Drupal is widely regarded as a secure content management system, so much so that it is often chosen for sensitive sites, including the sites of many government agencies. WordPress’s reputation for security is not quite as impressive, and we’re all familiar with stories of hacked WordPress sites.
Does that mean it’s fair to say that WordPress is less secure than Drupal?
This is not a simple question to answer because it depends on our answers to other questions: What do we mean by secure? How do we measure security? It certainly wouldn’t be fair to compare media stories about WordPress security with Drupal’s record — there are hundreds of times more WordPress sites than Drupal sites, so you’d expect WordPress to be hacked more.
One possible definition of a secure Content Management System (CMS) is one that is extremely unlikely to be compromised if it is configured according to the documentation and regularly updated. If we accept that definition, then both WordPress and Drupal are secure. No application on the web is ever totally secure, but properly configured and regularly updated Drupal and WordPress sites are unlikely to be compromised.
What Are the Qualities of a Secure CMS?
There are many ways to measure the security of an application, but from the perspective of users, three factors are particularly important.
Few vulnerabilities. Software bugs that cause exploitable vulnerabilities should not be a regular occurrence. They’ll sometimes happen because software is complex and humans are fallible, but users should not expect to see their sites regularly hacked because of vulnerabilities in the core application.
Vulnerabilities are quickly fixed. When vulnerabilities are reported to the developers, patches to fix them should be released quickly, and users should be informed of the need to update (or updates should happen automatically).
Easy to secure. If a content management system is generally used by people without a lot of technical knowledge, then it should be designed to minimize opportunities for users to create security problems. For example, it shouldn’t be easy for people to use a default password instead of a secure password.
It’s easier to compare Drupal and WordPress on some of these measures than others. We can see how many critical vulnerabilities are found and fixed in WordPress and Drupal. We can’t see vulnerabilities that haven’t been discovered or reported — so-called zero-day vulnerabilities — but reported vulnerabilities are a useful proxy for overall risk.
It’s clear that both projects have their share of vulnerabilities, but we can also see that patches are released quickly. Both projects take security seriously and react with haste when vulnerabilities are reported.
Security Beyond the Core
What about WordPress plugins and Drupal modules? The fact is that when a WordPress site is hacked, it’s almost always a plugin to blame. There are 50,000 plugins created by developers of mixed ability who are not equally motivated to secure their code. Drupal too has occasional security issues related to modules, but the Drupal module ecosystem is smaller and more tightly controlled.
There are many high-quality WordPress plugins made by developers who are committed to building secure products, but the sheer size of the WordPress ecosystem means that the average WordPress plugin is more likely to pose a risk than the average Drupal module.
For both content management systems, and WordPress in particular, it pays to be cautious when sourcing and installing modules or plugins. Nulled plugins — pirate premium plugins — are a particular issue in the WordPress world. They are often infected with malware, and once a malware-infected plugin is installed on a site, it’s game over.
Developers Can Only Do So Much
Now we come to the most significant cause of security vulnerabilities for any content management system: its users. As we’ve established, every CMS has vulnerabilities that can be exploited by hackers at some point in its life. Those vulnerabilities are usually quickly fixed, but the fixes are useless if they aren’t installed. WordPress users who fail to update WordPress and its plugins are probably the single biggest cause of compromised sites. Outdated sites are also a big problem in the Drupal world, albeit on a smaller scale.
Whereas WordPress attracts non-technical users, Drupal is squarely aimed at developers and organizations that have the expertise to maintain a more complex content management system. However, because its users are expected to be experts or at least have some technical knowledge, Drupal is not as easy to secure as WordPress.
Updating Drupal and its modules can be a bit of a pain compared to WordPress’s automatic minor version updates, but if you know what you’re doing, it’s not prohibitively difficult.
Drupal or WordPress?
The truth is that both Drupal and WordPress are secure if properly installed, configured, and maintained. The opposite is also true; a poorly maintained Drupal or WordPress site is a gift to hackers.
Drupal has fewer issues with plugin vulnerabilities, but if a Drupal site is left without updates for a couple of years, it’ll be hacked as quickly as an unpatched WordPress site. Moreover, because Drupal is more complex and more challenging to update, a non-technical user may struggle to maintain adequate security.
If you don’t need the power and flexibility of Drupal, then a well-maintained WordPress site is the best option — just remember to keep the site and its plugins updated. If you do need Drupal’s flexibility, then the fact that expert developers choose Drupal for highly sensitive government and corporate sites should reassure you that Drupal can be secured to the highest level.
It’s important to understand that security goes deeper than whichever CMS you choose. Both Drupal and WordPress rely on utility software, a database, a web server, an operating system, and more. These must all be maintained and updated too, and that’s the job of the hosting provider. The first step in securing your content management system is to choose secure WordPress hosting or secure Drupal hosting.
What should happen when a security researcher discovers a vulnerability in a popular software project? Should details of the vulnerability be released so that users can protect themselves? Or should it be kept secret so that bad actors can’t exploit it?
There are drawbacks to both approaches. Immediate full disclosure puts users at risk. Bad actors find out about the vulnerability too, and there isn’t a lot users can do to protect themselves until patches are released. In contrast, secrecy allows software developers to ignore vulnerabilities, and there is no guarantee that bad actors don’t know about them already.
The industry has, for the most part, settled on a hybrid approach called responsible disclosure. When a security researcher finds a vulnerability, they inform the software’s developers but they don’t go public immediately. The developer is given time to release patches. Once the patches are released, the vulnerability is publicized so that users know to update. If the developer fails to release a patch in a reasonable amount of time, the vulnerability is disclosed to users so they can protect themselves. The amount of time given to developers varies; Google’s Project Zero allows 90 days.
Responsible disclosure attempts to balance competing goods. Users who are in the dark about vulnerabilities can’t respond to the threat, but immediate disclosure gives bad actors an advantage. Secrecy might prevent widespread exploitation of a vulnerability before it’s been patched, but developers, especially developers of proprietary software, may not be inclined to invest time and money into bug fixes for vulnerabilities no one knows about. Responsible disclosure is the golden mean between complete transparency and security by obscurity.
Responsible disclosure depends on the assumption that software is updated when patches are released. Secrecy following discovery is justified by the risk disclosure poses to users. They would be exposed without any way to fix the problem. Delayed disclosure is justified by the belief that once patches are available, users are safe.
But what happens when users don’t update? They are in as much peril as if the vulnerability had been exposed without patches having been released. Bad actors know all about the vulnerability, including, in the case of open source software, exactly which code was vulnerable and how to exploit it. Unfortunately, failing to patch isn’t rare: many recent data leaks and security breaches were the result of the exploitation of known vulnerabilities for which patches were widely available.
The point is this: over many years, a system for handling vulnerabilities has evolved, a system which aims to keep software users as safe as possible. Developers, security researchers, and corporations cooperate to minimize the risk to users. But users — businesses, server administrators, hosting providers — have a vital role to play. They have to update their software when patches become available. If they don’t, they put their business, their customers, and the wider population at risk.
For 74% of consumers, the quality and relevancy of search results on an ecommerce site is the difference between whether they do or don’t make a purchase. Storefronts can no longer rely on good navigation alone. Search has become a primary purchasing path, with consumers that use search 200% more likely to make a purchase than those who don’t.
Powerful on-site search provides more than just a direct purchasing path. It also provides customers with the ability to research and further define desired products and attributes. This not only means consumers are able to research their choices more effectively, it also positions you as an industry leader and an invaluable consumer resource.
This article looks at the search options available to Magento merchants, and outlines four of the main tools available; including Elasticsearch, SOLR, Sphinx, and MySQL. It examines the pros and cons of each, and provides a recommendation of what option is best.
Keep reading to see which Magento search option is right for your storefront.
Note: this article will not be taking a detailed look at the multiple Magento search extensions available on the marketplace, but instead focuses on more powerful, external solutions.
How Magento Search Works
How Magento search works depends on what search option you choose and how you configure it. In some cases, it’s possible to simply connect a search engine to your Magento store and it will do the rest automatically. In other cases, proper implementation requires either a developer or expert.
Regardless of which path you choose, once a search engine has been implemented, it will index your site. This produces an easily searchable index of your products and their attributes. Depending on the size of your store, this can take from a few minutes to a few days.
When looking for a search engine, there are several different features that should stand out. These include:
Fast and accurate results
Natural language processing for longtail and complex search queries
Filtered results pages for more accurate results (Faceted search)
Error-tolerance (this needs to be high to provide better, more relevant results)
Synonym management (especially important for niche stores)
Elasticsearch (ES) is currently the most popular and the default option for Magento search.
As a Java-based document store, Elasticsearch is engineered to store large numbers of JSON documents and query them natively. So in addition to handling text-based queries, it can also understand advanced analytical queries, including those over numeric and geo data.
Where Elasticsearch really shines is in its full support for Apache Lucene’s real-time search. From a customer’s perspective, this means ES is able to provide faster and more relevant search experiences. For store owners, this means faster conversions.
Currently, Elasticsearch is recommended by both us and Magento. Part of the reason for this is that it’s easy to set up. On Hostdedi accounts, it can be turned on under the Environment tab in your Client Portal. The endpoint can then be transferred into Magento by following this guide.
At the moment, both Foursquare and GitHub use Elasticsearch.
A Faster, More Accurate Search Option
Elasticsearch makes use of Fuzzy searching, a technique which allows for stores to interpret customer queries even when they mistype or aren’t 100% sure what they are looking for. Combined with synonym and stop word interpretation, this places ES as one of the more capable search engines available to merchants.
ES also allows for merchants to customize search results based on defined parameters. One of the technologies used to do this is finite state transducers. In English, this means that ES can handle search queries that consider both the input and output, and that can then provide results based on the relationship between these two pieces of data.
Complex Search Query Support
While both Elasticsearch and SOLR (below) are based on Lucene query parsing, Elasticsearch also provides a structured query DSL. This allows more complex search queries than a search engine offering only the Lucene query syntax can support.
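To make the features listed above concrete (error-tolerant matching, synonym management and stop-word handling), here is an added example of a toy product search in Python. It is not Elasticsearch, Magento or Hostdedi code: the catalog, the synonym table, the stop-word list and the edit-distance budget (which copies Elasticsearch's documented AUTO fuzziness steps of 0, 1 and 2 edits by term length) are all constructed for illustration.

```python
"""Added example: a toy catalog search showing what fuzzy matching, synonyms
and stop words do. Not Elasticsearch or Magento code; all data is constructed."""
from __future__ import annotations

import re

# Constructed sample catalog: (SKU, product name). SKUs are placeholders.
CATALOG = [
    ("SKU-001", "Mens Running Shoes"),
    ("SKU-002", "Womens Trail Sneakers"),
    ("SKU-003", "Waterproof Hiking Boots"),
    ("SKU-004", "Kids Sandals"),
]

# Constructed synonym groups; every term in a group expands to the whole group.
SYNONYMS = [{"shoes", "sneakers", "trainers"}, {"kids", "children", "childrens"}]

# Constructed stop-word list: dropped from both queries and product names.
STOP_WORDS = {"a", "an", "the", "for", "of", "and", "with"}


def tokenize(text: str) -> list[str]:
    """Lowercase, keep only alphanumeric runs, drop stop words.
    The whitelist regex also means raw user input never reaches the matcher."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP_WORDS]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def max_edits(term: str) -> int:
    """Edit budget by term length, mirroring Elasticsearch's AUTO fuzziness:
    0 edits for 1-2 characters, 1 for 3-5, 2 for longer terms."""
    n = len(term)
    return 0 if n <= 2 else 1 if n <= 5 else 2


def expand_synonyms(term: str) -> set[str]:
    """Return the term plus every synonym from the constructed table."""
    out = {term}
    for group in SYNONYMS:
        if term in group:
            out |= group
    return out


def term_matches(query_term: str, doc_tokens: set[str]) -> bool:
    """A query term matches a product if any of its synonyms is within the
    allowed edit distance of any token in the product name."""
    for variant in expand_synonyms(query_term):
        budget = max_edits(variant)
        if any(edit_distance(variant, tok) <= budget for tok in doc_tokens):
            return True
    return False


def search(query: str, min_match: float = 1.0) -> list[str]:
    """Return SKUs whose name matches at least `min_match` of the query terms,
    products with the most matching terms first (ties in catalog order)."""
    q_terms = tokenize(query)
    if not q_terms:
        return []
    scored = []
    for sku, name in CATALOG:
        doc = set(tokenize(name))
        hits = sum(term_matches(t, doc) for t in q_terms)
        if hits and hits / len(q_terms) >= min_match:
            scored.append((-hits, sku))
    return [sku for _, sku in sorted(scored)]


if __name__ == "__main__":
    for q in ("runing shoes", "sneakers", "the kid sandals", "xyz"):
        print(f"{q!r:20} -> {search(q)}")
```

The `search("runing shoes")` call returns only SKU-001: the misspelled "runing" is within the two-edit budget of "running", while "shoes" expands to "sneakers" and so also matches SKU-002, but that product fails the default requirement that every query term match. Lowering `min_match` is the equivalent of relaxing minimum-should-match in a real engine.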
SOLR is another standalone, scalable search option for Magento. For a long time, it dominated the Magento search market for high-traffic sites. Not only does it offer a number of important features search admins are looking for, it’s also a scalable solution capable of handling heavy traffic loads.
Some of the features you’ll find with SOLR search include:
Search term suggestions based on misspelling
Weighted search results
Support for synonyms and stop words
At the moment, Cnet and Netflix use SOLR.
Near Real-Time Search Speeds
Where SOLR shines is when it comes to group searches. This is because SOLR supports distributed groups (including grouped sorted, filtering, and faceting). For ecommerce store owners, this allows for their customers to go through better, more relevant search experiences. At this point in time, the main competitor, Elasticsearch, does not support this in the same way.
When compared to alternatives, SOLR is a more complicated search engine to implement. Not only does SOLR’s interface take longer to learn than Elasticsearch’s, its deployment also requires a little more knowledge than Elasticsearch’s.
If you’re looking for some added functionality that comes with additional work, then SOLR may work for you. However, in 99 cases out of 100, we would recommend Magento store owners opt for Elasticsearch.
No longer the latest and greatest in Magento Search
Sphinx is a powerful Magento search tool capable of searching multiple content types, with support for multiple languages. While not as powerful as the options above, it’s favored by a lot of Magento 1 stores due to its ease of integration.
Sphinx is currently used by Mozilla, Craigslist, and Dailymotion.
Fast Search From a Premium Module
By default, Sphinx doesn’t run as an external service but through an extension that can be downloaded from the Magento Marketplace. Despite this, it’s still capable of holding its own against the other options on this list.
According to its own documentation, Sphinx is able to deliver over 500 queries/second against a product catalog of over 1,000,000 SKUs.
In terms of its actual search capabilities, Sphinx includes a number of features you see with most of the other search engines listed here, including:
Synonym and plural form support
Long tail search
Stop word support
Sphinx also allows for multiple search types, including products, categories, attributes, and blog content. Its morphology preprocessors allow for different word forms to be replaced with their base form. In Sphinx’s example, this means translating Dogs into Dog. There are, of course, much more complicated use cases where this helps to provide unique and highly-relevant results for customers.
A Magento 1 Search Tool
While we always recommend using Elasticsearch, we’ve found that when Sphinx is used it tends to be with Magento 1 stores. If you’re running a Magento 2 store, Elasticsearch is a better option – especially if you’re just getting started or are in the process of replatforming from Magento 1.
If you’re interested in how to configure search on Magento 1, then we recommend checking out this article from Shero.
A powerful search engine used by a lot of large, popular sites
Years of development have made it stable
Not as well supported as alternatives
Lacks the speed of Elasticsearch and SOLR
MySQL was the original default search engine for Magento. While competent in its own right, it doesn’t compare to the enterprise options available. Moreover, the MySQL search option for Magento has now been deprecated; Magento 2 is configured to use the Elasticsearch search option by default.
The default MySQL search is also missing some other features you’ll find with SOLR or Elasticsearch, including suggestions, clustering, attribute weights, and tips when zero results are returned.
For this reason, we recommend avoiding the default MySQL search option. With the current ease of integration afforded by Elasticsearch, why wouldn’t you want more powerful search powering your Magento store?
It’s not nearly as powerful as other options
It has been deprecated
Expanding Magento Search Functionality Through Extensions
If you own a smaller Magento store and don’t want to invest in a dedicated search engine, then it’s also possible to expand the search functionality of Magento through extensions. These can be found and downloaded from the Magento Marketplace.
The Best Magento Search Engine
We recommend that all merchants make the move to Elasticsearch. Not only because it’s easy to integrate with your Magento store, but also because it provides numerous improvements over the alternatives.
While its speed and performance are comparable to SOLR’s, Elasticsearch does have a slight edge. It also allows consumers to make more complex searches with more relevant results, thanks to a number of additional features such as fuzzy searching, full indexing, and DSL query support.
In terms of development, Elasticsearch also provides much more in terms of official and community client libraries. This means that your developer is more likely to be able to handle and scale it efficiently. Combine this with its out of the box readiness on the Hostdedi container platform, and it becomes the clear search engine choice for most Magento stores.
WooCommerce doesn’t require a lot of day-to-day maintenance to keep it in peak condition. But, as winter comes to a close and the dust of the busy holiday season settles, spring is the ideal moment to take stock and make sure everything is working as it should be. A little spring maintenance will help your store remain fast and secure throughout 2019.
Update WordPress, Plugins, and Themes
WooCommerce stores should be updated regularly throughout the year, but the busy holiday season leaves little time for ongoing maintenance. If your store hasn’t been updated in a few months, now is the perfect time to spend a couple of minutes hitting the update button. Make sure that you’re running the most recent release of WordPress, WooCommerce, other plugins, and the store’s theme.
Updates help to keep your store safe from hackers and criminals by patching security vulnerabilities. If you don’t update regularly, you may be in for an unpleasant surprise later in the year.
Check Your Backup Procedure
We recommend that all WooCommerce stores are regularly backed up to at least two locations, one of which is a remote location. There are many services and plugins to help you back up your site. We covered some of the best in this post from last year.
Whichever method you choose, it should be checked regularly to make sure it’s still working. It is not uncommon for retailers to lose data because the backup they thought was keeping their store safe had stopped working. When you’re dealing with the aftermath of an attack or accidental data loss, there’s little more frustrating than finding that your backup scripts haven’t worked for the last six months.
Manually run a backup to make sure the process completes successfully, and then carry out a test restore on a staging or development site. You should be able to quickly recreate your store, and if you can’t, it’s time to rethink your backup strategy.
We’ve already covered updates, but it is also worth looking at plugins that haven’t been updated for a while. You can see when a plugin was last updated in the Plugins section of the Admin menu. If a plugin hasn’t received an update in a few months, you should investigate to ensure that it is still maintained.
Unmaintained plugins are not necessarily a security issue, but if a vulnerability is discovered in an unmaintained plugin, it won’t be fixed. If you have any plugins that are unmaintained installed on your store, try to find an alternative that is actively developed.
While you’re looking at plugins, this is also a good time to deactivate and uninstall any plugins that you aren’t using. It’s better to remove unused plugins because every plugin adds code to your store, and code that has been removed can’t cause security or performance problems.
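The update, backup and plugin checks above can be scripted so that a silently failing backup or an abandoned plugin is caught before it matters. The following is an added example in Python, not WordPress, WooCommerce or Hostdedi code: it builds a constructed backup archive in a temporary directory (with a SHA-256 sidecar, as many backup tools write), checks that the archive is fresh, intact and actually restorable, and then sorts a constructed plugin inventory into "update", "unmaintained" and "remove" buckets. The plugin names, thresholds and archive layout (`wp-content/` plus a `db.sql` dump) are assumptions.

```python
"""Added example: checks for the spring-maintenance steps (backup freshness
and integrity, test restore, unmaintained and unused plugins). Not WordPress or
WooCommerce code; the backup archive and plugin inventory are constructed."""
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

DAY = 86400


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(backup: Path, max_age_days: int = 1,
                 required=("wp-content/", "db.sql")) -> list[str]:
    """Return a list of problems; an empty list means the backup looks usable.
    Checks: the file exists, is recent, matches its .sha256 sidecar, and the
    archive can be read back and contains the members a restore needs."""
    problems: list[str] = []
    if not backup.exists():
        return [f"missing: {backup}"]
    age = (time.time() - backup.stat().st_mtime) / DAY
    if age > max_age_days:
        problems.append(f"stale: {age:.1f} days old (limit {max_age_days})")
    sidecar = Path(str(backup) + ".sha256")
    if not sidecar.exists():
        problems.append("no checksum sidecar")
    elif sidecar.read_text().split()[0] != sha256_of(backup):
        problems.append("checksum mismatch (archive corrupted or tampered)")
    try:
        with tarfile.open(backup, "r:gz") as tar:  # the cheap half of a test restore
            names = tar.getnames()
    except (tarfile.TarError, OSError) as exc:
        return problems + [f"unreadable archive: {exc}"]
    for req in required:
        want = req.rstrip("/")
        if not any(n == want or n.startswith(want + "/") for n in names):
            problems.append(f"archive lacks {req}")
    return problems


@dataclass
class Plugin:
    name: str
    active: bool
    update_available: bool
    last_release_days_ago: int


def audit_plugins(plugins: list[Plugin], unmaintained_after_days: int = 180) -> dict[str, list[str]]:
    """Sort plugins into the actions the checklist calls for."""
    report: dict[str, list[str]] = {"update": [], "unmaintained": [], "remove": []}
    for p in plugins:
        if not p.active:
            report["remove"].append(p.name)  # code that isn't installed can't be exploited
            continue
        if p.update_available:
            report["update"].append(p.name)
        if p.last_release_days_ago > unmaintained_after_days:
            report["unmaintained"].append(p.name)  # a vulnerability here won't be fixed
    return report


def make_sample_backup(root: Path, age_days: float = 0.0, corrupt: bool = False) -> Path:
    """Build a constructed backup (site files + DB dump) with a checksum sidecar."""
    src = root / "src"
    (src / "wp-content" / "plugins").mkdir(parents=True, exist_ok=True)
    (src / "wp-content" / "plugins" / "example.php").write_text("<?php // constructed\n")
    (src / "db.sql").write_text("-- constructed dump\n")
    archive = root / "site.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src / "wp-content", arcname="wp-content")
        tar.add(src / "db.sql", arcname="db.sql")
    Path(str(archive) + ".sha256").write_text(sha256_of(archive) + "  site.tar.gz\n")
    if corrupt:
        with archive.open("ab") as f:
            f.write(b"\0")  # damage the file after its checksum was recorded
    stamp = time.time() - age_days * DAY
    os.utime(archive, (stamp, stamp))
    return archive


def run_demo() -> dict:
    """Run every check against constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        good = make_sample_backup(Path(tmp) / "good")
        stale = make_sample_backup(Path(tmp) / "stale", age_days=200)
        bad = make_sample_backup(Path(tmp) / "bad", corrupt=True)
        findings = {"good": check_backup(good),
                    "stale": check_backup(stale, max_age_days=7),
                    "corrupt": check_backup(bad)}
    inventory = [  # constructed inventory; names are placeholders, not real plugins
        Plugin("woocommerce", True, True, 10),
        Plugin("example-gallery", True, False, 400),
        Plugin("old-slider", False, False, 900),
    ]
    findings["plugins"] = audit_plugins(inventory)
    return findings


if __name__ == "__main__":
    for section, result in run_demo().items():
        print(f"{section}: {result}")
```

Run as a scheduled job, the backup check is the part most worth keeping: the six-months-of-silent-failure scenario above is exactly what an age limit plus a checksum comparison catches, and listing the archive members is a cheap stand-in for the full test restore you should still do on a staging site.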
Run Performance Tests
WooCommerce stores evolve as new features are added, plugins are installed and uninstalled, and alterations are made to themes. These changes can impact performance, so it’s wise to run performance tests every once in a while to identify any issues. We recently published a detailed guide to performance and load testing your WooCommerce store.
Check Content for Freshness
The beginning of the year is an opportune moment to review the content you have published over the past few months. Blog posts and web copy can become outdated. Editing dated information ensures that content remains a valuable resource over the next year. Pay particular attention to the site’s About page; it should be updated to reflect changes in the business’s branding strategy and recent events.
With a couple of hours of spring cleaning maintenance, you can put your WooCommerce store in a strong position of reliability, security, and performance for the next year.
Every ecommerce store is unique. Merchants have a lot of choices to make before their store even goes live; choices including site design, customer base, and product curation. Yet underlying these choices is another, potentially more important one: which ecommerce CMS is right for delivering on those decisions?
In 2019, ecommerce sales will account for 13.7% of retail sales worldwide. By 2021, that number is expected to increase to 17.5%. Improved access, data-driven strategies, and mobile implementations are only a few of the reasons for this rapid growth. The continued development of ecommerce CMSs to match merchant and consumer expectations is another.
From Magento to WooCommerce, and beyond, the right CMS allows merchants to create a storefront that optimizes the buyer’s journey and increases sales.
This article takes a look at seven of the most popular ecommerce CMSs available to merchants. It breaks down the pros and cons of each and looks at which merchants should be using which. If you’re looking to set up a new ecommerce store, or are interested in exploring other possibilities, keep reading.
The Ecommerce CMS Comparison
Magento 2 is one of the ecommerce world’s most functional platforms. Capable of creating and managing more complex buyer journeys, the application is used by some big names, including Coca Cola, Warby Parker, and Nike.
Currently over 19% of the top 1 million websites use Magento, positioning it as the most popular ecommerce CMS for larger ecommerce stores. Part of the reason for this is its community. At the heart of Magento, vendors, developers, and merchants have come together to create an ecosystem that few other platforms can rival.
That ecosystem has continued to grow following Magento’s acquisition by Adobe. Integrations with Adobe technologies have continued to be expanded and improved, with many finding Magento 2 to be the “complete ecommerce package”.
Yet Magento isn’t right for all merchants. Development of the type of user experiences and buyer journeys offered by bigger brands requires a bigger investment. For this reason alone, Magento may simply not be the right choice for smaller merchants. Store management is also a more complicated process than with something like WooCommerce.
In addition to this, to truly take advantage of the Magento platform it’s important to find the right hosting provider. This is because Magento is a resource heavy application. If you choose Magento, look for Magento optimized hosting.
We recommend Magento 2 for merchants looking to create cutting edge online experiences that improve the bottom line. But it’s important to remember that this kind of development means a steep price tag.
Incredible functionality and capabilities
Great community that is constantly working to develop even better ecommerce solutions
Open source version is free
Often requires a developer for first time store owners
At this point, sites running on Magento 1 are generally ones that moved to the platform before the Magento 2 release. While Magento 1 is still a very capable ecommerce CMS, it doesn’t have some of the features and support you’ll find with the second version of the application. This is despite still having strong community support.
One of the main differences between Magento 1 and 2 comes in the form of security. Magento 2 supports improved security protocols, including a strengthened hashing algorithm for passwords and improved user management for admins.
To make matters worse, the upcoming June 2020 End of Life means that the M1 platform will no longer receive official support. This means many will have to replatform to either Magento 2 or another ecommerce application.
For new merchants interested in Magento, we recommend moving straight to Magento 2.
A history of success with a huge contingent of merchants
A supportive community that will continue to support the platform after its End of Life
Will be deprecated in June 2020
Doesn’t have a lot of the functionality and support you’ll find with Magento 2
Shopify is an easy to use SaaS ecommerce tool. Over the years it has grown from a small, simple application into a capable ecommerce storefront. In doing so, it has solidified its position as one of the more popular options available to merchants.
However, while great for beginners, as soon as merchants begin to see significant purchasing volume, Shopify’s problems start to make themselves known. Unlike alternatives such as Magento, Shopify’s custom functionality is still rudimentary. As a result, it does not allow for the same level of curation of the buyer’s journey. Over time, this can limit further merchant growth.
Despite this, Shopify has great support and security thanks to being a closed-source SaaS product. Many of the application’s optimizations all come as standard and are managed by Shopify themselves. This can be both a positive – as you know there is a team of experts behind your store – and a negative – in that you’ll have to wait for unique and cutting edge performance enhancements.
Still, Shopify is host to just over 10% of the top 1 million websites worldwide and the application is only growing in popularity for small and medium businesses.
If you’re looking for a simple, easy to use ecommerce CMS, then Shopify may just be the right choice. If, however, you’re looking to expand your online ecommerce experience and create something distinct, we recommend looking towards Magento.
Shopify takes a cut of all transactions on your site
Not as versatile as Magento
Sylius is a new addition to the ecommerce scene, and one that has repeatedly scored wins against competitors in terms of functionality and design. Currently the application of choice for a small number of sites, that number has grown rapidly, especially considering that the platform has only been around for a few years.
Perhaps one of the main barriers to entry for merchants looking to move to the Sylius platform is that it requires a developer to create a fully capable storefront. This is a double-edged sword for most merchants. It means that their storefront will likely be an unforgettable one with a curated user experience, but it can also cost a lot to implement properly.
Despite this, if you’re a merchant looking for a more advanced platform that offers capabilities that rival even the most advanced ecommerce CMS, then Sylius is probably one of your best choices. If you’re looking for something simple that you can manage yourself, we recommend that you continue reading.
Offers complete control over functionality
A great open source community
Is still relatively new
Requires a developer to create your site
BigCommerce (for WordPress)
If you’re looking to take full advantage of the content marketing opportunities available to merchants, then BigCommerce may be one of your best options.
Released in 2018, the BigCommerce for WordPress plugin has quickly grown, now offering merchants access to a clear and easy-to-use ecosystem that offers both powerful ecommerce functionality and content management.
It’s able to do this due to being a headless implementation of BigCommerce. This means that product management is controlled by the BigCommerce back-end, while front-end design and navigation are managed by WordPress.
BigCommerce does require merchants to pay an additional monthly fee. However, this means that you’ll have access to BigCommerce support (for help with the application) and potentially improved security.
Interested in learning more about the BigCommerce for WordPress plugin? Read the guest post by Topher DeRosia, currently Developer Evangelist for BigCommerce for WordPress.
Allows merchants to use both the product management tools of BigCommerce and the content management tools of WordPress
Relatively easy to use with great functionality
An additional monthly fee
Prestashop has been on the ecommerce scene since 2007. During that time, it has gone through several iterations. Available in both self-hosted form and as a SaaS platform, it now offers some great options for beginners looking to get started with a small ecommerce store.
Firstly, Prestashop helps to simplify daily management tasks by offering an easy to use interface. This includes intuitive labels and the ability to expand functionality through downloadable modules. We took a look at Prestashop and compared it to Magento, and found that in terms of number of downloadable add-ons, the application is almost on par with Magento.
But that’s about where Prestashop’s advantages end. In terms of customization, there’s not a lot you can do. If you’re looking for an ecommerce platform that allows you to create unique, memorable buyer journeys, we recommend looking elsewhere. Prestashop’s customizations pretty much start and end at color schemes, basic UI elements, and modules.
To date, just 2 Prestashop sites have made it into the top 10,000 sites worldwide, out of over 270,000 total live sites. This trend seems to be in keeping with the purpose and audience the platform is primarily designed for.
Easy to use and get started with
Not as up-to-date as alternatives
The final entry on this list should need no introduction. WooCommerce is the most popular ecommerce CMS available, with over 3 million live sites.
Like BigCommerce for WordPress, WooCommerce is a WordPress plugin. It expands the natural content management functionality of WordPress to include advanced configurations for ecommerce.
Because it lives inside WordPress, it serves merchants interested in content marketing and SEO while also providing a solid foundation for ecommerce and product management.
It’s especially good for small ecommerce stores that are either just starting up, or looking to manage most of their content and design in-house. Unlike most of the other CMS on this list, WooCommerce merchants have access to a huge range of pre-designed themes and customizations.
WooCommerce also provides merchants with the ability to expand functionality through extensions. These allow more control over payment processes, the buyer’s journey, and more.
Yet despite these capabilities, WooCommerce is still a simple ecommerce platform when compared with competitors like Magento and Sylius. Advanced customization still requires coding knowledge, and the WordPress platform limits what can be done.
If you’re a small business owner then we can’t recommend WooCommerce enough. However, if you’re already an established store, we recommend taking more control with another option on this list.
Free and open source
Easy to use and get started with
A huge range of different themes and extensions
Includes the great content management of WordPress
Not as functional as some of the alternatives on this list
Limited by the capabilities of WordPress
The Right Ecommerce CMS for You
Each application has its own advantages and disadvantages. Choosing the right CMS, much like choosing which products to sell, requires merchants to weigh both the resources available to them and their own preferences.
For medium and larger stores, we recommend adopting Magento 2. Not only is it a versatile platform that continues to grow, it also has an incredible community that’s both helpful and knowledgeable.
If you’re looking to be on the cutting edge of ecommerce, we recommend making the move to Sylius. While a relatively new platform, it has already proved itself with merchants worldwide. Contact the Sylius team to learn more about what it can do for your storefront.
Ecommerce sales will account for 13.7% of retail sales worldwide in 2019.
For those interested in content marketing and taking advantage of its relatively “new” appearance on the ecommerce scene, BigCommerce is going to offer a lot of tools you won’t find elsewhere. At the same time, it’s also going to allow better management of products.
For smaller stores, we recommend WooCommerce. With an easy to use interface and even simpler product management, it’s better than a lot of other “easy to use” and manage CMS available. Not sure how to get started? Follow our WooCommerce setup guide.
Dev sites allow you to make changes to your site without breaking it.
Whether refreshing your theme or applying a critical security update, sites are living environments that can react unpredictably to well-intentioned changes.
Any change, small or significant, can disrupt or even break your site when carelessly applied. Such disruptions torpedo both your sales and your customers’ trust. Properly executing these changes can be the difference between an unnoticeable hiccup and a prolonged outage.
If you already enjoy the services of a knowledgeable web developer, then you’re likely all set. If you’re not — or you have reason to suspect their qualifications — read on.
At Hostdedi, we host several content management systems, including WordPress, ExpressionEngine, Craft CMS, and Drupal. You can build just about any site with any of these content management systems, but each has strengths that make it a better choice for some projects than others. In this article, we will focus on Drupal and the projects to which Drupal is most suited.
Your Website Needs Flexible Content Management
Drupal is often thought of as a content management framework. It provides a set of tools and features that hosting clients can use to manage content, but Drupal doesn’t impose its opinion about how content should be organized. That’s ideal for large organizations with complex and heterogeneous content. Rather than fighting against a built-in content model, they can use Drupal to build a custom content model shaped by the requirements of their project.
Drupal’s fundamental content primitive is the node. All content is in a node (unless it’s a comment, in which case it’s attached to a node). A node can be an article, a page, a forum topic, or a custom content type. Content in nodes can be displayed on pages with endless flexibility.
Lots Of People Will Work On Your Site
Just as Drupal’s content model is supremely flexible, so are Drupal’s user management capabilities. Drupal user management is based on user roles, each of which can have different permissions. A user can be given multiple user roles that determine what they can do on the site. Drupal administrators can create as many user roles as they need.
Drupal’s user role and permissions model is ideal for sites with many writers, editors, and users.
You Need A Decoupled Content Management System
Drupal is architected to make building decoupled or “headless” content management platforms as easy as possible. Decoupling isn’t an afterthought in Drupal; it’s a core design principle. Drupal is an API-first content management system and that makes it much less challenging to build front-end applications and services that take advantage of Drupal as a back-end.
You Need Your Website To Scale
Drupal was built to support the largest and busiest websites. Its target users are enterprise organizations that receive millions of visitors a month, so it’s engineered to scale. Some of the largest publishing and promotional sites on the web are built on Drupal, including the Economist, OpenSource.com, Johnson & Johnson, Lady Gaga’s site, Al Jazeera, and many government sites.
Although Drupal is built to scale, web hosting plays a vital role in the performance, availability, and scalability of a Drupal site. To get the most out of Drupal’s scalability, choose a Drupal hosting platform that can grow with your business.
You Want To Build A Custom User Experience
Although Drupal includes a basic theme and it’s possible to install an off-the-peg theme, organizations that choose Drupal typically build a custom theme that reflects their branding and publication constraints. If your organization would prefer to use a premade theme, then WordPress may be a better choice. But if you value the ability to create a custom content model and complete control over the user experience, Drupal offers many advantages.
In summary, your website needs Drupal if it requires flexible content modeling and management, has many users with a multitude of roles, and you need a comprehensive array of tools to build a custom user experience.
WordPress sites and WooCommerce stores should be backed up. Every byte of data should exist in more than one location, including the files in the site’s WordPress directory (wp-config.php, themes, plugins, and uploads) and the data in its database. Sites that aren’t backed up have no way back from user error or a compromise. Sites with an off-site backup do: if something goes wrong, a backed-up site can be restored in minutes, while a site without a backup may be gone for good. The backup has to be off-site, because a copy kept on the same server is deleted or encrypted by the same attacker, or lost to the same disk failure, that takes out the site.
WordPress and WooCommerce can be backed up manually by copying the files and dumping the database, but it is easy to forget to do a manual backup. A backup that runs at the push of a button is better, and automatic backups that need no manual intervention are best of all.
If you have more discipline than average, you might choose to back up your site and its database manually, copying all of the database’s SQL and the site’s PHP files, images, plugins, and themes to a secure offsite location every day or two. For everyone else, a backup plugin is a good idea.
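For readers who do take the manual route, the script below is an added example (written for this page, not code from Hostdedi or from any of the plugins discussed) of what “copying the SQL and the site files to a secure location” looks like when done carefully: it dumps the database with `mysqldump` (assumed to be installed; the password is passed through the environment so it does not show up in the process list), bundles the WordPress tree and the dump into one timestamped archive, restricts the archive’s permissions because wp-config.php and the dump contain database credentials, records a SHA-256 digest beside it, and verifies the archive before you ship it off-site. The `demo_backup()` function builds a tiny constructed WordPress tree in a temporary directory so the whole flow can be run without a real site or database; the directory names and the `wp-backup-` prefix are this example’s own choices.

```python
import hashlib
import os
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def dump_database(db_name, db_user, db_password, out_path):
    """Dump one database with mysqldump (assumed on PATH; not exercised offline).
    The password goes in the MYSQL_PWD environment variable rather than argv,
    so it is not visible to every local user via `ps`."""
    env = dict(os.environ, MYSQL_PWD=db_password)
    with open(out_path, "wb") as fh:
        subprocess.run(["mysqldump", "--single-transaction", "--user", db_user, db_name],
                       stdout=fh, env=env, check=True)
    os.chmod(out_path, 0o600)


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_site(site_dir, dump_path, backup_dir, stamp=None):
    """Bundle the WordPress tree (wp-config.php, themes, plugins, uploads) and the SQL
    dump into one timestamped tar.gz, record its SHA-256 beside it, return (archive, digest)."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(os.fspath(site_dir), arcname="htdocs")
        tar.add(os.fspath(dump_path), arcname="database.sql")
    os.chmod(archive, 0o600)  # wp-config.php and the dump contain database credentials
    digest = sha256_file(archive)
    (backup_dir / (archive.name + ".sha256")).write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_archive(archive):
    """Re-hash the archive against the recorded digest and confirm it is readable and
    contains the files a restore needs. Returns True only if every check passes."""
    archive = Path(archive)
    recorded = (archive.parent / (archive.name + ".sha256")).read_text().split()[0]
    if sha256_file(archive) != recorded:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return {"htdocs/wp-config.php", "database.sql"} <= names


def demo_backup():
    """Back up a small constructed WordPress tree in a temp dir (no real site or database).
    Returns (verified, sorted archive member names)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed\n")
        (site / "wp-content" / "uploads" / "hero.jpg").write_bytes(b"\xff\xd8\xff")
        dump = Path(tmp) / "database.sql"
        dump.write_text("-- constructed dump\nCREATE TABLE wp_options (option_id INT);\n")
        archive, _ = archive_site(site, dump, Path(tmp) / "backups", stamp="demo")
        with tarfile.open(archive, "r:gz") as tar:
            members = sorted(tar.getnames())
        return verify_archive(archive), members


if __name__ == "__main__":
    ok, members = demo_backup()
    print("verified:", ok)
    print("\n".join(members))
```

The archive is only a backup once a copy exists somewhere the web server cannot overwrite it (`rsync`, `scp`, or an object-storage upload with credentials that can write but not delete), and only a trustworthy one once you have restored from it at least once on a scratch site. If the off-site location is not under your sole control, encrypt the archive before uploading it; it contains every secret in wp-config.php.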
VaultPress is a backup service owned and operated by Automattic. Part of the Jetpack suite of services, VaultPress is the easiest option for low-maintenance backups. It provides automated daily backups with unlimited storage and a 30-day backup archive at the Personal and Professional tiers. If you need longer-term backups, Jetpack Professional includes an unlimited backup archive.
UpdraftPlus provides a complete backup solution to copy all of a WordPress site’s data to any of a wide variety of storage solutions, including Dropbox, Google Drive, and Amazon’s S3. The free version includes scheduled backups and the ability to restore from the WordPress control panel. The premium version of the plugin adds a few storage options and incremental backups, a useful feature that backs up only the changes since the last backup, rather than sending everything with every backup.
BackupBuddy is a premium-only backup plugin that offers scheduled backups to a variety of storage solutions, including BackupBuddy Stash, which is managed by the plugin’s developers. In addition to complete backups, BackupBuddy also allows you to choose partial backups, such as files-only or database-only backups.
Duplicator is aimed at WordPress users with some technical knowledge because it offers far more configuration options than the user-friendly plugins we’ve already looked at. That makes it more flexible than other backup plugins, but also more complex.
Duplicator is a general tool for migrating, cloning, and moving a WordPress site. For example, it can be used by WordPress professionals to create pre-bundled websites so that the same configuration can be installed for multiple clients.
The premium version of the plugin, Duplicator Pro, includes more backup-focused tools, including scheduled backups to cloud storage, email notifications, multi-threaded backup for large sites, and premium support.
None of the plugins discussed here will stop an attack, but all of them make a WordPress site or WooCommerce store more resilient to attacks, malware, and user errors, because a known-good copy can be restored. Whichever you choose, test a restore at least once; an untested backup is not a backup. If you’d rather not pay for a premium plugin, the free version of UpdraftPlus is an excellent backup solution.
It’s a phrase uttered by parents, corporations, and law enforcement in relation to browsing and interacting with the web. We’re told it almost daily by internet watchdogs and security policies. But how careful are people actually being?
Over the last several years, expectations with regards to user interface (UI) and design have standardized. This has meant that many web users feel they have full control over the actions they perform online. This includes the products and services they buy and subscribe to, and the buyer’s journey they undertake.
Yet for UX designers, the truth is far “darker”. Years of behavioral research and design have gone into creating user experiences that trick buyers into purchasing and consenting to actions they otherwise would not have. These user experiences are what are known as “Dark Patterns” and they can be incredibly damaging to a store’s reputation and bottom line.
This article aims to provide store owners with a better understanding of what Dark Patterns are, and why they should be avoided. Keep reading to learn how to provide your customers with a user experience they return to time and time again and avoid delivering one they dread.
What Are Dark Patterns?
Before we go any deeper, think about your own buying experiences. Have you ever started out your buyer’s journey with a specific product in mind, only to find yourself lost in a maze of alternatives you don’t want? If so, you may have experienced dark patterns: techniques used by ecommerce websites to lure customers towards buying products and making decisions they may otherwise not have.
They do this by taking advantage of a user’s UI assumptions. Modern UI standardization has meant that most users just skim a page’s content instead of reading every word (imagine the time it would take to read each Amazon listing you look at). This allows for sites to make a page look like it’s there for one reason, when actually it’s serving an entirely different purpose.
“Dark patterns” have been around for (almost) as long as ecommerce sites have existed, but the term itself was coined in 2010 by Harry Brignull. Along with coining the term, he also registered darkpatterns.org, what he calls a “pattern library with the specific goal of naming and shaming deceptive user interfaces.”
Don’t think that Dark Patterns are rare. One recent study found 1,818 instances of Dark Patterns across roughly 11,000 ecommerce websites. What’s worse, the data indicated that the more popular a site is, the more likely it was to employ Dark Patterns in its UX.
Types of Dark Patterns
So what are these Dark Patterns? Harry Brignull identifies 11 dark patterns and outlines what each of them do on darkpatterns.org. Each of these patterns plays on a specific set of assumptions by users. Learning what they are helps you avoid falling into these traps yourself, or recreating them for your users.
Sneak into Basket
Where a site adds an additional item to your basket during the checkout process. This is often done through an opt-out checkbox.
Privacy Zuckering
Where a site convinces a consumer to provide more personal information than they want to. Often done by pulling social data.
Roach Motel
Where a consumer is easily able to get into a situation (such as a subscription service) that they then find difficult to escape.
Price Comparison Prevention
Where a site makes it hard to compare the prices for two items to prevent a consumer from making a more informed decision.
Misdirection
A classic: focusing a customer’s attention on something that distracts them from another important piece of information.
Hidden Costs
Where the last step of the checkout process presents costs that weren’t clear previously.
Bait and Switch
When a consumer sets out to do one thing but the site leads them towards something else.
Confirmshaming
Where opt-out options are worded to shame a consumer into staying opted in.
Disguised Ads
Where adverts are disguised as content to encourage clicks from a customer.
Forced Continuity
When a free trial comes to an end and the service automatically charges a customer.
Friend Spam
When a product asks a customer to share and send a message to their friends through social media or email.
Why Are Dark Patterns Bad?
You could be forgiven for thinking that Dark Patterns aren’t that bad. After all, they’re present in many everyday online activities everyone takes part in. Recently, a Norwegian watchdog group called out Facebook for steering “us into sharing vast amounts of information about ourselves, through cunning design, privacy invasive defaults, and “take it or leave it”-choices.”
But by tricking users into making decisions they otherwise wouldn’t, Dark Patterns create a bad user experience. For store owners, this can lead to a loss of returning customers and brand loyalty, and an overall downturn in a store’s performance.
It’s not just a store’s performance and reputation that is at stake. Dark Patterns have also become more relevant following the enforcement of GDPR. Several of the Dark Patterns identified above cause issues regarding consent and to what degree it is given willingly.
If a pattern is deemed “Dark” enough that a user has been tricked into consenting to something they had no knowledge of, it’s very possible for a site to find itself in breach of GDPR. Similar privacy laws and regulations are also finding their feet across the pond in the US.
Most recently, this has been in the form of the Deceptive Experiences To Online Users Reduction (DETOUR) Act. This act aims to stop large online platforms from using deceptive user interfaces that trick users into giving away information they don’t want to. Social media companies are particularly under fire.
“For years, social media platforms have been relying on all sorts of tricks and tools to convince users to hand over their personal data without really understanding what they are consenting to. Some of the most nefarious strategies rely on ‘dark patterns’.”
Sen. Mark Warner
Examples of Dark Patterns
A look at Dark Patterns wouldn’t be complete without some examples identified by Harry and the wider world of Dark Pattern seekers. If you’re interested in seeing a full list – or getting involved – visit the Dark Pattern Twitter to see more.
Free But Not
The example below is perfect for showcasing how font size can be used to manipulate a fast clicker. While the ad offers a free magazine and giant mug, the small print says something else. And it’s not just £1 extra either. That’s on top of the standard £4.99 charge. This definitely counts as hidden costs.
Another common example of Dark Patterns at work and one that anyone who has tried to cancel online subscriptions has probably experienced. The use of confusing wording here acts as a bait and switch, in which the user is unsure what clicking each button does. Which button do you think you need to press to cancel your service?
A clear example of Sneak Into Basket by Microsoft. Once ticking the agreement box, the subscribe box is also automatically ticked. This could easily be missed by anyone who clicks through too quickly.
Facebook At It Again
As we already stated, social media networks are often accused of Dark Pattern tactics. In a classic Bait and Switch, the example above leads users to believe they have notifications before logging in. Once they’ve logged in though, there are no notifications waiting for them.
Ever get into a situation you can’t get out of? That’s exactly what happened to James Urteaga, who signed up to a subscription service easily but then had to call customer support to cancel. These calls are not usually quick calls to say goodbye, they are often packed with sales tactics trying to keep you signed up.
When in doubt, make a tool that doesn’t work (didn’t send any of my faxes) and have it be as difficult as possible to cancel a free trial @darkpatterns#darkpatterns There isn’t even a numbered option to cancel on the phone system, 15 minutes on hold… awesome. pic.twitter.com/WI9ChryBgB
A common example from Samsung Health above. Automatically selecting consent options doesn’t mean a user is giving consent. This is a typical example of Privacy Zuckering as it is causing the user to provide more information than they want to.
Avoiding these patterns is an easy win for a lot of ecommerce stores. Sure, Dark Patterns may lead to an increase in sales or leads in the short term, but long term they have a much larger impact on your store and its reputation.
For many users, the frustration caused by the experiences outlined above means they will never return or will look for alternatives the next time they need a similar product or service. They may not even know they have experienced a Dark Pattern, instead just feeling that their buyer’s journey could have been better.
Domain Name System (DNS) is a critical component of every website or eCommerce store. If DNS doesn’t perform, a site can’t be fast, and if a site is slow or unavailable, DNS is one of the first things to check. In this article, we explain what DNS is, how it can affect your site, and how you can test DNS to make sure it’s working correctly.
DNS is responsible for translating a domain name like nexcess.net into an IP address that computer networks understand. When a user clicks on a link or enters a URL in their browser, the browser (through the operating system’s resolver) asks a recursive DNS server whether it knows the associated IP address. That recursive server is usually operated by the user’s ISP, although public ones such as Google’s 8.8.8.8 and Cloudflare’s 1.1.1.1 are also available.
If the recursive server has the answer cached, it returns it to the browser. If it doesn’t, it walks the DNS hierarchy. In the case of nexcess.net, it asks a root server which servers are responsible for the .net top-level domain, asks one of those which name servers are authoritative for nexcess.net, and finally asks one of those for the record itself. The answer is then cached for the time-to-live (TTL) set on the record, which is why repeat lookups are fast. All of this is spread out geographically: root, top-level, and major authoritative servers are replicated all over the world, so the copy that answers is usually one close to the resolver asking.
Is DNS Slowing Your Site Down?
DNS lookups should be a small proportion of your site’s total load time, but they sit at the very start of it: the browser cannot even open a connection until it has an IP address, so nothing else happens while it waits for the DNS response. If you’ve ever clicked on a link and watched your browser sit there before anything loads, a slow DNS response is one likely reason.
Ideally, DNS lookups should take less than 100 milliseconds from any part of the world from which a site gets substantial traffic. A web performance tool like Pingdom can tell you how long each lookup takes from locations around the world. There are several possible causes for slow DNS lookups. If lookups are slow for you but fast from elsewhere in the world, the problem is most likely your ISP’s resolver. If lookups are slow from everywhere, the problem is most likely your domain’s authoritative DNS host. The fix for the latter is to host your domain’s records with a DNS provider that serves them from many locations worldwide.
Have Your DNS Records Propagated?
DNS is a hierarchical and geographically distributed system with many thousands of individual servers spread across the globe. When a site owner edits the DNS records of their site’s domain, the new records have to be synchronized with servers around the world — a process called DNS propagation.
Propagation isn’t instantaneous. How long it takes is governed mainly by the time-to-live (TTL) on the old records: resolvers that cached them before the change keep answering with the old values until that TTL expires, which is why the usual advice is to allow up to 24 hours (and to lower the TTL well ahead of a planned change). A resolver that recently received a “no such record” answer may also keep serving that negative result for a while. In consequence, when the site owner or a user tries to visit the site, they may not get the expected results.
This can be confusing and frustrating for web hosting clients who want their domain to work immediately, but propagation takes time. Hostdedi developed a tool to help hosting clients figure out how far DNS propagation has progressed for their domain. Enter your domain, and the tool will tell you which DNS servers around the world have your DNS records.
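To make the two checks above concrete (how long a lookup takes from a given resolver, and which resolvers are still handing out old records), here is an added example written for this page; it is not Hostdedi’s propagation tool or any other existing utility. It speaks the DNS wire format directly using only the Python standard library: `build_query` produces an A-record question, `parse_response` decodes the answer (including the name-compression pointers every real response uses), `timed_lookup` sends the query over UDP and measures the round trip, and `propagation_report` compares the address sets returned by several resolvers against the ones you expect. The resolver addresses 8.8.8.8 and 1.1.1.1 are the real Google and Cloudflare public resolvers mentioned in the article; nexcess.net is the domain the article uses; the 192.0.2.x and 198.51.100.x addresses in the usage notes are documentation ranges constructed for illustration, not real records.

```python
import random
import socket
import struct
import time

# Public recursive resolvers named in the article (real addresses).
PUBLIC_RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1"}


def build_query(name, qtype=1, txid=0x1234):
    """Build a single-question DNS query (RFC 1035) for `name`; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD (recursion desired)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data, txid):
    """Return (rcode, [(name, ipv4, ttl), ...]) for the A records in a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")  # cheap check against forged replies
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record; CNAME/AAAA etc. are skipped, not decoded
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return flags & 0x000F, answers


def timed_lookup(name, resolver_ip, timeout=2.0):
    """Query one resolver over UDP; return (milliseconds, rcode, answers). Needs network."""
    txid = random.randint(0, 0xFFFF)  # random ID so a forged reply is unlikely to match
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(build_query(name, txid=txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.monotonic() - start) * 1000
    finally:
        sock.close()
    rcode, answers = parse_response(data, txid)
    return elapsed_ms, rcode, answers


def propagation_report(expected_ips, answers_by_resolver):
    """Given {resolver: set of IPs it returned}, list the resolvers not yet serving the new records."""
    expected = set(expected_ips)
    return sorted(r for r, ips in answers_by_resolver.items() if ips != expected)


if __name__ == "__main__":
    domain = "nexcess.net"
    seen = {}
    for label, ip in PUBLIC_RESOLVERS.items():
        ms, rcode, answers = timed_lookup(domain, ip)
        seen[label] = {addr for _, addr, _ in answers}
        print(f"{label:10} {ms:6.1f} ms  rcode={rcode}  {answers}")
    first = next(iter(seen.values()))
    print("resolvers disagreeing with the first:", propagation_report(first, seen))
```

Run it from several networks (your office, a VPS in another region, a phone on mobile data) to reproduce the “slow for me, fast elsewhere” test from the previous section; the TTL in each answer also tells you how long a resolver that still holds the old record will keep returning it. The transaction-ID and QR-bit check in `parse_response` is the minimal sanity check any client should do, but it is no substitute for DNSSEC validation or DNS over TLS/HTTPS if you care about answers being tampered with in transit.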