Scalable and Secure: The Benefits of Choosing a Custom Website over WordPress

As of September 2021, WordPress is estimated to power around 40% of all websites on the internet. This includes both self-hosted WordPress websites and websites hosted on WordPress.com. Given that there are nearly 2 billion websites currently on the Internet, WordPress powers a very large number of websites. That is not too surprising given that it makes building and managing a website easy and accessible, even for beginners. It provides the path of least resistance for a user while offering a large library of themes and plugins to choose from. And given its free and open-source nature, it’s a cost-effective choice for many users.

But there’s a catch: the popularity of WordPress websites makes them a target for hackers. Hackers are always looking for ways to exploit vulnerabilities that they can use to gain access to websites. Things like using outdated software, weak passwords, third-party plugins and themes, and making mistakes can all create opportunities for hackers to exploit. The modularity and customizability of WordPress is also its biggest weakness.

Here at Web Performers, we have first-hand experience with hackers attempting to breach our website because they assume we use WordPress. Several tens of thousands of websites are estimated to be breached daily, so it is safe to assume that WordPress websites make up the majority of them.

The Security Edge of Custom-built Websites

Custom-built websites are generally considered to have better security compared to WordPress websites because of the unique code used in their development.

Unlike WordPress, custom-built websites are built from scratch using custom code. That also means there is room for simple mistakes that expose security risks, whereas WordPress is a system tested by many users. However, most, if not all, custom-built websites may not have third-party security plugins, which need to be monitored and updated in order to keep the entire system secure (on WordPress websites in general, plugins can be a source of security issues, so they always need to be chosen carefully).

And here comes the interesting part: the WordPress security mechanism is well known. So are various exploits. Once an actor identifies a platform as WordPress, these well-known exploits come into play.

Our research shows that nearly 20% of the traffic to sites we built, especially in their early life stages, is testing for WordPress exploits. The most popular are checks for left-open or unsecured API endpoints, XML file detection, and sometimes even brute-force attempts.

Which makes one think: if a site is custom built, it becomes hard(er) to grasp what kind of security mechanism is used, what the attack vectors are, and so on. This alone does not make a site super secure, yet it will majorly disappoint automated tools trying the exploits.
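To measure this kind of probing on a site that does not run WordPress, the access log can be scanned for WordPress-only paths. The following is an added example, not our production code: the log lines are constructed samples using documentation IP ranges, and the threshold and function names are assumptions.

```python
import re
from collections import Counter

# WordPress-specific paths. On a site that does not run WordPress,
# any request for them is a probe rather than normal traffic.
WP_PROBES = {
    "login": re.compile(r"^/wp-login\.php"),
    "xmlrpc": re.compile(r"^/xmlrpc\.php"),
    "rest_api": re.compile(r"^/wp-json/"),
    "core_files": re.compile(r"^/wp-(admin|content|includes)/"),
}
# Common/combined log format: ip - user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')
BRUTE_FORCE_POSTS = 3  # assumed threshold, sized for this small sample

def classify(path):
    """Return the probe category for a request path, or None."""
    return next((k for k, rx in WP_PROBES.items() if rx.match(path)), None)

def analyze(lines):
    """Count WordPress probes and flag IPs repeatedly POSTing to the login page."""
    total, kinds, login_posts = 0, Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, method, path = m.groups()
        total += 1
        kind = classify(path)
        if kind:
            kinds[kind] += 1
            if kind == "login" and method == "POST":
                login_posts[ip] += 1
    probes = sum(kinds.values())
    flagged = sorted(ip for ip, n in login_posts.items() if n >= BRUTE_FORCE_POSTS)
    return {"total": total, "probes": probes, "kinds": dict(kinds),
            "share": probes / total if total else 0.0, "brute_force_ips": flagged}

def make_line(ip, method, path, status):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0'

# Constructed sample traffic, not real logs.
SAMPLE = [make_line(*r) for r in [
    ("198.51.100.4", "GET", "/", 200), ("198.51.100.4", "GET", "/pricing", 200),
    ("198.51.100.9", "GET", "/blog/post-1", 200), ("203.0.113.7", "POST", "/wp-login.php", 404),
    ("203.0.113.7", "POST", "/wp-login.php", 404), ("203.0.113.7", "POST", "/wp-login.php", 404),
    ("203.0.113.8", "GET", "/xmlrpc.php", 404), ("203.0.113.8", "GET", "/wp-json/", 404),
    ("198.51.100.9", "GET", "/contact", 200), ("198.51.100.4", "GET", "/static/app.js", 200),
]]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The same report can feed an alert: on a custom-built site every hit in these categories is unexpected, so there is no legitimate baseline to subtract.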

The Frameworks

One of the ways we found reliable to avoid simple mistakes while coding, without diving into third-party plugins, extensions and so on, is using mature frameworks. Most of them (like Node with Auth0, Django) already have well-thought-out security mechanisms in place, and various protections against misusing them.

These parts are crowd-coded by very high-tier developers. They do need patching and keeping up to date as well, yet they are considered highly reliable, are open source (which makes them even more reliable, IMHO) and free of charge.

For the above reasons, there are tons of materials on how to code with them properly, so the security factor gets higher without inflating development time or budget.

Auditing tools

Auditing is of major importance in security (ISO 27001 agrees), and it should be an integral part of both coding and maintenance of the actual page.

We use the Security Headers tool (https://securityheaders.com/) and integrate penetration-testing scenarios into automated tests. Another trick: reports and alerts on unexpected activity in sensitive places in the code. The beauty of custom-built platforms is the ability to monitor sensitive places, since there are not that many, while they are being built and afterwards.

Once you use a platform such as WordPress, you have to be aware of all the bells and whistles available with the platform (e.g. content APIs), and thus be aware of their configurations and the states they are in. Or, of course, consider buying a plugin that will do it for you.

What's the verdict?

WordPress is great. That's why it fuels most of the internet these days.

Custom apps are undervalued, I believe, and got the reputation of being super expensive and complicated thanks to everyone (those who should and those who should not) building them.

If you value your time and the security and stability of your web (or any other digital) platform, consider choosing an ISO 27001-certified (or security-first minded) partner for your solution.

Contact us here to discuss us being that partner, if interested :)