This week I had the opportunity to ride along with Patrick Rauland on Pantheon’s first WooCommerce webinar focused on best practices of building WooCommerce sites. We covered security, PCI compliance, optimization, and a QA checklist for developers. This post shares the highlights in case you missed it. If you want the full details, check out the recording.
WooThemes is a great case study in security for ecommerce. They were hacked in 2012 and again in 2014. They were transparent about the issue and worked to resolve it to the best of their ability, but they still ended up paying in lost customers, lost revenue, and regulatory fines. Don’t let this happen to you!
General Security Considerations
Plugin and Theme Vulnerabilities
- Only install items from trusted sources, such as WordPress.org and the WooCommerce marketplace.
- Keep your site up to date. This is important with all WordPress sites but even more so with WooCommerce.
- Delete unused plugins/themes, don't just deactivate them.
HTTPS
- First, HTTPS is not optional for ecommerce.
- Make sure you force HTTPS for every page. If you’re on Pantheon, this code snippet will force HTTPS on every page. Plugins such as Really Simple SSL and WordPress HTTPS (SSL) can also do this.
- If you don’t have HTTPS enabled on at least the WooCommerce checkout page, your customers won’t be able to check out—not ideal for sales growth.
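As an added illustration (not the snippet linked from the webinar), here is one way to force HTTPS from wp-config.php on Pantheon. It assumes the platform sets the PANTHEON_ENVIRONMENT variable and the X-Forwarded-Proto header on every request; on other hosts only trust that header if a proxy you control sets it.

```php
<?php
// Added example: force HTTPS on every page of a WordPress/WooCommerce site
// hosted on Pantheon, from wp-config.php. Assumes Pantheon sets
// PANTHEON_ENVIRONMENT and X-Forwarded-Proto (clients can spoof that header
// when no trusted proxy strips it, so only rely on it behind such a proxy).

if (isset($_ENV['PANTHEON_ENVIRONMENT']) && php_sapi_name() !== 'cli') {
    $proto = $_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '';

    if ($proto !== 'https') {
        // Permanent redirect to the same host and path over HTTPS.
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
        exit;
    }

    // TLS terminates at Pantheon's edge, so PHP itself sees plain HTTP.
    // Mark the request as secure so is_ssl() and secure cookies work.
    $_SERVER['HTTPS'] = 'on';

    // Ask browsers to keep using HTTPS for this host for one year (HSTS).
    header('Strict-Transport-Security: max-age=31536000');
}

// Always serve wp-admin and the login page over HTTPS.
define('FORCE_SSL_ADMIN', true);
```

Place this above the `require_once ABSPATH . 'wp-settings.php';` line so the redirect runs before WordPress loads.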
Virtual Private Network (VPN)
- VPNs route all of your internet traffic through a private network so that it can't be monitored by others on the network you're using.
- Make sure to use a VPN whenever you are on a public network, such as WiFi at a coffee shop or the airport.
Upload code securely
- Use SFTP (not plain FTP) or git with an SSH key.
- Do not reuse passwords. If someone cracks one site they will crack them all—don’t be that person!
- There are lots of great password generators to help you create and manage all your passwords. I use 1Password.
- Pro tip: use the "words" option of the password generator to get a secure passphrase.
Ecommerce Specific Security
- PCI is designed to protect consumer credit card data.
- If you have an ecommerce store that isn’t PCI compliant you might skate by for a while, but you will eventually be caught and fined, potentially heavily.
- The good news: Most stores never even see credit card numbers. They go directly to the processors, like Stripe or Braintree. If this is how your store is operating, you only need to adhere to the lowest level of PCI compliance.
- This only requires you to fill out a short self-assessment questionnaire.
- Pro tip: Use recommended gateways on WooCommerce.com.
- It is best practice to have at least two payment gateways enabled on your site. For example, use Stripe for credit cards and PayPal for direct payments.
If you can improve the speed of your website by just one second you can see a 7% increase in transactions. Speed matters on the web, and even more so in ecommerce!
- Most ecommerce stores think of making more money in terms of getting more sales, not in terms of how something as simple as better performance could convert more of the traffic they already have.
- If your site takes more than two seconds to load, you need to be thinking about optimization improvements. I can guarantee you are disappointing your visitors.
- If you’d like to know exactly how fast your site is loading, we recommend using tools such as Pingdom and Google Lighthouse.
- Our guide on how to improve your speed test score walks you through ways to get a faster site by leveraging Pantheon’s Global CDN along with other recommendations.
- New Relic APM Pro can also help you find out where to spend your time on optimizations.
- Images are important in ecommerce but can also slow your site down. These recommendations will help ensure your pictures are loading fast.
- Compress PNG & JPEG images before uploading them to your site. There are plugins that will do this for you on upload if you don’t want to manage it all yourself.
- Make sure your photos are being delivered over a Content Delivery Network (CDN). Pantheon has one built in.
- Enable lazy loading. This means your site will only make requests to load images from the server as a user scrolls to reach that image.
- Your site needs to be running on at least PHP 7, which is the default on Pantheon.
- WooCommerce recommends PHP 7.2, which you can enable via pantheon.yml.
Additional Performance Optimizations
- The Disable Cart Fragments plugin can help speed up your site on pages where a shopping cart isn’t necessary.
- Object caching via Redis on Pantheon will also help with your site speed.
WooCommerce QA Checklists
QA is important when launching a new site or deploying changes. Like everything else I’ve gone over, it is even more important with ecommerce. We reviewed a full pre- and post-launch checklist for WooCommerce sites in the webinar. You can find them in the full recording to help you avoid forgetting something important.
This should get you going on the basics of building your ecommerce website with WooCommerce. For more help, please attend our office hours, and look out for more WooCommerce webinars and content throughout the summer!
P.S. Check out WooSesh, a free online WooCommerce conference, on October 18th and 19th.