Security

Why you should avoid WordPress

I am noticing an alarming increase in the number of queries I am getting from people who have used WordPress to create their websites, and then things have gone horribly wrong, usually because they have been hacked and their site is now irreparable.

Sometimes however it is because they have vanished from search engines since uploading their new free website, whereas they had been doing well in the search engines with their previous custom site.

I understand why people are tempted by a system such as WordPress that will allow anyone, with no design skills or coding experience whatsoever, to create a free website in just a few minutes with no effort required on their part.

Who doesn't like free? Who doesn't like something for nothing? Perfectly understandable...

But offering visitors to your business website a cheap website that looks exactly like thousands of other websites just tells your visitors you do not care about their needs and will probably also be cutting corners wherever possible in all other aspects of your business, and are therefore best avoided.

So for anyone even considering setting up a WordPress website for their business let me explain why you should stop right there...

If you make that decision you will regret it at some point...

What is WordPress? 

WordPress is free web software that was originally designed as a blog system and then had extra bits bolted on so it could make full websites. It is used on over 75 million websites worldwide.

WordPress is easy to set up and install and is usually used by people with no web design or coding skills wishing to set up a personal or hobby website themselves without needing to hire a web developer. For this DIY market it works rather well.

Business websites, however, need to be both reliable and secure. Your business website is often the first impression of your business for your potential customers. Just as no business would use home-made business cards, a WordPress template site will not give your visitors the impression that your site, and so your business, is in any way unique, as it looks just like thousands of others using the same WordPress template.

In short, if you want to create a quick DIY website with literally no effort for a hobby or personal site, and don't mind that it will look just like thousands of other websites, then WordPress could be for you. But if you want to give a good impression of your business then WordPress should be avoided at all costs - you need a bespoke website.

Why avoid WordPress?

1. Security

As there are millions of websites using WordPress they are a big target for hackers. If a hacker can find a vulnerability in one system it is likely that this exists on many of the others. Furthermore, as botnets (malicious networks of compromised computers that trawl the Internet for nefarious reasons) can determine whether a site is made by WordPress or not, once a vulnerability has been found it can be automatically exploited on every similar website using the same version. Once a website has been hacked it can be very difficult, and often impossible, to fix.

WordPress is the biggest online target for hackers because it is so poorly coded (it was not even a CMS when first released; it was a single-page blog system, and everything since has been “bolted on”, which causes lots of security loopholes). A dedicated CMS like Joomla, Moodle, Drupal, Typo3 etc., by contrast, has been coded from the ground up as a CMS, so the “bolt-on” security issues don’t exist.

So you have to be a lot more careful with WordPress than with any other website system. As I have explained in several of my blog posts, hackers don’t care who owns the site, or what the site is about; they are only interested in gaining control of the server your site is on. If they get in via your site they can then infect every other site on the same server and start serving up malware to the visitors to every one of those sites, and so it spreads (like the hack yesterday that took down services in 74 countries and was all over the news, though in that case it was deliberately looking for and infecting Windows XP machines connected to the internet, then encrypting all the files on every machine connected in that network, such as at the NHS here in the UK yesterday).

This is not sci-fi or fiction of any kind – the threats online are enormous and have to be taken very seriously indeed. And if you use WordPress for a business website you are making it a target.

Whilst it is true that all websites are vulnerable to hackers to some degree or other, having a custom website would mean that a hacker would need to target your website specifically. The difference with a WordPress based website is that the hacker can target millions of websites at once, without knowing or caring who they belong to.

Some alarming WordPress Statistics:

  • Of all the websites hacked every day around the world, 80% of them are running WordPress!
  • Over 60,000 WordPress websites are hacked every DAY!
  • That's 42 WordPress websites hacked per minute, for every minute of every day...

Those facts should tell you - do not trust WordPress for your business website.

You have to remember the hackers have a remarkable success rate in hacking WordPress – 60,000 successes a day!

2. Updates

While WordPress regularly releases updates to fix all the security holes (of which it has lots), the trouble is that with an average of more than one patch a month it can be time-consuming to keep your website secure. The updates will need to be done by someone technical, which means you inevitably end up paying for this extra work in the long run, even though you perhaps chose WordPress in the hope you could run it for free.

The other major downside to updates is that there is always a risk they will break your site, especially if you used a customised theme.

3. Plugins

Plugins are a great idea. Each plugin is an extension to WordPress written by a third-party developer. They each add functionality to WordPress that is not otherwise in the WordPress system. Unfortunately as there are so many plugins, written by so many people, many have their own security vulnerabilities and issues. Many plugins are written by hobbyists to do something for their own site, they release the code for free and then forget about it.

For example, it’s possible that two plugins will both work independently, yet when both are installed can conflict with each other and cause major issues with the website, perhaps even taking it offline.

Along with the updates, plugins can also break. A plugin can be working perfectly, and then after you update the core WordPress system, the plugin can break, and will remain broken until the plugin’s developer is able to update it. As plugins can often be the basis of essential features of your website, and as we’ve already established that the core system needs to be updated regularly, you’ll be faced with a dilemma, choosing between a working site or a secure one. (If you then roll back to a previous version of WordPress so all your plugins still work, you have to know that the hackers taking down 60,000 WordPress websites every day are waiting for you to do exactly that, to give them a previous version that they already have the hacking code ready for.)

4. Support

As WordPress is open source it is free and developed by the ‘community’. This is a good idea and allows such software as WordPress and many UNIX based systems to remain free. However it does cause an issue with support.

As there is no official development team, and as you have never paid anyone for the software, there is no phone number to call and no guaranteed way of getting a response when your site is down. Therefore if your WordPress website breaks, perhaps after an update, any errors can be hard to diagnose. The usual process is to use Google to search various support forums, and if no one else has had the same issue, post a ticket to a forum, and hope that someone can help you fix your issue. Even then you are only likely to receive a pointer in the right direction, and will need to do a fair bit of work yourself. This can be hard enough work for a professional web developer, and can sometimes prove impossible for amateurs who only know how to install and use WordPress, and not how to fix PHP errors because they have never learned to code in PHP as web developers do.

5. Features

The thousands of plugins available can do a variety of different tasks, but the time will come when the plugins will not do either what you want, or in the way that you want it done. When this happens you’ve reached the end of WordPress’ usefulness.

The choice then is to either compromise, by choosing a similar plugin, or create a new plugin from scratch. The first is not ideal, and the second requires a skilled developer and so isn’t always cost effective for small sites.

Alternatively, with a custom built website, the web developer has spent years becoming proficient in coding, and it is usually much easier, and therefore more cost efficient to develop bespoke features. With a WordPress site users often reach the end of the functionality earlier than they expect, and have to start all over again from scratch with a different system that is not so "dumbed-down".

6. Search Engine Optimisation (SEO)

There are lots of SEO plugins for WordPress, and by picking and choosing the correct ones you can achieve a certain level of optimisation. However, you never have the fine control that you get with a custom website, and therefore full search engine optimisation is not possible.

7. Speed

The speed of a website affects the SEO as well as the general user experience. As WordPress caters for many different styles of websites and has lots of features that are often unused, the code is very ‘bloated’. This means your server is processing a lot more code than it needs to which means each page is slower and you will reach the limits of your server much quicker.

One of the advantages of a bespoke website is that it can do exactly what is required with no unnecessary overheads, and therefore run very efficiently.

8. Compatibility

Errors in websites need not be critical; have you ever seen a website that looks different in Internet Explorer to Firefox, or looks obscured on a mobile phone? Well this is common across many websites, in particular ones created using software such as WordPress.

The advantage of custom built websites over WordPress is that, as they are built from scratch step-by-step, they can if required be made compatible with all versions of all browsers, work on all mobile phones and validate to current standards. Although this is possible with WordPress it is typically much harder to achieve as it will require the services of a skilled custom designer. If a website is truly compatible, it will open itself up to a much wider audience.

9. Migrating Servers

All websites are hosted on third party servers, or web hosts. From time to time, for various reasons, it is required to move a website from one web host to another. Although a little work is always required, the complexity of WordPress sites means that this can be harder than for custom websites. Where a custom website could be moved in a few minutes, any equivalent WordPress website could take far longer.

10. Themes

WordPress has a set of default designs, also known as themes. This is an advantage as you can choose from a library of themes that get installed easily so your design is taken care of instantly and you just need to fill in your text and add your own images, so you can have your site completed in minutes.

Unfortunately most WordPress themes look rather similar, so that means your WordPress website can never look original. If a theme isn’t exactly what you want it will need to be customised, so again you will need a custom designer.

The advantage with a custom built website is that it can be designed exactly how you want it. The designer does not need to fit your requirements into pre-built boxes, but can start literally with a blank canvas to produce a truly original design that complements your business and shows visitors that you care enough to present them with a site that is unique, just as your business is unique - rather than just cutting corners and fobbing them off with a free website that took you no effort at all to produce.

After all, if you obviously cut corners on your website, then a visitor can be forgiven for assuming that you cut corners in most other aspects of your business, and so are best avoided. A WordPress site can ruin your professional reputation in ways that your business may never recover from.

Summary

WordPress is a powerful piece of software that allows people with NO knowledge of web design OR coding to set up a website extremely quickly with no effort on their part. And for personal/hobby sites it is great at what it does. However, for your business website you have to question whether it is a good choice to use software that is regularly hacked (60,000 WP sites hacked per DAY), offers slow performance in comparison to almost all other systems due to bloated code, and requires continual technical attention.

Remember that you are at the whim of other developers, not just for WordPress itself but for each theme and plugin, who have no business relationship with you, and will certainly not be under any obligation to you. You are relying on them to write secure and professional code for your new business website - while most of them are writing code as a hobby.

That’s before you consider that you will be forced to make compromises with the design and operation of the site. Your business is unique and your website should reflect that, which is completely impossible with WordPress.

A real Web Designer usually knows what a new website will look like before he or she writes a single line of code for it - often spending days in Photoshop or with a sketchpad working on the design. Once he or she is happy with the design they will then sit down and start coding, knowing full well they will be able to bring their Photoshop/Sketchpad design to life perfectly - pixel perfectly...

Whereas a "WordPress Developer" hasn't got a clue what the site will look like until he/she goes online and shuffles through all the available WordPress templates till he/she finds one he/she likes, pays anything between $0 and $30 on average for the template, installs it in a few seconds (that's the design bit taken care of in 10 seconds flat), inserts the client's text, photos, logo etc., into the right spaces and that's it - job done! And it is probably not even tea-break yet. They then wait a few days before showing it to the client, so the client thinks it took days to create, then hope their client will like it enough to pay the several hundred or even several thousand pounds being asked for it. Easy money (and if the client doesn't like it they take 10 seconds to install another template, wait a few more days so the client thinks they are working really hard, and try again with the client until they hit a template the client actually likes).

Unless your budget is exceptionally tight, it is often better to get a website developed properly right at the start to ensure you end up with a website that is unique - rather than one of thousands of sites using exactly the same template (such as the WordPress "MAKE" theme - now installed on 20,000+ websites which now all look exactly the same).

A website is often the first (and potentially the last) thing people will see about your business. It’s therefore important, and more efficient in the long run to get it right first time!

Always remember that WordPress is a platform designed to enable those with NO design skills to make passable websites - the WordPress software takes care of design for you by using templates. So when anyone offers to build you a WordPress website they are admitting to you that they are not a web designer, but they have learned how to use a freebie website builder (that you could easily use yourself with similar results) to make easy money.

CMS Wales does not, and never will, create WordPress websites for profit - we could not in all conscience charge anything for a WordPress site, due to anyone being able to build one in less time than it takes to drink a cup of coffee. Apart from that we prefer to make every website we create for a client a unique one-off design - impossible with WordPress.

This is why we specialise in custom websites, each one being unique, rather than being a copy of 20,000 other sites.

This is why we also offer a far superior, and completely free, website builder with some of our Hosting Plans.

FOOTNOTE:

Although this article explains why I feel that WordPress is really not suitable for business websites - if you feel you must use it due to severe budget constraints then you should at least ensure you do not simply have WordPress installed on a normal Linux web hosting account (this will make it run much slower than it is actually capable of doing), but demand that it is installed on a Dedicated WordPress Hosting Account. This way you can drastically mitigate many of the security concerns as these specifically optimised WordPress hosting accounts monitor, and keep updated, all your core WordPress files, around the clock, 24/7/365.

We’ve developed our own hosting platform just for WordPress websites, ensuring you get a robust, secure hosting environment that caters to the system’s every need. Advanced load-balancing, SSD storage as standard, superfast StackCache caching, clever database handling, automatic WordPress Core updates, and high quality hardware throughout means you get consistently excellent speeds your visitors will love. Our hosting is designed to scale as your website grows, meaning the same great performance no matter how popular you get.

Having the latest version of WordPress core is important not only for security but also speed, that’s why we automatically patch and update your install as soon as it’s available. All sites on our WordPress platform are also behind a custom built Web Application Firewall that is watching over your site and filtering out evil requests before they can even reach it. To avoid abuse through plugins, we are constantly monitoring for and will block any plugins that put your site at risk.

  • Powerful platform specifically built for WordPress hosting
  • Optimised speed and security for WordPress websites
  • Automatically updated WordPress core


Note: While this article may give the impression that I think there is no such thing as a WordPress developer, this is not the case. There are indeed WordPress Developers, but they are relatively few in number in comparison to the number claiming such a title. Of those claiming to be such, possibly 5% of them actually are. The rest simply learned to install and use WordPress and install a template and a few plugins.

For most in this class you could say:

WordPress has convinced a legion of amateurs with no talent or training that they’re web developers because they can configure a WordPress site, upload a theme and install some plugins. Yet they don’t know how to write HTML much less CSS, JavaScript, SQL, or a single server side programming language.

Whereas you could define a real WordPress Developer as:

A WordPress developer is one who can code custom plugins and modules for WordPress and so by definition is also a PHP Developer.