Powering more than 25% of the web (over 75 million websites), WordPress is the most popular CMS in the world. But if you are (or are thinking about) trusting your business to WordPress, you had better know these 8 things.
Before I get into what those 8 things are, let me fist say this: do I think you should use WordPress for your business? Absolutely. At AdPlugg we work with thousands of sites using dozens of different platforms and CMSs. In addition, the core of our staff are all web developers and marketers. We’ve worked personally with many different types of websites both as users, marketers and developers. WordPress’ combination of high ROI, low cost of ownership, flexibility and ease of use make it a great choice for most sites. Anything from a personal blog to massive news sites like The New York Times and the BBC can (and do) use WordPress.
However, in addition to the often lauded success stories, the web is littered with thousands of stories of downtime, “white screens”, scaling issues, hacked sites, massive revenue losses and more. Before getting involved with WordPress, you had better know the common problems and how to make sure that your site and business are safe.
8 Things You Need to Know About WordPress for Business
So here are the 8 things that you absolutely need to know if you are going to trust your business to WordPress.
1. WordPress is a Major Target for Site Hackers
Malicious hackers target the efforts at the biggest possible sample size to maximize their effect. This is why most viruses target Microsoft Windows. Similarly, WordPress now has the largest share of the web. Hackers scanning the web for sites with vulnerabilities are putting the bulk of their efforts into targeting WordPress. If you were on a more obscure or homegrown CMS before, you may find that as soon as you are on WordPress you have increased risk, simply because of the volume of hackers and scripts that are specifically going after WordPress sites.
As a quick example, we’ve seen access logs of non-WordPress sites showing millions of access attempts at a url of “/wp-admin” (this is the location where the admin page would be if the site were running WordPress).
2. Never Hack WordPress Core
Being able to quickly and safely update WordPress core is essential for keeping your site up to date with the latest security updates. Hacking (modifying) the WordPress core files is a big no no for many reasons but primarily because doing so limits your ability to get the latest updates.
3. You Take A Risk With Every WordPress Plugin You Use
You shouldn’t hack/modify WordPress’s core files but that doesn’t mean that you can make significant customizations to your site. In fact, WordPress’ hook system makes WordPress extremely flexible and customizable. The way that you make modifications is with plugins. However, keep in mind that with every plugin that you add, you are taking a risk. Any plugin that you install is running code on your server and has unrestricted access to your server files and database. Even if the plugin isn’t malicious or poorly designed/coded, plugins can eat up your server’s memory and cpu. They can also cause your whole site to “white screen” or just crash.
4. Your WordPress Site is Only as Good (secure, stable, efficient) as Your Weakest Plugin
Your WordPress site is only as good (secure, stable, efficient) as your weakest plugin. You can have a great site, on premium hosting and with the latest version of WordPress and a premium theme and if you have just one bad plugin, it can compromise the whole thing.
5. WordPress Plugins Are the Wild West
Open source is a great thing. The world would be well behind where we are today if not for the availability of free, open source code. However, not all open source code is created equal. In fact, it’s not even close. While many open source projects are created and run by major software firms, with teams of professional developers, others may be created by one person with no formal training or experience. It’s up to you to vet the code.
With some open source ecosystems, the vetting is done for you. For instance, Linux come in “distros” (distributions). Linux distributions such as RedHat and Ubuntu have picked a bunch of different Linux packages (and package versions), vetted them, put them together and tested them. RedHat tends to be more conservative with the code that it will put into its distro while Ubuntu is much more liberal (putting newer code that has been less battle tested). You can choose where you want to fall on the scale of latest/most stable when you choose which distro you want to use.
No such system currently exists for WordPress. When a WordPress plugin author updates their plugin, it just goes right out and is immediately released. It can then be downloaded and running on millions of sites within minutes. This is great if the code is good but it skips over all of the safeguards built into linux distros. It is totally up to the plugin developer to test the code.
6. By Default, WordPress Sites Are Incredibly Inefficient and Slow
WordPress is designed to be flexible and extendable. It does a great job of this but these very goals are contrary to those of efficient code. WordPress’ use of denormalized database table structures, dynamic code, uncompiled code (PHP), etc mean that it can’t perform at nearly the speeds of other systems (at least not by default).
7. Having Your WordPress Site Under Your Primary Domain, Puts Your Whole Domain At Risk
If you have more than one site operating under a single domain (ie. example.com/intranet and example.com/blog) even with separate hosting and databases, all of your sites may be at risk from bad code in just one plugin of one site.
Sites operating on the same hostname are susceptible to a number of different client side attacks. If your sites are all running at the same hostname, they may be susceptible to Session Hijacking Attacks and Session Fixation Cookie Attacks. Even if you put your sites under different subdomains, you may still be vulnerable to Cross Subdomain Cookie Attacks, Cookie Jar Stuffing Attacks, and Cookie Tossing Attacks.
8. WordPress is Licensed Under the GPL (Use At Your Own Risk)
WordPress is licensed under the GPL (GNU General Public License). This license explicitly states that you are on your own. If things go wrong, there is no one to fix it and no remedies other than those that you come up with on your own.
Solutions and Recommendations
1. Stay up To Date
As soon as WordPress learns of a vulnerability they will patch it. They will then announce the vulnerability in coordination with the launch of the patch. At that point it is a race to see if you can patch your site before the hackers break in.
Use a plugin, script or managed hosting to ensure that you are getting the latest security updates as soon as they are released.
2. Vet Your Plugins
Make sure that the plugins that you use are well coded (and ideally with a software company behind them). Have a developer check the code out. Make sure to check the following:
- Does the plugin have unit tests?
- Is the code well organized and look like it was programmed by an experienced developer?
- How often is the plugin updated?
- How many support issues does it have? How many are still open? Have their been previous complaints of new releases having bugs?
While it may be tempting to use free plugins from an author that gives the whole thing away for free, keep in mind that if the plugin has no monetization strategy, the author likely built it as a hobby and likely has little to no incentive to fix the bug that is costing your business thousands of dollars a day.
3. Performance is All About Caching
The key to WordPress performance is caching. If your site gets a decent amount of traffic you should have a page level cache (like Varnish) in front of WordPress. Even better is to distribute the cached pages by using a CDN.
WordPress makes thousands of computations to render each page. There is no point in doing this work for every visitor only to return the exact same page. By using a cache, WordPress renders the page once and then it is served to potentially millions of people by the cache. Caches are how the New York Times and the BBC are able to use WordPress successfully.
4. Keep An Open Relationship With A Development Firm or Use Managed Hosting
Things may go wrong with your site and when they do, the best you can do on your own is to post to the WordPress forum.
If you are trusting your business to WordPress, you should have a relationship with someone who you trust to be there to fix it.
You can either use a managed WordPress host such as WPEngine or you can contract with a local web development firm that specializes in WordPress.
While the choice to use WordPress over other CMS’s may seem like an obvious one, you need to understand the risks.
Used carefully, WordPress can help your business achieve new levels of success. Used recklessly, WordPress can quickly become a liability.
Have comments or questions? Please post them in the comments section below.