Many users worry that managing a WordPress multisite may require them to spend more time on securing it.

This concern is not misguided. We’ve seen how a single weak spot can put every site in a multisite network at risk.

The good news? WordPress multisite can be secure when you take the right steps.

We’ve been running our own multisite setup for a while now, and in this guide, we’ll share our tried and tested WordPress multisite security tips to help protect your network.

What Is WordPress Multisite?

Imagine managing multiple websites without juggling separate logins or installations. That’s exactly what WordPress multisite lets you do.

It’s a built-in feature that allows you to run multiple websites from a single WordPress installation, all controlled from one dashboard.

This setup is popular among organizations, schools, and businesses handling several sites under one roof. It’s also a favorite for blog networks and thriving online communities.

Getting started with WordPress multisite might sound technical, but it’s surprisingly simple. We’ve broken it down in our step-by-step multisite setup guide to make the process effortless.

While multisite is powerful, it comes with its own security challenges. Since all websites share the same core files, a single vulnerability could impact the entire network if not properly secured.

Is WordPress Multisite Secure?

Yes, WordPress multisite is very secure, particularly when it is properly managed.

It is part of the core WordPress software, which is actively maintained and regularly updated to patch security vulnerabilities.

However, multisite introduces unique risks to the setup. Since all websites share the same core files and database, a single weak spot could affect the entire network.

We’ve worked with multisite setups where a minor plugin vulnerability impacted every connected site. It’s a reminder of how important proactive security measures are for protecting your entire network.

Don’t worry—when you take the right precautions, WordPress multisite can be just as safe as a standard WordPress site. Let’s explore how you can secure your network with confidence.

WordPress Multisite Security Tips

Securing a WordPress multisite isn’t just about locking things down—it’s about staying one step ahead of potential risks. We’ve learned that small gaps, like forgotten updates or too many admin privileges, can create unexpected vulnerabilities.

But securing a WordPress multisite doesn’t have to be overwhelming. A few smart practices can go a long way in keeping every site in your network safe.

Let’s walk through the key steps we recommend to strengthen your WordPress multisite security with confidence.

1. Back Up Your WordPress Multisite Regularly

Whenever we talk about WordPress security at WPBeginner, we always start with backups. It’s the single most important step to protect your website from data loss.

We’ve seen firsthand how a reliable backup can turn a stressful situation into a minor inconvenience. Whether it’s a malware attack, plugin error, or accidental deletion, having a backup means you can restore your entire network without losing a thing.

Many users tell us their hosting company offers automatic backups. Here’s the truth—those backups aren’t always guaranteed or easily accessible when you need them most.

That’s why we always recommend taking control of your own backups. It’s easier than you think, especially with the right tools.

The best way to back up your multisite network is with Duplicator. It’s a powerful backup plugin that makes protecting your network simple.

Why Do We Recommend Duplicator?

• Easily schedule automatic backups.
• Safely store backups on the cloud.
• Restore your entire multisite network with one click.

You can learn more about its features in our detailed Duplicator review.

Once you install Duplicator, it will guide you through the setup process. From there, you can automate backups on a schedule that fits your needs.

Need help getting started? Check out our step-by-step tutorial on how to back up WordPress multisite.

2. Choose a Secure Hosting Provider with Experience in Multisite Setups

Your hosting provider plays a huge role in the security of your WordPress multisite network. Not all web hosts are built for multisite setups, and choosing the wrong one can leave your entire network vulnerable to attacks.

We’ve worked with a few different hosting providers that offer great performance with a properly secure platform.

Starter WordPress Multisite

For a new WordPress multisite, we recommend Bluehost. They offer a free domain, SSL, and built-in security features.

They support all types of WordPress multisite configurations, including custom domains, subdomains, and directory sites. Plus, they are offering WPBeginner users a huge discount on hosting (you can start at $1.99 / mo).

For more details, take a look at our Bluehost review, which includes our performance test scores and pros and cons.

For Established WordPress Multisites

We all know that WordPress multisite can be resource-intensive, especially for websites with existing traffic and user base. For these kinds of websites, we’ll go for a little more expensive option: SiteGround.

Here is why we recommend SiteGround:

• Can handle more traffic than your average shared hosting provider.
• One of the top-rated managed WordPress hosting companies on the market.
• Excellent customer support, fast servers, and hassle-free platform.

We use SiteGround to host several websites, including WPBeginner. It has been incredibly reliable for our website’s growth and success. See why we switched to SiteGround, or take a look at our in-depth SiteGround review.

Going with a trusted hosting provider gives you peace of mind, knowing your sites are protected from the ground up.

3. Limit Super Admin Privileges

In a WordPress multisite network, the ‘Super Admin‘ has complete control over every site. They can install plugins, manage themes, and even delete websites from the network.

We’ve seen WordPress multisite networks where each individual site admin was also a super admin. Giving too many people super admin access can backfire.

A simple mistake or compromised account with this level of control can put the entire network at risk.

The best practice? Keep super admin privileges limited to only the most trusted individuals managing the network.

To restrict access, go to Network Admin » Users » All Users and ensure only essential team members have super admin rights.

For larger teams, consider creating custom user roles with limited permissions using a plugin like Members. It allows you to create custom permissions for user roles, and this way, you can assign responsibilities without giving full control.

For more details, see our guide on WordPress user roles and permissions.

4. Use Strong Passwords and Two-Factor Authentication

We’ve all been guilty of using a password that’s a little too easy to guess—something like password123 or a pet’s name. But when you’re running a WordPress multisite network, weak passwords can be a serious risk.

We’ve seen cases where a single compromised password gave hackers access to an entire multisite network. It’s stressful, and recovering from a security breach can take a lot of time and effort.

That’s why we always recommend enforcing strong passwords for everyone on your network. You can even make it automatic by following our tutorial on how to force strong passwords in WordPress.

But strong passwords alone aren’t enough these days.

To add another layer of protection, you should set up two-factor authentication (2FA). It’s that extra step where you enter a one-time code after your password—kind of like having a second lock on your door.

The easiest way to do this is with the WP 2FA plugin. It guides you through the setup and makes securing your network simple.

Need help? We’ve broken it all down in our step-by-step guide on how to add two-factor authentication in WordPress.

5. Keep WordPress Core, Themes, and Plugins Updated

We get it—updating WordPress, plugins, and themes can feel like a chore. But skipping updates can open the door to serious security risks.

We’ve seen cases where outdated plugins became the entry point for hackers, turning a small oversight into a network-wide issue.

The good news? Keeping everything updated doesn’t have to be complicated.

WordPress regularly releases updates to patch vulnerabilities and improve performance. Staying current helps keep your entire multisite network safe.

Start by making sure your WordPress core is always up to date. You can follow our step-by-step guide on how to update WordPress.

Don’t forget your plugins and themes—they need regular updates, too. We’ve explained how to do this safely in our tutorial on how to properly update WordPress plugins.

6. Set Up a WordPress Firewall

Imagine having a security guard at the entrance of your multisite network, stopping threats before they can even knock on your door. That’s exactly what a WordPress firewall does.

On WPBeginner, we use Cloudflare, and it’s made a huge difference. We’ve seen it blocking massive DDoS attacks, spam bots, and even suspicious login attempts—all without slowing down our site. For details, see our case study on why we switched to Cloudflare.

The best part? Cloudflare offers a free plan, so you can add this extra layer of protection without spending anything.

If you’re ready to set it up, we’ve got a full tutorial on how to set up Cloudflare in WordPress.

Want to take security even further?

You can also install a dedicated WordPress security plugin like Sucuri or Wordfence. These plugins add extra features like malware scanning and activity logs, making your multisite network even safer.

7. Restrict Plugin and Theme Installations

In a WordPress multisite network, only super admins can install plugins and themes for the entire network. Site admins can only activate plugins that have already been installed by the super admin.

We’ve seen how unrestricted plugin access can lead to issues—like when a poorly coded plugin introduces security vulnerabilities across multiple sites. Keeping plugin and theme installation restricted helps avoid these risks.

The safest approach? Limiting plugin and theme installations to trusted super admins who only network activate thoroughly tested and well-reputed plugins.

If you’re unsure how plugin activation works in multisite, check out our guide on network activating plugins on WordPress multisite.

8. Enable Activity Monitoring and Logging

When managing a WordPress multisite network, keeping track of user actions isn’t just helpful—it’s essential for security. We’ve seen how a single unnoticed change, like a plugin deactivation or permission update, can lead to unexpected vulnerabilities.

That’s why we recommend using a reliable activity logging tool like WP Activity Log. It helps you monitor everything from user logins to content changes so you can catch suspicious activity early.

With a logging tool in place, you can:

• Track when plugins or themes are activated or deactivated.
• Monitor user logins and failed login attempts.
• Review content edits and permission changes.

If you’re looking for a step-by-step guide on setting up activity monitoring, check out our tutorial on how to monitor user activity in WordPress.

Common WordPress Multisite Security Mistakes

Even with the best intentions, it’s easy to overlook certain security practices when managing a WordPress multisite network. Unfortunately, small mistakes can snowball into major vulnerabilities.

Here are some of the most common security mistakes to avoid:

• Assigning Too Many Super Admins: Giving super admin access to too many users increases the risk of accidental changes and security breaches. Limit this role to trusted individuals only.
• Using Weak Passwords: Weak passwords make it easier for hackers to gain access. Enforce strong passwords for all users and set up two-factor authentication.
• Ignoring Updates: Failing to update WordPress core, plugins, and themes can leave your network vulnerable to known exploits. Always keep your software up to date.
• Relying Solely on Hosting Backups: Hosting backups aren’t always reliable or easy to restore. Set up your own offsite backups using a plugin like Duplicator.
• Installing Untrusted Plugins and Themes: Plugins and themes from unknown sources can introduce security risks. Stick to trusted sources and restrict who can install new tools on your network.

Avoiding these mistakes can go a long way in keeping your WordPress Multisite secure. The key is to stay proactive and regularly review your network’s security settings.

Final Thoughts 💭

Securing a WordPress multisite network may feel overwhelming at first, but it’s completely manageable with the right steps. We’ve worked with many different multisite setups and have seen how proactive security measures can prevent serious issues.

By setting up regular backups, limiting super admin privileges, and using tools like Cloudflare and WP Activity Log, you can create a safer environment for every site in your network.

Remember, security isn’t a one-time task. It’s about staying vigilant—keeping your software updated, reviewing user access, and monitoring activity regularly.

Take the time to apply these tips, and you’ll be well on your way to running a secure and reliable WordPress multisite network.

Bonus Resources for WordPress Multisite Security

The following are some additional resources that you may find helpful in maintaining your WordPress multisite network:

• Beginner’s Guide to Fixing Your Hacked WordPress Site 🛡️: If your WordPress multisite gets hacked, this guide shows the steps you need to take to start fixing it by yourself.
• Best WordPress Multisite Plugins You Should Use 🔌 : Our team shares their recommendations for essential plugins for WordPress multisite networks.
• How to Move a Site from WordPress Multisite to Single Install 🔃: This tutorial will come in handy if you ever need to move a site from multisite to its own WordPress installation.
• How to Add / Remove Default Pages in WordPress Multisite 📃 : This guide explains how to add or remove pages created by default on your multisite network.

We hope this article helped you improve WordPress multisite security. You may also want to explore our WordPress troubleshooting guide or learn about common WordPress maintenance tasks.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post Is WordPress Multisite Really Secure? 8 Security Tips to Know first appeared on WPBeginner.

You panic. Losing your website could mean losing customers, revenue, or years of hard work. But here’s the catch—this email isn’t real.

It’s a scam designed to trick you into clicking on a dangerous link.

Unfortunately, fake security emails are becoming more common. We have heard from many users who have fallen for the scam and accidentally damaged their websites.

In this guide, we’ll show you how to tell if a WordPress security email is real or fake.

You’ll learn how these scams work, the red flags to watch for, and what to do if you receive a suspicious email. By the end, you’ll know exactly how to keep your website safe.

How These Fake WordPress Security Emails Work

Scammers are getting smarter. They know website owners worry about security, so they create emails that look official.

WordPress is the most popular website builder, and it is also very secure. Malicious hackers have a hard time finding vulnerabilities in WordPress code, so they have to resort to scamming site owners with fake emails.

These emails might claim to be from the WordPress Security Team, your hosting provider, or a well-known security company.

The message usually includes:

• A warning about a vulnerability on your site.
• A reference to a security flaw with a name like “CVE-2025-45124.”
• An urgent request to take action by clicking a link or downloading a security patch.

But here’s the trick: the link doesn’t go to WordPress.org. Instead, it leads to a phishing site that looks real but is designed to steal your login credentials. Some emails also ask you to install a plugin that contains malware.

Once the scammers gain access to your site, they can add backdoors, redirect visitors to harmful sites, or even lock you out completely. That’s why it’s important to recognize these fake emails before it’s too late.

Red Flags 🚩🚩: How to Spot a Fake WordPress Security Email Before It’s Too Late

Spotting a fake WordPress security email isn’t always easy. Some scammers use logos, professional formatting, and technical terms to make their messages look legitimate.

However, there are certain easily identifiable red flags that give these scams away. Here are the most common ones:

• Suspicious Email Address: Look at the sender’s domain. Genuine WordPress emails come from @wordpress.org or @wordpress.net. If you see anything else, then it’s a fake.
• Urgent Language: Phrases like “Act now!” or “Immediate action required!” are designed to create panic.
• Poor Grammar and Formatting: Many scam emails have typos, awkward phrasing, or inconsistent branding. You can compare it with past emails from WordPress for clarity and tone.
• Links That Don’t Match the Destination: Hover over any link in the email (Do Not Click!) to see where it leads. If it doesn’t point to wordpress.org, don’t click it.
• Unexpected Attachments: WordPress never sends attachments in security emails. If there’s a file attached, then it’s a scam.
• Requests for Passwords: WordPress will never ask for your password or login credentials via email.

Over the years, we’ve seen all of these tricks in action. One user we worked with even clicked a link from a fake email and unknowingly gave away their login details.

Their site was compromised within hours, redirecting visitors to a phishing page. Stories like this remind us how important it is to stay cautious and verify every detail in these emails.

Once you start recognizing these red flags, you’ll feel more confident about handling suspicious emails.

Remember, taking a few seconds to verify an email can save you from days—or even weeks—of cleaning up your site.

Think a WordPress Security Email is Real? Here’s How to Know for Sure

Sometimes, even the most cautious website owners hesitate when they see a well-crafted security email.

Scammers are getting better at making their messages look real. However, there’s always a way to verify authenticity before taking action.

Here’s how we approach it whenever we receive a security-related email:

1. Check the Official WordPress Sources

WordPress publishes security notices on WordPress.org. If an email claims there’s a critical vulnerability, then check the official site first.

2. Check Email Sender and Signed Information

Official WordPress emails will always be sent from the WordPress.org domain name. In some cases, they may also come from WordPress.net.

3. Compare with Past WordPress Emails

If you’ve received real security emails from WordPress before, you can check for differences in tone, structure, and branding.

Fake emails often have awkward phrasing, inconsistent fonts, or incorrect spacing. Official emails from WordPress are professionally written and formatted.

4. Look for a Matching Security Notice from Your Hosting Provider

Reputable WordPress hosting companies like Bluehost, SiteGround, and Hostinger post verified security updates on their websites. If your hosting provider hasn’t mentioned the issue, the email may be fake.

5. Hover Over Links Before Clicking

Before clicking any link, hover over it to see where it leads. If it doesn’t point to wordpress.org or your host’s official site, don’t trust it.

Hackers may use deceptive domain names that may look like a wordpress.org domain name but are actually not.

For instance, a domain called security-wordpress[.]org is not an official WordPress domain name, but some users may not catch that on time.

6. Use a WordPress Security Plugin

Plugins like Wordfence and Sucuri track vulnerabilities and send real security alerts. If your plugin doesn’t mention the vulnerability, then it’s likely a scam.

One time, a user sent us a security email that looked real. It mentioned a plugin vulnerability, included a CVE number, and even had the WordPress logo.

But when we checked WordPress.org, there was no mention of it. A quick look at the email header showed it came from a suspicious domain, confirming it was a phishing attempt.

These quick verification steps can help you avoid falling for scams. If you’re ever in doubt, wait and verify—real security alerts won’t disappear in a few hours.

What to Do If You Receive a Fake Security Email

So, you’ve spotted a fake security email. Now what?

The worst thing you can do is panic and click on anything inside the email. Instead, take these steps to protect your website and report the scam.

🫸 Do Not Click Any Links

Even if the email looks legitimate, never click on links or download attachments. If you have already clicked, then change your WordPress password immediately.

🕵️ Check Your Website for Suspicious Activity

Log in to your WordPress dashboard and look for any unfamiliar admin users, recently installed plugins, or settings changes.

📨 Report the Email to Your Hosting Provider

Most web hosting companies have dedicated security teams that handle phishing scams. Contact your host’s support team and provide details about the suspicious email.

🚩 Mark It as Spam

Flagging the email as spam in your inbox helps email providers filter similar messages in the future.

Spam filters at big email companies like Gmail and Outlook are incredibly smart and get data from several other spam filtering companies. When you mark an email spam, you teach their algorithms to identify similar emails in the future and block them.

🔍 Run a Security Scan

Use a WordPress security plugin like Wordfence and Sucuri to scan for malware, just to be safe. For information on how to do this, just see our guide on how to scan your WordPress site for potentially malicious code.

One website owner we worked with ignored a fake security email but later found that their WordPress login page had been attacked.

Fortunately, they had Cloudflare (free) set up on their website, which blocked malicious login attempts on their website.

What Happens If You Fall for the Scam?

Clicked on a link in a fake email? Installed a suspicious plugin? Don’t worry—you’re not alone.

We’ve seen site owners panic after realizing they’ve been tricked, but acting quickly can minimize the damage.

Here’s what you need to do right away:

1. Change Your Passwords: If you entered your WordPress login details, change your password immediately. Also, you will need to update your hosting, FTP, and database passwords to prevent unauthorized access.

2. Revoke Unknown Admin Users: Log in to your WordPress dashboard and check Users » All Users. If you see an unfamiliar administrator account, you need to delete it.

3. Scan Your Website for Malware: Use a security scanner plugin like Wordfence or Sucuri to check for malicious files, backdoors, or unauthorized changes.

4. Restore a Clean Backup: If your site has been compromised, you should restore a backup from before you clicked the fake email.

Ideally, you should have your own backups from a WordPress backup plugin like Duplicator. We recommend Duplicator because it is secure, reliable, and makes it very easy to restore your website when something bad happens. Read our full Duplicator review to learn more.

However, if you don’t have a backup, you can try reaching out to your hosting provider. Most good WordPress hosting companies keep backups and can help you restore your website from a clean backup.

5. Check Your Website’s File Manager

Access your hosting control panel or FTP and look for recently modified files. If you find unfamiliar PHP scripts, they could be part of a backdoor.

Hackers often use deceptive names like wp-system.php, admin-logs.php, or config-checker.php to blend in with core WordPress files. Some may even use random strings like abc123.php or create hidden directories in /wp-content/uploads/.

6. Update WordPress and All Plugins

If an attacker has exploited a vulnerability, then updating your site ensures they can’t use the same method again. Outdated themes, plugins, or WordPress core files may contain security flaws that hackers exploit.

Go to Dashboard » Updates and install the latest versions. You can see our guide on how to safely update WordPress for more details.

We once helped a small business owner whose site had been compromised after they installed a fake security patch.

The hacker injected malicious scripts that redirected visitors to a phishing site. Luckily, they had a recent backup, and restoring it along with resetting passwords saved their website.

If your site has been hacked, you can follow our step-by-step guide to clean up your WordPress website: How to Fix a Hacked WordPress Site (Beginner’s Guide).

How to Protect Your Website From Future Scams

Preventing fake security emails is just as important as spotting them. While scammers will always try new tricks, taking a few precautions can keep your site safe.

• Enable Two-Factor Authentication (2FA): Adding 2FA to your WordPress login prevents unauthorized access, even if your password gets stolen.
• Use WordPress Firewall & Security Plugins: Use a WordPress firewall like Cloudflare and then strengthen it with a security plugin like Wordfence or Sucuri.
• Update WordPress, Plugins, and Themes: Keeping everything updated prevents hackers from exploiting known vulnerabilities.
• Verify Emails Before Acting: Always check WordPress.org and your hosting provider’s website before acting on security emails.
• Educate Your Team: If multiple team members work on your site, train them to recognize phishing emails and report anything suspicious.

By following these steps, you’ll make it much harder for scammers to trick you and keep your WordPress site secure.

Stay One Step Ahead and Keep Your Website Safe

Fake WordPress security emails may sound scary, but now you know how to spot them before they cause any damage.

Remember, scammers rely on fear and urgency, but you can easily outsmart them by staying cool and calm 😎.

Next time you see a suspicious email, take a deep breath, slow down, and check the details. You’re in control.

By verifying emails, keeping your WordPress site updated, and using the right security tools, you can make your website a much harder target for scammers.

Want to take your website security to the next level? We have compiled a complete WordPress security guide with step-by-step tips. You may also like to see our expert pick of the best WordPress security scanners for detecting malware and hacks.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post [Revealed] How to Tell if a WordPress Security Email is Real or Fake first appeared on WPBeginner.

If you want to boost your sales and reduce annoying transaction fees, then listen up! 👂

We accept Stripe payments through all of our online stores, so we’ve learned a few tricks for managing transaction fees without hurting the customer experience.

In this post, we’ll share some proven strategies to reduce Stripe transaction fees in WordPress.

Why Reduce Stripe Transaction Fees in WordPress?

Stripe is a powerful payment gateway widely used by WordPress site owners. It offers seamless integration and support for various payment methods.

However, Stripe charges a standard transaction fee of 2.9% + 30¢ per successful credit card transaction in most countries. These fees can quickly add up for businesses with high sales volumes, causing you to lose lots of profits.

For example, if your WordPress site generates $10,000 in monthly sales, then Stripe would take $290 plus 30 cents for every transaction. For a large number of small transactions, the costs are even higher.

Individual transaction fees may seem small. But over time, they can significantly lower your earnings.

Reducing the payment processing fee helps you keep more of your revenue, especially if you sell products or services at a lower price. By using alternative payment methods like ACH or Bacs Direct Debit, you can cut down on these costs without affecting the customer experience.

Plus, it allows you to reinvest the savings into other areas of your business, like marketing software, plugin upgrades, or growing your operations. Overall, it helps you create a cost-effective payment system for your business.

Having said that, let’s take a look at how to easily reduce Stripe transaction fees in WordPress. You can try one or all of these expert tips.

Tip 1: Accept ACH Payments in WordPress (For Customers in the U.S.)

If your business is based in the United States or you have many customers from that region, we recommend accepting ACH (Automated Clearing House) payments on your website.

Unlike traditional Stripe transactions, which come with a standard fee of 2.9% + 30¢, ACH payments typically cost a flat fee of 0.8% per transaction, capped at $5.

This means that no matter how large the payment is, the fee will never be more than $5. This makes it especially cost-effective for high-value transactions.

For example, if a customer makes a $1,000 purchase on your WordPress site, then the Stripe fee for a credit card payment would be $29.30. However, if the same payment is made through ACH, the fee would only be $5.

So, in this case, switching to ACH would instantly save you $24.30! If lots of your customers are spending higher amounts, then this can really add up.

Keep reading to learn how to add ACH payments to a WordPress payment form or to a WooCommerce store.

Create a WordPress Payment Form with ACH Payment

If you run a simple membership site or you sell a limited number of products, then you might be using a WordPresss payment form.

In that case, we recommend using WP Simple Pay to add ACH payments to your payment form options. We’ve tested this plugin for lots of different use cases, and we think it’s fantastic.

We love that it comes with a user-friendly builder, premade payment templates, and complete spam protection. To learn more about our experiences with the plugin, see our WP Simple Pay review.

First, you’ll need to install and activate the WP Simple Pay plugin. For details, check out our tutorial on how to install a WordPress plugin.

After you activate the tool, a setup wizard will appear on your screen. Here, just click the ‘Let’s Get Started’ button.

You will now need to enter the license key. You can find this information in your WP Simple Pay account area.

Next, click the ‘Activate and Continue’ button.

Once that’s done, you’ll need to connect Stripe with your WP Simple Pay account. Keep in mind that the plugin will not work unless you connect it with a new or existing Stripe account.

To do this, click the ‘Connect with Stripe’ button.

Then, you’ll need to log in to your Stripe account to connect it to WP Simple Pay. For more details, see our tutorial on how to accept Stripe payments in WordPress.

After that, you can configure the rest of the setup wizard settings however you want.

Then, visit the WP Simple Pay » Payment Forms page from the WordPress dashboard and click the ‘Create Your Payment Form’ button.

This will take you to the ‘Select a template’ screen, where you will notice a list of premade templates.

From here, locate the ‘ACH Direct Debit Payment Form’ template and click the ‘Use Template’ button under it.

You will now be directed to the ‘Add New Payment Form’ page, where you can add a title and description for your form.

After that, select your form type as ‘On-site payment form.’

Then, switch to the ‘Payment’ tab from the sidebar and choose your preferred tax collection rates from the dropdown menu.

You can also use the form to add the price for the service or product you plan to sell. If you have a subscription service, then you can select the ‘Subscription’ option.

Next, add subscription tiers by clicking the ‘Add Price’ button.

Once you have done that, scroll down to the ‘Payment Method’ section.

Here, you will notice that the ‘ACH Direct Debit’ and ‘Card’ payment options have already been selected for you. You can also choose other options, such as Cash App, iDEAL, or Klarna.

After that, you can add form fields, include a confirmation message, set up email notifications, and create a custom page for your payment form from the settings in the builder.

Once you are done, just click the ‘Publish’ button to store your settings.

You’ve now given customers a payment option that reduces your store’s Stripe transaction fees.

For detailed instructions, see our tutorial on how to accept ACH payments in WordPress.

Offer ACH Payments in Your WooCommerce Store

If you have an existing WooCommerce store, then the above method may not be the best match for you.

In that case, you’ll need to install and activate Payment Plugins for Stripe WooCommerce. For details, see our tutorial on how to install a WordPress plugin.

Once you activate the tool, visit the WooCommerce » Settings » Payments page. Here, you will notice a list of payment methods displayed on your screen.

Now, locate and click the ‘ACH (Stripe) by Payment Plugins’ option.

This will direct you to a new page where you must first switch to the ‘API Settings’ tab.

Here, go ahead and click the ‘Connect to Stripe’ button to integrate your Stripe account with your online store.

After that’s done, head back to the ‘Local Gateways’ section and choose the ‘ACH’ option.

Now, check the ‘Enabled’ box to add ACH as a payment option in your online store. You can also add a custom title and description for ACH payments.

Finally, click the ‘Save Changes’ button to store your settings. It’s as simple as that!

Tip 2: Accept Bacs Direct Debit Payments (For Customers in the UK)

As we mentioned, the method above is only suitable for businesses with customers in the United States. If your WordPress site serves customers in the United Kingdom, then offering Bacs Direct Debit can help reduce Stripe transaction fees.

Bacs Direct Debit charges around 1% per transaction, capped at £2. This makes it a cost-effective option for businesses with customers in the UK.

For instance, let’s say a customer makes a £500 payment. If they use a credit card, then you would pay about £14.80 in fees. But if the same payment is made via Bacs Direct Debit, the fee could be as low as £2.

As with ACH payments, there are two ways you can do this. You can accept Bacs Direct Debit payments either on a WordPress form or in your online store.

Create a WordPress Form that Accepts Bacs Direct Debit Payments

We recommend WP Simple Pay for accepting these payments through Stripe. It includes a ready-made Bacs Direct Debit Payment Form template, so it’s super easy to set up.

To get started, you’ll need to install and activate the plugin.

After you activate the tool, a setup wizard will open up on your screen. Here, you’ll need to add your license key and then connect with Stripe.

This step is super important because WP Simple Pay won’t work if it isn’t connected to a new or existing Stripe account. To learn more, see our tutorial on how to accept Stripe payments in WordPress.

Once you’ve finished the setup wizard, visit the WP Simple Pay » Payment Forms page and click the ‘Create Your Payment Form’ button.

You will now be taken to the ‘Select a template’ screen.

Find the ‘Bacs Direct Debit Form’ template and click the ‘Use Template’ button under it.

This will take you to the ‘Add New Payment Form’ page, where you must add a title and description for your form.

After that, you can choose your form type as ‘On-site payment form.’

Then, switch to the ‘Payment’ tab from the left column.

Here, you have to choose your preferred tax collection rates from the dropdown menu under the ‘Tax Collection’ option.

Next, add the service or product price that you plan to sell using the form. If you have a subscription service, then you can select the ‘Subscription’ option and add tiers.

After that, scroll down to the ‘Payment Methods’ section, where the ‘Bacs Direct Debit’ option will already be selected.

You can also choose other payment options that fit your preferences.

Next, edit the form fields, add a confirmation message, and set up email notifications according to your form.

Finally, head over to the ‘Payment Page’ tab and check the ‘Enable a dedicated payment page’ box. The plugin will now let you build a custom page for your payment form.

Once you are done, click the ‘Publish’ button to store your settings. Your website can now easily accept Bacs Direct Debit payments.

Offer Bacs Direct Debit Payments in Your WooCommerce Store

If you already have a WooCommerce store, then the method above won’t be the best option. In that case, you can install and activate the Stripe Payment Plugin for WooCommerce.

For details, see our tutorial on how to install a WordPress plugin. After activating the tool, visit the WebToffee Stripe page from your WordPress dashboard and click the ‘Connect to Stripe’ button.

This will take you to a new screen. Here, just follow the on-screen instructions to connect the plugin to your Stripe account.

Then, head back to your dashboard and visit the WebToffee » Local Gateways page.

Next, switch to the ‘Bacs’ tab at the top and check the ‘Enable’ box.

You can also add a title, description, and order button text. Finally, click the ‘Save Changes’ button to store your settings.

You have now successfully added the Bacs Direct Debit option as a payment method in your online store.

Tip 3: Upgrade to Premium Plugins (For Customers Everywhere)

One of the best ways to reduce transaction fees on your WordPress site is by upgrading to a premium plugin. This way, you only pay the plugin’s premium fee and avoid extra charges on top of Stripe’s standard transaction fee.

Free payment processing plugins often add additional fees, sometimes 1% or more, on top of Stripe’s standard fee (2.9% + 30¢ per transaction). Upgrading to the premium version helps you skip these extra costs and pay just Stripe’s fee.

If you want to add a simple payment form that accepts Stripe payments, then we recommend opting for WP Simple Pay Pro. It removes extra platform fees charged by the free version of the plugin, allowing you to pay only Stripe’s standard transaction fee.

Meanwhile, for stores selling digital products, the Easy Digital Downloads Pro version also removes extra fees, making it an ideal option. To learn more, see our complete Easy Digital Downloads review.

Similarly, WPForms Pro allows payment collection without extra platform charges, ensuring you only pay the regular Stripe transaction fee.

We recommend this premium plugin for selling a single product on your website. To learn more, see our WPForms review.

On the other hand, YITH WooCommerce Stripe eliminates the extra transaction fees often added by other payment gateways.

It’s an excellent solution for businesses using WooCommerce to sell physical products.

Upgrading to these premium versions ensures you only pay Stripe’s transaction fees, reducing your overall costs while giving you additional features.

Bonus Tip: Pass Payment Processing Fee to Customers in WordPress

Alternatively, you can simply pass the Stripe payment processing fee to customers. This ensures that your profit margins remain unaffected by transaction costs.

When you pass the payment processing fee to the customers, you add this extra cost to the customer’s bill instead of paying it yourself.

For example, if a customer buys an item for $100 and Stripe charges a fee of $3, you may add that $3 to the total cost. So, the customer would pay $103 instead of just $100.

However, charging customers extra fees could impact your sales. So, you may want to do some market research before adding that cost to the product’s total price.

Also, if you already have a well-established business, raising your prices without letting customers know can lead to a negative user experience. To avoid scaring away customers, you might consider telling them why you’re raising prices. This transparency can help build customer trust.

For detailed instructions, see our tutorial on how to pass the payment processing fee to customers in WordPress.

We hope this article helped you learn how to reduce Stripe transaction fees in WordPress. You may also want to see our beginner’s guides on how to add Bancontact payments in WordPress and how to add Giropay payments in WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Reduce Stripe Transaction Fees in WordPress (3 Expert Tips) first appeared on WPBeginner.