The WooCommerce Plugin Stack We Deploy for a $1M/Year Store

Every WooCommerce store we inherit at a million dollars a year is running between 40 and 70 active plugins. Every one we ship from scratch runs 14. The difference is not ideology. It is that an extra plugin is a permanent liability: another cron target, another update that can break checkout on a Friday night, another WAF rule set to collide with the one you already trust. After building and auditing more than 250 Woo stores at WitsCode, the stack below is what we land on when performance, security, and conversion all have to sit in the same room.

This is not a listicle. Each slot is one plugin because we have killed the others in production. We also tell you what we refuse to install, because the avoid list is where most of the real money leaks.

How We Choose: One Job, One Plugin, Zero Overlap

The single biggest mistake at scale is treating plugins as additive. They are not. Two caches fight each other. Two WAFs fight each other. Two SEO plugins emit two product schema blocks and Google throws both away. The rule we hold is uncompromising: for every job on the store, exactly one plugin owns it. If a new plugin encroaches on an existing plugin's territory, one of them leaves the server.

That rule shapes every pick below. It also explains the avoid list. Bundles like the YITH Essential Kit or Jetpack's monolithic install violate it by design, because they assume ownership of jobs you have already solved with a better specialist. Specialists always win on a store moving real volume.

Payments: WooPayments as the Default, Stripe as the Fallback

Our default payments plugin is WooPayments. It is the first-party Woo plugin, runs on Stripe under the hood, settles in the merchant's native currency, handles disputes inside the WordPress admin, and ships multi-currency without a separate switcher plugin. Processing cost lands around 2.9 percent plus thirty cents in the US with no redirect, which keeps checkout inside the Woo checkout page and preserves the CRO work we do above the fold. For merchants in supported regions it is almost always the right answer.

Where WooPayments falls short is geography. Large parts of APAC, LATAM, and EMEA are still unsupported or limited on feature parity. In those cases we install the official WooCommerce Stripe Gateway instead. It is maintained by the Woo team, supports Apple Pay Express buttons, Link, Klarna, Afterpay, and SEPA, and gives us explicit control over payment intents for subscription flows. What we never do is run both. WooPayments already uses Stripe's infrastructure, so stacking the Stripe plugin on top creates duplicate webhook handlers, duplicate Apple Pay domain verification files, and a debugging nightmare when a charge disputes.

Shipping: ShipStation at Volume, Official Woo Shipping Below the Line

Once a store is pushing more than roughly 500 orders a month we install ShipStation. The value is not the label printing, it is the rate shopping. ShipStation compares negotiated rates across USPS, UPS, FedEx, and DHL at the moment of fulfillment and picks the cheapest option that meets the service promise. At a dollar of margin per order, the five to ten cents per label it charges disappears inside the first week of use, and the automation rules (tag a product, route to a specific carrier and packaging preset) remove entire warehouse SOPs.

For stores under that threshold we stay inside Official WooCommerce Shipping, which is free, Jetpack-powered, and gives discounted USPS and UPS rates directly in the order admin. We do not install ShippingEasy alongside either option. The category does not reward overlap and the cron load of two shipping plugins polling the same carriers for rates is measurable in checkout latency.

Tax: Avalara at a Million a Year, TaxJar Only for Simple Catalogs

At a million dollars a year of US revenue most merchants have crossed economic nexus in at least a dozen states, which means they owe actual tax filings in actual jurisdictions. We install Avalara AvaTax. It is not cheap, usually fifteen hundred to three thousand dollars a year depending on transaction volume, but it tracks nexus automatically, handles exemption certificates (critical for any store with B2B customers), and files returns. TaxJar is the lighter alternative and is fine for straightforward DTC with a narrow catalog, but it loses ground on exemption cert management, which is where B2B audits live or die.

The gotcha every inherited store has gotten wrong: Avalara and WooCommerce's built-in tax calculation both run by default. You must disable the core tax rates under WooCommerce → Settings → Tax or every line item computes tax twice. Audit any store reporting unusually high tax totals and this is almost always the cause.

Subscriptions: WooCommerce Subscriptions, Nothing Else

For any store with recurring revenue we install WooCommerce Subscriptions, the official Woo extension at one ninety-nine a year. The competitor that comes up constantly in client conversations is SureCart, and it is a good product, but it lives outside the Woo data model. Subscriptions, customers, and orders sit in SureCart's tables, which means every other plugin in this stack (B2BKing, Avalara, ShipStation) has to be re-integrated or simply does not see the data. We stay in Woo's native tables.

WooCommerce Subscriptions handles renewals, failed payment retries with configurable dunning, upgrade and downgrade proration, and gifting flows. The one combination to watch: when Subscriptions is paired with B2BKing, group-based pricing rules do not auto-apply on renewal orders unless you hook the b2bking_apply_on_renewal filter. Every B2B subscription store we have taken over has been silently overcharging renewal customers because of this.

B2B: B2BKing When the Price List Exists

B2BKing is our default for any store serving wholesale or trade customers. It is roughly one forty-nine a year, handles tiered pricing by customer group, group-based tax and shipping rules, quote requests, purchase order payment methods, and catalog visibility rules. The main competitor, Wholesale Suite from Rymera, is solid but splits functionality across four separate plugins that must stay version-synced. We prefer one plugin that ships one feature bundle and upgrades atomically.

We do not install B2BKing speculatively. If a store has zero net-30 customers and a single public price list, we do not need it. Turning it on adds meta queries to every product load and roles logic to every user load. Only install when the business model actually has tiers.

Analytics: GA4 Direct, Or MonsterInsights When the Client Owns Reporting

Our engineering preference is GA4 wired directly into the theme via gtag, with Enhanced Ecommerce events emitted from Woo hooks. No plugin. When the client's marketing team wants the dashboard inside WordPress admin, we install MonsterInsights Pro at one ninety-nine a year, which gives clean Enhanced Ecommerce, UTM tracking, and form conversion reports without the developer writing tag code. WooCommerce Analytics (the core module) stays on for operational reporting regardless, because order-level revenue attribution still lives better there than in GA4.

The plugin category we actively skip is Google Tag Manager plugins. Use the core GTM snippet in the theme header, or a mu-plugin, and leave tag management to GTM itself. Plugins that wrap GTM are one more abstraction for no benefit.

Security: Wordfence Premium for Application Layer

Wordfence Premium at one nineteen a year per site is our application-layer defense. Real-time WAF rules, malware scan, login attempt limiting, two-factor auth, and a good notifications pipeline. We consider Solid Security (formerly iThemes) when a client is already behind Cloudflare Enterprise and the WAF layer is redundant, because Solid is lighter on the database. But when a store does not have enterprise-grade edge protection, Wordfence's application-layer WAF is the one we trust.

The gotcha at this layer is the one every inherited store has broken: Wordfence WAF plus Cloudflare Managed WAF on the same site. The two rule sets overlap heavily and the result is false positives on legitimate checkout traffic, CAPTCHA loops on wp-login, and occasional blocked Stripe webhooks. The fix is to let Cloudflare handle volumetric and bot fight at the edge, disable Cloudflare's Managed WAF rules for wp-admin and wp-login specifically, and let Wordfence own the application-layer decisions. Never run Sucuri and Wordfence together either, for the same reason.

Performance: WP Rocket, Perfmatters, and Object Cache Pro

Three plugins, three jobs, zero overlap. WP Rocket at fifty-nine dollars a year is our page cache, minification, lazyload, and preload layer. It ships with the correct WooCommerce exclusions out of the box (cart, checkout, my-account, and logged-in users all bypass the page cache), which is the single most common misconfiguration on inherited stores. We will not run WP Rocket alongside LiteSpeed Cache, because the two write into the same cache paths and page delivery goes non-deterministic. If the host runs LiteSpeed server, we use LiteSpeed Cache exclusively. On anything else, WP Rocket.

Perfmatters at twenty-nine a year is the asset manager. Its script manager lets us disable WooCommerce's cart fragments on non-shop pages, kill the Woo block styles on the blog, and drop heavy plugin scripts from pages that do not need them. On a typical inherited build this cuts thirty to forty percent of the JavaScript weight off of non-Woo routes, which is where the Core Web Vitals wins live. The watchout: never disable wc-checkout or wc-password-strength on the My Account route, because Subscriptions uses them on renewal password changes and breakage is silent.

Object Cache Pro is the premium one, roughly ninety-five dollars a month for a single site, and on any store above a million dollars a year it pays for itself in the first month. It swaps the default database object cache for Redis with a purpose-built Woo-aware implementation. Cart reads, product variation lookups, and session handling drop from dozens of queries to low single digits. Cheap Redis drop-ins do not compare. If the host (Cloudways, Kinsta, WP Engine enterprise) already bundles it, we use that; otherwise we install the license directly.

SEO: Rank Math Pro Over Yoast, Now

In 2026 Rank Math Pro has pulled ahead of Yoast for WooCommerce specifically. Its product schema module understands variations, grouped products, brand data, and review schema out of the box, and it emits a single clean JSON-LD block. Yoast still works but its Woo add-on is a separate license and the schema output is less granular. We install Rank Math Pro at around ninety-nine a year and, critically, disable WooCommerce's default structured data output under the Rank Math settings, because otherwise the page ships two competing product schema blocks and Google discards both.

Email Delivery and Backups: The Two Nobody Thinks About Until They Fail

FluentSMTP is free and non-negotiable. It routes every transactional email (order confirmations, subscription renewal receipts, password resets) through an authenticated transactional provider like Amazon SES, Postmark, or Mailgun. Without it, the store's order emails leave the WordPress host's SMTP and land in spam, and the client thinks checkout is broken when it is really just undelivered receipts. Wordfence and Solid Security both log through FluentSMTP too, so security alerts actually arrive.

BlogVault or Jetpack VaultPress handles backups. Incremental, offsite, one-click restore to a staging URL, and critically, the backup cadence is real-time on orders. At a million dollars a year you cannot lose a day of orders to a bad plugin update, which is what the host's nightly snapshot buys you. Budget two hundred to two fifty a year per site.

What We Deliberately Do Not Install

The avoid list is as important as the stack. We skip every related-products plugin on the market (YITH, Boost Sales, and similar) because Woo's native upsell, cross-sell, and related-by-category logic is good enough and the plugins override the core query with their own, usually slower, usually unindexed. We skip currency switcher plugins when WooPayments is running, because multi-currency is native. We skip social login plugins unless the checkout friction data actually justifies the extra auth surface, which it almost never does on a B2C store. We skip page-builder checkout rebuilds (Elementor Pro, Divi) because serializing the checkout page through a builder loses CRO wins faster than it gains them. And we skip plugin bundles, the YITH Essential Kit style offers, because license renewal hell and opaque update bundling is not a trade we take.

We also skip a second cache, a second SEO plugin, a second WAF, a second backup solution, and a second analytics tracker. One job, one plugin.

What This Costs at $1M a Year

Running the full stack comes in between forty-two hundred and seven thousand dollars a year in plugin licenses and recurring services, depending on Avalara transaction volume and whether Object Cache Pro is bundled by the host. Against a million dollars of gross merchandise, that is four to seven basis points. The first conversion-rate win from a properly tuned checkout, or the first security incident avoided, pays for the entire stack for a decade.

How WitsCode Ships This

This is the stack we install on day one of every WooCommerce build engagement at WitsCode. Not chosen from a recommendation article, chosen from 250-plus live stores where we have watched every one of these plugins succeed and every one on the avoid list cause a production fire. The compatibility gotchas above are in our deployment checklist because we have fixed each of them at least a dozen times on stores we inherited.

If you are running a Woo store at or approaching a million a year and the plugin count is north of thirty, the stack is working against you, and there is usually five to fifteen percent of conversion rate and thirty to fifty percent of page weight hiding in the cleanup. We run a Woo stack audit that maps your current plugins against this reference, flags the conflicts, and scopes the cutover. Get in touch if you want the audit on your store.