Security Experts Review: Pros and Cons of Top eCommerce Platforms

Vast is the world of eCommerce platforms, and often, confused is the eCommerce merchant who is choosing their platform for the first time, or simply looking for a new platform to call home. While there’s a plethora of eCommerce platforms to wade through and choose from, we will look at a select handful of the most popular ones on the market today, with input concerning the security offering of each solution. It’s highly recommended to think of your security needs at the beginning of your eCommerce journey, or whenever you are switching platforms; because it’s much more challenging to implement security elements, or to discover you are unhappy with your platform, at a later date.

In addition to security, it’s important to understand which platform will meet your needs in terms of pricing, functionality, ease of usage, and the options available to customize your online store. Selecting the right platform for your business will empower you to produce memorable customer experiences, conduct your business operations with efficiency, and fuel growth.

Without further ado, let’s compare the leading eCommerce platforms; we will look at what’s great about them, what’s not so great, and what we think of their security offering.


Google trends show that eCommerce merchants favor Shopify above all other platforms (at least, in the U.S.). Shopify’s strong point is that the eCommerce site does not need to be hosted elsewhere in order to utilize the platform. The widely popular eCommerce SaaS proclaims that “anyone, anywhere, can start a business” - and indeed, Shopify doesn’t require proof that you own an actual business to set up shop.


Shopify offers a two week free trial period for new users, and from there, subscriptions range from $9 - $299/month, depending on the functionality desired. It’s great value for your money, especially considering you receive customer service that is available day and night. Shopify also boasts easy social media integration, and an unlimited number of products, file storage, blog modules, and product reports, all in its Basic plan, while the platform’s extension store includes several hundred extensions and themes. The Advanced Shopify plan offers extra features, including calculated carrier shipping and advanced customer reporting.

You are also able to use a diverse array of payment options, such as bank deposits, PayPal, Stripe, and cash on delivery. As an added bonus, the platform is also available both online and offline.


Because Shopify hosts your site, Shopify is in charge of your online store and your customer data - not you. Shopify also features limited free store templates, with themes for purchase costing up to $180. The Advanced Shopify package we mentioned above will run you $299 per month. For a small business, these costs add up. Additional customization features are available, but at extra cost. We did not find the checkout process user-friendly; for instance, the discount code field is very well hidden. We also did not find creating sub-categories an easy endeavor.

Unfortunately, Shopify is not a friend to SEO, as you are required to use a standard URL structure. Another point of contention is that Shopify uses its own unique open-source template language called “Liquid,” which hinders widespread usage. Finally, Shopify charges an extra transaction fee for each sale if you do not use Shopify Payment.


Shopify controls the security and the upkeep of the platform for its clients. But just because the company manages security, does not mean it doesn’t experience hiccups - in 2019, an API vulnerability allowed bad actors to glean private customer data from Shopify. Last year, Shopify informed its clients that two of their own team members stole customer data from merchants using their software. The responsible party was found guilty this year of stealing Shopify customer data from over one hundred merchants.

To check your Shopify site for vulnerabilities, use a security scanner on your site to ensure you don’t have malware or malicious links lurking on your site. While 2-factor authentication is an innate part of Shopify, it’s important to take additional measures to protect your login credentials, such as using at least 8-10 characters in the body, with a mixture of uppercase and lowercase letters, numbers, and special characters. Make sure you do not re-use your Shopify password on any other site, in order to keep your business safe in case your credentials are compromised elsewhere on the web. Check out our two part series on password hygiene and two-factor authentication for extra tips and tricks.

If you’re using the Shopify API, it means that your API keys are akin to a password. Never ever share your API keys, and ensure that your code does not reveal the keys either.

If you choose to use third parties, like a payment gateway, ensure that the company is following the correct online security standards and regulations.

Our Thoughts

Beginners and perhaps less-than-tech-savvy users will find Shopify easy to use and intuitive. But the security incidents we mentioned, and functionality, such as less-than-friendly-SEO-aspects, mean that Shopify is a step behind its competitors. Because it’s best suited for beginners, it’s not ideal for multinational businesses who perhaps need a bit more leeway to customize their solutions.


PrestaShop is a popular open-source PHP-based eCommerce platform that boasts a user base of 300,000 merchants and an excess of 1 million community members. Users of this platform can choose to use the software hosted in the cloud, or download it directly from the PrestaShop website.


This platform is ideal for both new and experienced eCommerce merchants, and the large community means that new features are constantly being added to the software. The platform is simple to install and manage, and we found the admin panel easy to use and navigate. The attention to user experience in this platform means that making changes to your online store is a breeze.

PrestaShop supports a MySQL-based database system, and provides an access of 500 built-in goodies, including advanced SEO features, unlimited listings, a smorgasbord of payment options, advanced navigation, and customized promotions. It also offers the ability to create multilingual web shops with 75 languages included out-of-the-box.

The flexible and customizable platform allows you to install thousands of themes and extensions from the PrestaShop Marketplace. The software also purportedly boosts the loading speed of your website.


While PrestaShop is appropriate for beginner and intermediate level businesses, it may not be suitable for larger businesses, as it’s not possible to cross-sell products nor to add attributes to products. It’s also worth noting that the modules and extensions needed for a fully functioning eCommerce web shop are on the pricier side when compared to its competitors.

PrestaShop also does not support a multi-currency setup out-of-the-box.

As with other open-source platforms, PrestaShop is free to use. Still, users need to pony up funds for hosting, SSL certificates, domain, and any paid extensions required for their web shop’s functionality.


This platform is considered secure, but as with other open-source platforms, it’s your responsibility to ensure proper configuration and security within the web shop. PrestaShop has been open in the past with vulnerabilities discovered, but they were fixed quickly.

Ensure you keep your PrestaShop version updated to avoid bad actors exploiting known bugs against your system. Enable your SSL certificate via your PrestaShop admin panel to encrypt your data in transit. Rename your admin folder for additional security, and delete all unnecessary files after you have either upgraded or installed a new version of the platform.

Deny access to the templates and files of your theme by utilizing the .htaccess file. Use this same file to create an additional layer of security, such as restricting access to your admin panel, and securing backend files. Generate backups for your store, to protect your business in case of a hack or downtime.

Utilize the settings in your admin panel to turn on the usage of cookies, but remember to inform your customers that your business uses cookies, as per GDPR regulations.

SQL injection and cross-site scripting are common methods of attacks against PrestaShop sites, so pay particular attention to the types of security measures you select - it's wise to ensure they protect against these particular threats.

Our Thoughts

PrestaShop is notably easy to use, and thus, it’s a great option for smaller businesses, or businesses that require a simple web shop. Merchants that need a high level of scalability and performance may want to look elsewhere.


This powerhouse of a platform is wildly popular across the world, and it’s no wonder - WooCommerce supplies its customers with exceptionally customizable options for the functionality and the aesthetics of an online shop. Litextension found that WooCommerce had the greatest number of live websites in their study, at a staggering 2,789,626 to date. WooCommerce itself is an extension created for the WordPress platform, but clearly, it has taken on a life of its own.


The open-source software is free to use and distribute with a royalty-free license. As with other open-source platforms, this means the merchant is responsible for hosting, domain, and everything else that comes with running a web shop. WooCommerce allows merchants to utilize any one of thousands of WordPress themes that are available. The ease of usage makes this a great option for beginners, especially if you’re familiar with WordPress.

The platform is widely customizable, with a huge assortment of extensions available. Merchants are able to tailor their stores down to the T, with access to endless design and functionality options via third-party software. WooCommerce also provides an unlimited number of products, and product categories. The platform offers a diverse array of plugins, including ones that boost SEO. On top of all that, WooCommerce allows the merchant to retain control of their data.

WooCommerce includes payment options through PayPal and Stripe, as well as bank transfers and cash on delivery.


With WooCommerce, you will need to pay another provider to run your online store, including hosting, SSL certificate, and domain. Setting up your WooCommerce shop may take a good while, as the process includes acquiring a domain name, installing WordPress, establishing a theme, and installing the (free) WooCommerce plugin. WooCommerce also sets a limit on file storage.

The platform does not support bundled products out of the box, nor does it support product swatches or PDF invoicing. Of course, these missing elements can be purchased as extensions, but this runs up the cost of using the platform.


Because WooCommerce is a WordPress extension, it’s quite vulnerable to bad actors who are attracted to the widely-used platform. The platform relies heavily on extensions itself, which makes it an easy target. Just this year, a WordPress data breach exposed 100,000 websites through a vulnerability in the responsive menu plugin. Last year, WordPress malware was found to be collecting data from WooCommerce.

We recommend the following measures to secure your WooCommerce site:

A security plugin or a scanner will help to proactively block attempted attacks, and a firewall will protect your site against bad actors. An SSL certificate will ensure that the data you transmit is encrypted, while enabling 2-factor authentication for your login page provides an extra barrier against bad actors trying to guess your login credentials. Modifying your default username from “Admin” to just about anything else is another simple way to increase your security on WooCommerce; simply add a new user with administrative rights, log in to your new account, and delete your old account.

Limit login attempts to curb brute force attacks, and implement tougher requirements on passwords for user accounts. Ensure that all of your employees’ accounts have the least amount of privileges required to perform your job, as granting everyone admin rights increases your chances of control of your store falling into the wrong hands. Use an activity log to keep track of comings and goings on your website, and to understand suspicious behavior - if you and your employees are located in India, it would be strange to see login attempts from Portugal.

To edit or access your WordPress files, use an FTP client such as File Manager. The most critical file in your system is the wp-config.php file which contains a large amount of sensitive data about your site, such as your database connection details and your security keys. Safeguard this file by granting only yourself access to the file; furthermore, block the editing of specific files altogether by disabling file editing. Finally, keep your website up-to-date, and keep a backup of your site in case of downtime or a cyber attack.

Our Thoughts

While WooCommerce offers ease of usage for beginners and for WordPress aficionados alike, the security risks must be considered. The merchant that uses WooCommerce must be diligent in installing and running security measures, and utilizing security audits and penetration testing.

Adobe Commerce (Magento)

Magento is a giant in the world of eCommerce, with both small business and large corporations favoring the open-source platform. Most Fortune-500 companies, such as Nike and Samsung, utilize the platform because it’s customizable, feature-rich, and scalable. In 2020, Litextension’s in-house data confirmed that Magento is one of the three platforms that merchants use, with only a handful of merchants migrating to other providers (by the way, the other top two were WooCommerce, and Shopify).


Magento provides a seamless user experience, and it’s highly scalable to boot. The open-source platform offers endless possibilities to customize your online store, along with thousands of extensions and applications. The software can be downloaded free, and Magento does not charge transaction fees. This means the Magento Open Source edition is free, while its premium sibling, Magento Commerce, will set you back a cool $1600/month.

Magento generously allows an unlimited number of products (along with a robust catalog management system), and boasts more than 100 free store themes. The behemoth platform is completely SEO-friendly, and comes loaded with a large community of users and enthusiasts. The platform is also mobile-friendly, is easy to integrate to third parties, and offers built-in cross-selling options. The content management system is simple to use, and the entire store can be overseen from the backend.

The platform uses Elasticsearch, a robust search engine that provides a high level of functionality, such as custom sorting and filtering. Varnish caching ensures a reduced page load time by decreasing the load on the server, meaning eCommerce shops running Magento can easily attain page load speeds as fast as 1-1.5 seconds.


Alas, dear merchant - nothing is free in life. While customization in Magento is free, it’s on the more complex side of things. Unless you are a Magento whiz, you will most likely want to hire a professional developer to work on your store, as you will need to install the platform, and configure a server before use. You will also need to find a hosting provider, and a domain name for your business (if you opt not to use Magento’s own cloud hosting service). Magento also does not provide 24/7 customer support. You are on your own, valiant merchant.


For comparison’s sake, the minimum non-platform specific security measures needed for Magento are similar to those required for WooCommerce (see above). Magento offers several levels of security permissions which may be managed internally. When compared to its counterparts, the platform is essentially more secure and stable because it uses HTTPS/SSL and WAF (if you opt to utilize Magento’s hosting solution). However, a Magento store must be appropriately configured in order to be considered secure. Furthermore, you are responsible for the security of your servers (along with the configuration of the platform). We wrote an entire blog post about the minimum security requirements and tools needed to run your eCommerce shop via Magento - check it out here.

Our Thoughts

For us, the pros outweigh the cons, as the customizability and flexibility that extends to content, design, and functionality that Magento provides far outweighs the fact that technical skills are required to install and work on the shop. Also, consider that while you can work on your Shopify or WooCommerce store yourself, oftentimes, you will still want outside teams to work on your shop, especially if you run a larger business. While scalability of this platform is almost infinite, it may be overkill for the beginner merchant. However, Magento is perfect for the merchant that needs a rock-solid platform that can power their business operations for a long time.

In Closing

There is no one size fits all when it comes to eCommerce platforms - it all depends on your individual business needs, and the needs of your customers. That’s why we can’t recommend one platform above the other, as you may have a small Etsy shop you want to scale up, or you may run a large corporation that has outgrown their current platform. In any case, it’s important to never rely entirely on a platform for your security needs (even though it should tick certain security boxes for your needs). Use the age-old adage of “trust but verify,” and utilize services such as a Security Audit and a Penetration Test to understand the weak points of your individual online business. During Lokte’s Security Audit, we identify and study the vulnerabilities in your system to ensure it cannot be compromised and that your sensitive data remains safe. Our Penetration Testing shows where you’re most likely to face an attack and illuminates the weak points before bad actors get a chance to exploit your eCommerce solution. Get in touch with us today to learn more about our security services!