Why I don't recommend Wordpress

Wordpress. The marmite of the web development world. Some devs love it. Some devs hate it.

It powers over 30% of all live websites today. There's no financial cost attached to using it, and there's a wealth of free themes and plugins out there that make changing a design or adding new functionality quick and easy.

It's a good way to quickly get a decent-looking website online with next to no budget, so it's not hard to understand why it's held in such high regard by so many.

In the past I've even recommended it to others who have very little in the way of budget for a site. Get a site online using Wordpress, grow your business, then get the site designed and built properly.

Yet, aside from a blog I started nearly 10 years ago, I don't use it. And now I often recommend my clients use an alternative platform for their own sanity.

Because you really need to know what you're doing with Wordpress to run a website using it.

Wordpress is not a 'do it yourself' solution

Wordpress is often touted as a DIY solution to those who need a website up and running quickly thanks to no financial cost, an easy '5-minute install' and a plethora of free themes and plugins out there.

Need new functionality but can't code it? There's probably a plugin that does it already.

It's a great concept, but a reliance on plugins is bad for a number of reasons, namely speed and security.

Poorly written or outdated Wordpress plugins are also notorious security risks as they're an easy way in to your database for hackers.

An over-reliance on plugins is often the main cause of slow Wordpress sites due to having to access the database each time the page loads. Google doesn't like slow pages. In fact it uses page load speed as a factor when ranking sites in search results.

Faster page loading = better SEO results.

Plugins can also conflict with one another, causing broken functionality and in a worst-case scenario, even locking you out of the site completely.

Think of Wordpress as an old Ford Fiesta.

Everyone's familiar with the Fiesta. Chances are you know someone that owns or has owned one, and many of us have driven them ourselves at some point.

It's a cheap run-about that gets you from A to B.

And whilst it runs fine for the most part, from time to time it will also just completely break down, forcing you into the engine bay to start twiddling stuff to get it working again.

When Wordpress updates, pray everything still works. Image credit: Pexels

Welcome to the world of Wordpress-powered websites.

Constant maintenance and manual updates are required, because you can't trust automatic updates not to break your site. And automatic updates have broken many Wordpress sites.

It's for this reason alone I don't recommend using Wordpress if you're not a developer or don't have someone with the required expertise to set your site up properly and ensure it keeps running smoothly.

Wordpress security is a constant worry

Let's look at the main downfall of a DIY Wordpress site. Security. Or rather, its lack of it.

Wordpress security updates come thick and fast, mainly because the platform is such a juicy target for hackers. The fact that the code is open source and viewable by everyone is great, but not when it's powering a huge portion of the internet.

WPScan keep a running record of past and current Wordpress vulnerabilities. As of July 2018 they are showing over 11,600 known security issues across multiple versions of Wordpress since they started tracking them.

In that time, nearly 75% of all vulnerabilities have been shipped with the Wordpress core itself.

Wordpress vulnerabilities ratio according to wpscan.org

At the time of writing, the most recent is an exploit that allows any user that can edit uploaded media (typically, most blog contributors) to delete a core WP file that will result in the installation process running again, allowing them to create a new admin account just for them.

Hackers wouldn't even need an admin login to gain complete access to the site. A contributor account with a weak password could let them in.

Most, if not all, of the found vulnerabilities have been patched, but this list is being updated regularly with new ones.

A decent WP developer will be able to prevent most security issues, and will be running back-ups in case of data loss. But with the new, stricter GDPR recently coming into effect, can you really afford to risk a data breach?

For most websites, Wordpress is pure overkill

For smaller, 'static' websites, i.e. those that don't require regular content additions such as articles, using Wordpress (or in fact most database-driven CMS solutions) is just overkill.

I meet many 'developers' (a term I'm using loosely here) at business events who only ever use Wordpress to power sites, regardless of clients' needs. It's quick and easy for them to churn out a website for a client using a theme and some plugins and get paid.

But this often causes problems later down the line when a plugin is retired and no longer updated. At best, functionality might break. At worst, your entire database could be compromised by a hack.

Honestly, most businesses don't even need the ability to edit live site content.

Wordpress and indeed any CMS should really be used for adding and editing new content. If you don't need to regularly perform a repetitive task like adding pages to a site, you probably don't need a CMS at all.

Should you avoid Wordpress in 2018?

Contrary to this article, I don't really have anything against Wordpress as a platform. It's great for certain situations, so long as you have the knowledge and experience needed to get it running correctly and securely.

My main gripe is the inevitable time-sink of ongoing maintenance that comes with using it, something that I don't think should be passed onto a client.

Despite its popularity and famous '5 minute install', the reality is it's a platform that really requires a developer that knows what they're doing with it.

I'm not saying don't use Wordpress, I'm saying find a reputable developer or studio who will build you a solid, secure site that fits your business needs.

Whenever possible, I prefer to be platform agnostic, picking a CMS or platform based on the client's own needs rather than what I or a developer would prefer to use.

There are many other options out there for managing site content.

For smaller sites that don't need to be regularly updated or require access to content stored in a database, I'll typically use a flat-file CMS or static-site generator (SSG), my favourite at the moment being Pico, great for quickly producing small, simple sites. If a site is a little more complex but still small enough to not require a database, then Grav is a nice little flat-file CMS with the ability to log in and edit live sites.

For more complex sites I'll use Perch, mainly because I like its approach to managing content and the way you build sites using it. You just focus on writing the HTML and outputting content via Perch. No bloated mark up or plugins to load, just output content and whatever mark up you yourself wrote.

It's not free but you sure do get a great bit of kit for around £50. The support team are great too.

And finally for larger, more complex sites, I've heard very good things about the ModX CMS, though I've yet to use it myself.

But, if I'm working with a developer and they think Wordpress is the best solution for the client's needs, and I'm confident they can deliver the goods using it, then so be it.