“WordPress is secure”
The WordPress core software itself is fully secure. It’s regularly audited and vetted by experts which keeps it secure. Like all web platforms, any risks lie with the WordPress users themselves and how conscious they are about security. A bit like locking your front door behind you, or using your car’s alarm, there are plenty of simple steps anyone can do to keep out unwanted visitors – you just have to use them.
Last year (2019), WordPress powered over 34% of the internet. This is 4% growth on the year before (2018). That popularity is pretty compelling, although it does have the side effect of also making basic WordPress websites a natural target for malicious attacks. If you follow best practice procedures and opt for healthy hosting environments, you’ll have a good website and a deterrent to would-be hackers.
What is a basic WordPress Site?
A basic WordPress website is one that was developed cheaply, where budget was the main focus or criterion for picking an agency or freelancer to design and build it. Often, when a company plans a new website, security and hosting are the least interesting or valued aspects, because the owners think hackers are only interested in big, global or fancy websites. I’ve heard many small business owners say “no one would bother to hack a small company like ours”. This is the first myth to debunk. The real truth is, cyber criminals don’t pick websites based on size. Like all ‘smart’ criminals, they target easy opportunities.
In a digital sense, open doors and windows don’t exist in the latest WordPress software or even within the latest plugin updates. I emphasise ‘latest’ versions, as basic WordPress sites are hacked through entirely preventable issues that cost nothing to fix. These include out-of-date plugins, unsupported themes and insecure passwords and usernames… All human error or errors of human judgement.
“WordPress is FREE & why this is a problem”
WordPress security company Sucuri published a 2017 ‘Hacked Websites Report’. 39.3% of websites hacked in 2017 were running out-of-date WordPress core software at the time of the incident. Our belief, based on this and our experience, is that out-of-date software leaves a clear, identifiable footprint, detectable by malicious entities. Out-of-date software and plugins are both a beacon and a security risk. Sadly, when we last checked, only 62% of WordPress websites were running the latest core software version. My view is that being in the 38% who regularly update is the easiest and free defense. At Usable, we include this as part of our weekly or monthly support service – ask for details.
“WordPress Plugins and Themes are the problem”
Yes and No. Over 56,000 themes and plugins are available in galleries such as Themeforest. Many more premium ones are also available direct or through small development houses – so the choice is staggering, but not all are equal! Choosing a theme to match your vision for the company seems like an easy option when you’re looking at colours, images and layout, but this is where caution is advised.
The best theme and plugin development houses do a good job of patching security issues as they become known. If in doubt, our advice is visit the support page for any theme you are considering and check their support log. The less premium theme and plugin creators will show less frequent updates which is a tell-tale sign of security risk. Some dev houses simply stop supporting their products and you might not even be aware.
According to a report by the WordPress security software Wordfence, over 60% of website owners who were hacked knew how the hacker got in. All attributed it to a plugin or theme vulnerability, most likely out of date.
Sucuri’s 2016 report actually identified just 3 plugins as accountable for over 15% of the hacked websites they looked at. This is frustrating, as the vulnerabilities in those plugins had long since been patched by the companies who made them. The websites using these plugins just hadn’t updated to the latest versions.
“Any WordPress login is easy to hack”
WordPress usernames and passwords are a perfectly secure system for locking out the bad guys. However, a large percentage of hacks come from login credentials leaking into the wrong hands via the webmasters’ own hosting or FTP account.
According to Wordfence, 16% of hacked sites were through password theft, public workstations, or through phishing techniques. These are all equally attributable to Joomla, Shopify, Wix, Magento, Webflow or any other CMS system with multiple accounts.
Perhaps the key factor with weak login details is username and password ‘quality’. Out of the box, the username ‘admin’ is given to all WordPress websites. Previous to 2020, the number of WordPress owners using this was as high as 18%. Nowadays it’s likely to be higher. And like the core WordPress version you are using, this information is publicly available on your site if you add blogs and news. If so, hackers simply need to guess a password, and there are AI tools to do this for them! According to Wikipedia, in 2020 the most popular password was 123456 and the second most popular was 123456789 – ten years running. So, username Admin and password 12345 is almost a skeleton key for many budget websites. Check your website users right now in the ‘Users’ panel on WordPress – and remove any of these immediately.
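A self-check for the exposure described above, as an added example that is not part of the original article: it scans a saved copy of your own homepage for the WordPress core version (the generator tag and ?ver= on core assets) and for author-archive links that reveal login names. The sample HTML is constructed, and the names ExposureAudit and audit are illustrative; the remedy for anything it reports is updating the software and replacing the ‘admin’ account.

```python
import re
from html.parser import HTMLParser

# Constructed sample homepage HTML (not taken from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.2.4" />
</head><body>
<a href="/author/admin/">Posted by admin</a>
<a href="/author/jane-editor/">Posted by Jane</a>
</body></html>"""


class ExposureAudit(HTMLParser):
    """Collects version and username markers visible to any visitor."""

    def __init__(self):
        super().__init__()
        self.versions = set()      # core versions seen in the markup
        self.author_slugs = set()  # slugs from /author/<slug>/ archive links

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # WordPress prints its version in the generator meta tag by default.
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.match(r"WordPress\s+([\d.]+)", a.get("content", ""))
            if m:
                self.versions.add(m.group(1))
        url = a.get("href") or a.get("src") or ""
        # Core assets often carry the core version as a ?ver= cache-buster.
        m = re.search(r"/wp-includes/[^?#]*\?ver=([\d.]+)", url)
        if m:
            self.versions.add(m.group(1))
        # Author archive links usually mirror the account's login name.
        m = re.search(r"/author/([^/?#]+)", url)
        if m:
            self.author_slugs.add(m.group(1).lower())


def audit(html):
    parser = ExposureAudit()
    parser.feed(html)
    return {
        "core_versions": sorted(parser.versions),
        "author_slugs": sorted(parser.author_slugs),
        "default_admin_exposed": "admin" in parser.author_slugs,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```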
“WordPress hosting is cheap”
A bit like WordPress themes and plugins, your hosting environment makes a crucial difference too. WordPress sits on a layer known as PHP. In 2020, as of researching this article, the latest version, known as PHP 7, has many built-in security enhancements over the earlier version, PHP 5. Yet only 33% of WordPress websites use PHP 7 or higher. The company we use and recommend is Level Ten Hosting, who ensure this is always up to date and help with any and all queries.
Using premium WordPress hosting may seem like an unnecessary cost, but as well as adding security, it can also offer real-time multi-location backups, faster updates and better mobile experiences. So, even if a whole continent powers down, your website won’t. And speed is the added bonus. Google now includes in its algorithm an indicator of how quickly your website and pages load, because on mobile this really matters.
“It doesn’t matter if our website is slow”
The speed of all CMS platforms, including WordPress, can degrade over time without proper attention. It’s a factor that now affects your search engine optimisation (SEO), but also your users’ experience (UX) and the admin team who have to make updates. You should measure your site’s initial loading time using a service such as Pingdom. If you are concerned, simply enter your site’s address and choose a local testing server.
In our experience, longer than 2 seconds to load is bad, but it is usually only due to a small number of rescuable factors. We’ll cover the easiest to fix, in order:
- Images. Any homepage with multiple images will slow down loading speed, but it’s easily remedied. Firstly, Photoshop can only compress images so far. To really optimise them, try using tinypng or jpgcrusher. This can shave off up to about 80% of file sizes usually. Then, if you’re using WordPress already, switch on lazy load for images (you may need to install a plugin such as a3 lazy load) which delays the loading of images until they are required.
- Hosting environment – Even with the above fixes to images, how and where your website is hosted probably makes the biggest difference. We’ve recently upgraded to a brand new WordPress-specific hosting environment with NGINX running. Just migrating our clients’ already optimal websites has increased their website speeds by up to 5x. Get in touch for details and costs.
- Theme – Not all themes are constructed with speed in mind. Consider migrating to another theme, or hand coding just the key pages such as home and any landing pages.
- Plugins used – Audit the plugins that are currently used. Check the dates of their most recent releases and the most recent reviews. If in doubt do a Google search to see if any are known for performance issues. Any that flag up problems, consider hand coding into the theme or swapping for better supported plugins.
- Clean Up Your WordPress Database – Every WordPress website uses a database to store data to use when necessary. All your post and pages revisions, draft versions, and users etc are stored. As time goes by, the database becomes ‘bloated’ accumulating out of date info which takes longer for WordPress to process. Try using the brilliant Advanced Database Cleaner which can be found in the plugin directory from within your WordPress website. All information is presented simply for you to make a single click and remove unwanted data.
“Is WordPress good for SEO?”
Yes. Well, technically it’s at least as good as your own skill. Nearly 25% of the world’s top 10 million websites — including TIME, Mashable, Marketing Land and Search Engine Land — are built on WordPress, which is compelling enough. However, like all CMS platforms, onsite SEO isn’t an accident to get right. It requires a strategy, a plan and time to execute along with other off-page SEO techniques (i.e. backlinks – other ‘quality’ websites and social media channels with links to your website).
Is WordPress already optimised for SEO?
Firstly, that’s an honest No. However, there are no CMSs that are automatically optimised and honestly, that would be frustrating. Especially if your theme or developer guessed your core business incorrectly and attracted visitors looking for the wrong reasons. WordPress is search engine friendly though – meaning it has integrated tools such as Yoast that can be installed and configured really easily if you know how to write well. However, you will still need SEO expertise plus maybe a copywriter and someone to review your performance with Google Analytics. So, simply switching to WordPress won’t rank you on Google but it’s a great start. It is, however, a continuous list of tasks that should be ongoing within your marketing efforts. If you need help, get in touch for details and costs of our own on-page and off-page SEO services.
Is WordPress mobile-friendly?
Again, no – not natively. This is where the right theme or developer makes the difference. But before that, it’s worth considering the term ‘mobile-friendly’… To me there are two distinct variants: 1. Whether Google’s robots consider your site to be mobile friendly… (test it here for a numerical score) and 2. Human UX and how it actually appears on phones to users. The latter is more of a UX and UI consideration, which you can test using any number of online mobile phone emulators, including this great, free resource from Browserling.
Looking at Human UX considerations on WordPress, there are also two distinct types:
- The first and basic type of theme is Responsive. The content in a responsive webpage automatically adapts its formatting and shape to suit different screen sizes. Typically the WordPress theme you have chosen will handle this. Results can be a little surprising though as it’s automated.
- The second and favoured type of mobile content is Adaptive. Similar to responsive, but the actual content in your page can also change. An example might be that on the desktop view of your website you display a complex data-table, but on the mobile version of your website, this is replaced by a simple image. Taken further, you can even change the menu structure, so you might want to remove some pages for Mobile visitors such as calculators and careers pages which may not be relevant. This improves UX and ultimately satisfaction for visitors and is very easy to configure in the best WordPress themes, which is why we prefer Adaptive.
“WordPress is super-easy to use”
The most common website requirements are usually covered with a really good theme and shouldn’t require any HTML expertise. That said, not all WordPress websites are easy to use. At Usable Media we compared our own WordPress platform against a list of the most common requirements from our clients to ensure we’re still as good as ever. The list of 15 tasks goes from adding a new page or image to GDPR and improving SEO. See the full list here.
With more advanced features such as integrating HubSpot, creating online calculators or taking payments, you may need a bit of help from us. Still, I think WordPress makes this type of advanced functionality as easy as possible, even for developers to help from time to time.
“How long does it take to build a WordPress website”
It can be quick. 2 weeks quick. Although in our experience, there is a list of ‘hidden’ elements which aren’t even specific to WordPress that cause delays. Looking at our last 10 WordPress projects, I have identified the most common events to slow schedules and ranked them below – with recommendations on how we mitigate against project slip:
- Key stakeholder holidays and absence (c.25%)
Task 1: Use a dedicated project manager to align calendars based on people’s availability at the beginning.
- Changing the design or navigation part-way through the project (c.20%)
Task 2: Start the design process with a UX workshop and build an interactive prototype to experiment with
- Changing the content and architecture from a previous website (c.20%)
Task 3: Build a blank WordPress website using the definitive text. Use this as the ‘data point of truth’
- Multiple contact forms (c.15%)
Task 4: Define ‘Ideal visitors’ and plot their user-journey through your website. Include how they get in touch and what automated follow-up steps are needed to keep them interested.
- Adding animation or micro-interactions such as mouseover states (c.10%)
Task 5: Perform an upfront quiz for Key stakeholders. Then audit these competitors and influencers and include any requests in the project scope for signing-off.
- Task 6: These are sadly legal requirements. Make a list of the required notices at the beginning of the project and ensure the legal department or consultant is involved early-on.
“I will still have to pay my agency for simple website updates”
WordPress powered 34% of the internet in 2019. If you count only the CMS-built sites, then about 60% of them are WordPress. With over 400 million people visiting WordPress sites each month and nearly 118 billion words published on WordPress, a busy community of WordPress experts has developed to support this activity. This is great for clients, as choice drives quality and value for them.
We know at Usable Media, we have to provide genuine value to retain our clients. If not, quite simply, we would lose them. We drive value in 5 key areas as follows:
- Cost. Our pricing is based on a studio rate, so whether it’s SEO, Design or Advertising Strategy etc, we’re collaborative so you get a product that’s influenced by expertise. We have an office but our team are encouraged to work collaboratively, remotely and wherever they feel most effective.
- Support. We want to be easy to do business with. To support our clients ongoing, we have 3 main tiers of support: Rapid Response for same day emergencies, Support Tickets for out of hours help and Sprint meetings for scheduled support. Every website we build for a client uses our award winning page builder software, which has been used by over 100,000 websites.
- Proactive. We listen. We care that our clients excel and if we spot an opportunity or gap in their or their competitors’ efforts, we don’t ignore it. We research it and provide usable, high impact recommendations that help our clients achieve ROI.
- Team. The work we deliver is from professionals chosen by talent, not by convenience or location. Using the power of online meetings with a central project manager enables us to collaborate using the strongest individuals in our industry.
- Tested. Our core team is supported with a global expert advisory panel. This covers SEO, CRO, UX and PPC. Our work and advice is reviewed, tested and refined before we make any recommendations.
- Sustainable. We have never driven or travelled to a meeting if it can be held online and always ask first. Doing this provides us with less travel time and more time to talk to clients which is better for communication. It’s better for the environment too.