Why we don't build on WordPress

We build custom sites: hand-coded pages paired with a lightweight headless CMS and served from a global edge network. We deliberately don't build on WordPress, even though it runs around 40% of the web, and that's a considered choice rather than a gap in our skills. WordPress is fine software that's been stretched far past what it was designed for, and for a modern business site the trade-offs aren't worth it. Here's the honest case, and what we build in its place.

It's the biggest target on the internet

WordPress's ubiquity is exactly what makes it dangerous. When 40% of all websites run the same software, attackers automate against it at scale. Bots crawl the web around the clock probing for known weaknesses. The core software is reasonably secure. The problem is everything bolted onto it.

The typical WordPress site runs a dozen or more plugins, each written by a different developer, each a potential way in. One plugin that doesn't get updated, because the developer abandoned it, or because nobody on your side is checking, is how sites get defaced, injected with spam, or held to ransom. The numbers aren't subtle. The overwhelming majority of hacked WordPress sites are compromised through plugins and themes, not core.

When your site is also your main source of enquiries or sales, that's a risk that compounds quietly until the day it doesn't.

Plugin bloat makes it slow

WordPress does very little out of the box, so you add plugins for the things you need: forms, SEO, caching, galleries, security, performance. Each one loads its own scripts and styles on every page, whether that page uses it or not. The result is a site that's heavy and slow before you've added a single line of your own.

Speed isn't a nice-to-have. Slow pages get demoted by Google and abandoned by visitors, and the drop-off is worst on mobile, where most of your traffic is. You can fight the bloat with caching plugins and tuning, but you're spending effort to claw back performance the platform gave away by default.

The maintenance never stops

A WordPress site is never done. Core updates, plugin updates, theme updates, PHP version bumps, security patches, and the genuine risk that an update breaks something, because all those independently-written plugins have to keep working together. Either you pay someone a monthly retainer to babysit it, or you don't, and it quietly rots until something falls over. There's no free option. There's only "pay attention" or "pay later".

What we build instead

We build custom sites: fast static pages, hand-coded rather than assembled from a template, and served from Cloudflare's global edge network. In practice that means a few things.

It's fast everywhere. Pages are served from data centres close to your visitors: quick in Perth, quick in Brisbane, quick for a customer on their phone. No caching plugins required, because there's nothing slow to cache around.

There's almost nothing to attack. No database to breach through a vulnerable plugin, no admin login for bot-armies to hammer. The attack surface is a fraction of a WordPress site's.

Content lives in version control. We pair the site with a lightweight headless CMS, so your content sits in version control rather than a fragile database. Every change is tracked, nothing gets silently overwritten, and the site can't be taken down by a corrupted database table.

And there are no surprise maintenance bills. No plugin licences renewing, no update treadmill, no 2am "the site's down" calls because an auto-update went sideways.

"But WordPress is what everyone uses"

It is, and "what everyone uses" is exactly why it's the most attacked and most bloated option going. Popularity isn't a quality signal here. It's a liability. The right platform is the one that's fast, secure and cheap to keep running for your business, not the one with the biggest market share.

You still get a proper content management experience: editing pages, publishing posts, running a knowledge base. You just don't get the security holes, the plugin sprawl, or the endless maintenance bill that comes with them.

If you're weighing up a new site or a rebuild and want to see what this looks like in practice, here's how we approach web design.