[xdude]

Many people are complaining that Wordpress is a security nightmare. Specially if you use plugins with it. It also tends to cause high load, not exactly something you’d want.

I wouldn’t personally recommend it. If you want a CMS, use something such as Joomla. But avoid Wordpress if you can.

I don't know who are those many people complain about Wordpress but I can't tell you the problem is on their side, not on Wordpress. Not sure how old you have used Joomla or Wordpress but I have used both since Since 2009. I don't like changes lot so I took my time before movin to Wordpress from Static. I really should have moved to Wordpress couple years before. I have dropped Joomla long time ago. It has lost the compition long time ago.

99% of Wordpress oriented problems are users fault. If it's a hacking 99% times the reason is because people using stupidly simple passwords or not keeping the site updated. A user should never use Admin as username and also always need to use at least 12 chractors as password.

Second thing :- The first you need to do after installing a fressh wordpress installation is do a speed test and mark your site speed without any themes or plugins. (Just use the default theme). Then always check the speed when installed a new theme or plugin.  Also I would only use themes/pugins from Wordpress repository. Even thats only after reading all reviews about those.

If you do those then most of those so call problems won't ever happen. In reality those high load issues rarely happen these days. Servers are quite powerful these days so those can handle. It's something really abnormals its either you have a crappy theme/plugin installed which can easily weed out or you are getting DDOSed by someone which has nothing to do with WP. I have one server where I run more than 30  avarage size Wordpress sites along with 2 big SMF forums. If I get a high load problem that usually caused by one of those forums.

Remember Wordpress is just a tool. A good one which has been built and vetted by the best in the field. If there is something wrong with your Wordpress sites then thats due to how you manage it. Otherwise  Wordpress wouldn't become crazy popular.

[ikk157]

I don't know who are those many people complain about Wordpress but I can't tell you the problem is on their side, not on Wordpress. Not sure how old you have used Joomla or Wordpress but I have used both since Since 2009. I don't like changes lot so I took my time before movin to Wordpress from Static. I really should have moved to Wordpress couple years before. I have dropped Joomla long time ago. It has lost the compition long time ago.

99% of Wordpress oriented problems are users fault. If it's a hacking 99% times the reason is because people using stupidly simple passwords or not keeping the site updated. A user should never use Admin as username and also always need to use at least 12 chractors as password.

Second thing :- The first you need to do after installing a fressh wordpress installation is do a speed test and mark your site speed without any themes or plugins. (Just use the default theme). Then always check the speed when installed a new theme or plugin.  Also I would only use themes/pugins from Wordpress repository. Even thats only after reading all reviews about those.

If you do those then most of those so call problems won't ever happen. In reality those high load issues rarely happen these days. Servers are quite powerful these days so those can handle. It's something really abnormals its either you have a crappy theme/plugin installed which can easily weed out or you are getting DDOSed by someone which has nothing to do with WP. I have one server where I run more than 30  avarage size Wordpress sites along with 2 big SMF forums. If I get a high load problem that usually caused by one of those forums.

Remember Wordpress is just a tool. A good one which has been built and vetted by the best in the field. If there is something wrong with your Wordpress sites then thats due to how you manage it. Otherwise  Wordpress wouldn't become crazy popular.

You have many solid points there which I highly agree with.

However, the one point where you mention that it’s almost always the users’ fault doesn’t seem to make Wordpress any better in my opinion.

Part of what makes a piece of software good is how hard it is to mess up from the end users perspective. If something is so easily messed up to the point where it no longer gets secure, then that already ruins its overall quality. Bare in mind that not everyone out there is a security expert or a web developer. There are people who don’t know any of that and simply just want to host their own website. Now if the software they’re using isn’t inexperienced people proof, it already makes it unsuitable for a good amount of people. And that’s exactly the case with Wordpress! If you know what you’re doing, then you’re all set. However, if you’re just getting started, then there’s a good chance that things could go terribly wrong for you.

“ I don't know who are those many people complain about Wordpress”

Well I’m part of the heliohost community (I’m a voluntary helper in their discord). And the users are constantly complaining about the heavy load Wordpress causes. Even the admins hate it so much! And everyone that switched to an alternative such as Joomla never faced these problems again!

[Mashiro]

The Wordpress core as in the software itself with its default theme and nothing else additional 3rd party is actually quite secure because it has a somewhat big development team behind it and even the community helps a lot by reporting bugs. So if you setup a fairly stock Wordpress blog without any 3rd party themes or plugins and use a good password the chance to get hacked is really small (still might be hidden bugs that hackers might discover and you might fall first as victim to these new bugs). Of course since usually bugs and security holes are patched quite fast it is always recommended to keep up to date. That'll reduce the chance to get hacked again.

However once you add 3rd party content the chance of getting hacked is I would say turning into an unknown equation. You might wonder why? Well, all this 3rd party stuff is usually not updated and maintained so well and plugins often contain amateur security issues that could have been avoided (TL;DR: no one does proper QA on what they seem to release). And as fancy as themes look nowadays... many of them are not themes (CSS/JS/IMG/FONTS) anymore. They all contain a lot of code mostly for this and that function and this code is very faulty often. You might be as up to date as possible with those plugins and still get hacked by masses because simply no one really either reports the issues with the theme/plugin and no one fixes it. Only some real big plugins or themes (usually actually provided by WP devs Automatic or other big design/code sites) are maintained somewhat properly. And even with that you sometimes get literally news article on IT sites about popular Wordpress themes or plugins having some serious security holes that have left thousands of blogs open to attacks for a long time.

3rd party content for Wordpress is a big issue in terms of security and bugs. It's a big like the wild west. Everyone does what they want without real consequences. No one seems to help each other with things other than developing code or themes but not really fixing/reporting issues. Some kind of QA is missing as in plugins and themes with easy to avoid issues pass through and are allowed on the Wordpress Extend site where everyone can download and install them. And all of this is usually simply out of control for the average Wordpress user that uses it as just what it is "a tool".

I have had experience myself with this 3rd party stuff being not secure. In the past a blog that I hosted since 2009 was hacked once due to a faulty plugin (yes everything was up to date) and the hackers implemented a fake Microsoft Outlook site. I got rid of the plugin and removed all traces of the hack and everything was fine again. So you see sometimes once plugin is enough... and you're up for it really big (heads up to Strato for not going ape and simply absolutely suspending the service without a chance to fix it). And before anyone starts: we use strong passwords, the server is always up to date, login is only possible via SSH public key and we even use 2FA on the Wordpress Admin. Reason for the hack was another plugin and it was easy to figure out by simply searching for "wordpress hacked and showing outlook phishing site" or a similar search term (it was years ago by now so I don't remember what I searched for on Google to get clues and tips but it was easy to find). I found a nice article on a Wordpress site where that hack was discussed and everyone had this one thing in common: the plugin that had security holes.

@deanhills can share his fair experience with his blog getting hacked despite being up to date and all setup properly.

[xdude]

@ikk157

Think about Wordpress as a knife. if you cut yr self while doing something it's not knife's fault, is it ? I'm part of several big affiliate forums like BlackHatWorld. I rarely see members come compain about Wordpress blogs getting hacked or load problems. Those people from your forum, they should have try to find where is the problem since almost all of them had the same problem. Because it sounds like a common problem there. Not sure if all of them use the same server though.

Wordpress core it self nearly perfect for avarage web user. It has no high load problems and security is superb. Like I metioned before these problems start when you start adding Themes and Plugins. All you have to do it find the trouble maker and get rid of it. Another reason is using those fancy banner systems. Also there widgets do this too. Specially if you have a bad social widget.

More than 35% of all sites out there today are based on Wordpress. No other framework or script comes even near to this. There are so many people using Wordpress. But yes there are cons. If all you want is just couple of static pages whic won't be updated for a long long time then Wordpress is useless. If you too late to keep things updates and take regular backups then again Wordpress is not for you. Also if you don't do backgroud check before using themes or plugins again better not use Wordpress.

For example I only use default themes or themes which has been around for a while. If a theme developer hasn't updated them theme for 5 Wordpress updates I start looking for an alternative. Also I have started studying Elementor because I want to stick with one builder and do my own customizations.

[deanhills]

@deanhills can share his fair experience with his blog getting hacked despite being up to date and all setup properly.

Unfortunately I don't have a clue what happened.  I've published the identical blog on different VPSs and haven't ever had it hacked in any of the other VPSs.  So can't help but think the hacking had nothing to do with the WordPress blog - there was a manipulation of something in the DNS of the VPS through the IP that may have been inherited and associated with rogue domains that still carry that IP to this day.  

I've had the same blog running on VPS 9 for a very long time.  Also on HostUS for a while.  So chances should have been that those blogs would have been hacked too.  Identical meaning I have a backup of the blog that I use as a template   I imported it into a newly created WordPress blog on my Contabo VPS and then modified it.  Added new blog posts and changed the content of the pages.  I did the import with the All-in-one WP Migration Plugin which I use to move all of my WordPress sites.  Same style, same plugins. All I did was to change the content of the WordPress blog - pages and new posts.  Blog as always was disabled for feedback - it's basically a static site for all intents and purposes.  So unfortunately I can't contribute anything of value here as I don't have a clue what happened.

Greatest irony was that when the Contabo technicians checked after the hack report had been received, they couldn't find hack files on my VPS either.  They thought I'd fixed it.  So no one has provided me with a logical explanation yet for what happened.  I haven't received real and convincing proof yet that my blog has been hacked.  And since that happened in June 2019 I've been using the same blog with same style and plugins in two VPSs with no hacking at all. So far any way.

[jagathks]

TBH, i have never used any SSG's, but i believe it truly depends on what king of website you want to make..
I love CMS for matter of fact, it solves many problems for both static and dynamic websites interms of design, url management and more...