Why Polling Isn’t Enough
The simplest way to sync two systems is polling — check every 5 minutes for new data. But polling has problems:
Delay: A customer places an order and waits up to 5 minutes before your CRM knows
Waste: 95% of polling requests return “nothing new”
Load: Frequent polling hammers both your store and CRM servers
Gaps: If a poll fails, you miss everything until the next cycle
For real-time business operations, you need push-based synchronization — data arrives the moment it’s created.
Webhooks: Instant Data Delivery
WooSync uses WooCommerce’s native webhook system. When an event occurs in your store, WooCommerce pushes the data directly to your Perfex CRM:
order.created — New order placed
order.updated — Order status changed
product.created — New product added
product.updated — Product details modified
customer.created — New customer registered
customer.updated — Customer profile changed
The data arrives in milliseconds, not minutes. Your CRM is always current.
HMAC-SHA256 Signature Verification
Anyone can send an HTTP POST to your webhook URL. How does WooSync know it’s actually from WooCommerce and not an attacker?
HMAC-SHA256 cryptographic signatures.
Every webhook delivery includes an X-WC-Webhook-Signature header — a hash computed from the payload using your shared secret. WooSync recalculates the hash and compares:
Match: Request is authentic → process it
Mismatch: Request is forged → reject it (401)
This is the same verification method used by Stripe, GitHub, and other enterprise APIs. Your webhook endpoint is cryptographically protected.
Queue-Based Processing
Webhook data doesn’t hit your database directly. WooSync uses a queue table (woosync_webhook_queue) with production-grade reliability:
Deduplication: Each delivery has a unique delivery_id — the same event is never processed twice
Retry logic: Failed processing attempts are retried up to 3 times
Status tracking: pending → processing → completed (or failed)
Locked processing: A locked_at timestamp prevents concurrent processing of the same item
Error logging: Failed attempts store error messages for debugging
Rate Limiting: 120 Requests/Minute
WooSync includes IP-based rate limiting on the webhook endpoint:
Maximum 120 requests per minute per IP
Excess requests are rejected with 429 Too Many Requests
Rate limit data stored in woosync_rate_limits table
Protects your CRM from webhook floods (e.g., bulk updates in WooCommerce)
CSRF Whitelist
Perfex CRM has built-in CSRF protection that blocks external POST requests. WooSync automatically whitelists its webhook endpoint so WooCommerce deliveries pass through without CSRF validation — while keeping all other CRM endpoints protected.
Comprehensive Sync Logs & Debugging
Even with a perfect setup, network issues or data validation errors can occur. WooSync v1.2.0 introduces an interactive Sync Logs Modal for effortless debugging:
Click "View" on any sync log to open a detailed modal.
Inspect the complete Action type, Server Message, and the raw JSON Request Payload received from WooCommerce.
Identify exactly which field or payload structure caused an issue without digging through server text logs.
The Complete Security Stack
LayerProtectionHMAC-SHA256Verifies webhook authenticityRate LimitingPrevents flood attacks (120/min)CSRF WhitelistAllows legitimate webhooks throughQueue DedupPrevents duplicate processingRetry LogicHandles transient failuresAES EncryptionProtects stored API credentials
Setup: 5 Minutes
Secure. Instant. Reliable.