6 reasons why you shouldn't use Wordpress for your business website
 

Performance, security and SEO issues

Click here for the Spanish version.

I know that Wordpress is an easy target to criticise, and has already been criticised ad-infinitum, but I'm new to blogging so Wordpress bashing seems like a good place to start.

Of course, Wordpress is a content management system which runs on PHP (and its own framework) with MariaDB or MySQL. It's free and open-source, and by all accounts the most popular CMS in the world.

Wordpress is one of the first tools that come to mind for quickly creating a content-managed website which can easily be extended through community plugins.

However, it's also full of strange and dangerous default behaviours, which are not evident to people without IT experience. Out-of-the-box, to the untrained eye, everything seems very clean and nicely optimised. However, it requires a high level of technical literacy to remediate various security flaws, performance issues and SEO unfriendly practices.

So what's not clear to me is: Who is Wordpress actually for? For the layman, it's a minefield as I will explain below. And for web developers - unless using Wordpress is a part of the specification - there are so many superior alternatives.

This is not an exhaustive list. Just what I consider to be the main issues.

Plugin chaos


In PHP there is Composer. In NodeJS, there are NPM and Yarn. The only dependency management from Wordpress is ensuring that the plugin you are downloading is ostensibly compatible with your current version of Wordpress.

While some of the plugins are excellent, the quality does vary. And once you have installed various plugins, you will start to run into issues due to Wordpress's lack of dependency management.

Some plugins will clash with others. Some have security flaws that never get patched. If they are patched, the update may be incompatible with the other plugins you have installed.

When you update Wordpress, which you will need to do often, you may find that the plugins you had installed previously have stopped working, or that your entire site has broken.

Security flaws are regularly found in plugins, and they are often the entry point for Wordpress hacks. Each plugin you install increases the attack surface a hacker can use to find a way into your website.

Odd default behaviour causes vulnerabilities


The widely-known '/wp-admin' login page makes it really easy for hackers to find the entry point to your backend. Wordpress doesn't make it easy to change this without installing external plugins (with their own risks, as mentioned above).

Then we have the really strange default behaviour from Wordpress: it tells you when the username is incorrect. There is no generic error like any other security-minded software would show. It actually tells you the username doesn't exist. This is a huge security flaw, as it indirectly exposes the usernames in the database. You can try the default 'admin' (which many people will not change) and most of the time it will tell you that this username exists.

If 'admin' doesn't work (it frequently does), it is extremely easy to enumerate the usernames using widely-available Kali Linux tools and minimal hacking experience. Often, you don't need to go to these lengths: Wordpress exposes the usernames through the author tag on posts. Just go to the author page (/author/username) and it's exposed in the URL.

Knowing the username wins half of the battle, and since Wordpress alone doesn't limit the number of login attempts, the only real limit on a brute force attack is the capacity of the server. CDNs like Cloudflare provide security features which prevent attacks like these, but the setup requires DNS changes, and DNS is a sensitive thing to touch if you don't know what you're doing.

So in these cases it's actually necessary to install external plugins in order to fix this default behaviour. The plugin you end up choosing could be buggy and actually provide more surface area for hackers to exploit.

File permission vulnerabilities


Anyone who gains access to the backend also gets write permissions in various directories on the server, because the 'appearance' section lets you edit theme files directly. If you host other things on the same server as your Wordpress installation, those are also at risk.
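The defaults criticised in this section and the previous one can be overridden without a third-party plugin. The following mu-plugin is an added example written for this post, not code from the original article or from Wordpress itself; the lock-out threshold, the window and the `harden_` names are my own assumptions, and everything else uses documented Wordpress hooks and constants.

```php
<?php
// Constructed example: drop into wp-content/mu-plugins/ and it loads on
// every request without activation. Not part of Wordpress core.

// 1. One generic login error instead of "invalid username" vs "incorrect
//    password", so the form no longer confirms which usernames exist.
add_filter('login_errors', function ($html) {
    return 'Invalid login credentials.';
});

// 2. /author/<login> archives put the login name in the URL; send them
//    to the home page instead of rendering them.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 3. Disable the dashboard theme/plugin file editor so a compromised
//    admin session cannot write PHP to disk. Usually set in wp-config.php;
//    Wordpress checks the constant at request time, so it also works here.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// 4. Throttle failed logins per client using transients. Threshold and
//    window are assumed values chosen for this example, not core defaults.
define('HARDEN_MAX_FAILS', 5);
define('HARDEN_WINDOW', 15 * MINUTE_IN_SECONDS);

function harden_client_key(): string {
    // Behind Cloudflare or any proxy, REMOTE_ADDR is the proxy unless the
    // web server is configured to restore the visitor address first.
    return 'harden_fails_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

add_action('wp_login_failed', function () {
    $key = harden_client_key();
    set_transient($key, (int) get_transient($key) + 1, HARDEN_WINDOW);
});

// Priority 30 runs after the core username/password check (priority 20),
// so a locked-out client is refused even when it supplies the right password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(harden_client_key()) >= HARDEN_MAX_FAILS) {
        return new WP_Error('too_many_attempts', 'Too many failed logins.');
    }
    return $user;
}, 30, 3);
```

Throttling keyed on REMOTE_ADDR only helps once the real visitor address reaches PHP, so behind a CDN it complements, rather than replaces, the CDN's own rate limiting.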

Client-server interaction


Wordpress doesn't make use of modern front-end JavaScript frameworks like Vue and React. No asynchronous functions, route prefetching or preloading. Time to first contentful paint is therefore slow, which is a big factor in SEO. Many 'pages' in Wordpress change rarely: they are essentially static. But Wordpress queries the database each time the page is accessed.

With the introduction of Static Site Generation in many production frameworks (I use NextJS), it seems inefficient to query the database on each request for essentially static data. Even if the content is dynamic and changes regularly, Incremental Static Regeneration solves that.

Using these technologies could save €10,000s per year in hosting costs for high-traffic websites.

Default post URLs


Wordpress displays the unique post ID as the 'permalink' by default. This means your default post URL will look something like this: /?p=123. The fact that this is the default behaviour makes almost no sense. In the real world, this format would almost never be used for GET requests. Firstly, it exposes the name and value of a primary key in your posts table. This is very useful to know if you're a hacker. Secondly, and more obviously, this URL is not human or search-engine friendly. It provides no context to the human or the bot crawler about the content of the post. This will negatively affect SEO.

Duplicate content by default


Most Wordpress themes show an excerpt of each post. In my experience the excerpts are far too long by default but that's a question of design and personal preference. The problem arises with the 'author' and 'category' pages. These pages don't include a 'noindex' tag by default, yet they purely consist of duplicate content.

This is a really important point. Directly from Google:

Understand your content management system: Make sure you're familiar with how content is displayed on your web site. Blogs, forums, and related systems often show the same content in multiple formats. For example, a blog entry may appear on the home page of a blog, in an archive page, and in a page of other entries with the same label.

Without technical knowledge, it's not easy to correct this default behaviour without the use of third-party plugins.
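For reference, the noindex the post asks for takes only a few lines in a theme's functions.php or an mu-plugin. This is an added example, not code from the original post; it relies on the `wp_robots` filter that Wordpress added in version 5.7, which renders the page's robots meta tag.

```php
<?php
// Constructed example, not Wordpress core code: mark author and category
// archives noindex so only the full post pages get indexed.
add_filter('wp_robots', function (array $robots) {
    if (is_author() || is_category()) {
        $robots['noindex'] = true;
        // Keep 'follow' so crawlers still discover the posts linked from
        // the archive; the archive itself just stays out of the index.
        $robots['follow'] = true;
    }
    return $robots;
});
```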

Conclusion


It's not evident to me who Wordpress is actually for. If you are not a web developer, it looks like a good solution on the surface, but as mentioned above, there are many, many flaws that need to be remediated manually. Its security issues could actually cause significant legal issues for a company in the event of a hack and leak of personal data.

If you are a web developer, Wordpress is overkill for most use cases and requires a lot of fiddling and little hacks to get working how you want it to. I found Frontity which uses React for the front-end and treats Wordpress like a headless CMS. I haven't really looked into it too much but it looks like a nice solution to get Wordpress up-to-date with modern frameworks like React. There are also a multitude of purpose-built headless CMSs like Strapi and Ghost. Check out Ghost's blog post about this subject if you'd like to learn more about the pitfalls of Wordpress.

About

I post in English and Spanish mainly about React, NextJS, PHP and SEO.

Copyright © 2021 Jack A.