I’m sorry for the click-bait title, but this article is written just for you.
Why? Because you’re on this page. Most likely you’ve googled “Reasons to Use WordPress,” “Why should I use WordPress” or “Does WordPress Really Cure Cancer?” and you ended up here. Which means, you’re thinking about using WordPress for your website.
And why wouldn’t you consider it? It is used by 33% of all websites. That is a content management system (CMS) market share of 60%. That is the kind of market dominance matched only by Microsoft’s Internet Explorer among browsers in the ’90s, or by Apple’s US smartphone dominance in the early 2010s.
WordPress has many great things going for it. It’s open source, it’s well supported, it’s SEO optimized and most importantly it’s free. But the internet doesn’t need yet another article about how fantastic it is. What you’re here for is the truth.
It’s time to take the red pill and see how deep the rabbit hole goes with my 5 important reasons why you should not use WordPress for your next website.
Even though WordPress actively encourages users to upgrade to the latest version, only 32.3% of users have actually done so. All users who hesitate to upgrade their website are jeopardizing their security and putting the personal information of their users at risk. Furthermore, most businesses will buy a website from a shared web hosting company such as GoDaddy, where their website is likely on hosting that is shared with one of the 68.7% of sites that are running an outdated version of WordPress. And while many web hosting companies have security measures in place to keep shared hosted sites from infecting each other, it doesn’t remove the reality that…
That is a scary statistic. Sucuri states that in most instances, the compromises they analyzed had little, if anything, to do with the core of the CMS application itself and more to do with improper deployment, configuration, and overall maintenance by the website owners. To add to that, many compromised WordPress sites don’t show their true colors to the website owners. Many of the compromises I have seen have implemented scripts that determine whether you’ve hit your website directly or the admin page first, and whitelist your IP so that you are shown your website, while your customers, who come in through a Google search or a social media network, instead see a web page selling prescription medications for male erectile dysfunction. So why does WordPress, which technically is quite secure by itself, get compromised so quickly and so often? It might be because…
WordPress is the America of CMSs, it’s free until you actually need to do something. WordPress does one thing really well, and that is blogging. Everything else? Well you’re going to need a plugin for that. Want to sell some “Make America Greaterest” hats? You’ll need to install one of the 680 shopping cart plugins available to you. Want your customers to subscribe to get a different color of that hat every month? You’ll need to buy a $200 extension plugin to go on top of your shopping cart plugin.
WordPress has (as of writing this article) 54,458 plugins available. This all seems well and good, and it’s nice to have so many options in a convenient central location, similar to the Apple App Store or Google Play Store. But there is a major flaw with this. The plugins in the directory are all free, and thus the plugin submission guidelines and the review process lack the scrutiny that would otherwise be funded by commission-based app platforms. Many of the free plugins in the directory are limited versions of fuller featured, more premium plugins that are sold on third-party code markets or individual websites. And these third-party markets require practically no code review. So you might pick up a plugin from the WordPress Plugin Directory, find out you need a special feature that is only available in the paid version, and pay for it on the third-party market, where the full featured plugin has more security holes than Swiss cheese.
It’s really easy to determine if your website is built with WordPress. In fact, most of the time it’s announced in the footer of your site. This is why WordPress sites get over 132 million spam messages every month. The number of spam comments on a WordPress site is 24 times higher than the number of legitimate comments. If it’s that easy for spammers to know your site is WordPress, it’s just that easy for malicious bots to find out as well. As it turns out, the majority of WordPress websites are hacked by bots. So you’re not really being targeted because of something you said, or because of your great business success. Your WordPress site is being targeted by hackers because it is WordPress.
If you’re a small business I really would encourage you to use a hosted CMS solution instead of a self-hosted system. If you’re not doing anything complex (just a regular website or an online store, say) then I would highly recommend using Wix, Squarespace, Webflow or Shopify. For a low monthly fee they handle the hosting, security, design and development, and all you have to do is write your content and upload your products.
Those sites are too generic looking, you say? Then hire a web agency that specializes in headless websites that use Hugo, Jekyll or VuePress. While not as inexpensive as any of the above-mentioned hosted CMSs, you’ll get exactly what you want.
Need to have your cake and eat it too? I understand that WordPress is very easy and familiar for some, and that the time and cost to learn a new CMS isn’t worth it. There is a last resort option for WordPress, and that’s called decoupling. WordPress can be used as a back end to power a static front end. You will once again need a web developer to do this, but if it’s critical that you have both WordPress and security, then decoupling is your best option.
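If you stay on self-hosted WordPress, the cloaking described earlier (owners see the real site while visitors arriving from search or social media see spam) can be checked for by requesting the same page as different kinds of visitor and comparing what comes back. This is an added example, not code from the original article; the header profiles, the `fetch` callable, the similarity threshold and the sample pages are assumptions constructed for illustration.

```python
import difflib
import re
import urllib.request

# Assumed visitor profiles: the owner's direct visit versus search, social and crawler arrivals.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "search": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.google.com/"},
    "social": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.facebook.com/"},
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
}

def http_fetch(url, headers):
    """Real fetcher, for use against a site you own."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def visible_text(html):
    """Drop scripts, styles and tags so only reader-visible words are compared."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    return re.sub(r"(?s)<[^>]+>", " ", html).lower().split()

def cloaking_report(url, fetch=http_fetch, threshold=0.8):
    """Map each profile whose page differs from the direct visit to its similarity."""
    baseline = visible_text(fetch(url, PROFILES["direct"]))
    report = {}
    for name, headers in PROFILES.items():
        if name == "direct":
            continue
        words = visible_text(fetch(url, headers))
        ratio = difflib.SequenceMatcher(None, baseline, words).ratio()
        if ratio < threshold:
            report[name] = round(ratio, 2)
    return report

# Constructed sample pages and fake sites, so the example runs offline.
REAL_PAGE = "<html><body><h1>Acme Hats</h1><p>Handmade hats shipped from Calgary.</p></body></html>"
SPAM_PAGE = "<html><body><h1>Discount pharmacy</h1><p>Order tablets online today.</p></body></html>"

def clean_site(url, headers):
    return REAL_PAGE

def compromised_site(url, headers):
    # Mimics the behaviour the article describes: referred visitors get a different page.
    return SPAM_PAGE if "Referer" in headers else REAL_PAGE

if __name__ == "__main__":
    print(cloaking_report("https://example.test/", clean_site))
    print(cloaking_report("https://example.test/", compromised_site))
```

Because the scripts described above also whitelist the owner's IP, run the real check from a network that has never been used to log in to the admin page.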
I am the newest security consultant here at Keep Secure, but for the past 15 years I have been building websites and web apps for all sorts of businesses (including those in WordPress). Having done work for Suncor, Husky Energy, IBM, HP, and freelancing for countless small businesses in the Calgary area for the past 6 years, I bring a unique developer focus to Keep Secure. Find me on LinkedIn and if you have any concerns about the security of your website, computers or business, just feel free to message me.