AzimutLine — E-commerce for EVA Boat Mats

The challenge

The client has been producing EVA mats for PVC boats for 6 years and selling them on marketplaces. The pain: high commissions and zero direct relationship with the customer. Marketplaces don’t share contact info, so there’s no way to build a customer club, no way to handle quick custom orders for non-standard boats. Goal: a proprietary store that fully replaces marketplace channels and meets the bar for online payment processing.

The solution

Stack: WordPress + WooCommerce as the store core, everything else from scratch. The theme is built for the brand; the Customizer lets the owner edit home content, banners, and blocks. Business logic lives in custom plugins.

What was built:

• Catalogue + boat-model configurator. Customer picks brand and PVC boat model → sees a mat shaped exactly for that boat’s geometry. ~150 boat models in catalogue.
• ЮKassa payments — cards, SBP, automated 54-ФЗ receipts via an agency scheme. Webhooks are signed and verified. Card data is never stored on the server (PCI-DSS).
• СДЭК delivery — API integration. Delivery page uses /v2/location/suggest/cities for city autocomplete (with debouncing and input sanitization), warehouse-to-warehouse rates calculated automatically.
• AES encryption of СДЭК API tokens in DB — tokens aren’t stored in plain text; even a DB dump doesn’t compromise the integration.
• Form spam protection — Contact Form 7 with a whitelist of allowed fields: any attempt to submit extra fields (a classic spam-bot technique) is blocked at the server.

Admin panel built for the manager, not the programmer

A separate story is what the store owner actually sees in the admin area. The default WordPress + WooCommerce UI was stripped down and reworked: only the menu items they need are kept, and custom sections were added for the actual business process — e.g. “Заявки на ковёр” (“Mat requests”) for custom orders that bypass the regular cart. The order page surfaces ЮKassa payment data (including transaction UUID), СДЭК waybill status, traffic source (Yandex / VK / direct) and device type — the manager doesn’t have to dig into Metrika for any of it.

• Defense in depth — 11 independent layers: hosting filters, Wordfence WAF, hidden admin URL, two-tier brute-force protection, unique admin login, XML-RPC disabled at both Nginx and WP level, 2FA. Each layer catches what the previous one missed — no single point of failure.
• Domain migration азимутлайн.рф → azimut-line.ru — 301 redirects from the old domain with Host-header validation, hard-pinned WP_HOME / WP_SITEURL in wp-config.php, follow-up security audit after migration.

SEO

Full technical setup for Yandex and Google — no paid plugins required:

• Rank Math SEO (free version — feature-wise beats paid Yoast Premium): Title templates for home / product / category / page / article, OnlineStore schema, organization data (address, phone, hours) for local search.
• Schema.org JSON-LD: Organization, OnlineStore, WebSite, WebPage, Article, ImageObject, Place. Open Graph + Twitter Cards for clean shareable previews.
• Sitemap with 5 sections: static pages, articles, blog categories, products, product categories. Sitemap URL is in robots.txt, submitted to Yandex.Webmaster and Google Search Console.
• Robots.txt: blocks /wp-admin/, WooCommerce internals, cart parameters (?add-to-cart=); opens admin-ajax.php for scripts.
• Tight indexation: home, products, product categories, pages, articles, and blog categories are open. Duplicate-prone surfaces are blocked — tags, date/author archives, search, cart / checkout / account.
• Breadcrumbs with microdata + automatic alt attributes on images.
• SEO signals carried through migration: Site Move filed in Yandex.Webmaster, Change of Address in Google Search Console (~180-day signal transfer). 301 redirects from all variants of the old domain (including www.).
• Analytics: Yandex.Metrika #109046325 with Webvisor, Click Map, E-commerce (WooCommerce purchase tracking), accurate bounce rate, and outbound-link tracking.

The outcome

The store is live on its own domain with real online payment processing. The post-migration audit closed all 8 identified vulnerabilities — from form-injection vectors to orphan Customizer settings.

The headline business win: the client stopped paying per-order commissions to marketplaces and gained a direct channel to customers. The ability to take custom orders for non-standard boats without intermediaries pays back the build cost in months.

Tech stack

• CMS: WordPress 6.9 + WooCommerce 10.7
• Backend: PHP 8.2, MySQL, custom plugins (must-use), AES encryption for sensitive data
• Payments: ЮKassa (cards, SBP, fiscal receipts via agency)
• Delivery: СДЭК API (rates, city suggest, tracking)
• Security: Wordfence + Limit Login Attempts + WPS Hide Login + 2FA, XML-RPC off at Nginx and WP, forced HTTPS on checkout
• Hosting: reg.ru (shared, daily backups), Let’s Encrypt SSL with auto-renewal
• Analytics: Yandex.Metrika with goals on order placement and payment completion