Why I refuse WordPress projects

For several years, I’ve created my own websites both for personal use and for friends’ small businesses. Always working directly in HTML5, CSS and JavaScript and never, ever using WordPress (WP). I’ve even turned down paid opportunities to create WP sites and I’d like to share some of my reasoning behind that stance.

The main reason that people ask for WP sites is because they’ve heard that this means they can easily update the site themselves after its initial creation. Reality is that if creating websites is not a core competence, it will not magically become simple or enjoyable just because you’re working with WP – stick to your own core competence as a small business owner and leave your site to a professional. I like to compare this to the DIY electrician – go down to your local hardware store and buy a few hundred meters of cable and suddenly you can wire you own house, right? For most people, that simply will not be the case. Why would web-authoring be any different?

The idea behind WP is that it is portal based, so you log in to your site’s source, edit stuff on screen and save/update, and your modified site is now live. WP was originally created for blogging with frequent text updates and no emphasis on looks. You need (lots of) plugins and a theme to create a look-and-feel and add functionality like form processing. There are thousands to choose from, and that’s not necessarily a good thing. Most are created by hobbyists with no programming background so they break easily and are riddled with security holes. Just search the internet for ‘WordPress security issues’ and you’ll see what I mean. Being open-source, WP is updated frequently and there’s no formal verification program in place to check that all those plugins stay working as intended after an update. Many people with a working WP site today will discover tomorrow that their site broke overnight because their hosting provider updated something. Do you really want to have to check your site on a daily basis to see if it all still works as designed? Will you even know how to resolve an issue where an image that used to align perfectly with your text is now 100 pixels shifted left, for some obscure reason related to a plugin-update?

Back in June, the Dutch newspaper ‘Het Parool’ ran an article claiming that dozens of websites linked to the Dutch Government were vulnerable because they were based on WP and had guessable username/password combinations on that edit-portal. On any WP-based site, just append /wp-admin or /wp-login.php to the end of the URL and you should see a login prompt. That’s simply not there with a native HTML website – an important distinction. On the subject of security, because all WP websites make use of an underlying SQL database, they are vulnerable to what are called SQL-injection attacks. Expert programmers usually know how to code around that but ordinary business owners editing their own site do not, a major reason why WP-based sites are often riddled with malware. A HTML5 site does not use a CMS for the basic site data (it may do so for storing customer account data, but that is a separate thing) and is thus not vulnerable from this perspective. HTML data is stored in files, not databases.

Then there’s the issue of speed. Browsers work natively with HTML, CSS and JavaScript, so a WP site (based on PHP and SQL) has to be translated before it will render. Loading themes and plugins takes time, especially when plugins are poorly written by amateur programmers. The translation/loading is done by the site’s hosting provider, not the browser. Cheap hosting usually means up to 100 sites run on the same mini-server. When you first sign up for hosting, you’ll probably be assigned a newish server that can make your site reasonably responsive, but bets are on this quickly goes downhill as more sites pile on. A workaround is to pay considerably more for faster hosting, but that makes a WP site silently more expensive as time passes.

Perhaps the real reason not to use WP and not to do-it-yourself for most small businesses is that your site is static. You may think you’ll make weekly or monthly changes but you either never will or that habit will die quickly. Because it’s harder than you think. If you really need to have dynamic content on your site, it’s trivial to embed an iFrame to display your FaceBook/Twitter/Instagram feed – where it’s also much, much easier to share text snippets and photos and get the look and feel you want. Oh, and without security issues for your site.