Last updated on July 7th, 2024 at 10:48 am
While it's easily the best and most popular CMS, there's still a chance you'll run into a problem with WordPress. Here's how to fix the most common problem.
WordPress has been around since 2003 and has become the most popular Content Management System (CMS) in the world. It’s the most popular CMS because of its simplicity and flexibility. WordPress has been powering more websites than any other CMS for many years and the competition isn’t even close. It’s free, open-source software, meaning anyone can use it and run it without much fuss.
As the most popular and flexible Content Management System in the world, WordPress rules the Internet. But that doesn’t mean WordPress is free of problems. The biggest problem with WordPress also happens to be its biggest strength: anyone can use it.
Yep, you read that right. Most of the problems detractors have about WordPress really stem from its availability to anyone and everyone who wants to build their own website.
Why is WordPress’ Ease of Use and Open Availability Such a Problem?
First of all, before going deeper into this post, I must stress the fact that I love WordPress. I can’t imagine a better way to build almost any website a blogger or a small business might need and I’m definitely not advocating for WordPress being made more difficult to use or being removed from the world of open-source website builders.
WordPress frequently gets hate from developers who either want to make more money by selling custom development, or who push other builders (especially their own proprietary ones). That doesn’t mean WordPress doesn’t have its share of problems and issues.
When searching the Internet for recent articles about why a business shouldn’t use WordPress, I rarely find anything of substance (and I’m not giving them the SEO benefit of a link here – you can search yourself). In almost every case, the article was written by someone who specifically markets a competing product – which calls into question their motivation in the first place (and generally exposes how little they know about WordPress).
To be fair, I only do WordPress websites myself, but I also used other builders like Wix & Squarespace before getting into WordPress and the difference in flexibility is astonishing. WordPress wins by a mile every time.
So let’s go over a few things that are said which make WordPress ‘bad’ and break them down as to why they’re either a) not true or b) stem from the biggest problem with WordPress: anyone can use it.
The Complaint: WordPress Isn’t Secure
Probably the most common critique I see about WordPress is that WordPress sites are vulnerable to hacking. And while it’s true that WordPress makes up a significant portion of hacked websites, it’s important to note that much of this is a byproduct of its popularity. When you consider that among websites that use a CMS, WordPress runs 65% of them, it goes without saying that malicious actors would focus on WordPress as a matter of efficiency. In other words, it’s simply a bigger target.
Is it True?
Like most things, the answer isn’t black and white. There are many layers to a website and every WordPress website is unique in one way or another.
The core of WordPress and its default themes are very secure. They’re penetration tested by teams of security researchers constantly and any vulnerabilities discovered are quickly patched.
How Does it Relate to the Fact That Anyone Can Use WordPress?
The problem with WordPress when it comes to security occurs when you take into consideration that anyone can use WordPress. The large majority of people who use WordPress aren’t versed in basic security procedures. They use default user names, weak passwords, and install themes & plugins from non-reputable sources. They neglect to install updates. Is this the fault of WordPress? Absolutely not.
The most common attacks on WordPress websites are brute force attacks on user accounts. Brute force attacks occur when someone, or more commonly an automated bot, attempts to guess usernames and passwords on your WordPress website. These attacks can be successful; in fact, 8% of WordPress sites are hacked simply through guessing a password.
According to WPScan, 90% of the known vulnerabilities in WordPress come from 3rd party plugins. Approximately 80% of hacked websites were hacked due to a vulnerable plugin which was out of date. Plugin developers are generally good about releasing updates to patch security vulnerabilities, but if you never install the update, your site will remain vulnerable.
Finally, if the web hosting company you choose runs insecure servers, then you may be in danger regardless of whether you use WordPress or not. Back in November 2021, a security breach at GoDaddy exposed passwords for over 1.2 million customers who used GoDaddy’s Managed WordPress hosting package. Site owners could have done everything right to secure their websites, but due to GoDaddy’s negligence, they were hacked anyway.
How Do You Fix It?
Fortunately, there are a few things you can do to help protect your WordPress website.
First and foremost, don’t create any users with the following user names:
- admin
- administrator
- user
- test
- root
These are some of the most commonly attacked usernames by hacking bots. If these usernames don’t exist on your website, then you won’t have to worry about attacks on them.
Second, make sure that all users on your site, especially users with Editor rights or higher, are set with complex passwords. You should also consider adding 2-factor authentication (2FA) to user accounts on your site. Utilizing 2FA will require a user to also input a one-time security code from their phone each time they log in.
Third, keep your site up to date. This means installing WordPress Core updates as soon as possible as well as Plugin and Theme updates. You should also ensure that you’re running the latest secure version of PHP, the underlying scripting language behind WordPress.
Fourth, host your WordPress website with a reputable web host. Cheaper is almost never better. I use Webhostpython Reseller hosting for my sites because they keep each website isolated and they run Imunify360 at the server level to detect and kill malicious scripts.
Consider installing a comprehensive security plugin such as Wordfence. I like Wordfence because they have a firewall that checks all requests to your site against a database of known attacks to block them before they execute. They also give your website the ability to configure 2FA for users, scan for malicious scripts, and measure the integrity of your plugin and theme files against what’s in the WordPress.org repository.
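The account and update checks above can be run as a quick audit. The following is an added example, not code from this post or from WordPress: it assumes you have exported your users and plugins with WP-CLI (`wp user list --format=json` and `wp plugin list --format=json`), and the sample data and function names are constructed for illustration.

```python
import json

# Usernames this article lists as the most commonly attacked.
RISKY_LOGINS = {"admin", "administrator", "user", "test", "root"}
# Built-in WordPress roles with Editor rights or higher.
PRIVILEGED_ROLES = {"editor", "administrator"}

# Constructed sample data in the shape WP-CLI exports; not from a real site.
USERS_JSON = """[
  {"ID": 1, "user_login": "Admin", "roles": "administrator"},
  {"ID": 2, "user_login": "jsmith", "roles": "editor"},
  {"ID": 3, "user_login": "test", "roles": "subscriber"},
  {"ID": 4, "user_login": "guest-writer", "roles": "author,editor"}
]"""
PLUGINS_JSON = """[
  {"name": "example-forms", "status": "active", "update": "available", "version": "2.1.0"},
  {"name": "example-cache", "status": "active", "update": "none", "version": "5.0.3"},
  {"name": "example-slider", "status": "inactive", "update": "available", "version": "1.4"}
]"""

def audit_users(users):
    """Return (risky_logins, privileged_logins) for a WP-CLI user list."""
    risky, privileged = [], []
    for u in users:
        login = u["user_login"]
        # WP-CLI prints multiple roles as one comma-separated string.
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        # Compare in lowercase so variants such as "Admin" are caught too.
        if login.lower() in RISKY_LOGINS:
            risky.append(login)
        if roles & PRIVILEGED_ROLES:
            privileged.append(login)
    return risky, privileged

def outdated_plugins(plugins):
    """Names of plugins with a pending update, active or not.
    Inactive plugins are still files on the server, so they are included."""
    return [p["name"] for p in plugins if p.get("update") == "available"]

def report(users_json, plugins_json):
    """Combine both checks into one to-do list keyed by the action to take."""
    risky, privileged = audit_users(json.loads(users_json))
    return {"rename_or_remove": risky,
            "needs_complex_password_and_2fa": privileged,
            "update_now": outdated_plugins(json.loads(plugins_json))}

if __name__ == "__main__":
    print(json.dumps(report(USERS_JSON, PLUGINS_JSON), indent=2))
```
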
Complaint: WordPress Breaks all the Time
I have seen this complaint on various forums when people ask about what they should use to build their website and on blog posts from website companies that use competing products or push their own custom development solutions.
Is It True?
I have been running dozens of sites for years with an average uptime of 99.99%. The only significant outage I ever suffered was when my web hosting company had a server failure – this had nothing to do with WordPress.
How Does it Relate to the Fact That Anyone Can Use WordPress?
Folks who claim that WordPress breaks all the time usually don’t know how to run WordPress as it was intended. They use cheap, underpowered hosting, or install a bunch of plugins increasing the chances of code conflicts and errors (which can take down a site). This is not a problem with WordPress, it’s a problem with lack of education.
Because anyone can use WordPress, there are lots of people who fall into these traps and think the problem is WordPress, when the problem is simply their lack of knowledge on how WordPress works.
How Do You Fix It?
The first thing about making sure your WordPress site stays up and running is to choose good hosting. Again, cheaper is not necessarily better. A host that uses underpowered servers will have errors processing requests and cause your site to go up and down intermittently.
Second, only install the plugins you need. When someone new begins exploring with WordPress, it can be tempting for them to install dozens and sometimes hundreds of plugins. But this isn’t a good practice. Every plugin adds to the code base of your particular WordPress website and increases the chance of errors. Stick with well-vetted plugins from the WordPress.org repository that are updated regularly by the developer. Do not install plugins that appear to be abandoned. In general, a plugin that has gone over a year without an update can be considered abandoned and you can assume it is likely to cause errors and problems with your site.
PHP, the underlying language that makes WordPress work, can also be a culprit, especially when it comes to errors. Make sure you’re running the latest version of PHP that’s compatible with your themes and plugins. All good themes and plugins list which versions of PHP they support.
Complaint: WordPress is Slow & Bloated
While it’s true that dynamic website platforms like WordPress are heavier than static HTML sites, there’s no reason for them to be slow. There are plenty of WordPress websites that score extremely high on various speed metrics.
Is It True?
It doesn’t have to be true. But again, because anyone can use WordPress, the unknowledgeable user could do plenty of things to make their site run slow. That being said, WordPress by its nature isn’t inherently slow or bloated.
How Does it Relate to the Fact That Anyone Can Use WordPress?
When I was a novice at WordPress, I built my first site and had something around 50 plugins running on it. I installed anything and everything. I’ve since learned better, but I definitely made my first websites very slow and very bloated.
Because anyone can use WordPress, there’s no barrier to entry if you don’t know what you’re doing – no one was going to stop me from uploading massive image files instead of sizing them first using an image editor and installing tons of plugins.
How Do You Fix It?
First, the most important thing is making sure you’re using good hosting. If that sounds repetitive, that’s because it is. A bad host with an overloaded server will absolutely run slow websites even if they’re optimized well.
Second, only use the plugins you need and when you find multiple plugins that provide a feature you want, do some due diligence to find out which one makes the most sense for you. WordPress plugins in the repository have a wealth of information in the reviews of each plugin and the support forum for each plugin can give you a clue as to how involved the developer is when it comes to fixing issues.
Third, implement a caching solution. Website caching helps take some of the load off your server when WordPress builds a page for a visitor. This is especially important because WordPress generates pages dynamically. There are various caching plugins available and you can also consider implementing a CDN such as Cloudflare.
Fourth, make sure media is the right size when you upload it to your site. Unless you’re running a photography site, you do not need to upload images larger than 2000 pixels on the longest side. And even 2000 might be too big. A WordPress site should also never host video – if you want video on your site, upload the video to YouTube and then embed the YouTube video into your site. YouTube’s servers are optimized for video delivery; if you upload the video directly to your website, you will burn out bandwidth and CPU cycles from your web host.
Complaint: WordPress Doesn’t Have Support
I found this mentioned on a couple of blog posts that were bad-mouthing WordPress and honestly, when I see someone say something like this it makes me wonder if they ever even put a half ounce of effort into WordPress at all?
Sure there’s no corporate phone number or helpdesk to call, but that’s how open-source products work and WordPress is probably the most well-documented CMS that has ever existed. Every theme and plugin on the WordPress repository has a free support forum. Even the WordPress core has its own support forum.
When I show my clients how to use WordPress, one thing I always note to tell them is that if there’s something they want to accomplish on their site, there’s almost a zero chance that someone else hasn’t already figured out how to do it. And there’s a good chance someone even wrote about how to do it online. You can almost always go to Google and search “How to [anything you want] in WordPress” and you’ll find page after page of good quality answers. No other CMS has this.
Final Thoughts
If you haven’t come across the solution yet to the biggest problem with WordPress, I’ll say it right out: You can fix the biggest problems with WordPress by simply educating yourself. Fortunately, WordPress makes it easy to educate yourself!
WordPress has a massive community from Reddit to Facebook. You can find answers for just about any issue you might ever come across.
While WordPress’ detractors might say that using a proprietary platform like Squarespace or Wix eliminates the need to educate yourself, it’s almost a guarantee that at some point you’ll reach the limits of those platforms (they’re very limited) and you’ll want to change. And if you want to do something that’s not part of their customer package? You’re out of luck.
When I was a Squarespace customer, almost every question I had about design was met with, “that would require custom CSS, which we do not support.” So if you have any requirement that doesn’t fit within their box, you either have to educate yourself anyway or you have to go somewhere else. But you can’t go somewhere else because those platforms can’t be used anywhere but on their own servers!
With WordPress, you can take your site files and database and host them anywhere you want – a new host, your own VPS, even a server or computer in your own home or business location. The possibilities with WordPress are endless if you educate yourself about it and stop being the biggest problem with WordPress.
Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover bands, Liquifaction and Minority Report.