As a company specializing in website design and development, Workhorse frequently finds itself in the role of suggesting or addressing inquiries regarding different Content Management Systems (CMS). Although we endorse various CMS platforms and always tailor our recommendations to meet the unique requirements of each client, WordPress consistently takes center stage in these conversations. Having successfully crafted hundreds of websites on this platform, WordPress has risen to become the most widely used CMS globally, driving approximately 43% of the internet.
However, we often face many dated and incorrect assumptions about its suitability for the role.
Why is there a negative perception of WordPress?
WordPress often is often dismissed for the enterprise for a few reasons:
- Security concerns
- Stability and scalability concerns
- Apparent ease-of-deployment and customization gives the appearance of it being amateurish
- Experience level of WordPress developers varies considerably, leading to a poor perception of theme quality, design, usability, and security
- Content management experience is inconsistent and based on developer skill, number of plugins, and use of visual page builders
However, WordPress’ extensibility and developer-focused features means that leveraging WordPress as an enterprise-level content management system is a viable option for many organizations, and all of the above concerns are the result of poor planning, development, and (lack of) maintenance. WordPress can meet the needs of the enterprise, resulting in a consistent, enjoyable content management experience as well as a secure and performant website.
Fortune magazine even published a list of the largest companies in the USA that use WordPress which includes the likes of Walt Disney, Merck, Warner Bros. Discovery, Campbell Soup, Clorox, and dozens more.
Even NASA just launched their new website, built on WordPress.
Why did NASA choose WordPress for its CMS?
An interesting post on WP Tavern explores many of the reasons that WordPress was selected to replace an aging website that NASA had developed on the Drupal platform. Notably, NASA evaluated over a hundred content management systems before deciding on WordPress.
According to the president of the agency that rebuilt nasa.gov:
“For years, myself and many of us in the WordPress community have been mythbusting the perception from customer stakeholders in 2 areas: (a) WordPress isn’t enterprise. It’s just a blogging platform. (b) WordPress is not a secure CMS,” Toothman said. “While I don’t expect NASA choosing WordPress to wipe out those pre-existing perceptions, it is further evidence to support the fact that WordPress is enterprise class, and that it can meet security benchmarks.”
– J.J. Toothman, President, Lone Rock Point
Scalability & Performance
WordPress can be designed and built to be scalable and fast, but similar to any CMS there is planning and consideration that needs to go into those processes. A non-exhaustive list would include:
- Using a WordPress-tuned infrastructure
- Following WordPress development best practices
- Carefully considering plugin and theme selections (see below)
- Using a dedicated server and/or appropriate infrastructure
- Optimizing front-end theme code
Security
The WordPress core is incredibly secure. However, its ease of use also makes it possible for users to deploy a poorly configured or planned website. That ease of use has contributed to the perception that WordPress is not secure. In addition, many site owners do not understand that regular maintenance is required to keep their website stable, fast, and secure.
None of the above security concerns apply to a properly built and maintained WordPress website, and in reality the preventative actions and best practices that are required apply to all enterprise sites, not just those built on WordPress.
In addition, we often find that a marketing website can be caught between both the IT and marketing teams, with no clear owner of the security and maintenance responsibilities. This dynamic commonly results in what could have been preventable security issues.
Creating a plan during the development phase to account for these needs is critical to ensuring that the WordPress installation stays secure:
- Create a plan for who will regularly update WordPress core, theme, and plugins, and at what cadence
- Create a plan for who will be managing server updates. It is often smarter to use a managed WordPress host to handle these responsibilities for you, unless your IT team has the capability and capacity to do so. NASA moved to a managed WordPress host from their Amazon AWS environment for this reason.
- Implement firewalls and security features to prevent DDOS, OWASP attacks, brute force, and other common attacks against websites
- Backup and disaster recovery plan and testing; similar to what would be done for any software
Authentication, Identity Management, and Roles
We’ve always found WordPress’ out-of-the-box authentication and user management to be well built, but often insufficient for a large organization. The default user roles are not granular enough, for example, making it hard to observe the “principle of least privilege“: giving your users the access they need, but no more.
Thankfully these issues can be easily solved by:
- Creating custom roles based on business need
- Integrating company SSO and identity management solutions
- Enforcing multi-factor authentication
- Implementing other login protections such as restricting access to the CMS login endpoint
Customization & Extensibility
WordPress is open source and has thousands of available developer hooks and a robust API, allowing you to build and integrate endless features. For example, it’s possible to:
- Create modern, JavaScript-based headless websites
- Integrate with native apps
- Build custom web applications
- Integrate with CRMs and third-party applications
Most importantly, you do not need dozens of conflicting and potentially redundant third-party plugins to do so.
Conservative Use of Plugins
One of the most common causes of a compromised WordPress site and a poor content management experience is a reliance on out-of-date, poorly curated, and redundant plugins. The WordPress plugin library is massive and easy to use, which is a blessing and a curse. To avoid these issues, we recommend using a small, curated list of well-maintained, carefully vetted plugins. And of course, they should be updated regularly, in the same way you would maintain all software that is a foundation of your day-to-day business or personal life.
In addition, we often see WordPress sites utilizing plugins for tasks that could be easily accomplished with minor customizations to the theme, or that offer redundant functionality found in another plugin.
To address these concerns, we always recommend disabling the ability for users to install plugins, and having a qualified team review any plugin installation requests carefully.
Publishing Workflows
Often, enterprises have content review and publishing workflows that require various levels of approval. Out of the box, WordPress does include acceptable tools to handle this approval process. However, this can be extended to build out custom workflows based on your content administration requirements.
Use a Custom, Thoughtfully Built Theme
Similar to plugins, there are thousands of free and commercial themes that can be easily installed to quickly get a WordPress site online. However, they can vary wildly in quality and are almost never an ideal solution for developing an enterprise site.
For example, they often take a kitchen-sink approach to site building and attempt to be all things to all people. This means that the theme’s code base is huge and it will be very difficult to maintain consistent brand standards as new content is added to the website. Enterprise WordPress projects are much more successful if the theme is built, bespoke, for the specific needs of the organization.
We often find commercial themes lead to a Frankenstein’s monster of brand continuity problems as well. Due to their flexibility, a user might use the wrong color code for a heading, the wrong font style or size, or even an entirely different page building method, leading to any number of inconsistent user experiences.
A custom theme has a number of advantages over a commercial theme:
- Smaller attack surface and less code bloat
- Branding consistency across all content modules and layouts
- Tailored administrative experience that increases productivity and content manager satisfaction
Compliance & Accessibility
Out of the box, WordPress meets many of the compliance requirements of the enterprise, such as WCAG 2.1 AA and privacy requirements. Once you start designing and building, though, you must take care to continue to ensure that you are following all organizational and jurisdictional requirements. Doing this is not so much a WordPress issue, but rather should be considered throughout the project lifecycle, from design through post-launch maintenance, for any website.
Selecting an inexperienced team, or a poor quality theme and plugins, can make meeting compliance requirements much more complex.
Open Source Puts You in Control
WordPress is open source and quite portable. This gives you control of your website in ways many proprietary “enterprise” content management systems don’t:
- No expensive licensing fees
- No vendor lock-in: You can move your website as you see fit
- Many more developers and agencies capable of enterprise-level development and support
- Full access to codebase
- Cost of ownership is almost always lower
Choose the Right Team to Build & Support the Website
This one is critical. You need a qualified team to build the website, one that has expertise in building scalable, high-traffic, enterprise sites. Do not rely on freelancers or in-house developers whose area of expertise is another technology stack or can’t dedicate their full focus to the website.
Aside from the question of WordPress, a modern enterprise website has compliance, security, performance, and scalability requirements that require a specialized team to both understand and implement those needs.
The team must understand the compliance and legal landscape for your business and the changing web ecosystem and have the ability to stay on top of web development trends and best practices.
The Wrap-Up
In conclusion, while WordPress is a powerful CMS, the success of its implementation in an enterprise environment often depends on proper planning, ongoing maintenance, and adherence to best practices.
Over the past 10 years, Workhorse has designed and developed over 300 WordPress websites, most of which we continue to host and maintain. All of the best practices discussed above have become central to our enterprise methodology and process. By following these best practices and customizing WordPress to meet your enterprise’s specific needs, we can help you create a secure, scalable, and efficient content management system for your entire organization.