
10 common WordPress myths

May 29, 2015

WordPress isn’t secure

WordPress has a content management system (CMS) market share of 60.4% and can at times seem to be a victim of its own success. Being popular means that it makes more sense for wannabe hackers to learn the vulnerabilities of WordPress over Homestead or EPIServer CMS.

It also means that a higher number of users are likely to use insecure passwords, outdated installs, shoddy code and to have their computers compromised.

The wealth of add-ons such as plugins and themes (of differing quality) also increases your site’s code base and its potential security holes.

WordPress has made efforts to tackle this. It now asks you to create your own admin username (rather than creating the default ‘admin’ user) and gives your password a strength rating. It has also introduced automatic core updates for smaller releases. Plugins also have star ratings, reviews and last updated information.

Like many others I have experience of bots trying to enter my sites’ admin area. I’ve also seen the aftermath of hacked WordPress sites, through flawed plugin code and insecure administrator passwords. I’m still a massive advocate of WordPress and with a few simple steps you can greatly reduce the chance of your site being victimised.

WordPress is just for blogs

WordPress’s roots were in blog publishing, but since v2.9+ it has become so much more. A post item is no longer just a blog article but can be an album, a hotel listing, a song, an order and much, much more. WooCommerce has extended WordPress’s ecommerce repertoire, whilst companies have used it to power their own intranet dashboards via REST APIs and created full customer relationship management (CRM) and booking systems off the back of it.

The fact that it is still recognised by many as a blogging platform may be a result of its own marketing and a failure to promote itself as a multifaceted CMS much earlier.

WordPress doesn’t provide support

There’s no ticketing system or helpline, but WordPress has some of the best support available. Take a look at the WordPress Codex and the new Code Reference; a quick Google search will also unveil a massive WP community of tutorials, bloggers and forums.

Big companies don’t use WordPress

Some of the world’s biggest brands such as CNN, TechCrunch, TIME and NBC use WordPress. It has also seen a surge in popularity for universities, colleges and schools.

A historical reluctance to use WordPress by corporate organisations can be traced to a variety of reasons:

Cost – a free, open source CMS is presumed to have flaws. Often a company will go down the costly bespoke route, believing that off the shelf doesn’t suit their needs.

Open-source wasn’t as accepted in large corporates as it is today. Many of the companies I worked in would be ASP.NET based, using Visual Studio, IIS and Windows servers.

Security – the security of a website is of even greater importance when it stores the information of clients and customers. Data protection breaches can result in large fines, loss of trust, business and brand damage.

A previous employer was an early adopter of WordPress and suffered at the hands of hackers who found a vulnerability in the core. This, coupled with some bad plugin experiences, made them very difficult converts.

WordPress updates too often

WordPress does update a lot, which can in turn create a flurry of updates for your site’s plugins. However, updating WordPress is much easier than other CMS software I’ve had experience with, such as EPIServer and Magento. Most CMSs have updates to the core, but as they can be problematic, it seems more acceptable for, say, a patched Magento site to be using v1.4 than for a WordPress site to be out of date.

Most WP updates are backward compatible, so they are unlikely to break your site. I’ve only had one bad experience with a WordPress core update and that was related to intermittent hosting. Updates are frequent, especially for people used to websites with custom built CMSs or static non-database websites, but if they are meaningful improvements that’s a good thing.

Automatic background updates were introduced in WordPress 3.7 and now address minor releases, such as maintenance, security and translation file updates.

WordPress is difficult to maintain

WordPress does require some maintenance, from setting up a cron job to remove old post revisions to monitoring your security plugin, approving comments and applying updates.

Again, some of this comes down to your website’s original set up. The following can make your WordPress website less manageable:

  • having a site made up of countless plugins – especially when the same functionality can easily be developed
  • not having used a child theme to make modifications, when the parent theme is continually updating – diffing files can be time consuming
  • not having automatic / easy to create manual backups – this can scare people off keeping on top of updates and site changes
  • microsites that were built with multiple WP installs before the multi-site functionality was available

Perhaps one reason why people find WordPress difficult to maintain is the crossover between novice bloggers and experienced developers. The ease of adding themes and plugins means WP site owners are more likely to contemplate making their own changes than owners of a Drupal or Magento site, who might consult a professional web developer.

Again, owners and developers of websites built with custom or neglected CMSs will find that a WordPress site does need some aftercare. Too often agency or in-house web designers (who work across multiple websites) would finish a site never to return to complete v2.0, or to make subsequent updates. Custom/bespoke CMSs supported this approach, as they would often not be developed further and so would not require core updates.

WordPress can’t do anything out of the box

I once met a WP site owner who was adamant that WordPress couldn’t support his SEO needs. It transpired that he expected meta tag fields to be available ‘out of the box’ and didn’t understand the ease of adding a plugin such as WordPress SEO by Yoast. Which elements and functionality should be part of the core of a CMS is always debated (some CMSs assist with the uploading of a favicon, whilst developers might find this unnecessary). It’s very difficult for one size to fit all.

In my opinion a multi-use CMS like WordPress should be kept reasonably fast and lightweight. Admin menu items are easy to manipulate via themes, and there are some very established plugins for contact forms, SEO, spam prevention and security.

WordPress plugins are often flawed

Not all plugins are flawless; some have bugs, outdated and inefficient code, security issues and poor support. However, some plugins are worth their weight in gold. Plugins such as Wordfence, WordPress SEO by Yoast and Contact Form 7 help me to easily achieve things that would be very difficult or costly to achieve alone.

Don’t blindly add plugins; make sure they have excellent reviews, high downloads and are being maintained.

Open-source software – You get what you pay for

Firstly, not all WP themes and plugins are free, especially if they offer tiered support or functionality. Secondly, if you need something bespoke in terms of look or functionality, you are likely to need a web developer if you’re unable to develop it yourself. However WordPress’s popularity means development is likely to be cheaper than most other CMS development. There are no license fees, basic LAMP hosting is inexpensive and there is a large community offering free advice and support.

I’ve worked at companies who have developed multi-million pound CMSs, feeling that they need that custom level of file and database architecture or functionality. However, such systems tend to become quickly outdated and abandoned as staff move on or a company’s IT direction changes.

WordPress’s architecture can be messy

Not everyone loves the way that WordPress works. Server administrators have disliked the way that multiple unused image crops can be produced for each image (especially if thumbnail sizing isn’t set up in the theme correctly), folder permissions being too open, and some of the db structure.
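Two points from this article can be checked from the shell: folder permissions that are too open, and whether the automatic core updates described under "WordPress updates too often" have been switched off. The script below is an added example, not code from the original post; the sample tree it builds is constructed, the function names are hypothetical, and `WP_AUTO_UPDATE_CORE` and `AUTOMATIC_UPDATER_DISABLED` are the wp-config.php constants WordPress reads for update behaviour.

```shell
#!/bin/sh
# Added example: two read-only checks on a WordPress install directory.

# Print files and directories that any local user can write to
# (symlinks are skipped; their own mode bits are not meaningful).
wp_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Report how core auto-updates are configured in wp-config.php.
# The patterns are anchored, so commented-out define() lines do not match.
wp_autoupdate_state() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] || { echo "no-config"; return 0; }
  q="['\"]"; s="[[:space:]]*"
  if grep -Eiq "^${s}define\(${s}${q}AUTOMATIC_UPDATER_DISABLED${q}${s},${s}true" "$cfg"; then
    echo "disabled"; return 0
  fi
  line=$(grep -E "^${s}define\(${s}${q}WP_AUTO_UPDATE_CORE${q}" "$cfg" | tail -n 1 | tr 'A-Z' 'a-z')
  case "$line" in
    "")      echo "unset" ;;      # constant absent: WordPress default applies
    *false*) echo "disabled" ;;   # no automatic core updates at all
    *minor*) echo "minor" ;;      # maintenance and security releases only
    *true*)  echo "all" ;;        # minor and major releases
    *)       echo "unknown" ;;
  esac
}

# Build a constructed sample tree: uploads left at 777, auto-updates off.
wp_build_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  printf '%s\n' "<?php" "define('WP_AUTO_UPDATE_CORE', false);" > "$d/wp-config.php"
  chmod 755 "$d/wp-content"
  chmod 777 "$d/wp-content/uploads"
  chmod 640 "$d/wp-config.php"
  echo "$d"
}

# Usage: sh wp-audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
  echo "World-writable paths:"; wp_world_writable "$1"
  echo "Core auto-update state: $(wp_autoupdate_state "$1")"
fi
```

Anything listed as world-writable is a candidate for tightening to 755 (directories) or 644 (files), and a state of `disabled` means security releases will only arrive when someone applies them by hand.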

WordPress’s open nature also means that best practice is often difficult to know or follow. Even premium themes can get things wrong e.g. bundling of plugins and security update issues. Coding practices aren’t always that strict, and it’s interesting to see how different themes tackle everything from template files to use of the functions file.

I’m a big fan of Sage (previously known as Roots), which helps to add a bit more structure to theme development.

 

To conclude

WordPress is constantly expanding in a bid to remain the CMS of choice. I’ve been using it for many years now and haven’t looked back.

Andrew Taylor

A senior UI designer with over 25 years of web design and web development experience working for some of the largest companies in the UK. An expert in all things Magento and WordPress.
