If you search for arguments for and against the Wordpress blogging platform, you will find a vast number of results, some that will tell you it's the best thing since sliced bread, and others that will say that it's the most dire and insecure platform there is.
Wordpress has been around for a long time. It started life back in 2001 as a package called b2 cafelog, and being open source, was forked in 2003 to create Wordpress. It was and still is a tool for writing a blog. It's often referred to as a Content Management System, but it isn't. It's a blogging tool. It has become the darling of the graphic design, branding and advertising agencies largely because of its sheer ubiquity and the huge range of themes and templates that are available for it. Such companies often treat websites as an afterthought of the branding exercise and tend not to have full time software developers available and rely on the point/click method of development that a lot of Wordpress themes provide. Such companies generally don't have much of a clue about security or an idea of the necessity of keeping sites up to date and it's no surprise that they end up getting hacked, defaced or serve up malware.
Among Wordpress's problems are:
Computer technology evolves rapidly. What was cutting edge last year is old hat this year. So a software package that was designed in 2001 just does not cut it today. The Wordpress core is still based on decades-old programming techniques which leave it open to security issues. The central development principle has been maintaining backward compatibility over security. Over the years it's been patched, hacked, re-patched, recoded and reinforced, but underneath it is the same ancient code that it has always been. Today's Internet is a vastly bigger and more dangerous place than it was 16 years ago, and the bad practices that were prevalent then are disasters waiting to happen today. Only recently (October 2017) a serious SQL injection vulnerability was found in the database driver. At the core of the problem, which is still unaddressed, is the reliance on manual validation or “escaping” of values passed to the database. The use of prepared parametrised queries, as offered by PHP's PDO driver, would fix this issue at a stroke. It would, however, break several million lines of plugin code.
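The two approaches side by side, as an added example that is not Wordpress code: the same author lookup written with hand-applied escaping and with a PDO prepared statement, against an in-memory SQLite table constructed for the demo (needs php-cli with the pdo_sqlite extension).

```php
<?php
// Added example, not WordPress code: the lookup the article describes written
// both ways against an in-memory SQLite database (needs php-cli with pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT)');
$db->exec("INSERT INTO posts (author, title) VALUES ('O''Brien', 'First post')");
$db->exec("INSERT INTO posts (author, title) VALUES ('Smith', 'Second post')");

// Manual-escaping style: the value is quoted by hand and spliced into the SQL
// text. It is only safe if every call site remembers the quote() step and uses
// it correctly (an unquoted numeric id spliced in the same way, for example,
// gains nothing from string escaping).
function findByAuthorEscaped(PDO $db, string $author): array
{
    $sql = 'SELECT id, title FROM posts WHERE author = ' . $db->quote($author);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared parametrised query: SQL text and value travel to the driver
// separately, so the value can never alter the statement's structure and
// there is no escaping step to forget.
function findByAuthorPrepared(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$name = "O'Brien";   // constructed input containing a quote character
print_r(findByAuthorPrepared($db, $name));
var_dump(findByAuthorEscaped($db, $name) === findByAuthorPrepared($db, $name));
```

Both functions return the same row here; the difference is that the prepared form stays correct even when a developer forgets the quoting step or splices a non-string value.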
Poor Core Functionality
Wordpress is a blogging tool. It should therefore come as no surprise that the out-of-the-box functionality is limited to the needs of blogging. It doesn't even have a contact form as standard – that's one of those things that every school kid learns to code. The only way such functionality is achieved is by adding third party plugins. Another example is the lack of any way to manage content that has to appear on every page. Again, plugins to the rescue.
Plugins & Performance
To do anything other than add a post or a blog, you pretty much need to add a plugin. While adding plugins solves some of the problems, for every plugin added, a Wordpress site will get a little slower. Moreover, because Wordpress does not provide any reusable frameworks such as jQuery, in its core, every plugin that needs one has to bundle its own version. More often than not you'll see several different versions of what is essentially the same code being loaded. Loading many versions slows page load times.
There is no consideration given to performance in Wordpress out of the box. There is no caching either at the server or browser level, no js/css minification, nothing! The solution to the bloat and slow performance is usually – you guessed it – more plugins. There are a plethora of plugins available that will replace locally served frameworks with ones delivered by a content delivery network, and also several cache plugins are available, some of which cause more problems than they solve.
This method of working keeps the application logic separate from the database and separate from the presentation. It's therefore easy to change the presentation without affecting the logic. Unfortunately that's not how Wordpress works. More often than not every Wordpress theme has a vast collection of extra code in its theme's functions.php file and in most of its templates.
It Gets Hacked a Lot
Wordpress sites are frequently hacked. Why? Most Wordpress fans will tell you that it gets hacked because it's the most popular platform on the web and is therefore an attractive target – a low hanging fruit if you will. The trouble with that statement though is this: If it was actually secure, it wouldn't get hacked in the first place, would it? It's like a couple of paper bags vs. a barn full of steel boxes. Targeting the steel boxes because they're common wouldn't get you very far.
While the Wordpress core isn't trivially vulnerable, the real Achilles heel is plugins, or more accurately the way that Wordpress is written to accommodate plugins. When you install a plugin you have no idea how secure the code is or whether there will be any updates. Even worse, the commercial plugins typically stop giving you updates after six months unless you renew the licence every so often. Thus you can be left with a gaping hole in your site and no way to plug it other than removing the plugin. More often than not, there's some sort of file upload vulnerability which allows arbitrary code to be uploaded. While Wordpress does have a media manager, it's very basic and not designed as a reusable component. Thus plugins invariably write their own, with mixed results.
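What a plugin's own upload handler should check before it writes anything to disk, as an added example that is not code from Wordpress or any plugin; the `$_FILES['image']` field name, the 5 MiB limit and the `uploads` directory are assumptions for the demo.

```php
<?php
// Added example, not code from WordPress or any plugin: the checks a plugin's
// own upload handler should make before writing anything to disk. Assumes the
// file arrived in $_FILES['image'] from an ordinary multipart form post.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;   // constructed limit

// Returns the extension to store the file under, or null to reject it.
function validateImageUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept a file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return null;
    }
    // Decide the type from the bytes, never from the client-supplied name
    // or Content-Type, and require that the data really decodes as an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || @getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Stores the file under a random name with the extension derived from its
// detected type, so a renamed script can never land on disk as .php.
function storeImageUpload(array $file, string $uploadDir): ?string
{
    $ext = validateImageUpload($file);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// In the request handler:
// $saved = storeImageUpload($_FILES['image'] ?? [], __DIR__ . '/uploads');
```

The upload directory should additionally be served with script execution disabled by the web server, so that a validation bug in the handler still cannot turn into code execution.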
There are also some rather dumb design decisions. It's frequently suggested that you should not use "admin" as your login user because it's trivial to guess. This is good advice. However, Wordpress now features a REST API, which among other things allows you to disclose the entire list of user names simply by adding /wp-json/wp/v2/users to your site's home page URL, unless you've installed a security plugin that stops this.
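What such a security plugin does for this particular endpoint, as an added example rather than Wordpress core code: a small must-use plugin that removes the user-listing routes from the REST API for anonymous requests only, using Wordpress's `rest_endpoints` filter (the decision to keep them for logged-in users is an assumption, made because the block editor relies on them).

```php
<?php
// Added example, not WordPress core code: hide the user-listing routes from
// anonymous visitors while leaving them available to logged-in users (the
// block editor relies on them). Drop this into a small must-use plugin.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    // Route keys as registered by WP_REST_Users_Controller.
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)'] as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
});
```

After this, an unauthenticated request to /wp-json/wp/v2/users gets the REST API's standard "no route" error instead of the user list.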
The database is over simplistic and makes use of a lot of serialised data. This can be tricky to work with. It's not usually a problem, but if you're trying to do manual database updates or fix something, it's a royal pain.
A fixation with recording the site's URL in the database. This can be really quite irritating if you ever want to move to a new domain name. Even though you can specify the site's URL in Wordpress' settings and force it again using constant declarations in the site's wp-config, there will be odd corners where it spews out full URLs from the database. This even makes turning on SSL for your website tricky because Wordpress will insist on spitting out http in various places leading to mixed content warnings and images that don't show up. Numerous sites still have broken links in dark places pointing back to the original development site or old domain name.
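Why the serialised data and the stored URLs together make a domain move painful, as an added example that is not Wordpress code: a plain string replace on a serialised option value (constructed here to resemble a theme-options row) breaks it, because the `s:NN:` length prefixes no longer match; decoding, replacing and re-encoding is what a serialisation-aware replacement has to do.

```php
<?php
// Added example, not WordPress code: why a plain SQL REPLACE on serialised
// option data breaks, and how to change a URL inside it safely. The stored
// value is constructed to resemble a typical theme-options row in wp_options.
$stored = serialize([
    'logo'  => 'http://dev.example.test/wp-content/uploads/logo.png',
    'links' => ['http://dev.example.test/about', 'http://dev.example.test/contact'],
    'title' => 'Just another site',
]);
$old = 'http://dev.example.test';
$new = 'https://www.example.test';

// Naive approach: replace in the raw string. Every s:NN: length prefix still
// describes the old, shorter string, so unserialize() rejects the result.
$naive = str_replace($old, $new, $stored);
var_dump(@unserialize($naive, ['allowed_classes' => false]) !== false);

// Safe approach: decode, replace inside the structure, re-encode so that
// every length prefix is recomputed.
function replaceInValue($value, string $old, string $new)
{
    if (is_string($value)) {
        return str_replace($old, $new, $value);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = replaceInValue($v, $old, $new);
        }
    }
    return $value;   // ints, bools, null and objects are left as they are
}

function replaceInSerialized(string $raw, string $old, string $new): string
{
    // allowed_classes => false: never instantiate objects from stored data
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if ($decoded === false && $raw !== serialize(false)) {
        // Not serialised data at all: treat it as a plain string, much as
        // WordPress's own maybe_unserialize() would.
        return str_replace($old, $new, $raw);
    }
    return serialize(replaceInValue($decoded, $old, $new));
}

$fixed = replaceInSerialized($stored, $old, $new);
var_dump(@unserialize($fixed, ['allowed_classes' => false]) !== false);
print_r(unserialize($fixed, ['allowed_classes' => false]));
```

This is the same serialisation-aware replacement that WP-CLI's `wp search-replace` command performs across the whole database, which is the usual way to change the domain without hand-editing rows.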
Manual Menus. Some themes handle this better than others, but there is generally no way of adding a new page to your site's navigation other than by editing the menu. A lot of other systems will do this automatically.
Poor SEO. Standard Wordpress doesn't let you set the important meta-title and description as standard. The solution is usually yet another plugin.
As you can see, Wordpress has more than a few issues that really do make it unfit for anything more than a simple blog.
Its lack of reusable core components, ancient design and vulnerable-by-design database code essentially means that it's little more than a pretty shell and certainly not a solid foundation for anything more complex such as an e-commerce site. Don't let the existence of a mind-boggling array of plugins fool you – just because they exist does not make them a good idea. If you build a three-storey mansion on the foundations of that old bach, you shouldn't be surprised when the whole lot comes tumbling down around your ears.