Duct Tape, Bubble Gum, and WordPress

These days it's hard to get very far, when considering a new site launch or refresh, without coming across WordPress. Which is no surprise, considering it powers almost a third of the internet.

What is surprising is how often it's considered for larger organizations, especially when security and compliance with regulations like the GDPR can create significant risk.

Duct Tape and Bubblegum
Source: ducttapeandbubblegum.com

I get it though. It looks easy. There are a gazillion themes available and a plugin for everything under the sun. Not only that, but developers are a dime a dozen. And no one gets fired for choosing WordPress, right?

Not exactly.

WordPress may be easy to stand up in the short term, but for the enterprise and larger organizations, the total cost of ownership, risk, and opportunity cost can be significant.

Justin Page Wood frames it this way:

"WordPress is designed so loosely, that all the pieces, plugins and technology fall apart constantly. You'll need to hire a WordPress developer on roughly 1-3 month basis just to make sure it's all still working properly...And that's not including any website changes, improvements or modifications..."

WordPress is not a CMS

While many like to use WordPress as the foundation of the digital experience, it's a blogging platform at heart. This is evident in the UI and in the fact that you have to use plugins to achieve even the most basic CMS functionality. Content owners often feel pressure to choose an "easy" platform that all of their contributors know how to use, so they gravitate toward WordPress without realizing they are choosing a blogging platform.

From a UI perspective, there's a reason why editing content on the front-end of a WordPress site is often cited as a requirement — once you have more than a handful of pages, finding content in the admin isn't easy.

There's no logical structure. The WordPress back-end is a dumping ground that gives no context for where your content lives within your site. That's why it's easier to browse your site on the front-end, find your content and edit it there.

But, even that presents challenges.

WordPress isn't as easy as you think

Wood goes on to state, "...even I get frustrated and confused with WordPress. That's because [WordPress] was not designed with clients or business people in mind. It was made for coders. The backend of WordPress is so confusing, so annoying and frustrating, that all my clients refuse to attempt to edit it on their own after their first few attempts. WordPress is not user-friendly, no matter what any WordPress developer claims."

And what if you have hundreds or thousands of pages of content, with a robust taxonomy, like many large organizations?

Are you resigned to browsing your site, bouncing between two different views, one for finding your content and another for editing it?

Ah, but there's a plugin for that you say? Let's talk about that!

Plugin mayhem

One of the things WordPress has going for it is the multitude of plugins available to extend functionality. This is also perhaps its biggest downside.

"7 Reasons You Should Not Use WordPress for your Small Business Website" puts it this way:

"WordPress is designed so loosely, that all the pieces, plugins and technology fall apart constantly. You'll need to hire a WordPress developer on roughly 1-3 month basis just to make sure it's all still working properly...And that's not including any website changes, improvements or modifications as your business grows."

Oh brother, where art thou?

Adding crucial functionality is all well and good until the developer decides they're not going to support that plugin any longer. And when that happens, guess who gets to support it? You do. Or at least your developer does. They'll need to either fix issues and maintain compatibility with WordPress or swap it out for another plugin. Until next time.

Insecure much?

In its annual report on malware-infected websites last year, security firm Sucuri found that WordPress's share of infected sites rose from 74% in Q3 2016 to 83% in 2017.

As CMS Critic notes, "...plugins are not tested by any WordPress core developer to ensure they pass some form of QA before entering the plugin repository." As a result, WordPress is particularly vulnerable to security issues such as this one.

The problem is not that WordPress itself has security issues — all software does at some point — and they do get addressed by parent company Automattic. The problems arise when using plugins developed by a third-party, which expose the foundation of the digital experience to the internet equivalent of an STD.

Ugly, but true. A third-party library with security flaws within a plugin can present vulnerabilities all on its own. Even if the plugin developer doesn't introduce vulnerabilities themselves, anything they use in the plugin can, hence the unsavory analogy.

And because WordPress is so ubiquitous, it is an easy and desirable target for exploits.

Indeed, WordPress is at the top of the list of targets, as illustrated by a record number of vulnerabilities in 2017.

In fact, early last year an estimated 1.5 million WordPress sites were defaced as hackers exploited an unpatched vulnerability.

Update or pay

And herein lies the challenge. Even if the developer of a plugin fixes the security flaw, you still have to update every plugin individually and hope nothing breaks in the process. If you have several plugins installed, you have to make sure every single one is updated or risk being exposed. It's a lot to manage to say the least.
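The plugin-by-plugin update burden described above can at least be inventoried before anyone starts clicking. Below is an added example (not code from the original post, WordPress or WP-CLI) that parses the JSON printed by `wp plugin list --format=json` and sorts plugins into the buckets an administrator has to act on; the sample output is constructed, and the `auto_update` column is assumed to be present on the WP-CLI version in use.

```python
import json
from typing import Dict, List

# Constructed sample of what `wp plugin list --format=json` prints (WP-CLI).
# Plugin names, versions and states are made up for this example; the
# `auto_update` column is assumed to exist on the WP-CLI version in use.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.1.1", "update_version": "5.1.9", "auto_update": "off"},
    {"name": "akismet", "status": "active", "update": "none",
     "version": "4.2.1", "update_version": "", "auto_update": "on"},
    {"name": "old-gallery", "status": "inactive", "update": "available",
     "version": "1.0.2", "update_version": "1.4.0", "auto_update": "off"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7.2", "update_version": "", "auto_update": "off"},
])


def audit_plugins(wp_cli_json: str) -> Dict[str, List[str]]:
    """Sort plugins into the buckets an administrator has to deal with."""
    report: Dict[str, List[str]] = {
        "needs_update": [],    # a fix exists upstream but is not installed yet
        "unused": [],          # inactive, yet its PHP files are still on disk
        "no_auto_update": [],  # active and only patched when someone remembers
    }
    for plugin in json.loads(wp_cli_json):
        if plugin.get("update") == "available":
            report["needs_update"].append(plugin["name"])
        if plugin.get("status") == "inactive":
            report["unused"].append(plugin["name"])
        if plugin.get("status") == "active" and plugin.get("auto_update") != "on":
            report["no_auto_update"].append(plugin["name"])
    return report


def update_commands(report: Dict[str, List[str]]) -> List[str]:
    """One WP-CLI command per plugin, so each change can be verified on its own."""
    # Remove dead weight first; an inactive plugin is not worth updating.
    cmds = [f"wp plugin delete {name}" for name in report["unused"]]
    cmds += [f"wp plugin update {name}" for name in report["needs_update"]
             if name not in report["unused"]]
    return cmds


if __name__ == "__main__":
    result = audit_plugins(SAMPLE_WP_PLUGIN_LIST)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    print("\n".join(update_commands(result)))
```

Run the commands one at a time and check the site after each, which is exactly the manual verification the paragraph above is complaining about.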

Did someone say GDPR?

Yep. And you've probably heard a lot about it lately, for good reason. If you're not familiar with it yet (and you need to be), you can learn more here. The General Data Protection Regulation may be the single biggest change in how we do business on the web, and lack of compliance comes with a steep cost: a minimum penalty of 20 million euros.

As such, maintaining compliance is imperative, and according to this article from Digiday, WordPress plugin developers "...may not be able to adequately answer some of the questions about the personal data that their plugins collect and use. Many plug-in makers are individual developers or small companies that lack their own legal teams to advise them."

It goes on to say, "One of the most popular plugins, Contact Form 7, runs on more than 5 million sites but was built by a single developer, Takayuki Miyoshi. He had been receiving questions asking whether the plug-in was GDPR-compliant, and in a blog post published in April, he admitted that he's unable to say."

If the plugin developer can't say whether or not their plugin is compliant with GDPR, how will you?

Automattic does offer this plugin to help navigate GDPR compliance if you're stuck on WordPress and there's no getting away from it.

Bloat, bloat, and more bloat

Security, compliance and ongoing maintenance and support aren't the only issues that can result from using WordPress plugins. Performance is another. Every plugin you install adds more bloat, and performance will invariably suffer.

"Sadly, even plugins developed by Automattic can cause massive slowdowns in load time and performance…" laments CMS Critic.

"On top of this, a HUGE percentage of the plugins in the WordPress repository are old and out of date yet still available to install on your system. This is a huge issue as these older plugins still exist and are not removed…I attempted to install a plugin that was 6 years old on my WordPress install and it worked perfectly with no warning. This is a major security issue and a huge concern that needs to be addressed as far as I'm concerned."

Theme and done?

Think again. While the vast number of themes you can get for WordPress is truly impressive, I still struggle to understand what value a theme has for the enterprise and large organizations.

Brand design standards are going to demand that design is applied in very specific ways. Asking your dev team to do this in a theme, rather than starting with a framework and building it out based on their own conventions, is a cruel and unusual punishment that will have them pulling their hair out rather than making progress.

And being bound to a theme by a third-party developer who may have included plugins in order to provide specific functionality, and who may or may not update, or support, the theme in the future, is a risky proposition and contributes greatly to the total cost of ownership.

The instant gratification that themes provide is short-lived compared to the technical debt associated with maintenance costs, and sometimes more detrimental, the opportunity costs of simply maintaining the status quo.

In the end, WordPress is more hobbler than enabler.

Support? ...Bueller? ...Bueller?

Unless you're resigned to scouring the web for answers, the only way to get WordPress support is to host your site on wordpress.com or vip.wordpress.com. At least, that's as far as I can tell from scouring automattic.com. This article seems to confirm it:

"There is no official WordPress support team that you can contact, and the only forms of support that exist are from plugin and theme developers, volunteer support and WP communities made up of random people around the world that use WordPress."

What this means is that, if you want to spin up WordPress in your own infrastructure or cloud, you're on your own.

If not WordPress, then what?

Fortunately, there are many options beyond WordPress. A great place to begin looking is the third-party review site G2 Crowd.

When looking at alternatives, consider a platform that:

  • Isn't dependent on plugins to offer common and forward-looking web functionality out of the box
  • Maintains functionality from version to version
  • Has a consistent security track record
  • Is easy for non-technical users to use and manage
  • Provides a path to scalability
  • Provides common frameworks that allow developers to build long-term, sustainable solutions, including business applications and integrations
  • Offers official support options