WooCommerce 9.0+ requires PHP 8.2 or 8.3. PHP 8.1 reached end-of-life in December 2025. Check your hosting control panel. If you are still on PHP 7.4 or 8.0, upgrade before launch — it also makes your store faster and more secure. Most managed hosts let you switch PHP versions in one click from the dashboard.

n

WooCommerce with common plugins like Elementor, Yoast, and Stripe can consume significant memory. Set define('WP_MEMORY_LIMIT', '256M'); in your wp-config.php. Verify it applied in WooCommerce > System Status. If your host caps memory below 256MB, that is a red flag.

n

Solid-state drives are 5u201310x faster than spinning hard disks for the random-read patterns that WooCommerce generates. NVMe SSDs are better still. Most managed WordPress hosts use NVMe. Ask your host if you are not sure. There is no reason to launch a store on a spinning-rust server in 2026.

n

HTTP/3 cuts latency on mobile connections significantly. TLS 1.3 is faster and more secure than TLS 1.2. Both are standard on modern managed hosts. Run your site through SSL Labs to check. Your host handles server-side config — if they do not support these, find a different host.

n

Your database server needs to handle concurrent read/write operations without bottlenecking your store. MySQL 8.0 supports JSON functions that WooCommerce uses for product metadata. Check your host’s database version in their docs or ask support. Anything older than MySQL 5.7 is a problem.

n

Redis keeps database queries and full-page objects in memory instead of hitting the disk every time. For stores with more than 100 products or 50 concurrent visitors, Redis cuts load times by 40u201360%. PapaBear’s managed WooCommerce plans include Redis by default.

n

Your store processes payment information. Even if you use Stripe or PayPal, having HTTPS sitewide is non-negotiable. In WooCommerce > Settings > Advanced, set both site URLs to use HTTPS. Then force all HTTP traffic to redirect to HTTPS via your .htaccess or hosting panel. Run your URL through SSL Labs and confirm you get at least an A rating.

n

WordPress brute-force attacks hit the /wp-login.php endpoint constantly. Use a password generator with 16+ characters, mixed case, numbers, and symbols. Force 2FA on every admin account using Wordfence or a dedicated plugin like WP 2FA. This takes five minutes and blocks the most common store takeover attacks.

n

All folders: 755 or 750. All files: 644 or 640. wp-config.php: 440 or 400. Incorrect permissions are the most common way attackers steal your database credentials. Check and fix these via your hosting file manager or SFTP client before launch.

n

Wordfence (free tier is enough for most stores) gives you a firewall, login attempt limiting (5 failed logins blocks the IP for 15 minutes), and a malware scanner. Install it, enable the firewall, run a full scan before launch. Catch anything suspicious from theme or plugin installs before customers see it.

n

If you use Stripe, PayPal, or WooCommerce Payments, their PCI compliance covers the payment processing side. But you still need to maintain your part: use only PCI-compliant hosting, keep WordPress and all plugins updated, and never store raw credit card numbers. EU sellers also need PSD3 compliance — the EU VAT for WooCommerce plugin handles the VAT piece.

n

Product images are the #1 cause of slow WooCommerce pages. Resize every product photo to a maximum of 1200x1200px before uploading. Compress with TinyPNG, ShortPixel, or Imagify. Serve in WebP format. An unoptimized full-size photo can be 5u201310MB. Your entire product page should total under 1MB of images.

n

Managed hosts handle caching at the server level — you do not need a plugin. On shared or unmanaged hosting, install WP Super Cache or W3 Total Cache. Test it: visit your site, check the page source, and look for a cache hit comment at the bottom. If there is no evidence of caching, your server is regenerating every page from scratch on every visit.

n

Lazy loading means images below the fold do not load until the visitor scrolls to them. WordPress 5.5+ adds loading=”lazy” automatically to most images, but your theme and WooCommerce product gallery may not respect it. Test: open a product page in Chrome DevTools, go to the Network tab, and confirm images below the fold show a “lazy” status rather than loading immediately.

n

Minification strips whitespace from HTML, CSS, and JS. GZIP compresses these files before sending to the browser. Most caching plugins handle both. Run your URL through Google PageSpeed Insights — it lists missing compression under Opportunities.

n

A CDN copies your static files to servers worldwide so visitors load from the nearest location. For WooCommerce, this cuts load time for international visitors by 40u201370%. Cloudflare’s free plan works for most new stores. Point your domain nameservers to Cloudflare, and your host serves files from 300+ edge locations automatically.

n

WooCommerce stores cart data in the database. On high-traffic sites, the sessions table grows large and slows queries. Clear expired sessions regularly via WooCommerce > Status > Tools. Better yet, use Redis persistent object caching to keep sessions in memory. In WooCommerce > Settings > Advanced, use the Database session handler only if Redis is not available.

n

Duplicate product titles are an SEO killer. Every product needs a unique H1 and a 120u2013160 character meta description written for search engines, not just for shoppers. Use Yoast SEO or Rank Math to set these per product. Do not leave the meta description blank — search engines will pull a random excerpt, and you will lose the chance to control what shows in search results.

n

Schema markup tells Google what your product is, its price, availability, and star ratings. Without it, you show up as a generic result. WooCommerce with Yoast SEO handles basic schema. For full rich snippets (star ratings, price range, availability), install Schema Pro or the free Schema & Structured Data for WP & AMP plugin.

n

Your sitemap should include all products, categories, tags, and pages. Verify it exists at yoursite.com/sitemap.xml. Then create a free Google Search Console account, add your property, and submit the sitemap. This is how Google finds your products. Without it, you are relying entirely on backlinks to get indexed.

n

WooCommerce generates multiple URLs for the same product — category pages, search results, paginated views. Without canonical tags pointing to the primary URL, Google reads this as duplicate content and buries your rankings. SEO plugins set these automatically. Verify by checking the HTML source of any product page for the canonical tag.

n

Before going live, run at least three test transactions through every payment method you accept. Use Stripe’s test card (4242 4242 4242 4242) or PayPal’s sandbox. Test: successful purchase, declined card, refund flow, and email receipts. A broken checkout that your first customers discover is worse than no store at all.

n

WooCommerce shipping setup is often an afterthought. Configure real zones based on where you actually ship. Set real rates — not placeholder $0 charges. If you offer free shipping, set a minimum order threshold and make it clear in the cart summary. Test the full checkout with a real address to confirm shipping options appear correctly.

n

If you sell nationally in the US, connect to WooCommerce Tax (powered by Stripe Tax) or TaxJar to calculate rates automatically. Selling to EU customers? You need VAT compliance — the EU VAT for WooCommerce plugin handles this. Selling in Canada? GST/HST rates vary by province. Incorrect tax rates create audit exposure and refund requests.

n

Required by law in most jurisdictions. You need at minimum a Privacy Policy (GDPR and CCPA compliant), Terms of Service, and a Refund/Cancellation policy. These must be linked in your footer, in checkout, and in your cookie consent banner. Use Termly or iubenda to generate compliant pages quickly if you do not have legal counsel.

n

Analytics tools, Facebook Pixel, and Hotjar cannot load until the user consents to non-essential cookies. Install CookieYes or GDPR Cookie Consent. The banner must give users a real choice — “Accept All” and “Reject All” — before third-party scripts fire. Violations carry fines up to $7,500 per incident under CCPA. This is not optional.

n

If you built your store on a staging environment — which you should have — verify the final migration to production preserved everything: products, images, settings, plugin configurations, and order data. Run a complete checkout flow on the live URL before announcing your launch. Check every form, every button, every email notification. Then announce.

n