Relatively speaking, WordPress is old for a Free Software application. It has a lot of history, and over the years developers have formed a full range of opinions about its quality, worth, and relevance. There’s a strong contingent that believes WordPress is a scourge on the web, and an equally strong contingent that thinks it’s the most wonderful thing they’ve ever used. And of course the full gamut in between.
One problem with opinions is that they’re often not based on fact, or at least not on full facts. A common one is “WordPress is not secure.” There’s an enormous amount to unpack in that statement. Are they saying WordPress core is not secure? Plugins aren’t secure? Themes? The update process? It’s not difficult to prove BOTH that WordPress is tremendously secure and ALSO that it’s very easily broken into.
Throughout this article, we get right to the nuts and bolts of the facts to acknowledge both the costs and benefits of using WordPress when building a website.
WordPress: The Pros
WordPress’s extensive hook, filter, and gettext functions make it relatively easy to dramatically change the behavior of WordPress without editing core. This allows for significant customizations while keeping it easy to update.
Additionally, while it has its flaws, the database structure allows for nearly any type of content to be easily created and managed.
Lastly, it’s easy to simply use WordPress as a shell for other content. You can bring data in via API and render it seamlessly with the rest of your content. This means that if you don’t want to deal with WordPress at all you don’t really have to.
Not all third party code is solid, to be sure, but there’s so much third party code available that there’s almost certainly something written that is quite solid that you can use in your own project. This can range from high quality commercial plugins to well written libraries to accelerate your own code.
Additionally, since much of that third party code follows the WordPress extensibility models, that code is also very extensible. That’s why you see hundreds of add-ons for things like Gravity Forms, WooCommerce, and others.
Does this mean you don’t need to write code? No. But it does mean you won’t have to write as much.
Ubiquitous, Specialized Hosting
As the web moved away from static HTML sites and into database driven sites, specialized hosting came into being. A vanilla LAMP install no longer fulfilled our needs. Heroku was invented first to serve the Rails community. Drupal has its specialized hosts, as does Django. But the sheer scale of WordPress makes it commercially viable for there to be many specialized WordPress hosts, and indeed for them to have niches inside that sphere. Some hosts specialize in enterprise WordPress, some in budget WordPress, some cater specifically to designers, etc.
Regardless of your specific need, there’s probably a host out there that is structured specifically for that need.
Solid Security Systems
As discussed in the cons section below, WordPress has a big target on its back. Because of this, it’s commercially viable for more than a few specialized services, companies, and software packages to exist to lock it down even more. Companies like Sucuri and Wordfence, and plugins like iThemes Security, are very robust solutions for mitigating risk and for remediation when an attack is successful. Do these protect you from bad decisions, poor hosting, or other issues? No, but they can help you understand what real security means, and provide tools to maintain it.
Because WordPress is so big it makes sense to integrate with it. If you have a product like an email list service, or an inventory management system, or a content SaaS, you want 40%+ of the web to be able to use your service. This means that if there’s a service or platform out there that you use, there’s almost certainly an integration plugin for it. If there’s not, and that service has an API of any kind, it’s not that hard to make an integration plugin.
WordPress: The Cons
It Can Be Slow
Because of the way the database is structured, complex queries using multiple meta fields can be very slow. Can this be mitigated? Sure, but the fact that you need to is an issue.
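To make the slowness concrete, here is an added example (not code from the article) of a two-clause meta query, the SQL WordPress roughly generates for it, and one common mitigation; the `product` post type, the `color` and `price` meta keys, and the `example_` function and cache key are assumptions for the example.

```php
<?php
// Added example (not from the article). Two meta_query clauses, the kind of
// filter a product catalogue needs. 'color' and 'price' are assumed meta keys.
$args = array(
    'post_type'      => 'product',
    'posts_per_page' => 20,
    'meta_query'     => array(
        'relation' => 'AND',
        array( 'key' => 'color', 'value' => 'red' ),
        array( 'key' => 'price', 'value' => 100, 'type' => 'NUMERIC', 'compare' => '<' ),
    ),
);

// WordPress turns that into roughly this SQL (simplified). There is one join on
// wp_postmeta per clause; meta_value is LONGTEXT with no usable index, so every
// extra clause is another join that MySQL resolves by scanning matched rows.
//   SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts
//     INNER JOIN wp_postmeta        ON ( wp_posts.ID = wp_postmeta.post_id )
//     INNER JOIN wp_postmeta AS mt1 ON ( wp_posts.ID = mt1.post_id )
//   WHERE wp_posts.post_type = 'product' AND wp_posts.post_status = 'publish'
//     AND ( wp_postmeta.meta_key = 'color' AND wp_postmeta.meta_value = 'red' )
//     AND ( mt1.meta_key = 'price' AND CAST(mt1.meta_value AS SIGNED) < 100 )
//   GROUP BY wp_posts.ID ORDER BY wp_posts.post_date DESC LIMIT 0, 20

// Mitigation that keeps the data model: skip the total row count, fetch IDs
// only, skip the per-post cache warm-up, and cache the resulting ID list.
function example_cached_product_ids( array $args ) {
    $key = 'example_products_' . md5( serialize( $args ) ); // assumed cache key
    $ids = get_transient( $key );
    if ( false === $ids ) {
        $q = new WP_Query( array_merge( $args, array(
            'fields'                 => 'ids',
            'no_found_rows'          => true,  // drops SQL_CALC_FOUND_ROWS
            'update_post_meta_cache' => false,
            'update_post_term_cache' => false,
        ) ) );
        $ids = $q->posts;
        // One hour is an assumed TTL; also clear the transient when a product is saved.
        set_transient( $key, $ids, HOUR_IN_SECONDS );
    }
    return $ids;
}
```

Caching only hides the cost; with many clauses on a large wp_postmeta table the real fix is a purpose-built indexed table for the fields you filter on.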
Plugin Upkeep Can Be Painful
Contrary to popular belief, the number of plugins installed in WordPress doesn’t inherently have an impact on performance. 1000 well-written plugins would be barely noticeable, while one poorly written one can bring the site to its knees. There ARE some real issues with a high number of plugins though.
Good plugins get periodic updates — new features, security updates, compatibility adjustments, etc. If you have one plugin, you might need to update it once a month, or even less. If you have 10 plugins, that obviously could go up by a factor of 10. But what if you have 100 plugins? Some developers will tell you that’s ridiculous, but my own site has over 60.
Updates should be applied promptly, so that real issues don’t creep in. This might mean you need to log into your site every single day to update things. Can this be mitigated? Sure. WordPress has automatic updates built in now, but that’s generally not considered wise in enterprise applications. There are services that will take care of it for you, but that costs money. The fact remains that it’s something that needs to be taken care of.
I recently had two separate instances where plugin dependencies caused real problems. A common scenario is where there’s a very popular plugin that has multiple third party addons. My two examples were Elementor and WooCommerce. A new version of the core plugin came out, but one or more of the third party plugins weren’t updated yet. When will they be updated? Will they be updated at all? How long do we wait to see? Do we patch the third party plugin ourselves?
Something that makes this problem unique is that it’s not really anyone’s fault. It’s not the core plugin’s fault that the third party plugins aren’t up to date. The third party plugins might be working their hardest to get an update out as quickly as possible, OR they may think “this was a free plugin, I’m not interested in maintaining it anymore” and you need to remove or replace it.
Regardless, it can be an issue.
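One middle ground between daily manual updates and blanket automatic updates is a policy plugin, shown here as an added example that is not the article’s or any project’s code. It also illustrates the pros section’s point that hooks and filters change core behaviour without editing core. The plugin slugs in the allowlist and the `example_` function name are assumptions.

```php
<?php
/**
 * Plugin Name: Staged auto-updates (added example, not from the article)
 * Place in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 *
 * Policy: let minor core (security/maintenance) releases apply unattended,
 * auto-update only an explicit allowlist of plugins, and leave everything
 * else for a human so addon-dependency breakage is caught in staging.
 */

// 'minor' allows x.y.z maintenance releases only, never major version jumps.
// This constant can equally be set in wp-config.php.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

function example_auto_update_allowlist() {
    // Hypothetical slugs judged low risk to update unattended.
    return array( 'akismet', 'wordfence' );
}

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item is the update offer; wordpress.org plugins carry a ->slug.
    if ( ! isset( $item->slug ) ) {
        return false; // commercial/third-party plugin: never unattended
    }
    return in_array( $item->slug, example_auto_update_allowlist(), true );
}, 10, 2 );

// Themes wait for manual review as well.
add_filter( 'auto_update_theme', '__return_false' );

// Record every unattended update so it shows up in the server log / SIEM.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $u ) {
            error_log( sprintf(
                'auto-update %s "%s": %s',
                $type,
                $u->name,
                is_wp_error( $u->result ) ? 'failed' : 'ok'
            ) );
        }
    }
} );
```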
That Giant Target For Attackers
A common argument against WordPress is that it’s more targeted by attackers because it’s used more. If you can break something used on 40%+ of the web, you’ve really accomplished something.
I can’t dispute that WordPress is a big target, but I will say that there is a commensurate effort into securing it. WordPress core has very rigid security requirements, and a very fast turnaround time when security releases need to happen.
What about third party code?
As I mentioned above, security is a big, vague topic. Plugins, themes, libraries, etc. could come from almost anywhere, and the quality of this code is extremely wide ranging, as you can imagine. I’m going to look at this issue from the standpoint of a well funded project, an enterprise company for example.
When incorporating third party code, you can do a security audit of both the code and the history of that code. Does the creator reliably use secure methodologies? Do they reliably release updates and fixes in a timely manner? If the answer is yes, then you carefully use it.
If the answer is no, and you really need the feature, you build it from scratch. Any competent enterprise level agency can build it for you. If you chose another platform because of this issue, you’d probably have to build it from scratch anyway.
This topic is in the cons section only because it’s a commonly raised issue. I honestly don’t believe WordPress inherently has any more security issues than any other platform.
WordPress values backward compatibility to an extreme level. Depending on who you ask, this is either terrible, or glorious. Being able to seamlessly upgrade a 10 year old codebase to a current one with the press of a button is an amazing feat of engineering. Having to maintain support for 10 year old add-ons can be a nightmare.
Can this be mitigated? Yes and no. If you’re writing for core, then no — you need to maintain the standards of the codebase. But on the other hand, WordPress is 100% compatible with the latest versions of PHP, MySQL, and other vital tools. You can write your own third party code with the very latest tools and frameworks if you wish.
The fact remains that core has some very old patterns and methodologies in it.
Additionally, similar to PHP, WordPress was built on an “as needed” basis for a long time. There’s a mix of functional and OOP code, oddly named functions, duplicate functions, and all sorts of odd things. The same is true of PHP itself, which runs 78.9% of the web as of this writing.
Is it painful and annoying? A little. More if you’re used to a more engineered language. Does it make it unusable? No.
This is a tough one to put into the ‘cons’ category because of the outrageous success of WooCommerce. That said, Woo has its issues. It leverages the Post Type model with the same Meta Query issues that can make WordPress slow. It can run into PCI Compliance issues. It has some of the same technical debt issues that WordPress core has. It leverages many plugins, which can have the problems mentioned above with dependencies.
There are alternatives of course. BigCommerce for WordPress is probably the newest contender, but it has its own issues.
Can all these issues be mitigated? Sure, and many people already have, and work is being done to resolve them for everyone, but that’s for another day.
Is WordPress perfect? Not even close. Is it powerful? Absolutely. Is it right for your project? No one can decide that but you. I’ve been using it for 11 years now to build sites ranging from those with 5 viewers to enterprise level sites with millions of viewers. Very, very rarely have I thought “well, maybe I should use something besides WordPress for this.” But you can also learn about the ways you can level up your WordPress site.
The old saying goes, “if all you have is a hammer, everything looks like a nail.” But what if WordPress isn’t a hammer, but a toolbox?