5 Important Reasons Why You Should Not Use WordPress for Your Website

Author Update:
In 2020, I originally posted this article, about why you should reconsider using WordPress for your website. It’s been 4 years since I posted this article and I thought “Hey, is this article still relevant?” So I took a bit of time to fact check myself and I can safely say that things have changed… Just not for the better. In some statistics, such as WordPress versioning, things have improved. But in other statistics, it would appear that all of the reasons for avoiding WordPress in 2020 are still relevant to today. I have taken a bit of time to update this article to ensure that statistics and sources are up to date and to correct any information that was inaccurate.

I'm sorry for the click-bait title, but this article is written just for you, and I wanted to make sure you didn’t miss it.

Why? Because you're on this page. Most likely you've googled "Reasons to Use WordPress," "Why should I use WordPress" or "Is WordPress Really Made of Rainbows?" and you ended up here. Which means, you're thinking about using WordPress for your website.

And why wouldn't you consider it? It is used by 43% of all websites. That is a content management system (CMS) market share of 62.8%, the kind of market monopoly shared only by Microsoft's Internet Explorer for browsers in the '90s, or Apple's early 2010s US smartphone dominance.

WordPress has many great things going for it. It's open source, it's well supported, it's SEO optimized and, most importantly, it's free. But the internet doesn't need yet another article about how fantastic it is. What you're here for is another perspective, maybe one you hadn’t considered before.

It's time to take the red pill and see how deep the rabbit hole goes, as we look into 5 important reasons why you should not use WordPress for your next website.

REASON 1 - Less than Half of all WordPress Installations are Updated to the Latest Version

Even though WordPress actively encourages users to upgrade to the latest version, only 45.2% of website users have actually done so. All users who hesitate to upgrade their website are jeopardizing their security and putting personal information of users at risk. Furthermore, most businesses will buy a website with a shared web hosting company such as GoDaddy, where their website is likely on hosting that is shared with one of the sites that is running an outdated version of WordPress. And while many web hosting companies have security measures in place to keep shared hosted sites from infecting each other, it doesn't remove the reality that...

REASON 2 - 96.2% of all Infected CMS Websites are WordPress

That is a scary statistic (it was 94% in 2020). Sucuri states that in most instances, the compromises that they analyzed had little, if anything, to do with the core of the CMS application itself but more to do with improper deployment, configuration, and overall maintenance by the website owners. And to further add to that, many compromised WordPress sites don't show their true colors to the website owners. Many of the compromises I have seen have implemented scripts that determine if you've hit your website directly, or the admin page first, and whitelist your IP so that you are shown your website, while your customers, who will have come in through a Google search or a social media network, will instead see a web page selling prescription medications for male erectile dysfunction. So why does WordPress, which technically is quite secure by itself, get compromised so quickly and so often? It might be because...
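The cloaking behaviour described above can be checked from the outside by comparing what a direct visitor and a search-referred visitor are served. The following is an added example, not code from the article or from Sucuri; the sample pages, host names and the 50% overlap threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageSummary(HTMLParser):
    """Title, visible words and linked hosts of one HTML response."""
    def __init__(self):
        super().__init__()
        self.title, self.words, self.hosts, self.ctx = "", set(), set(), None
    def handle_starttag(self, tag, attrs):
        if tag in ("title", "script", "style"):
            self.ctx = tag                      # text here is not visible body text
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host:
                self.hosts.add(host.lower())
    def handle_endtag(self, tag):
        if tag == self.ctx:
            self.ctx = None
    def handle_data(self, data):
        if self.ctx == "title":
            self.title += data.strip()
        elif self.ctx is None:
            self.words.update(w.lower() for w in data.split())

def compare_views(direct_html, referred_html, own_host):
    """Return reasons the search-referred view looks like different content."""
    a, b = PageSummary(), PageSummary()
    a.feed(direct_html)
    b.feed(referred_html)
    findings = []
    if a.title != b.title:
        findings.append(f"title differs: {a.title!r} vs {b.title!r}")
    new_hosts = sorted(h for h in b.hosts - a.hosts if h != own_host)
    if new_hosts:
        findings.append("hosts linked only in referred view: " + ", ".join(new_hosts))
    union = a.words | b.words
    overlap = len(a.words & b.words) / len(union) if union else 1.0
    if overlap < 0.5:                           # assumed threshold
        findings.append(f"visible text overlap only {overlap:.0%}")
    return findings

# Constructed sample responses for the same URL (not real captures)
DIRECT = '<html><head><title>Acme Plumbing</title></head><body><h1>Acme Plumbing</h1><p>Call us for repairs in Springfield.</p><a href="https://acme.example/contact">Contact</a></body></html>'
REFERRED = '<html><head><title>Cheap pills online</title></head><body><h1>Discount pharmacy</h1><p>Order now</p><a href="https://pills.example/buy">Buy</a></body></html>'
```

Feed it two responses for the same URL on your own site: one requested directly and one requested with a search-engine `Referer` header. Because the scripts described above whitelist the owner's IP, make both requests from a network that has never logged in to the admin page.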

REASON 3 - WordPress Isn't All That Free

WordPress is the America of CMSs: it's free until you actually need to do something. WordPress does one thing really well, and that is blogging. Everything else? Well, you're going to need a plugin for that. Want to sell some "Make America Greaterest" hats? You'll need to install one of the 680 shopping cart plugins available to you. Want your customers to subscribe to get a different color of that hat every month? You'll need to buy a $200 extension plugin to go on top of your shopping cart plugin.

WordPress has (as of 2024) 59,470 plugins available. This all seems well and good, and it's nice to be able to have so many options in a convenient central location, similar to the Apple App Store, or Google Play Store. But there is a major flaw with this. The plugins in the directory are all free, and thus the plugin submission guidelines and the review process lack the scrutiny that would otherwise be funded by a commission-based app platform. And many of these free plugins that are on the directory are limited versions of fuller-featured, more premium plugins that are sold on third-party code markets or individual websites. And these third-party markets require absolutely no code review. So, you might pick up a plugin from the WordPress Plugin Directory, find out you need a special feature that is only available in the paid version, and pay for it from a third-party market, where the full-featured plugin has more security holes than Swiss cheese.

REASON 4 - WordPress Paints a Bullseye on Your Website

It's really easy to determine if your website is built with WordPress. In fact, most of the time it's announced in the footer of your site. This is why WordPress sites get over 132 million spam messages every month. The number of spam comments on a WordPress site is 24 times higher than the number of legitimate comments. If it's that easy for spammers to know your site is WordPress, it's just that easy for malicious bots to find out as well. As it turns out, the majority of WordPress websites are hacked by bots. So you're not really being targeted because of something you said, or because of your great business success. Your WordPress site is being targeted by hackers because it is WordPress.

REASON 5 - WordPress Requires Relatively Complex Systems

I personally don't know how we got to this place on the Internet. Why have so many businesses and individuals gone out of their way to get hosting on a Linux server with Apache, MySQL, PHP, and a complex CMS for 5 pages or less of content that never changes? I am aware that the reason boils down to simplicity. Anyone can install a WordPress site on the cheapest web hosting provider with a single click. But the reality is that it's overkill. WordPress has 1,326,910 lines of code. All of that code is going to generate essentially about 1000 lines of HTML and JavaScript when it's all said and done. Adding all of that complexity opens up more points for hackers to attack your website. For example, if you used WordPress to make a 5-page website, you will be giving hackers the ability to try attacks on potential vulnerabilities within WordPress's 2159+ files, and if a hacker gets through one of those vulnerabilities it opens the gateway for them to try attacks on potential vulnerabilities in PHP, Apache, MySQL and the OS your server is running. If you just had a simple 5-page HTML website, you reduce those points of entry to 5 and remove the need for PHP or MySQL.

If WordPress is That Risky, Then What Should I Use Instead?

If you're a small business, I really would encourage you to use a hosted CMS solution instead of a self-hosted system. If you're not doing anything that's complex (such as a regular website or an online store) then I would highly recommend using Wix, Squarespace, Webflow, or Shopify. For a low monthly fee, they handle the hosting, security, design and development and all you have to do is write in your content and upload your products. Those sites are too generic looking, you say? Then hire a web agency that specializes in headless websites that use Hugo, Jekyll or VuePress. While not as inexpensive as any of the above-mentioned hosted CMSs, you'll get exactly what you want. Need to have your cake and eat it too? I understand that WordPress is very easy and familiar, for some, and the time and cost to learn a new CMS isn't worth it. There is a last resort option for running your own WordPress, and that's called decoupling. WordPress can be used as a back end to power a static front end. You will once again need a web developer to do this, but if it's critical you need both self-hosted WordPress and security, then decoupling is your best option.
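To make the decoupling option concrete, here is a sketch of the build step that turns WordPress content into static pages. It is an added example, not code from this article or from WordPress. It assumes the posts were exported from the WordPress REST API endpoint `/wp-json/wp/v2/posts` (fields `slug`, `title.rendered`, `content.rendered`); the sample data, output layout and Content-Security-Policy line are constructed choices.

```python
import html
import json
import re
from pathlib import Path

SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")   # nothing that can leave out_dir
PAGE = """<!doctype html>
<html><head><meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'">
<title>{title}</title></head>
<body><h1>{title}</h1>
{body}
</body></html>
"""

# Constructed sample shaped like a /wp-json/wp/v2/posts response
SAMPLE_JSON = """[
 {"slug": "hello-world", "title": {"rendered": "Hello &amp; welcome"},
  "content": {"rendered": "<p>First post.</p>"}},
 {"slug": "../outside", "title": {"rendered": "bad"},
  "content": {"rendered": "<p>x</p>"}}
]"""

def render_post(post):
    """Return (slug, html) for one post, refusing slugs that are not plain names."""
    slug = post["slug"]
    if not SLUG_RE.fullmatch(slug):
        raise ValueError(f"refusing unsafe slug {slug!r}")
    # Normalise entities, then escape once so the title cannot inject markup.
    title = html.escape(html.unescape(post["title"]["rendered"]))
    # content.rendered is HTML from your own back end; the CSP above blocks scripts.
    return slug, PAGE.format(title=title, body=post["content"]["rendered"])

def build_site(posts, out_dir):
    """Write <out_dir>/<slug>/index.html per post; return (written, skipped)."""
    written, skipped = [], []
    for post in posts:
        try:
            slug, page = render_post(post)
        except ValueError:
            skipped.append(post["slug"])
            continue
        target = Path(out_dir) / slug / "index.html"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(page, encoding="utf-8")
        written.append(target)
    return written, skipped
```

Only the generated files are published, so the public web server needs neither PHP nor MySQL, and the WordPress back end can sit somewhere visitors cannot reach.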
