I often get a lot of slack from my colleagues over my disdain for WordPress. To be fair, I don’t actually have anything against it. Wordpress is a simple platform for managing a website and it's used by over a quarter of all websites on the Internet. Obviously, it has its place. There is a massive user community so any development problem you could possibly have has already been flushed out by dozens of posts on stackoverflow. It's easy to install, easy to add a pre-made theme and, usually, easy to add any of the tens-of-thousands of available “plugins” to embed additional functionality to your site.
So why do I cringe when someone asks me to build their site in Wordpress or add custom functionality to their existing Wordpress site?
Some of it comes down to preference and familiarity. I choose not to live in Wordpress, which means that when I do have to develop new custom functionality in an existing Wordpress installation, it adds time and complexity because I don’t know the system inside-and-out. That is, of course, my own failing so perhaps it is not the best excuse.
The most often mentioned concern people have about using Wordpress is security. Having such a large user base makes its an easy target for exploitation. The community behind the platform is quick to patch bugs and holes but this means that each individual site owner is responsible for downloading and installing those patches as well. Often, once a site is built and the developer is paid for their work, that ends the relationship between the site owner and the site builder so there is no one to make these necessary updates. Even if the developer is staying on top of the latest required updates and patches, it is not always easy or plausible to implement them. It requires testing to ensure that the update doesn’t break any of the dependent plugins that the site may be using and it may require scheduled downtime on the production website while the changes are put in place. Often a plugin used by the site is no longer compatible with the updated version of Wordpress or worse, the security flaw is due to the use of a poorly vetted unpatched plugin.
Obviously, any site can be targeted by hackers or those with malicious intents and a custom-built site can also suffer from the same concerns about the plausibility of implementing fast security patches. The difference is that a custom-programmed site doesn’t have the massive user base of WordPress and is therefore much less likely to be targeted by hackers. A determined hacker will always find a way to do damage, but WordPress is the low-hanging fruit they most often go for.
That said, security through obscurity is not really security and therefore, it's a little difficult to claim my hate for working in WordPress is based on any security risks.
Wordpress requires 100mb of disk space to run. That's not really a lot, especially since storage and bandwidth costs continue to shrink to near nothing, but, given that most files are just plain text, this number represents somewhere around 1,200 files in the code base. This overhead doesn’t necessarily translate to a slow website but it speaks to the fact that Wordpress tries (or needs) to be “all things to all people.” Its core features are plentiful, but this lends it to being a massive code base of poorly optimized bloated software. Years of community driven feature enhancements being bolted onto the existing framework has resulted in many many messy files.
I don’t see this as a failing of WordPress. Any framework you use will have a lot of files. Many common Wordpress alternatives have even more code behind them. Again, not a great excuse to hate on Wordpress but clearly it can be a point of frustration for any developer trying to delve into the code.
None of my “excuses” so far stand up very long in a serious debate. And I get it, Wordpress is fine. You should use it. Just don’t ask me to use it. So what’s my beef? It comes down to finite control and the discretion to creatively build complex functionality any way I see fit. I mentioned before that there are some 45-50,000 plugins available to add features to a Wordpress site. The problem is, I’ve never used one that didn’t require some customization or modification.
If I am building a custom web application, I need to be able to program my code efficiently and in a way that can’t be pre-made by someone else. My code needs to talk to my database and make business decisions based on my criteria which means building custom plugins every time. This is fine but it requires working within the framework, the constraints, of Wordpress. Tools must be programmed using “the Wordpress way" and flexibility is lost.
Any serious application requires custom, optimized, programming. If that functionality has to be built inside the WordPress environment, it means either accepting the limitations of the framework or bypassing them. The former is often impossible and the latter means writing hacks that aren’t always pretty.
The primary benefit of WordPress is that, once a site is developed, any user without a technical background can log in and make changes. Often, someone will come to me and say, “the site has to be in Wordpress because I need to be able to make changes.” What they are really saying is, “I want a Content Management System and Wordpress is the one I’ve heard of.”
The truth is, there are countless other frameworks and CMS solutions with simple, easy to use, non-technical tools for user’s to update their websites. In fact, because I like to program things “my way” I’ve even built my own framework with its own CMS. I personally find it easier to use than WordPress and, because I built the framework myself and know it inside-and-out, I can rapidly build and deploy complex web applications on it without being beholden to the limitations of the framework.
In the end, there is nothing wrong with WordPress. Especially if you have a simple site without the need for custom tools with any complexity beyond basic forms or out-of-the-box e-commerce. But, if you require a custom software application that is unique to how you do business, talk to me about how I can build a serious enterprise solution, without using Wordpress.