As a WordPress agency owner running my business and being responsible for dozens of people, my main goal is stability.
Stability in Business
John Lennon once said:
“Life is what happens while you are busy making other plans”
Since life is fragile itself and things change every single minute, the least we could do is stabilize as many variables as possible and take care of the potential problematic areas. That said, stability in business is determined by various factors, such as:
- Having a steady recurring revenue model – memberships, selling WordPress products, or a backlog of clients for services
- Working with a reliable team – employees, contractors, trustworthy and capable people available for work
- Setting up the right work environment – office, equipment, Internet access and everything required for work on a daily basis
Stability includes trust, reliability, delegation, long-term commitment and being able to believe in a technology, partner or an idea so much that you share your business and sensitive data with them knowing that they are safe, while dealing with the rest of your work.
Stability could be interrupted in a many ways that we cannot predict, or at least expect not to happen. Some of those are not crucial, but others are critical. And based on your risk management process, you can prevent some of these depending on how much loss your business will generate in case of an unexpected event.
Stability and Potential Loss
For example, if your Internet at the office is down for an hour every two weeks, you have to assess the damages for your business. If only two people work at the office and most of their work is offline, that may be something that you don’t even notice – and it’s fine.
If this is a call center with 30 people, that means 60 non-billable hours or interrupted calls with serious prospects. Now that’s probably critical.
If Amazon’s or Google’s network was down for an hour every two weeks, people would probably start using eBay and Yahoo much more often which will lead to tens of millions of dollars of damages per month due to the downtime.
As you can see, an interruption in a service may be critical for some, and you should always be aware while working with your customers. My ISP offers a premium plan for VIP customers with a backup line with Internet access if the main one is down, extra gateways, internal DNS servers and so on. That premium service is worth paying for extra for business people.
If your Internet is down for 2h/month and you can break a server in the middle of a deploy, or lose a consulting client paying $300/hour – would you not pay $20-$40 extra for a backup line or switch to another backup ISP, or pay for two providers simultaneously?
Web Development, CMS Stability and WordPress
Coming from the Enterprise world to WordPress was incredibly shocking for me. I was both excited for the opportunity of solving more problems and delivering more projects in a shorter amount of time, and freaked out by the unexpected estimates when it comes to delivering a complex custom plugin or polishing a reliable platform.
Since I was dealing with estimates and project planning at one of the Java companies I worked for, I’ve had 6-figures projects signed for the amount of features that would translate to a $20K – $30K project in the WordPress world.
Now, the amount of work itself was significantly more – for a Java project – but there is another key takeaway:
A project of that size requires months of R&D, validating an idea, and numerous iterations of testing and benchmarks.
Rushing things leads to mistakes. Mistakes cause problems and regressions. And that could affect budgets, data, relations, and overall slam an entire business should that happen in the wrong moment.
But rushing things and underpricing is incredibly common in the WordPress world.
Drupal and WordPress
Dries covered Automattic’s latest acquisition in his post “Why WooMattic is big news for small businesses“. While I believe that a potential WordPress.com vertical with hosted WooCommerce would definitely create opportunities for small business owners (and reduce the waves of Wix and Squarespace users as well), Dries ends with the following comment:
To me, this further accentuates the division of the CMS market with WordPress dominating the small business segment and Drupal further solidifying its position with larger organizations with more complex requirements.
I disagree with his sentiment, but he’s right about one thing: Drupal has a proven place in working with large organizations having complex requirements. Probably the majority of the popular Drupal-based projects fall in that category (unlike 95%+ of the WordPress projects being blogs or 5-page business card websites).
And since I actually like Drupal myself, I would understand if a large corporation picks Drupal instead of WordPress for their project. Let me explain why.
WordPress is dangerous for non-experienced people
That’s right – it is.
You may be a technical expert capable enough to set it up in a safe and scalable way.
But WordPress seems so easy that it makes several things possible:
- non-technical clients decide to build and operate WordPress websites themselves
- non-experienced people start to offer professional services
- non-technical service providers add WordPress to their suite of partners and mess up with the workflow
In my post Setting the Wrong Example I discuss the vast majority of “WordPress experts” who have no practical knowledge of the technical stack and what happens behind the curtains. The 5-minute install, tools like Softaculous and other quick tutorials make it possible to start in a matter of minutes.
It’s simply less common in the Drupal world. Less people claim to be Drupal experts since it’s more technical. Users are generally less inclined to go “on their own”. And it’s a 100% technical area for enterprise platforms and programming languages in that field.
Drupal does not update often
Automatic updates in WordPress help small blogs and small business owners, but they are a bottleneck for serious projects. That’s right, you can disable them with a single line of code, you can host a .svn/.git folder that prevents the updates, or even manage the permissions so that it’s virtually impossible.
But standard users don’t know that. And the fact that you are behind if you don’t update every 3-4 months is a problem.
Drupal issues a new version every few years. The core team is focused on delivering high quality and stability and spends less time dealing with backwards compatibility.
Don’t get me wrong – I’m thrilled when I have to update a WordPress 2.8 site that’s 7 years old to the latest version without regressions. But a short iteration ran by volunteers is risky, and allows for less time for testing and catching edge cases. And some of the latest security issues were caused by an oversight or the lack of enough eyes on a commit – just because everything moves so fast.
And an update is actually not a simple operation. The Core platform is being updated. That happens on different types of servers/hosting plans, running different web servers, MySQL databases or PHP versions. Those stacks are operated by different companies with various restrictions or limitations due to internal software, hardware firewalls, IDS/IPS and more. Also, a standard WordPress install has a theme and a number of plugins, which may be incompatible with the latest release as well.
Nacin gave a great talk on LoopConf that shed some light on the Emoji idiocy that most people (including me) ranted a lot about. Turned out it’s just a facade of a critical security issue, but if you see the video, you’ll find out how many edge cases are there in practice, given the million different combinations of WordPress environments across the world:
With so many steps required at the update workflow errors simply happen. A lot.
Even if they’re not critical issues (Fatal Errors), that’s quite a lot of regressions, and some are hard to catch.
Ryan also stressed on that problem discussing possible dependencies that could be implemented in WordPress – but we’re simply not there yet, and won’t be at least for another year or two.
Drupal’s Repository Is Less Accessible
One of the reasons why non-technical business owners and regular users decide to spin off a WordPress install themselves is that they can actually build SOMETHING that does what they need.
- They can create an eCommerce store by installing WordPress with WooCommerce.
- They can set up a membership website with BuddyPress, and find some free (or cheap) extensions in order to make it work.
- They can find plenty of free themes for both platforms, or buy a pretty cheap theme that looks good.
Again, that’s great in general, since it facilitates the education of millions of people, introducing them to the Internet and provide an opportunity to become a media without initial investment – which is essential for 3rd world countries or other political regimes where “free speech” is a forbidden term.
But it also implies that building a site is a piece of cake. That web designers/developers are thieves, and they ask for a fortune in order to do something that a “user” can do in two hours. And educating your customers becomes a problem.
Especially when websites are hacked, compatibility is seriously affected between plugins, updates break the website and so on. Since everyone can submit a plugin to the WordPress.org repository, as long as it goes through a quick initial review. And there are three or four reviewers available for that market of 38,000 plugins.
Drupal has a more restrictive model, where module authors can work with a sandbox first, and apply for a fairly complicated full project approval process. It’s actually quite interesting and well organized, even though it may take several weeks (or months) to get a new project live. But reviewers spend time going over checklists and ensuring that plugins follow the quality standards.
It’s not incredibly different than WordPress.org’s model per se – it just includes more steps, more reviewers, a reviewing program, more public reviews (people applying for reviewers) and a strict process including different things to look at. They don’t rush that much, and have public checklists for both authors and reviewers.
The end result is – less modules are available for the public, but the overall sense of compatibility and security is higher. And that is a key trust factor for serious business clients. Also with major releases every 2-3 years module authors don’t have to spend half of their time dealing with compatibility issues or supporting different WordPress versions.
Dries also mentioned their core architecture which is sometimes more granular and better refined than the one that WordPress provides. Examples are their content types, taxonomies, user permissions and the new Caching API that is more or less state of the art. This serves as a best practice that module developers are required to use, which increases the quality drastically.
There are tons of discussions regarding the Settings API in WordPress and there is a group working on a new version. Right now most developers prefer using their own frameworks or filter a simple options page themselves in order to avoid the hassle and all of the crazy automagic going on. That wouldn’t be the case with simplified, more robust and extensible API, and would increase the security factor for the majority of the plugins in the repository.
Large Organizations Need Reliability
This is one of the reasons why large organizations still use proprietary technologies or enterprise platforms that take years to build. Stability for a large organization may cost billions of dollars.
If a small 5-page business website with 50 views a month is down for an hour a month or even hacked, that’s not a deal breaker. But what does it look like for large brands?
Sony were hacked a few times over the past years. According to a review by Business Insider published in December, “Sony Corp’s movie studio could face tens of millions of dollars in costs from the massive computer hack that hobbled its operations and exposed sensitive data“.
Also, they remind us about the PlayStation breach in 2011 when customer data was stolen:
The tab will be less than the $171 million Sony estimated for the breach of its Playstation Network in 2011
I’m often befuddled when discussing major updates with developers working for large firms. As long as they don’t deal with sensitive clients, they can’t even imagine what could be the impact of a regression, of downtime, not to mention a successful hack attack. It saddens me, but after all it’s not my company they work for.
According to Forbes in 2013, Amazon.com Goes Down, Loses $66,240 Per Minute. If thirty minutes of downtime don’t bother you personally, that equate to $2M for a large organization.
Stability and Changes By WordPress Businesses
That big picture gets messier if we account for the rapid, startup-alike changes and actions by some companies operating a WordPress-driven business or providing services for WordPress clients as well. And unplanned or non-documented changes could cause a fatal issue for a large giant who has decided to trust WordPress for a reliable project.
I already mentioned that stability includes trust and commitment from both parties. Stability is like a marriage – you trust your partner so much that you can live together, they have access to everything sacred to you, and your personal life is more or less defined by that relationship.
Let’s see some potential problems for businesses interested in getting in bed with WordPress.
The WordPress Core
WordPress is an incredible framework that is extremely flexible and allows you to build virtually any type of project. It may not be the right tool for every problem, but it’s possible nevertheless.
An external large organization however may see several problems with WordPress
- Automatic updates – the part that we discussed above – even when disabled, release cycles add bug fixes and security releases that must be applied immediately and are practically public, revealing the vulnerabilities that have been fixed.
- Future Plans – the roadmap for WordPress is not clear, and decisions are not taken by a board of influential companies involved with WordPress in the broader definition of the term. If you plan to invest billions in a project over the next 10 years, it’s not clear what sort of major changes would happen in the 30 major releases that are yet to come.
- Lack of mature high-end marketplace – all of the available themes and plugins for free or at a low cost are not an advantage if they are potentially insecure, not optimized for performance and practically without guaranteed compatibility. The amount of time for reviews and rewriting these and the potential risk of missing a thing may lead to choosing Drupal’s “Lego” model, a custom framework, from scratch or a high cost enterprise platform.
While I don’t argue that these are necessarily valid points and we should turn around everything so that we can server enterprise customers, all of those are valid remarks that I’ve discussed with enterprise customers and owners/managers at companies with tens of thousands of employees.
WordPress Hosting and Environment
WordPress runs on several different stacks and there are thousands of options available for WordPress customers. At least in theory.
I’ve had so many issues with numerous hosts that I can’t even remember. Some of those problems were so ridiculous that installing a LEMP or LAMP stack with a single command in the shell in a barebone $5-$10/m VPS would be ten times more secure, reliable and pretty fast.
Recently I had a CDN provider blocked on one of my hosting accounts. Two of my sites suddenly stop delivering most of the media, the majority of the CSS and JS files weren’t loaded. My uptime monitors didn’t catch that obviously, so the sites were probably ugly as hell for a few hours. That happened twice, no memo or reminder, or any notification that the provider suddenly decided to block a popular CDN provider and stop delivering media.
Speaking of CDN’s, I was unable to see any media on my friend John’s website yesterday – since someone blacklisted Bulgaria. When I travel and I use a mobile SIM card, or a 3G toggle, I often get blocked by dozens of websites as a false positive – a potential “bot”. Some of those websites are in the top 10,000 Alexa websites in the US, and that leads to lost business opportunities for them.
Until recently (if not still) Azure, Microsoft’s hosting, required a few WordPress core files to be edited when installing a WordPress website to Azure. There are still unresolved tickets focused on Azure’s guidelines.
cPanel Hacking Core
George Stephanis recently reported on Twitter that cPanel is editing WordPress Core files. I didn’t believe that at first, until he kept digging and came up with the entire report of the situation.
Long story short, that was the first reply by cPanel:
Are you using the cPAddons tool within the cPanel interface to install & manage WordPress? If so, then yes, we disable the auto-update functionality within the application so the updates can be managed from the cPanel interface itself. The way our cPAddons tool tracks software is not compatible with the way WordPress updates, hence why we disable the auto-updates so we can track it through cPAddons.
So… when the platform that powers 24% of the Internet does something differently than us, let’s hack that for all of our clients and make them run a non-supported customized version that may cause regressions from then on.
As far as I’m concerned, this is being done without the customers’ consent, and it doesn’t even work properly since George found a number of sites running a WordPress version from early 2014. Updates, huh?
These Are Just a Few Examples
That’s not the complete list of things happening around WordPress – I can list at least 20 different community decisions related to WordPress updates, regulations for the WordPress.org repositories, idiocies by hosting vendors, plugin authors intentionally breaking other plugins, ThemeForest themes that include the kitchen sink, development environments with hidden custom updates over a standard technical stack.
All of those lead to one thing: surprises. And surprises are crucial for two reasons:
- A non-regulated change may affect business customers and harm their businesses – the CDN example before, the insecure cPanel websites etc.
- Once you find a single voluntarily change that affects your business, you can never feel safe anymore. It’s like being robbed on the street – you’ll walk carefully and be afraid in the evening for the next 20 years or more (speaking from experience).
If you believe that this is a “minor thing” and it “doesn’t hurt anyone”, then you’re either completely wrong, or you are intentionally working backwards, helping the devolution of WordPress back to a simple blogging platform for small websites.
Not paying attention to large businesses is irresponsible. Large businesses are the best thing that could happen to a CMS – it builds trust in the CMS, tests the limits of the code in terms of security and scalability, and builds an enterprise infrastructure for scaling projects.
When they use a CMS, it helps make it better and brings new ideas. Knowing this can help you decide how to pick or build a CMS. Take on the challenges of big businesses because solving these problems improves the CMS and helps everyone who uses it, including you.
But until we start working together and discussing the potential impact of major business changes, we’ll keep losing potential opportunities by large brands, kick existing successful businesses away from WordPress due to regulations or politics, and keep complaining about cheap clients or low plugin and theme prices.