Wordpress is the world’s most popular content management system (CMS). It’s estimated that it runs approximately 35% of the entire internet, close to 20 million websites in total. However, this great popularity, along with a reliance on a vast community of open source contributors, is not without its drawbacks - drawbacks that can be particularly worrisome for businesses who rely on their websites. During our recent rebrand, we looked critically at our systems, including our CMS of choice, and ultimately decided to move away from recommending Wordpress.
Wordpress is what we would consider a traditional content management system. It’s a self-contained framework, deployed on a server, with its login, administrative functions, and design all governed by the same core code. Wordpress is fully open-source, meaning that anyone and everyone can contribute to its community.
Headless CMSs are different from traditional content management systems in that the login and content management are kept apart from the website’s core code. The website makes a request to the platform to retrieve the content it needs (and only the content it needs for that particular page) using a secure key. It is not open-source, and its administrative platform is maintained by a company whose sole purpose is to manage, update, and maintain it.
We analyzed and compared various CMS options against a variety of criteria to uncover which would provide the best value for our clients. In this post, I’ll be focusing on three of them: security, customizability, and performance. For each, I’ll discuss the concerns that arose with Wordpress, and how our move to headless CMS systems addresses those concerns.

Security
Wordpress is a popular target for hackers for a variety of reasons, which largely stem from its widespread use and popularity.
- Wide scope - If a hacker can find a vulnerability within the Wordpress core, or a popular plugin, that vulnerability is likely to exist, and be exploitable, across thousands, potentially millions, of websites.
- Maintenance - The fact is, most Wordpress owners don’t keep their website, themes, and plugins up to date. We’ve historically offered long-term support plans for this exact reason. Many entrepreneurs and business owners alike simply don’t have the time to stay on top of their website’s security, providing ample opportunity for hackers to exploit weak points that have since been identified and resolved in newer versions.
- Developer expertise - Wordpress is a powerful tool for both developers and non-developers alike. This ease-of-use attracts both novice and expert developers seeking to add their themes and plugins to the global Wordpress repository, and it can be impossible to determine if a plugin has been built well without analyzing its core code. When a poorly written plugin becomes popular, it can essentially be a thousand open front doors for an enterprising hacker.
- Self-contained - While the idea of having a self-contained platform might seem more secure at first, it actually works to Wordpress’ detriment when it comes to security. Because the login, site management, and core code all exist on the same platform, if a hacker gains access to your site, they gain access to your entire site. Going back to our house analogy, a hacker walks in the front door and immediately has access to all the home’s valuables, when your most valuable items could instead have been kept in a safe deposit box off-site.
These security issues, specifically with regard to maintenance and developer expertise, were made abundantly clear by the recent release of Gutenberg, Wordpress’ new page editor. Despite considerable advance warning, most Wordpress developers (both experienced and novice) failed to adapt their plugins to the new editor, wreaking havoc on Wordpress sites across the world, including many of our clients’ sites.
Headless CMS platforms, by their very nature, either address these concerns or don’t create them in the first place.
- Because they are driven by an API, headless CMS platforms can be deployed in any number of programming languages built on any number of frameworks. There is almost no way for a hacker to know which one a particular website is utilizing.
- Headless CMS platforms don’t rely on plugins or themes to function, so there’s no need to continuously log in and keep things updated or risk vulnerabilities in your site’s code.
- Headless CMS sites are built by Arise developers, with no outside reliance or risk associated with using plugins or themes by developers that haven’t been vetted. This means we can provide a warranty against bugs, defects, or hacks.
- By their very nature, headless CMS platforms keep the login and content management separate from the website’s core code. Login information and content are never stored on the website’s server.

Customizability
Wordpress is a highly customizable, robust platform that many people find easy enough to use and navigate. However, at its core, it’s still primarily a blogging platform. Over the years, many themes, plugins, and features have been developed or implemented to extend the platform to be suited for uses other than blogging. Gutenberg was, in large part, meant to address this as a response to the high prevalence of users using “page builder” plugins to give them more control over creating pages outside the confines of blogging. This inflexibility in content architecture robs you of managing your content in a more streamlined and effective way.
If you want to add a new employee to your “About” page in Wordpress, you’ll likely need to navigate to the page, duplicate another employee’s module on the page builder (that you’re stuck with because the theme you like uses it), move it into the layout column next to it (or create a new row because this one is full… or rejig your whole layout because having two full rows of 3 and one dangling employee looks weird), then swap out the employee’s name, title, and headshot, then click Preview to make sure everything looks okay on the site, then hit Publish.
On a headless CMS, you’d simply create a new item of the “Employee” type, upload a headshot and type in the employee’s name and title, then hit Publish.

Performance
Wordpress is notorious for being a bloated content management system, meaning that the platform in its entirety, combined with any plugins, themes, or add-ons in use, adds an unnecessary amount of page load time that can severely affect the behavior of the visitors to your site. How true this is varies on a case-by-case basis, but there are certainly aspects of Wordpress which lend themselves to poor performance and are not present in headless CMS systems.
- Plugins - Whether you’re on the admin screen or on your website, Wordpress needs to run through each of your plugin initialization sequences. Often these sequences involve validating the plugin via a license key, which requires the plugin to make an API call outside of your website. Depending on how responsive the server is - or worst case, if the server is down - your site’s load speed can be significantly impacted. Most sites we’ve seen run 5 or more of these licensed plugins at any given time. Maintaining and updating themes and plugins is also a culprit here - outdated plugins or themes are far more likely to make calls to API points that no longer exist, thus increasing the likelihood of server timeout and ultimately page slowdown.
- Themes - Wordpress themes are, understandably, built to accommodate a massive number of customization options. To accommodate these options, the files in which the styles are defined, called “stylesheets”, can often become huge, hulking documents, when an identical site not built on Wordpress would require a stylesheet file 10-20% of the size. Some page builders have mitigated this to some extent by dynamically generating styles based on user preferences, but the ways they output these aren’t ideal or in line with best practice or web accessibility standards. Additionally, the theme probably comes with (and loads, along with your website) a whole host of JavaScript files to facilitate features (think popups, animations, etc.) that your website doesn’t use.
- Image/Asset Optimization - Images can be a massive source of page load slowdown. Wordpress doesn’t compress or optimize images on its own, nor does it provide an option to swap different images at various screen widths (for when you don’t need a 2600px wide image for a 480px wide mobile phone). You can address this with (yep, you guessed it) plugins, but most reputable headless CMS systems will offer CDN or compression functionality by default, and provide you the means to serve your users different image sizes based on their screen size.
A typical business Wordpress website loads in anywhere from 3-5 seconds, perhaps more if the site is particularly complex, rich in plugin usage, or is using a particularly robust and customizable theme. With statistics showing that users are more likely to leave your website if content isn’t shown to them within 3 seconds, this is playing a dangerous game that could have serious negative consequences on your visitor behavior.
On the headless CMS sites we’ve built since the switch, most pages load in 1 to 1.5 seconds, with some fully-styled pages loading in as little as 460 milliseconds (less than half a second) on 4G mobile. Additionally, when performance issues do arise, it’s significantly easier to trace them to a specific cause, and the troubleshooting steps are far fewer without needing to take the various concerns of Wordpress into account.

Should I be worried about my Wordpress site?
If you have an existing Wordpress website built by Arise, you are updating your themes and plugins when prompted, you are happy with the website's performance, and you find editing the site to be simple and straightforward - then you have nothing to worry about at this time.
If all of the above isn't true, then switching to a headless CMS could be something that has a real, positive impact on your business. This is especially true if it has been several years since your most recent website redesign.
As part of a longer term plan, however, we are now recommending a transition away from Wordpress.