01.02.17
Building a Better Website: Why Custom-Coded Websites Outperform Every Time
By Ryan Owens
Understanding the Tragic Pitfalls of WordPress, Joomla!, Drupal and Other Common CMS Platforms
This blog article references a third-party report compiled by the Sucuri™ Remediation Group, a leading Internet security consulting firm and resource for qualitative data and analysis on technology.
Download the Sucuri™ Website Hacked Trend Report (2016)
Doing Things the Hard Way
I've been personally building custom, one-of-a-kind websites since the dawn of the Internet, more than 25 years now as of this writing. Along the way my company has grown to become Greenville's most-awarded web design firm, having been honored with various awards and accolades for outstanding web design and development, including a 2018 Interactive Media Award (Best in Class), 2017 Interactive Media Award, 2016 WebAward, 2015 Interactive Media Award, 2014 Horizon Interactive Award (responsive website design), 2014 Horizon Interactive Award (email campaign), 2012 Horizon Interactive Award, 2010 Interactive Media Award, 2008 WebAward, 2007 Interactive Media Award, 2006 Horizon Interactive Award, and 2005 WebAward.
However, my experience with computers goes back even further, all the way back to my childhood when I received a Commodore 64 for Christmas. I taught myself how to code by the time I was 12, and each year I would ask for and receive a different peripheral device... one year a color monitor, the next year a floppy disk drive, a drawing tablet or dot-matrix printer. I even had a modem and a subscription to Compuserve in the early 1980s, even though my parents didn't even know what that was or what I would do with it. So I've been online for about as long as a person can be, and I've seen a lot of things come and go over that time.
In the early days of the World Wide Web, we had to custom build everything from scratch, because there simply were no shortcuts or other ways to do it. A lot has changed over the last two decades, including the prevalence of various site-building tools for do-it-yourself types and those seeking, let's just say, a "shortcut."
Among the most common CMS platforms today are WordPress, Joomla!, and Drupal, which together power millions of websites around the globe. The rise of CMS systems such as these can largely be attributed to the fact that they provide a quick and cheap way to throw a website together without a lot of work or creativity, and they make it possible for "non-techie" types to do things that they otherwise would be unable to do.
Over 90,000 websites are hacked every day. WordPress is the most hacked CMS — with 83 percent of hacked websites using the WordPress platform.
As stated in the Sucuri™ Website Hacked Trend Report available for download, "This user adoption however brings about serious challenges to the Internet as a whole as it introduces a large influx of unskilled webmasters and service providers responsible for the deployment and administration of these sites." As the report goes on to say, "Out of the 11,000+ infected websites analyzed, 75% of them were on the WordPress platform and over 50% of those websites were out of date. Compare that to other similar platforms that placed less emphasis on backwards compatibility, like Joomla! and Drupal, the percentage of out-of-date software was above 80%."
Other highlights from the Sucuri™ report include, "As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing. PhishTank alone flags over 2,000 websites a week for phishing. These numbers reflect only those infections that have an immediate adverse effect on the visitor (i.e., Drive by Download, Phishing) and do not include websites infected with Spam SEO and other tactics not detected by these companies."
You see, today's Internet is a very complex beast. It has evolved to the point that technology has grown ever more complicated, and the devices we access the Internet with ever more diverse. We not only ask websites to look good on all of these devices, we expect them to do a whole lot more as well. Hackers have become not only more sophisticated, but equally aggressive. Keeping on top of all that takes time and effort, and well, let's be honest, lots of folks just aren't interested in time and effort, because those things cost money.
So why not use a system like WordPress, Joomla! or Drupal? You can get a free template, so you don't even need to be a designer. You can copy and paste text into these website builders, so you don't even need to know HTML or how to write a line of code. And you can get free extensions or modules, so you don't even need to know a good programmer. Sounds too good to be true, right? Well, unfortunately it is. But if that old adage is so acceptable in other industries, or indeed life in general, what puzzles me is why do so many people think that web development would be any different, especially considering the very nature of technology?
And the result is that lots and lots of folks have jumped into the website-building gold rush, seeking easy money and claiming to be an expert on the subject, when in fact all they know how to do is put together a half-hearted WordPress template that they got for free, upload your logo, copy and paste in some text, send you your login so you can "manage it yourself," and then you never hear from them again. Thousands of dollars later, you find out you have been hacked, your website is impossibly broken, you can't manage the site yourself because it is terribly complicated and doesn't make any sense, and the person or company who sold it to you is not answering their phone, has closed up shop or skipped town altogether.
This article was written to avoid that scenario for you, and hopefully save you some time, money and frustration, and to shed some light on what is so often misunderstood.
An Easy Target
The sheer size and reach of the WordPress, Joomla! and Drupal platforms make them an attractive and very vulnerable target for malicious hacks, security breaches, and headaches. What makes these platforms so enticing to hackers is the size and scope of these systems and in turn the number of back doors, holes and inherent flaws in such a system. A hacker is much, much less likely to focus their attention on infiltrating one solitary website that flies under the radar or that they don't even know exists in the first place, when they can easily deploy a botnet (a network of compromised computer systems) to automatically scan the entire Internet for vulnerable CMS platforms such as WordPress, Joomla! and Drupal, and at the same time infect tens of thousands or even millions of websites at once. And making matters worse, usually these CMS platforms can be infected without anyone even knowing about it, until it's too late.
These security breaches can sometimes be innocuous, or they can be downright devastating. The nature of CMS platforms such as these requires a host of various components, or "modules," that extend the functionality of these websites. These modules are really just substitutes for proper coding technique, and they can be things like a contact form, an animated image slider, eCommerce shopping cart, and so forth. The problem is that each of these modules is written and provided by different "companies" who are largely unknown, and therefore their skills and competence are largely unknown as well. And because all of these CMS platforms - WordPress, Joomla!, and Drupal - are completely open-source, meaning they are free to use and in the public domain, that means there is not a typical gatekeeper to police the creators of these modules, and really little to no profit incentive for these companies either, since they are essentially giving away their products to the end user. And if something is free or given away, then just what exactly is it really worth?
Some of these modules could be written by a 13-year-old living at home with his parents, who likes to tinker with coding in his spare time. Maybe that module he provided has a few bugs in it at best, or at worst perhaps serious security holes that are ripe for exploitation by the Russian mafia or Chinese government. Perhaps he'll get around to writing an update when he has the time, or perhaps not. Since he's not making any real money at it, what's the rush? But even if there is an update provided, someone still has to manage the CMS platform and remember to constantly check and upgrade all of the various modules, components, templates, and basic software as well. This is a constant, recurring issue with these platforms, and will be so until the end of time. However, even the best managed CMS systems can be vulnerable, because typically patches and updates don't get released until AFTER a breach or security issue has been discovered, exploited and made public. By that time, it is often too late. A more sinister threat is that many of these modules and extensions are developed by bad actors and explicitly written to distribute malware or create back doors that are intended to be exploited for nefarious purposes - a real "Trojan Horse" that can wreak serious damage to your own computer as well as those that visit your website.
According to the Sucuri™ report, "The impacts to the WordPress platform stems from vulnerability exploitation attempts against vulnerable software, specifically in plugins."
As for my own personal experience with the likes of WordPress, Joomla! and Drupal, I can only attest to what I have seen first-hand or read about through various reputable sources, such as those referenced in this article. Alternatively, a quick Google search for "Wordpress hacked" or "WordPress hacking tools" will return over a million results. In my own experience, I have never found it necessary or even worthwhile to explore the possibility of utilizing one of these platforms to build a website, for a few simple reasons:
- Why would I need to, when I have the education and skills necessary to build it myself? I have been honing my artistic and computer skills for pretty much my entire life, so just what does a template offer me that I can't do better myself? And isn't that what you are paying me for anyway?
- A shortcut is just that - a means to an end that devalues the expertise and quality that I have spent decades developing and improving. Invest your money in a better mousetrap, and you'll catch more mice.
- All of these CMS platforms have been hacked so many times, and are in constant need of updates, de-bugging, and so forth, why would someone expose themselves to such a risk if they don't have to? I had one potential client tell me that they had "only" been hacked twice - twice! To which I replied, it is not a matter of if you will be hacked, but when. One should not find it acceptable to be hacked once, much less twice.
- Almost every website built on one of these platforms has not only serious security risks but also a variety of coding errors, design flaws, and general usability issues that just cannot be solved. They can't be solved because of the inherent flaws of the template builder system: because you are relying on someone else's template, or module, or software, etc., and each of these is provided by a different company or person, there can be no guarantee that they will work as intended, or be compatible with each and every component. In fact, the very nature of these platforms basically guarantees that there will be incompatibilities, technical glitches, and bugs (some serious) that no one is willing or able to take responsibility for.
- We've created an easier way to manage your website content, using Stratatomic's own WebAdmin™ technology, and it's point-and-click simple. Custom designed and programmed for each client's specific requirements, it does exactly what you want it to do. Because we custom program WebAdmin™ ourselves to fit your needs, the only limit to what it can do is your own imagination. WebAdmin™ never needs updating, patching, or troubleshooting, so it's guaranteed to work when you need it to. WebAdmin™ is completely scalable and flexible, and it can grow as your business evolves or your needs change. WebAdmin™ has none of the headaches that come with those other CMS platforms, and because it's our own technology, we promise to provide ongoing service and support for the lifetime of our engagement.
- If you want something you've never had, then you have to do something you've never done. How are you going to one-up your competition, if you are using the same platform, template, or technology that they are? The nature of trying to land on top of the search engines means you have to optimize each and every line of code, every last detail, and every pixel to perfection. To do that requires no shortcuts I can assure you. It requires a plan, certain skill, and flawless execution. It is where art meets science, where technology meets design. Anyone who tells you they can do it easily or on the cheap is selling you a shortcut, and only looking to cash their paycheck and move on to the next project as quickly as possible. It's called Churn 'n Burn. They are not interested in solving the problem at hand, building a better mousetrap, or establishing a long-term relationship with a client.
- The nature of these platforms opens them up to an array of "developers" who have no business being in the website business to begin with. Amateurs at best, these companies or individuals are typically fly-by-night operations who have no interest in providing long-term support to their customers, or building a reputation or body of work. By the time a customer realizes they have reached a dead-end with their website, or that it has been hacked, compromised, or that their support is non-existent, their "website guy" has stopped answering their calls, has closed up shop or skipped town. I can't tell you how many times I've heard that story. It gives reputable firms and our entire industry a black-eye, but unfortunately in this business there are no certifications or licenses required, so caveat emptor.
Lessons Learned
Over the course of my career, I have had no need or interest in using any of these platforms to build a website. However, I have had a few experiences with them that I think are worth sharing with you. Please note the names have been changed in order to protect the innocent.
Let's start with "ST" - the CEO of a large company that prides itself on innovation, leadership and Quality with a capital "Q". ST came to me one day and wanted me to take a look at his website, built with WordPress, which he thought "looked pretty good."
What troubled him were the constant messages he was getting from WordPress, telling him that "the website will be down for maintenance" and that "critical security updates were needed immediately" and so on. So I took a look at his website, and it didn't take me longer than 5 minutes to find some very serious usability issues, to say nothing of any security vulnerabilities. Notably, the main navigation buttons wrapped to two lines when viewed on mobile devices, and perhaps worse yet, all of the website text wrapped in all the wrong places and for no apparent reason. That meant that the website was basically impossible to use or read on a smartphone, because the navigation was broken and the text split words apart (without hyphenation) on every line, making for a bunch of indecipherable words that were nothing short of embarrassing for the client. So here you had a website that could not be navigated on a smartphone, or even read. It looked OK on a desktop browser, but most views are coming from smartphones these days, so essentially this website was hopelessly broken. Making matters worse, there was nothing that could be done to fix it, because the template that had been used was not being updated, or the updates didn't fix the issue, and the company that built the site was unable to find out what was wrong with it.
Basically, they had reached a dead-end. At that point, the only thing left to do was start over from scratch, and build him a completely custom, 100% perfect website designed to his exact specifications, which is what we did. He had lost some good money to learn a hard lesson, but at least in the end he finally got what he deserved and paid for, and we got a new client.
Then there was the phone call I received from "JP" - a person who previously worked for a client of mine but had since gone out on his own. He called because he knew me from our previous business relationship, and he valued and trusted my opinion. JP explained to me that he was "happy" with his current WordPress site, but inexplicably had been unable to send email for several weeks. I asked him to forward me one of his emails that had been bounced back from another account, and he sent one to me. I looked at the error contained in the email, and instantly realized that his email had bounced because his ISP had blacklisted his domain. Basically that meant that his emails were no longer being relayed, because spam had been coming from his domain.
I then explained to him that apparently his WordPress website had been hacked, without his knowledge, and they were using his domain (and the security hole in his site) to send spam that looked as if it were originating from his company. His ISP had in turn blacklisted his entire domain, again without notice given to JP, and he had no one to offer any support or help with this matter. As is typical in these WordPress cases, the "developer" who sold him on the website was AWOL and was either unwilling or unable to answer the phone or provide any assistance to his customer. JP ended up having to solve this problem for himself, and undoubtedly spent a great deal of time on the phone with his ISP trying to straighten this mess out, and a lot more time trying to catch up on his missed emails and lost business.
In conclusion, the Sucuri™ Website Hacked Trend Report offers the following outlook, "The argument that website owners should simply update, isn't going to be enough. Most of these websites are but one piece of a much larger, complex, environment in which website owners integrate everything they have access too. It's not that a website owner needs to focus on the single instance of WordPress, Joomla!, Magento or Drupal, but rather all the websites within the same environment to avoid things like cross-site contamination. This is complicated by the different deployment and configuration options available, and the general lack of knowledge by the website owner. These challenges are not only affecting small website owners, but can be seen in large organizations as well. Unfortunately the knowledge and education distribution is not as fast as the user adoption."
Different x Design™
I founded Stratatomic in 2000 because I am passionate about harnessing the power of Design + Technology to help my valued clients grow their business and reach their goals for success. To that end, I promise to never, ever take a shortcut or give you less than my best effort in anything I endeavor to do.
If it is worth doing, it is worth doing right. It has never been and never will be only about the technology, it is mostly about the talent, integrity and character of the person pushing the buttons. That simple philosophy has served me, and my clients, very well indeed throughout the course of my career. I hope you will allow me the opportunity to put my creativity and attention to detail to work for you.
Stratatomic is a creative firm specializing in web, multimedia, advertising, and graphic communications. Stratatomic also offers complete solutions for web site hosting, WebAdmin™ site management software and Google Analytics™ site analysis tools, providing clients with a singular resource for top-to-bottom implementation of their internet marketing strategies.
Stratatomic’s proprietary WebAdmin™ eCommerce and site-management technology recently surpassed $15 million in online sales transactions and order processing. Today, WebAdmin™ enables clients of all sizes to effectively manage their own site content or storefront and is the power behind websites that receive more than 2 million page requests per month and average hundreds of orders per day. Founded in 2000 by Ryan Owens, Stratatomic LLC is a privately held company based in Greenville, SC.
If you're ready to see the difference that Stratatomic can make in your business, contact us at 864.271.7021 or click here to send us a message.
Ryan Owens is the founder, president and chief creative officer of Stratatomic LLC. A graduate of the University of South Carolina, Ryan serves as design strategist and technical director for all agency projects and brings more than 30 years of industry experience. Mr. Owens presently serves as Senior UX Designer for Sync.MD, and on the Digital Marketing Advisory Board at the University of South Florida Muma College of Business, and also as an adjunct professor at Furman University, offering instruction in Logo & Symbol Design as well as Graphic & Advertising Design.