Is WordPress Safe For E-Commerce?

I've never built an e-commerce site using WordPress, but today one of my clients required an online store for his business, so I did my research and found some negative points regarding using WordPress as an e-commerce solution, especially safety issues! The question is: is WordPress secure for online transactions?

During my research I found that the core WordPress files are to some extent safe and that the threat may come from four issues:

1) Used Plugins
2) Used Theme
3) Hosting
4) Database

So it is essential to use premium plugins such as "WPMU Plugins", for example the MarketPress plugin, and I can find good themes here also. So what remains is hosting and the database! What hosting do you recommend, and how can I make WordPress data more secure? Also I'm wondering how customers' data can be hacked in case I'm using gateways like authorize.net, since all transactions occur there, not on the actual WordPress site.

I know there are special scripts for e-commerce like Magento, Shopify and so on, but I'm not familiar with them; for that reason I prefer WordPress. Also the look and usability in WordPress is better.

Finally, any recommendations for safe plugins, tweaks and tips?

Thank you,

  • Fullworks
    • The Bug Hunter

    The biggest risk is brute force attacks on weak passwords. This applies to all systems, but WordPress is a big target as there are so many sites and the login page is well known.

    This allows people to write scripts that find sites and try to guess passwords.

    There are two basic things you can do.

    Never use user names like admin, and always use strong passwords.
    http://strongpasswordgenerator.com/

    Secondly, install a plugin like Wordfence (there are others) that blocks IPs after a few failed attempts.

    We get brute force attacks on WordPress login passwords at least 10 times a day.
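The lockout Fullworks describes (block an IP after a few failed logins) can be seen in miniature in the following added example. It is written for this page and is not Wordfence or any plugin from this thread; it assumes only the real WordPress hooks `wp_login_failed`, `authenticate` and `wp_login`, and the thresholds (5 failures, 15 minutes) are illustrative.

```php
<?php
/*
Plugin Name: Example Login Lockout
Description: Added example (not Wordfence): block logins from an IP after repeated failures.
*/

// Illustrative thresholds; tune them for your own site.
define( 'EXAMPLE_LOCKOUT_MAX_FAILS', 5 );
define( 'EXAMPLE_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS ); // failure window and lockout length

function example_lockout_client_ip() {
    // REMOTE_ADDR cannot be forged by the client; only trust proxy headers if your host sets them.
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '0.0.0.0';
}

function example_lockout_key( $ip ) {
    return 'example_lockout_' . md5( $ip );
}

// Count failed logins per IP in a transient that expires after the window.
// Attempts made while locked out also count, so the window keeps sliding.
function example_lockout_record_failure( $username ) {
    $key   = example_lockout_key( example_lockout_client_ip() );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, EXAMPLE_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

// Refuse authentication from a locked-out IP before the password is even checked.
function example_lockout_check( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // plain page load of wp-login.php, nothing to check
    }
    $fails = (int) get_transient( example_lockout_key( example_lockout_client_ip() ) );
    if ( $fails >= EXAMPLE_LOCKOUT_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
// Priority 30 runs after WordPress' own username/password check (priority 20).
add_filter( 'authenticate', 'example_lockout_check', 30, 3 );

// Clear the counter on a successful login so a legitimate user is not penalised later.
function example_lockout_clear( $user_login, $user ) {
    delete_transient( example_lockout_key( example_lockout_client_ip() ) );
}
add_action( 'wp_login', 'example_lockout_clear', 10, 2 );
```

Transients are used so the counters expire on their own and need no extra table. Keying on the source IP is the simplest approach and is what most lockout plugins do by default; a distributed attack across many IPs will still get through, which is why strong passwords remain the first line of defence.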

  • Vaughan
    • Support/SLS MockingJay

    hiya

    thanks for the post.

    As far as security is concerned, never be under the illusion that any website, software or anything else on the internet is 100% secure. Anyone who claims this knows nothing about security or is way too confident, & we know where over-confidence leads!

    Of course, there is secure & more secure, but ultimately it's never 100%.

    With regards to payments, most sites use 3rd party gateways for simplicity & the fact that they specialise in that; this also gives customer protection guarantees. The site owner never actually sees or stores any of the CC info, & never the CVV number.

    There's a whole bunch of regulations you need to go through if you are to be collecting and storing customers' credit card details on/in your own database, though this is unlikely in 98% of cases.

    But the biggest issue is people choosing easy passwords, then using the same passwords on their banking/PayPal/email accounts.

    You can't really protect from that without forcing them to use complex & long passwords (min length IMO should be at least 12 characters), & that's a minimum length.

    Just because some plugins are free & some are premium does not make them any more or any less secure than each other, but premium plugins do tend to have a good support & development cycle around them.

    Even dedicated e-commerce solutions such as Magento etc. get hacked. You can't really prevent it; you can only make it harder & more inconvenient, till someone comes along and figures out a new exploit. It might not even be the e-commerce or WordPress or plugins that get hacked; sometimes they hack the server itself, or someone else's site on the server, gain root access & bam.

    Security is a whole different kettle of fish where the internet is concerned, & much of the time it's the user's fault.

    hope this helps.

    thanks.

  • firas80
    • Site Builder, Child of Zeus

    Interesting replies, thank you ROIBOT and Vaughan.

    @ROIBOT doesn't Wordfence make the store slow?

    @Vaughan from what I can understand the issue is in users' login details; if transactions will be handled by a third-party gateway I guess no data will be stored in the site, but as you mentioned the threat comes if they use the same password as their banking/PayPal/email accounts. Isn't there a plugin to force clients to use strong passwords upon signing up?

    Also I have a question about SSL certificates: how can they help security?
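Vaughan's 12-character minimum and firas80's question about forcing strong passwords come together in the following added example. It is written for this page, not a plugin recommended in the thread; it assumes only the real WordPress hooks `user_profile_update_errors` and `validate_password_reset` (both of which expose the new password in the `pass1` form field) and a small illustrative blocklist of common passwords.

```php
<?php
/*
Plugin Name: Example Minimum Password Policy
Description: Added example: reject weak passwords wherever WordPress lets a user set one.
*/

define( 'EXAMPLE_PASSWORD_MIN_LENGTH', 12 ); // the minimum suggested above

// Returns a WP_Error explaining why the password is unacceptable, or null if it passes.
function example_password_policy_error( $password ) {
    // Count characters, not bytes, so multi-byte passphrases are measured fairly.
    $length = function_exists( 'mb_strlen' ) ? mb_strlen( $password ) : strlen( $password );
    if ( $length < EXAMPLE_PASSWORD_MIN_LENGTH ) {
        return new WP_Error(
            'password_too_short',
            sprintf( __( 'Passwords must be at least %d characters long.' ), EXAMPLE_PASSWORD_MIN_LENGTH )
        );
    }
    // Reject obviously weak choices regardless of length. Illustrative list only;
    // a production plugin would check against a large breached-password list.
    $blocked = array( 'password1234', 'administrator', 'qwertyuiop12' );
    if ( in_array( strtolower( $password ), $blocked, true ) ) {
        return new WP_Error(
            'password_too_common',
            __( 'That password is too common. Choose a longer passphrase.' )
        );
    }
    return null;
}

// The new password as submitted on the profile, new-user and reset-password forms.
function example_password_from_request() {
    return isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
}

// Profile edits and admin-created users: adding an error blocks the save.
function example_password_policy_profile( $errors, $update, $user ) {
    $password = example_password_from_request();
    if ( '' === $password ) {
        return; // no password change submitted
    }
    $problem = example_password_policy_error( $password );
    if ( $problem ) {
        $errors->add( $problem->get_error_code(), $problem->get_error_message() );
    }
}
add_action( 'user_profile_update_errors', 'example_password_policy_profile', 10, 3 );

// Forgot-password flow: same field, same policy, and an error aborts the reset.
function example_password_policy_reset( $errors, $user ) {
    $password = example_password_from_request();
    if ( '' === $password ) {
        return;
    }
    $problem = example_password_policy_error( $password );
    if ( $problem ) {
        $errors->add( $problem->get_error_code(), $problem->get_error_message() );
    }
}
add_action( 'validate_password_reset', 'example_password_policy_reset', 10, 2 );
```

Store plugins that provide their own customer registration form (MarketPress, WooCommerce and the like) submit the password through their own hooks rather than `pass1`, so the same `example_password_policy_error()` check would need to be attached to that plugin's registration filter as well; the policy function itself does not change.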
