What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end

You do cite experience with WP going back farther than that of mine… Yet I do not see these issues as that major. What scale of sites are we talking about?

It’s fairly slow

I feel this is bit too much of generalization. Slow can be put in context of specific hardware, tasks and level of traffic. It’s blanket statement otherwise.

It’s often overly complex for the needs of a simple website

Complex for whom? Users? Developer? WP is trivial to install and get running. Create some content and you have that simple site. Where is complexity here?

It has a lot of security issues (especially when using plugins)

Again, bit too much of blanket statement. WP itself is relatively secure and most of security issues that had major impact seems to be from running grossly outdated WP versions.

State of plugins and security is definitely far from perfect, but nothing prevents to be very selective or developing secure and reliable plugins, right?

It’s difficult to optimize page-load times

Again, I am not sure what scale are we talking about. Optimization from low to mid sized sites seems trivial – install good static cache plugin, buff with opcode caching… Throw in alternative web server or reverse proxy if really needed.

I really enjoy creating sites outside of the wordpress constraints, I’m just worried I might be overlooking some major issues with this approach.

I pretty much have only one question for you – are you absolutely sure that you are doing it better, faster and more secure than native WP front-end?

I do not ask this sarcastically, I think it might be plausible that for very narrow task custom-made and locked down front-end might be reasonable. But I also notice that overconfidence about custom solution being “just better” than collective work of many developers/companies is not uncommon in web development.

Update

My initial desire to create a custom front-end came from an observation. The WordPress sites I was building weren’t quite as fast as I wanted them to be (3-5 seconds, sometimes longer). […] They certainly were deployed on oversold shared-hosting, but they got good Yslow scores.

YSlow (and PageSpeed) are excellent tools, but they are inherently limited. They can only analyze and advise on front-end performance and how site is processed by browser. They give no insight in your server performance and blindly chasing high front-end scores can actually be harmful to server load.

You should use such tools, but you should never limit your insight in how site performs to them alone.

On hosting – any dynamic site on shared hosting will choke under high load. Again, while it may seem easy to tweak and get high front-end scores, on the server side shared hosting critically lacks hardware and web stack flexibility, necessary for site with high traffic and/or striving for fast load times.

I think that loading all of its resources is overkill for a lot of smaller projects, destined to be served from shared hosting.

Had you tried static page caching? It effectively removes WP core out of most requests and it’s about as fast as you can get on shared hosting. If you tried and not satisfied with pages, served from static cache, WordPress is not your problem – hosting is.

What I meant is that from my understanding, a WordPress site, beyond any actual security holes, is vulnerable because attackers know that it is a WordPress site. This creates a challenge (to breach a popular platform) and an inherent cheat sheet (WordPress vulnerabilities are well documented).

There are no public and known security vulnerabilities in stable WordPress version. Those that arise are fixed in matter of hours.

Poor server configuration (common occurrence on cheap hosts) or running outdated WP version is what gets you hacked, not the sheer fact of using WP.

What I meant by the difficulty of page-load optimization is that if one achieves interactive functionality via lots of plugins, many scripts are loaded and it becomes more tedious to go back and combine, modify, customize or optimize them. I find it easier to include jQuery plugins outside of WordPress and not have to deal with how they hook into wp_head.

Yes, some plugins have no clue how to properly load scripts. That is really arguments for picking plugins carefully, not against WordPress core.

Concatenating and optimizing scripts is trivial with good caching plugin.

Overall and after your updates I feel that you are too eager to discard WordPress for issues that are inherent to any complex and fully-featured CMS (you need decent hosting to get it snappy) and you hadn’t spend much time looking into caching solutions.

It just might not be a good fit for the type of sites you build and you are better off looking into lighter, simpler and less functional CMS that will perform better under your hosting constraints.

Related Posts:

  1. Frontend Password change
  2. WordPress Front end Form – Enable to Submit PHP Codes
  3. What is the difference between a cer, pvk, and pfx file?
  4. How to solve “Kernel panic – not syncing – Attempted to kill init” — without erasing any user data
  5. Is it possible to decrypt SHA1
  6. Error `sec_error_revoked_certificate` when viewed in Firefox only
  7. Convert .pfx to .cer
  8. How can bcrypt have built-in salts?
  9. Why should I use the esc_url?
  10. Where to securely store API keys and passwords in WordPress?
  11. Why escape if the_content isnt?
  12. Full path disclosure on rss-functions.php
  13. What to use instead of wp_kses() in user output
  14. Are the default salts secure?
  15. is_email() VS sanitize_email()
  16. Subscribe to email for security fixes?
  17. How to escape custom css?
  18. Understanding SVG vulnerabilities in WordPress related to a specific fix
  19. Moving wp-config.php: Can this be done after site launch?
  20. How to secure or disable the RSS feeds?
  21. WordPress “Site Health Status” trust it or myself for its security advice?
  22. Do Cookies Need to be Sanatized Before Being Saved?
  23. Disable external access to REST API Endpoint
  24. Make password invalid once logged out of password-protected page
  25. What is the wp-includes/certificates/ca-bundle.crt used for?
  26. Do you need to escape hard coded plain text?
  27. Encrypt emails?
  28. WordPress salts set in config and database
  29. Disallow file edit not preventing plugin install
  30. How to secure WordPress XMLRPC?
  31. Protecting HTML5 video [closed]
  32. How can I find security hole in my wordpress site?
  33. Does WP show me if I’m logged in from multiple locations?
  34. Do I need to use the esc_html() function on hard coded links?
  35. WordPress Malware Problem help! [duplicate]
  36. Restrictive File Permissions
  37. Downloading File from Outside Web Root
  38. Why are xmlrpc.php and wp-cron.php being called so often?
  39. Using esc_html with HTML purifier and CSSTidy: Overkill?
  40. wordfence scan warning on W3 Total Cache [closed]
  41. site get login attempts after htaccess ip restriction
  42. Is it good security advice to install wordpress in subdirectory but link to root?
  43. Is default functions like update_post_meta safe to use user inputs?
  44. wp-config.php modified?
  45. Moving wp-config.php up 2 levels
  46. How Could I sanitize the receive data from this code
  47. WordPress SQL Injections through User Agent
  48. How to save iframe tag into a post?
  49. wp-json and what data does it give away?
  50. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  51. What permissions should I give directories if I want to make WordPress more secure?
  52. How to protect wp-admin through .htaccess?
  53. Something is unescaping all html entities before output to browser [closed]
  54. Is wp_kses the right approach in sanitizing this string?
  55. Renaming install.php for security?
  56. Is it safe use wp_editor in public contact form
  57. Limit Login Attempts BEFORE PHP is executed?
  58. Which Versions of WordPress Ship with the Patched TimThumb?
  59. Safe to say WordPress security releases don’t have database upgrades
  60. Use global variables or function that returns said variables for site-wide private-ish WP settings?
  61. fail2ban to prevent Brute Force Attacks on WordPress?
  62. Use Google authentication for pages within a website [closed]
  63. How to give the same error message when the wrong password or wrong username is used?
  64. Do we need to escape data that we receive from theme options?
  65. should I escape a literal url added in functions.php
  66. My Site keeps crashing due to the wp-confg file being deleted
  67. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  68. Make “default” wordpress pages & features unaccessible
  69. Adding Security Keys?
  70. How might I sanitize an XML file before WP Import? (Does wordpress verify or clean text when importing from an XML document? )
  71. Secret keys in SCM
  72. Spam in WordPress root folder
  73. Secure Server after configuration
  74. Uploading attachment (pdf) and prevent download for anonymous user
  75. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  76. How to prevent my external API call from being called by anyone but me (my site)
  77. Specific Page/Post Need to Stay Non SSL
  78. Block JSON access over the net
  79. Can someone do something to my website if I posted a snapped image of the header and covered my logo? (On reddit, when explaining a question)
  80. Scan multiple websites for malware that are in same webhost root?
  81. The in-famous Unable to locate WordPress Content directory (wp-content) and the Direct Method
  82. Security: AWS (shared hosting) claims template file malicious
  83. How to check whether a site has been compromised without browsing into it?
  84. My site thinks it’s secure when it is fact not
  85. Is it possible to only have the admin interface bind to the local loopback?
  86. PHP Code Sniffer – WordPress VIP Coding Standards
  87. wp-config.php file and code injection
  88. Trying to understand nature of hacking
  89. Default installation permissions for wp-config.php
  90. Correct setup to block file modifications from hackers
  91. Is my WP site being hacked?
  92. Directory to store secure file
  93. How can I give someone server access to only duplicate and modify a site?
  94. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  95. How can I implement ansible with per-host passwords, securely?
  96. Why should I firewall servers?
  97. Does drilling a hole into a hard drive suffice to make its data unrecoverable?
  98. OpenVPN vs. IPsec – Pros and cons, what to use?
  99. Can you alter the default wordpress strong password requirements?
  100. how to sanitizing $_POST with the correct way?

Leave a Comment