Business Decisions Impacting Your Customers Could Be Fatal

As a WordPress agency owner running my business and being responsible for dozens of people, my main goal is stability.

Stability in Business

John Lennon once said:

“Life is what happens while you are busy making other plans”

Since life is fragile itself and things change every single minute, the least we could do is stabilize as many variables as possible and take care of the potential problematic areas. That said, stability in business is determined by various factors, such as:

  • Having a steady recurring revenue model – memberships, selling WordPress products, or a backlog of clients for services
  • Working with a reliable team – employees, contractors, trustworthy and capable people available for work
  • Setting up the right work environment – office, equipment, Internet access and everything required for work on a daily basis

Stability includes trust, reliability, delegation, long-term commitment and being able to believe in a technology, partner or an idea so much that you share your business and sensitive data with them knowing that they are safe, while dealing with the rest of your work.

Stability could be interrupted in a many ways that we cannot predict, or at least expect not to happen. Some of those are not crucial, but others are critical. And based on your risk management process, you can prevent some of these depending on how much loss your business will generate in case of an unexpected event.

Stability and Potential Loss

For example, if your Internet at the office is down for an hour every two weeks, you have to assess the damages for your business. If only two people work at the office and most of their work is offline, that may be something that you don’t even notice – and it’s fine.

If this is a call center with 30 people, that means 60 non-billable hours or interrupted calls with serious prospects. Now that’s probably critical.

If Amazon’s or Google’s network was down for an hour every two weeks, people would probably start using eBay and Yahoo much more often which will lead to tens of millions of dollars of damages per month due to the downtime.

As you can see, an interruption in a service may be critical for some, and you should always be aware while working with your customers. My ISP offers a premium plan for VIP customers with a backup line with Internet access if the main one is down, extra gateways, internal DNS servers and so on. That premium service is worth paying for extra for business people.

If your Internet is down for 2h/month and you can break a server in the middle of a deploy, or lose a consulting client paying $300/hour – would you not pay $20-$40 extra for a backup line or switch to another backup ISP, or pay for two providers simultaneously?

Web Development, CMS Stability and WordPress

Coming from the Enterprise world to WordPress was incredibly shocking for me. I was both excited for the opportunity of solving more problems and delivering more projects in a shorter amount of time, and freaked out by the unexpected estimates when it comes to delivering a complex custom plugin or polishing a reliable platform.

Since I was dealing with estimates and project planning at one of the Java companies I worked for, I’ve had 6-figures projects signed for the amount of features that would translate to a $20K – $30K project in the WordPress world.

Now, the amount of work itself was significantly more – for a Java project – but there is another key takeaway:

A project of that size requires months of R&D, validating an idea, and numerous iterations of testing and benchmarks.

Rushing things leads to mistakes. Mistakes cause problems and regressions. And that could affect budgets, data, relations, and overall slam an entire business should that happen in the wrong moment.

But rushing things and underpricing is incredibly common in the WordPress world.

Drupal and WordPress

Dries covered Automattic’s latest acquisition in his post “Why WooMattic is big news for small businesses“. While I believe that a potential vertical with hosted WooCommerce would definitely create opportunities for small business owners (and reduce the waves of Wix and Squarespace users as well), Dries ends with the following comment:

To me, this further accentuates the division of the CMS market with WordPress dominating the small business segment and Drupal further solidifying its position with larger organizations with more complex requirements.

I disagree with his sentiment, but he’s right about one thing: Drupal has a proven place in working with large organizations having complex requirements. Probably the majority of the popular Drupal-based projects fall in that category (unlike 95%+ of the WordPress projects being blogs or 5-page business card websites).

And since I actually like Drupal myself, I would understand if a large corporation picks Drupal instead of WordPress for their project. Let me explain why.

WordPress is dangerous for non-experienced people

That’s right – it is.

You may be a technical expert capable enough to set it up in a safe and scalable way.

But WordPress seems so easy that it makes several things possible:

  • non-technical clients decide to build and operate WordPress websites themselves
  • non-experienced people start to offer professional services
  • non-technical service providers add WordPress to their suite of partners and mess up with the workflow
Clients misconceptions and false expectations
Clients misconceptions and false expectations

In my post Setting the Wrong Example I discuss the vast majority of “WordPress experts” who have no practical knowledge of the technical stack and what happens behind the curtains. The 5-minute install, tools like Softaculous and other quick tutorials make it possible to start in a matter of minutes.

It’s simply less common in the Drupal world. Less people claim to be Drupal experts since it’s more technical. Users are generally less inclined to go “on their own”. And it’s a 100% technical area for enterprise platforms and programming languages in that field.

Drupal does not update often

Automatic updates in WordPress help small blogs and small business owners, but they are a bottleneck for serious projects. That’s right, you can disable them with a single line of code, you can host a .svn/.git folder that prevents the updates, or even manage the permissions so that it’s virtually impossible.

But standard users don’t know that. And the fact that you are behind if you don’t update every 3-4 months is a problem.

Drupal issues a new version every few years. The core team is focused on delivering high quality and stability and spends less time dealing with backwards compatibility.

Don’t get me wrong – I’m thrilled when I have to update a WordPress 2.8 site that’s 7 years old to the latest version without regressions. But a short iteration ran by volunteers is risky, and allows for less time for testing and catching edge cases. And some of the latest security issues were caused by an oversight or the lack of enough eyes on a commit – just because everything moves so fast.

And an update is actually not a simple operation. The Core platform is being updated. That happens on different types of servers/hosting plans, running different web servers, MySQL databases or PHP versions. Those stacks are operated by different companies with various restrictions or limitations due to internal software, hardware firewalls, IDS/IPS and more. Also, a standard WordPress install has a theme and a number of plugins, which may be incompatible with the latest release as well.

Nacin gave a great talk on LoopConf that shed some light on the Emoji idiocy that most people (including me) ranted a lot about. Turned out it’s just a facade of a critical security issue, but if you see the video, you’ll find out how many edge cases are there in practice, given the million different combinations of WordPress environments across the world:

With so many steps required at the update workflow errors simply happen. A lot.

Even if they’re not critical issues (Fatal Errors), that’s quite a lot of regressions, and some are hard to catch.

Ryan also stressed on that problem discussing possible dependencies that could be implemented in WordPress – but we’re simply not there yet, and won’t be at least for another year or two.

Drupal’s Repository Is Less Accessible

One of the reasons why non-technical business owners and regular users decide to spin off a WordPress install themselves is that they can actually build SOMETHING that does what they need.

  • They can create an eCommerce store by installing WordPress with WooCommerce.
  • They can set up a membership website with BuddyPress, and find some free (or cheap) extensions in order to make it work.
  • They can find plenty of free themes for both platforms, or buy a pretty cheap theme that looks good.

Again, that’s great in general, since it facilitates the education of millions of people, introducing them to the Internet and provide an opportunity to become a media without initial investment – which is essential for 3rd world countries or other political regimes where “free speech” is a forbidden term.

But it also implies that building a site is a piece of cake. That web designers/developers are thieves, and they ask for a fortune in order to do something that a “user” can do in two hours. And educating your customers becomes a problem.

Especially when websites are hacked, compatibility is seriously affected between plugins, updates break the website and so on. Since everyone can submit a plugin to the repository, as long as it goes through a quick initial review. And there are three or four reviewers available for that market of 38,000 plugins.

Clients cum WordPress Developers
Clients cum WordPress Developers

Drupal has a more restrictive model, where module authors can work with a sandbox first, and apply for a fairly complicated full project approval process. It’s actually quite interesting and well organized, even though it may take several weeks (or months) to get a new project live. But reviewers spend time going over checklists and ensuring that plugins follow the quality standards.

It’s not incredibly different than’s model per se – it just includes more steps, more reviewers, a reviewing program, more public reviews (people applying for reviewers) and a strict process including different things to look at. They don’t rush that much, and have public checklists for both authors and reviewers.

The end result is – less modules are available for the public, but the overall sense of compatibility and security is higher. And that is a key trust factor for serious business clients. Also with major releases every 2-3 years module authors don’t have to spend half of their time dealing with compatibility issues or supporting different WordPress versions.

Dries also mentioned their core architecture which is sometimes more granular and better refined than the one that WordPress provides. Examples are their content types, taxonomies, user permissions and the new Caching API that is more or less state of the art. This serves as a best practice that module developers are required to use, which increases the quality drastically.

There are tons of discussions regarding the Settings API in WordPress and there is a group working on a new version. Right now most developers prefer using their own frameworks or filter a simple options page themselves in order to avoid the hassle and all of the crazy automagic going on. That wouldn’t be the case with simplified, more robust and extensible API, and would increase the security factor for the majority of the plugins in the repository.

Large Organizations Need Reliability

This is one of the reasons why large organizations still use proprietary technologies or enterprise platforms that take years to build. Stability for a large organization may cost billions of dollars.

If a small 5-page business website with 50 views a month is down for an hour a month or even hacked, that’s not a deal breaker. But what does it look like for large brands?

Sony's loss after the security breaches
Sony’s loss after the security breaches

Sony were hacked a few times over the past years. According to a review by Business Insider published in December, “Sony Corp’s movie studio could face tens of millions of dollars in costs from the massive computer hack that hobbled its operations and exposed sensitive data“.

Also, they remind us about the PlayStation breach in 2011 when customer data was stolen:

The tab will be less than the $171 million Sony estimated for the breach of its Playstation Network in 2011

I’m often befuddled when discussing major updates with developers working for large firms. As long as they don’t deal with sensitive clients, they can’t even imagine what could be the impact of a regression, of downtime, not to mention a successful hack attack. It saddens me, but after all it’s not my company they work for.

According to Forbes in 2013, Goes Down, Loses $66,240 Per Minute. If thirty minutes of downtime don’t bother you personally, that equate to $2M for a large organization.

Stability and Changes By WordPress Businesses

That big picture gets messier if we account for the rapid, startup-alike changes and actions by some companies operating a WordPress-driven business or providing services for WordPress clients as well. And unplanned or non-documented changes could cause a fatal issue for a large giant who has decided to trust WordPress for a reliable project.

I already mentioned that stability includes trust and commitment from both parties. Stability is like a marriage – you trust your partner so much that you can live together, they have access to everything sacred to you, and your personal life is more or less defined by that relationship.

Let’s see some potential problems for businesses interested in getting in bed with WordPress.

The WordPress Core

WordPress is an incredible framework that is extremely flexible and allows you to build virtually any type of project. It may not be the right tool for every problem, but it’s possible nevertheless.

An external large organization however may see several problems with WordPress

  • Automatic updates – the part that we discussed above – even when disabled, release cycles add bug fixes and security releases that must be applied immediately and are practically public, revealing the vulnerabilities that have been fixed.
  • Future Plans – the roadmap for WordPress is not clear, and decisions are not taken by a board of influential companies involved with WordPress in the broader definition of the term. If you plan to invest billions in a project over the next 10 years, it’s not clear what sort of major changes would happen in the 30 major releases that are yet to come.
  • Lack of mature high-end marketplace – all of the available themes and plugins for free or at a low cost are not an advantage if they are potentially insecure, not optimized for performance and practically without guaranteed compatibility. The amount of time for reviews and rewriting these and the potential risk of missing a thing may lead to choosing Drupal’s “Lego” model, a custom framework, from scratch or a high cost enterprise platform.

While I don’t argue that these are necessarily valid points and we should turn around everything so that we can server enterprise customers, all of those are valid remarks that I’ve discussed with enterprise customers and owners/managers at companies with tens of thousands of employees.

WordPress Hosting and Environment

WordPress runs on several different stacks and there are thousands of options available for WordPress customers. At least in theory.

I’ve had so many issues with numerous hosts that I can’t even remember. Some of those problems were so ridiculous that installing a LEMP or LAMP stack with a single command in the shell in a barebone $5-$10/m VPS would be ten times more secure, reliable and pretty fast.

Recently I had a CDN provider blocked on one of my hosting accounts. Two of my sites suddenly stop delivering most of the media, the majority of the CSS and JS files weren’t loaded. My uptime monitors didn’t catch that obviously, so the sites were probably ugly as hell for a few hours. That happened twice, no memo or reminder, or any notification that the provider suddenly decided to block a popular CDN provider and stop delivering media.

Speaking of CDN’s, I was unable to see any media on my friend John’s website yesterday – since someone blacklisted Bulgaria. When I travel and I use a mobile SIM card, or a 3G toggle, I often get blocked by dozens of websites as a false positive – a potential “bot”. Some of those websites are in the top 10,000 Alexa websites in the US, and that leads to lost business opportunities for them.

Until recently (if not still) Azure, Microsoft’s hosting, required a few WordPress core files to be edited when installing a WordPress website to Azure. There are still unresolved tickets focused on Azure’s guidelines.

cPanel Hacking Core

George Stephanis recently reported on Twitter that cPanel is editing WordPress Core files. I didn’t believe that at first, until he kept digging and came up with the entire report of the situation.

Long story short, that was the first reply by cPanel:

Are you using the cPAddons tool within the cPanel interface to install & manage WordPress? If so, then yes, we disable the auto-update functionality within the application so the updates can be managed from the cPanel interface itself. The way our cPAddons tool tracks software is not compatible with the way WordPress updates, hence why we disable the auto-updates so we can track it through cPAddons.

So… when the platform that powers 24% of the Internet does something differently than us, let’s hack that for all of our clients and make them run a non-supported customized version that may cause regressions from then on.

As far as I’m concerned, this is being done without the customers’ consent, and it doesn’t even work properly since George found a number of sites running a WordPress version from early 2014. Updates, huh?

These Are Just a Few Examples

That’s not the complete list of things happening around WordPress – I can list at least 20 different community decisions related to WordPress updates, regulations for the repositories, idiocies by hosting vendors, plugin authors intentionally breaking other plugins, ThemeForest themes that include the kitchen sink, development environments with hidden custom updates over a standard technical stack.

All of those lead to one thing: surprises. And surprises are crucial for two reasons:

  1. A non-regulated change may affect business customers and harm their businesses – the CDN example before, the insecure cPanel websites etc.
  2. Once you find a single voluntarily change that affects your business, you can never feel safe anymore. It’s like being robbed on the street – you’ll walk carefully and be afraid in the evening for the next 20 years or more (speaking from experience).

If you believe that this is a “minor thing” and it “doesn’t hurt anyone”, then you’re either completely wrong, or you are intentionally working backwards, helping the devolution of WordPress back to a simple blogging platform for small websites.

Not paying attention to large businesses is irresponsible. Large businesses are the best thing that could happen to a CMS – it builds trust in the CMS, tests the limits of the code in terms of security and scalability, and builds an enterprise infrastructure for scaling projects.

When they use a CMS, it helps make it better and brings new ideas. Knowing this can help you decide how to pick or build a CMS. Take on the challenges of big businesses because solving these problems improves the CMS and helps everyone who uses it, including you.

But until we start working together and discussing the potential impact of major business changes, we’ll keep losing potential opportunities by large brands, kick existing successful businesses away from WordPress due to regulations or politics, and keep complaining about cheap clients or low plugin and theme prices.

11 thoughts on “Business Decisions Impacting Your Customers Could Be Fatal”

  1. John Locke says: May 25, 2015 at 7:52 pm

    Excellent piece, as always, Mario. WordPress, can learn lessons in perception, and procedure from Drupal. Though I feel the two are similar in basic structure, the philosophies about how they grow and manage core development are very different.

    Drupal seems to exercise a lot of measured control over how they move forward. WordPress is very active, which leads to occasional oversights. The same community is there to help correct those issues. I’m not sure this philosophy will change anytime soon, or ever.

    Enterprise level WordPress projects would not use the same components, like plugins or themes, as the mom and pop shop down the street. But the perception of those segments of the market affect the decisions made by the enterprise section of the market.

    The 80% of the market using questionable hosting plans, themes, and plugins affect the perception of the platform by the top 20%.


    I smile when you mention WordPress being dangerous for non-experienced people. In the last six months, I’ve been approached twice by older guys (one an IT guy, another a graphic designer) who had already told their clients they could help them with WordPress. The problem is, they now needed someone to teach them how to use it!

    In both cases, they thought someone could teach them all they needed to know about the platform in an hour or two, and were reluctant to pay to have anyone mentor them longer. Putting in the time to learn it themselves, I guess, was also out of the question.

    I have no beef with people who want to sell WordPress services coming from a tech/IT/graphic design background, but for the love of God, put in the time to learn like the rest of us have to before you start selling your skills.

    No idea what will happen to their clients, but I guess we’ll see.


    I love the analogy of being robbed at gunpoint leaving you forever cautious. (*raises hand*) While you may not be scared every time you walk down a dark street by yourself after that, you’re definitely cautious and aware.

    WordPress (or any platform or tool) has to appear safe, and be able to prove it when it counts the most.

  2. Mario Peshev says: May 25, 2015 at 9:40 pm

    Thanks for the great story John, that aligns with my point of view as well.

    I’ll also link to WPML’s article explaining Why Drupal Developers make x10 more than WordPress Developers. While I don’t fully agree with the examplery approach and there’s more behind “picking modules in Drupal” vs. “picking plugins in WordPress”, it’s true that large clients want assurance, and they’re ready to pay for it.

    Until they have it, we’ll keep working mostly with clients who can’t make a difference between, a self-hosted site on $2/month hosting with a ThemeForest theme, and a custom solution. And they’ll keep doing it themselves without any in-depth understanding of quality in any possible way.

    And another favorite article of mine on the subject –

  3. John Locke says: May 25, 2015 at 10:02 pm

    I love that article by @mor10 as well. I think I first discovered it when you linked to it in another article, and I return to it often.

    You’re right, there needs to be more education of clients…before they ever get to us. About what is necessary for a solid WordPress site, and the differences between a good development process and a shaky one built on shifting sand.

    The WPML article is another example of where we can learn and improve as a community.

  4. Dave Chu says: May 28, 2015 at 6:07 pm

    Brilliant points! Thanks for writing that. It’s very valuable to get informed opinions from someone who is very well-informed, but isn’t simply a fanboy of something. I’m a WordPress developer, and have done some testing and examination of Drupal in the past. I finally found Drupal to be too much of a learning curve for me, and not necessarily suited for what I would build, but there’s no denying its power and flexibility for many applications. I would also say that their community is quite helpful to newbies. My favorite magazine, The Economist, is running Drupal. Who knows, I may go back to it at some point.

    You’re spot on with the idea that WordPress’ efforts to become easy and ubiquitous have unintended negative consequences. I just had a discussion with someone about moving their WordPress site. He says, “I imagine it’s pretty small”. This is just the type of person who, as you say, doesn’t think he should pay anything because it’s so easy.

    And another consequence of free ubiquitous WordPress is that newbies start calling themselves “developers” or “designers”, when they know almost nothing. And that cheapens the brand.

    It makes me glad that I’ve used many CMS’s, and kept my skills sharp enough that I can be somewhat more objective on where things are going.

    Thanks again for this!

  5. Mario Peshev says: May 28, 2015 at 7:43 pm

    Hey Dave, thanks for stopping by.

    Drupal has a higher learning curve indeed, and the user experience is rough when compared to WordPress, although they’ve been spending a lot of time working on UX over the past few years. But their target audience is not small business owners, regular users, bloggers and marketers – which is the target for the majority of the WordPress websites out there.

    I just had a discussion with someone about moving their WordPress site. He says, “I imagine it’s pretty small”. This is just the type of person who, as you say, doesn’t think he should pay anything because it’s so easy.

    That’s right, but there’s one more thing that I see in that sort of discussions.

    It’s a matter of “why should I pay if I can do it myself for two hours?”

    Yes, the growing business needs its CEO to be 100% focused on his/her work, but there are things that may not be as cost effective as the DIY way. At least from the users’ perspective.

    For example, if a client can’t make a difference between a DIY solution and a site for $2,000 and he can build that in 2 hours with a premium theme, that’s about $1,000/hour rate.

    So the main problem I see here is the lack of understanding of quality, ROI and stability for a custom solution, which is facilitated by the easiness of WordPress in the first place.

  6. Dave Chu says: May 28, 2015 at 7:54 pm

    Exactly right. I may have to quote you on that last sentence.

    I will also quote you if I can get my rate up to $1000 per hour! I think some people like instability – it’s much more exciting living on the edge! 😉


  7. Mario Peshev says: May 28, 2015 at 10:41 pm

    $1K/hour is a good rate, I may as well switch my strategy as well. 🙂


  8. Paulino Michelazzo says: May 29, 2015 at 2:54 pm


    Nice points and I agree with you. Driving between Drupal and WordPress environments (both with more than 8 years of experience) I feel the same: WordPress need to be more “enterprise” with strong processes.

    But, on the other hand, this is a good opportunity for people looking for “holes” to make money 😉


  9. Mario Peshev says: May 30, 2015 at 1:49 pm

    Hey Paulino,

    It’s true that you can penetrate the market and exploit the “holes” to make some money. But it requires a solid initial investment in sales plus education, which is not necessarily available for mid-sized agencies on the market. In addition to that the overall understanding of WordPress and the ridiculous market rates make it unappealing for most professionals which leads to lower code quality (overall) since less experienced developers use WordPress for serious projects.

    It’s a long story though, and I’ve been writing a lot about that lately, feel free to browse the Business category here 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *