WordPress powers roughly 43% of the entire web. That's not a typo. Nearly half of all websites on the internet run on the same content management system that started life as a blogging platform in 2003. It's the most popular CMS by a staggering margin, with an ecosystem of over 60,000 plugins and thousands of themes.
We used to build with it. We were good at it. And then we stopped. Completely.
This isn't a hot take for the sake of being contrarian. We ditched WordPress because, for the kinds of businesses we work with, it consistently underdelivers on the things that actually matter: speed, security, reliability, and long-term cost of ownership. Here's the full picture.
The WordPress reality check
WordPress's market share is impressive, but it tells a misleading story. That 43% includes everything from abandoned blogs to half-finished hobby projects. It includes sites built on pirated themes running outdated PHP versions. It includes enterprise installations with six-figure budgets and full-time dev teams maintaining them.
For a small-to-medium business, the typical WordPress experience looks something like this: you pay a designer to build a site on a premium theme with a page builder like Elementor or Divi. It looks decent when it launches. Six months later, you've got 30 plugins that all need updating, your hosting company is nagging you about PHP versions, and your site takes four seconds to load because WooCommerce is initialising on every page even though you only sell three products.
Twelve months in, something breaks. A plugin update conflicts with your theme. The contact form stops working. The designer who built it has moved on or doesn't answer emails anymore. You're stuck Googling error messages at 11pm on a Tuesday, wondering how this happened.
Sound familiar? You're not alone.
The security problem is real
WordPress is the most targeted CMS on the internet. That's not speculation -- it's mathematics. When 43% of the web runs on the same platform, attackers can build exploits at scale. One vulnerability in a popular plugin doesn't compromise one site. It compromises millions.
The numbers are sobering. Sucuri's annual hacked website report consistently shows WordPress accounting for over 90% of all cleaned CMS-based infections. In 2024 alone, Wordfence blocked over 100 billion malicious requests targeting WordPress sites. The vast majority of successful attacks exploit known vulnerabilities in plugins and themes that simply haven't been updated.
A hand-coded site has no admin login to brute-force, no plugin vulnerabilities to exploit, and no database to inject. You can't hack what isn't there.
A hand-coded website, by contrast, has a fundamentally different security profile. There's no admin panel to brute-force. No database to inject queries into. No plugins with known CVEs. No theme files with backdoors. The attack surface is, for all practical purposes, the web server itself -- and modern hosting platforms handle that security layer far better than any WordPress security plugin can.
Plugin bloat: the silent killer
The plugin ecosystem is WordPress's greatest strength and its most damaging weakness. Every plugin adds weight: additional CSS, JavaScript, database queries, and HTTP requests. A typical WordPress business site runs 20-40 plugins. Each one was solving a problem. Collectively, they are the problem.
Here's what a common plugin stack looks like for a basic business site:
- SEO plugin (Yoast or Rank Math)
- Security plugin (Wordfence or Sucuri)
- Caching plugin (WP Super Cache or W3 Total Cache)
- Contact form plugin
- Page builder (Elementor, Divi, or WPBakery)
- Image optimisation plugin
- Backup plugin
- Analytics plugin
- Cookie consent plugin
- Social media plugin
That's ten plugins before you've added anything specific to your actual business. And notice the irony: you need a caching plugin and an image optimisation plugin to counteract the bloat that all the other plugins created. You need a security plugin to patch the vulnerabilities that the plugin architecture introduced. It's a system that creates its own problems, then sells you the solutions.
With a hand-coded site, contact forms are a few lines of HTML and a form handler. SEO is baked into the markup. There's no page builder because the pages are already built -- properly. Analytics is a single script tag. Cookie consent is a lightweight component. The entire site does more with less.
The performance gap
This is where the difference becomes measurable and undeniable.
A typical WordPress site on shared hosting loads in 3-6 seconds. With decent hosting and aggressive caching, you might get that down to 2-3 seconds. A well-optimised WordPress build with premium hosting, CDN, and careful plugin management can hit 1.5-2 seconds.
Our hand-coded sites consistently load in under one second. Often well under. The Jaunt Studio website scores 100 on Google's PageSpeed Insights for both mobile and desktop. Not because we've spent weeks optimising -- because there's nothing to optimise away. There's no bloat to begin with.
Why does this matter? Because Google has explicitly stated that page speed is a ranking factor. Because every second of load time costs you conversions. Because mobile users on variable connections don't have the patience for a three-second white screen while WordPress bootstraps itself. The performance gap isn't marginal. It's the difference between a site that works and a site that makes people wait.
Want to see how your site stacks up?
Run a free audit and get instant scores for performance, SEO, accessibility, and best practices.
Run free auditOwnership and portability
Here's something that doesn't get discussed enough: when you build on WordPress, you don't truly own your website. You own a collection of database entries, theme configurations, and plugin dependencies that only work together in one very specific environment.
Try moving a WordPress site to a different host. Try updating PHP. Try migrating away from WordPress entirely. Every one of those tasks ranges from "painful" to "might as well start over." Your content is locked inside a MySQL database. Your design is tied to a theme that's tied to a page builder. Your functionality lives in plugins that may or may not exist next year.
A hand-coded website is a collection of files. HTML, CSS, JavaScript. You can open them in any text editor. Host them anywhere. Move them in minutes. They'll work on any server that can serve static files -- which is literally all of them. There's no vendor lock-in. No proprietary formats. No database to migrate. You own every line and can take it wherever you want.
When WordPress does make sense
We're not zealots about this. WordPress genuinely is the right tool for certain use cases:
- Content-heavy sites that publish daily and need multiple non-technical authors managing content simultaneously
- Complex e-commerce with hundreds of products, inventory management, and third-party integrations that would be impractical to build custom
- Tight budgets with DIY needs -- if you truly can't afford professional development and need to manage everything yourself, WordPress with a good theme is a reasonable starting point
- Rapid prototyping -- when you need something live this week and plan to rebuild properly later
But for a small-to-medium business that needs a professional web presence -- 5-15 pages, a contact form, strong SEO, and fast load times -- WordPress is an excavator when you need a shovel. It can do the job, but the overhead, the maintenance, the risk, and the performance cost aren't justified.
The hand-coded advantage
Let's be specific about what you get when we build a site from scratch:
- Speed: Sub-second load times. 90-100 PageSpeed scores. No bloat, no compromise.
- Security: No CMS to exploit. No admin panel. No database. No known plugin vulnerabilities. The attack surface essentially doesn't exist.
- SEO: Clean semantic HTML. Proper heading hierarchy. Structured data. Optimised images. Fast Core Web Vitals. Everything Google rewards, nothing it penalises.
- Control: Every pixel, every interaction, every line of code is intentional. Nothing is there because a theme decided it should be.
- Reliability: No plugin conflicts. No update anxiety. No "white screen of death." The site works because there's nothing in it that can break it.
- Low maintenance: No weekly plugin updates. No PHP version worries. No database optimisation. The ongoing cost of running a static site is essentially zero.
Key Takeaway
WordPress is a powerful tool -- but power isn't the same as suitability. For most small-to-medium businesses, a hand-coded website delivers better performance, stronger security, cleaner SEO, and lower long-term costs. The initial build takes more skill, but the result is a site that works harder, loads faster, and doesn't need constant babysitting. Choose the right tool for the job -- and for most business websites, that tool isn't WordPress.
The bottom line
We're not anti-WordPress. We're pro-results. And the results consistently show that for the businesses we serve, hand-coded websites outperform WordPress builds on every metric that matters to the business owner: speed, security, search rankings, reliability, and total cost of ownership.
If you're running a WordPress site that's become a maintenance headache, or you're planning a new build and trying to decide which direction to go, we're happy to talk it through. No pressure, no sales pitch -- just an honest conversation about what makes sense for your specific situation.
