What is WordPress?

WordPress was originally based on a blogging platform but has now evolved into a Content Management System (CMS) for publishing content on the web.

Today it is the most popular platform, used by 33% of sites across the web, and is easy for non-technical users and administrators to use and administer.

The base WordPress app can be extended using third-party plugins, themes, and widgets to cater for specialist applications such as eCommerce, job listings, custom forms, branding and lots more.

Many third-party plugins and themes are free, but if you require advanced features, paid versions might be needed.

The WordPress app and source files are free and open source, but to enable internet users to access your app you need to deploy the files and database to an internet-connected host.

WordPress Hosting

Running a WordPress website requires a supported web server with PHP installed and access to a MySQL/MariaDB database.

You can create a free account on WordPress.com and get started with a basic WordPress site but you will likely need to pay extra for upgrades to make it suitable for a business web site.

Fully managed WordPress hosting

Fully managed hosting provides an optimized WordPress environment with most day-to-day website operations managed by the host. You just need to manage your business-specific functions and users and regularly post new content. This is often the simplest option for small businesses but is typically more expensive than other options.

Self hosting

Many web hosting companies offer hosting plans suitable for WordPress hosting.

Many web hosting control panels provide an easy option to install a basic WordPress site with a related MySQL database. You then customize the settings and theme and add any plugins you require.

Standard WordPress Features

WordPress has numerous standard features, which include:

  • user registration, authentication, and authorization
  • creating and updating content pages and posts
  • post comments and moderation options
  • spam protection
  • extend basic functionality via third-party plugins, widgets, and themes
  • API Access to access and administer content and users
  • extend default post type for new requirements using custom fields
  • schedule posts to be published at a future date
  • Really Simple Syndication (RSS) feeds
  • basic content search
  • intermediate autosave when editing page and post content
  • admin section provides undo and redo on content editing
  • ability to store last n revisions of key fields when saving content
  • manage and publish content via mobile apps


Large number of plugins and themes to extend the base application for special requirements like eCommerce, job listings etc

Large user base including many big brand names

You can choose where to host the WordPress app and database.

100% free with open source code

You can completely customise the app and lots of developers are available via freelancer type sites if you need to develop custom plugins or themes

Restrict access permissions using Roles

External REST API can be used to access post data

Base post type can be extended using custom fields


Many hackers target WordPress sites

Some plugins are not actively maintained and not updated for the latest WordPress core files. Plugins can have dependencies on other plugins or conflict with other activated plugins

PHP is good for small apps but is not considered as maintainable and scalable as more modern languages, which typically catch many errors through compilation before deployment.

All posts, including custom post types and revision versions, are stored in a single posts database table. This can increase size and access times

Custom fields, if used, are held as metadata within the database. This can cause performance issues, as database columns cannot be indexed

Default search does not always work as expected

Not all data objects relate to a WordPress post type. Custom logic and data tables can be implemented, but this requires custom development, and many of the standard WordPress features will not be available for the custom data tables

Default installation options do NOT protect API endpoints or prevent brute force password guessing attacks

WordPress Security

Many hackers target WordPress-based websites, and a hacked site can result in data breaches, content loss, corrupt files, malware, lost time and the website being blacklisted.

The default installation settings do not prevent brute force password guessing attacks or restrict access to REST API endpoints.


Review the WordPress security best practice advice published at WordPress.org. The following are just a few of the actions to consider:

  • use strong passwords and https connections. Do not share passwords with others and do not use the same passwords across multiple web sites
  • keep WordPress core, installed plugins and themes updated
  • do not install plugins that are not used
  • consider use of Cloudflare to boost performance and optimize security. A free version is available although it does not support all features e.g. subdomains.
  • limit user permissions based on roles
  • backup all files, media and database frequently
  • install a recommended security plugin to limit brute force password attacks etc.
  • add protection to the REST API etc. to restrict access to API endpoints for unauthenticated users
  • For a non-membership website consider password protecting the wp-admin folder via the hosting control panel. The admin will then be prompted with two separate login forms to access scripts in the admin section. For Windows Plesk hosting control panel setup click here.
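
The two gaps in the default installation noted above (open REST API endpoints and unlimited password guessing) can also be closed with a small must-use plugin. The following is an added example, not WordPress core code or code from this page; the file name, the example_ function and constant names, and the limits are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example hardening (added example, not WordPress core code)
 * Assumed location: wp-content/mu-plugins/example-hardening.php
 */

// Assumed limits for illustration; tune them for your site.
const EXAMPLE_MAX_FAILURES = 5;   // failed logins allowed per client address
const EXAMPLE_LOCKOUT_SECS = 900; // lockout window in seconds (15 minutes)

// 1. REST API: refuse requests from visitors who are not logged in.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Keep any decision already made by another authentication handler.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 2. Login throttling: hypothetical helper that builds a per-client counter key.
function example_failure_key() {
    // Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_fail_' . md5( $ip ); // md5 only shortens the key
}

// Count every failed login; each new failure restarts the lockout window.
add_action( 'wp_login_failed', function () {
    $key = example_failure_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOCKOUT_SECS );
} );

// Priority 30 runs after core's password check (priority 20), so a locked-out
// client is refused even when the submitted password is correct.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( example_failure_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error( 'example_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30 );
```

Blocking every unauthenticated REST request can break plugins or themes that rely on public endpoints, so test the site's front end after enabling it.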