What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end

I’ve been building WordPress sites for a few years now and have noticed a few things that bother me.

1. It’s fairly slow (awful blanket statement, I apologize)

My initial desire to create a custom front-end came from an observation. The WordPress sites I was building weren’t quite as fast as I wanted them to be (3-5 seconds, sometimes longer).

@Kenrik – They certainly were deployed on oversold shared-hosting, but they got good YSlow scores. I tried it out and found the sites to be approximately three times faster when I didn’t load the WP overhead. Same machine, same YSlow score, 3 times faster. I’m no expert on WordPress CPU usage, but I’ve read that it’s pretty intense, so I was not surprised by the speed gains I achieved.

2. It’s often overly complex for the needs of a simple website

Just a note: I’m mostly building sites for fashion lines and portfolio management, complex in front-end interaction, but with relatively little data. These sites are never going to be huge and they require very little code to retrieve the necessary content. My question is therefore largely theoretical.

I think that WordPress is a fantastic platform and that it has few limits for growth, however I think that loading all of its resources is overkill for a lot of smaller projects, destined to be served from shared hosting.

3. It has a lot of security issues (especially when using plugins)

Concerning security, I can see how my question was ambiguous and contradictory. What I meant is that from my understanding, a WordPress site, beyond any actual security holes, is vulnerable because attackers know that it is a WordPress site. This creates a challenge (to breach a popular platform) and an inherent cheat sheet (WordPress vulnerabilities are well documented). So, sure, a custom solution might have more actual security holes, but I’m wondering if this wouldn’t be balanced by the fact that it makes the inner workings anonymous. As @Kenrik said, “they most likely won’t even bother because who cares about hacking a single site with iffy custom code?”

4. It’s difficult to optimize page-load times

What I meant by the difficulty of page-load optimization is that if one achieves interactive functionality via lots of plugins, many scripts are loaded and it becomes more tedious to go back and combine, modify, customize or optimize them. I find it easier to include jQuery plugins outside of WordPress and not have to deal with how they hook into wp_head.

So recently I decided to go about my development differently and use WordPress as only a back-end tool. I use the admin space to update content and populate the database but I use a custom data access layer and custom functions on the front-end to retrieve and display the content. For pages where login is needed, I include the blog-header file and use WordPress’ credential management functionalities.

As I see it, the pros of this independent front-end solution are that it makes development easier (you only write what you need, and it’s all your own work), it’s easier to optimize page-loads (you have better control over what scripts are used and how to combine them in optimal ways), you are not alerting the entire hacking world to the existence of a WordPress install (because the files aren’t loaded from a theme anymore) and more.

Potential Cons: Security, lack of scalability, lack of developer support for custom solutions… Anything else?

I really enjoy creating sites outside of the WordPress constraints, I’m just worried I might be overlooking some major issues with this approach.

Please let me know if this is the case.

Cheers

To retroactively conclude:

I’m 100% sure that my sites are faster in the exact same environment when I don’t use the native WordPress front-end.

I doubt that my code is as safe as WordPress, but I think that I can lock it down and the fact that it has an anonymous front-end might make it less of a target.

I’m sure that I can code functionalities a lot faster when I deploy an extremely simple custom front-end solution.

So I’m just wondering, given my environment and my constraints whether doing this is still just a bad idea. And if so, what are the main reasons.

I’m sure there are other curious, ambitious, under-educated coders out there who might be wondering the same thing. They will likely benefit from whatever you have to say about the subject.

Thank you all

4 comments

  1. You do cite experience with WP going back farther than mine… Yet I do not see these issues as that major. What scale of sites are we talking about?

    It’s fairly slow

    I feel this is a bit too much of a generalization. Slow can be put in context of specific hardware, tasks and level of traffic. It’s a blanket statement otherwise.

    It’s often overly complex for the needs of a simple website

    Complex for whom? Users? Developer? WP is trivial to install and get running. Create some content and you have that simple site. Where is complexity here?

    It has a lot of security issues (especially when using plugins)

    Again, a bit too much of a blanket statement. WP itself is relatively secure and most of the security issues that had major impact seem to be from running grossly outdated WP versions.

    The state of plugins and security is definitely far from perfect, but nothing prevents you from being very selective or developing secure and reliable plugins, right?

    It’s difficult to optimize page-load times

    Again, I am not sure what scale we are talking about. Optimization for low to mid-sized sites seems trivial – install a good static cache plugin, buff with opcode caching… Throw in an alternative web server or reverse proxy if really needed.

    I really enjoy creating sites outside of the WordPress constraints, I’m just worried I might be overlooking some major issues with this approach.

    I pretty much have only one question for you – are you absolutely sure that you are doing it better, faster and more secure than the native WP front-end?

    I do not ask this sarcastically, I think it might be plausible that for a very narrow task a custom-made and locked-down front-end might be reasonable. But I also notice that overconfidence about a custom solution being “just better” than the collective work of many developers/companies is not uncommon in web development.

    Update

    My initial desire to create a custom front-end came from an observation. The WordPress sites I was building weren’t quite as fast as I wanted them to be (3-5 seconds, sometimes longer). […] They certainly were deployed on oversold shared-hosting, but they got good YSlow scores.

    YSlow (and PageSpeed) are excellent tools, but they are inherently limited. They can only analyze and advise on front-end performance and how the site is processed by the browser. They give no insight into your server performance, and blindly chasing high front-end scores can actually be harmful to server load.

    You should use such tools, but you should never limit your insight into how the site performs to them alone.

    On hosting – any dynamic site on shared hosting will choke under high load. Again, while it may seem easy to tweak and get high front-end scores, on the server side shared hosting critically lacks the hardware and web stack flexibility necessary for a site with high traffic and/or striving for fast load times.

    I think that loading all of its resources is overkill for a lot of smaller projects, destined to be served from shared hosting.

    Have you tried static page caching? It effectively removes WP core from most requests and it’s about as fast as you can get on shared hosting. If you tried it and are not satisfied with pages served from static cache, WordPress is not your problem – hosting is.

    What I meant is that from my understanding, a WordPress site, beyond any actual security holes, is vulnerable because attackers know that it is a WordPress site. This creates a challenge (to breach a popular platform) and an inherent cheat sheet (WordPress vulnerabilities are well documented).

    There are no public and known security vulnerabilities in the stable WordPress version. Those that arise are fixed in a matter of hours.

    Poor server configuration (common occurrence on cheap hosts) or running outdated WP version is what gets you hacked, not the sheer fact of using WP.

    What I meant by the difficulty of page-load optimization is that if one achieves interactive functionality via lots of plugins, many scripts are loaded and it becomes more tedious to go back and combine, modify, customize or optimize them. I find it easier to include jQuery plugins outside of WordPress and not have to deal with how they hook into wp_head.

    Yes, some plugins have no clue how to properly load scripts. That is really an argument for picking plugins carefully, not against WordPress core.

    Concatenating and optimizing scripts is trivial with a good caching plugin.

    Overall and after your updates I feel that you are too eager to discard WordPress for issues that are inherent to any complex and fully-featured CMS (you need decent hosting to get it snappy) and you haven’t spent much time looking into caching solutions.

    It just might not be a good fit for the type of sites you build and you are better off looking into a lighter, simpler and less functional CMS that will perform better under your hosting constraints.

  2. To add to what Rarst said, but I think this post is borderline trolling.

    1. It’s fairly slow
    You need to provide more details, a site with hundreds of thousands of pages and 1 million views a month is not the same as a regular blog/portfolio. It is rather simple and very common to have a WordPress site load in well under 2 seconds depending on hosting/plugins/media/optimization. This is not really a WordPress-specific issue unless you have a very large site. Your understanding of page speed seems to be poor, website optimization is a lot more than YSlow…

    For example I have a dynamic site with a fair amount of images, widgets, 5 remote RSS feed items, and 10 posts, the initial load is 2.9 seconds with no cache, reloaded with cache it is 1.02 seconds. I can say this is about normal for all my WordPress sites. (Most of the initial 2.9 sec load are images which the cache clearly makes use of on reload.)

    2. It’s often overly complex for the needs of a simple website
    WordPress is without a doubt one of the easiest CMS’s that maintains some fairly advanced features. If you are not taking advantage of those features then why are you using WordPress to begin with? If you find it complex, what are you comparing this with, .net, static html, nodejs?

    3. It has a lot of security issues (especially when using plugins)
    It does? WordPress itself is secure, especially in the last year+, there have been no major issues. Most WordPress security problems come from pure ignorance on the part of the users downloading malware themes, poorly written plugins, not updating their site, and bad hosting. By far the vast majority of security issues are not related to the WordPress core at all. I can provide very specific examples if needed.

    4. It’s difficult to optimize page-load times
    I really don’t think that is accurate, there are a handful of great plugins that make optimizing WordPress a breeze compared to manually doing everything (which used to be the norm). These plugins literally save days of work by optimally caching, minifying, using CDN’s, etc, etc, with literally the click of a button, how do you find that difficult? Do you have any actual specific data we can look at?

  3. Martin: After reading through this question and its accompanying answers, here are my two cents on your question:

    Pros of using a custom front-end vs. WordPress

    • Potentially faster load times, since you could reduce the number of scripts, etc. that are loaded (but see below)
    • More control over database queries, which could potentially result in faster page load times.

    Cons of using a custom front end vs. WordPress

    Speed: One of your concerns with WP is speed. In my experience, unless you use plugins that insert their own JS into the header (via wp_head()), WordPress only loads what you tell it to.

    Omitting wp_head() from your header template will prevent WP from loading the new admin bar, for instance.

    What all this means is that there isn’t necessarily any advantage to using your own front-end, since you can customize what loads in your header anyway.

    Complexity: Your concern with complexity seems directed at the back-end, not the front-end. While I think WP has a great UI, I can understand wanting to tailor its functionality for specific projects. In many cases, you can modify your functions.php file and tell WordPress what to display (see this post for some examples).

    So, if it’s the back-end that’s overly complex, I suppose you can always build your own. If you’re referring to the complexity of WP’s database queries or resource usage, I’ll defer to someone with more knowledge on how that stuff works.

    Security: I don’t really buy the argument that running a custom front-end is more secure. If you’re running on a WP back-end, a hacker could just as easily discover that fact by looking at your URL paths (which include /wp-content/, etc.).

    There are plugins aplenty that remove the “generated by” meta from the front-end and do all sorts of other things to improve security (Secure WordPress is a good example). I actually believe it is less secure to rely on a homegrown custom solution. This is not a comment on your coding skills, but…it seems to me that an entire team of developers making a living doing nothing but WordPress would be more reliable than one guy.

    You do raise a good point in that WP kind of has a hacker’s bullseye on it. However…I’ve only ever been hacked on outdated WP versions and on shared hosting where the host was at fault. Since 3.0, there have been no issues. I think if you keep up to date on your install, verify that plugins you use are secure and supported, and use common sense, you won’t have any security problems.

    Page Load Times: I completely agree with you that using a bunch of plugins (or certain plugins) can adversely affect page load times. However, this places the blame more on the plugins and the developer’s choice to use them than on WP, does it not? You can use straight jQuery with or without your custom front-end, so I don’t see an advantage to going custom here when an intelligently designed WP theme will do just as well.

    Portability: My biggest concern about using a custom front-end is that it isn’t as portable or future proof as community supported ones. My company never builds custom CMSs for clients, because we’ve had many people come to us and say, “Our old web guy built this custom thing, and now he’s in Greece, and I can’t find anyone to update it.”

    WordPress uses standard functions that are well documented and that any experienced WP developer will know. With a big, robust, thriving platform like WordPress, a client can very easily find another developer to take over maintenance if the old one goes away.

    Final thoughts

    All of the above being said, I think you asked a good question that raises some valid concerns. I can see implementing a custom front-end for an internal project of yours — but that’s only if you believe the extra development time is worth it.

    For me, the cons of this approach outweigh the pros.
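The point in the answer above, that URL paths such as /wp-content/ and the "generated by" meta give away a WordPress back-end, can be checked against a custom front-end's own rendered pages. This is an added example, not code from the thread; the marker list beyond those two items, the sample HTML and all names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Paths that reveal a WordPress back-end. /wp-content/ is the one named in the
# answer above; the rest are other standard WordPress paths (added here).
PATH_MARKERS = re.compile(
    r"/(?:wp-content|wp-includes|wp-admin|wp-json)/|/(?:wp-login|xmlrpc)\.php")
URL_ATTRS = {"src", "href", "srcset", "action", "poster", "data-src"}


class WordPressMarkerAudit(HTMLParser):
    """Collect (line, tag, evidence) for each WordPress marker in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        line = self.getpos()[0]
        # The "generated by" meta that wp_head() normally emits.
        if tag == "meta" and attrs.get("name", "").lower() == "generator":
            if "wordpress" in attrs.get("content", "").lower():
                self.findings.append((line, tag, attrs["content"]))
        # Any URL-bearing attribute that points into the WordPress tree.
        for name in attrs.keys() & URL_ATTRS:
            if PATH_MARKERS.search(attrs[name]):
                self.findings.append((line, tag, attrs[name]))


def audit(html):
    """Return sorted findings for one rendered page."""
    parser = WordPressMarkerAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)


# Constructed sample: output of a hypothetical custom front-end that shows an
# image uploaded through the WordPress admin and posts logins to WordPress.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/assets/site.css">
</head><body>
<img src="/wp-content/uploads/2011/05/lookbook.jpg" alt="">
<form action="/wp-login.php" method="post"></form>
<a href="/collections/">Collections</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, evidence in audit(SAMPLE):
        print(f"line {line}: <{tag}> {evidence}")
```

Media uploaded through the WordPress admin is stored under /wp-content/uploads/ by default, so a front-end that never loads a theme still emits that path whenever it displays an uploaded image.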

  4. I really don’t know if you have used WordPress much based on what you posted?
    We will use my site as an example. It gets a YSlow score of 90% and loads in 1.5s flat for a new user. If they have it cached in their browser it’s instant. I don’t even use static pages.

    Now I’m on a dedicated server.. so I don’t have to deal with shared hosting and I can optimize my server (gzip etc)

    My best guess is you have been using a shared hosting server that is 120% sold.. then it comes to a crawl.

    Anything custom is going to have way more security vulnerabilities than something like WordPress that gets pounded on every day. Except, they most likely won’t even bother because who cares about hacking a single site with iffy custom code?

    UPDATE:

    I understand a bit more where you’re coming from. However, much of what makes WordPress “slow” is badly coded themes or unoptimized servers. If your hosting provider has servers set up with just a basic Apache/php/mysql install, more than likely it’s not optimized to run WordPress. There are tweaks to php.ini/httpd.conf/mysql that make it run faster with a database driven site.

    This is however a “Server” issue, not WordPress. I have a site that is on my dedicated server (Mac Mini Server, 2.66 C2D, 4GB) that loads in 1.5sec and the SAME SITE loads in 4sec on InMotion which is one of the better/best shared hosting providers.

    Now my “little server” is by no means powerful and yet it kicks the pants off of any shared hosting.. Server optimization is just as important in total website speed as is site optimization.