Is WordPress Safe for eCommerce Websites?

WordPress is not inherently built for eCommerce. In order to sell anything on your website, you need to use a theme and a series of plugins in order to tap into that functionality (or you need to code it all from scratch). But just because WordPress on its own is not eCommerce-ready doesn’t make it any less of a good (or smart) choice to build your online store with.

That said, there are a number of concerns eCommerce companies might have when considering whether or not to use WordPress to build their online store. A few of them being:

  • Limits on how big the store (i.e. number of products) can get.
  • Limited functionality and features.
  • And, of course, whether or not the platform itself is secure enough.

We’ve already seen that there are a number of WordPress plugins (and not just WooCommerce) capable of handling the capacity concern.

However, if you’re still concerned over the question, “How safe is WordPress for eCommerce?”, then let’s take quick look at what we do know to help put your mind at ease.

Is WordPress Safe for eCommerce?

In 2014, firas80 submitted that same exact question (and some answers based on research) to the WPMU DEV forum. firas80 and other members who responded all seemed to say the same thing: no eCommerce platform is going to be 100% safe. What matters are the precautions you take to secure it and also remain in compliance with PCI data security regulations.

Quora is another place where you’ll find people wondering about this question often. It was brought up back in 2015 and again in 2017. Developers who have used WordPress to build eCommerce sites have nothing but good things to say about it. They simply suggest that you adhere to security best practices as you would otherwise do if you want to keep all parties safe.

It’s not surprising, though, that this question about WordPress’s viability as a safe eCommerce platform arises time and time again. Running a business online is scary stuff. Add to that the monetization aspect where you need to ensure that customers can make secure payments, that you actually receive payments, and that hackers don’t find a way through in the meantime, and no wonder it’s a concern.

For the most part, however, WordPress has security well covered with:

But most of those are tools you need to add onto your WordPress installation in order to secure your online store. What does the WordPress project team (those in charge of securing the core) do to actually ensure that WordPress is a safe platform for eCommerce sites? There are two key responsibilities they assume:

  1. They regularly roll out minor releases with patches as security issues are detected on the platform.
  2. They and the volunteer theme review team carefully vet every new theme and plugin submitted to the repository. When security issues are detected, they then work directly with developers to clean up the underlying problem and consequently release an update to users.

The rest is then up to you.

What Can You Do to Better Secure WordPress for Your eCommerce Site?

Okay, so this is where you come into the equation. WordPress will do whatever is in its power to secure the core and vet third-party integrations you might use. However, if you’re building and running an eCommerce site, there’s much more work to be done.

Here is what you can do to better secure WordPress for your eCommerce site:

1. PCI Compliance
Understand all the ins and outs of PCI compliance in eCommerce.

2. Web Hosting
Use web hosting that supports an eCommerce website. This means absolutely no shared hosting plan. VPS or dedicated servers are the way to go.

3. Content Delivery Network
Add a CDN to improve speed and an extra layer of security.

4. SSL Certificate
Get an SSL certificate to help provide extra protection for your customers’ transactions.

5. eCommerce Platform
Even if your host and WordPress installation are secured, it’s still important to find an eCommerce plugin that will provide your users with a safe place to make a purchase. This all starts by choosing a secure eCommerce plugin.

These are the eCommerce plugins most known for their security and PCI compliance:

  • MarketPress integrates with 15 of the most well-known and secure payment gateways. And because it’s part of the WPMU DEV family of plugins, it works beautifully with the Defender plugin.
  • WooCommerce, of course, is always a smart choice as it’s made by Automattic.
  • For the sale of digital products, Easy Digital Downloads is the platform you’ll want to use. It syncs with secure file storage tools like Amazon Web Services and Dropbox, adding an additional level of security to your site.

Also, don’t forget to use reliable eCommerce plugins when adding advanced functionality to your store. Here are some examples of ones you can use for WooCommerce.

6. Payment Gateway
Create an even more secure checkout process for your customers by using payment gateways known for their security. You might even want to move your shopping cart and gateway off of your site if you’re nervous about security.

7. Order Management Software
Store all sensitive customer information (basically, anything they input during the checkout process) in a secured CRM or order management software (like QuickBooks) and not in WordPress.

8. Transaction Monitoring
Pay close attention to any transactions that come in or out through your online store. Payment fraud might not seem like it poses a security risk to you, but your visitors sure as heck won’t be happy to see they were hacked and no one on your side noticed anything was amiss.

One way to prevent this type of threat is by requiring that users input their card’s Card Verification Value (CVV) number. Depending on the size of your store, you might also need to invest in anti-fraud security services.

9. Security Plugin
Use a WordPress security plugin to reinforce your site’s security. These plugins can take care of everything from installing a firewall to managing anti-malware and spam monitoring for you. In addition, they’ll help you put extra security precautions in place in the admin area.

10. Backup Plugin
Don’t forget that a security plugin always needs a reliable backup plugin to support it.

11. UGC
Be careful about what user-generated content (including reviews, ratings, and blog comments) you allow onto your site.

12. Core Updates
Keep your WordPress core up-to-date. Even if you’re not comfortable automating all of these upgrades, logging in at least once a day will ensure you know when they’re ready so you can take care of them manually.

13. Plugin and Theme Updates
Keep all plugins and themes updated as well. You can use Automate from WPMU DEV to simplify this process.

14. Integrations Review
Verify the quality of your themes and plugins. You should also do regular sweeps of your plugin and theme stash to ensure that anything you’re not using is deactivated and deleted.

15. Online Scanner
Check your WordPress site for vulnerabilities using an online scanner. This will tell you if there are issues with your code or the third-party integrations you’ve added to your site, among other things.

If you’re nervous about remembering each of these steps for securing your eCommerce site, then be sure to integrate a security checklist into your process.

Proof that WordPress Is Safe for eCommerce

Look, it’s easy to talk about how “secure” WordPress is for eCommerce, but those are just words. How can I actually show you that this platform is safe enough for you to conduct monetary transactions on it?

Probably the easiest way to do that would be to share with you a number of successful eCommerce sites that currently run on WordPress. Whether they sell digital or physical products, these websites have demonstrated how reliable a platform WordPress is for eCommerce.

Blue Star Coffee Roasters

Blue Star Coffee Shop

Blue Star Coffee Roasters is an online purveyor of coffee, coffee accessories, as well as coffee subscription services. All purchases are made and processed right on their website and they offer customers an easy one-page checkout with a secure Stripe payment gateway to cap it all off.

The BoardShorts website sells a variety of men’s and women’s board shorts online. The checkout process is clearly laid out, using three breadcrumbs to guide the user through each step. You’ll also see the safety seal which adds extra assurance for visitors worried about safely making their purchases.

Edible Blossoms

Edible Blossoms

Edible Blossoms is a UK-based online store, much like Edible Arrangements that we have here in the U.S. You can order a variety of different fruity arrangements and complete the purchase right there with their WooCommerce-enabled checkout.

Laughing Squid

Laughing Squid is an interesting company as it’s part blog and part web hosting. Obviously, it’s the web hosting side of the business that we’re concerned with as that’s the part that requires eCommerce functionality. The hosting order form appears to be fairly straight-forward and, at the end, they accept three different types of credit card payment.



Much like WordPress, NGINX is an open source platform that helps power the web through server technology, load balancing equipment, and more. So, it’s not all surprising to see that they’ve used WordPress to build out their shopping cart page where they collect credit card, debit card, and PayPal payments for their services and products.



No discussion about conversion optimization would be complete without discussing OptinMonster. Apparently, no discussion about using WordPress to sell your services would be complete without mentioning them either. The checkout process is easy and comes with a number of trust marks like Norton Secured and McAfee Secure clearly visible as you’re about to make your purchase.



For anyone who has ever wanted to make their own rotis (a type of flatbread), there is the Rotimatic. The website itself is a good example of what an eCommerce company can do with the right WordPress tools (including WooCommerce) to sell their unique product online.

Wakami Global

Wakami Global

Wakami Global’s mission is to empower women living in rural areas of Guatemala by giving them jobs and, in turn, selling their products online. Perhaps the nicest part about how they’ve set up the eCommerce part of the site is that they give customers the option to pay with Amazon. Of course, that’s not to say that they don’t trust WooCommerce or their payment gateway; they’re simply giving customers a couple options in case any concerns about security remain.



And, of course, WooCommerce uses WordPress–specifically, their WooCommerce software–to process sales on their own website. Like Blue Star, they’ve chosen to use Stripe to power their payment gateway. They’ve also enclosed a note at checkout ensuring that customers are aware that payments are processed over their secure SSL connection.

Wrapping Up

Of course, a WordPress eCommerce site will only be as secure as you make it be. While the WordPress security team can work day and night to detect and patch security issues in the core, they can’t force you to keep plugins up-to-date or require all users to abide by better login practices.

If you’re not already doing so, keep our Ultimate WordPress Security Checklist on hand. Every website you build–eCommerce or otherwise–deserves to be properly secured against threats and this will be your guide in providing that defense for them.

Brenda Barron
Over to you: Have you experienced issues in the past trying to convince clients to use WordPress to build their eCommerce sites?