// 22 April 2026
Why I'm leading with static sites now (and what changed about WordPress)
I used to recommend WordPress to every small business that walked through the door. I don't anymore. A note on the maintenance treadmill, the cumulative cost of plugins, and the recent supply-chain attacks that made me reconsider what "easy" actually means.
- · wordpress
- · astro
- · security
- · business
I have spent seven years building WordPress sites. I have built them for trades, therapists, charities, publishers and brands you have heard of. WordPress is genuinely good at the thing it set out to do, which is to give a non-technical person a way to publish a website and edit it themselves. That is a real superpower and I am not going to pretend otherwise.
But for most brochure and marketing sites that walk through my door now, I am no longer recommending it as the default. Here is the thinking.
The plugin list
A typical “modern WordPress site” is not really a website. It is a website plus a small ecosystem of plugins, each one of which is a separate piece of software being maintained by a separate team in a separate part of the world. A reasonable starting list for a small-business site looks like this:
- Elementor Pro for visual layout
- A theme add-ons plugin that ties Elementor into the active theme
- Gravity Forms or similar for anything more than a contact form
- A cookie consent plugin to make GDPR look handled
- A redirection plugin because URLs change and 404s hurt SEO
- Yoast SEO or RankMath
- Site Kit by Google to wire in Search Console and Analytics
- A security plugin like Wordfence or Solid Security
- A speed plugin like WP Rocket because the rest of the stack made the site slow
- A backup plugin because the core platform doesn’t do backups
- A custom-PHP plugin for the one snippet that needs to live somewhere
That is eleven plugins before the site has done anything bespoke. Several of those are paid. The cumulative annual licence cost is real money — Elementor Pro alone is around £80 a year, WP Rocket is similar, Gravity Forms more. The client pays it, every year, forever, on top of hosting.

Each plugin is a piece of software being updated independently. Each update is a chance for compatibility breakage. Each plugin is a piece of attack surface. None of them is a problem on its own. All of them together are a maintenance treadmill that someone has to stay on top of, indefinitely.
The grim joke is that several of the plugins on the list above exist to fix problems caused by the others. WP Rocket exists because Elementor and the average WordPress theme make pages slow. The cookie consent plugin exists because Site Kit and the analytics setup are dropping cookies that need consent. Each new plugin solves a small problem and creates a slightly larger one.

What changed in the last year
The point I have been making for years is that the more plugins you have, the larger the surface area for things to go wrong. The point that the last twelve months have been making, more loudly than I ever could, is that “things going wrong” includes the plugins themselves being compromised at source.
In June 2024, a handful of WordPress plugins were found with malicious code injected directly into their distribution. Wordfence flagged Social Warfare and four others. Mid-2025, Gravity Forms — yes, that Gravity Forms — disclosed that an external party had made unauthorised modifications to the plugin code, affecting people who downloaded a specific version on a specific weekend in July.
Then in April 2026 the largest one yet: an attacker bought a portfolio of 30+ WordPress plugins on Flippa for six figures, sat on them for eight months, and then activated a backdoor that had been quietly added in a routine update. WordPress.org closed 31 plugins in a single day. The forced update, by the time it landed, only disabled the phone-home — the malicious code was still in the codebase of every site that had auto-updated to the compromised version. Smart Slider 3 Pro (800,000 installs) was hit independently the same week.
This is not a normal class of attack. This is somebody buying the trust relationship between you and a plugin author, then using that trust to walk in the front door of every site that has the plugin installed. There is no Wordfence rule that detects “the plugin you trust has been bought by somebody who shouldn’t be trusted.” The model assumes the source is safe.
If you are running a small business site, this is the world your website now lives in. Auto-updates fire monthly. The plugins you depend on can change ownership, and you will not be told. The maintenance burden is no longer just “keep things up to date.” It is “monitor the supply chain of every plugin in your stack, forever.”
Where WordPress still earns its place
I want to be clear about this. There is still a real, large category of website where WordPress is the right answer:
- Sites where the client genuinely needs to update content themselves, daily or weekly.
- Sites where multiple staff members will be editing pages and posts.
- Sites where a familiar admin interface matters because the team already understands it.
- Sites where the content model is genuinely complex — e-commerce, memberships, learning management — and the WordPress plugin ecosystem covers it neatly.
If you are in any of those buckets, the trade-offs swing back towards WordPress. The maintenance cost is the price of self-serve content management, and it can be worth paying.
What has changed is that my default assumption — “if you need a website, you want WordPress, here are the four tiers” — no longer holds for most clients. Most clients I see do not actually need a CMS. They have a brochure site that gets updated three or four times a year, and they have been told they need WordPress because everyone has it. They are paying for software they barely use, in security risk and in licence fees, to support a workflow they don’t need.
The honest middle ground
Where it gets genuinely interesting is the upper end. Once you go past “brochure site” into territory where the requirements are bespoke — a custom membership platform, a bespoke booking flow, anything that needs custom data models — the gap between “WordPress with twelve plugins fighting each other” and “Astro on Cloudflare with a small custom backend” closes very fast. At that scale, custom is sometimes the cleaner build. For e-commerce specifically, Shopify has been eating WordPress’s lunch for years because it solves the entire problem and is somebody else’s job to maintain.
What is left for WordPress is the genuine middle: the small charity newsletter, the ten-page therapy practice that publishes a blog post a month, the local restaurant that wants to update the menu themselves. That middle still exists. It is just smaller than it was, and a lot smaller than the WordPress install base would suggest.
What I am doing about it
For most brochure sites the discovery call now starts with the same question: are you going to edit this yourself, or will you be happy emailing me when the menu changes? If the answer is “I’ll email you,” the fast, secure, low-maintenance answer is a static site on Astro and Cloudflare. No plugins, no admin login, no patches, hosting from £20 a month, the site will still work in five years if no one touches it.
If the answer is “I’ll edit it myself, regularly,” WordPress is still on the table. I’m happy to build it, host it, and look after it. I will probably end up using fewer plugins than the typical builder uses, and I will be honest about the maintenance burden up front.
If you already have a WordPress site and want a second pair of eyes on the plugin list, the hosting setup, or the question of whether you actually need it — I am happy to do that on the £55/hour clock with no further commitment. Sometimes the answer comes back “this one is fine, leave it alone.” Sometimes it doesn’t.
The point is that “WordPress” stopped being the default answer for me. It is now one of three or four answers, picked deliberately, for the cases where it earns its place.
// thanks for reading
If something here was useful — or wrong — I'd like to hear about it. Email james@willcocks.uk.