Setting up an online e-commerce store with WordPress and WooCommerce
After some recent questions, I considered building a video course on setting up and securing an online store with WordPress and WooCommerce.
But in those same conversations, I usually run into the same thing: for my small-business-owning friends, and bootstrapping “startups” with smaller budgets, I usually end up recommending an alternate approach. While a self-hosted WordPress (+ WooCommerce for e-commerce stuff) is a great option, the folks I’ve been talking to just don’t have the time, energy, or means to dedicate to the maintenance and setup that goes into that.
What's my "alternate" recommendation? Usually, if the aim of the site is to be an online store, and the person in question would be better off managing their business than their website, I will recommend a hosted platform like Shopify or SquareSpace.
Each time I’ve started to sit down and work on the longer course idea, I’ve been a bit put off by all the work that might go into it, when I’m just as likely to tell a person to spend 15 minutes looking into Shopify. Done. Sold. They don’t have to pay me to set things up, and they don’t have to spend time in the future making sure WordPress is secure, plugins are updated, and all the other maintenance that comes with that.
However, I am aware that some of you are in a different position.
Is this for you?
Perhaps you fall into one of these groups:
- You already have an established WordPress-based site that you want to add a store to.
- You are familiar with WordPress and/or WooCommerce, and just need to fill in some gaps or learn some best practices.
- You are a bit “geeky”; you want to have more control, or to learn more about the inner workings of the software itself. (The open-source ecosystem around WordPress is great for this!)
- You desire the fine-grained control that self-hosted WordPress provides, and you know the costs involved.
- You just want to learn more about the nitty-gritty details about running a self-hosted WordPress + WooCommerce store.
If you fit into any of those categories, I wrote this for you.
I don’t want to leave you hanging! I’m just not ready to dedicate the resources to develop a full-blown course. I do want to help you out though, and what I can provide are my thought processes, some best-practices and tips, and questions that I would ask or consider if I were going to set up a WordPress + WooCommerce online store.
What’s in this “guide”?
Firstly, this guide is still very much a work-in-progress. It’s mostly a “brain dump” of information and thought process, after a few conversations on the subject. If you find problems, missing info, or would like to contribute, please get in touch!
Here, I intend to give an overview of what you need to know, or have established, to open an e-commerce store with WordPress and WooCommerce.
Specifically, based on my experiences:
- Things to consider and prepare for
- Questions that will come up, and that need answers
- Some potential headaches
- Commonly overlooked items, specifically geared at selling online
My hope is that looking over this guide will be extremely helpful. I hope it will guide you on topics to research, learn more about, or point out something you might not have considered.
This guide is primarily technical in nature. I've tried to limit the scope to just what's necessary to think through and check after you've made the decision to use WordPress and WooCommerce for building an online store.
This guide is not intended to be a comprehensive resource for starting a business online. I'm assuming you've already handled things like having a name, creating a logo, buying a domain name, etc. Things like branding, marketing, the creation of legal documents, etc., are outside the scope of this guide. This guide also leaves out WordPress-only configuration information, like setting up custom database names, serving WordPress from a sub-directory, and so forth. Those items and more are covered in many other "pre-launch" checklists, and generic WordPress security checklists.
This document is meant to ask and raise more questions than it answers! I welcome your feedback, suggestions, and questions! Please reach out.
Let's get to it!
Table o’ Contents!
- Have a Staging site
- Set up HTTPS
- HTTPS is a big deal
- How to set up HTTPS: It depends
- Is your site hosted on a dedicated server, like DigitalOcean, Linode, etc?
- In a shared hosting environment, like Dreamhost, HostGator, BlueHost?
- Using a managed WordPress-specific platform like WPEngine, Pagely, or Flywheel?
- Things To Check
- Confirm WooCommerce is installed correctly: Check the WooCommerce System Status Report
- Core Shipping Methods and Details
- Payment Methods
- Learn how to backup WordPress site, and how to restore backups in case of emergencies
- Server and Client-Side Performance / Website Speed
- Important Pages and Info
- Caching
- CDNs and Static Assets
- Monitoring
- Other great resources
Have a Staging site
Having a duplicated version of your production WordPress environment will likely save you lots of headaches, worry, and potentially disaster itself in some cases. It's the best way to test out major changes to site design, architecture, and major plugin updates or changes.
Setting up a staging environment depends a lot on your hosting setup. Managed services like WP Engine actually include staging sites as a feature. As of this writing, Pagely recommends using the "RAMP" plugin by Crowd Favorite.
Other methods of setting up and syncing a staging site usually involve using a backup plugin or service, and restoring that backup to an alternate location.
- Using VaultPress + restoring to the "alternate connection"
- The BackupBuddy plugin from iThemes
- Using the Duplicator plugin, and restoring to an alternate environment
However you decide to do it, it's worth it. Having a "sandbox" area to try potentially harmful things, without worrying about downtime, is a Good Thing.
Set up HTTPS
You should offer secure connections to your website. In just the last couple of years it's become increasingly common for any website, regardless of whether you're taking people's credit card or financial information. If you are getting anywhere near asking people for money online you absolutely, positively should have a fully HTTPS-enabled website.
HTTPS is a big deal
If you need help understanding or justifying the time and effort (not a lot these days!) to set it up, these might be handy:
- If you're not entirely sure about HTTPS and why it's important, Google has a great guide in their Web Fundamentals reference about Why HTTPS Matters. This is a great resource for learning a little bit more about why, and some of the added benefits beyond "it makes things secure".
- You can also check out the US Government's document on why they adopted an HTTPS-Only standard for their sites.
- Every plain HTTP request is unencrypted. This means every request can potentially reveal information about your users (and can be modified in transit) by anyone "snooping" on the path between them and your server.
- The decision of what should or shouldn’t be private or protected information shouldn’t fall on you.
- HTTPS protects the security and privacy of your users.
- HTTPS is now so standardized that Google search ranking results are partially scored based on its presence.
How to set up HTTPS: It depends
Is your site hosted on a dedicated server, like DigitalOcean, Linode, etc?
Do you have SSH access? Does your site live somewhere you can run programs and generate your own certificates?
The easiest, probably most common, and free way to do this is to use Let’s Encrypt. You’ve probably heard of this. The exact setup will depend on your operating system and the web server software you are using to serve your site (usually Apache or Nginx).
I’d recommend starting with the official Certbot documentation first. From there, you select your web server software and operating system, and they give you specific, clear instructions. If somethingâs not quite right, there’s a lot of community activity around Let’s Encrypt, and tutorials are fairly common. You can get it knocked out yourself. I believe in you!
Alternatively, you could use a service like ServerPilot. They have a premium tier offering that will make setting up HTTPS with Letâs Encrypt certificates a matter of a few clicks, instead of a manual process. They also make sure your server is kept up to date with security updates, and have some other cool benefits you might be interested in.
Alternatives to ServerPilot that I haven’t yet tried: Cloudways, and Moss.sh.
In a shared hosting environment, like Dreamhost, HostGator, BlueHost?
If you are using a shared hosting setup (often the cheaper ~$7/month hosts that offer cPanel), you'll need to check with your specific host about how to enable HTTPS for your site.
- Hit up the relevant support team, and find out how to set up HTTPS.
- Caveat: I don't usually recommend hosting any e-commerce sites in a shared hosting environment. There are enough potential pitfalls and headaches that it's usually well worth the price difference to move up to something managed, or something dedicated.
- What is their uptime like? Is there any promise or “SLA” against downtime?
- How is their live support?
- How are you supported in case of outages, maintenance, etc?
Using a managed WordPress-specific platform like WPEngine, Pagely, or Flywheel?
Usually these premium/dedicated WordPress hosting services will offer HTTPS out of the box. Check your specific provider for details and pricing for turning on HTTPS for your domain(s).
- Free and paid types of HTTPS certificates are available at WPEngine
- Flywheel includes "free SSL with every site".
- SSL setup info for Pagely
Things To Check
Check that HTTPS is working before you spend a ton of time getting the site ready. You don’t want to be “ready for launch” and realize you have a gaping security vulnerability because HTTPS isn’t working correctly.
- Use a tool like the Qualys SSL Server Test to verify your HTTPS configuration is set up correctly, and using only secure algorithms
- Make sure the site is redirecting any HTTP request to the same page over HTTPS, not just to the home page. For example, requesting http://example.com/awesome-sauce/ should get a "301 Moved Permanently" response whose Location header is https://example.com/awesome-sauce/ (same host, path and query string, only the scheme changes).
- This ensures that users can’t accidentally link to or visit an insecure version of your website.
- This may also earn you some SEO points, since Google considers HTTPS a ranking factor.
- If you don't configure this at the server level, there are also WordPress plugins that can help serve your site "https only". It's better to catch it at the server level though, especially if you're employing heavy caching, since a cached page can otherwise be served before WordPress gets a chance to redirect. (Hosted services like WPEngine will usually have an option to handle this for you.)
- Are you self-hosting, using Let's Encrypt, or otherwise have to manually renew your HTTPS certificates? Here's a couple of things I learned the hard way...
- Know when your certificates expire!
- You can see your certificate expiration date via browser dev tools.
- Set a reminder to renew them.
- If you set up some kind of auto-renew feature, it may still be wise to set a reminder to check them at least a week out. If your auto-renew fails, you need to notice before your customers do!
- Let's Encrypt has been good about sending a renewal notice email 20 days before your certificate expires, another at 10 days and 1 day before. Don't rely on those emails alone, though; check the expiry date yourself, ideally from an automated monitor.
- TIP: After renewing your certificates, make sure your fresh certificate is actually being served! A renewed certificate on disk does nothing until the web server reloads it, so this usually means reloading or restarting your web server service and then checking the expiry date the server now presents. I've forgotten this verification step before and got an interesting call from a client whose site was suddenly displaying warnings in the browser because the certificate that the server was sending was expired.
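The two checks above (path-preserving redirect, and the certificate the server is really serving) are easy to script so you can run them before launch and after every renewal. The script below is an added example, not code from the original guide; it uses only the Python standard library. The hostname `example.com` and the path `/awesome-sauce/` in the `__main__` section are placeholders from the text, not a real site.

```python
"""Pre-launch HTTPS checks: HTTP -> HTTPS redirect that keeps the path, and
days left on the certificate actually presented by the server."""
import http.client
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

PERMANENT_REDIRECTS = {301, 308}  # 302/307 are temporary; browsers and crawlers treat them differently


def check_redirect(status, headers, requested_url):
    """Validate one HTTP response against the rule in the guide.

    status: integer status code; headers: dict of response headers (any case);
    requested_url: the http:// URL that was requested. Returns (ok, reason).
    """
    if status not in PERMANENT_REDIRECTS:
        return False, f"expected 301/308, got {status}"
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return False, "redirect without a Location header"
    want, got = urlsplit(requested_url), urlsplit(location)
    if got.scheme != "https":
        return False, f"Location is not https: {location}"
    if got.hostname != want.hostname:
        return False, f"host changed: {want.hostname} -> {got.hostname}"
    if (got.path or "/") != (want.path or "/") or got.query != want.query:
        return False, f"path/query not preserved: {requested_url} -> {location}"
    return True, "ok"


def probe_redirect(url, timeout=10):
    """Live check: request `url` over plain HTTP *without* following redirects,
    so we see exactly what the server answers, not where we eventually land."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return check_redirect(resp.status, dict(resp.getheaders()), url)
    finally:
        conn.close()


def cert_days_left(not_after, now=None):
    """Days until expiry for a notAfter string in the format ssl.getpeercert()
    and `openssl x509 -enddate` use, e.g. 'Jan  1 00:00:00 2030 GMT'.
    `now` may be an aware datetime or an ISO date string (for reproducible runs).
    Negative means already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return (expires - now).days


def probe_cert(host, port=443, timeout=10):
    """Live check: (days_left, issuer, SANs) for the certificate the server
    presents right now. Uses a verifying context, so an expired cert or a
    hostname mismatch raises ssl.SSLError, exactly as a browser would complain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = dict(pair[0] for pair in cert["issuer"]).get("organizationName", "?")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cert_days_left(cert["notAfter"]), issuer, sans


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    print("redirect:", probe_redirect(f"http://{site}/awesome-sauce/"))
    days, issuer, sans = probe_cert(site)
    print(f"certificate: {days} days left, issued by {issuer}, covers {sans}")
    if days < 14:
        print("WARNING: renew now, or check why auto-renew did not run")
```

Run it against your own host after each renewal; if `probe_cert` still reports the old expiry date, the web server has not reloaded the new certificate yet.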
Confirm WooCommerce is installed correctly: Check the WooCommerce System Status Report
Before going too far, check the WooCommerce System Status Report. It'll let you know if something isn't installed correctly, or your system requirements aren't ideal for running a store for some reason.
WooCommerce has a 5-minute video of the important things to see in this report. The report screen itself contains a lot, but there are a handful of things you can check to quickly verify things are in working order. I recommend watching the video, because it covers those quickly and visually.
This should give you some clear clues on if anything is wrong, before you continue into more technical things.
Deliverability and Authentication: Make sure emails from the website do not go to Spam Folders.
Spam is a really big deal, and all of the biggest email providers are constantly and aggressively finding new ways to stop as much as possible. You can’t just send email from your own little bedroom mail server and expect your “deliverability” rates to be good. Often, emails will land in spam folders, or never even make it to the recipient at all.
The email industry has come up with standards on how to verify and authenticate which servers are allowed to send email for certain domain names. Spam protection is also watching how often, how many, and what the content of emails looks like.
I absolutely recommend using an “email service provider” (ESP) like SendGrid, MailChimp, Mailjet, Mailgun, Amazon SES, SparkPost, Postmark, etc.
Stick with the full-stack/full-service offerings, unless you’re very technically savvy, and up for a challenge.
Services like MailChimp, SendGrid, etc, work hard to maintain white-listed status with large email providers, and can provide excellent support for getting your email authentication set up correctly, and verified to send email.
Email Authentication
How other email servers know your email server is allowed to send mail on your behalf.
- SPF*
- DKIM*
- Sender ID (Microsoft's older variant of SPF; largely obsolete now, so don't spend time on it)
- DMARC
*You need to set up at least SPF & DKIM. DMARC builds on both: it tells receivers what to do with mail that fails those checks, and sends you reports about who is sending as your domain, so add it once SPF and DKIM are in place.
MailChimp has a good breakdown of what/why for the different types of email authentication.
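Once your ESP has told you what to publish, it is worth sanity-checking the records yourself before mail starts flowing. The following is an added example (not from the original guide or from any ESP) that audits SPF and DMARC TXT records for the weak settings that most often slip through: an open `+all`, too many DNS lookups, a monitoring-only DMARC policy, or no report address. Fetch the live records with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` and pass the strings in. DKIM is a per-selector public key whose correctness your ESP verifies when you enable it, so it is not covered here. The sample records in `__main__` are constructed; the `include:` hosts are merely illustrative.

```python
"""Audit SPF and DMARC records for a sending domain."""

MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes receivers return permerror
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def audit_spf(record):
    """Return a list of findings for one SPF TXT record (empty list means it looks sane)."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    lookups = 0
    final = None
    for term in terms[1:]:
        t = term.lower()
        mech = t.lstrip("+-~?")                      # strip the qualifier
        name = mech.split(":", 1)[0].split("/", 1)[0]  # mechanism name without argument/CIDR
        if name in LOOKUP_MECHS or mech.startswith("redirect="):
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' is deprecated and slow; replace it with ip4:/ip6:/include:")
        if mech == "all":
            final = t if t[0] in "+-~?" else "+" + t  # a bare 'all' means '+all'
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_SPF_LOOKUPS}; SPF will permerror")
    if final is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral; end with -all or ~all")
    elif final == "+all":
        findings.append("'+all' authorises every host on the internet to send as you; use -all or ~all")
    elif final == "?all":
        findings.append("'?all' is neutral and gives receivers nothing to act on; use -all or ~all")
    return findings


def audit_dmarc(record):
    """Return a list of findings for the _dmarc TXT record."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; the record is invalid without it")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered. Move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will get no aggregate reports showing who is spoofing you")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail; fine while ramping up, not as an end state")
    return findings


if __name__ == "__main__":
    # Constructed sample records for illustration only.
    samples = {
        "good SPF": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
        "bad SPF": "v=spf1 a mx ptr +all",
        "good DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "weak DMARC": "v=DMARC1; p=none",
    }
    for label, rec in samples.items():
        audit = audit_spf if "SPF" in label else audit_dmarc
        print(f"{label}: {audit(rec) or 'OK'}")
```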
Email Templates in WordPress and WooCommerce
A default WordPress + WooCommerce install sends a variety of email. Covering each email, their templates, and things to consider is enough for a guide of its own. Here are some questions you should familiarize yourself with, and some helpful links.
- Can site users automatically "join" somehow? Which emails are involved in that process?
- Do you have a preference for sending Text-only or HTML emails? Are you able to control that for all of your sites emails?
- Does your site have an automated "returns" flow?
- Does the site sell Subscriptions that may have expired payment method notifications?
- Is there Wishlist functionality that may have email notifications involved?
- Does the site send all email from the same email address? Is that email address something that users can reply to, to easily get in touch with support?
There’s usually a ton of email templates and things to consider. Some are default WordPress emails (like New User notifications and Password Resets) and some are from WooCommerce (Order confirmations). You need to make sure you’re familiar with the emails that your system sends, and that the copy and tone in them is as expected.
- WooCommerce Email FAQ
- Email Settings + List of emails that WooCommerce sends
- List of Emails that WordPress sends, by default
- As of this writing, it looks like the default set of emails aren't in simple templates, and exist inline in the methods that use them. Some of these are:
- New User Created
- User Password Reset
- User change email address (initial, and confirmation)
Core Shipping Methods and Details
Out of the box, WooCommerce has a few "core shipping options" you can set up, including:
- Flat Rate
- Local Pickup
- Free Shipping
Other options are available as plugins, from WooCommerce directly, or even from third parties. For some shops, the built-in methods may cover all the bases just fine. If you want more fine grained control over shipping, or real-time shipping calculations from UPS, FedEx, etc., then you may need to pay for a premium plugin to add that functionality.
WooCommerce can also handle digital/downloadable items, like software, music, and ebooks. You can also create digital variations of a single product, under the same SKU, e.g. you might sell a physical book with a digital ebook variation, instead of entering them as two entirely separate products. WooCommerce has a good blog post of tips for selling digital items.
Important Questions
- What kind of products does the site sell? Physical or digital only? Both?
- Do they have simple, or complex variations? (Sizes, colors, types, editions)
- What about shipping needs? Are per-item or flat-rate shipping options reasonable? Or will they require more fine grained control, or features?
- Can the out-of-the-box shipping methods handle your use cases, or will you need a specific plugin for your needs?
- Does the site sell services, like hourly consulting or appointments? WooCommerce supports "Virtual" products out of the box. Those might be flexible enough for your needs. Otherwise, there are premium plugins that may better suit that requirement.
Payment Methods
Out of the box, there are a handful of "Core Payment Options" (payment methods) that you can set WooCommerce to use. As of this writing they include two online methods: PayPal Standard, and Stripe, for accepting credit card payments online.
With almost any online payment processor, there's usually a concept of "testing/integration" and then "production/live" usage. You want to set up your staging site with your sandbox/testing credentials, and your live site should use your production/live credentials.
- PayPal Sandbox testing documentation.
- Stripe testing guide, including special credit card numbers that trigger specific results.
In either case (or even others, if you choose):
- Set up an account at the vendor (PayPal, Stripe, etc), and familiarize yourself with their rates, process, and workflows, if necessary.
- Make sure you get the "test" or "sandbox" credentials and API keys for the account
- Walk through a purchase flow
- Walk through a return flow
- What happens for fraud or chargebacks?
- What does a failed transaction look like?
- Your staging site should always use your payment gateway TEST credentials, and your production site should always use your PRODUCTION credentials.
- TIP: Keeping these strictly separate, and consistent, will prevent you from being confused later, if something isn't working quite like you thought it should. Better to keep it ruled out as a non-issue.
- AFTER LAUNCH: Spend some actual money! Buy something from your new online store (assuming your products aren’t prohibitively expensive). Because, why not? Yes, it’s paranoid manual testing in production. Assuming your overhead from your payment provider isn’t too crazy, and your products not extremely expensive, it might be worth a couple bucks for you to have the peace of mind of seeing it all work.
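The "staging uses TEST keys, production uses PRODUCTION keys" rule is easy to state and easy to break with one mistaken copy-paste, so it is worth enforcing rather than remembering. Below is an added example (not from the original guide, WooCommerce or Stripe) of a start-up guard that refuses to run when the keys do not match the environment. It relies on two things that are real: Stripe keys carry their mode in the prefix (`pk_test_`/`sk_test_` vs `pk_live_`/`sk_live_`, and `rk_` for restricted keys), and WordPress exposes the environment as `WP_ENVIRONMENT_TYPE` (`local`, `development`, `staging`, `production`). The environment variable names `STRIPE_PUBLISHABLE_KEY` and `STRIPE_SECRET_KEY` are an assumption for this example; the same check could live in a PHP mu-plugin on the WordPress side.

```python
"""Refuse to start a store whose payment-gateway keys don't match its environment."""
import os

LIVE_ENVS = {"production"}
TEST_ENVS = {"local", "development", "staging"}


def key_mode(key):
    """Return 'test', 'live' or None for a Stripe publishable/secret/restricted key."""
    for prefix in ("pk_", "sk_", "rk_"):
        if key.startswith(prefix + "test_"):
            return "test"
        if key.startswith(prefix + "live_"):
            return "live"
    return None


def check_gateway_keys(environment, publishable, secret):
    """Return (ok, reason). A mismatched pair is refused outright; staging may
    only use test keys and production may only use live keys."""
    pub_mode, sec_mode = key_mode(publishable), key_mode(secret)
    if pub_mode is None or sec_mode is None:
        return False, "unrecognised key format (expected pk_/sk_ with test_ or live_)"
    if pub_mode != sec_mode:
        return False, f"publishable key is {pub_mode} but secret key is {sec_mode}"
    if environment not in LIVE_ENVS | TEST_ENVS:
        return False, f"unknown environment '{environment}'; set WP_ENVIRONMENT_TYPE"
    if environment in LIVE_ENVS and sec_mode != "live":
        return False, "production site configured with TEST keys: real orders would never be charged"
    if environment in TEST_ENVS and sec_mode != "test":
        return False, f"{environment} site configured with LIVE keys: test orders would charge real cards"
    return True, f"{environment} correctly uses {sec_mode} keys"


def redact(key):
    """Form safe for logs and error messages: mode prefix plus the last 4 characters."""
    return key[:8] + "..." + key[-4:] if len(key) > 12 else "***"


if __name__ == "__main__":
    env = os.environ.get("WP_ENVIRONMENT_TYPE", "production")  # WordPress defaults to production
    pub = os.environ.get("STRIPE_PUBLISHABLE_KEY", "")          # assumed variable names
    sec = os.environ.get("STRIPE_SECRET_KEY", "")
    ok, reason = check_gateway_keys(env, pub, sec)
    print(f"{'OK' if ok else 'REFUSING TO START'}: {reason} (secret key {redact(sec)})")
    raise SystemExit(0 if ok else 1)
```

Never log or echo the full secret key while debugging a mismatch; `redact` exists precisely so the error message can name the offending key without leaking it.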
Learn how to backup WordPress site, and how to restore backups in case of emergencies
You need a backup, and a plan for restoring that backup. There's a phrase I've heard before that says...
"The only valid backup is the last one you tested".
I think itâs fair to say that you also need to have walked through the backup-restore process at least once, so that youâre familiar with it. Because what if your backup isnât valid?
The minimum bar for a reliable service is not that you have done a backup, but that you have done a restore.
– Joel Spolsky
If you're using the "alternate-restore-location" method for creating your staging site (you have a staging site, right?), then you may already be familiar with the process. Otherwise, it's a good practice to be familiar with exactly what you'd do if you needed to restore your site from a backup.
There are a lot of solutions for this. I've used and recommend the popular backup plugins and services listed in the staging section above. The important thing is to choose one, and be familiar with making backups and restoring them.
- If you're not hosted on a service that provides backup/restore functionality, choose a backup solution
- Know how to restore backups on your hosted service, or with your chosen solution
Server and Client-Side Performance / Website Speed
WooCommerce has a Server Recommendations page, with some very brief guidelines on what to look for.
The official WordPress and WooCommerce sites mention several hosting providers as adequate, including Bluehost and DreamHost. There's also managed hosting like WP Engine, Pagely, Flywheel, and others. It's hard to make a sweeping recommendation on which to use, because it depends on so many factors.
I've run successful websites on the cheapest DigitalOcean machine ($5/month at the time of writing) that do just fine for the traffic and customers they get. Without knowing more about your specific situation, the least you should do is be familiar with your backup and restore plan (in case you need to move your site to a beefier service), and ask your current host about your options, should you find yourself more popular than you intended. I'd venture to say that you're more likely to run into client-side performance issues related to your choice of Theme than server-side limitations. (If you do hit server-side limits, you're probably doing quite well!)
Choosing a WordPress Theme
You may have already settled on a Theme, or developed one of your own. Here are some of my thoughts on the process, and things to keep in mind.
- Given that you've set up caching and CDNs properly, the front-end performance of your site is almost entirely based on the WordPress Theme you've chosen.
- Responsive or mobile-first design is a must.
- WooCommerce has documentation on finding a good compatible Theme.
- Some basics, if I’m shopping or not developing my own theme:
- Should be fully responsive, and perhaps "mobile-first and desktop-friendly". (Mobile might be 54% of your site visits, per Forbes)
- Should be developed by an individual or organization with a track record of great support, and sustainability.
- Must not rely on bleeding edge âcoolâ stuff. The Theme should be rock solid and secure, and leave room for plugins to handle the fancy extras.
- Run your favorite PageSpeed/performance check on the demo site. This won’t give you a perfect picture, but should help to set your performance expectations, and maybe reveal red flags early.
- If using PageSpeed, pay special attention to warnings about the size of tap targets and mobile friendliness. Those are sometimes harder to fix later, than say “render-blocking Javascript”, which can usually be moved.
- Accessibility! Does the theme have even basic support for users whose abilities may be limited in some way?
Client Side Performance
There is a lot of ground to cover for a section with this title, and this almost entirely relies on the Theme you choose. Here are a few things that come to mind:
- Did you have a Performance Budget in mind?
- Your home page isn't the only page you should test! Be sure to keep an eye on the performance of these pages:
- Product pages
- Cart page
- Item or category listing pages
- Search results pages
- Blog listings, archives, and single pages
After youâve settled on a theme:
- Check your scores, and write them down. You need to check them again at a later date, and have some historical data for comparisons. You'll need to know if changes you make later are affecting things, and how.
- Better than writing things down: Automate! Use a service like GTmetrix. It’ll automatically keep a history of your PageSpeed and YSlow scores that you can refer to and monitor.
- Check the website yourself on Desktop, Tablet, and Mobile/phone platforms.
Check all of the above with services like:
- WebPageTest
- Pingdom Website Speed Test
- GTmetrix (PageSpeed, YSlow, + history)
- Google PageSpeed Insights
- Google Search Console Mobile-Friendly Test
Important Pages and Info
I am pretty sure the intro to this guide says that we don't go into legal documents and business things, but there are some things that are very important and worth bringing up. Here are some thoughts and questions about the site, in general:
- "About" and "Contact" pages are practically ubiquitous. Is it extremely easy for visitors to find out about who runs your site and how to contact them?
- Having your address and phone number consistently listed on the site can help search engines list you in local results (if relevant), on maps and local directories.
- Do you live in a place (or serve customers that do) where there are privacy laws about your use of "cookies", ad networks, or other tracking data? Do you have the necessary notices in place, if required?
- Does the site need or have a valid Terms Of Service document and/or Privacy Policy, with a prominent and easy to find link? What about a clear Returns, Refunds, or Exchanges policy?
- Shopify actually provides a list of free tools, including a
- Does the site include "affiliate links", and does it properly disclose that fact?
Caching
Unless you're on a managed WordPress host, you're probably going to be running one of the popular WordPress caching plugins. Managed platforms sometimes don't allow caching plugins, because they tend to come with their own specialized caching mechanisms.
- Important question: Is your caching strategy going to interfere with the dynamic nature of shopping carts?
- E.g., shopping carts need to change quantities and values, and every user should only see their own, unique cart displayed. A naive caching strategy might break your cart functionality! So it’s worth thinking through and testing.
- Check the official WooCommerce documentation on "configuring caching plugins" for up to date notes on various common caching plugins, compatibility, etc.
- WP Rocket
- This is currently my favorite WordPress cache plugin, when I need to use one.
- Newer versions are compatible with WooCommerce out of the box. See this guide for details, and a specific blog post, if you plan to use the "AJAX cart total".
- W3 Total Cache needs at least one specific settings change.
- Varnish-based caches may require specific rules.
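Whatever cache you end up with, the rules it needs are the same: never cache the cart, checkout and account pages, never cache any request from a visitor who already has a cart or is logged in, and never cache a GET that mutates state. The block below is an added example (not from the original guide, WooCommerce or any cache plugin) that encodes those rules as a decision function, so you can run captured requests through it and agree on the exclusion list before translating it into Varnish VCL, nginx `map` rules or your plugin's settings. The cookie names are the ones WooCommerce and WordPress really set (`woocommerce_items_in_cart`, `woocommerce_cart_hash`, `wp_woocommerce_session_*`, `wordpress_logged_in_*`); the page slugs are assumed to be the WooCommerce defaults, and `shop.example` is a placeholder host. The sample requests are constructed.

```python
"""Which requests may a page cache in front of WooCommerce serve from cache?"""
from urllib.parse import parse_qs, urlsplit

# Pages whose content differs per visitor; compared after stripping the trailing slash,
# so /checkout/order-received/123/ is covered by /checkout.
DYNAMIC_PATHS = ("/cart", "/checkout", "/my-account", "/wp-admin", "/wp-login.php")
# Cookies that mark a visitor with a cart, a WooCommerce session, or a WP login.
SESSION_COOKIE_PREFIXES = ("woocommerce_items_in_cart", "woocommerce_cart_hash",
                           "wp_woocommerce_session_", "wordpress_logged_in_")
# Query parameters that change or read cart state even on a GET.
BYPASS_PARAMS = {"add-to-cart", "remove_item", "undo_item", "wc-ajax"}


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def cache_decision(method, url, cookie_header=""):
    """Return (cacheable, reason) for one request."""
    if method.upper() not in ("GET", "HEAD"):
        return False, f"{method.upper()} requests change state"
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    for dynamic in DYNAMIC_PATHS:
        if path == dynamic or path.startswith(dynamic + "/"):
            return False, f"{parts.path} is different for every visitor"
    hit = BYPASS_PARAMS.intersection(parse_qs(parts.query))
    if hit:
        return False, f"query parameter '{sorted(hit)[0]}' touches the cart"
    for name in parse_cookie_header(cookie_header):
        if name.startswith(SESSION_COOKIE_PREFIXES):
            return False, f"cookie {name} marks a visitor with a cart or session"
    return True, "anonymous GET of a shared page"


if __name__ == "__main__":
    # Constructed sample requests: (method, url, Cookie header)
    samples = [
        ("GET", "https://shop.example/product/blue-hoodie/", ""),
        ("GET", "https://shop.example/product/blue-hoodie/", "_ga=GA1.2.1; cookie_notice_accepted=true"),
        ("GET", "https://shop.example/product/blue-hoodie/", "woocommerce_items_in_cart=1; woocommerce_cart_hash=9f2"),
        ("GET", "https://shop.example/cart/", ""),
        ("GET", "https://shop.example/checkout/order-received/123/?key=wc_order_abc", ""),
        ("GET", "https://shop.example/?add-to-cart=42", ""),
        ("GET", "https://shop.example/?wc-ajax=get_refreshed_fragments", ""),
        ("POST", "https://shop.example/product/blue-hoodie/", ""),
        ("GET", "https://shop.example/cartoon-shirts/", ""),  # must NOT be caught by /cart
    ]
    for method, url, cookies in samples:
        cacheable, reason = cache_decision(method, url, cookies)
        print(f"{'CACHE ' if cacheable else 'BYPASS'} {method:4} {url}  ({reason})")
```

The "cartoon-shirts" case is the one people get wrong when they write the rule as a bare prefix match in nginx or Varnish; match the whole path segment, not the first few characters. Note also that the cookie check runs on the request, so a CDN in front of the site needs to forward (and vary on) these cookies rather than stripping them, or it will happily serve one customer's cart-aware page to everyone.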
CDNs and Static Assets
- Some managed platforms implement their own CDN; check the details because you may or may not still want to bring your own.
- Have you set up a CDN and configured WordPress to use it correctly?
- Many popular CDNs have very easy integration into WordPress, via official plugins. Here are the most popular ones I'm aware of:
- Where is your media stored?
- Are you serving uploaded media, thumbnails and images, from your local server or from an offsite storage like Amazon S3?
- Are you serving all of your static assets from a "cookie-less domain"?
- There may still be cases for splitting your CSS and Javascript assets onto different domain(s) than your images and other media.
- Some caching plugins make it very simple to serve static assets from custom CDN domains, even by type (CSS, JS, images). WP Rocket's CDN settings are a great example of this.
Monitoring
How do you know if your website is down? What if it's not down, but users are experiencing higher-than-normal load times? You should have at least one method of being automatically notified about these situations. Some of these tools offer free tiers, which can be "enough" if you're just starting a small shop:
Other great resources
- WPEngine's prelaunch checklist (PDF) is really good
- Capsicum Mediaworks' "Killer WordPress Checklist"
- wpmudev's pre-launch checklist
Note: A few of the links in this document may be "affiliate links", where I may receive discounts or payments if you use them to purchase a given product or service. That said, every word and link in this document is genuine and nothing is included purely for its ability to earn income, etc.