How to deal with security with a WooCommerce store making $1M / year?

I’m considering buying a WooCommerce store that makes $1m a year selling industrial machinery spare parts.

The site has been around for 5 years, margins are okay and I feel there’s room to grow, that’s why I’m considering taking over.

But there’s something that holds me back. There’s no CTO or Lead Dev in-house. Tech is outsourced to a freelancer who won’t join full time even if I make him an offer.

The developer is good and reliable, so I can live with him not being part of the internal team. However, when I asked him (and the current owner) about web security, they seem pretty clueless.

They have installed Wordfence and run on WP Engine, and they seem to be content with it. Wordfence was installed but no one looks at it. They have a paid service but it seems quite impersonal and it’s too cheap to be real.

I’m a bit concerned about not having anyone who can be by my side if we get hacked. Or someone who can proactively prevent attacks and keep my business safe. Think like setting password policies, access control etc etc. Especially if I grow this business.

Am I being paranoid?

How do other ecommerce entrepreneurs deal with WordPress security? Do they just cross their fingers that their outsourced developer knows how to fix the site if it gets hacked?

8 Comments
  1. We do managed hosting for Woocommerce sites of similar scale.

    Generally, our clients don’t want a F/T person on staff, and they can’t afford someone who has the necessary skill level.

    Keep someone on retainer that you trust, and budget a few hours a month for monitoring and ongoing maintenance (checking logs, updating stuff, just making sure the ship is trimmed). Everyone looks at it as a cost center, but it’s protecting the revenue center, so it’s different.

    I’d consider putting Cloudflare in front of WP Engine. Security in depth. And make sure you have a serious backup plan, with one-way writes so that a cryptolocker can’t encrypt your offsite backups too.

    I’d also say most businesses in the position you’re describing have no idea how much money they could be making if they used serious e-commerce processes. Lots of brick & mortar businesses “have” a website but they don’t “run” their website. They regard it as an “also” instead of a prime. With proper operation, many of those sites that have longtime credibility and internet presence can increase their sales and RoI manyfold by adopting modern e-commerce practices.

    If you increase the revenue, you should consider hiring a CTO, and/or a lead dev, and maybe an e-commerce manager. These people can, if knowledgeable, return far more than their salary costs.

    Good luck.

  2. +1 for cloudflare. Blogvault also has solid malware scanning, and will clean the site for you as well. What security headers are you running?

    I’ve handled security and WooCommerce at scale for an international dev agency for many years. What we usually see is that sites at that scale without an internal dev need to have a solid relationship with an agency, if only for redundancy in case something happens to the freelance dev.
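The "what security headers are you running?" question above is one a buyer can answer in a minute before closing the deal. The script below is an added example, not code from the thread or from any vendor mentioned in it: it parses the raw output of `curl -sI https://shop.example/` and lists the hardening gaps a reviewer would raise (HSTS, CSP and clickjacking protection, `nosniff`, `Referrer-Policy`, version strings in `Server`/`X-Powered-By`, and cookie flags on the WordPress login cookies). The two responses embedded in it are constructed, the six-month HSTS threshold is our own choice, and `shop.example` is a placeholder.

```python
"""Security-header audit for a WordPress/WooCommerce storefront.

Added example, not code from the thread: feed it the raw output of
`curl -sI https://shop.example/` and it lists the hardening gaps a reviewer
would raise. Both responses below are constructed, not captured from any
real site."""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Our own thresholds: the HSTS lifetime we accept as serious (six months), and
# the WordPress login cookie prefixes that must never be script-readable.
HSTS_MIN_AGE = 15552000
SESSION_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_")


def parse_curl_head(raw: str) -> List[Header]:
    """Turn `curl -sI` output into lower-cased (name, value) pairs, keeping
    repeated headers such as several Set-Cookie lines. Status line skipped."""
    headers: List[Header] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(headers: List[Header], https: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    first: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in headers:
        if name == "set-cookie":
            cookies.append(value)
        else:
            first.setdefault(name, value)  # first occurrence wins
    findings: List[str] = []

    # Transport: HSTS only means something when the store is served over TLS.
    if https:
        hsts = first.get("strict-transport-security")
        m = re.search(r"max-age=(\d+)", hsts or "", re.I)
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        elif not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security max-age below %d" % HSTS_MIN_AGE)

    # Content: CSP, plus the legacy headers that still matter on a shop.
    csp = first.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp.lower() and \
            first.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")
    if first.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in first:
        findings.append("missing Referrer-Policy")

    # Fingerprinting: a version number in Server/X-Powered-By is free recon.
    for name in ("server", "x-powered-by"):
        if re.search(r"/\d", first.get(name, "")):
            findings.append("%s discloses a version: %s" % (name, first[name]))

    # Cookies: Secure on every cookie over HTTPS; login cookies also HttpOnly.
    for cookie in cookies:
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % cname)
        if cname.startswith(SESSION_COOKIE_PREFIXES) and "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % cname)
    return findings


# Constructed sample: what a neglected store commonly looks like.
WEAK_RESPONSE = """HTTP/2 200
server: Apache/2.4.41 (Ubuntu)
x-powered-by: PHP/7.4.3
content-type: text/html; charset=UTF-8
set-cookie: wordpress_logged_in_abc=user%7C123; path=/; HttpOnly
set-cookie: woocommerce_cart_hash=deadbeef; path=/
"""

# Constructed sample: the same store after hardening.
HARDENED_RESPONSE = """HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-type: text/html; charset=UTF-8
set-cookie: wordpress_logged_in_abc=user%7C123; path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_curl_head(raw)) or ["ok"])
```

Run it against the real storefront with `curl -sI` output on stdin or pasted into `WEAK_RESPONSE`; a CDN such as Cloudflare can inject several of these headers at the edge, so check the response from the public hostname, not from the origin. The CSP check only tests presence: a WordPress theme will usually need a policy negotiated with the developer, which is exactly the conversation the thread says is missing.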

  3. You’re already on WP Engine so *most* of the security infrastructure is maintained by them. Look into their add-on services like plugin updates and Cloudflare. They already keep rolling backups for you and keep a pretty close eye on any suspicious traffic. Keep everything up to date, enforce strict password policies and you should be fine. If you have concerns you can reach out to them for more information, you’re paying a premium for that service so use it. They also help recovering and cleaning hacked sites if the worst happens. I’d be much more concerned about targeted social engineering and phishing than someone hacking your site from the outside. In my experience if you follow best practices and keep your stuff up to date the chance of getting hit by a random hack is pretty low.

  4. Cloudflare, or there IS a plugin that tells you if one of your plugins got compromised or has vulnerabilities
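Whatever scanner the comment above has in mind, the raw material is the plugin inventory, and on a WP Engine box a developer can pull it with WP-CLI. The script below is an added example, not from the thread or from any plugin: it takes the JSON that `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`) and triages it by the three things that actually matter on a neglected store: inactive plugins still sitting on disk, updates not applied, and versions below a known fix. The inventory and the advisory table are constructed; slugs beginning with `example-` are placeholders, and `FIXED_IN` stands in for whatever vulnerability feed you subscribe to.

```python
"""Plugin-inventory triage for a WordPress site.

Added example, not code from the thread. Input is the JSON that
`wp plugin list --format=json` prints (fields name, status, update,
version). The inventory and the advisory table below are constructed;
the slugs starting with "example-" are placeholders, not real plugins."""
import json
from typing import Dict, List, Tuple

# Hypothetical advisory table {slug: first fixed version}. A real run would
# load this from a vulnerability-feed export; this entry is made up.
FIXED_IN = {"example-form-builder": "5.1.0"}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric components of a dotted version; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_older(a: str, b: str) -> bool:
    """True when version a is strictly older than b ('1.3' equals '1.3.0')."""
    pa, pb = version_tuple(a), version_tuple(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def triage(inventory_json: str) -> Dict[str, List[str]]:
    """Map each plugin that needs attention to the reasons why."""
    findings: Dict[str, List[str]] = {}
    for plugin in json.loads(inventory_json):
        name, version = plugin["name"], plugin["version"]
        notes: List[str] = []
        # Inactive plugins are still PHP on disk, reachable by direct request.
        if plugin["status"] == "inactive":
            notes.append("inactive: delete it rather than leave it installed")
        if plugin.get("update") == "available":
            notes.append("update available, running %s" % version)
        fixed = FIXED_IN.get(name)
        if fixed and is_older(version, fixed):
            notes.append("below fixed version %s, treat as vulnerable" % fixed)
        if notes:
            findings[name] = notes
    return findings


# Constructed inventory in the shape `wp plugin list --format=json` emits.
SAMPLE_INVENTORY = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available", "version": "7.9.0"},
    {"name": "wordfence", "status": "active", "update": "none", "version": "7.10.0"},
    {"name": "example-gallery", "status": "inactive", "update": "none", "version": "1.3"},
    {"name": "example-form-builder", "status": "active", "update": "none", "version": "5.0.2"},
])

if __name__ == "__main__":
    for name, notes in triage(SAMPLE_INVENTORY).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Run it as `wp plugin list --format=json | python3 triage.py` after swapping the sample for `sys.stdin.read()`; the point of keeping it to a short script is that the retainer developer from comment 1 can run it monthly and hand over a list, which is more accountability than a dashboard nobody looks at.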

  5. > How to deal with security with a WooCommerce store making $1M / year

    If margins are good, there’s room to grow, and the WordPress website is critical to your income… hire an expert.

    Have (tested, re-tested and continuously proven!) processes for every critical failure.

  6. You’re not being paranoid and if you’re purchasing a company I can completely understand wanting more assurance than ‘some guy does it’.

    The problem is that perhaps the person currently managing the site knows exactly what they’re doing and just doesn’t want to give up their freelance position. You could end up paying more for less and burning bridges with possibly the only person who knows the site inside and out.

    The other thing is, how many orders are going through the site to make up the $1m per year? If you’re making dozens or hundreds of sales per day, it may be worth investing say $50k in a dedicated build on something like React in tandem with the current site and switching over once it’s complete. That way you have a completely custom build with full documentation.

  7. As a few have mentioned about Cloudflare, you’ll want to get the Global Edge Security add-on from WP Engine as we have. It’s effectively the additional premium Cloudflare tier with some WP Engine extra customisation sprinkled in.

    You’ll also want their Smart Plugin Manager add-on, which auto-updates plugins, but does some clever before and after comparisons to check for errors and visual changes. If it detects any it rolls back automatically. We’ve started using this recently after getting to a point that manually updating websites would be a full time job.

    We run about 15-20 client eCom sites from our P5 WP Engine server including one of our own which turns over about £3.5M per year.

    WP Engine + Global Edge Security + Smart Plugin Manager + Wordfence.

    It’s almost set and forget. Just keep an eye on things and you’ll have pretty smooth sailing.

  8. Get someone to review the source code. It’s highly likely it’s a cobbled together piece of shit

    You’re not paranoid, props to you for doing your research
