Anton McClure • October 21, 2020

(Why) You Should Not Use WordPress

Technology, Internet, Alternatives, Security
Estimated read time: 15 minutes, 30 seconds
22 Views • 0 Comments
Screenshot showing Wordpress being deleted on an old GNU+Linux VPS.

“Most startup website companies I see seem to really like using WordPress for some reason, and as someone who knows how to code themes and set up sites in WordPress, I've grown a distaste for it the more I see it show up.”

Lily Winter (neko) - Why I Don't Like WordPress, originally designed for blogging, currently remains the top free software CMS platform, powering about 38% of websites. According to, whose number of online websites is quickly increasing: "There are over 1.5 billion websites on the world wide web today" but out of these sites, although, "less than 200 million are active."

WordPress-powered sites fall into both categories by the nature of its large user base.

With how fast the number of online websites increases, and for the sake of simplicity, I rounded the number of websites to the nearest 100 millionths, or 1,800,000,000. Applying WordPress's claim of 38% to this number will give us a total of 684,000,000 WordPress sites, many of which may not be up to date, an issue I have unfortunately seen with a lot of active and inactive WordPress sites alike.

Back when I used to home-host a server with Ubuntu LTS, which is a part of the reasons why I recommend against home-hosting servers), one of the things I used the server for was to run some personal and project websites. These sites used Freenom domain names, were served with either WordPress or styleless static HTML, along with Cloudflare's DNS, Proxy, and caching services. WordPress was still the best option I knew about at the time, and I did not know how to make good-looking and standard-compliant web pages for the life of me. It was easier to download and extract a .zip file and then speedrun through the famous 5-minute WordPress installation process, downloading a pre-existing theme, making either webpages or placeholder pages, and so on.

I was extremely fortunate to not get hacked, given the poor security choices that were made at the time. Unfortunately, many people and organizations alike are not as lucky. Regardless, millions of people decide to use WordPress for their sites. WordPress's millions of users is not necessarily an indicator that it is good, considering Facebook had over 2.7 billion monthly active users in the second quarter of 2020.

To test some theories, I decided to temporarily switch to WordPress. The transition process to WordPress from my self-made CMS ("Luna", formerly "Summit CMS") was as painful as I expected it to be since WordPress does not make importing from other platforms that easy. Regardless, it was done, and my site was now WordPress. I tried to set up the WordPress site to match how the site was with my CMS, but I quickly reached the platform's "limit". More and more plugins were added to compensate, and performance decreased quickly as a result. To fix this issue, I had to resort to various caching plugins, taking up more disk space than I had anticipated. A short while after the trial period abruptly ended, when something went wrong during an update, I switched the site back to Luna, uploaded the few new pages that were on WordPress but not the old site, and made the custom CMS the live site again.

If you are (or were) considering using WordPress for at least one or more sites, I recommend against doing so. Here are some reasons why you should not use WordPress for your sites.


WordPress is not exactly the most secure platform out there. Its open-source nature, along with its popularity, makes it a huge and easy target for attackers who can look through its source code to find vulnerabilities, and simply exploit them. By its very nature of being open-source, good users can also look through the code, find the same vulnerability, and submit a patch for it, but there's a really good chance most users are not going to look at WordPress's code, assuming there is no need to since "WordPress just works". Besides, it has been around since 2003, so it must be secure!

Over time, new features have been added. What we have now is a security nightmare, riddled with extra holes for plugins to add potentially essential features that WordPress surprisingly lacks, such as SEO (Search Engine Optimization) which I will cover more on later, minifying HTML, CSS, JS, optimizing content delivery for things such as JavaScript, images, et cetera, along with other issues. You can see we have just installed what was supposed to be a quick simple site, and a full install is already going to take more than 5 minutes.

Plugins & Themes

If WordPress itself is not bad enough, plugins and themes (yes, also the site themes) can put your site and your site/server data at risk. If you decide to go ahead with using WordPress, fully knowing the risks: good luck, and be incredibly careful with what you install. Just because a plugin or theme is in the official repository, just like with the Microsoft Store, Apple App Store, or Google Play Store, being included is not a guarantee they will be worth your time, or potentially safe to use.

Third-party repositories, which should be avoided anyway, typically do not take the same steps before allowing plugins and themes to be listed, leading to many low-quality listings or malicious plugins or themes. Using them can be a great way to find that your site got hacked and its data, login info, or other devices on the same network have been compromised. This may be worse for home-hosted servers, given the frequent lack of hardware firewalls, and a significantly larger chance of other devices containing personal information.

Look around a bit on the developer's website. Low-quality sites, unknown developers or developer names, no terms of use/service or privacy policy, or a lack of contact information are red flags you should look out for when looking for WordPress plugins and themes, like with any software.

All plugins and most functionality aside, a large aspect of a website is the design. Regardless of how you want to design your site, it is possible to use PHP to create a website with server-side functions. A basic PHP-based site can literally just be an included header, body, and a footer, like shown in the example below:

echo('<p>Hello, world.</p>'. PHP_EOL);

If you wanted to make the site more advanced, you can replace the html files with php files like so:

echo('<p>Hello, world.</p>'. PHP_EOL);

The more PHP scripts, however, the larger a site's potential attack surface becomes. Like with plugins, themes include additional PHP files. Many of these define page layout, but others can add theme-specific features and functions, define variables for use by other plugin/theme files, and more. If your theme uses low-quality code, all pages may load slowly, not respond properly, or have other problems that affect the site's user experience.

Over the last few days, I have been going through the code for my CMS and the webserver error logs to look for and "bash" any bugs and errors I found. The errors that needed to be fixed were mostly code issues, or sometimes, deprecated PHP functions. Fortunately for me, having full control over the codebase, I was able to swiftly fix the issues. For many WordPress users, however, given the size of WordPress, and the fact that there will most likely also be 3rd party themes and additional plugins, the codebase will grow larger than anticipated. Vetting the codebase for a WordPress site with all installed themes and plugins may become a difficult task.


Since WordPress is an open-source project, run by people that have their own plans, agendas, and/or choices for how they want the WordPress core or theme/plugin to work, future updates to the WordPress core may eventually break your once-functioning plugins and/or themes. As a result, themes and plugins will constantly need new updates, even if the offered features are not added or changed, for security and functionality. If you wanted to make your own plugins or themes for personal or in-house use, maintaining them can end up becoming time-consuming, or expensive if you are paying for professional-quality plugins and themes.

Even if you keep everything updated, you will eventually have plugins and/or themes break from or during updates. You do not have to worry; these breaks were technically out of your control since you or your company/organization does not maintain the program. However, it becomes your responsibility to fix the problem as soon as possible, even if it means forking plugins and themes, making a "temporary" fix, and then either trying to get your fix pushed upstream or waiting for the maintainers to create an "official" patch. Regardless of how you go about handling the issue, it should not have had to happen in the first place.

If I were to change the names of variables and functions, but not update any references to the variables or functions, portions of the site will break, and it would be my fault for doing poor maintenance. If WordPress's maintainers would change variable names or functions, and plugins and themes break as a result, it would be the webmaster's responsibility to try and fix the issue or remove the broken plugins and themes.


As written by Lily Winter (neko): "WordPress has horrible loading speeds," and that "most themes and add-ons are way too bulky, and poor knowledge about WordPress optimization combine to make most WordPress sites sluggish and slow." Slow websites have many negative effects. For example, research by Google found that 53% of mobile website visitors will leave if a webpage doesn't load within three seconds, and the average load time for sites is 19 seconds on a 3G connection and 14 seconds on a 4G connection.

Given 3G's and 4G's slow speeds, it is ridiculously hard to get a site to load within a desirable time frame. WordPress, as a bonus, also includes extra CSS for things like emojis, which may cause your site to slow down further. This can be avoided if you use a plugin to "remove" this potentially unneeded code, still causing the site to slow down in other ways.

Apart from the potential bulky code spaghetti of plugins and themes, or network-related slowdowns, your biggest problems may come from your server or web host itself. You will need to make sure that the connected MySQL databases, webserver software, and PHP applications are not using too many system resources. A past WordPress site I ran, unfortunately, ran into the issue where it was using up the VPS's available CPU and RAM, yet it still needed more of both. If CPU and RAM get used up, processes will slow down due to the bottleneck that formed from the lack of resources, and eventually, processes (including system processes) will start hanging, potentially causing more problems in additional areas.

For businesses and individuals alike, a slow site can cause a lot of damage to the overall user bases and customer bases, with many people potentially unwilling to return to your site.


WordPress as a platform feels like it is trying to use a "one size fits all" approach, by providing a bare-bones program, and relying on plugins and theme-based features for functionality. While this means slightly more personalized sites, it just shows that WordPress lacks essential features. Even if you get dozens of plugins to make up for these shortcomings, you may end up with the same issue that I always did with WordPress: you've reached the limit of what WordPress as a platform can do.

You can either start looking for existing plugins or make your own from scratch. Both of those are not ideal and may end up being expensive if you want to have more than a basic version of a freemium plugin that makes your site exactly like thousands or millions of other sites.

My custom CMS, like any other self-made CMS, proprietary or not, solves this issue in at least a few ways. The code is maintained by me and I'm proficient in my code, which makes it a lot easier to develop additional features without resorting to plugins and add-ons, additional features can simply get added into the core program, the code will not have surprise changes from any upstream groups that may not even fully understand the code they just contributed to, among many additional benefits.

Search Engine Optimization (SEO)

Neil Patel once wrote that "WordPress users alone publish over 2 million posts every day. That comes out to 24 blog posts every second. That means that users published around 216 blog posts while you were reading these five sentences. And that's only counting WordPress users. If we were to count all blog posts, that number would surely be higher." Patel continued by writing that "this makes it kind of tough to stand out," which is true, and "you have to if you want to make your blog a successful one."

For many, simply showing up on the first page of Google results is enough to make or break a business, personal blog, or other websites. The exact importance of SEO is a topic for another day, although, the important thing that needs to be focused on now is WordPress's lack of control over SEO or even the inclusion of essential SEO functionality altogether. Without fine control over SEO, even with one of the many freemium plugins available, full SEO is simply impossible. Without full SEO capabilities, it may become exceedingly difficult to get a good search ranking.


When I took over YourTilde, one of the first things I noticed was a long-time lack of updates for the server's OS and WordPress website. Both the OS and WordPress, as well as other programs, were all updated to the latest versions, and that was where problems started.

While seeming harmless to some people on IRC, the theme the site used received no updates since 2019, and its age was beginning to show. Multiple people advised against keeping the theme due to a lack of all updates, and it got replaced. Things were good for a bit, until a larger issue finally struck, leaving me unable to log on to the site. The issue was traced back by auto-generated emails reporting that a plugin Deepend had installed so YourTilde users can log in with their tilde usernames and passwords had stopped functioning. As a result, new logins could not happen. Fortunately, I was still logged in on a different PC and was able to go on there to remove the plugin. Unfortunately, for users, it removed their site login functionality, but technically there was no reason for them to log in anyways, as the logged-in only pages were getting phased out in exchange for generally-available pages that are more readily accessible to more people.

The limit of WordPress was once again getting reached. As more and more plugins started becoming more incompatible, more and more functions had to go. The displeasure that is left from the maintenance of a relied-upon plugin abruptly stopping is very understandable. Nobody wants to wake up and find that their site has broken.


Neko also wrote that "you can make a WordPress site that can handle a lot of traffic, but it takes too much effort and money to make it really worth it" and that "you'll most likely end up hiring an expensive WordPress expert, and it'll cost you almost as much as the rest of web development," which is also true. WordPress takes strategies to scale properly, and many users will not have a clue of what these strategies are.

No application or CMS can scale as well as static files, Luna included. My CMS is designed to be noticeably light on resources, but it still uses more than the site would if I used only static HTML files. In this case, low overhead is the tradeoff for functionality and SEO control. Unlike WordPress, it does not require third-party plugins for what should be considered as standard CMS functions.


Moving to WordPress was not necessarily easy, but I was able to copy and paste page content from the old site into WordPress's WYSIWYG (What You See Is What You Get) editor, which is a type of editing software that lets you edit content in a way that resembles the finished page or document. WordPress's editor automatically converts the HTML code in the clipboard into code usable by the WordPress editor. It is easy to convert pages to WordPress pages or posts, but harder to migrate from WordPress to another platform.

No matter if you want to switch to Jekyll, Hugo, Medium, a custom CMS, or any other CMS application, there would typically be some way or another to migrate between platforms. WordPress makes it easy to migrate only between different WordPress installs, excluding themes, plugins, et cetera. Additional work will always be involved unless you use a third-party plugin, which just goes back to the plugin issues.


While WordPress makes it easy to set up a basic website, the extra costs tend to outweigh the benefits in ways such as securing the site and keeping it secure, bloated plugins and themes, various parts of the site breaking during program updates, speed issues whether server-side or client-side, the server or host hanging and crashing if or when WordPress requires more resources than what you have available, the lack of essential features such as SEO, plugins breaking causing chain effects of problems, the difficult and expensive tasks required for scaling, and so on.

Using a custom CMS has its benefits, such as improved functionality, scalability, performance, security, design, usability, and can put you or your business in control of your own code. If you do not want to make your own program though, many great CMS platforms and static site generators already exist under some type of free software or open-source licenses.

With the number of programming languages, hosting options, and the general availability of cloud-based servers, the possibilities are virtually endless when it comes to creating or using a better CMS for a better website.