The idea for this article came quite recently, when I accidentally stumbled upon a YouTube video by a guy (apparently a quite popular affiliate marketer – a YouTube influencer with 250k+ subscribers) who was yelling out loud that everyone should stop using WordPress in 2021/2023, giving completely invalid reasons as the basis of his opinion – just for his own personal gain, to get his own subscription based product onto the market.
Bottom line: Do not believe any of this stuff. In this particular case it is paid, it is sponsored, and WordPress is still a great platform for developing any kind of project: you can make it secure, you can make it fast, it is easy to maintain, it is still up to date and still kicking. All it takes to do it perfectly is KNOWLEDGE!
Under this link you can watch the video he posted (if you like) and then read my arguments for why most of what he says about WordPress is complete and utter BS. This “flame war” with recommendations to stay away from WordPress is a popular topic, often driven by myths and the cry-outs of people who are too lazy to learn how to do things properly, so I consider this article important in the fight against these invalid and misleading opinions. The problem with this particular video is that it has been viewed more than 700k times and it is poisoning the community with lies and false information about WordPress.
Myths vs facts about WordPress – In-depth analysis of the statements presented in the video
Statement: I’ve used WordPress for over 8 years and in that time WordPress has stayed stagnant or in many cases has gotten worse.
Facts: WordPress has been constantly evolving since 2003, when the first version was released. Almost every year there have been updates and innovations in the platform to improve the site editing experience, error handling, overall UX, website performance, etc. There is a good article which more or less sums up how the platform has evolved. The last major change was in 2018, when WordPress introduced the Gutenberg block editor, a long awaited feature because of its content editing possibilities, and since then it has only gotten better.
Each year, regular WordCamp conferences are hosted all around the world; they bring together WordPress enthusiasts and cover everything related to WordPress.
Statement: The main issue lies with WordPress being so gigantic as an open source CMS running 40% of the Web today, that it is no longer excellent at just one specific business use case or a solution. There’s a saying – “When you try to please everyone, you end up pleasing no one.”
Facts: The WordPress platform is indeed running 43% of the Web today, which still makes it the most popular choice among content management systems on the market.
From its earliest years WordPress has been evolving as an all-purpose content management system, and this has not changed since. While it is true that you can’t efficiently apply one solution to everything, and custom-coded or niche-specific solutions will certainly be much more efficient, in the end it all comes down to how fast you can get things done and what the cost of upkeep and maintenance is versus the profit. With the many solutions already available in WordPress and its plugin repository:
- You do not need to spend extra hours of development on solutions which already exist;
- The system can be customized in any way you like, because it is a self-hosted solution;
- There are no subscription fees for the WordPress platform itself. The platform is free and open source.
Statement: The first reason is maintenance! Over time I realized I was actually spending more time simply maintaining my WordPress websites than actually building my business or even creating content. This is a huge time suck and energy drain! So with WordPress you have to worry about updating your plugins, your themes, your WordPress core and even your PHP version! If any one of these is incompatible with the other it has the potential to either break your website, cause formatting and usability issues or leave you vulnerable to hackers and security exploits.
Facts: First of all, and once again – WordPress is a self-hosted solution, not a system for which you pay a subscription and get all of these things silently done by the developers and technicians behind it. It is like a framework for web developers on which you build and develop your own stuff. With each and every software solution you have to deal with updates, deal with compatibility issues and face security issues from time to time – that is the usual development process. In the software development world there is no single Kim Jong Un who drives the whole country – the whole web and computer industry consists of independent solutions which will often have update, compatibility and security issues, because they are actively developed, nobody can make a 100% perfect product compatible with each and every solution, and every developer will face security issues in their product from time to time because of the simple human factor.
Let me put it in simple words: If you do not want to think about web development stuff while maintaining your WordPress based website, do not even read further – get a subscription based service or hire a web developer who will take care of these problems.
In exchange for using WordPress you get complete freedom in how you drive your web project, because you can always add your own custom solutions to it and you are not limited to what a subscription based service offers you.
Statement: True story: My security plugin which I paid for a premium version and is one of the most downloaded and highest rated plugins on WordPress actually got a security exploit. Now the reason why this is an ongoing mess, is because all of the independent plugin developers do not talk to each other! So there are always compatibility issues between the hundreds of thousands of plugins and themes available! All it takes is just one outdated plugin or theme for your site to get hacked.
Facts: WordPress is an open source platform developed by its core team of contributors, and the WordPress plugin repository consists mostly of plugins developed by other, independent web developers and companies, for which WordPress does not hold responsibility. While you have the right to install each and every plugin you like, you also have the right to create and use your own plugins and themes, and as a user of open source software you have the right (which I personally see more as a moral obligation) to submit all of the issues you face with a plugin to its authors.
While a plugin has to comply with certain guidelines to get into the WordPress repository, the WordPress team can’t inspect and be responsible for each and every line of code the plugin has. Facing some sort of security issue in a product at one time or another is also nothing to be surprised about.
It is a part of the normal software development process and of the human factor, plus there are tons of examples of hacked large business and enterprise websites to prove that everyone can make mistakes at some point – a premium version of some highly rated WordPress security plugin is no different.
The argument about “all of the developers who don’t talk to each other” is a bold lie.
Each plugin in the WordPress repository has its own page on the WordPress website where you can find all of the information you need, including the support forum. This support forum is often used by other developers to report various kinds of issues with the plugin. Famous WordPress plugins like WPML even offer programs for other developers to deal with compatibility issues between plugins and themes, or have their own communities and developer forums for this purpose.
Statement: Also there are dozens of plugins for the same exact feature. How is the newbie supposed to know which is the best choice?
This certainly is a funny argument. Let me give you an example – when you go shopping there are dozens of different brands of dark chocolate bars available on the store shelf. How is the newbie supposed to know which is the best choice?
You look at the reviews and you try it out! You compile a list of plugins which have more or less good reviews and you try them out and find the best suitable one for your needs. That’s how it works!
Remember: WordPress is not a subscription based service for end users, but an open source platform to develop things on. Its plugin repository is like an open market with a bunch of different products from independent vendors.
Statement: I actually have a plugin to update all my other plugins, but even then, it actually broke one of my websites due to an incompatibility.
Fact: From the developer point of view it is just plain stupidity to update plugins automatically in a production environment, because of the many things that can go wrong. It is ignorance to even consider this a con of the WordPress CMS. When you update your WordPress website (just like any other web project), the update must be tested and adjusted in development and (if necessary) staging environments before you release the updated version live. It is a part of the normal software development process.
Statement: Also look at this – it says, that my site is running an insecure version of PHP. Now here’s the thing – with a lot of web hosting companies you actually can’t update the PHP yourself, you have to contact the support. Now the question is – if the newer PHP is usually more performant and higher security, why can’t we just update this automatically? Oh that’s right, because of the incompatibility issues when it comes to your plugins, your themes and WordPress core.
I don’t know about the “lot of web hosting companies” part, but letting the client switch to the most recent PHP versions is kind of a must have for a shared hosting provider. A decent shared hosting package will almost always come with some kind of web hosting management system (often Plesk or cPanel) where you should be able to switch between PHP versions. Personally I would not recommend shared hosting for business / ecommerce WordPress websites and would go for a well-configured VDS / dedicated server, which is a much more suitable choice for speed and stability.
Why can’t we just update PHP automatically? – again, one of the most stupid things you could ever do in a production environment. It is a question which often comes from a person who does not know anything about web and software development in general. PHP is a hypertext preprocessor, and with each of its major versions some of its old functionality gets deprecated and some of its backwards compatibility gets taken out. Configuring it to update automatically, not only for WordPress based websites but for any PHP-based website in general, is like shooting yourself in the foot – a website first needs to be adjusted and tested before you can run it on a newer PHP version in a production environment.
Fact: The specifics of web hosting should not be taken into account when judging how good or bad WordPress is.
Since WordPress is more like a framework – a platform which eases web development and NOT a paid, ready-to-use tool where everything works straight out of the box just like you want – you must have a good understanding of web development if you want to create and maintain a technically successful WordPress based website. You don’t have the knowledge? Hire an asset!
Statement: Second main reason why I’m moving away from WordPress is the lack of performance and security. Let’s face it – WordPress is an 18 year old software. The technology, the tech stack and the infrastructure available today, such as with Amazon Web Services, Google Cloud Platform, Microsoft Azure is vastly different from when the WordPress started 18 years ago. Most WordPress sites I’ve personally tested and seen are slow and vulnerable to hacks and exploits. Now this does not mean – all of them and I’ll get to that in a second. Let me give you a simple example of a security issue that affects all WordPress websites from installation. Here we have a WordPress website. If you want to access the login to any WordPress website, all you have to do is add forward slash and wp-login.php. It will take you to this page. Now here’s the thing – with every WordPress website the first initial user is always “admin” who has access to everything and can do everything with your website.
Fact: Cloud computing platforms started to appear as early as 2002, 1 year before the initial WordPress release. While you can use any of the mentioned services to host WordPress based websites, there is nothing to compare or refer to in terms of WordPress versus cloud computing platforms. It’s an apples != oranges topic.
The statement from this guy’s personal experience about “most WordPress sites being slow, vulnerable to hacks and exploits” is also unsubstantiated. With a network of more than 60 WordPress based sites under my provision and a history of developing even more WordPress based websites before, I can surely say that this guy is talking nonsense. For a proficient web developer there is absolutely no problem building a stable, fast and secure WordPress website which can rank well in Google.
The next dumb thing is him mentioning the default “admin” user – there is no such thing. As you see in the screenshot above, upon installation WordPress asks you to provide a username and password. It is completely your choice what username you provide for the administrator / super-user account.
Statement: …So now looking at this (the WordPress login form), all we have to do is guess the password or bruteforce this and we are basically already halfway there because 1) we have the access to the login page and 2) we also know what the super user is, which is the “admin”, so all we have to do is guess the password and we’re in. Now if you want to have a two factor authentication, that is actually going to require a premium security plugin that you’re going to have to pay for.
FACTS:
Default user: As mentioned before, there is no default user with a username “admin”. It is just a common thing for people to use such username for their administrator accounts and it does not have anything to do with WordPress and its security.
Password guessing: With the default configuration, the WordPress login page URL is indeed /wp-login.php, which can be brute forced, but at its core it again comes down to the stupidity of using weak passwords. You have to learn to use strong passwords! If you like to use weak ones – not only can your WordPress website get hacked, you face these risks everywhere.
A password made up of upper and lower case letters, numerals and punctuation, gives 96 possible characters. A 14 character length password (NIST recommended) gives you 4.8 x 10^27 combinations. Even at 100,000,000 per second, that would take you more than a million years to guess if you had to try every possible combination. Since, on average, you’ll guess the password after trying only half of the possible combinations, we’re down to 500,000 years.
Source: https://netcraftsmen.com/how-hard-is-it-to-crack-a-password/
Default login page: It takes just a little knowledge of what’s available on the market and a few minutes of your time to install and configure the WPS Hide Login plugin, which is meant to change your WordPress login page URL, thereby strengthening the security of your WordPress website. It has already been around for 8 years, so it is not a recent solution. There are a couple of other easy adjustments which you can make to further improve your website security, but I will cover them in a separate article.
2FA authentication: You do not need anything premium. There are also numerous solutions available straight from the WordPress repository to get this working. Just install the Wordfence Login Security plugin (available from 2019); it will take 2 minutes of your time to configure it with your Google Authenticator app, and you can additionally enable further security measures for the login page (e.g. disable XMLRPC authentication – another vector for brute force attacks).
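The password-guessing traffic discussed above shows up in the web server's access log as bursts of POST requests to /wp-login.php or /xmlrpc.php from one client. The following Python script is an added example, not code from this article or from WordPress; it assumes the Apache/nginx combined log format, and the function name, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login endpoints named in the article: the default login form and XML-RPC.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Apache/nginx "combined" access-log line: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def _line(ip, hhmmss, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Mar/2023:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample; all addresses come from documentation ranges.
SAMPLE_LOG = "\n".join(
    # six password POSTs in ten seconds against the login form
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 12, 2)]
    # five POSTs in twenty seconds against XML-RPC
    + [_line("198.51.100.23", f"10:01:{s:02d}", "POST", "/xmlrpc.php", 200)
       for s in range(0, 25, 5)]
    # an ordinary login: load the form, submit once
    + [_line("192.0.2.10", "10:02:00", "GET", "/wp-login.php", 200),
       _line("192.0.2.10", "10:02:09", "POST", "/wp-login.php", 302)]
    # five POSTs spread over forty minutes: below the rate threshold
    + [_line("192.0.2.44", f"10:{m:02d}:00", "POST", "/wp-login.php", 200)
       for m in range(10, 60, 10)]
)


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"peak": n, "endpoints": set}} for clients that sent at
    least `threshold` POSTs to a login endpoint within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a plain page load
        path = m["path"].split("?", 1)[0]
        if not path.endswith(AUTH_ENDPOINTS):  # also matches subdirectory installs
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen = recent[m["ip"]]
        seen.append(ts)
        while ts - seen[0] > window:  # drop attempts older than the window
            seen.popleft()
        if len(seen) >= threshold:
            hit = flagged.setdefault(m["ip"], {"peak": 0, "endpoints": set()})
            hit["peak"] = max(hit["peak"], len(seen))
            hit["endpoints"].add(path)
    return flagged


if __name__ == "__main__":
    for ip, hit in find_bruteforce(SAMPLE_LOG).items():
        print(ip, hit["peak"], sorted(hit["endpoints"]))
```

Clients it reports are candidates for rate limiting at the web server or firewall; the plugins mentioned above deal with the same traffic from inside WordPress.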
Statement: So here I’ve run both a Google Lighthouse test which is a built-in performance testing tool that’s built into Google Chrome and you can see here we’re actually failing two of the Core Web Vitals. …I’ve also run this through GTMETRIX.COM and you can see, when it comes to the web vitals we are actually failing all three of the web vitals on this test. And you can see the “fully loaded” time is 5.2 seconds.
Fact: WordPress is a self-hosted platform for creating websites and by default it does not come with all the optimizations needed for good or near-perfect Chrome Lighthouse or GTMetrix scores. That is something you have to optimize yourself (by installing the necessary plugins and optimizing your WordPress theme), along with the server configuration. WordPress as a platform cannot decide in your place how you want your content to be loaded on the page or what kind of optimizations you want for it, nor guide you in how to do things properly. It is all about knowledge! The platform is not bad just because you do not know how to work with it!
Personally, I recently started the DoInWP project and haven’t invested much time in its development. I used a theme from the WordPress repository and put maybe 1-2 hours of development into it. While this guy is constantly complaining in the video about how poor WordPress is and how he’s having a hard time maintaining his WordPress site, I spend most of my time here writing articles, and without a lot of optimizations (I haven’t even started yet!) this very article already has Lighthouse scores close to the maximum while the site is hosted on a cheap 5$/month shared hosting server.
Lighthouse scores? Here you have it!
Statement: Now the question is – can a WordPress website become fast and secure, and the short answer is yes! But, you will always have to continue maintenance to make sure it stays that way. To make WordPress fast and secure, you’re gonna need the following: you’ll need some sort of premium managed hosting (like WPEngine or Kinsta), you’ll need a premium performance plugin that you’re going to have to configure, you’ll also need a premium security plugin to make sure that your site is secure, although the issue is adding all these plugins is actually slowing down your website. And the last but not least you’ll probably need a CDN subscription to like a CloudFlare or StackPath. But at a time you spend all this money on all these premium plugins and subscriptions, you may as well have gone for one of the alternatives, that’s gonna take care of all of this for you, right out of the box. Not to mention all the time and energy you’re gonna have to spend to configure these plugins.
Fact: There is not a single premium plugin or subscription I use to run DoInWP, which is also WordPress based. The site is fast and secure and it does not ask for a lot of maintenance. It is true – I use CloudFlare as the CDN for this site, but it is nothing more than the free plan. Most of my energy has gone into writing quality content. And that is just one example of many which prove that all of this smear campaign is just a cry-out of unjustified complaints, made because the person does not know how to develop sites with WordPress.
Statement: Now the third reason that I’m moving off the WordPress is honestly a lack of innovation, bad product design and too many tutorials. WordPress does not make sense for average people who are non-developers or non-web designers. So the first thing I learned from helping over 6000 people create a WordPress website is there is too steep of a learning curve for non-technical people. It does not make sense to me that every single person has to learn how to completely build their site from scratch by watching hours of tutorials. An analogy would be – you don’t need to know how to rebuild an engine in order to drive a car.
Oh, and finally we are spilling the beans! While again this starts with a lot of unsubstantiated facts, WordPress has never positioned itself as a “click-and-go content management system for nannies who do not want to learn anything, but produce”. It is true that WordPress can be hard to learn for non-technical people, but if you really want a website for which you do not have to pay a regular subscription – learn it and make one, or there’s always the option of hiring a WordPress developer or a consultant. The same way you pay for locksmith, plumbing or car repair services! In fact, from my personal experience I can say that there are a lot of non-technical people who are actually interested in learning how to build WordPress websites, because it is a good free time hobby for them or an opportunity to earn an extra buck.
Conclusion on: STOP using WordPress in 2023!
While this and a bunch of other Woo-woo! opinions exist on the internet, WordPress was and still is one of the best website content management systems out there, which is proven by its consistently growing market share over the years and its position as the TOP1 choice among web content management systems. It is utterly wrong to compare it with “click and go” subscription based solutions like Shopify or Wix, just because they do not need maintenance or development.
WordPress (as a self hosted solution) is built for technically minded people who have at least some sort of experience in the web development industry or who are at least ready to learn something new. If you struggle to be successful and efficient with it, hire a professional WordPress developer who will help you solve all of the problems you’re facing – in return you will get complete freedom in further development choices and independence from subscription based services.
The fact that there are a lot of such people who compare WordPress and complain about it being a bad choice just means that the platform is so simple that even regular people can somehow manage to set it up and use it.
In this particular case, as I said in the intro – it is an artificial opinion, based on false information with a purpose of personal gains.
A simple representation of WordPress vs Shopify kind of comparisons :):