WordPress is a powerful content management system with a wide range of capabilities, one of them being a simple way to build a full ecommerce site jam-packed with features. There are some concerns about security, however. Let’s go over a few simple things you can do to keep your WordPress ecommerce site secure.

Use a Highly-Rated Ecommerce Platform


The most important thing you can do is ensure you’re using a trusted ecommerce platform, commonly referred to as a “shopping cart plugin.” The most popular option is WooCommerce. This plugin has over 12.5 million downloads and powers about 30% of all online stores. Other reputable options include iThemes Exchange: Simple Ecommerce, Cart66 Lite and MarketPress – by WPMUdev.

There are numerous ecommerce platforms available for WordPress, but it’s best to go with a trusted platform as less-trusted platforms may contain security threats and vulnerabilities. You should also use a theme from a trusted source. WooThemes, the developer of WooCommerce, has many themes compatible with its own ecommerce plugin with Storefront, a free theme, being its most popular.

Divi by Elegant Themes is a popular site-building theme designed to be compatible with WooCommerce.

Get an SSL Certificate


Regular sites can get away with not having SSL certificates. They’re not collecting sensitive personal information, such as payment and billing information, but you are. That’s why you need to purchase an SSL certificate for your site to enable HTTPS. An SSL certificate encrypts sensitive data on your server.

Your hosting provider likely sells SSL certificates, so look to them first. We highly recommend hosting your site with SiteGround, Bluehost, HostGator or WP Engine, all of which offer SSL certificates. If your host does not provide SSL certificates, you’ll need to purchase one from a third-party seller, such as DigiCert or Namecheap. After you acquire an SSL certificate, you will need to ask your hosting provider to install it on the server that’s hosting your ecommerce site.

WooCommerce Force SSL

You’ll be good to go from that point on. Some plugins, such as WooCommerce, have SSL settings you may need to configure.

Use Secure Payment Gateways

WooCommerce Payment Gateways

This is an extra step you should take to ensure security on your site. Using payment gateways like PayPal, Stripe and Authorize.net negates the need for you to collect payment directly through your site, which means you won’t store sensitive credit card information when customers purchase something from your site.

These payment gateways handle every part of the payment process for you, which also adds efficiency when it comes to how payments are handled on your site. They’ll also make sure your shop is PCI-compliant, a law that requires credit card and other sensitive data to be protected.

Use a Secure Password

LastPast Password Generator

This is a general WordPress security tip, but it’s worth mentioning anyway. Use a secure password for your WordPress administrator account, especially if you’re still using the default “admin” username.

What qualifies as a secure password? Anything that isn’t too short or contains too many dictionary words. Consider using complex passwords for ecommerce sites. It won’t be easy to remember, but it’ll stump the password-cracking software hackers use.

If you need help generating a complex password, use LastPass’ password generator.

Create Regular Backups


You have tons of security and a great host, but that’s not enough. Sites can go down and databases can be wiped for a number of different reasons, so it’s highly recommended that you create backups in case something goes awry.

phpMyAdmin allows you you create backups of your WordPress database. If something goes wrong with your database, all you have to do is import this backup. To create a backup, all you need to do is download the program, log in and export your database. Save the backup file to your computer, and upload a copy of that file to a cloud storage provider’s server, such as Google Drive or Dropbox.

The computer file is known as an “on-site backup” while the cloud storage file is known as an “off-site backup.” If your computer’s storage drive fails, you’ll have the cloud storage file to refer to and vice versa. You should also consider saving a copy to a USB drive or portable hard drive. There’s a saying, albeit a lesser-known saying, in the tech world. It goes “if there aren’t three copies of a file, it doesn’t exist.”

You can also try using BackupBuddy for general WordPress backups. Never rely on your host to backup your site, even if they say they do. We have also written a complete step-by-step guide to backup WordPress.

Perform Regular Maintenance


You should also perform regular maintenance on your site. This includes making sure WordPress, your theme and your plugins are up to date. Most WordPress hacks are allowed to occur due to people failing to keep WordPress up to date.

You can also install a security plugin that limits login attempts, sets up a firewall for WordPress and scans for malware. Plugins like these include Wordfence Security and iThemes Security. If you have around $200 for a yearly license, consider upgrading to a premium security service, such as Sucuri.

Make sure you also have a caching plugin installed to keep your site running smooth. These plugins work like the caching applications you use for your computer or phone. They include WP Super Cache and W3 Total Cache.

Lastly, use a CDN service on your site. This creates proxy servers that redistribute the traffic your site receives across multiple servers. This limits DDoS attacks and increases site speed. We highly recommend using MaxCDN for your CDN needs. We use this service on this site to increase our site’s page speeds, and it’s even recommended by influencers around the web, such as Joost de Valk, creator of the Yoast SEO plugin, Jason Cohen, founder and CEO of WP Engine, and David Braun, CEO of TemplateMonster.

Final Thoughts

Keeping your customers safe should be your number one priority. Get an SSL certificate and allow a payment gateway, such as PayPal or Stripe, handle all transactions that occur on your site. Make sure to also keep your site free of malware!

2 thoughts on “How to Optimize Security for WordPress Ecommerce Sites”
  1. This is a great checklist of keeping your ecommerce website secure. It should be considered by everyone who owns a WordPress ecommerce website.

    Lately I found out that not only ecommerce sites are using SSL but also simple content websites where not payment is processed or confidential data stored. You have any idea why they are doing it?

Leave a Reply

Your email address will not be published. Required fields are marked *