One of the challenges of software development is explaining the differences between different languages, platforms, frameworks & approaches. It’s easy to fall into jargon or become too technical when explaining why we do or don’t use a particular technology.

This article is an effort to explain in plain English why we don’t use WordPress to build websites.

For some context the following has been written by someone:

  • with over two decades of website development experience.
  • who used to use WordPress to build websites.
  • who uses open source software on a daily basis.

To make sure I’m not just putting across my own personal opinion I’ve had this reviewed by a number of other independent IT professionals.

The simple answer of why we no longer use WordPress is that there are far better, more modern solutions out there we’d much rather use instead. But to go deeper here are the factors that make up this decision.

 

WordPress is not fit for purpose in many use cases

WordPress was originally developed as a blogging platform, where people could post a chronological list of posts or articles. Over time more & more functionality has been added, but at its heart WordPress is a blogging platform. This works fine if you’re posting recipes or writing articles, but blogging is a long way from selling products online, handling private data, interacting with business systems or operating in an enterprise environment.

Over the years WordPress has added more functionality & flexibility around how it handles content, allowing for more flexible layouts than the original blogging approach into general content management.

 

WordPress uses an outdated approach to coding

WordPress was developed in the early 2000s, using a method of coding pioneered in the 1970s called procedural programming, which is very outdated in modern times.

Over time how we programme computers has changed: new languages are introduced & the methods we use evolve to become more scalable, secure & stable. Procedural programming is generally easier to learn than modern programming methods, but is less scalable, secure & stable. Most modern software & professional developers now use more structured methods like object oriented programming for core functionality.

The way we deliver web content has changed too. Content tends to be more dynamic & delivered to computers, phones & other devices. The line between website & app is blurring, but this can only happen using modern methodology.

WordPress also suffers from very little separation between the frontend (what you see) & the backend (the part you don’t see). Modern web systems have layers between the two which make sure that what you do on the frontend doesn’t impact the backend. This is of particular importance where the backend contains sensitive data.

 

WordPress suffers from “plugin anarchy”

One of WordPress’s greatest strengths is also its greatest weakness. You can currently browse almost 60,000 “plugins” on the WordPress website. These add-ons bring additional functionality to WordPress’s blogging/content platform.

The big problem with this is there is no real discipline or method about how WordPress plugins are developed. This means anyone can write a bit of code & call it a WordPress plugin, with no real oversight into quality, stability or security.

For example, a plugin search for “booking calendar” on the WordPress plugins site produces 21 pages containing over 400 plugins. Some of these plugins were last tested on versions of WordPress from 2011.

This isn’t a criticism of open source (which I’m a fan of). Other platforms generally use a standardised structure for add-ons & contributions are peer reviewed by other developers or the platform before being accepted. This gives us the best of both worlds where we have the flexibility & collaboration of community coding coupled with the security & stability of disciplined coding.

 

WordPress is less secure than most alternatives

Security is a nuanced topic & more than I can cover in a couple of paragraphs. The good news is the core WordPress is relatively secure, as long as you keep WordPress up to date. The bad news is the plugins are the most common point of entry for hackers & harder to keep secure.

A recent security report by Patchstack for 2021 identified that 29% of WordPress plugins with critical vulnerabilities never received a security update. To quote from the report:

In 2021 there were 35 critical vulnerabilities reported in WordPress plugins. Two of these critical vulnerabilities were found in plugins with over one million installations. These likely had many users scrambling to update their sites and hosting providers rushing to apply firewall rules to protect their customers.

There are bots scanning websites every day probing for weaknesses. The hackers’ bot only needs to get it right once. WordPress site owners have to get it right all of the time, which is exceedingly difficult when relying on third party plugins of dubious quality.

The older procedural programming methodology also means that it is easier for a hacker to access & alter data than in a modern system where the frontend & backend of a website are separated by a layer of security. This means that sloppy programming in WordPress themes, plugins or customisations can open the entire website to hackers.

As a general rule the further WordPress is moved from its core functionality the less secure & stable it becomes. Having to separately monitor & manage security on every individual WordPress website generates significantly more risk than centrally managed platforms, where teams of professionals proactively identify & fix security issues before they become a problem.

 

WordPress is less stable than most alternatives

As above, the massive range of plugins of questionable quality & support leads to stability issues. So even if a WordPress website isn’t hacked it might be plagued by errors & glitches.

Even if a WordPress plugin is bug free on installation, it will generally be maintained by contributors. So while a new version of WordPress may be released to counter a security threat, a plugin may not be updated to work with the new version or to patch a security vulnerability.

WordPress themes may also need updating for new versions of the core system, especially between major version updates. For example the change from version 4 to version 5 required an overhaul of existing themes.

A domino effect can happen where different versions of themes, plugins & core can start to conflict with each other, producing errors or security concerns. This makes keeping the site as a whole up to date, secure & stable increasingly difficult.
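
One way a site owner can spot this drift early, as an added example that is not part of the original article or any WordPress tooling: a Python check that reads the "Tested up to" header each plugin declares in its readme.txt and flags plugins that have not been declared as tested against the installed core version. The plugin slugs and readme contents below are constructed sample data, and the function names are hypothetical.

```python
import re

# Header fields that plugin authors declare near the top of readme.txt
HEADER_RE = re.compile(
    r"^[ \t]*(Tested up to|Requires at least|Stable tag)[ \t]*:[ \t]*(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)

def parse_readme_headers(text):
    """Return the readme.txt header fields as a dict with lower-cased keys."""
    return {key.lower(): value for key, value in HEADER_RE.findall(text)}

def version_key(version):
    """'5.8.2' -> (5, 8). Only major.minor is compared; None if unparsable."""
    match = re.match(r"(\d+)(?:\.(\d+))?", version or "")
    return (int(match.group(1)), int(match.group(2) or 0)) if match else None

def audit_plugins(readmes, core_version):
    """Return {slug: reason} for plugins not declared as tested with core."""
    core = version_key(core_version)
    findings = {}
    for slug, text in sorted(readmes.items()):
        tested = version_key(parse_readme_headers(text).get("tested up to"))
        if tested is None:
            findings[slug] = "no 'Tested up to' header"
        elif tested < core:
            findings[slug] = "tested up to %d.%d, core is %d.%d" % (tested + core)
    return findings

# Constructed sample data: slug -> contents of that plugin's readme.txt
SAMPLE_READMES = {
    "example-booking-calendar": (
        "=== Example Booking Calendar ===\n"
        "Requires at least: 3.0\nTested up to: 3.2.1\nStable tag: 1.4\n\n"
        "== Description ==\nA constructed plugin readme.\n"),
    "example-forms": (
        "=== Example Forms ===\n"
        "Requires at least: 5.9\nTested up to: 6.4\nStable tag: 2.0.1\n"),
    "example-slider": "=== Example Slider ===\nStable tag: trunk\n",
}

if __name__ == "__main__":
    for slug, reason in audit_plugins(SAMPLE_READMES, "6.4.2").items():
        print(slug + ": " + reason)
```

On a real site the readme contents would be read from each directory under wp-content/plugins. A flagged plugin is a prompt to check whether it is still maintained, not proof that it is vulnerable.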

It’s no accident that some of the most popular WordPress plugins are around security, backups & rolling back your site to an earlier version when it breaks.

Other systems are easier to use for content management

This is, of course, entirely subjective. But we have had many clients tell us they’ve enjoyed using modern systems like Squarespace & Shopify over WordPress.

While WordPress has made some major improvements to their content management system over the past few years it struggles with an administration panel that was originally designed for blogging over 20 years ago.

The usability issues can be compounded when multiple plugins have been installed, each with its own approach to the admin interface, which can make for a confusing & disjointed experience.

 

The hidden costs of WordPress

WordPress is often held up as being cheaper to host than paid commercial platforms. This is only half the story.

If WordPress is using the core functionality then hosting costs should be minimal. However the more customisation & plugins that are in play the more care & attention is needed to keep the site secure & stable.

Commercial platforms incorporate their upgrade & security costs into a monthly or annual fee. For custom WordPress builds hosting should include active monitoring & management of security vulnerabilities. This means WordPress maintenance costs can come as more of a surprise when new vulnerabilities come to light, plugins fail or updates cause conflicts with other parts of the system.

There is also the underlying risk of data loss & reputation damage. An example of this was the Tuia 250 website that was built on WordPress & exposed personal data of over 300 people. While data breaches can happen on any system this was a case of storing private information on an insecure system that was never designed to store private information in the first place.

 

Why is WordPress still used?

WordPress has been around a long time & many people are familiar with it. The use of procedural programming means there is a low bar for people who’d like to dabble in writing code. It is also popular in developing nations, which makes it easier to outsource development.

Using the older procedural programming method & the plethora of available plugins it can be quick & easy to build in WordPress versus more modern systems that encourage or enforce security & structure. It is certainly easier to take shortcuts in WordPress, but that impacts the end quality of the product.

 

What are the alternatives to WordPress?

There are too many alternatives to WordPress to list, especially in areas like e-commerce, business systems, event management, video content, online communities etc. that aren’t covered by WordPress’s core functionality.

Over the past decade we’ve seen the rise of cloud based web platforms. Instead of a website running on a single server that needs manual updating, these systems run across thousands of computers in multiple countries & centrally maintain the all-important backend components like user authentication, payment handling & security. The frontend can be customised without affecting the backend security or stability, from code-free drag-&-drop interfaces like Squarespace through to completely customisable frontends like Shopify. Plugins/apps/extensions are carefully reviewed & monitored before they are allowed access to the backends of these systems.

We currently use Squarespace for blogging/ article/ content solutions for its ease of use. For e-commerce we tend to use Shopify which has proven to be stable, secure & flexible. For more custom projects we use open source platforms like Silverstripe, Strapi & Laravel, that offer incredible amounts of flexibility & functionality over older content management systems. For our custom work we are often creating a complete separation of frontend & backend allowing for completely dynamic web & mobile app frontends.

 

In summary

While WordPress was a good content management system to use in the 2000s it has since been overtaken by more secure, stable & easier to use systems that embrace modern technology, thinking & methodology.

One of the reasons we enjoy working in the technology industry is being part of the evolution as computers continue their journey from expensive oddities in the 1970s to everywhere in the 2020s. As technology & humanity’s use of technology change so should our tools. Some tools will evolve to keep up, some will be left behind.

Instead of settling on a comfortable option & sticking with it past its use by date, the UpShift team are regularly assessing the platforms that we use & asking ourselves what will give the best experience, performance, scalability, stability & security for our clients.

Photo by Elisa Ventur