

Why we stopped using WordPress?



The WP problem in plain English

Released: 30 May, 2018

WordPress is a prevalent CMS solution so it can't be ignored without becoming the elephant in the room. Indeed, you may be curious why we don't pitch WordPress as a replacement for BC. Well, the simple truth is that years of building websites in WordPress is what drove us to BC in the first place. There are things we miss about WordPress. Its open source flexibility and wide-ranging plugins allow impressive outcomes to be achieved. But it comes with a hidden dilemma that forces site owners to endure either "increasingly high operational costs" or "increasingly high vulnerability to being hacked". You cannot mitigate one without enduring the other. Not being aware of that has been a death trap for many small businesses. So let's dive into this and explain why...

Before we travel down this rabbit hole it's necessary to understand the differences between SaaS platforms (like Adobe BC, or Gmail, or Xero), traditional desktop software (like MS Office, or Adobe Acrobat), and open-source software (like WordPress, Magento, or Drupal).

(WARNING: Plain English Knowledge below. No added Sugar/No Artificial sweeteners)

SaaS (Software as a Service) versus Desktop Software (Software as a product)

A simple "SaaS vs Desktop" example many NZ businesses/professionals can identify with is Xero versus MYOB (specifically, the historically ubiquitous MYOB desktop product that dominated the accounting software market in NZ before realising too late that they'd missed the cloud/SaaS paradigm shift).

SaaS: Because Xero is a SaaS solution it does not require you to buy or install any software. You do not need to update it or troubleshoot it. You simply access it in your web browser and it works (or, on the very rare occasion that it doesn't, you can be safe in the knowledge that Xero's top propeller-heads are going to have it up and running again before you know it). In other words, when you use a SaaS platform you are entirely removed from the underlying technology. Any errors, issues, or bugs in the software or hardware get fixed and are not your problem! As time goes by new features get added and improvements magically appear, requiring no action or additional investment on your part. You also don't need to back up all your data to an underground bunker every night in case of armageddon.

Desktop: MYOB's desktop software was typical of any PC-installed programme. New versions needed to be periodically purchased and installed, and updates or patches needed to be applied to resolve bugs and fix vulnerabilities. If the programme malfunctioned then it was 100% entirely your problem.

Open source: Open source means you have access to all the source code to add to or modify the programme however you wish. There's a common misconception about open source software used on the web. I often hear people referring to it being 'a cloud or web based solution'. But, to be clear, just because it's on the web doesn't mean it's "software as a service". When you install open source software on a web server, it is the same as installing desktop software on a PC. Web servers are generally of a higher specification than the average office PC, but they are fundamentally the same thing. The only tangible difference is that your software is running on a computer across town (or on the other side of the world) rather than under your desk, and you allow others, all of whom can study the same source code, to interact with that software in some way over the internet.

Generally speaking it all works nicely. Until it doesn't. Vulnerabilities quickly get discovered and bad actors out there use these exploits to sow harm: taking over or destroying a website, launching malware, or straight-out trying to extort you. Being hacked has many possible outcomes. None are good.

Inevitability

Whether you buy software and install it on your computer, or you find open source software to install on a web server, what you have is standalone software that requires updating (versioning), patching and troubleshooting. With WordPress that means updating it every 90 days. Doing this has its own set of technical challenges and whenever something goes pear-shaped it's entirely your problem. If this occurs (and inevitably it will) you'll be understandably pissed and might call your web developer to say "the website I paid you to build is broken" and "You have to fix it because we didn't touch it so it must be your fault". (These are the moments when developers wonder why they didn't choose a more rewarding career like sponge-bathing the elderly between Uber shifts).

Obviously, bringing up the subject of maintenance billing at these moments is a conversation that doesn't always go well and can be the nail in the coffin for the customer relationship. If you're a designer/developer/agency focused on high customer satisfaction then your workload goes up exponentially while your hourly return drops to numbers too depressing to calculate.

Suffice to say I don't miss the good-ol' WordPress days.


Mitigation

Hosted options are available to keep your site safe. E.g. WordPress.com is a hosted platform built on the open source software from WordPress.org. However, the hosted service is limited to using a specific cluster of plugins. No problem if your site doesn't need specific customisation or advanced plugin capability. But that also means it has no real benefit over many SaaS solutions like Wix, Weebly, Squarespace and others. In fact SaaS platforms tend to offer more functionality than the limited functionality of WordPress.com. Alternatively, some hosting providers have services to keep WP updated for you. There will be plugin limitations around this. But whatever the options may be, mitigating the risk comes at a cost that can get expensive and mighty complicated**.

Costs can quickly reach a tipping point where versioning becomes unsustainable. This is why the vast majority of WordPress sites cease getting updated and patched at some point in time (usually within a few months of deployment). While they may still make it to the end of their lifecycle and then get replaced with a new site with the latest version installed, the cold hard truth is that the vast majority of WP sites beyond 2 years old are left vulnerable to being hacked and a sizeable minority are. Ultimately, owning a WordPress site without keeping it updated is a gamble. It means lower costs initially. But you may end up paying the highest price.

Of course, the above oversimplifies the issues. It's more technical and complex than this and there are ways to (mostly but not completely) mitigate the worst disasters. But this is like solving the gun crisis with more guns rather than accepting that there's a bigger problem. Unfortunately, the open source dilemma is unavoidable, unless you don't use WordPress. For me, WordPress is considered a viable proposition when it is able to deliver specific, needed functions via a well supported plugin that you cannot build or find elsewhere within the budget constraints (and is conditional on the client being fully aware of and willing to pay for maintenance and versioning).  If the same functions can be met via a SaaS solution then I would strongly argue that it's the far better choice. 

** WordPress risk mitigation is complicated due to 4 recurring issues.

  • Version Frequency
  • Plug-in Support
  • Customisation
  • Compatibility

Every 90 days WordPress.org releases a new version of the WP core software to resolve any vulnerabilities discovered since the previous version release. The 'one-click update' button in WP Admin is misleading as this only applies to updating the core software. However, with the exception of running a basic blog, everything your WP site does relies on 3rd party plugins. Most WP sites have between 8 and 20 plugins. The trouble is, you can't upgrade to the latest WP core without first updating all the plugins. The plugin developers 'should' have updated releases available to download for the new WP version. But, if a plug-in has no update available you either wait, or have to replace it with something else (= development time/cost).

Once the plugins are all up to date you can then update the core.  At this point, any custom or unique behaviour coded or styled directly on the plugins or WP core files will be overwritten. If your developer has done a good job then modified files will be separated and programming modifications will be well documented for rewriting. But don't expect that to be the case. Once you finally have the plugins and core updated and custom modifications have been re-applied, then you 'should' be back in business. 

But just because the plugins played nicely together in the previous version, there is no guarantee that the compatibility of the updated plugins will be the same. This can lead to hours of development time to figure out the problem and find a workaround to solve it. Once those issues are resolved then life is good until you repeat the exercise in 90 days' time. If your site is well built, on a well developed theme, well supported, and well documented, then updates will usually take about an hour, but not infrequently 2hrs to 5hrs. Occasionally, but inevitably, things will go sideways and a one hour update can quickly become 10 hours, or worse, days of effort may be necessary to resolve an issue following a bad update.

So you have a choice. Either live with this recurring 90 day nightmare knowing that sometimes it's going to sting... Or just leave it be. Everything will work fine and you won't face the recurring nightmare. That is until you fall victim to being hacked. If your WP site reaches 3 or 4 years old and has not kept pace with versioning then your risk of being hacked is extremely high.

Rationale

There's a lot I miss about WordPress. It's a great way to rapidly build complex sites. But I can only recall two occasions where we were not able to build a site in BC to perform the same high-level functions provided by WP plugins. The key difference with BC sites is that they don't require constant versioning or ongoing investment to fix the problems that versioning creates. This means that running costs are comparatively low and there are no nasty surprises. It also means that every dollar invested to operate the site is about improving it rather than just trying to keep it running. Using a SaaS platform like BC eliminates the constant maintenance and hacking risk inherent when using WordPress. No BC sites have fallen victim to hacking. Ever! This is a prerequisite I have come to expect, and selling my clients into WordPress as a CMS solution knowing the flaws that exist fails to live up to my ethical standards.