WordPress is a prevalent, popular and capable solution for web content management. It's free to deploy and can be extended with a vast range of 3rd party plugins to provide all manner of functions. For years WordPress was our management system of choice. Yet this experience became the key driver to switch to Adobe BC (and now TreeplCMS) to provide a far superior website management solution.
The thing that gives WordPress its strength is its extensibility. However this is also its greatest weakness and an inherent flaw that's been a death trap for many small web businesses.
Remarkably, most WordPress site owners aren't made aware of these issues in advance, because they don't generally surface in the short term. Over time, however, every WordPress site owner confronts one of two things: increasingly unsustainable maintenance costs, or an unacceptably high risk of being hacked. You can mitigate one of these, but only by enduring the other.
In this post we're going to dive into the pros, the cons and the problems you need to be aware of. There's a lot to unpack. So if you'd prefer to simply cut to the chase then take a look at this Google Search query and its results ("wordpress percent hacked"):
(WARNING: Plain English Knowledge below. No added sugar/No artificial sweeteners)
To understand the problem it's important to first distinguish between the three software distribution models:
- Online SaaS Platform (e.g. Xero, Zoom, Gmail, TreeplCMS, SalesForce)
- Traditional Desktop Boxed Software (e.g. MS Office, Outlook, Adobe Acrobat, Corel Draw)
- Downloadable Open Source Software (e.g. WordPress, SugarCRM, Joomla, Drupal)
SaaS ("Software as a Service") versus boxed software (programs as a product)
A simple "SaaS vs Desktop" example that many NZ businesses/professionals can identify with is Xero versus MYOB. (Specifically, the historically ubiquitous MYOB desktop product that dominated the accounting software market in NZ before realising too late they'd missed the paradigm shift to SaaS).
SaaS: Xero is a typical SaaS platform (i.e. web-based Software as a Service). It does not require you to buy it or install any software on your computer. You do not need to update it or troubleshoot it. You simply access it in your web browser and it works (or, on the rare occasion that it doesn't, you are safe knowing that Xero's propeller-heads will likely fix the problem before you know it). In other words, when you use a SaaS platform you're entirely removed from the underlying technology. Errors, issues, or bugs in the software simply aren't your problem and they get rapidly resolved. (What does remain your problem: your login credentials, who you grant access to, and keeping your own export of the data. The platform secures the software; it cannot secure a shared password.) As time goes by the capability of the software evolves and new features magically appear (requiring no specific action, upgrading, or additional investment on your part). Plus you don't need to back up your data to an underground bunker every night in case of armageddon.
Desktop: MYOB's desktop software was a typical PC-installed program. Buying it required a large investment and new versions needed to be periodically purchased and installed. Occasionally patches would be necessary to resolve bugs and fix vulnerabilities. When you purchase desktop software it's your license to use the application, that you need to maintain, on your computer, containing your data. If it malfunctions, gets hacked or your data gets corrupted, it's entirely your problem.
Open Source: Open source means the software's source code is published, so anyone can read, extend or modify it however they wish, whether to build on its strengths or to hunt for its weaknesses. (Closed-source software is not immune to the latter: attackers reverse-engineer compiled code as a matter of routine. The practical difference with WordPress is that published code plus an enormous install base means flaws are found quickly and, once public, exploited at scale.) Open source software, like WordPress, is free to download and install on a web server to use as your website content management system. There's a common misconception that, because it manages something on the web, it's a 'web-based service' (i.e. like SaaS). NO. THIS IS NOT A WEB SERVICE.
Just because it's on the web doesn't mean it's 'software as a service'. Installing open source software on a web server is literally the same thing as installing desktop software on a PC. While web servers are generally of higher specification than the average office computer, they are fundamentally the same thing. The only tangible difference is that your open source software is installed on a remote computer (instead of the PC under your desk) and you allow other people to interact with the software over the web (all of whom can read the code base, and none of whom need to: most attacks on WordPress sites are automated scans for known, already-patched flaws in specific core and plugin versions).
Generally speaking, open source software works great... until it doesn't!
The web is organic and always evolving and your software needs to keep pace with that. Left alone the software will eventually break. More importantly, vulnerabilities are constantly being found in the core, in themes and, above all, in plugins, and once a fix is published the flaw is public knowledge that bad actors (hackers) use against every site that hasn't applied it. Whether it's to take over, vandalise or destroy a website, launch malware, steal data, or straight-out try to extort you, being hacked has many possible outcomes. None are good.
Whether you buy software and install it on your computer, or you find open source software to install on a web server, what you have is 'standalone software' that requires updating (versioning), patching and troubleshooting.
With WordPress that means keeping the core, the theme and every plugin current: the core ships a major release roughly every three to four months plus minor security releases whenever they're needed, and each plugin updates on its own schedule. Doing this has its own set of technical challenges, and when it goes pear shaped it's entirely your problem. When this occurs (and inevitably it will) you'll be understandably pissed! You might call your web developer to say ... "The website I paid you to build is broken" ... and ... "Clearly you built it poorly, because we haven't touched it so it must be your fault" ... and (the kicker) "you must fix our site immediately at no cost".
Understandably, billing is a tough conversation to have at these moments and it doesn't always go well. If you're a competitively priced designer/developer/agency striving to keep clients happy then this can see workload increase exponentially while billing hours plummet. If you build sites in WordPress then you need to provide a transparent maintenance plan and process that your clients accept in advance. If you're a WordPress site owner without this insight and foresight, then you need to find a new developer.
If the thought of enduring constant maintenance costs and system upgrades isn't your cup of tea, there are managed services available to keep your WordPress site safe. E.g. WordPress.com is a hosted service built using the WordPress.org open source software. However, unlike running your own WordPress install, the hosted service restricts you (on most of its plans) to a limited cluster of plugin options. If your site doesn't need specific custom functions or advanced plugin capability then this is no problem. But that also means your WordPress CMS offers no benefit over multiple SaaS CMS solutions. In fact, SaaS platforms tend to offer considerably more functionality than the limited plugin extensions available on WordPress.com.
Alternatively some WordPress hosting providers offer managed, fixed-cost services to update it for you. Some plugin limitations will also exist. Plus, using a managed service comes at a high cost and it isn't a fail safe guarantee. The risk is much lower but issues can still occur that require expensive modifications.
Risk versus benefit
The common experience is that WordPress maintenance costs reach a tipping point where versioning becomes unsustainable. This is why the vast majority of WordPress sites cease getting updated and patched at some point in time (usually within a few months of deployment). While an unpatched site may still make it to the end of its lifecycle and then get replaced with a new site using the latest version, the cold hard truth is that WordPress sites running a core, theme or plugin version that's two years old or more are increasingly vulnerable to being hacked, and many will be.
Ultimately, owning a WordPress site that isn't kept patched (core, theme and plugins alike) is a gamble. Although your operating costs will be much lower (initially, at least), being vulnerable may result in you paying the highest price.
Of course, the above is a broad overview and the full story is far more technical and complex. Below describes why maintenance is so problematic. But here's the upshot: while risk can be managed and mitigated to some extent, it simply isn't possible to solve this inherent and fundamental problem: by its very nature, self-hosted software is only as secure as its most neglected component, and nobody else is going to patch it for you.
That's why, for me at least, WordPress isn't worth considering unless it's necessary to deliver specific, well supported functionality that cannot otherwise be built within the budget constraints.
If requirements can be met using a SaaS solution then this will always provide a vastly superior outcome.
The Maintenance Nightmare
WordPress maintenance and risk mitigation is problematic due to four recurring issues:
- Version frequency
- Plugin support
- Customisations that updates overwrite
- Plugin compatibility drifting between versions
WordPress.org ships a major core release roughly every three to four months, and minor releases (mostly security and bug fixes) whenever they're needed. Since WordPress 3.7 the minor releases install themselves by default, which keeps a neglected site alive a little longer, but the major releases, the theme and the plugins are on you. The 'one-click update' button in the WP admin panel is misleading: it will happily update the core whether or not your plugins are ready for it, and it's the plugins that break. The safe order is plugins (and theme) first, to versions their authors have tested against the new core, then the core itself.
Unless your site is just a basic blog, everything your WP site does relies on 3rd party plugins. A typical WP site has somewhere between 8 and 20 plugins installed. Plugin developers 'should' release new versions of their plugins to support the latest WP version release. But that's not always the case. If a plugin has no update available you either have to wait until it's released or replace it with a different plugin (= development time/cost). A plugin whose author has walked away (no release in a year or more, no response to bug reports) is a liability even before the next core release: in practice, outdated plugins are where most WordPress compromises start.
Once the plugins are all up-to-date with the new version release you can then update the WordPress core software.
At this point, any custom scripting, PHP coding, styling or modifications coded directly in the plugin or WP core files will be overwritten. If your developer has done a good job then modified files will be separated and programming modifications will be well documented for rewriting. But don't expect this to be the case. Before you press the button, find out what has actually been modified: the WP-CLI command "wp core verify-checksums" compares every core file against the official release and reports files that have been edited or that shouldn't exist, which is also the quickest way to spot files an intruder has dropped in. Updating can be a disaster if not done properly.
If the update succeeds you can then re-introduce any custom changes. After that you 'should' be back in business.
But, even though your plugins played nicely together in previous versions, this is no guarantee of ongoing compatibility between the future versions. This can lead to hours of development time to figure out the problem and find a workaround to solve it.
When all of the above is complete you can return to business as normal until you are forced to rinse and repeat at the next release (roughly every three to four months, and sooner whenever a security release lands).
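The pre-update checks described in the steps above, as an added example that is not part of the original post and not code from WordPress or WP-CLI. It assumes a plugin inventory in the JSON shape that "wp plugin list --format=json" emits (name, status, update, version, update_version), and stands in for "wp core verify-checksums" with a constructed sha256 manifest (the real WordPress.org manifest uses MD5). The sample plugin list and file contents are made up for illustration.

```python
"""Pre-update checks for a self-hosted WordPress site (added example).

Assumptions, not facts from the original post or from WP-CLI:
  * plugin inventory in the JSON shape of `wp plugin list --format=json`
    (name, status, update, version, update_version);
  * a checksum manifest keyed by relative path, standing in for the one
    `wp core verify-checksums` fetches (sha256 here; the real one is MD5).
All sample data below is constructed for illustration.
"""
import hashlib
import json

# Constructed sample of `wp plugin list --format=json` output.
PLUGIN_LIST_JSON = json.dumps([
    {"name": "contact-form", "status": "active", "update": "available",
     "version": "5.1.0", "update_version": "5.2.3"},
    {"name": "seo-toolkit", "status": "active", "update": "none",
     "version": "2.0.1", "update_version": ""},
    {"name": "old-slider", "status": "inactive", "update": "available",
     "version": "1.0.4", "update_version": "1.1.0"},
])

# Constructed pristine release files and the manifest derived from them.
PRISTINE = {
    "wp-includes/functions.php": b"<?php\n// pristine release file\n",
    "wp-admin/admin.php": b"<?php\n// pristine release file\n",
}
MANIFEST = {path: hashlib.sha256(body).hexdigest() for path, body in PRISTINE.items()}

# Constructed "on disk" state: one core file edited in place (a customisation
# the next update will silently overwrite) and one file that is not part of
# the release at all (which is what a dropped-in backdoor looks like to this check).
ON_DISK = {
    "wp-includes/functions.php": PRISTINE["wp-includes/functions.php"],
    "wp-admin/admin.php": PRISTINE["wp-admin/admin.php"] + b"add_filter('x', 'my_tweak');\n",
    "wp-includes/extra.php": b"<?php\n// not part of any release\n",
}


def plan_plugin_updates(plugin_list_json):
    """Sort plugins into: update before touching core, nothing pending,
    and inactive ones to delete (dormant plugins are still reachable code)."""
    plan = {"update_first": [], "no_update": [], "remove_inactive": []}
    for p in json.loads(plugin_list_json):
        if p["status"] == "inactive":
            plan["remove_inactive"].append(p["name"])
        elif p["update"] == "available":
            plan["update_first"].append((p["name"], p["version"], p["update_version"]))
        else:
            plan["no_update"].append(p["name"])
    return plan


def verify_core_files(manifest, on_disk):
    """Return (modified, unexpected, missing) paths relative to the manifest."""
    modified = sorted(path for path, body in on_disk.items()
                      if path in manifest and hashlib.sha256(body).hexdigest() != manifest[path])
    unexpected = sorted(path for path in on_disk if path not in manifest)
    missing = sorted(path for path in manifest if path not in on_disk)
    return modified, unexpected, missing


def core_update_is_safe(plan, modified, unexpected):
    """Only update core once plugins are current and no core file is edited
    or foreign: an edit will be lost, a foreign file is an incident to handle first."""
    return not plan["update_first"] and not modified and not unexpected


if __name__ == "__main__":
    plan = plan_plugin_updates(PLUGIN_LIST_JSON)
    modified, unexpected, missing = verify_core_files(MANIFEST, ON_DISK)
    for name, old, new in plan["update_first"]:
        print(f"update plugin {name}: {old} -> {new}")
    for name in plan["remove_inactive"]:
        print(f"delete inactive plugin {name}")
    for path in modified:
        print(f"core file edited in place, save the diff before updating: {path}")
    for path in unexpected:
        print(f"file not in release manifest, investigate before anything else: {path}")
    for path in missing:
        print(f"core file missing: {path}")
    print("safe to update core:", core_update_is_safe(plan, modified, unexpected))
```

Run against a real site, the two inputs would come from "wp plugin list --format=json" and from the checksum manifest rather than the constructed dictionaries here; the decision logic is the same. The point of the ordering is that the core update cannot be allowed to proceed while it would erase an edit you haven't saved or while there is a foreign file in a core directory that nobody has explained.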
If your site is well built, on a well developed theme, well supported, and well documented, then updates will usually take about an hour, but not infrequently 2hrs to 5hrs. But occasionally and unavoidably there will be times when things go wrong and a one hour update can quickly become a 10 hour nightmare. Or worse, days of effort may be necessary to resolve an issue following a bad update.
So you have a choice.. You can either:
- Live with this recurring nightmare every release cycle, knowing that sometimes it's going to sting (= downtime + costs + stress)... Or...
- Just leave it be! Everything will work fine for a period of time and you can hope and pray that it stays that way (knowing that the day a flaw in one of your plugins is published, automated scanners will be probing your site for it soon after).
If your WP site reaches two years old without having kept pace with versioning, then your risk of being hacked becomes real and increases over time to become extremely high.
There's a lot I like about WordPress for building complex sites. But there have seldom been occasions when we were not able to build a site in Adobe BC that performed the same high-level functions provided by WP plugins. The key advantage of a SaaS CMS is that it does not require constant versioning or ongoing investment to fix the problems that versioning creates. This means running costs over time are comparably low, always consistent, and have no nasty surprises. It also means that your monthly operating costs are focused on improving the site, rather than constantly paying to keep it from breaking.
Using a SaaS platform mitigates the maintenance and hacking risk inherent with WordPress. Knowing my clients sites are safe is a prerequisite I have come to expect. Selling clients into WordPress as a CMS solution while knowing the hidden flaws and risks it presents to their businesses simply fails to meet my ethical standards.