SMEs (Small and Medium-sized Enterprises) have been one of the key strategic audiences that DevriX works with under the core retainers proposition. There are some peculiar misconceptions (or legitimate concerns) that enterprise representatives always outline during meetings and calls regarding their hesitation while considering WordPress for a new product or a platform rebuild.
Over the past decade, we have built WordPress-driven software solutions for automotive manufacturers, airline brokers, banks, large educational institutions, enterprise digital media publishers, eCommerce brands, certification authorities, and many others. Some of the common rebuttals arise as early as the presales calls or discovery sessions.
I will go over the 15 main obstacles that enterprise CEOs and directors have shared during our enterprise sales process, and the actual state of each in the WordPress ecosystem.
1. WordPress Isn’t Secure Enough for Enterprises
Security is one of the main issues pointed out by enterprises who regularly read online magazines, blogs, social media group reports and posts about hacked WordPress websites. The initial perception is that WordPress is insecure in its roots.
As a core platform, WordPress is incredibly secure. There are regular security fixes for vulnerabilities that are responsibly disclosed to the WordPress Core security team. Looking at the bigger picture, the core WordPress platform is more secure and better tested than most solutions out there.
Security issues related to WordPress that enterprises stumble upon are broadly caused by vulnerable themes and plugins, improper hosting setup, or misuse of WordPress by its own users. There have been regular reports of security issues with themes and plugins, but using them is optional and depends on the expertise and understanding of the service provider building the enterprise WordPress platform.
The WordPress Foundation has crafted a detailed whitepaper for WordPress security that should be a go-to resource for enterprises researching WordPress as a possible platform for their needs.
It’s worth noting that the majority of CVEs (common vulnerabilities and exposures) are niche and hard to exploit. For instance, many of them require elevated user access to start with (such as editor) – roles that are already capable of causing damage if they choose to, due to the nature of their permissions. Others are specific vulnerabilities tied to an extension of a popular plugin loaded on a certain page, with other prerequisites needed before they can potentially be exploited.
This doesn’t take into consideration standard protection practices used by most sites – including the WAF features by Cloudflare or zero-day security systems employed by professional hosting partners such as Pagely.
Bottom line, well-protected and professionally maintained systems are rarely impacted by security leaks even if vulnerabilities get reported and published online.
2. Convoluted Marketplace With No Authority
Providing numerous alternatives for a particular technical requirement is welcomed by small businesses, freelancers and agencies, but seems like a liability when discussing it with enterprise organizations.
The way most of them look at it is the following:
If there are too many solutions doing more or less the same thing, there is not enough focus or user base that allows a business to scale, implement the best practices, and prepare it for enterprise use.
While discussing the pros and cons of each solution, the follow-up response is:
But still, there is no repository with recommended and preferred applications and tools that come with a security stamp which would ensure the safe and reliable use in an enterprise context.
In a nutshell, the way we handle that at DevriX is by conducting regular code reviews of established market solutions across several major versions of a plugin. We keep an internal list of solutions that we have validated and have confirmed with enterprise technical teams that are comfortable with using the plugin in their platform. We also keep in touch with other agencies that work with enterprises and sync our resources internally – to ensure that nothing is missed.
As we conduct regular reviews, some ongoing updates may cause discrepancies in the regular flow of operations. We also use certain plugins with additional extensions that detach functionality and callbacks for extra security. Professional solutions aren’t usually plug-and-play – while existing frameworks or plugins are adopted, this comes with heavy modification on top of them.
The vast majority of programming work on our end is built upon our plugin framework, which is secure by default. We develop most of the features in-house and design them to be lightweight and straight to the point. This leads to a limited code base with fewer conditional operations, and thus fewer loopholes that can be leveraged for a breach.
3. Lack of Certification/Trust Issues
The lack of credibility when selecting a service provider, a hosting vendor, or a plugin shop stands out among the major bottlenecks for service providers.
Coming from the enterprise space and attending Java or .NET conferences regularly, most industry experts have gone through a number of procedures and taken various certificates that ensure compliance with a standardized process. WordPress is more flexible and provides fewer restrictions regarding validating repository plugins (or certifying WordPress vendors).
On top of that, over 95% of the WordPress consultants and companies don’t specialize in enterprise solutions and don’t conduct most of the security reviews themselves. This isn’t a requirement for small businesses that are looking for lower-cost solutions and don’t go through the elaborate review, which is a necessity for enterprises.
That said, there are several established organizations in the WordPress space that have built many platforms for enterprises, and continue maintaining and innovating in the enterprise space. Some of our clients have spent 4-6 months of background research and due diligence of agencies prior to contacting them for a new project or a retainer agreement.
For example, one of our enterprise accounts in the video software space took just over a year before we finally signed the contract – and they’ve been with us for nearly 6 years now. Two other brands – publishing and e-commerce – had the initial build done by design agencies, then signed with us for ongoing development and support (both ongoing accounts for the past 5 years).
4. Enterprise is Not a Focus of WordPress
The WordPress leadership team has never outlined a particular market that they target exclusively. The platform has evolved over the past 20 years and is currently used by 43% of the Internet.
Various established corporations and popular brands have deployed WordPress as their primary solution or for some of their internal applications. That includes NASA, Microsoft and Skype’s blogs, and the White House (to name a few).
In 2015, we built a multisite platform for one of the largest automotive manufacturers in the world. A year earlier, a security solution constructed by our team was reviewed by several security consultants and auditors, who confirmed the enterprise stability of the end application. Over the years we have been providing architecture and development services for other established brands and enterprises with an overwhelming set of new features, 3rd party integrations, data synchronization between custom ERPs and CRMs, extensive data analytics and user experience logging, custom reporting engines, flexible membership levels and payment capabilities and more.
WordPress is flexible enough as an application framework and allows for bending the core in multiple directions – enterprise being a viable alternative for various providers.
5. Incomplete Deployment and Delivery Process
Enterprises talking to different providers often complain about the incomplete implementation process of an application. Their end product depends on multiple variables that should be built by third parties, or integrated with their existing solutions.
There is no proven process of delivery and ongoing updates that lets them sleep at night, which seems at odds with the hosted solutions built by enterprise web content management providers.
One of the reasons for that is the variety of hosting providers and their limitations. There are hosting vendors who offer hosting solutions on top of their own infrastructure or agencies that build external layers on top of AWS or Google Compute Engine. Enterprises often run their in-house infrastructure or host with AWS directly.
Some WordPress development companies also have partnerships with specific hosting providers or, often, offer hosting that they manage themselves. AWS in particular is the underlying layer behind some of the popular managed hosting providers like Pagely.
Since different clients come with various expectations in terms of traffic, user base, and pricing caps, many vendors have to use different deployment processes that accommodate each and every case. That prevents providers from spending all of their time on polishing an automated deployment solution with Capistrano/Chef/Ansible (or running Docker containers) and connecting it to a continuous integration server that runs all tests before deploying to staging.
Luckily, all of those are possible, and many service providers in the field are already equipped with the right setup and internal workflow that allows them to put these in motion and ensure the stability of an enterprise application. It’s about selecting the right provider who has expertise in the field, and the right toolkit which is suitable for enterprise needs. And the right hosting vendor that makes all of that possible when pushing to staging and merging to production.
6. Scarcity When It Comes to Updates
Over the past few years, WordPress has been following a release cycle revolving around launching 3 major releases a year.
Overall, updating a WordPress site with its set of plugins and themes is different than dealing with a hosted solution that takes care of the full round of extensions and add-ons. We approach that with three separate steps in our internal process:
- Monitoring security sources – our team is subscribed to several security databases that report vulnerabilities in WordPress themes and plugins. Finding a major issue in a plugin is followed by a rapid upgrade iteration that prevents hackers from taking advantage of it on our sites.
- Code review – we keep track of plugin updates, their changelogs, and the version updates as compared to their previous release. If we note an unexpected change that may affect the stability of the applications, we investigate further and test locally for possible regressions.
- Testing changes in a staging environment – whenever possible (and unrelated to a major security leak), we push updates to staging and test internally first, then send over for validation in case of doubts. Confirmed updates are merged to production.
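The three steps above amount to a triage rule over a plugin inventory. The sketch below is an added example, not DevriX's tooling: the inventory is constructed data modelled on `wp plugin list --format=json` output, and the advisory feed format, plugin names and advisory ids are hypothetical.

```python
import json
import re

# Constructed inventory, modelled on `wp plugin list --format=json` output
# (the exact field set is an assumption of this example).
INVENTORY_JSON = """[
  {"name": "example-forms", "status": "active", "version": "2.3.1", "update_version": "2.3.4"},
  {"name": "example-seo", "status": "active", "version": "4.9.0", "update_version": "5.0.0"},
  {"name": "example-cache", "status": "active", "version": "1.8.2", "update_version": "1.8.3"},
  {"name": "example-gallery", "status": "inactive", "version": "3.0.0", "update_version": ""}
]"""

# Constructed advisory feed in a hypothetical format: for each reported issue,
# the first plugin release that contains the fix.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "plugin": "example-forms", "fixed_in": "2.3.3"},
    {"id": "ADVISORY-PLACEHOLDER-2", "plugin": "example-gallery", "fixed_in": "3.0.2"},
]


def parse_version(text):
    """Turn '2.3.1' or '1.2.3-beta' into a tuple of ints; stop at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than version b ('2.3' and '2.3.0' compare equal)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def triage(inventory, advisories):
    """Map each plugin to (action, reason) following the monitor / review / staging steps."""
    by_plugin = {}
    for adv in advisories:
        by_plugin.setdefault(adv["plugin"], []).append(adv)

    plan = {}
    for item in inventory:
        name, installed = item["name"], item["version"]
        available = item.get("update_version") or ""
        # Inactive plugins are triaged too: their code is still on the server.
        unpatched = [a for a in by_plugin.get(name, []) if version_lt(installed, a["fixed_in"])]
        if unpatched:
            needed = max((a["fixed_in"] for a in unpatched), key=parse_version)
            ids = ", ".join(a["id"] for a in unpatched)
            if available and not version_lt(available, needed):
                plan[name] = ("hotfix", f"{ids}: upgrade {installed} -> {available} now")
            else:
                plan[name] = ("mitigate", f"{ids}: no fixed release offered, remove or restrict")
        elif not available:
            plan[name] = ("current", "no update pending")
        elif parse_version(available)[:1] != parse_version(installed)[:1]:
            plan[name] = ("code-review", f"major jump {installed} -> {available}, read changelog first")
        else:
            plan[name] = ("staging", f"routine update {installed} -> {available}")
    return plan


def plan_for_sample():
    """Run the triage over the constructed sample data above."""
    return triage(json.loads(INVENTORY_JSON), ADVISORIES)


if __name__ == "__main__":
    for plugin, (action, reason) in plan_for_sample().items():
        print(f"{plugin:16} {action:12} {reason}")
```
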
More often than not, changes are minor and don’t affect the functionality of an application. However, feature updates may have an impact on a large number of clients and public-facing screens for hundreds of multisite instances that we need to review carefully.
One of our existing clients is a notable entertainment vendor with dozens of franchise subsites in 60+ cities in North America, Europe, Asia, and Australia. Each franchisee operates their own instance, and occasionally introduces specific updates that could be affected by a major network update. Updates should be performed carefully by looking into each subsite separately and validating a list of main screens that are widely used by visitors and administrators.
The same goes for all of our multisites given the nature of the shared codebase.
Some of the minor WordPress core updates over the years caused regressions. It’s not common, but it happens. Running a professional process that involves dev and staging environments, as well as waiting out the first week or two for public reports, helps mitigate a number of problems here.
7. Lack of SLA Packages for Enterprises
Many development agencies providing WordPress solutions don’t provide the flexibility and availability that enterprises need.
AWS had a couple of major outages over the past couple of weeks that affected some of the largest websites hosted online. Research conducted in 2013, based on Amazon’s profit report in 2012, stated the following:
Based on Amazon’s 2012 net sales, it was determined that outage cost Amazon $66,240 per minute
Enterprises generate different revenue, and downtime costs may be lower for other businesses, but even a tenth of that amount would be over $6,000 in lost opportunity and sales for each minute of downtime.
Service interruption may be caused by the server provider or a technical issue in the codebase. The longer the downtime, the higher the loss for the enterprise.
We partner up with Pagely for 8 of our high-end customers and communicate proactively in case of glitches, or expected outages. Some of our clients purchase high availability plans that host their solution in multiple locations, therefore reducing the risk of an outage due to a mirror version of the site available in a different zone.
Additionally, we provide 18 hours of availability during business hours and several contact channels over the weekend in the event of an outage. Weekend hotfixes have been performed several times over the past few years to ensure the stability of an application in the case of a regression.
This availability is made available to our larger accounts bringing $150K – $500K in annual contracts – but providing that peace of mind is important for high-scale organizations.
Enterprise SLAs are provided by several industry providers – mainly larger companies that work with enterprises and can afford to hire enough team members covering different time zones, and support staff who can tackle first-level support issues over the weekend. It’s an extra cost that is justified for businesses who risk a lot in the event of an outage.
8. WordPress Can’t Scale Well
Enterprises that consider WordPress as an application for their needs are often worried about the scalability of the core platform. Scalability issues often pop up during Google searches due to small businesses that don’t invest in proper technical solutions or pay pennies a month to lower-end hosting vendors.
DevriX has scaled over 10 billion pageviews across the agency portfolio in 2023 plus $400M+ in GMV processed through our commerce and affiliate platforms. Peak events have brought 30K – 40K concurrent visitors on our sites at a time, and the platform scales easily with the right infrastructure and hosting environment.
During WordCamp San Francisco in 2012, Iliya Polihronov – a system wrangler at Automattic, announced some statistics around the WordPress.com hosted platform powering tens of millions of blogs, among some of the largest online magazines:
There is an extremely low number of existing websites online that have ever registered comparable traffic or a comparable amount of content. And the numbers have kept growing over the past years.
Scalability issues usually arise in four different scenarios for all websites online:
- Consistently high traffic (hundreds of thousands, millions, or tens of millions of visitors a month)
- Large volume of content – hundreds of thousands of articles, tutorials, lessons, products
- Large customer base – a good number of users registered in WordPress, browsing the dashboard simultaneously
- Traffic peaks during product launches, events, or PR campaigns
Depending on the business case, each of those can be tackled differently with the right consultation and planning. We have personally dealt with all of the above and implemented different solutions for enterprises – implementing various caching engines, denormalizing the database, purchasing extra storage for planned launches, building custom lightweight dashboards for users, and more.
WordPress is a proven solution that can scale incredibly well and even rank among the best platforms regarding the ability to handle high-end traffic.
9. WordPress Has Limitations in Terms of Functionality
Many of our customers in the enterprise space question the viability of WordPress regarding handling data analytics, logging, reporting or user management activities that comply with established enterprise processes online.
The truth is, WordPress isn’t always the right tool for the job, but integrates extremely well with 3rd party services and external solutions that can tackle some of the heavy-lifting.
We integrate with various providers such as HubSpot, Salesforce, LinkedIn, Cvent, Boomtrain, Parse.ly, and a large number of professional providers that leverage the information collected by WordPress, crunch it and extend the feature set inside of their own dashboards. The core infrastructure provides a good number of available APIs, a flexible and extensible database schema, and an entirely limitless front-end engine for incredible design and user experience.
Our core team is a certified HubSpot agency partner and well-versed in scaling data warehouses with BigQuery for data engineering & analytics purposes. Just like every enterprise solution, each product represents a multitude of different systems working together to deliver the end result.
Different activities may be performed in external dashboards for additional insight or data processing that could be passed back to WordPress. Or connected to other 3rd party services or internal applications used by enterprises that communicate with dozens of applications that serve different needs.
The WordPress APIs and thousands of hooks have been one of the main reasons the platform is so popular in the end – there’s hardly anything limiting the functional progress of a WordPress-driven platform.
10. WordPress Doesn’t Integrate Well with Services and Internal Tools
As mentioned in the previous point, WordPress does integrate very well with external services and other tools used by enterprises.
WordPress incorporated the REST API in its core system years ago. This presents the opportunity for external services to fetch data from WordPress, extend the data reporting capabilities, and push additional information into the database. We leverage the REST API in MySLP’s dashboard by pulling data into different screens and presenting it as table, list, and grid views. It’s of use for our multisites whenever the main site has to aggregate information from the subsites and report the best stories from different channels or pass it over to external data analysis platforms.
It’s a two-way architecture platform that even allows you to build lightweight mobile applications or HTML/JS-driven SPA pages that operate with an external WordPress website.
Headless apps are also possible – and we’ve built a few with Next.js, a React-driven framework, when needed, even though the core WordPress product can work extremely well in high-availability situations without a decoupled layer.
For self-hosted applications, the WordPress MySQL database can also be exposed to other applications, denormalized in order to provide additional logging and data tracking capabilities, or combined with the use of NoSQL databases or caching engines with some advantages.
The popularity of WordPress has also put it on the radar of numerous organizations that maintain WordPress integration plugins and frameworks. This reduces the development time needed to integrate an individual solution or extend it depending on the business needs.
11. Back-end is Useless and Incredibly Complicated
A common concern from business owners, C-level executives, and directors with no former experience in WordPress is the complexity of the WordPress dashboard. Most enterprise web content management platforms are easy to use and somewhat intuitive. They focus only on enterprises and don’t provide a lot of flexibility in terms of tens of thousands of possible add-ons that could extend the flexibility of a website.
Having said that, there are plenty of options that would simplify the look and feel for logged in users and provide various opportunities for better control and a more organized dashboard.
- Admin menus and dashboard widgets can be removed or reorganized for certain roles or even specific users – a less cluttered admin experience
- Additional back-end themes can be installed or created that match the corporate brand
- Custom dashboards can be created for different roles in order to match the user experience expectations of users and administrators
- Front-end member management is often provided by user management plugins, social network solutions integrating with WordPress, or LMS solutions
Essentially, WordPress provides many additional benefits by using the default administrative look and feel (that external extensions make use of, together with default security layers dealing with role management). But user experience doesn’t need to be a hassle and can be adjusted to match the enterprise expectations.
12. There is No Established Training Vendor for Onboarding
Larger corporations often employ hundreds or thousands of employees, and a new platform may very well be used by several different departments. A proper onboarding training is needed, and there is no official authority providing training courses for WordPress.
I have been training technical and business courses since 2006 and over the years, I’ve met dozens of trainers and small training companies specializing in WordPress education. Platforms like Lynda, WP101, and Video User Manuals also have training courses for WordPress users.
Enterprises can’t find a reliable reference to these, and they often need additional options for on-site training sessions, customized curriculums, or workshops from a training institution. While no designated educational organization provides that at scale, alternatives could be combined with the same end result.
13. Open Source is Equal to Lack of Responsibility
We live by the open-source playbook as it gives us flexibility and control over the technical development process. Commercial solutions keep the intellectual property to a limited number of employees who decide on the future course of the software.
Some of our prospects and partners in the enterprise space have raised concerns with regards to accountability.
Freedom vs. Lack of Responsibility
During an onboarding call last month, a client of ours said the following:
We need accountability with regards to every piece of the puzzle. Some of the proposed tools or extensions don’t seem reliable due to the lack of enterprise support plans in the event of a technical problem.
Insurance is critical for high-end corporations legally bound to some degree of accessibility, data governance, and overall service operability. While the assumption for lack of responsibility is inherently incorrect, no single authority could be held accountable in the event of a critical issue. This could be a liability for individual businesses unless they partner up with the right community vendors and distribute responsibilities in a thoughtful and careful manner.
14. Too Many Steps to Build, Host, and Maintain a WordPress Platform
In the context of Enterprise Content Management Systems or Web Content Management Platforms, small and medium-sized businesses compare WordPress with somewhat different tools than enterprises do.
Most small businesses that we talk to point at Drupal, Joomla, TYPO3. Most enterprises that we meet compare with Crafter CMS, IBM Web Content Manager, Adobe Experience Manager, Sitefinity, Hippo, dotCMS.
That’s an entirely different world played by vendors who market differently, target different audiences, go to different conferences, and focus on different features. And each of those enterprise WCM providers offers a hosted enterprise solution.
And there are various alternatives between a self-hosted and a fully managed environment.
The process is enterprise-like as well – it starts with a couple of phone calls, followed by formal specifications and white papers elaborating on the value proposition. Signing up does not require an understanding of hosting (although enterprise CIOs and their staff often discuss it), nor does it involve searching for service providers, hosting vendors, and extension developers.
Everything is consistent, available in one place, signed off by the company behind the product.
While WordPress doesn’t have a single authority that offers a verified marketplace, in-house onboarding or development team, and a hosted environment for enterprises, there are different configurations dependent on the WordPress development company that would manage the process and ensure reliable delivery. The obvious benefit is building a custom-tailored platform that could be significantly more powerful, extensible, and appealing as compared to any hosted solution with a finite set of features or customization opportunities.
15. WordPress Isn’t Designed for Enterprises From Day 1
This objection is actually valid. But how many enterprises have really started as such?
The Google search engine launched as Google.com in 1997. Gmail was introduced in 2004, G-Suite (Google Apps) in 2006. Over the past years, Google has been investing in hardware and mobile software as well – from the Chromebook and Nexus phones through partnerships with hardware providers, to Google Glass and the Pixel phone.
AWS started as a spinoff of Amazon – the largest e-commerce marketplace (originally launched as a book store).
Plenty of successful products and services in use by enterprises have started as products for small or medium-sized businesses and scaled with their first enterprise clients. Other startups emerged just a few years ago and have been on the market, but haven’t generated a large portfolio of customers yet.
That said, WordPress started as a blogging platform in 2003, but transitioned to a CMS a few years later and is currently being used as an application framework. It’s been validated and used by Fortune 500 companies, many of the most visited websites in the US, celebrities, international brands, and corporations in all industries.
Enterprises could undoubtedly consider it as a viable alternative and a legitimate candidate for enterprise-grade web content management solutions.
If in doubt, look up some of our WordPress case studies and see for yourself.