is that they give customers the option to purchase using Amazon Pay. Of course, this is not to say that they don’t trust WooCommerce or their payment gateway; they’re simply giving customers options in case there are any concerns about security.

WooCommerce

WooCommerce itself uses WordPress (specifically, their own WooCommerce eCommerce software) to process sales on their own website. They’ve chosen to use Stripe to power their payment gateway. They’ve also enclosed a note at checkout ensuring that customers are aware that payments are processed over their secure SSL connection.

So… Is WordPress Good For eCommerce?

Hopefully, this post has helped to ease your concerns and any fears you may have about WordPress (and WooCommerce) being safe for eCommerce. We’ve shown you that WordPress is safe for eCommerce. A WordPress eCommerce site, however, will only be as secure as you make it. While the WordPress security team can work day and night to detect and patch security issues in the core, they can’t force you to keep plugins up-to-date or require all users to abide by better login practices.

What we invite you to do now is to discover for yourself just how good WordPress can be for eCommerce. By combining the versatility, flexibility, and ease of use of the WordPress platform with the almost unlimited possibilities that WooCommerce provides through a wide range of plugins, add-ons, extensions, and developer support for eCommerce stores, there is no reason why you shouldn’t grow a successful and profitable business online with complete peace of mind.

Before you build your eCommerce site, make sure to read our comprehensive guide to planning an eCommerce store with WordPress and keep our ultimate WordPress security checklist on hand. Every website you build, eCommerce or otherwise, deserves to be properly secured against threats, and this guide will help provide the defense and security your sites need. Additionally, consider hosting your eCommerce site securely.

Take the necessary steps and precautions to protect your website and you, your team, and your customers will all be able to sleep soundly at night while your business keeps ticking over.

Martin Aranovitch: Martin believes that we can all live sustainably in a WordPress-centric digital universe and spends most of his time taking copious notes and creating epic tutorials to prove his theory. Before joining WPMU DEV, Martin authored many WordPress guides and courses for beginners.

Brenda Barron: Brenda Barron is a freelance writer from Southern California. She specializes in WordPress, tech, business and founded WP Theme Roundups. When not writing all the things, she's spending time with her family.
Over to you: Which tools have you used to secure your site? What challenges did you face with securing it? What were your concerns prior to reading this article, and did our post help to address these? Please let us know your thoughts in the comments section below.