Why Not WooCommerce?

Why Not WooCommerce?Next to Shopify, WooCommerce is the cart that we get the most questions about.  Many store owners start out with a simple WordPress site, and when it comes time to get into E-Commerce, adding WooCommerce looks like a simple solution.  Just click a button and it is installed, and hey, it’s FREE!  Sounds too good to be true doesn’t it? Well, it is and here’s why.


WordPress is the most hacked platform on the planet, mainly because it is one of the most popular platforms on the planet.  Even a lousy hacker knows exactly how the login system works in WordPress, and how to exploit known security holes in the platform.   All it takes is one missed upgrade or one insecure password and a hacker has full control over your entire site, as WooCommerce resides in the same database.  The more add-ons you have in WordPress and WooCommerce, the more potential security holes you have.  Hosting also plays into this, which I’ll cover more below.

The big problem with a hacked e-commerce site is that  you most likely won’t know you have been hacked until your customers start calling and complaining that their credit cards have been stolen.  A hacker typically installs some malicious code that cc’s them on all credit card transactions, and then collects credit cards for weeks or even months.  When they have a nice collection of cards, they either sell them on the dark web, or start racking up charges themselves.  By the time you are aware that there is a problem, it is way too late.

PCI Compliance

One of the ways the credit card companies protect both themselves and their customers from hackers is by requiring that e-commerce sites be PCI Compliant.  Essentially this means that you are operating your site according to a strict set of guidelines, from how the server is configured to how the cart itself is built.  Since WooCommerce is a self-hosted cart as opposed to an SaaS cart like Shopify, it falls into the scope of PA-DSS compliance, the strictest component of the PCI Compliance guidelines.  To save some time, I’m not going to explain all of the ins and outs of PA-DSS compliance, but you can read more about it in our article here.

The problem with WooCommerce is that the core software is NOT PA-DSS compliant. This means that you can not collect credit card data ON your site in Woo, at least not without risking heavy fines (up to $50k) and penalties if you are hacked.  There are of course workarounds – you can send the customer off-site to pay (never a good choice), or you can use one of the PA-DSS compliant gateways like Braintree or Stripe.  If you want to use a gateway of your choice like Authorize.net or PayPal Pro, you are out of luck.


For those of you who have worked with WordPress before, you know one of the biggest headaches is keeping the site and various plugins up to date.  With each upgrade of WordPress you run the risk of crashing your entire site if the various plugins you have installed aren’t also upgraded by their respective developers.  I can’t tell you how many times I have run into conflicts and have had to manually disable the plugin directly in the database.  When you add WooCommerce, you are adding yet another level of complexity, and that isn’t even counting the numerous plugins you need for WooCommerce!  As you can see, this requires quite a bit of your time each month to ensure that your site is up to date and everything plays nice together.


Unlike carts like Shopify and Spark Pay, the hosting isn’t included with WooCommerce.  You need to pick your own hosting account, and with that comes quite a bit of responsibility.  First, you have to ensure that the host you choose is PCI-Compliant.  Are they running the correct version of PHP?  Is the firewall configured properly?  Is SSH access disabled?  Is the core software being updated regularly?  Will it pass quarterly PCI-Compliance scans?

Next, what happens if the server crashes?  Do they have an automated backup system? 24/7 support?

Maintaining you own hosting account is yet another thing that an e-commerce store owner shouldn’t have to deal with, as it just takes time away from what really matters, selling your products!


Let’s face it, E-Commerce is not a simple business, and problems happen.  Do you really want to rely on a company that only provides support through a ticket system that ‘may respond in 24 hours’?  You get what you pay for here for sure.  You need 24/7 support if you are in the e-commerce business.


You’ll notice that I didn’t talk about the actual features and functions of the cart at all.  That’s because out of the box, WooCommerce is just a basic shopping cart.  It does some things better than other carts, and some things worse than other carts.  Some functionality is built-in, some will require third party add-ons to get it to do what you need.   The reason so many people use WooCommerce is because it is free, and because it can be installed in a WordPress site with the click of a button.  But that is also the biggest reason NOT to use WooCommerce.  It would be like building your high end boutique on the bad side of town.  Sure it is cheap, but you run the risk every day of someone walking in and stealing all of your stuff.  Yes there are police available, but they might not show up for 24 hours.

WooCommerce is a great cart if you have a dedicated developer on staff to set it up and maintain it for you, but it just isn’t worth the headache if you plan on running it yourself.