Why We Don't Recommend WordPress or any generics CMS

I. Introduction

We do not recommend Wordpress (or any CMS system) to our clients as the first recommendation.

We create and host Wordpress websites. Wordpress is a popular CMS (content management system) tool for creating websites. It’s easy-to-use, such that around 34% of all websites, and 60% of CMS websites are built using Wordpress. They feature a great library of plugins, many of them with a “free” version, to add functionality to your website. They’re great for allowing non-programmers to design and maintain a website.

We’ll create a Wordpress website if that’s a better fit for our client. But that’s usually not our first recommendation. There are many reasons, primarily price, performance, and the biggest of them all, security.

II. Price

As we mentioned before, Wordpress is free, and the plugins usually have a “free” version. It’s great and works well for blogs.

But for e-commerce, free plug-ins either have very basic functionality as to be practically unusable for “non-traditional” or complex workflows (such as 2-stage bank deposit payments or complex formulas for how much your insurance will cost or one of the new paymentment or fulfillment gateways); and/or they charge a commission for online sales on top of the merchant fees. On that note, one of the more popular “free” e-commerce platforms charges a 1% on online sales on top of the merchant fees.

However, when starting out, that might actually be the way to go. Instead of investing a larger amount up-front, it might be wiser to start selling on a simpler, and free, Wordpress model to see if you have an audience before diving in. In addition, if you’re making frequent and extensive changes to your website, and you have a talent for design, it will probably be easier for you to make the changes yourself instead of paying a 3rd-party to do so. And then switch to a custom website once you see the business model is sustainable.

III. Performance

Wordpress will always perform slower than a custom website. It’s greatest strength, easy to attach plugins, is also its greatest weakness. Each plugin adds an extra layer of processing, which adds to the time it takes to draw your website. And it’s easy to get carried away and add multiple, and many times redundant, plugins that overlap in functionality, further slowing down your website.

IV. Security

Popular CMS platforms like Wordpress are constantly under attack and probed for security vulnerabilities.

If the website is configured and maintained correctly, and all its plugins are configured and maintained correctly, then there shouldn’t be any issues. That being said, since Wordpress is aimed at people who might not be as technical, and most Wordpress websites have 10-20 plugins, they may either forget to upgrade a plugin, or a particular plugin may have an unforeseen vulnerability. Below is an example of the probing that a typical Wordpress website undergoes.

And yet our server load report shows an average of 204 visits to the website every day, with 1,777 unique visitors last June. On an empty page. It’s even more popular than some of our actual legit business clients! What gives?

The answer apparently is: constant probing for security vulnerabilities:

Most notable are the xmlrpc attack with over 50% of the access, and the rest looking for other exploits. These are all definitely attacks as the website is, we repeat, still “Under construction” without any internal activity. It looks there were only 13 valid attempts at the website (one with the single / in the page url)..

For another actual, live, active Wordpress website of another client, out of around 27k views, more than 75% of the access are probing for security vulnerabilities and trying out passwords. We hope they chose a good one.

And no, Wordpress does not come with built-in brute force protection. There are plugins for that. But this brings up the catch-22 for Wordpress. Wordpress was designed for non-technical people to make and maintain a website, which means they might not be aware of everything they need to do to keep their website secure. It is also quite common to have a plugin with a security vulnerability and not be aware of it, which is the most common reason why Wordpress websites get hacked.

And these constant attempts to hack the empty Wordpress website have grown from 2,279 in April, then 3,223 in May, and 6,129 in June definitely affects performance as well.

V. Plugin Issues

Wordpress Plugins are 3rd-party programs that make Wordpress development easier. Most of them are free for basic functionality, and charge a premium for more advanced functionality. A typical Wordpress website has 10-20 plugins. Here are the primary issues with them.

1. Cost
The free basic functionality is usually not really enough, which is by design. The workable functionality will cost more than the basic web hosting, so multiple paid plugins can quickly double or triple or more your web hosting costs.

2. Compatibility You’ve downloaded and paid for your plugins, then your website stops working. Sometimes, your plugins just don’t work with each other. Sometimes it’s obvious when they don’t. Sometimes it breaks things just enough so that it subtly affects performance and reliability, which can be even worse.

Fortunately, you can download a Compatibility plugin to check which plugins are compatible with your other plugins, so you can all have a happy plugin family! The fact that these plugins even exist summarizes this issue better than anything we can say.

3. Plugin Reliability
Plugins are 3rd-party tools made by different people/groups/companies. Who are they? Read the previous screenshot and really read what they typed.

They made grammatical and spelling errors. And, based on “Issues Resolved in Last Two Months”, you can see that these plugin authors also make programming mistakes. You’re essentially trusting your website code to unknown people, and hoping that they keep their plugin continuously up to date. Try limiting your website to more “reputable” plugins to minimize this problem.

VI. Conclusion

If it was just price and performance, then there are use cases for each. The security concerns make us advise our clients not to use Wordpress as their first choice, and only after we make them aware of the many implications. But if you're a start-up and want the smallest initial investment just to test out the market, then Wordpress is a good start.