Why I Use WordPress (But Maybe You Shouldn't)

Web developers and agencies love to argue over what content management system (CMS) is best, and the name that comes up more than anything else is WordPress.

If you’re a developer, you’re almost certainly familiar with WordPress; it’s the most popular CMS in the world, powering over 74 million websites and nearly 25% of the top 100 million sites. It’s also open-source, free software, famous for its “five minute installation” (which is really more like 30 seconds once you’ve done it a couple of times) and its relative ease of use when compared with most other CMS software (its WYSIWYG visual editor is absolutely fantastic).

I have lots of experience using WordPress, having built and managed hundreds of WordPress sites over the years, as well as having authored plenty of themes and plugins (from eCommerce add-ons and data encryption to responsive photo galleries and image rotators) for commercial clients. I’ve even built software on top of WordPress, including intranet/project management software, CRM systems, and agency-to-client file-sharing/presentation sites.

That’s not to say that WordPress is the ideal system for every project; there are plenty of specific needs for which another CMS or even a custom-build may be better-suited (I really like the Yii framework, for example). Nevertheless, when it comes to most websites, WordPress can handle it, either out-of-the-box or with a little customization (in the form of plugins and themes, of which there are many). In fact, this website is powered by WordPress. But does that mean that yours should be?

The advantages and disadvantages of being popular

WordPress is popular for a reason; it’s great software, at least from an end-user perspective. Whereas several years ago, WordPress was primarily a blogging platform, it’s since become a fully-featured CMS which is even beginning to look a little like a framework (although that evolution is far from complete). Having worked with comparable open source, PHP-based CMSes (e.g. Drupal and Joomla), I must say that WordPress is more user-friendly and visually attractive; even though I once preferred Drupal for most projects, I’m now finding more and more reasons to use WordPress, especially since everyone and their mother seems to already be familiar with it.

The popularity of WordPress also means that there’s a large online community to support anyone who might have a question or problem; while WordPress doesn’t offer direct email or telephone support like a maker of proprietary software might, you would probably have more luck posting in the WordPress Forums, anyway.

Then again, this is both a strength and a weakness of accessible, open-source software (and even the PHP language in general): the fact that almost anyone can pick it up and work with it means that there are a lot of amateur plugin developers out there who may not have the best habits or a complete understanding of, say, website security or performance optimization. Being easy to use also means that a large portion of WordPress users are not very technically-inclined; they can update content on their sites, but they may not stay on top of updating their software or plugins.

Is WordPress secure?

One additional disadvantage of being popular is that you very easily become a target; this is true whether you’re talking about computer operating systems, content management systems, or presidential candidates. WordPress’ wild popularity (especially among amateurs and non-developers) means that it’s constantly being sought out by attackers seeking to exploit any weakness they can find. Pair that with the disconcerting fact that a large percentage of WordPress installations are either out-of-date or have out-of-date plugins, and it’s unsurprising that WordPress has sometimes been accused of being insecure or vulnerable to things like cross-site scripting or MySQL injection attacks.

Does this mean that WordPress is inherently insecure? Well, no. As a matter of fact, the WordPress core software is incredibly secure and constantly being audited by security firms to ensure that any vulnerabilities are discovered by the “good guys” and patched promptly. If anything, being under constant threat of attack means that WordPress is probably more secure than most alternative CMSes; it’s just more likely that any flaws in WordPress will be noticed, whereas flaws in other systems may pass under the radar.

That said, there’s a “but.” And, even if Sir Mix-A-Lot approves, it’s a very big “but.”

Simply put, a site built on WordPress is only as secure as its weakest link. Despite its ease-of-use as a CMS, when it comes to security, WordPress requires the same sort of attention as any other piece of software. You must keep the WordPress core software up-to-date, and you need to be very careful and discriminating when it comes to the plugins you are installing on your site (keeping them up-to-date as well). There are even some additional measures you can (and should) take to ensure your site is protected, from firewalls to malware scanning, especially if you’re running a business website. The fact that your tech-savvy nephew set you up with a website does not mean that your site is safe.

WordPress can be just as safe as any other piece of software, but you must be proactive. Unfortunately, many WordPress users are either uninformed or just plain lazy. I very actively maintain the sites I build on WordPress and use a host that provides an additional layer of protection; I’m also very picky when it comes to installing plugins. If you can’t give your website this sort of attention, WordPress may not be for you.
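The plugin upkeep described above can be checked mechanically. The following is an added example, not code from this site: it triages a plugin inventory in the JSON shape that WP-CLI's `wp plugin list --format=json` reports. The plugin names and versions are constructed sample data, and the function name `audit_plugins` is hypothetical.

```python
import json

# Constructed sample of `wp plugin list --format=json` output
# (fields: name, status, update, version). Plugin names are made up.
SAMPLE_INVENTORY = """[
  {"name": "example-gallery", "status": "active",   "update": "available", "version": "2.1.0"},
  {"name": "example-forms",   "status": "inactive", "update": "available", "version": "1.4.2"},
  {"name": "example-cache",   "status": "active",   "update": "none",      "version": "3.0.1"},
  {"name": "example-slider",  "status": "inactive", "update": "none",      "version": "0.9"}
]"""


def audit_plugins(inventory_json):
    """Return (plugin, finding) pairs, most urgent first.

    Priority 0: loaded by WordPress and out of date.
    Priority 1: inactive but out of date (the code is still on disk).
    Priority 2: inactive and current (unused code that could be removed).
    Plugins that are active and current produce no finding.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        outdated = plugin.get("update") == "available"
        # Anything not explicitly inactive is treated as loaded.
        loaded = plugin.get("status") != "inactive"
        if outdated and loaded:
            findings.append((0, plugin["name"], "active and out of date: update now"))
        elif outdated:
            findings.append((1, plugin["name"], "inactive and out of date: update or delete"))
        elif not loaded:
            findings.append((2, plugin["name"], "inactive: delete if unused"))
    findings.sort()
    return [(name, message) for _, name, message in findings]


if __name__ == "__main__":
    for name, message in audit_plugins(SAMPLE_INVENTORY):
        print(f"{name}: {message}")
```

On a real site, the input would be the saved output of `wp plugin list --format=json` rather than the embedded sample.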

The Verdict

When you’re deciding on what CMS you should use for your site, WordPress can be an excellent choice; just make sure it’s being managed by someone with a good work ethic and who really knows what they’re doing.