WordPress has been used to build websites continuously since 2003. During this time it has gained the status of the most universal, flexible, almost ideal solution in the field of web design. Many programmers call it the No. 1 CMS in the world. Are they right?
In this post I will present my own observations on implementing projects with this solution. They are conclusions drawn from involvement in many projects, both those created in-house and those we took over as technical support.
- What is WordPress really and why is it so popular?
- Anyone can implement a WordPress site, but not everyone can do it well
- WordPress has many advantages. However, it can also cause many unexpected problems.
What is WordPress?
WordPress is by far the most popular content management system (CMS) in the world. It is free software built on PHP and MySQL. Its creators originally designed it as a blogging tool. Over time, however, thanks to the large community around the project, it has evolved into a general-purpose CMS. It is known for its versatility, to such an extent that to this day it is used to build:
- Blogs
- Websites
- Internet shops
- Landing pages
- Information services
- Other uncomplicated applications
I am convinced that you have read content on a website built with this tool many times. That is simple statistics: according to a W3Techs study, WordPress holds as much as 64.3% of the CMS market share (as of September 23, 2022).
WordPress has a very intuitive interface. The user can manage posts (news), static pages, media and users. In addition, it allows you to create so-called taxonomies within these elements. Until recently it shipped with an editor resembling classic Word; today, however, its main content-editing tool is the Gutenberg editor.
Gutenberg contains a number of predefined blocks, so editing content consists of clicking the appropriate block (a paragraph, heading, image, etc.) and then filling in the content within the selected block. These blocks are automatically converted to HTML and displayed on the page. In practice it is a very pleasant solution. But what if we need non-standard blocks?
Plugins, themes, filters and actions
When the features offered by WordPress are no longer enough, then… Plugins! And there are plenty of them.
Plugins are the main reason why WordPress is so popular. There are plugins for forms, graphics, SEO, and even for removing so-called "orphans" in text. Literally for everything! And each of them affects how efficient WordPress is. Each plugin attaches its own logic to so-called actions and filters (hooks) fired by the core and the theme. This means that each plugin performs at least one additional operation.
For example, consider a freshly installed project. Did you know that every time the page is refreshed, 61 actions and 238 code-modifying filters are triggered? And that is just a "clean" installation, without a single plugin!
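To see the mechanism behind those numbers, here is an added example (not code from the original post or from WordPress itself): a must-use plugin that attaches one action and one filter the way any plugin does, and then uses the core 'all' hook to count every action and filter invocation during a request and log a summary at shutdown. The "mits_" names are assumptions; the hooks used (`all`, `shutdown`, `wp_footer`, `the_title`) and the `$wp_actions` global are WordPress core.

```php
<?php
/**
 * Plugin Name: Hook Counter (added example)
 *
 * Added example, not part of the original post or of WordPress. Drop this
 * file into wp-content/mu-plugins/ and it will write one line per request
 * to the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is enabled)
 * saying how many action and filter calls fired and which hooks were busiest.
 */

// What every plugin does in miniature: an action adds a side effect,
// a filter receives a value and must return it (possibly modified).
add_action( 'wp_footer', function () {
    echo "<!-- rendered by the hook-counter example -->\n";
} );

add_filter( 'the_title', function ( $title ) {
    return $title; // unchanged, but the call itself still costs a function invocation
} );

// Per-request counters: hook name => number of times it fired.
$GLOBALS['mits_hook_counts'] = array();

// Core fires 'all' before every do_action() and apply_filters() call;
// the first argument passed to the callback is the name of that hook.
add_action( 'all', function ( $hook_name ) {
    if ( ! isset( $GLOBALS['mits_hook_counts'][ $hook_name ] ) ) {
        $GLOBALS['mits_hook_counts'][ $hook_name ] = 0;
    }
    $GLOBALS['mits_hook_counts'][ $hook_name ]++;
} );

// At the very end of the request, split the totals into actions and filters.
// Core records every action name in the global $wp_actions, so a hook that
// is absent from it was fired through apply_filters().
add_action( 'shutdown', function () {
    global $wp_actions;
    $counts  = $GLOBALS['mits_hook_counts'];
    $actions = 0;
    $filters = 0;
    foreach ( $counts as $hook => $n ) {
        if ( isset( $wp_actions[ $hook ] ) ) {
            $actions += $n;
        } else {
            $filters += $n;
        }
    }
    arsort( $counts );
    $top = array_slice( $counts, 0, 5, true ); // five most frequently fired hooks
    error_log( sprintf(
        '[hook-counter] %s: %d action calls, %d filter calls, %d distinct hooks; top: %s',
        sanitize_text_field( $_SERVER['REQUEST_URI'] ?? '/' ),
        $actions,
        $filters,
        count( $counts ),
        wp_json_encode( $top )
    ) );
}, PHP_INT_MAX ); // run after every other shutdown callback so they are counted too
```

Compare the logged line on a clean installation with the line after activating each plugin: the growth in call counts is the "additional operation" cost the paragraph describes. The counter itself adds a function call per hook, so remove the file once you have the measurement.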
Is WordPress difficult?
For implementing simple websites, WordPress is not particularly difficult to learn. With the help of the Gutenberg editor, anyone without much knowledge of programming can create their own blog or a basic website. However, as the complexity of the project requirements grows, the difficulty of implementing it in WordPress increases significantly.
Knowledge of PHP is the absolute minimum for building pages on this CMS. And although the WordPress core itself is very well secured (here, in my opinion, public access to the REST API should be turned off by default; see "Black hole. Rest api and WordPress"), the real problem arises when using untested plugins or your own implementations. But more on that a bit later.
What are the advantages of WordPress?
The absolute strength of this CMS is that it is released under an open source license. The result is a very large community gathered around the project. In effect:
- Many plugins are created, reducing the cost of software development (many ready-made solutions),
- Everyone has access to the code and can contribute their own improvements,
- There are many specialists on the market (but also people who merely consider themselves specialists).
Undoubtedly, the popularity and intuitiveness of this software are its main advantages. But are we sure they do not obscure the disadvantages that affect the final performance of the page?
What are the downsides of WordPress?
WordPress, despite its popularity, also has some significant drawbacks. And although these disadvantages can easily be eliminated once you are aware of them, I often encounter situations in which the implemented website is not optimized, is inadequately secured and/or is not ready to work with integrated solutions. In my opinion, the most important problems are:
- Suboptimal table structure in the WordPress database
- Forms are not secured by default
- Invalid response codes from the API
- Use of visual editors
Table structure in WordPress
By default, the WordPress database consists of 12 tables. As long as the site is not too extensive, that is not a problem at all.
The problem appears when at least one of two basic scenarios occurs:
- The site map grows very large
- An excessive number of plugins is installed
Why are these a problem? Well, despite having 12 default tables, WordPress puts most of its data into just two: wp_posts and wp_postmeta. This applies to most of the site's content, to media, and to additional fields created during development (e.g. by plugins). Entries are distinguished by the post_type column, and their attributes are stored in the wp_postmeta table.
What is the effect? With each new entry, several records are created in wp_posts (content, media, custom post types), and each of them is supplemented with a certain number of attribute rows in wp_postmeta.
The result is slower and slower database queries. It often happens that a programmer unaware of the problem writes a plugin that queries such a database on every page load. So when, for example, the WooCommerce (store) plugin has been installed, thousands (tens of thousands?) of products have been added, the store gets a lot of traffic, and on top of that an inefficient query displaying some parameters has been written, the result is an explosive mixture that prevents normal use of the website (online store).
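As an added example (not code from the original post, from WordPress or from WooCommerce), the two functions below show the pattern just described next to a cheaper alternative. The slow one scans wp_postmeta by meta_value, a LONGTEXT column that core does not index, so MySQL reads the whole table; the better one narrows the join by the indexed meta_key, limits the result and caches it in a transient so the query runs once every ten minutes instead of once per page view. The "mits_" names, the meta key '_mits_featured_rank' and the use of the 'product' post type are assumptions for illustration.

```php
<?php
/**
 * Added example, not part of the original post, WordPress or WooCommerce.
 * Assumes products carry a numeric '_mits_featured_rank' meta row.
 */

// Problem pattern: a per-request scan of wp_postmeta by meta_value.
// meta_value is unindexed LONGTEXT, so with tens of thousands of products
// (each with a dozen meta rows) every page view walks the entire table.
function mits_featured_product_ids_slow() {
    global $wpdb;
    return $wpdb->get_col(
        "SELECT p.ID
           FROM {$wpdb->posts} p
           JOIN {$wpdb->postmeta} m ON m.post_id = p.ID
          WHERE p.post_type = 'product'
            AND m.meta_value LIKE '%featured%'"
    );
}

// Better: filter by the indexed meta_key, restrict to published products,
// cap the result, and cache it; $wpdb->prepare() keeps the values escaped.
function mits_featured_product_ids() {
    $cached = get_transient( 'mits_featured_ids' );
    if ( false !== $cached ) {
        return $cached; // served from the options table / object cache
    }

    global $wpdb;
    $ids = $wpdb->get_col( $wpdb->prepare(
        "SELECT p.ID
           FROM {$wpdb->posts} p
           JOIN {$wpdb->postmeta} m ON m.post_id = p.ID
          WHERE p.post_type = %s
            AND p.post_status = 'publish'
            AND m.meta_key = %s
          ORDER BY CAST(m.meta_value AS UNSIGNED) ASC
          LIMIT %d",
        'product',
        '_mits_featured_rank',
        12
    ) );
    $ids = array_map( 'intval', $ids );

    set_transient( 'mits_featured_ids', $ids, 10 * MINUTE_IN_SECONDS );
    return $ids;
}

// Drop the cache whenever a product is saved so the list never goes stale
// for longer than one save; save_post_{post_type} is a core hook.
add_action( 'save_post_product', function () {
    delete_transient( 'mits_featured_ids' );
} );
```

Running EXPLAIN on the two statements in MySQL makes the difference visible: the first shows a full scan of wp_postmeta, the second a lookup through the meta_key index. The same two rules (query only indexed columns on every request, cache anything that does not change per visitor) apply to any plugin that reads wp_postmeta during page rendering.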
There is no default form security
It was not uncommon for us to work on inherited projects that made various kinds of AJAX (asynchronous) requests to the WP backend. This is normal practice for achieving dynamic data processing without reloading the page.
And depending on how aware the programmer was of the threat, they may or may not have secured the transmitted data against one of the most common threats in web applications: SQL injection.
By default, WP functions do not secure this data in any way. An unaware programmer can therefore accept the data as it is and process it further (e.g. contact details). When a user decides to send code instead of contact details, they may, for example, gain access to data in the database. From there, as you may have guessed, it is a short road to catastrophe.
Invalid response codes from API
This problem often arises in situations similar to the form case.
The backend's job is to answer a request with the appropriate status (for simplicity: 2xx means success, 4xx-5xx means failure, where x is a digit 0-9). What goes wrong? When working with such functions, we often see a situation in which we process a form, send it to the backend and, despite an error (e.g. a validation failure), receive code 200. As a result, we get a response saying the form was sent, accompanied by a message such as "incorrect e-mail". Based on the status, the user is shown a message that everything was fine. However, the message will never reach the addressee...
{
  status: 200,
  message: "Invalid email"
}
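The following added example (not code from the original post) covers both of the last two sections: it shows an admin-ajax contact-form handler written the unsafe way, with raw $_POST values concatenated into SQL and a 200 status sent even on validation failure, next to a hardened handler that checks a nonce, sanitizes and validates every field, lets $wpdb build the INSERT, and reports failures with 4xx/5xx statuses. The action name 'mits_contact', the 'mits_contacts' table, the nonce name and the field names are assumptions; `check_ajax_referer`, `sanitize_email`, `is_email`, `$wpdb->insert`, `wp_send_json_error` and `wp_send_json_success` are WordPress core functions.

```php
<?php
/**
 * Added example, not part of the original post. Assumes a custom table
 * {$wpdb->prefix}mits_contacts(email, message, created) and a form that
 * posts to admin-ajax.php with action=mits_contact.
 */

// UNSAFE pattern (shown for contrast, deliberately not hooked anywhere):
// untrusted input goes straight into SQL and every answer is HTTP 200.
function mits_contact_unsafe() {
    global $wpdb;
    $email   = $_POST['email'] ?? '';
    $message = $_POST['message'] ?? '';
    if ( ! is_email( $email ) ) {
        // Status stays 200, so the front-end code treats this as success.
        wp_send_json( array( 'status' => 200, 'message' => 'Invalid email' ) );
    }
    // A quote in $message changes the statement: classic SQL injection.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}mits_contacts (email, message)
                   VALUES ('$email', '$message')" );
    wp_send_json( array( 'status' => 200, 'message' => 'Sent' ) );
}

// HARDENED handler.
function mits_contact_safe() {
    global $wpdb;

    // 1. Require the nonce printed into the form with
    //    wp_nonce_field( 'mits_contact', 'mits_nonce' ); a bad nonce dies with 403.
    check_ajax_referer( 'mits_contact', 'mits_nonce' );

    // 2. Sanitize, then validate, before the values are used anywhere.
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        // 3. A validation failure is a client error: say so in the HTTP status.
        wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
    }
    if ( '' === $message || strlen( $message ) > 5000 ) {
        wp_send_json_error( array( 'message' => 'Message missing or too long' ), 400 );
    }

    // 4. $wpdb->insert() builds and escapes the statement from typed values;
    //    no string concatenation of user input.
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'mits_contacts',
        array(
            'email'   => $email,
            'message' => $message,
            'created' => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
    if ( false === $inserted ) {
        wp_send_json_error( array( 'message' => 'Could not save message' ), 500 );
    }

    // 5. Success carries a 2xx status and a body the front end can trust.
    wp_send_json_success( array( 'message' => 'Sent' ), 201 );
}

// Register the hardened handler for logged-in and anonymous visitors.
add_action( 'wp_ajax_mits_contact', 'mits_contact_safe' );
add_action( 'wp_ajax_nopriv_mits_contact', 'mits_contact_safe' );
```

With the hardened handler the browser-side code can branch on the HTTP status alone (`response.ok` in fetch), which is exactly what the 200-with-error pattern above makes impossible. `wp_send_json_error` defaults to status 200 when the second argument is omitted, so passing the code explicitly is the important part.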
Failure to secure default API endpoints
A standard WordPress installation exposes public endpoints from which basic data can be pulled. The problem, however, is that in addition to public data such as pages or blog posts, it is also possible to download the list of admin panel users. All you need to do is request the endpoint:
/wp-json/wp/v2/users
and we get their list. From there, a brute-force attack can be attempted, either at the browser login page or through another endpoint, for example with the command:
curl -X GET --user username:password -i http://yoursite.com/wp-json/wp/v2/posts?status=draft
If any attempt returns results, we know we have hit the login credentials and can perform any operation on the other protected endpoints.
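Two ways to close the user listing described above, as an added example that is not code from the original post or from WordPress: a targeted filter that removes the users routes for visitors who are not logged in, and the blanket approach the post recommends, which refuses every unauthenticated REST request. Both filters (`rest_endpoints`, `rest_authentication_errors`) are WordPress core; the 'mits_' names and the error message text are assumptions.

```php
<?php
/**
 * Added example, not part of the original post or of WordPress.
 * Put it in a small mu-plugin; enable one option or both.
 */

// Option 1 (targeted): drop every /wp/v2/users route for anonymous requests.
// Logged-in editors keep it, because the block editor uses it for author
// and user pickers. Anonymous callers now receive 404 "rest_no_route".
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Option 2 (blanket): require authentication for the whole REST API.
// This is what "turn off public access to the API" means in practice.
// It also blocks plugins that serve anonymous visitors over REST (some
// contact-form and search plugins), so test the front end after enabling.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // A previous callback already produced a decision (true or WP_Error).
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'mits_rest_not_logged_in',
            'Authentication is required to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

To verify, repeat the request from the section above without credentials: with option 1 the users endpoint answers 404, with option 2 every /wp-json/ route answers 401 (the index and all public content included). The brute-force half of the problem is separate and needs its own controls, such as limiting failed login attempts and requiring strong passwords for every panel account.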
Visual editors
When graphic templates based on visual editors became extremely popular, their incorrect implementation made websites, on top of the problems mentioned earlier, even less efficient.
Visual editors, by their very structure, add a huge amount of redundant HTML to the output, which makes attempts at search engine positioning of such a website ineffective. It turns out that even the largest budget allocated to search engine optimization may not bring the expected results: Google simply does not like slow pages.
What alternative to WordPress?
Calling WordPress the "No. 1 CMS in the world" is, in my opinion, a huge overstatement. Of course, it is second to none when it comes to popularity. However, popularity is not what determines whether it is the best solution for companies. Incompetent use of WordPress's advantages can often result in positioning errors or even a website that never appears in search results for the phrases we want.
Over the years, we at Mits have used a really wide range of CMSs, and we can say that we have finally found one that meets all our requirements. Unfortunately, it is not that popular, which is why many of our clients (perhaps including you 😉) are reluctant to switch to it. However, we know that it has all the features that characterize WordPress (and more!) and at the same time is much more efficient.
So I decided to share my opinions on WordPress with you, and in the next post I will present our proposal. A proposal that changed our approach to creating websites.
Update:
PS: The cobbler's children have no shoes. But not us. At Mits we are already using what is, in our opinion, the best CMS at the moment. Meet Sulu! 😉