After some recent questions, I considered building a video course on setting up and securing an online store with WordPress and WooCommerce.
But in those same conversations, I usually run into the same thing: for my small-business-owning friends, and bootstrapping “startups” with smaller budgets, I end up recommending an alternate approach. While self-hosted WordPress (plus WooCommerce for e-commerce) is a great option, the folks I’ve been talking to just don’t have the time, energy, or means to dedicate to the setup and maintenance that go into it.
What’s my “alternate” recommendation? Usually, if the aim of the site is to be an online store, and the person in question would be better off managing their business than their website, I will recommend a hosted platform like Shopify or SquareSpace.
Each time I’ve started to sit down and work on the longer course idea, I’ve been a bit put off by all the work that might go into it, when I’m just as likely to tell a person to spend 15 minutes looking into Shopify. Done. Sold. They don’t have to pay me to set things up, and they don’t have to spend time in the future making sure WordPress is secure, plugins are updated, and all the other maintenance that comes with that.
However, I am aware that some of you are in a different position.
Perhaps you fall into one of these groups:
If you fit into any of those categories, I wrote this for you.
I don’t want to leave you hanging! I’m just not ready to dedicate the resources to develop a full-blown course. I do want to help you out though, and what I can provide are my thought processes, some best-practices and tips, and questions that I would ask or consider if I were going to set up a WordPress + WooCommerce online store.
Firstly, this guide is still very much a work-in-progress. It’s mostly a “brain dump” of information and thought process, after a few conversations on the subject. If you find problems, missing info, or would like to contribute, please get in touch!
Here, I intend to give an overview of what you need to know, or have established, to open an e-commerce store with WordPress and WooCommerce.
Specifically, based on my experiences:
My hope is that looking over this guide will be extremely helpful. I hope it will guide you on topics to research, learn more about, or point out something you might not have considered.
This guide is primarily technical in nature. I’ve tried to limit the scope to be just what’s necessary to think through and check after you’ve made the decision to use WordPress and WooCommerce for building an online store.
This guide is not intended to be a comprehensive resource for starting a business online. I’m assuming you’ve already handled things like having a name, creating a logo, buying a domain name, etc. Things like branding, marketing, the creation of legal documents, etc, are outside the scope of this guide. This guide also leaves out WordPress-only specific configuration information, like setting up custom database names, serving WordPress from a sub-directory, and so forth. Those items and more are covered in many other “pre-launch” checklists, and generic WordPress security checklists.
This document is meant to ask and raise more questions than it answers! I welcome your feedback, suggestions, and questions! Please reach out.
Let’s get to it!
Having a duplicated version of your production WordPress environment will likely save you lots of headaches, worry, and potentially disaster itself in some cases. It’s the best way to test out major changes to site design, architecture, and major plugin updates or changes.
Setting up a staging environment depends a lot on your hosting setup. Managed services like WP Engine actually include staging sites as a feature. As of this writing, Pagely recommends using the “RAMP” plugin by Crowd Favorite.
Other methods of setting up and syncing a staging site usually involve using a backup plugin or service, and restoring that backup to an alternate location.
However you decide to do it, it’s worth it. Having a “sandbox” area to try potentially harmful things, without worrying about downtime, is a Good Thing.
You should offer secure connections to your website. In just the last couple of years it’s become increasingly common for any website, regardless of whether you’re taking people’s credit card or financial information. If you are getting anywhere near asking people for money online, you absolutely, positively should have a fully HTTPS-enabled website.
If you need help understanding or justifying the time and effort (not a lot these days!) to set it up, these might be handy:
Do you have SSH access? Does your site live somewhere you can run programs and generate your own certificates?
The easiest, probably most common, and free way to do this is to use Let’s Encrypt. You’ve probably heard of this. The exact setup will depend on your operating system and the web server software you are using to serve your site (usually Apache or Nginx).
I’d recommend starting with the official Certbot documentation first. From there, you select your web server software and operating system, and they give you specific, clear instructions. If something’s not quite right, there’s a lot of community activity around Let’s Encrypt, and tutorials are fairly common. You can get it knocked out yourself. I believe in you!
Alternatively, you could use a service like ServerPilot. They have a premium tier offering that will make setting up HTTPS with Let’s Encrypt certificates a matter of a few clicks, instead of a manual process. They also make sure your server is kept up to date with security updates, and have some other cool benefits you might be interested in.
If you are using a shared hosting setup (often the cheaper ~$7/month hosts) that offers cPanel, you’ll need to check with your specific host about how to enable HTTPS for your site.
Usually these premium/dedicated WordPress hosting services will offer HTTPS out of the box. Check your specific provider for details and pricing for turning on HTTPS for your domain(s).
Check that HTTPS is working before you spend a ton of time getting the site ready. You don’t want to be “ready for launch” and realize you have a gaping security vulnerability because HTTPS isn’t working correctly.
http://example.com/awesome-sauce/ should send a “301 Moved Permanently” redirect response to https://example.com/awesome-sauce/.
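A small checker for exactly that behaviour, added here as an example rather than code from the original post. It verifies that each http:// URL answers with a single 301 to its exact https:// twin (same host, path and query) and that the HTTPS response carries a Strict-Transport-Security header. The responses are constructed sample data keyed on example.com so the check runs offline; `live_fetch` is an assumed helper built on the standard-library urllib client that you would swap in to test your real domain.

```python
"""Verify http:// URLs redirect once, with 301, to their exact https:// twin,
and that the HTTPS response sends HSTS. Added example, not from the post."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses, keyed by URL -> (status code, headers).
# They stand in for a live server so the check runs offline.
SAMPLE_RESPONSES = {
    "http://example.com/awesome-sauce/": (301, {"Location": "https://example.com/awesome-sauce/"}),
    "https://example.com/awesome-sauce/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    # 302 instead of 301, and the HTTPS page lacks HSTS
    "http://example.com/checkout/": (302, {"Location": "https://example.com/checkout/"}),
    "https://example.com/checkout/": (200, {}),
    # redirects, but to another http:// host, so the first hop stays plaintext
    "http://example.com/blog/": (301, {"Location": "http://www.example.com/blog/"}),
}


def sample_fetch(url):
    """Offline stand-in for an HTTP client: returns (status, headers) from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (0, {}))


def live_fetch(url, timeout=10):
    """Fetch one URL with urllib WITHOUT following redirects; returns (status, headers).
    Assumed helper for checking a real site; not exercised by the offline demo."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # tell urllib not to follow the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx surface here
        return err.code, dict(err.headers.items())


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def https_twin(url):
    """The same URL with the scheme swapped to https and any fragment dropped."""
    parts = urlsplit(url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))


def check_http_to_https(url, fetch=sample_fetch):
    """Return the list of problems for one http:// URL; an empty list means it passed."""
    problems = []
    status, headers = fetch(url)
    location = header(headers, "Location")
    if status != 301:
        problems.append(f"expected 301 Moved Permanently, got {status}")
    if location != https_twin(url):
        problems.append(f"Location {location!r} is not the https twin {https_twin(url)!r}")
        return problems  # no point checking a hop that is not HTTPS
    final_status, final_headers = fetch(location)
    if final_status != 200:
        problems.append(f"https twin answered {final_status}, expected 200 (avoid redirect chains)")
    if not header(final_headers, "Strict-Transport-Security"):
        problems.append("no Strict-Transport-Security header on the HTTPS response")
    return problems


if __name__ == "__main__":
    for url in SAMPLE_RESPONSES:
        if url.startswith("http://"):
            print(url, check_http_to_https(url) or "OK")
```

Run it against your own store by calling `check_http_to_https("http://yourdomain/", fetch=live_fetch)` for the home page, a product page, the cart and the checkout; a 302, a redirect chain, or a hop that lands on another http:// host are the usual ways an HTTPS setup looks finished but is not.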
Before going too far, check the WooCommerce System Status Report. It’ll let you know if something isn’t installed correctly, or your system requirements aren’t ideal for running a store for some reason.
WooCommerce has a 5-minute video of the important things to see in this report. The report screen itself contains a lot, but there are a handful of things you can check to quickly verify things are in working order. I recommend watching the video, because it covers those quickly and visually.
This should give you some clear clues on if anything is wrong, before you continue into more technical things.
Spam is a really big deal, and all of the biggest email providers are constantly and aggressively finding new ways to stop as much of it as possible. You can’t just send email from your own little bedroom mail server and expect your “deliverability” rates to be good. Often, emails will land in spam folders, or never make it to the recipient at all.
The email industry has come up with standards for verifying and authenticating which servers are allowed to send email for a given domain name. Spam protection also watches how often you send, how much, and what the content of your emails looks like.
Stick with the full-stack/full-service offerings, unless you’re very technically savvy, and up for a challenge.
Services like MailChimp, SendGrid, etc, work hard to maintain white-listed status with large email providers, and can provide excellent support for getting your email authentication set up correctly, and verified to send email.
How other email servers know your email server is allowed to send mail on your behalf.
You need to set up at least SPF & DKIM.
MailChimp has a good breakdown of what/why for the different types of email authentication.
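To make the SPF and DKIM requirement concrete, here is an added example (not code from the post or from any of the services named) that sanity-checks the two DNS TXT records a sending domain publishes. It looks for exactly one `v=spf1` record, a `-all` or `~all` terminator, an `include:` for each service that sends mail for you, and no more than the ten DNS-lookup terms receivers will evaluate; for DKIM it checks that the `p=` tag at `selector._domainkey.domain` is non-empty base64 and that the `t=y` testing flag is not left on. The records, the `_spf.esp-one.example` include names and the selector `k1` are constructed placeholders; a real check would fetch the TXT records with a DNS client first.

```python
"""Sanity-check the SPF and DKIM TXT records a store's sending domain publishes.
Added example; every record and name below is constructed, not a real domain's."""
import base64

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 caps them at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-in for a DNS lookup of the two records that matter here.
PLACEHOLDER_KEY = base64.b64encode(b"constructed placeholder, not a real public key").decode()
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.esp-one.example include:_spf.esp-two.example -all"],
    "k1._domainkey.example.com": [f"v=DKIM1; k=rsa; p={PLACEHOLDER_KEY}"],
}


def spf_term_name(term):
    """'include:x' -> 'include', '+mx/24' -> 'mx', 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        body = body.split(sep, 1)[0]
    return body.lower()


def check_spf(txt_records, required_includes=()):
    """Problems with a domain's SPF record; an empty list means it looks sane."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # two SPF records is a permanent error for receivers
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    problems = []
    lookups = sum(1 for t in terms if spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} lookup terms; receivers stop evaluating after 10")
    last = terms[-1].lower() if terms else ""
    if last not in ("-all", "~all"):
        problems.append(f"record should end with -all or ~all, ends with {last!r}")
    present = {t.lstrip("+").lower() for t in terms}
    for domain in required_includes:
        if f"include:{domain.lower()}" not in present:
            problems.append(f"missing include:{domain} for a service that sends your mail")
    return problems


def parse_dkim(record):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_dkim(txt_records):
    """Problems with the TXT record published at <selector>._domainkey.<domain>."""
    candidates = [t for t in (parse_dkim(r) for r in txt_records) if "p" in t]
    if len(candidates) != 1:
        return [f"expected exactly one DKIM record (with a p= tag), found {len(candidates)}"]
    tags = candidates[0]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    key = tags["p"].replace(" ", "")  # long keys are often split across TXT chunks
    if not key:
        problems.append("empty p= tag: this selector is revoked and signs nothing")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= tag is not valid base64 (often a copy/paste or record-splitting error)")
    if "y" in tags.get("t", ""):
        problems.append("t=y testing flag set; receivers may ignore the signature")
    return problems


if __name__ == "__main__":
    print("SPF :", check_spf(SAMPLE_TXT["example.com"], ["_spf.esp-two.example"]) or "OK")
    print("DKIM:", check_dkim(SAMPLE_TXT["k1._domainkey.example.com"]) or "OK")
```

The lookup-count check is the one people most often miss: each `include:` pulls in that provider's own includes, so a record that lists several email services can quietly exceed the limit and fail at the receiving end even though every individual entry is correct.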
A default WordPress + WooCommerce install sends a variety of email. Covering each email, their templates, and things to consider is enough for a guide of its own. Here are some questions you should familiarize yourself with, and some helpful links.
There are usually a ton of email templates and things to consider. Some are default WordPress emails (like New User notifications and Password Resets) and some are from WooCommerce (Order confirmations). You need to make sure you’re familiar with the emails that your system sends, and that the copy and tone in them is as expected.
Out of the box, WooCommerce has a few “core shipping options” you can set up, including:
Other options are available as plugins, from WooCommerce directly, or even from third parties. For some shops, the built-in methods may cover all the bases just fine. If you want more fine grained control over shipping, or real-time shipping calculations from UPS, FedEx, etc., then you may need to pay for a premium plugin to add that functionality.
WooCommerce can also handle Digital/downloadable items, like software, music, and ebooks. You can also create digital variations of a single product, under the same SKU — e.g., you might sell a physical book, with a digital ebook variation, instead of entering them as two entirely separate products. WooCommerce has a good blog post of tips for selling digital items.
Out of the box, there are a handful of “Core Payment Options” (payment methods) that you can set WooCommerce to use. As of this writing they include two online methods: PayPal Standard, and Stripe, for accepting credit card payments online.
With almost any online payment processor, there’s usually a concept of “testing/integration” and then “production/live” usage. You want to set up your staging site with your sandbox/testing credentials, and your live site should use your production/live credentials.
In either case (or even others, if you choose):
You need a backup, and a plan for restoring that backup. There’s a phrase I’ve heard before that says…
“The only valid backup is the last one you tested”.
I think it’s fair to say that you also need to have walked through the backup-restore process at least once, so that you’re familiar with it. Because what if your backup isn’t valid?
The minimum bar for a reliable service is not that you have done a backup, but that you have done a restore.
– Joel Spolsky
If you’re using the “alternate-restore-location” method for creating your staging site (you have a staging site, right?), then you may already be familiar with the process. Otherwise, it’s a good practice to be familiar with exactly what you’d do, if you needed to restore your site from a backup.
There are a lot of solutions for this. I’ve used and recommend one of the following popular backup plugins or services. The important thing is to choose one, and be familiar with making backups and restoring them.
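Whichever plugin or service you pick, the point of the quotes above is that a backup you have never restored proves nothing. The following is an added example, not code from the post or from any backup plugin, of a restore rehearsal: it archives a site directory, restores the archive to a scratch location, refuses archive members that would write outside that location, and compares SHA-256 digests of every file in both trees. The "site" it operates on is a constructed stand-in (a few placeholder files plus a `db/wordpress.sql` placeholder); producing the real database dump, with `mysqldump` or your plugin, is assumed to happen before the archive step.

```python
"""Rehearse a backup + restore and verify the restored files match the
originals byte for byte. Added example, not code from the original post."""
import hashlib
import os
import tarfile
import tempfile


def digest_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def backup_tree(src_dir, archive_path):
    """Write src_dir (files plus whatever DB dump you placed in it) to a .tar.gz."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return archive_path


def restore_tree(archive_path, dest_dir):
    """Extract the archive into dest_dir, rejecting members that escape it."""
    dest = os.path.realpath(dest_dir)
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        safe = []
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, member.name))
            # '../' paths and links are how a crafted archive writes outside dest
            if os.path.commonpath([dest, target]) != dest or member.issym() or member.islnk():
                raise ValueError(f"refusing unsafe archive member {member.name!r}")
            safe.append(member)
        tar.extractall(dest, members=safe)
    return dest


def verify_restore(src_dir, dest_dir):
    """Sorted relative paths that differ or are missing between the two trees."""
    a, b = digest_tree(src_dir), digest_tree(dest_dir)
    return sorted(p for p in set(a) | set(b) if a.get(p) != b.get(p))


def rehearse_restore(src_dir):
    """Back up src_dir, restore it somewhere else, and return the mismatch list."""
    with tempfile.TemporaryDirectory() as scratch:
        archive = backup_tree(src_dir, os.path.join(scratch, "site-backup.tar.gz"))
        restored = restore_tree(archive, os.path.join(scratch, "restored"))
        return verify_restore(src_dir, restored)


def make_sample_site(root):
    """Constructed stand-in for a site's files and a DB dump (not a real install)."""
    files = {
        "wp-config.php": "<?php // constructed placeholder\n",
        "wp-content/uploads/2024/product.jpg": "not-really-a-jpeg",
        "wp-content/plugins/woocommerce/woocommerce.php": "<?php // placeholder\n",
        "db/wordpress.sql": "-- constructed dump placeholder, not real data\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


def demo():
    """Clean rehearsal, then a deliberately altered copy, to show both outcomes.
    Returns (mismatches after a clean restore, mismatches after tampering)."""
    with tempfile.TemporaryDirectory() as site:
        clean = rehearse_restore(make_sample_site(site))
    with tempfile.TemporaryDirectory() as original, tempfile.TemporaryDirectory() as copy:
        make_sample_site(original)
        make_sample_site(copy)
        with open(os.path.join(copy, "wp-config.php"), "w") as fh:
            fh.write("<?php // edited after the backup was taken\n")
        tampered = verify_restore(original, copy)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", "verified" if not clean else clean)
    print("tampered copy:", tampered)
```

Point `rehearse_restore` at a copy of your real site directory (with the fresh database dump inside it) and schedule it alongside the backup itself; an empty mismatch list is what "tested" means in the quote above, and a non-empty one tells you exactly which files the restore would have lost.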
WooCommerce has a Server Recommendations page, with some very brief guidelines on what to look for.
WordPress and WooCommerce official sites mention several hosting providers as adequate, including Bluehost and DreamHost. There’s also managed hosting like WP Engine, Pagely, Flywheel, and others. It’s hard to make a sweeping recommendation on which to use, because it depends on so many factors.
I’ve run successful websites on the cheapest DigitalOcean machine ($5/month at the time of writing), that do just fine for the traffic and customers they get. Without knowing more about your specific situation, the least you should do is be familiar with your backup and restore plan (in case you need to move your site to a beefier service), and ask your current host about your options, should you find yourself more popular than you intended. I’d venture to say that you’re more likely to run into client-side performance issues related to your choice of Theme than server-side limitations. (If you do, you’re probably doing quite well!)
You may have already settled on a Theme, or developed one of your own. Here are some of my thoughts on the process, and things to keep in mind.
There is a lot of ground to cover for a section with this title, and this almost entirely relies on the Theme you choose. Here are a few things that come to mind:
After you’ve settled on a theme:
Check all of the above with services like:
I am pretty sure the intro to this guide says that we don’t go into legal documents and business things, but there are some things that are very important and worth bringing up. Here are some thoughts and questions about the site, in general:
Unless you’re on a managed WordPress host, you’re probably going to be running one of the popular WordPress caching plugins. Managed platforms sometimes don’t allow caching plugins, because they tend to come with their own specialized caching mechanisms.
How do you know if your website is down? What if it’s not down, but users are experiencing higher-than-normal load times? You should have at least one method of being automatically notified about these situations. Some of these tools offer free tiers, which can be “enough” if you’re just starting a small shop:
Note: A few of the links in this document may be "affiliate links", where I may receive discounts or payments if you use them to purchase a given product or service. That said, every word and link in this document is genuine and nothing is included purely for its ability to earn income, etc.