Businesses Beware the Dangers of WordPress and the Allure of Free

Content management systems, such as WordPress, are a critical tool for business websites. However, WordPress is also a double-edged sword. Yes, it might be free and open source, but that also means it opens the platform to significant security vulnerabilities.

• 

  Posted by Chas Wyatt, Gladstone, Oregon | Sep 19, 2011

  Thanks for your insights about security. I was thinking about using a WordPress platform and theme for my next site. I have had trouble with Google Analytics, though, and use StatCounter, instead.
• 

  Posted by Tea Silvestre, San Jose, California | Sep 19, 2011

  WordPress is great if you know how to use it properly. There are other precautions that should be taken during set up, etc. I just posted a short piece on my blog about what needs to happen: http://thewordchef.com/2011/09/stay-safe-in-the-kitchen-7-tips-to-secure-your-wordpress-blog/
• 

  Posted by Matthew B. Olson, Delavan, Wisconsin | Sep 19, 2011

  Good luck with the blog, Charles! The best suggestion if you're going with WordPress is to keep on top of the updates. Might not hurt to change passwords occasionally, too.

  Thanks for sharing your tips, Tea. All very good ones!

  Learn More About Signalfire's Web Strategy
• 

  Posted by Jules Nesenblatt, Snoqualmie, Washington | Sep 19, 2011

  Thank you for those words of wisdom!
• 

  Posted by Justin Parra, Seattle, Washington | Sep 20, 2011

  i have worked with a lot of other CMS platforms. I couldn't name another platform that is easier to update and more intuitive (back end and front end) than WordPress. If you have a specific example I would love to hear about it.

  Another subject worth noting is the talent pool around the CMS. If you choose a lesser know CMS, how many other developers will be able to work on the site should you choose to switch developers?
• 

  Posted by Justin Parra, Seattle, Washington | Sep 20, 2011

  I have worked with a lot of other CMS platforms. I could not name another platform that is easier to update and more intuitive (back end and front end) than WordPress. If you have a specific example I would love to hear about it.

  Another subject worth noting is the talent pool around the CMS. If you choose a lesser known CMS, how many other developers will be able to work on the site should you choose to switch developers?
• 

  Posted by Matthew B. Olson, Delavan, Wisconsin | Sep 21, 2011

  I appreciate the comment Justin. I am not arguing the merits of WordPress' interface. It is truly beautiful in simplicity. We had been passionate fans up until the last year.

  While I would recommend other platforms ranging from Concrete5, Drupal, to Expression Engine and MojoMotor; we always look to choose platforms that have an established development community. We continue to support our WordPress sites, but find the level of maintenance required is higher than that of some of our other platforms.

  My larger point was to be cautious with WordPress. Like many other things, free is nice, but may have other costs.

  Learn More About Signalfire's Web Strategy
• 

  Posted by John Locke, Seattle, Washington | Sep 22, 2011

  Hi,

  I think you're right on target to point out that there's a big down side to using a content management system: the cost of keeping it properly secured. This cost is basically ignored by vendors pitching web site projects.

  However, I think you've got the cause wrong -- it's not because Word Press is free, it's not because it's popular -- it's because it's powerful, flexible, and easy to use -- for both you and your potential attackers.

  Proprietary content management systems (e.g. programs you have to pay for) suffer the same issues. I don't care if you use Movable Type or Word Press, Sharepoint or Drupal, Joomla or Expression Engine -- there is some risk associated with running a content management system, and cost involved in keeping it up to date. The paid programs aren't necessarily any better than the free ones in this regard.

  You only avoid that cost by using a static web site -- but then it's much harder to update.

  In many cases, you get much better security by using a free, open platform, because there's a lot more developers looking at the code, identifying potential problems, and coming up with good fixes. I would highlight Drupal as being particularly strong in this area -- which is part of why it's our platform of choice.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 22, 2011

  Matt's written a nice and important post. People should be aware that there are vulnerabilities in WordPress - as there are in all web-based software. Let's say that again - all web-based CMS's have vulnerabilities and can be hacked. So WordPress is not alone.

  As John said, being online at all has inherent risks. And we can spend hours debating their significance or likelihood.

  Yet, as a WordPress developer and security specialist, I can tell you that with a little coding and a few key plugins and being careful which themes (designs) and plugins you choose - you can make WordPress highly secure. And this is coming from someone who had his 8 sites hacked about a year ago - which is how I became a security 'expert.'

  For the great majority of users, WordPress isn't so vulnerable through 'forced hacks' (where a hacker gets your login). This does happen, but seldom in comparison to the other methods of hacking.

  The biggest two are hacking through add-ons like plugins and themes. Sometimes hackers even put out themes and plugins just for this purpose - to lure you into installing them - giving them access. So only use themes and plugins from reputable, trusted sources - that solves that one.

  The second biggest vulnerability you have is your web host. If a hacker can get into your host's system then they can wreak havoc on tons of WordPress sites at once. And the vulnerabilities here have much more to do with how secure things like your database server are. That's why I'd recommend using a well-known host or one that specializes in WordPress.

  All of the suggestions in this post - good host, stay updated, use Google Webmaster Tools - these are essential for not having problems or catching any problems immediately.

  But don't be afraid to use WordPress just because of a post like this. Rather, know that all systems have vulnerabilities - it's just part of being online - and that often many of those vulnerabilities have patches.

  For the record, I've installed more than 400 WordPress websites for clients and only 1 of my clients has been hacked. We caught it quickly and everything was fixed in 48 hours. I mentioned above that my 8 sites were hacked, but my host stopped it before any major damage was caused - though it did lead me toward learning how to secure WordPress more than it is normally.

  As I said, I highly recommend WordPress. It has no more vulnerabilities than any other CMS out there. I don't second-guess using WordPress myself or recommending it to my clients. And if you want to talk about how to enhance the security on your WordPress site, happy to chat about it.
• 

  Posted by Mark McLaren, Seattle, Washington | Sep 22, 2011

  Great post, Matt. Lots of food for thought. Your basic security tips are all on the money. I would also stress the importance of a strong (15-character) password and of deleting the "admin" user (and/or creating a more unique username).

  Although I do social media and search engine marketing more than I build or manage websites, I currently manage or work with clients on about 40 self-hosted WordPress sites. The flexibility and power of WordPress is what makes it such a great online marketing tool. Over the past five years, I have probably worked on 100 WordPress sites. Only one has ever been hacked. The web host was a small shop essentially run by one person. He alerted us to the problem immediately and we removed the hacked admin user. There was no damage to the site.

  I sounds to me like you and your commenters are on the same page about security. Dawud makes some very good points about vulnerabilities in plugins and themes. The idea that WordPress software is free does not mean that WordPress websites don't have to be managed in a professional manner. This is true for security and it's true for backing up data.

  As long as we are talking about sites being hacked, we should remind readers that they need to backup their sites on a regular basis - both their files and their database - whether they use WordPress, Drupal or whatever. If someone else handles your website for you, ask them where they keep your backups and how often they make them.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 22, 2011

  Right on, Mark.

  What I usually recommend for my clients is that they manage their content, their widgets, their navigation and have someone else manage the technical updates, maintenance, backups and security.

  WordPress makes it easy to upgrade the WordPress core and plugins from the admin area. Yet I find that it's good to have a techie-type that takes are of these bits and others for you so (1) it's done and (2) it can be monitored.

  This is exactly why my biz partner and I will be launching a service to do just that. More on that soon.
• 

  Posted by Mark McLaren, Seattle, Washington | Sep 22, 2011

  Sounds great, Dawud. I totally agree. Something else we haven't really touched on is the fact that WordPress has become more technically complex as it has evolved into a powerful business tool. WordPress 3.2 looks very little like the WordPress 1.5 I started using. We shouldn't expect it to be as easy to maintain.

  It makes much more sense today to hire a professional to do the heavy lifting. This is more an admonition than a sales pitch. I am one who is looking for professionals to do the work. Most of it is too difficult/risky/time-consuming for me to do myself anymore.
• 

  Posted by Juan Carlos Gomez, Nevada City, California | Sep 22, 2011

  Great comments. My 2 cents: WordPress is a great platform but you need good knowledge of it and good knowledge of HTML as well as PHP to avoid intense headaches. For small business that don't need a lot of maintenance or updates we recomend custom made static HTML sites that creawlers love.
• 

  Posted by Nando Caban-Mendez, Austin, Texas | Sep 22, 2011

  I am thankful for the comments by Tea, Justin, Dawud, and Mark. Hopefully readers of this article will go on to read these comments and get a more balanced point of view. I fully agree with their take on WordPress and won't add to that.

  What motivates me to write is the inaccurate portrayal of WordPress and the negative impact this may have in small businesses. The online marketing landscape is already plenty confusing for small business owners. The start-up entrepreneur, the mom-and-pop, teh micro-businesses (<10> to create and manage a great WordPress theme. Low-cost, premium themes (and even some customizable free themes) allow for great flexibility in layout and branding. However, clients would certainly need to know coding, or call their developer, to update something as simple as a telephone number.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 22, 2011

  Thanks Nando. I don't build websites - I build business platforms online and I've found WordPress to be the best CMS solution - of the dozen or so I've tried - for my clients.

  Most of my clients are not techie at all - many have avoidance and even anxiety when having to think about being 'technical.' WordPress gives them the best balance of staying away from the tech stuff while giving them power and control over their websites.

  Juan, I couldn't disagree more. 90% of my clients never will learn a lick of HTML - or PHP for that matter. And yet every one of them can add, edit and update content; have some basic control over their sidebars and footers and have full control over the navigation bar. What more does the 'average' user need?

  WordPress isn't perfect - not by any measurement. Yet it is the best platform for the great majority of small business needs. And as I said above, you can secure WordPress with little more effort making it harder to crack.
• 

  Posted by Silvia Reed, Bellingham, Washington | Sep 22, 2011

  Thank you for sharing your expertise Mat. It's rather important that we are aware of the pros and cons of working with technology. WordPress is a great way to build a website for free or low-cost, however it all has a price; it doesn't make it a bad platform but we must be aware of the risks and how to better use it so we don't compromise sensitive information.
• 

  Posted by Brent Pohlman, Omaha, Nebraska | Sep 22, 2011

  Have you heard of akismet. This plug-in will guard your site from attackers. At one point, my plug-in got turned off and I had all kinds of hackers. This plug-in is the best plug-in for securing your Wordpress sites.

  I manage 8 different Wordpress sites and I do not have any issues.

  Wordpress is very secure and it has come a long ways in the last 4 years as long as you keep up with the updates and have the right plug-ins in place.

  If you take the step
• 

  Posted by Bob Dunn, Seattle, Washington | Sep 22, 2011

  This is some great conversation and wish I had gotten in a little earlier...

  Both Duwad and Mark said it all and were right on. I don't need to add anything to that. I also maintain numerous sites and have coached and trained hundreds of people how on to use WordPress effectively...

  All I can add, is where the problem lies, is in the title of this article, as Duwad also pointed out. Basically a scare tactic to get people to read it : )
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 22, 2011

  Hey Silvia

  Mat does have some good points here. And all systems - not just WordPress - are going to have the same problems. What I appreciate about WordPress is first it's pretty light weight so finding and fixing problems doesn't have the complexity as, say, Drupal.

  Secondly, there isn't a more tight-knit, active community developing CMS than the WordPress community. This means that tons of folks want to help out whenever trouble arises. AND, more importantly, it means that there's tens of thousands of people who are finding issues and posting fixes constantly. It's the community around WordPress that I find to be it's strongest benefit.

  Finally, there is a cost to having any business service. But with the right bits of information those costs can be negated.

  (apparently I've become the defender of WordPress...and I'm not even sure how that happened)
• 

  Posted by Bob Dunn, Seattle, Washington | Sep 22, 2011

  And Dawud, sorry for the misspelling!
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 22, 2011

  Just to clarify Brent's comments - Akismet is a nice plugin for stopping tons of comment spam. Yet it's not a security solution against hackers who can infiltrate your site and add malicious content and links. Basic distinction.

  And be careful about plugins. Akismet is developed and managed by Automattic - the company that oversees WordPress - so it's safe. Yet there are plugins that are more security risks than others. So you always want to find out a little more about any plugin you add before activating it.

  To make, perhaps, this whole 'WordPress isn't safe' conversation clearer let me offer what I share with my clients:

  When you install WordPress on a web host a number of 'doors' are opened. This is necessary to get WordPress working. Then, once the install is complete, those door close. Sometimes there's a door that doesn't close and the WordPress team will send out updates to fix that. But most often what happens is that while most of these doors close, only some of them 'lock.' So if you're a hacker and walk along the corridor giggling door knobs you may find some unlocked and can enter. The additional security protocols I've used go through and lock as many of those doors as possible so it's much harder to get in.

  So think of WordPress security as being doors that open, close, lock and unlock. The goal, then, is to close and lock all the doors - just like you would in your house before you leave.

  Does that help?
• 

  Posted by Boris Krumov, Prague Czech Republic | Sep 22, 2011

  Ironically, GA and GWT ( google analytics and webmasters' tools ) are also free to use software with way too many "hidden gems" and unpleasant surprises to be recommended in such an article.

  And yes, security does matter. Thankfully evolution ( read many many defaced sites, stolen financial data and more ) brought us to a relatively stable stage, not to forget that nowadays most of the once "innocent pranks" are punishable by the law.

  And if you want to be serious as a business you don't do FOSS( free and open-'sauce' software ) not because it doesn't work or has got so many caveats, but because then you invest in propriety, customized systems. Ah yeah, it costs money. No, wait ! It pays !
• 

  Posted by John Locke, Seattle, Washington | Sep 22, 2011

  I take it, Boris, that none of the Fortune 500 are "serious businesses?"

  All of them use FOSS. Every single one uses LInux in their environment. Are you using an Android phone? You've got FOSS in your pocket -- it's built on top of Linux.

  And for CMSs, Drupal and Word Press each power a huge number of web sites for very "serious businesses" - or at least serious organizations. In the case of Drupal, there's NASA, the White House, CNN, NY Times, and many, many more.

  If you're starting up a business and not using FOSS, investors these days will ask you why you're wasting money?

  Let's stop confusing the issue -- the issue about security applies to all systems, and there are a lot of very good arguments to be made that open systems are more secure than closed ones -- there's certainly far more opportunity for people to discover and fix any issues that arise -- and in popular projects like Word Press, this happens very quickly.

  The main point of the article -- that you need to pay attention to security even if your software is free, most definitely applies. And if you're not going to do it yourself, it's going to cost you something -- either to pay somebody to do it for you, or in cleaning up the mess after you've been attacked. This is true of closed systems as well as open ones...
• 

  Posted by Allen Snook, Snohomish, Washington | Sep 22, 2011

  You have put WordPress in your article's title and yet the recommendations you made apply to just about any website. I feel trolled.
• 

  Posted by Brent Pohlman, Omaha, Nebraska | Sep 22, 2011

  John is right! Security is the main point of this article whether it is commercial or free. Security applies to all systems and proper precautions need to be in place to make any system secure.
• 

  Posted by Karen Lewis, Texarkana, Texas | Sep 22, 2011

  One additional note on security from a developer's perspective - WordPress has the default login name of "admin" - always change that to something more obscure in PhpMyAdmin - that, and a really good password will go a long way in helping safeguard the dashboard section of your website.
• 

  Posted by Robert Stoeber, Sausalito, California | Sep 22, 2011

  Matt,

  I agree 100% with your recommendations - those apply to every piece of software and online system, not just Wordpress. Selecting the proper products, maintaining them in good working order, and consulting experts on a regular basis makes sense whether you are talking about dental checkups, oil changes on your car, or websites.

  But, I don't agree at all with your apparent conclusion that Wordpress is "a victim of its own popularity" and therefore Wordpress should be avoided, in favor of some less popular CMS. That's like saying hackers target Windows more often, so don't use Windows. Bad guys rob banks because that's where the money is, but that's no reason for us to avoid banks.

  Open source products like Wordpress and commercial products like Windows and Adobe Acrobat are all subject to security problems. In each case there is a serious effort to make these products as reliable and secure as possible, but the users have to take responsibility for updating any software they use.

  Here's a few things I always recommend:

  1) Don't use a content management system (CMS) if you don't need it - you can avoid a lot of "security" problems and maintenance costs. Be honest with yourself about how much time you will REALLY invest in "managing your content." If you only expect monthly, or even weekly updates to post a new press release or other minor changes then you don't need a CMS.

  I've seen people that spend a lot more time fighting with Drupal, Wordpress, or some other system than actually doing useful work. Don't fall into that trap.

  2) If you do need a CMS-type system, hire a professional for a few hours to help you evaluate your needs, set up an appropriate system, and teach you how to use it. If you own/manage your own business your time is valuable, and irreplaceable. Invest your time wisely.

  3) Regardless of the tools you use, manage your passwords carefully. Always make complex passwords. Don't ever write them down. And don't share accounts/passwords with anyone.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 22, 2011

  @Bob - no worries & thanks.

  The point here is security. It's just inaccurate to paint WordPress as being not secure while not comparing it to other systems and their lack of security too.

  I hope Matt's point here wasn't to create a fear of using WordPress. My hope is that he was trying to bring light to the issue of security on websites as a whole.

  I know WordPress is extremely popular these days and so whenever something is written about there being 'issues' with it, it gets attention. I'd just like to be sure we're not throwing the baby out with the bathwater. WordPress is the best go-to CMS (content management solution) for the great majority of coaches, alternative practitioners and service professionals of all sorts who don't want a simple, easy-to-use system for managing their websites themselves without having to deal with code.

  That's what WordPress is and that's how it best serves its users. So don't be afraid of using WordPress. It is more secure than this post leads on - it's not like people can just walk in the front door; they have to put in effort to hack in. But that's what hackers do - they put in effort to breech systems - WordPress or otherwise.

  So don't let this post steer you away from WordPress. If you have specific questions, I'm happy to answer them.
• 

  Posted by Matthew B. Olson, Delavan, Wisconsin | Sep 22, 2011

  Thanks to everyone for such wonderful discussions! Dawud, Robert and so many of you have brought up excellent points.

  It was not my intention to throw WordPress completely under the bus, but more offer up some caution as we've seen so many businesses flock to the platform only to have their sites subverted via security.

  Many of you are exactly correct that I should not have had the "run far and fast" tone about WordPress. I sincerely hope readers of the article have had the chance to read all of these comments!

  Thanks to each of you for contributing!

  Learn More About Signalfire's Web Strategy
• 

  Posted by Salar Salahshoor, Portland, Oregon | Sep 22, 2011

  Nice comment by John Locke.

  Here is short list of companies that use Wordpress for their official blogs: http://en.wordpress.com/notable-users/

  Granted these websites are highly customized, but they are built on top of Wordpress.

  The more plugins you use (especially unknown plugins) the higher your risk of running a clunky website or opening it up to attack. That is true.

  Whether you go with a paid or free platform will not solve the risk issue, the only thing that will solve that is a good developer building your site (and frankly, unless you are running the WSJ, it likely doesn't pay to hire a security expert to optimize your site. As long as you maintain a backup through your host, the risk is very minimal. Your small business will not be impacted if your site is down for two days due to a hack).

  I really wish small businesses would start to realize the value of having a descent looking website that functions well. I know business owners who spend more money on their business cards than they do on their website. Don't expect a $40 website to perform for you. It won't. Whether you go with a paid or free platform, if you aren't going to invest in the design and function of the site, you're better off using a Facebook Fan page. Out of the box websites that do nothing to differentiate you or communicate your value proposition just don't add much value. Save your time, money and energy.

  When you are ready to make a serious investment in the branding and marketing of your business, hire a professional. It doesn't have to be expensive. You can get a quality design and functional website built on Wordpress or another CMS for as little as $3,000 using freelancers. If someone tells you they'll build you a custom Wordpress site for any less than that, well then they're probably just charging you to do what you could have done yourself. They will simply purchase a theme, add some free plugins, change the colors a bit and add some pictures. (There is value in this service, but just know that it is not a custom website).

  $3,000 to $5,000 may sound like a lot of cash, but in the world of cheap websites, especially in small business circles, it is a small price to pay to stand out and shine.

  The reality is that you get what you pay for. If you simply install Wordpress and purchase a $40 theme or use a free theme, your site will be worth about $40. What does that say about how you think about your business? But I digress...

  I think Matthew and the rest made some interesting points, but they are not Internet security experts, so you would be wise doing your own research on the matter.

  Here is what the Wordpress development community has to say about security: http://codex.wordpress.org/Hardening_WordPress

  Here is a post by Matt Mullenweg, the founder of Wordpress, who discusses his views on security: http://wordpress.org/news/2009/09/keep-wordpress-secure/

  Lastly, here are some really solid tips on securing your Wordpress site, by Matt Cutts (a real expert on the issue): http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/
• 

  Posted by Harmony Coburn, Vancouver, Washington | Sep 22, 2011

  Hi Matt, though there can be some security issues with WordPress I would be much more concerned about having a site built by a programmer from the ground up. I did not set out to be a web designer - but I had many friends get so ripped off by "developers" that I finally had to learn how to build websites. I started back in 1997 so you can imagine I've seen a lot change in the last 14 years. I've used many platforms, including building sites from scratch in HTML. I am a firm believer in using open source for one major reason - a site built from the ground up by a "programmer" is very difficult to save if your developer disappears (and I've seen this happen to many many clients). Since I wanted to build my clients websites that they could find someone else to manage if they lost me or wanted to leave me I invested a great deal of time in researching all CMS options. Those that were for a fee and those that were free. In the end the free ones won because I knew there would be someone to pick up the pieces if something happened to m. When I first switched to CMS systems Joomla! was the best - but I will tell you my Joomla! sites got hacked a lot (frequently because I trusted plugin developers but then I learned that free is not a very good price), required lots of maintenance and were very frustrating to the end user when it came to doing their own basic content management. Up until 3.0 WordPress lacked a lot of features that I had come to know in J! but since 3.0 I have migrated many clients over because the user interface and search engine friendliness are by far and away the best out there - better than any "custom programmed" site I've looked at (and I've had several clients come to me for help on sites that their custom programmer left them without any resources on). Since your audience is mainly truly small businesses with limited budgets I would hate to see them decline a website developed with WordPress as the base software. That being said, people do need to understand that nothing is really free. In order to make WordPress a truly effective solution "someone" has to know about plugins, maintenance and security. As a developer I spend thousands of dollars on professional plugins to insure that my clients have a complete solution. If you are not prepared to become a WordPress expert I would agree with Matt - think twice about WordPress or any other "free" solution - you get what you pay for.

  Search Engine Optimization | Website Design
• 

  Posted by Harmony Coburn, Vancouver, Washington | Sep 22, 2011

  @Salar - looks like we were posting about the same time with the same general thought - however I would like people to know that you can get a very good, search friendly website built by a pro for less than $3000. We focus on Truly Small businesses that often don't have a start up budget that high. We work with these clients to lay a foundation that can grow as their business grows. That is the beauty of a WordPress platform if you have the right developer - it allows you to "grow into" your website.

  Search Engine Optimization | Website Design
• 

  Posted by Oliver Bodnar, Los Angeles, California | Sep 22, 2011

  The security problem isn't really with WordPress itself, it's more with all the free templates that people make. The sites that have these free WordPress templates don't check them, so often times the scumbags who add malicious coding to them just upload a templates and wait for people to download and install!! I advise having your developer look over the templates first...that is, if they know PhP and what to look for...or have your developer add the skin to the original WordPress theme...thus, making sure no malicious code is added!!

  Oliver

  OneArmedSEO . com
• 

  Posted by Mark Brent, Seattle, Washington | Sep 22, 2011

  I have been using Wordpress for years now. I will every now and again run into someone who smugly attacks wordpress as a security problem. I distance myself from them. Here is why:

  1) Security Is Important. However, Content Is King. King's have their security requirements, but they are still king. When it comes to serving up quality content in an SEO friendly and user aware way, nothing beats Wordpress. IMHO.

  2) The Wordpress community works tirelessly to make a better product. What we use today is not even close to what we used only a year ago.

  3) Finally, search Wordpress Security Hacks. Look at how old all those articles are crying that Wordpress is a security problem.

  Security people always try to make themselves the only important people in the room. They forget that if they had their way, everything would be locked down and provide zero access. That is true security.

  So what we really do is balance this very real need with real info and practical solutions. I don't care what Mathew intended with this article, but if a lazy business owner only read part of it and avoided the comments which actually were the more informed parts of this page, they are now difficult people to provide proper solutions for. They will cite some poorly thought out document on Biznik and require extra work to bring them around and usually not be worth the money we can charge.

  My 5 cents worth...

  Full disclosure.. I am a content producer and content marketing consultant that learned to program PHP sites from scratch until I met Wordpress. Now I build everything on Wordpress. I can affordablely sandbox any idea and then do what is necessary to bring that idea home properly. Wordpress Rules!!!
• 

  Posted by David McKim, Bellingham, Washington | Sep 22, 2011

  This one actually compels me to opt into the conversation here. I'm glad to see someone pointing out that there's a wide range of available CMS's to choose from, and that WordPress isn't always the ideal solution.

  While WordPress might be easy, it's user-friendly design often imposes a lot of restrictions on what features are available. Since WordPress is so basic, most of your designs end up being pretty cookie-cutter with 2-3 columns and simple features like a product showcase or laying out a pricing table can become incredibly difficult if the theme wasn't documented properly (which they usually aren't) or the plugins you choose don't like how that theme works from the programming level perspective.

  WordPress in it's simplicity can also have trouble presenting some of the most simple features, like linking to another website from your main navigation. Or having different widgets for different pages. Often achieving these goals requires additional plugins or hacks to be done, where a more full bodied CMS is configured to do these things out of the box.

  When considering which CMS you really want backing your website, I would strongly consider getting multiple bids from niche developers. You might find that the level of modding that WordPress requires might exceed the same time to develop the website under another platform, such as Joomla, Drupal or Concrete5 and it could restrict your sites growth down the road.

  On the other hand, for blogs & simple brochure sites with little to no advanced functionality, wordpress is a quick & simple way to go about it.
• 

  Posted by Mark Brent, Seattle, Washington | Sep 23, 2011

  Most if not all of the negative or neutral comments against Wordpress here come with a helping dose of I really don't know what I am talking about.

  For example, you can make a Wordpress site look, and behave anyway you want. I don't have this example I refer to next anymore due to the timely end of the project. But for an event I once produced a flash site with animation and video that was backed by Wordpress. Each character in the video said their tag line when you moused over it and when you clicked on them you went to a Wordpress category that responded to their part of the on going site dialog. Does this sound like your big brother's Wordpress site. No. But, all it took was a little imagination and some can not can't.
• 

  Posted by Mark McLaren, Seattle, Washington | Sep 24, 2011

  Matt - I left a longer comment above, but I want to add that I'm disappointed by the (current) 6.6/10 rating for this post. It suggests that the content is not instructive and that it's barely worth the time to read. This is hardly the case!

  I want to commend you again for writing a thoughtful post that raises good questions and (obviously!) spurred a lot of great discussion.
• 

  Posted by David Bullock, Oceanside, California | Sep 26, 2011

  Matthew,

  My perspective is as an IT professional with 20 years experience and 15 on the web. Several of those years working specifically with closed source IT security systems for military applications.

  Wordpress being free and open source does not in any way contribute to it's insecurity. It may seem counter-intuitive but having an open source system may be more secure than a closed source system. Closed source systems are no more secure than open source ones and are just as often the successful targets of hacker attacks, and closed source systems benefit less from community support and peer review to find and eliminate bugs and security holes more quickly.

  When considering a CMS, some of the things I look for are the size of the developer community, the breadth and depth of the plugins or addons available for it, the age, and the rate of fixes and updates that are put out. No software system is bugfree, or immune to every attack that will come along. Having many fixes is a signal a cared for system with a development team that's staying on top of things, whether it be open source WordPress or closed source Windows, etc.

  I found the rest of your article helpful as were many of the comments below it, but opening the presentation with a statement as misguided and damaging as open source creating security problems had to be called out and corrected.
• 

  Posted by Matthew B. Olson, Delavan, Wisconsin | Sep 26, 2011

  Mark McLaren and Mark Brent, I really appreciate all the comments and so many of them have been right on point.

  David Bullock makes a great comment on the dangers of speaking in generalities. Especially when dealing with specific platforms.

  I know CMS security (not just WordPress) is a really hot topic and our community has a ton of experienced web security veterans. There is just as much to be said on each CMS platform and I am flattered that there are so many comments.

  Harmony's comments on Joomla! are exactly in line with my feelings on that particular platform.

  Salar, your comments are simply fantastic. If small businesses realized the dramatic return on investing a little more in their website, I believe those small businesses would be incredible success stories.

  Learn More About Signalfire's Web Strategy
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 27, 2011

  @Matt, thanks for starting an excellent - and very important conversation. Be looking for more posts from you down the road.

  @Salar & @Harmony - I have to agree with Harmony on this one. You can easily get an excellent, business-ready, fully-functional and highly secure WordPress website without spending $3000-$5000. I do build sites in that price range (and higher) and it comes with a bunch of business coaching and marketing help.

  Yet I know there's tons of small biz owners who don't have that sort of budget. So after about 6 months of development, my partner and I are launching WPforCoaches.com in a couple of weeks. Our basic package - turnkey theme - $150 and a moderately customized theme will be $500. Hosting is $25/mo and includes all tech stuff - installation, setup, plugins, all ongoing maintenance and upgrades, support, training in WordPress AND all our security features - which are extensive.

  Sorry for the shameless plug - of course it's intentional, though normally I wouldn't add something like this to a post conversation. I wanted, however, to give an example of a service that will not only build sites are rock-bottom pricing but fully support, upgrade and protect those sites from hackers as well. Between my partner and I we have somewhere around 600 WordPress sites we've developed still active on the web and both of us have dealt with security issues and hackers for ourselves and numerous clients so we feel well prepared to launch this.

  @Oliver - EXCELLENT POINT!!! Don't use free themes for WordPress if you don't absolutely know the source. The big theme developers (StudioPress, iThemes, etc) they do free themes - trust them. And the ones you find on WordPress.org (or inside your WP admin theme search) - trust them. Otherwise be very cautious of installing any other free WordPress themes. Check your sources or have a coder check your theme first before you install it.

  @Mark B - excellent points. There was a version of WordPress pre-3.0 that had some security issues and was exploited by hackers. But that was at least 3 full version upgrades ago. So you're right, most of the security scares for WordPress are old. This is the whole reason I say it's important to work with a developer since they know (or should know) about these things.

  @Mark M - agree which is why I changed my vote. Talk to you soon.
• 

  Posted by Salar Salahshoor, Portland, Oregon | Sep 27, 2011

  Dawud, I don't think Harmony and I are really talking about the same thing. I am talking about marketing and the value of branding, and she is talking about websites for the sake of having a website, so it seems.

  I try to educate my clients on the purpose of having a website and provide them a strategy to win, not just set up a Wordpress site because that's what they think they need after hearing Mark Zuckerberg talking to Oprah about blogging and Facebook.

  For a lot of small business owners, it's a waste of time to blog and try to run a social media content strategy. What they would be better off doing is having a "nicer" looking, well branded static HTML site (low maintenance for them), and focusing more on their business at hand (growing the good old fashioned way through great service and delivery and word of mouth/review sites and local listings that have real SEO value).

  I'm sure many of you will disagree with me, but I have yet to see a small business owner that got any measurable value from posting an article once a week on their Wordpress blog (in fact, many small business owners don't produce any content at all once they are set up with the system).

  The first impression (look and feel) of a site is often more important than if it has an active blog. I think if the small business owner can save money by avoiding a CMS in order to build a prettier website, the trade-off in setting up a brand is worth it at that early stage.

  I do like your idea to provide SaaS solutions to small businesses, I've thought about doing something similar myself, but more directed to the developer community.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 27, 2011

  Hi Salar

  I fully understand your approach. I also do way more than just website development. I teach/train/coach/advise my clients on the best strategies and tactics for them to get the results their looking for from their websites.

  When people work with me, they get a business partner with knowledge of marketing, sales, productivity, growth strategies, positioning and branding along with SEO, social media, etc. My goal, then, is to find and teach them the best methods for their style, technical know-how and amount of time. So we're on a similar page when it comes to the sales process, I think.

  Where we differ a bit - which is completely fine - is that I think an easy-to-use CMS is vital to any small business owner. They need to have simple control over their website's content. Without it, they're simply at a disadvantage when it comes to making changes to copy.

  WordPress, interestingly enough, is actually less time consuming to develop on then static HTML (unless you're using a visual editor that writes code for you - which I don't recommend doing). And since WordPress can 'wear any dress' then as a developer you actually have more time to develop gorgeous design. And since content and design are separate there's no major time issues with developing a large site over a small one.

  I also disagree a bit on design being so important. The web is about content and design should always take a backseat to content. Some visual design can be so stunning that it impedes the digestion of content and the sales process just like some really slick navigation structures make finding things difficult. Successful business websites make it easy on their audience because they understand their audience, their wants and their expectations and deliver a site that meets them. I know you know this already, just keeping the conversation moving.

  I do agree with you that just writing a post each week isn't going to get your much on its own unless you hit a long-tail SEO term.

  However, while I can't speak to your clients, I've seen numerous clients of mine leverage a blog to increase visibility, grow a list, develop relationships and land clients. I know this because I taught them how. I've done this myself for years. But it has to be more than just writing weekly and sending a couple links out through Twitter and Facebook.

  Content marketing has to fit into your overall marketing plan and needs to have defined and measurable goals. With that, there's needs to be a evaluation period so you can make adjustments to, say, your blogging efforts. Again, these are the bits I teach my clients how to do.

  Content is the most vital part of a business online. So why would you want to limit how content is produced, published and distributed? Blogs provide a limitless platform for publishing content and should be used as part of an overall marketing plan.

  You and I don't know each other so please forgive any presumptions. I'd be happy to have a chat about the flexibility and power of WordPress, answer any questions you might have and show you how freeing it can be for your clients. Perhaps you already know, perhaps not. But I'm happy to help. Just let me know.
• 

  Posted by Mark Brent, Seattle, Washington | Sep 27, 2011

  Content Marketing is not a waste of time. It is the only Internet strategy that really works when done right for most small businesses. I have a client who is up by 30% business and never has a fall off or down period any more. Their active clients are more active and their new clients are more ready to participate and ultimately spend money.

  This client has stopped all forms of advertising. I have shown them how to publish blog and video in a way that makes them very relevant to their market. They even snipe traffic from competitors and hot products because they have followed my techniques for publishing. Recently, a hot fitness trend emerged and they were in position to write articles and be a part of that very hot stream. BTW - they fired their SEO person, because the content is winning that war too.

  Wordpress is the only tool that could have made this happen for this client. Especially, on their budget.

  I agree completely with Dawud and David. Your comments and insight are very close to mine.

  Mark M - this post would have a better rating if it's premise wasn't so wrong. Instead of telling people how Wordpress can be properly used, it appears to warn one from using Wordpress. As a person that has both been using Open Source and working in content production since 1997, I feel it is important to stand up for the tools and techniques I've come to know. I gave this post a four. And that was for it's ability to get a very interesting conversation going.

  Finally, for those that claim Wordpress is simple and can't do things I have two things to say to you. 1) Use your own template pages, you can do anything with them if you "know" Wordpress. 2) Stop thinking simply.

  For those of you that think I am being argumentative and pushy. Try having a client's IT guy start a problem by interjecting something he picked up in the past and telling your client that Wordpress is unsecured. Think about the extra work I had to do and not get paid for when that happened. Then you'll know why I think this type of opinionated pundentry is useless. Ultimately, the guy backed down after he realized that what he was referring to was in a past version and that the "Open Source" community had fixed it. However, the damage was done.
• 

  Posted by David Bullock, Oceanside, California | Sep 27, 2011

  @Mark,

  I think you're drawing a line between content publishing and SEO that shouldn't necessarily exist.

  In my experience the best SEO is built around solid, indexable relevant quality content that's engaging to the audience. SEO's role is merely to help that quality content be as visible and attractive as possible to the search engines. If people don't find you, then it doesn't matter how good your content is. Search Engines are just the point of introduction, as social media often is. Please just don't get me started on the ROI black hole that social media represent for most businesses just because anyone can "tweet".

  Wordpress and other CMS's can help automate some of the mechanical processes of good organic SEO which is why so many people say "Google Loves Wordpress". Things like proper nav structure, friendly URL's, auto-updated sitemaps, consistent H1 tags, related content links, and other optimizations all contribute to making content created for humans attractive to the search engine as well. WordPress helps these things happen by nature of it's design and conventions.

  The end consumer is always the visitor, and visitors are about human readable content. Search engines don't place orders, and a perfectly optimized page won't keep your audience coming back, but a poorly built page may never be seen in the first place.

  Dave
• 

  Posted by Nando Caban-Mendez, Austin, Texas | Sep 27, 2011

  I think I'm going to increase the rating of this article based on the nature of this discussion alone. Great contribution guys.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 27, 2011

  On David's Point...

  The old school SEO is also changing. It's clear that social is now a big part of SEO. Google results are influenced by likes and retweets. And watch what happens to your page/post if you get a handful of shares on Google+ in search results.

  SEO isn't just keywords and backlinking anymore. It's evolving. So content becomes even more important as does having a CMS.
• 

  Posted by Leisa Good, Front Royal, Virginia | Sep 27, 2011

  Great information about WordPress. I have been very happy with my experience with it as a CMS as well as very happy with the overall ease of use.

  My traffic definitely improved from when my blog was on Blogger. Between the plugins, traffic building tools, and social media tools -- WordPress does offer ways to grow a blog or web site. Not offered much outside of the control panel by other software.

  While no web site is without security concerns, a good reputable web host and your own virus protection are always a must.

  When I download anything "free", I always ask how "free" is free and how safe, secure, flexible, and complicated is "free". I think free WordPress themes should be treated the same way.

  Really enjoyed this article.
• 

  Posted by Salar Salahshoor, Portland, Oregon | Sep 27, 2011

  Dawud, I think there is a misunderstanding between us. I want to make it clear that I love using Wordpress, and I am an evangelist for the platform. I've used Drupal, Joomla and Expression Engine in the past, and EE and Drupal are probably the most scaleable for high functioning websites and ecommerce applications, but Wordpress dominates for brochure style websites and blogs, as David McKim mentioned above.

  I wanted to clarify something else to see if you'd change your position on the statement you made that the "web is about content, and design should take a back seat". I do appreciate your view on "content as king", and I too understand the value of a good content strategy. Another way we might look at this is that content without context (i.e. design) is not that valuable to a business (David Bullock expertly made this point when he said that search engines don't place orders, people do).

  I understand the importance of content and SEO that can help drive traffic to a website, but unless that traffic converts into a lead or sale, it was all wasted effort. So I would argue that the web is about context (design & content, art & copy), and they should both be held in high regard for running a successful online strategy.

  The initial article written by Matthew, and the initial comments it received were about small businesses. I've seen the value of content strategies working for businesses that have the resources to produce quality content, on a consistent schedule, and actively manage their online community development efforts, but realistically, I don't know many small business owners that have the resources to do this effectively.

  Whether or not a content strategy will produce ROI for a small business really depends on the industry and the resources that business has available. Assuming the small business owner does not have time to blog (and also assuming that if they don't have a budget for a website, then they can't hire a company to manage their content production), then what's left? I think that is the reality of most small businesses out there.

  All too often, I see consultants promising the value of SEO and how great Wordpress is (which I agree that it is the most search friendly platform out of the box). Whether it's Wordpress or straight HTML, for MOST small businesses I think it is less about the quantity of content and more about the quality of the copy and design to set the right first impression. You might say that awesome blog content sets the right tone, but I think sometimes too much information (i.e. blogging) can hurt a brand (again, depending on your industry). I think what is more important for a small service business, or very small product company is to look at their website as a brochure, and use other channels that rank high in search engines to drive traffic.

  MOST small business owners are not going to vlog or blog, that is the reality. I think if you find a client that is capable of producing quality content, and willing to invest the time, then great. Let's be real though, that is rare.

  What MOST small businesses would benefit from is leveraging other websites that already rank high (like Yelp, Etsy, Avvo, RealSelf, TeachStreet, GooglePlaces, Facebook Pages, Yahoo! Local, CitySearch, etc.). There is really an endless list of these sites that are specific to each industry. They would probably benefit more with whatever limited resource they had if they optimized their profiles on those other sites, and had a simple, elegant splash page that drove people to take action (i.e. fill out a form, or call, or purchase).

  Plus, I usually don't trust the blogs of people who are trying to sell me something. If I'm doing research on the best web camera, or if I need a crown on my tooth, I won't look to the manufacturers blog or the doctors blog for info because I know it's biased. I'll first seek out third party resources like TechCrunch or the ADA. Better to get listed on those sites somehow, or produce content for them as a guest blogger than write that content on your own website.

  When I look for a local service provider I almost always use one of those third party sites. I don't care if my dentist blogs, or if my favorite restaurant blogs. What I care about is if other people have used them and if they are any good. With some services, like dog training, I might care more if the trainer blogs great content, but again, I'll mainly be interested in third party validation.

  I also look at the quality of their website (i.e. the design and copy (ideally not too much)) to see how established they are and how much they care about their business. If a website looks vanilla, I have less trust in anything they are saying. Even if my dentist blogged, and I happened to come across him through some long tail search, I'd be keen to judge the quality of the presentation of the site, because if it not designed well, it gives me a bad feeling about the experience I might have in the office. Just like a restaurant owner might consider the finer details of the dining experience in their restaurant, they would be wise to apply that level of care in designing their website (which is often the first touch point for their future customers). Again, some industries more than others rely on good content vs. high quality design (and there is always a balance), but to say that it's all about having a content strategy is false and misleading in my opinion.

  Here is an example of two doctors that both blog. Which one would you be more likely to contact after spending 2 minutes on their sites?

  1) http://www.drphilipmiller.com/

  2) http://www.rejuvalife.md/

  Both are pretty well optimized in their category (from a SEO perspective).

  Hope some of the additional thoughts help clear up my view on the topic.

  If you still think branding and design should take a back seat, do yourself a favor and watch http://www.artandcopyfilm.com/.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 28, 2011

  Hi Salar

  First, and most importantly, thank you for taking the time to respond in such a thoughtful way.

  Much of what you've said I already agree with. I think we're taking different approaches toward the same ends for the most part.

  For instance, I'm actually not one of those 'content is king' people. Content is important, but not king. Conversion is king. Without it there's no business. Conversion should drive everything - content, visual design, social marketing, SEO etc. What's the point of focusing on any of this if it doesn't lead to business? May as well save yourself a whole bunch of money and time.

  The queen - for those who are curious - is engagement. Now, let me qualify this for a minute - I don't work with product companies, I work with service providers so the sales approach is a little different. That's why I say engagement is the queen. Without her there's no leads, there's no prospects, there's no clients, there's no sales, there's no revenue.

  Now let's also be clear - I'm not saying visual design and site architecture aren't important because they are. I think you can have both. But when you have to decide between them - when one has to win out - almost always it should be content because content leads to the king and queen more so than design.

  But all this talk about design vs content is really moot without context. How is the site used? Is it a known brand? What's being done to drive traffic? What's the primary call-to-action? etc... All of this, at least for me, comes into play in deciding what's the best approach for business goals, audience's expectations and desired results.

  So I'd never debate that certain business types have audience expectations that require truly elegant visuals. Just as there are business types that require the content to lead well in front of the visuals. I try to put my cookie cutter away whenever I can.

  Again, for the most part we agree mostly. I just see us coming at it from different perspectives.

  And you're definitely right about what clients are capable of and willing to do. That's why, in my opinion, a good business advisor will guide their clients toward solutions that best fit them. The bottom line is you have to 'do' some marketing and sales to get clients online. No shortcutting that.

  The last thing I want mention is about my expectations in a website versus my client's target audience's expectations in a website. I have very specific things I look for when I look at a site - and visual design is one of them. I appreciate well designed graphical layout and often put emphasis on things that few other people really notice or care about. I wonder if that's the same here?

  For those of us that work in the industry it's easy for us to bring focus to things that our clients or our client's clients never see. And so while I want to view websites in a specific way, I find that the people in the target markets I work tend to be less concerned with the same elements. Sure, everyone wants an attractive, well-designed website. Yet I wonder how often we put strong emphasis on the visual design because of our personal preferences rather than the needs of our client's market.

  Let me be a bit clearer - I'm not at all saying you're doing it wrong so there's no need for a debate here. What I'm suggesting is that we all tend to focus on what's important to us (human nature) and I wonder if that can sometimes lead to sites being more of what we want rather than what our client's audience needs and expects. And please keep in mind I'm well aware of that tendency in myself.

  The bottom line for me is that it's all about results. Regardless of visual design, use of content, blogging, social media, SEO, etc it's all about getting results. I think that's the place you and I agree we just go about it in a little different way.

  Either way, I do respect your opinions and am actually quite pleased to make your acquaintance here. I think we have compatible ideas and it would be fun to put our heads together one of these days.
• 

  Posted by Dawud Miracle, Boulder, Colorado | Sep 28, 2011

  One more bit from my last comment...

  Interesting where these conversations go. We start with WordPress isn't secure and end up talking about the importance of design. Fascinating tangent, no?!??