We need to talk about WordPress

WordPress was released in 2003 and has been an incredible success story since then. It is open source software and is natively supported by every hosting operator. Despite its unbeatable spread, there are some points that should be considered before someone decides to use WordPress. Annoying updates and missed revisions of the core system are just a drop in the ocean.

Web development

WordPress CMS

WordPress is the best known and most used CMS on the whole internet. It was conceived as a blogging platform and is used today for all imaginable sites, even for e-commerce solutions.

The aging system, however, has some downsides that make neither visitors nor developers exactly happy. Apart from the fact that the underlying technologies are no longer among the leading ones, basic areas of the system have also not been revised to meet today's requirements.

Let's dive into some WordPress issues in more detail in the next few minutes.



To meet today's requirements, practically all WordPress sites use plug-ins. They offer practical extensions and are often provided free of charge. As helpful as they can be, they bring their own dangers with them.

With every update there is a risk that something breaks and needs to be fixed. WordPress is known for this happening relatively often. This causes some administrators not to install updates automatically but only quarterly or, worse, never.

An average WordPress website has dozens of plug-ins. These extend the core system with additional functionality. By design, two plug-ins can get in each other's way and conflict with each other; this also depends on their implementation, among other things. WordPress administrators tend to install plug-ins for everything; no wonder, since there is a plug-in for every conceivable extension.

With each page load, all plug-ins are run so that they have the chance to do their job. The more work-intensive plug-ins are activated, the longer it takes until visitors can see or interact with the page. So the website gets slower with every installed and activated plug-in.

Every developer who has written and released a library or plug-in knows that it does not take a week until the first security patches for its dependencies come out. Maintaining a plug-in and keeping it secure takes a lot of time and resources. Now there are thousands upon thousands of plug-ins developed by private individuals in their spare time and available for free. You cannot and should not expect them to update their plug-ins weekly to include the latest security updates. Often plug-ins are installed that have not been updated for years. Such plug-ins quickly become a security hole and a door opener for the entire system.


WordPress Themes

Analogous to plug-ins, themes from the Internet can complement a WordPress site to realize a certain layout and design. Unfortunately, the same applies here: whatever is loaded from the Internet harbors dangers.

WordPress theme development is certainly not known for developer friendliness. After a stubbornly complicated start just to find your way around at all, you dive a little deeper and quickly realize how elaborate and complicated the whole thing is compared to more modern solutions.

Problems while developing are quite normal and seem to occur every few minutes. That is actually not tragic: you take a look at the documentation, realize what is wrong and continue programming. WordPress, however, is known for documentation that does not exactly shine; crucial details are often missing, or it is simply wrong or outdated. Unofficial documentation sites are often preferred to the official one.

Many would also like to see more fixed structures in the development of plug-ins and themes. There are some standards that have been established over the years, but they are often only used by professional theme creators. Many themes and plug-ins contain so-called spaghetti code.

Then there are the paid premium themes, which promise perfect customization options. In reality, however, there is always some customization that requires custom PHP/CSS and must be inserted directly into WordPress.

Even if a paid theme has been purchased, it needs some handiwork to get it into shape. Let's assume we want to install an image carousel as a plug-in and integrate it on the home page. Both the theme and the plug-in have some customization options that can be configured in the settings. It may well be that this is enough for you, but the rule is that exactly one small specific detail cannot be edited. It is possible that implementing this small detail takes longer than if the developer had implemented a carousel without a plug-in. And whether the small detail still works the same after the next update? You never know.



Let's get to a precarious topic: security. There seems to be no day on which a vulnerability in WordPress is not found. After every core WordPress, theme or plug-in update, there is potential for backdoor exploits. External plug-ins and themes can open doors and windows into the WordPress system for hackers. Let's look at some of the most common WordPress security issues:


1. Brute Force Attacks

In a brute force attack, a system is bombarded with all imaginable possibilities until the desired result is achieved. In the case of a login mask, a malicious person can automatically try all usernames and passwords until he succeeds. This usually takes some time until all conceivable entries have been tried. Often, pre-made lists of frequently used usernames and passwords are used to speed up the process. Usually the login screen is located at the default URL /wp-admin, which lends itself well to automated bots that scan the internet for WordPress vulnerabilities. WordPress has not yet managed to limit the number of login attempts out of the box and thus provide protection against automation. In addition, many login requests can slow down the entire site.
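The limit that core does not ship can be added with its own hooks. The following is an added example (not WordPress core code and not any existing plug-in): a must-use plugin that locks a client address out after a number of failed logins, using the `wp_login_failed`, `authenticate` and `wp_login` hooks and the transient API. It assumes the site is not behind a reverse proxy, so `REMOTE_ADDR` is the real client address.

```php
<?php
/*
 * Plugin Name: Login attempt limiter (added example)
 *
 * Added example, not WordPress core code. Drop it into wp-content/mu-plugins/.
 * Assumption: no reverse proxy in front of the site, so REMOTE_ADDR is the
 * client; behind one, take the address from the proxy's trusted header instead.
 */

const LAL_MAX_ATTEMPTS = 5;       // failures allowed before the lockout
const LAL_WINDOW       = 15 * 60; // seconds the counter (and the lockout) lasts

// Transient key holding the failure counter for the current client address.
function lal_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_failed_' . md5($ip);
}

// Core fires wp_login_failed whenever authentication returns an error.
// Each failure bumps the counter and restarts its expiry window, so a client
// that keeps hammering the form while locked out stays locked out.
add_action('wp_login_failed', function ($username): void {
    $key = lal_key();
    set_transient($key, (int) get_transient($key) + 1, LAL_WINDOW);
});

// Priority 30 runs after core's username/password check (priority 20), so a
// correct password can no longer overwrite the lockout error returned here.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lal_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LAL_WINDOW / 60)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, WP_User $user): void {
    delete_transient(lal_key());
}, 10, 2);
```

Transients live in the options table unless an object cache is configured, so on a busy site the counter should move to a proper cache or rate limiter in front of PHP.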

2. Cross-Site Scripting (XSS)

The principle is relatively simple. A potential attacker places malicious JavaScript hidden on the page, for example in a comment field. The next visitor who opens the page containing the comment automatically executes the malicious JavaScript. For example, login information in cookies can be read and sent to the hacker. WordPress itself has no or only little protection integrated here.

There are mechanisms to make WordPress pages secure against XSS attacks, but whether these have also been integrated in all plug-ins and themes from the Internet is questionable.
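Those mechanisms are the output escaping functions, and whether a theme or plug-in calls them is exactly the question. As an added example (not code from WordPress core or from any theme), here is the same output rendered unsafely and then escaped for its context; it assumes it runs inside WordPress, where `esc_html()`, `esc_attr()`, `esc_url()` and `wp_kses_post()` are available.

```php
<?php
// Added example, not WordPress core or theme code. Assumes the WordPress
// escaping functions are loaded.

// UNSAFE: the visitor-controlled search term is written into the HTML as-is,
// so a term containing <script> tags becomes executable markup for whoever
// opens that URL (reflected XSS).
function search_title_unsafe(string $term): string {
    return '<h1>Results for: ' . $term . '</h1>';
}

// FIXED: escape for the exact context the value lands in. esc_html() turns
// < > & " ' into entities, so the browser shows the text and never parses it.
function search_title(string $term): string {
    return '<h1>Results for: ' . esc_html($term) . '</h1>';
}

// Attributes and URLs need their own escapers; esc_html() alone would not stop
// a value from breaking out of value="..." or smuggling a javascript: URL.
function search_form(string $term, string $action): string {
    return '<form action="' . esc_url($action) . '">'
         . '<input type="text" name="s" value="' . esc_attr($term) . '">'
         . '</form>';
}

// Stored content such as comments is the case the text describes: filter it on
// output, not only when it was saved. wp_kses_post() keeps harmless markup like
// <em> and <a href> but strips <script>, on* event handlers and javascript: URLs.
function render_comment(string $body): string {
    return '<div class="comment">' . wp_kses_post($body) . '</div>';
}
```

When reviewing a third-party theme, grepping its templates for `echo` statements without one of these escapers is a quick way to find the spots the text warns about.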

3. File Inclusion Exploits

Every file that is loaded from the Internet can potentially be malicious, no matter whether a user uploads an image to the WordPress site or a plug-in dynamically loads files from an external source. Since WordPress is written in PHP and PHP is an interpreted language, malicious code can be added directly if a vulnerability is found and exploited.
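The typical shape of such a vulnerability in a plug-in is an include path built from request data. The following added example (not from WordPress core or any real plug-in) shows that pattern next to an allow-listed version, and a narrower upload whitelist via the `upload_mimes` filter; it assumes the plug-in keeps its templates in a `templates/` directory.

```php
<?php
// Added example, not WordPress core or real plug-in code. Assumes the
// plug-in's templates live in templates/ next to this file.

// VULNERABLE: the parameter becomes part of the include path. With "../" it
// can reach any .php file on the server, and with allow_url_include enabled
// even a remote URL (local/remote file inclusion). Because PHP is interpreted,
// whatever file gets included is executed as code.
function render_view_unsafe(string $view): void {
    include __DIR__ . '/templates/' . $view . '.php';
}

// FIXED: never derive a path from user input. Map the parameter onto a fixed
// set of known files and reject everything else.
function render_view(string $view): void {
    $allowed = ['list' => 'list.php', 'detail' => 'detail.php', 'form' => 'form.php'];
    if (!isset($allowed[$view])) {
        wp_die('Unknown view.', 'Bad request', ['response' => 400]);
    }
    include __DIR__ . '/templates/' . $allowed[$view];
}

// Uploads: core already checks the declared type against the extension
// (wp_check_filetype_and_ext()). Narrow the accepted list further so that a
// gallery site only ever stores images. Disabling PHP execution inside
// wp-content/uploads is done in the web server configuration, not here.
add_filter('upload_mimes', function (array $mimes): array {
    $images = ['jpg|jpeg|jpe', 'png', 'gif', 'webp'];
    return array_intersect_key($mimes, array_flip($images));
});
```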

4. SQL Injections

Behind every WordPress site is a database. SQL is the language used to query, add or modify data. WordPress sends SQL commands to the database to manage persistent data. On each page load, WordPress loads data from the database and displays it to the user. In a contact form, the input fields are usually written to the database so that they can be processed from there.

A malicious person could add an SQL command to an input field and WordPress will pass it on to the database. The database only knows SQL and cannot tell good from bad. With an SQL injection, additional SQL commands can be sent, for example via an input field, which the database then processes and which cause damage.
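WordPress's own database layer, `$wpdb`, has the tools to prevent this; the damage happens when plug-in code concatenates instead. As an added example (not WordPress core code), here is the contact-form case from above written both ways. It assumes a custom table `{$wpdb->prefix}contact_messages` with the columns `id`, `email`, `message` and `created`.

```php
<?php
// Added example, not WordPress core code. Assumes a custom table
// {$wpdb->prefix}contact_messages (id, email, message, created).

// VULNERABLE: the visitor's input is pasted into the SQL text. A value that
// contains a quote ends the string literal, and whatever follows it is run as
// SQL by a database that cannot tell data from commands.
function find_messages_unsafe(string $email): array {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_messages';
    return $wpdb->get_results("SELECT id, email, message FROM $table WHERE email = '$email'");
}

// FIXED: $wpdb->prepare() binds the value to a placeholder (%s string, %d
// integer, %f float; a literal percent sign is %%), quoting and escaping it so
// it can only ever be data. Table and column names cannot be bound and must
// come from trusted code, never from the request.
function find_messages(string $email): array {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_messages';
    return $wpdb->get_results(
        $wpdb->prepare("SELECT id, email, message FROM $table WHERE email = %s", $email)
    );
}

// Writes go through $wpdb->insert(): every value is escaped according to its
// format, and the request never reaches the SQL text at all. Returns the new
// row id, or null when the insert failed.
function store_message(string $email, string $message): ?int {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'contact_messages',
        [
            'email'   => sanitize_email($email),
            'message' => sanitize_textarea_field($message),
            'created' => current_time('mysql'),
        ],
        ['%s', '%s', '%s']
    );
    return $ok === false ? null : (int) $wpdb->insert_id;
}
```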

5. Malware

A hacked WordPress site can contain malicious code. There are different types of malware. Either it continuously transmits all data, including sensitive customer data, to the hacker, or the additional code tricks the user into entering his credit card information. The damage potential is unlimited.



Most common reasons why hacks occur:

  • Weak passwords
  • WordPress on the default configuration (e.g. login on /wp-admin)
  • Not updating WordPress core, plug-ins and themes regularly
  • Plug-ins and themes installed from untrusted sources



These were some of the better known WordPress issues, but we could easily add quite a few more to this list. If we have aroused your interest, I advise you to do some googling; the Internet is full of further points.

I would like to explicitly mention here that WordPress has its raison d'être and has also done good service for years. Before you decide on WordPress you should find out which CMS is the most suitable for your needs. There is no CMS that covers all needs one hundred percent; there are always compromises that must be accepted.


