By Zack Davies

Should you get a new WordPress website?

July 24th, 2024
6 min read

For many of our clients, WordPress is the default choice for their next website. But is it really right for you?

This article will be, I'm afraid, an example of Betteridge's Law of Headlines: "Any headline that ends in a question mark can be answered by the word no". As a long-term WordPress hater I could make this article go on for a very long time, but I'm going to restrict it to one particular aspect of WordPress: security updates.

I spend most of my time at Logic+Magic developing with a content management system called Drupal, with which I have a love-hate relationship. Both Drupal and WordPress are open-source community projects, but I would sum up their difference as follows: The problem with WordPress is that its developers don't talk to each other, and the problem with Drupal is that they do.

There's an easy rule of thumb for telling whether Drupal development is above board and suitable for the development community to use: Is it represented on the drupal.org domain? Drupal.org functions as a hub for Drupal development, providing tools for developers to discuss issues, manage their code, test their changes and give everyone a full overview of what's happening, all free of charge.

Fostering communication via drupal.org is a double-edged sword. On the one hand, developers can respond quickly to newly discovered security threats, release fixes quickly, and have some measure of confidence that everyone who needs to know about an issue does. On the other hand, fixing less important issues can feel like an endless committee meeting, sometimes taking years. Drupal can feel very slow and steady, but as a developer or customer, this should feel preferable to playing fast and loose with your changes.

The plugin problem

By contrast, WordPress development often seems to take the following form: Honest John's Plugin Company sets up their own website where they charge you $50 for a WordPress plugin that may or may not do what you want it to, with assurances that developers will fix any issues you flag up. It might be good work, and it might be worth the money. Or it might not. But while Drupal has a security team that tries to alert developers to potential vulnerabilities, you have to trust that Honest John will find out about, and fix, any new problems with their code. Additionally, it is not standard for there to be any charge for community Drupal code.

Every time you log on to a WordPress site, even if you've just updated everything, you will probably be told that there are more updates. Worse, there will probably be no indication of whether the updates are related to security - you will just be told that they are updates, and updates are always urgent. Therefore, you will be in a constant state of tension between two motivations:

  1. Update everything so things work 'better',

  2. If it ain't broke, don't fix it

Contrast this with Drupal, which will tell you which specific updates are related to security, together with links to pages on drupal.org giving details about the problem. It's important to note that not all security updates are the end of the world - often, a security issue is only dangerous in very specific cases. Nonetheless, if we at Logic+Magic see a security update, we apply it.

But back to WordPress. Now that you know your WordPress site has updates, how do you upgrade? It's simple. Log in and click the buttons that say "Upgrade". Handy, right? But wait - it's a trap! What happens if the upgrades break your site? Firstly, you can't un-click the button. Secondly, depending on how broken your site is, there might not be any working pages with buttons to click!

If breaking your site by clicking a button is too much work, you can enable automatic WordPress updates, which can download untested code and break your site without any human intervention at all. I use the word "untested" to mean "untested when used with your particular site", but there are no solid guarantees about how much testing the plugin developer has done, either.

A robust update process is a must

Here at Logic+Magic we do things in a more professional manner. We try to follow the same process for every change we release, whether it's an update or a new feature:

  • A developer makes changes to a version of the site on their own computer

  • They check their changes into version control, i.e. they save their changes to the project as a separate set of changes that aren't yet confirmed as correct

  • A different developer signs off on the code changes and they are merged to the development "branch" of the project

  • These changes are released to a development site with no connection to the production site

  • Changes are checked on the development site

  • The changes from the development branch are used to create a release, and the final changes are signed off by another developer before being released to production.

Even this is an imperfect process, but if anyone tells you WordPress is easy to maintain, this is why - it lets you sidestep these best practices.

So while it can be quick and cheap to build a WordPress site, it puts you in a situation where you are forced to patch more frequently than you need to, accruing more billable time with each set of updates. It's a false economy, and when a developer building a site likes false economies, it makes one wonder what other corners have been cut.

I am being very harsh on WordPress, and it is of course possible to develop and run WordPress sites in a sensible fashion. We do so ourselves. The phrase "The customer is always right" was coined in order to explain that businesses should supply what customers ask for, not that the customers are making good decisions. And I won't deny that WordPress sites can look very pretty and offer a good editing experience. But hopefully I've given you a sense of why you should build your sites on a platform with a firmer foundation. There's a whole world of content management systems out there - don't just settle for what you know.

Zack Davies

Developer

Zack has been a Drupal developer since the late 2000s, covering diverse areas of development such as financial reporting, API integration, cloud infrastructure and deployment management.