Is WordPress the Right Tool for Your Business Site?

Discover why an unmaintained CMS is an open security risk, and how shifting to a static HTML setup can slash your infrastructure costs and maintenance overhead.

When WordPress Is the Right Tool, and When It Is Not

We do a lot of work on WordPress sites. We also sometimes recommend that clients move off WordPress entirely. Both pieces of advice come from the same principle: the right tool depends on what the website actually needs to do. WordPress is powerful and flexible, but that power has ongoing costs, and not every site needs to pay them.

Two recent projects make the case better than any abstract argument would. In one, WordPress was clearly the right tool, and the work was to make it safe again after years of neglect. In the other, WordPress was the wrong tool from the start, and the right answer was to replace it with something far simpler.

The case for WordPress, done properly

A nonprofit came to us after their website had been hacked. Random visitors were being redirected to malicious sites, and the source of the problem was not obvious at first because the malicious code was hiding inside the database rather than the files. That is a common pattern with WordPress compromises, and a deliberately sneaky one. Such hacks are very hard to detect since the code only activates occasionally, and most security scans focus on file integrity and completely miss it.

When we audited the site we found the cause. The attackers had used an SQL injection vulnerability that had been left open for a long time, because the WordPress core, the theme, and several plugins had not been updated in months. There were no backups to restore from, so a clean rollback was not an option. We had to clean what was there.

The recovery took time. We worked through the file system carefully, auditing each piece of code, then updating it. Then we went through the database row by row, meticulously sanitizing every entry that had been touched and confirming the site was clean before bringing it back online.
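A review pass of the kind described above, for code stored in the database rather than in files, can be sketched as follows. This is an added example, not the tooling used on the project: the allowlisted hosts, the patterns and the sample rows are assumptions constructed for illustration, and sqlite3 stands in for the MySQL database a real WordPress site uses.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts or frames from.
ALLOWED_HOSTS = {"nonprofit.example", "www.nonprofit.example"}
# Stock WordPress tables holding stored markup ("wp_" is the default prefix).
TARGETS = [("wp_posts", "ID", "post_content"), ("wp_options", "option_name", "option_value")]
SRC_RE = re.compile(r"<(?:script|iframe)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
OBFUSCATION_RE = re.compile(r"eval\s*\(|atob\s*\(|String\.fromCharCode|base64_decode\s*\(", re.I)
REDIRECT_RE = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|http-equiv\s*=\s*[\"']?refresh", re.I)

def findings_for(text):
    """Return the reasons a stored value needs manual review."""
    reasons = []
    for url in SRC_RE.findall(text):
        # Protocol-relative URLs get a scheme; relative paths have no host.
        host = urlparse("https:" + url if url.startswith("//") else url).hostname
        if host and host not in ALLOWED_HOSTS:
            reasons.append(f"external src: {host}")
    if OBFUSCATION_RE.search(text):
        reasons.append("obfuscation primitive")
    if REDIRECT_RE.search(text):
        reasons.append("client-side redirect")
    return reasons

def scan(conn):
    """Check every row of the target columns; return (table, key, reasons)."""
    hits = []
    for table, key, col in TARGETS:
        for row_key, value in conn.execute(f"SELECT {key}, {col} FROM {table}"):
            reasons = findings_for(value or "")
            if reasons:
                hits.append((table, row_key, reasons))
    return hits

def build_sample_db():
    """Constructed rows; sqlite3 stands in for the site's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, "<p>Join our spring fundraiser.</p>"),
        (2, '<p>Recap</p><script src="https://cdn.unknown.example/c.js"></script>'),
        (3, '<script src="/wp-includes/js/jquery/jquery.min.js"></script>')])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("blogname", "Example Nonprofit"),
        ("widget_text", '<script>eval(atob("PLACEHOLDER"))</script>')])
    return conn
```

Calling `scan(build_sample_db())` flags post 2 and the `widget_text` option and leaves the relative jQuery include alone. Hits are candidates for manual review, not verdicts, since legitimate embeds and plugin settings can match the same patterns.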

The recovery was the easy part to talk about. The harder, more important part was making sure this could not happen again. We set up automated backups so a future incident is a setback rather than a disaster. We tightened the file system permissions so even a compromised account cannot rewrite the parts of the site it should not be touching. And we moved the site to a hosting setup configured properly for WordPress, with the security and update controls a site like that needs.
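The permission tightening mentioned above can be checked with a small audit like the one below. It is an added example, not the configuration applied on the project: the rule set (nothing world-writable, group write only under `wp-content/uploads`, `wp-config.php` not readable by others) and the sample tree are assumptions.

```python
import os
import stat

# Assumption: the only path, relative to the WordPress root, the CMS must write to.
WRITABLE_OK = ("wp-content/uploads",)

def audit_permissions(root):
    """Return sorted (relative path, octal mode, problem) for risky mode bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            cms_writes = any(rel == p or rel.startswith(p + "/") for p in WRITABLE_OK)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif mode & stat.S_IWGRP and not cms_writes:
                findings.append((rel, oct(mode), "group-writable outside uploads"))
            if rel == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, oct(mode), "wp-config.php readable by others"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed layout with deliberately mixed modes, for demonstration."""
    layout = {
        "wp-config.php": 0o644,
        "index.php": 0o644,
        "wp-content/uploads/logo.png": 0o664,
        "wp-content/plugins/forms/forms.php": 0o666,
        "wp-content/themes/site/functions.php": 0o664,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)  # independent of umask
```

Mode bits alone do not show which account owns the files, so a real audit also needs to confirm that the web server user is not the owner of the code it serves.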

WordPress works well for this nonprofit. They publish regularly, have multiple people editing content, and benefit from the wider ecosystem of plugins for things like donations and event registration. The CMS earns its keep. What was missing was the maintenance discipline that WordPress requires. Once that was in place, the site became a working tool again rather than a liability.

The case against WordPress, when it does not earn its keep

A small consulting business came to us wanting a redesign. Their site was running on WordPress with a very basic homepage. The whole purpose of the site was to introduce the business and funnel visitors to either send a contact request or visit the social media pages. That was it. A handful of pages, almost no content updates, no commerce, no logins, no plugins doing anything specific.

Our recommendation was to stop using WordPress entirely. Not migrate, not upgrade, not redesign within it. Drop it.

We built them a new site as plain HTML and CSS. Colorful, modern, fast, with the contact form handled by a third-party service the way most modern small-business sites do it. No database. No CMS to log into. No core software to keep updated. No plugins to audit. No attack surface beyond the static files themselves, which sit on a server with nothing to compromise.

The result is a site that loads almost instantly, costs less to host, and requires effectively zero ongoing maintenance. The business owners do not need to remember to log in and apply updates. There is no admin panel for someone to brute force their way into. If they want to change something, they ask us and we change it, which for a site that changes a few times a year is far cheaper than the cumulative cost of running and securing a CMS the business never actually needed.

WordPress was the wrong tool for them. It was the wrong tool the moment the original site was built. Replacing it with the simplest thing that does the job removed a category of problem they did not realize they had.

The principle

The point of these two stories taken together is not that WordPress is good or bad. It is that the question to ask first is whether you need a content management system at all. If you do, WordPress is a fine choice, but you have to budget for the work it requires: regular updates, automated backups, sensible hosting, monitoring, and proper file system permissions. Skipping that work is how the nonprofit ended up where they did.

If you do not need a CMS, you do not have to use one. A simple business site with a handful of pages and a contact form does not need a database, an admin panel, or a plugin ecosystem. Plain HTML and CSS, with one or two well-chosen third-party services for the dynamic parts, is faster, cheaper, and far more secure than any CMS could be for that use case, because there is almost nothing for an attacker to attack.

The wrong answer is the middle ground we see most often: a CMS that the business does not maintain, hosting that is not configured for it, and a site that runs without proper care until something eventually breaks. That is the failure mode both stories above share, even though they ended in different places. Either commit to maintaining the CMS properly, or do not have one in the first place.

Want help with this?

If you run a WordPress site and you are not certain whether the maintenance discipline behind it is what it should be, we offer a WordPress security check. We look at how the site is updated, backed up, hosted, and locked down, and tell you honestly where the gaps are, including whether WordPress is the right fit for what your site needs to do. If you want one, or need help switching away from it, get in touch.
