Why Not WooCommerce?

Next to Shopify, WooCommerce is the cart that we get the most questions about.  Many store owners start out with a simple WordPress site, and when it comes time to get into E-Commerce, adding WooCommerce looks like a simple solution.  Just click a button and it is installed, and hey, it’s FREE!  Sounds too good to be true, doesn’t it? Well, it is, and here’s why.


WordPress is the most hacked platform on the planet, mainly because it is one of the most popular platforms on the planet.  Even a lousy hacker knows exactly how the login system works in WordPress, and how to exploit known security holes in the platform.   All it takes is one missed upgrade or one insecure password and a hacker has full control over your entire site, as WooCommerce resides in the same database.  The more add-ons you have in WordPress and WooCommerce, the more potential security holes you have.  Hosting also plays into this, which I’ll cover more below.

The big problem with a hacked e-commerce site is that you most likely won’t know you have been hacked until your customers start calling and complaining that their credit cards have been stolen.  A hacker typically installs some malicious code that cc’s them on all credit card transactions, and then collects credit cards for weeks or even months.  When they have a nice collection of cards, they either sell them on the dark web, or start racking up charges themselves.  By the time you are aware that there is a problem, it is way too late.

PCI Compliance

One of the ways the credit card companies protect both themselves and their customers from hackers is by requiring that e-commerce sites be PCI Compliant.  Essentially this means that you are operating your site according to a strict set of guidelines, from how the server is configured to how the cart itself is built.  Since WooCommerce is a self-hosted cart as opposed to a SaaS cart like Shopify, it falls into the scope of PA-DSS compliance, the strictest component of the PCI Compliance guidelines.  To save some time, I’m not going to explain all of the ins and outs of PA-DSS compliance, but you can read more about it in our article here.

The problem with WooCommerce is that the core software is NOT PA-DSS compliant. This means that you cannot collect credit card data ON your site in Woo, at least not without risking heavy fines (up to $50k) and penalties if you are hacked.  There are of course workarounds – you can send the customer off-site to pay (never a good choice), or you can use one of the PA-DSS compliant gateways like Braintree or Stripe.  If you want to use a gateway of your choice like Authorize.net or PayPal Pro, you are out of luck.


For those of you who have worked with WordPress before, you know one of the biggest headaches is keeping the site and various plugins up to date.  With each upgrade of WordPress you run the risk of crashing your entire site if the various plugins you have installed aren’t also upgraded by their respective developers.  I can’t tell you how many times I have run into conflicts and have had to manually disable the plugin directly in the database.  When you add WooCommerce, you are adding yet another level of complexity, and that isn’t even counting the numerous plugins you need for WooCommerce!  As you can see, this requires quite a bit of your time each month to ensure that your site is up to date and everything plays nice together.


Unlike carts like Shopify and Americommerce, the hosting isn’t included with WooCommerce.  You need to pick your own hosting account, and with that comes quite a bit of responsibility.  First, you have to ensure that the host you choose is PCI-Compliant.  Are they running the correct version of PHP?  Is the firewall configured properly?  Is SSH access disabled?  Is the core software being updated regularly?  Will it pass quarterly PCI-Compliance scans?

Next, what happens if the server crashes?  Do they have an automated backup system? 24/7 support?

Maintaining your own hosting account is yet another thing that an e-commerce store owner shouldn’t have to deal with, as it just takes time away from what really matters, selling your products!


Let’s face it, E-Commerce is not a simple business, and problems happen.  Do you really want to rely on a company that only provides support through a ticket system and ‘may respond in 24 hours’?  Yes, that’s what their web site actually says!  You get what you pay for here for sure.  You need 24/7 support if you are in the e-commerce business, and WooCommerce doesn’t provide it.

Hiring a Developer

If you run a WooCommerce store, you will need a developer.  There is just no way around it, as you WILL run into problems.  As much as I hate to say it, most web developers out there have no idea what they are doing.  Anyone with a computer and an internet connection can claim to be a web developer, so finding a good one is a job in itself.  This can be a painful process that many people would rather just avoid altogether.

Why Not WooCommerce?

WooCommerce is great if:

  • You have a full-time developer on staff (or are a developer yourself)
  • Your site is mostly content-driven but you offer a few things for sale
  • You have a very simple store that only handles a few sales a month
  • You only offer PayPal as a payment method

WooCommerce is NOT great if:

  • None of the above apply to you

While it may seem like a super-easy choice to start selling from your WordPress site, it is not an option I would recommend for most e-commerce store owners.

Questions?  Feel free to contact us!