{web reveal}
7 min read Web Reveal Team

How to Tell if a Website Uses WooCommerce (2026 Guide)

WooCommerce is the world's most widely used e-commerce platform, powering roughly a third of all online stores. Built as a plugin on top of WordPress, it leaves a distinctive set of fingerprints across URLs, JavaScript globals, HTTP cookies, and REST API endpoints. This guide shows you the fastest tools and the manual signals to confirm a WooCommerce installation.

Why Detect WooCommerce?

Knowing whether an online store runs on WooCommerce is useful in several professional contexts:

  • Plugin and extension vendors: Identify stores that are potential customers for WooCommerce-compatible products, payment gateways, or shipping plugins.
  • Ecommerce agencies: Qualify inbound leads and understand a prospect's current setup before a discovery call.
  • Competitive intelligence: Discover which WooCommerce themes or checkout plugins your competitors use to optimise conversion.
  • Developers and integrators: Confirm WooCommerce is present before building a custom integration or data pipeline.
  • Security researchers: Identify stores running outdated WooCommerce versions, which are a common target for payment skimmer attacks.

Fastest Method: Free Scanner Tool

The quickest way to detect WooCommerce is to use Web Reveal—a free technology scanner that analyses the live site and returns a full breakdown of the technology stack, including whether WooCommerce is present, the plugin version (where visible), and the underlying WordPress installation.

Enter the store URL on the Web Reveal homepage. Within seconds you'll see the CMS, e-commerce platform, payment provider hints, hosting, and analytics tools all in one report.

For passive detection while browsing, install the Web Reveal Chrome extension—it automatically identifies WooCommerce and displays the result in your browser toolbar on every store page you visit.

URL and Path Signals

Because WooCommerce is a WordPress plugin, its assets are loaded from predictable paths inside the WordPress plugin directory. View the page source (Ctrl+U or Cmd+U on Mac) and search for any of the following strings:

  • /wp-content/plugins/woocommerce/ – WooCommerce loads its own CSS and JavaScript from this path. Any occurrence is a definitive indicator.
  • /wp-content/plugins/woocommerce/assets/js/ – Frontend JavaScript bundles for cart, checkout, and product pages.
  • /wc-api/ – The legacy WooCommerce API endpoint, present on many older stores.
  • ?wc-ajax= – WooCommerce uses AJAX actions appended to URLs as query parameters (e.g., ?wc-ajax=get_refreshed_fragments).

You may also see standard WordPress signals (/wp-content/uploads/, /wp-includes/) alongside these WooCommerce-specific paths, confirming the WordPress layer underneath.

JavaScript Globals

WooCommerce injects a set of JavaScript configuration objects into every page load. Open your browser's developer console (F12 → Console) and type the following variable names. If they return an object rather than undefined, WooCommerce is active:

  • wc_cart_fragments_params – Present on every front-end page; contains the AJAX URL for cart fragment refreshes.
  • wc_add_to_cart_params – Injected on product listing pages; contains cart URL and nonce.
  • woocommerce_params – General WooCommerce configuration object.
  • wc_price_slider_params – Present on pages with the WooCommerce price filter widget.

Of these, wc_cart_fragments_params is the most reliable because WooCommerce loads it on every page—not just product pages—to keep the cart count in the header in sync.

Browser Cookies

WooCommerce sets several distinctive browser cookies that are visible in the Application tab of browser developer tools (F12 → Application → Cookies):

  • woocommerce_cart_hash – An MD5 hash of the current cart contents, used to avoid unnecessary AJAX requests.
  • woocommerce_items_in_cart – A boolean flag (1 or 0) indicating whether the cart is non-empty.
  • wp_woocommerce_session_ – A session cookie whose name is prefixed with wp_woocommerce_session_ followed by a hash. This is the most distinctive WooCommerce cookie.

The wp_woocommerce_session_ cookie is set as soon as a visitor adds an item to the cart, so it may not be present on a first visit. Add a product to the cart and then inspect the cookies to trigger it.

WooCommerce REST API Endpoint

WooCommerce registers its own namespace in the WordPress REST API. Visiting https://example.com/wp-json/wc/v3/ will return a JSON response listing available routes if the WooCommerce REST API is publicly enabled. A successful response confirms WooCommerce is installed and active.

Many stores restrict the REST API to authenticated requests, so a 401 Unauthorized response also indicates WooCommerce is present—the endpoint exists, it just requires credentials. A 404 means WooCommerce either is not installed or the WordPress REST API is disabled entirely.

Note: Only use publicly accessible URLs for identification purposes. Do not attempt to authenticate with the REST API without authorisation from the site owner.

HTTP Headers

HTTP response headers can provide additional confirmation. Open browser developer tools (F12 → Network), reload the page, click the main document request, and inspect the Response Headers:

  • X-Powered-By: PHP/x.x – WooCommerce requires PHP, confirming the server language.
  • X-WooCommerce-Total-Count – Returned by WooCommerce REST API responses; a strong indicator when present.
  • Link: <https://example.com/wp-json/> – The WordPress REST API discovery header is a prerequisite for WooCommerce and confirms the WordPress layer.
  • Managed WooCommerce hosting headers such as X-Kinsta-Cache, X-WPE-Request-ID (WP Engine), or cf-cache-status (Cloudflare, common on WooCommerce deployments).

When WooCommerce Is Hidden

Some merchants and developers attempt to obscure the platform for competitive or security reasons. Common obfuscation techniques include:

  • Renaming or proxying the /wp-content/plugins/woocommerce/ path so assets are served from a generic CDN URL.
  • Using a headless WooCommerce setup (e.g., with Next.js or Gatsby as the frontend), which hides most of the typical WordPress and WooCommerce signals from the HTML layer.
  • Disabling the public WooCommerce REST API.
  • Serving all assets through a CDN with opaque URLs, masking the plugin path.

Even with these measures, automated tools like Web Reveal often detect WooCommerce through lower-level signals such as the wc_cart_fragments_params JavaScript object, cookie naming conventions, and checkout page markup patterns that remain consistent across even heavily customised stores.

Frequently Asked Questions

How can I tell if a website uses WooCommerce?

The fastest method is to scan the URL with Web Reveal. Manually, search the page source for /wp-content/plugins/woocommerce/ or open the browser console and type wc_cart_fragments_params to check for the WooCommerce JavaScript global.

What JavaScript globals does WooCommerce expose?

WooCommerce injects wc_cart_fragments_params, wc_add_to_cart_params, and woocommerce_params into the page. Typing any of these in the browser console will return an object if WooCommerce is active.

Is there a WooCommerce REST API I can check?

Yes. Visit /wp-json/wc/v3/ on the domain. A JSON response confirms WooCommerce is installed. A 401 Unauthorized response also indicates WooCommerce is present but restricted to authenticated access.

Can a WooCommerce store hide that it uses WooCommerce?

Partially. Headless setups and CDN asset proxying can mask many signals. However, JavaScript globals, cookie names, and checkout markup patterns are difficult to fully remove without deep customisation, so automated scanners like Web Reveal can still detect WooCommerce in most cases.

Detect WooCommerce on Any Website Instantly

Web Reveal is a free tool that identifies WooCommerce, the active plugins, version, and full tech stack of any website. No account needed.

Scan a Website Free