WordPress Worries and Warnings
Originally developed as a personal blogging platform, this content management system (CMS) has gained popularity as a standard website builder. These days, WordPress is ok as a DIY website - great for those who want a simple website they can maintain themselves, mainly for personal use. You can launch your website without any knowledge of coding.
Unfortunately, just because something is popular doesn't mean it's good. WordPress gained popularity because the average Joe can easily* start a website, load a theme, and get things running. WordPress themes are readily available (free or paid) as well as plugins, which are necessary to do just about anything with the website. Do you want a banner, contact form, or anything a normal website has? Get a plugin.
Ok, so you can get themes and plugins and have a website - that's great, right? This is where the headaches can begin. Average Joe is naive, which is ok - it's difficult to realize why/how themes and plugins could ever cause an issue. They do the job (visually). Let's begin with a few of the major issues.
Issue #1: Security
Themes and plugins are developed by people. These could be literally anyone - from seasoned, well-established programmers to random, inexperienced coders trying to make a few bucks. In either case, installing multiple 3rd-party plugins has now opened up multiple points of vulnerability. Even a disabled plugin has the same vulnerabilities. "According to statistics From 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks."**
Here are a few of the major WordPress plugin bugs that were recently disclosed:
- A vulnerability in ThemeGrill Demo Importer, installed on more than 200,000 sites, resets the site's content to zero, effectively wiping the website.
- Wordfence revealed an issue in the WP Database Reset plugin, installed on more than 80,000 sites.
- A stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin, used by more than 700,000 sites.
- A CSRF-to-RCE vulnerability in the Code Snippets plugin, used by more than 200,000 sites.
- An authentication bypass bug in the InfiniteWP plugin, used by more than 300,000 sites.
- A vulnerability in "Popup Builder" (up to version 3.63), used by over 60,000 sites, allows attackers to steal information and even potentially take full control.
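Two points above lend themselves to a routine check: a disabled plugin is still on disk, and a bug such as the Popup Builder one is bounded by a version number. The following is an added example, not code from WordPress or from this article; it inventories a plugin directory by reading each plugin's header comment. The `active` set, the sample plugin tree and the "Contact Form X" plugin are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Header fields WordPress reads from the comment block of a plugin's main file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)
# From the list above: "Popup Builder" is affected up to version 3.63.
AFFECTED_UP_TO = {"Popup Builder": "3.63"}

def version_key(v):
    """Turn '3.63' into (3, 63) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def read_header(php_file):
    """Return (name, version) from a plugin header, or None if absent."""
    head = php_file.read_text(errors="replace")[:8192]
    fields = {k.lower(): v for k, v in HEADER.findall(head)}
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "0")

def audit(plugins_dir, active):
    """List every plugin found on disk, active or not, with risk flags.

    `active` is the set of plugin folder names the site reports as
    activated (an assumed input, supplied by the caller)."""
    report = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if header is None:
            continue  # helper file, not the plugin's main file
        name, version = header
        limit = AFFECTED_UP_TO.get(name)
        report.append({
            "name": name,
            "version": version,
            "active": php.parent.name in active,
            "affected": bool(limit) and version_key(version) <= version_key(limit),
        })
    return report

def demo():
    """Constructed plugin tree: one active plugin, one deactivated one."""
    root = Path(tempfile.mkdtemp())
    for slug, name, ver in [("contact-form-x", "Contact Form X", "1.2.0"),
                            ("popup-builder", "Popup Builder", "3.49")]:
        (root / slug).mkdir()
        (root / slug / f"{slug}.php").write_text(
            f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return audit(root, active={"contact-form-x"})
```

Any entry with `active` false is a candidate for deletion rather than deactivation, and any entry with `affected` true needs an update regardless of its activation state.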
Issue #2: Compatibility
WordPress is constantly updating. Themes and plugins do not always keep pace - it's up to each developer to keep up with this. It's possible that your plugin will stop working all of a sudden. Also, plugins may not play nice with other plugins. One can break the next, or two together can break the website. It's a mess and a pain to even think about. Also, if your theme itself breaks, and the developer no longer supports it, there's nothing you can do - you basically need a brand new website.
Issue #3: Unbelievably Slow
Having to load the theme and all these plugins slows down a WordPress website to a crawl. As a developer, it's amazing to see and measure how bad this really is. A quick test for a simple website shows almost a full 10 seconds to load (140 requests, 9MB transferred)! Obviously this comes to a crawl on a mobile device. This website scores a 4 out of 100 in Google's PageSpeed Insights. This is a serious issue for the end user and for search engines. A slow website tells search engines that the website will make a visitor wait - a signal not to bring the visitor here.
Issue #4: Not Search Engine Friendly
Based on the inherent structure of WordPress, it is not search engine friendly - something that should concern just about all of us. The structure doesn't allow search engines to easily understand what the page is about. Combined with the slow loading times, a WordPress website is really hurting itself. But, there are ways to improve your WordPress website's SEO - can you guess how? ...use a plugin.
It's no surprise that (in almost 20 years) WordPress has never been (and never will be) acquired by a larger corporation like Microsoft, Google, etc. Despite its popularity and money-making potential, corporations know how dangerous and vulnerable this platform really is. As a developer, I have never recommended this platform to any of my clients. Also, I have received countless phone calls to fix quite a few WordPress websites that are broken, have been hacked, etc. I had to completely redevelop a website for one customer who had a hacked theme right out of the box.
*"Easily" is relative: there is a learning curve for WordPress, and it takes some time to get used to.
**Article title sourced directly from wpwhitesecurity.com; https://www.wpwhitesecurity.com/statistics-70-percent-wordpress-installations-vulnerable/
Need more? Here are just a few links (or please Google "wordpress vulnerabilities") for much more information:
- https://www.wpwhitesecurity.com/statistics-70-percent-wordpress-installations-vulnerable/
- https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html
- https://www.zdnet.com/article/thousands-of-wordpress-sites-backdoored-with-malicious-code/
- https://firstsiteguide.com/tools/free-fsg/hacked-dangerous-vulnerable-wordpress-plugins/
- https://www.zdnet.com/article/wordpress-vulnerability-affects-a-third-of-most-popular-websites-online/
Did your WordPress website get hacked? Is your WordPress website down or disabled? We’re here to help! Contact Double-Time today to discuss getting your website back up and running asap.
A real WordPress website's page speed test results - 4 out of 100. Source: Google PageSpeed Insights (screenshot)
A real WordPress website loading too many resources, taking almost 10 seconds to finish. Source: Google Chrome Developer Tools (screen shot)
CVE Details website showing a list of known WordPress security vulnerabilities (294 at time of this posting). Source: https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html