WordPress: What’s Hot, What’s Not

Matt Mullenweg, the head of Automattic, the company behind the WordPress content management system (CMS), announced last November that WordPress had garnered 25% of the market. Today, one out of every four Web sites runs on WordPress, far more than the next-best-known content management systems such as Joomla, Drupal and others. There are many reasons for WordPress’s success: its open-source code, the fact that it’s free, its large, very active community of users, its ease of installation and use, and its versatility. A true one-size-fits-all CMS for every problem still doesn’t exist. WordPress admirably meets most needs, but doesn’t work in all circumstances.

The Ecosystem

Due to its great popularity, many programmers have created themes and plug-ins (or extensions) for WordPress. Users enjoy countless choices, some  with very highly evolved functions. WordPress is kind of like the iPhone: its attendant application ecosystem is just as important, if not more important, than the original product. WordPress’s extremely active user community and the richness of its extensions are its greatest strength, but also its greatest weakness in terms of security and stability, as we will see.

Ease of Use

The WordPress administration platform is designed to be intuitive and non-intimidating for beginners. In fact, it’s downright fun to use. Since version 4.0, major efforts have been invested in a WYSIWYG environment, lowering the entrance threshold even further and reducing the learning curve. Further, due to its pervasiveness, few people have no prior experience whatsoever with WordPress. Finally, WordPress start-up costs are extremely low, which has also contributed to its success.

Quick Development

The vast choice of themes and plug-ins and their technical simplicity allow for a very short Web site set-up time, barring unusual or very specific requirements. For most common purposes, there is no need to reinvent the wheel with WordPress; your required plug-in probably exists already. And should you need a special feature, you’ll have an easier time finding a specialist for WordPress than Drupal or Typo3.


When all is said and done, and notwithstanding heated debates on this and other issues that the Internet seems to have a knack for, WordPress is essentially a blog (a chronological wireline), which means it’s not really a universal CMS, unless you are prepared to add on numerous extensions and twist its arm. WordPress makes an excellent blogging platform and general information and news Web site, but doesn’t work so well with more sophisticated, complex, non-linear platforms. WordPress is a blogging tool that can double as a Website, but the reverse is not true. Not yet, anyway. Automattic is in fact at a strategic crossroads, where it must define what WordPress is, and will be. It can legitimitally aspire to do everything, but not to do everything well.


WordPress has a long history of security flaws. Though it has improved in this regard since version 3.7, with the release of its automated update system, the many extensions and themes, sometimes of doubtful provenance or poorly conceived or maintained, can open the door to malware. Worse yet, WordPress developers are often slow to react to serious, documented bugs. WordPress is also a victim of its own success, since hackers get a better return on investment taking on wildly popular systems than obscure ones. In fact, thousands of bots lurk the Web looking for potentially hackable WordPress sites; a quick log file analysis of any HTTP server will demonstrate the ubiquity and virulence of such bots. Any professional WordPress site therefore requires constant monitoring and advanced security capabilities. And though it is laughably easy to install WordPress, its standard version is lacking in useful and essential security features, which must be topped up with plug-ins.

Potential Instability

The more external plug-ins you use, the more complex and fragile your system becomes and the more likely it is to break down at your next WordPress update. However, not performing security updates is not an option, even if it means that your Web site might malfunction due to newly incompatible plug-ins. And since WordPress’s strength resides precisely in its extensions, you’re stuck between a rock and a hard place, with all the frustration this implies. On the other hand, the new administration interface currently in the works, named Calypso and developed in JavaScript (along with the Node.js, React and Flux libraries), is rumoured to be incompatible with all previous versions of WordPress, suggesting that it may be wise to wait and see before launching into any large, WordPress-based projects.