Ecommerce malware: why platform sites get hacked and bespoke ones don't.

Most ecommerce security problems trace back to the same root cause - known vulnerabilities in widely used plugins and platforms. Understanding why changes how you think about what your shop is built on.

Security · Updated June 2026 · ~12 min read

In over 29 years of building ecommerce websites, we have never had a Futurestore-built shop compromised by malware. That's not luck. It's a direct consequence of how the shops are built.

This guide explains why ecommerce malware is overwhelmingly a platform problem - specifically a WordPress, WooCommerce, and third-party plugin problem - and why a bespoke-built shop sidesteps the vast majority of it by design.

How ecommerce malware actually works

The popular image of a hack is a skilled attacker targeting a specific business. The reality for most small ecommerce sites is different. The majority of attacks are automated - scripts running continuously across the internet, scanning millions of URLs looking for sites that match known vulnerability patterns.

These scripts aren't looking for you specifically. They're looking for any site running:

  • WordPress version X.Y with a known unpatched flaw
  • WooCommerce plugin version below a certain number
  • A specific popular plugin - booking systems, form builders, sliders, page builders - with a published exploit
  • A particular theme with an unpatched vulnerability

If your shop matches the pattern, the script logs it and an attack follows - or the access is sold. Your business isn't the target. Your software version is.
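The scanning described above leaves a recognisable trace in a web server's access log. The following Python script, added here as an example and not part of Futurestore's code, flags client IPs that request WordPress-only paths on a shop that does not run WordPress; the log lines and path list are constructed for the example.

```python
"""Flag automated platform-vulnerability scanners in web server access logs.

Added example, not Futurestore code; the log lines below are constructed.
A shop that does not run WordPress never legitimately serves WordPress paths,
so any request for one is a scanner fingerprinting the site.
"""
import re
from collections import defaultdict

# Common Log Format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Paths that exist only on a WordPress or WooCommerce install (assumed list).
WP_MARKERS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/",
              "/wp-content/", "/wp-includes/", "/wp-json/")

SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [01/Jun/2026:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153
203.0.113.7 - - [01/Jun/2026:10:01:03 +0000] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 404 153
198.51.100.4 - - [01/Jun/2026:10:02:10 +0000] "GET /products/blue-widget HTTP/1.1" 200 8123
198.51.100.4 - - [01/Jun/2026:10:02:14 +0000] "GET /checkout HTTP/1.1" 200 6011
192.0.2.9 - - [01/Jun/2026:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 153
"""

def parse_line(line):
    """Return the fields we care about, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}

def is_platform_probe(path):
    """True when the path belongs to a platform this shop does not run."""
    return path.startswith(WP_MARKERS)  # str.startswith accepts a tuple

def scanner_ips(log_text, threshold=2):
    """Map each IP with at least `threshold` platform probes to its probed paths."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_platform_probe(rec["path"]):
            probes[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in probes.items() if len(paths) >= threshold}

if __name__ == "__main__":
    for ip, paths in scanner_ips(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} platform probes, first {paths[0]}")
```

On a platform-based shop the same paths are legitimate traffic, so this check only works because the bespoke shop has no reason to serve them; there, a 404 burst against them is the signature of a scanner moving on.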

Why WordPress is the main target

WordPress powers around 43% of all websites. WooCommerce runs on WordPress and is the most widely used ecommerce platform in the world. That market dominance is precisely what makes it a target.

When a security researcher - or attacker - finds a vulnerability in a popular WordPress plugin, they have potentially found a way into millions of sites simultaneously. Publishing that exploit (or selling it) is far more productive than finding a flaw in a one-off custom build.

The WordPress plugin ecosystem makes this worse, not better. A typical WooCommerce shop runs 20-40 plugins. Each plugin is written by a different developer. Each has its own update schedule, its own security track record, its own support lifespan. A plugin that was actively maintained in 2022 may be abandoned by 2025. A plugin bought by a new owner after its original developer moved on may have no one reviewing its code at all.

The numbers behind WordPress vulnerabilities

WPScan - the WordPress vulnerability database - lists over 50,000 known vulnerabilities in WordPress plugins and themes. New ones are added weekly. A site running 30 plugins has 30 separate pieces of software to keep patched, each with its own vulnerability history.

What happens when a site is compromised

Ecommerce malware typically does one or more of the following:

  • Card skimming - malicious JavaScript injected into the checkout page captures card details as customers type them and sends them to an attacker's server. Customers see nothing wrong. The shop owner sees nothing wrong. Victims only find out when their card is used fraudulently.
  • Redirect attacks - visitors are silently redirected to phishing pages or malware-serving sites, often only when arriving from a search engine so the owner doesn't notice.
  • SEO spam injection - hidden links and pages are added to the site to boost other sites' search rankings, which can result in the shop being penalised or removed from Google's index.
  • Data theft - customer records, email addresses, and order history are exfiltrated. Under GDPR, this is a notifiable data breach with potential fines.
  • Ransomware - the site is locked or defaced and a payment demanded to restore it.

None of these are theoretical. They happen to real UK small businesses every week. The shops that get hit are almost always running WordPress, WooCommerce, or a plugin-dependent platform.

What about Shopify?

Shopify's core platform is maintained by a large security team and is generally well-protected. But Shopify shops are not immune. The attack surface is the app ecosystem.

Shopify apps are third-party software built by independent developers. They have access to your store's data - products, customers, orders. A compromised or malicious Shopify app can exfiltrate that data or inject code into your storefront. The Shopify app store has had multiple incidents of apps being found to contain malicious code or being acquired by bad actors after the original developer stopped maintaining them.

The more apps your Shopify store uses, the larger this risk becomes.

Why a bespoke shop is structurally different

A bespoke shop built by Futurestore doesn't run WordPress. It doesn't use WooCommerce. It doesn't have a plugin ecosystem. It doesn't have a public-facing admin login page at a predictable URL that automated tools know to probe.

The shop is purpose-written code running on a managed server. There are no third-party plugin developers whose update discipline you're depending on. There are no known exploit databases that list vulnerabilities in the software your shop runs.

Automated scanning tools that systematically find weaknesses in WordPress installations find nothing to probe on a custom-built shop. The attack patterns simply don't apply.

This doesn't mean a bespoke shop is theoretically perfect - no software is. But it means the automated, mass-market attacks that compromise thousands of WooCommerce shops every month don't work against it.

The maintenance difference

Platform-based shops require ongoing security maintenance just to stay safe: WordPress core updates, WooCommerce updates, individual plugin updates - each one carrying the risk that an update breaks something, and each one that isn't applied carrying the risk of a known vulnerability being exploited.

This isn't a theoretical concern. "Deferred updates" - sites running outdated software because the owner didn't want to risk breaking the shop with an update - are one of the most common reasons shops get compromised. It's a genuine operational dilemma: update and possibly break something, or don't update and remain vulnerable.

A bespoke shop doesn't have this problem in the same way. The codebase doesn't change unless you want to change it. There's no plugin developer pushing an update that conflicts with another plugin. Security fixes, when needed, are targeted and controlled rather than a rolling dependency management exercise.

The GDPR dimension

A compromised ecommerce shop almost always means a data breach. Under GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours. Depending on the nature of the breach, fines can be significant - up to 4% of annual turnover or £17.5 million, whichever is higher.

For a small business, the regulatory response to a breach - notification letters, ICO reporting, the reputational damage with customers - can be more damaging than the breach itself. The security architecture of your shop is not a technical detail. It's a business risk decision.

Summary

Ecommerce malware is not a random event. It's a predictable consequence of running software with known vulnerabilities. Platform-based shops - WordPress, WooCommerce, Shopify with many apps - are targeted because their attack surface is known, documented, and exploited at scale.

A bespoke-built shop removes most of this attack surface by design. The absence of WordPress, WooCommerce, and third-party plugins means the automated tools that compromise thousands of shops a month have nothing to find.

In 29 years of operating, Futurestore has not had a single bespoke-built client shop compromised by malware. That record is a function of architecture, not luck.

Security is built in, not bolted on

Every shop built by Futurestore uses purpose-written code with no third-party plugin dependencies. No WordPress. No WooCommerce. No exposed admin login at a predictable URL. Get a secure ecommerce website - futurestore.co.uk or call 01209 706544.