Is WordPress Safe for eCommerce Websites?
WordPress was not initially built for eCommerce. In order to sell anything on your website, you will need to use a theme and plugins to tap into this functionality (or code it from scratch). But just because WordPress on its own is not eCommerce-ready doesn’t make it any less of a great (and smart) choice to build your online store with.
That said, there are a number of concerns eCommerce companies might have when considering whether or not to use WordPress to build their online store. A few of them being:
- Limits on how big the store (i.e. number of products) can get.
- Limited functionality and features.
- And, of course, whether or not the platform itself is secure enough.
We’ve already seen that there are a number of WordPress plugins (and not just WooCommerce) capable of handling the capacity concern.
However, if you’re still concerned over the question, “How safe is WordPress for eCommerce?”, then let’s take quick look at what we do know to help put your mind at ease.
Is WordPress Safe for eCommerce?
In 2014, firas80 submitted that same exact question (and some answers based on research) to the WPMU DEV forum. firas80 and other members who responded all seemed to say the same thing: no eCommerce platform is going to be 100% safe. What matters are the precautions you take to secure it and also remain in compliance with PCI data security regulations.
Quora is another place where you’ll find people wondering about this question often. It was brought up back in 2015 and again in 2017. Developers who have used WordPress to build eCommerce sites typically only have good things to say about it. Regarding WordPress security, the consensus is that you adhere to security best practices to keep all parties safe.
It’s not surprising, though, that the question of WordPress as a viable and safe eCommerce platform arises time and time again. Running a business online is scary stuff. Add to that the monetization aspect where you need to ensure that customers can make secure payments, that you actually receive payments, and that hackers don’t find a way through in the meantime, and no wonder it’s a concern.
For the most part, however, WordPress has security well covered with:
- SSL certificate integration
- Security plugins like Defender
- Well-vetted WordPress themes
- Well-vetted plugins (like WooCommerce, Easy Digital Downloads, etc.)
- Secure payment gateway integration
- Stringent password and other login requirements
But most of these are tools you add to your WordPress installation to secure your online store. What does the WordPress project team (those in charge of securing the core) do to actually ensure that WordPress is anr remains a safe platform for eCommerce sites? There are two key responsibilities they assume:
- They regularly roll out minor releases with patches as security issues are detected on the platform.
- They (and the volunteer theme review team) carefully vet every new theme and plugin submitted to the repository. When security issues are detected, they then work directly with developers to clean up and fix the underlying problem and consequently release an update to users.
The rest is then up to you. In other words, keeping a WordPress site secure is the responsibility of the website owner. All the security messures in the world aren’t going to protect your WordPress site if you create a weak admin password and give it out to everybody.
What Can You Do to Better Secure WordPress for Your eCommerce Site?
Okay, so this is where you come into the equation and play a crucial role. WordPress will do whatever is in its power to secure the core and vet any third-party integrations you might use. However, if you’re building and running an eCommerce site, there’s much more work to be done.
Here is what you can do to better secure WordPress for your eCommerce site:
1. PCI Compliance
Understand all the ins and outs of PCI compliance in eCommerce.
2. Web Hosting
Use web hosting that supports an eCommerce website. This means absolutely no shared hosting plan. VPS or dedicated servers are the way to go. And if you’re really concerned about security or getting hacked, some hosting services (like our very own dedicated WordPress hosting) even provide a security cleanup service after your site has been hacked that will quickly restore your site and get your store up and running again so you don’t miss out on sales.
3. Content Delivery Network
Add a CDN to improve speed and an extra layer of security.
4. SSL Certificate
Get an SSL certificate to help provide extra protection for your customers’ transactions.
5. eCommerce Platform
Even if your host and WordPress installation are secured, it’s still important to find an eCommerce plugin that will provide your users with a safe place to make a purchase. This all starts by choosing a secure eCommerce plugin.
These are the eCommerce plugins most known for their security and PCI compliance:
- WooCommerce, of course, is always a smart choice as it’s made by Automattic, WordPress’ parent company.
- For the sale of digital products, Easy Digital Downloads is the platform you’ll want to use. It syncs with secure file storage tools like Amazon Web Services and Dropbox, adding an additional level of security to your site.
Also, don’t forget to use reliable eCommerce plugins to extend the functionality of your store with advanced or enhanced features. Here are some examples of plugins and extensions you can use for WooCommerce.
6. Payment Gateway
Create an even more secure checkout process for your customers by using payment gateways known for providing robust security. If you’re concerned or worried about security, you might even want to move your shopping cart and gateway offsite.
7. Order Management Software
Store all sensitive customer information (basically, anything customers input during the checkout process) in a secured CRM or order management software (like QuickBooks), not in the WordPress database.
8. Transaction Monitoring
Pay close attention to any transactions that come through your online store… in or out. Payment fraud might not seem like it poses a security risk to you, but your visitors sure as heck won’t be happy to see they were hacked and that no one on your end noticed anything was amiss.
One way to prevent this type of threat is to require users to input their card’s Card Verification Value (CVV) number. Depending on your store size, you might also need to invest in anti-fraud security services.
9. Security Plugin
Use a WordPress security plugin to reinforce your site’s security. These plugins can take care of everything for you, from installing a firewall to managing anti-malware and monitoring spam. In addition, they’ll help you put extra security precautions in place in the admin area.
10. Backup Plugin
Don’t forget that a security plugin always needs a reliable backup plugin to support it. You can use a plugin like Snapshot to backup and store all your WordPress and Multisite backups, or get automated site backups with a managed WordPress hosting service.
Be careful about what user-generated content (including reviews, ratings, and blog comments) you allow to be added to your site.
12. Core Updates
Keep your WordPress core up-to-date. Even if you’re not comfortable automating all these upgrades, logging in at least once a day will ensure that you know when these are required so you can take care of updates manually.
13. Plugin and Theme Updates
Keep all plugins and themes updated as well. You can use Automate from WPMU DEV to simplify this process.
14. Integrations Review
Check the quality of your themes and plugins. You should also do regular sweeps of your plugin and theme stash and deactivate or delete anything that you are no longer using.
15. Online Scanner
Check your WordPress site for vulnerabilities using an online scanner. Among other things, this will let you know if there are issues with your code or the third-party integrations you’ve added to your site.
To help you remember each of these steps when securing your eCommerce site, make sure you integrate a security checklist into your process.
Proof that WordPress Is Safe for eCommerce
Look, it’s easy to talk about how “secure” WordPress is for eCommerce, but these are just words. How can I actually show you that this platform is safe enough for you to conduct monetary transactions onlne with WordPress?
Probably the easiest way to do this is to share with you a number of successful eCommerce sites that currently run on WordPress. Whether they sell digital or physical products, these websites demonstrate just how reliable a platform WordPress is for running an eCommerce enterprise.
ISC is an industrial products supplier offering customers the option of purchasing or requesting quotes online from an online catalog featuring over 17,000 industrial and commercial products. Customers can browse customers reviews, share product pages with their social network, and purchase items securely online using all major credit cards or Paypal.
SpeedShred provides a 12-week men’s fitness and nutrition program with meal plans and training and exercise workouts. All purchases are made and processed right on their website with an easy one-page checkout form that offers coupon discounts and a secure credit card payment process.
The BoardShorts website sells a variety of men’s and women’s board shorts online. The checkout process is clearly laid out, using three breadcrumbs to guide the user through each step. You’ll also see the Authorize.net safety seal which adds extra assurance for visitors worried about safely making their purchases.
Edible Blossoms is a UK-based online store, much like Edible Arrangements in the U.S. You can order a variety of fruity arrangements and complete the purchase via a WooCommerce-enabled checkout.
Laughing Squid is an interesting company as it is part art, culture, and technology blog and part web hosting. Obviously, our focus here is the web hosting side of the business, as that’s the part which requires eCommerce functionality. The site provides customers with a straight-forward hosting order form and accepts three different types of credit card payment.
Much like WordPress, NGINX is an open source platform that helps power the web through server technology, load balancing equipment, and more. So, it’s not all surprising to see that they’ve used WordPress to build out their shopping cart page where they collect credit card, debit card, and PayPal payments for their services and products.
No discussion about conversion optimization would be complete without discussing OptinMonster. Apparently, no discussion about using WordPress to sell your services would be complete without mentioning them either. The checkout process is easy and comes with a number of trust marks like Norton Secured and McAfee Secure clearly visible as you’re about to make your purchase.
For anyone who has ever wanted to make their own rotis (a type of flatbread), there is the Rotimatic. This website is a great example of what an eCommerce company can do with the right WordPress tools (including WooCommerce) to sell their unique product online.
Wakami Global’s mission is to empower women living in rural areas of Guatemala by giving them jobs and, in turn, selling their products online. Perhaps the nicest part about how they’ve set up the eCommerce part of the site is that they give customers the option to purchase using Amazon Pay. Of course, this is not to say that they don’t trust WooCommerce or their payment gateway; they’re simply giving customers options in case there are any concerns about security.
Of course, WooCommerce uses WordPress–specifically, their own WooCommerce eCommerce software–to process sales on their own website. They’ve chosen to use Stripe to power their payment gateway. They’ve also enclosed a note at checkout ensuring that customers are aware that payments are processed over their secure SSL connection.
Of course, a WordPress eCommerce site will only be as secure as you make it. While the WordPress security team can work day and night to detect and patch security issues in the core, they can’t force you to keep plugins up-to-date or require all users to abide by better login practices.
If you’re not already doing so, keep our Ultimate WordPress Security Checklist on hand. Every website you build–eCommerce or otherwise–deserves to be properly secured against threats and this guide will help provide the defense and security your sites need.