How to Make a Slow, Insecure, Buggy WordPress Site

“You want to use WordPress? It’s hopelessly slow!” “It’s full of bugs!” “Say goodbye to your security!” You’ll hear these complaints a lot. The people who say these may just be trying to impress you with how much they know. But this much is true: It isn’t hard to build a poorly written WordPress site which is slow, buggy, and insecure. You have to know how to do it in order to avoid those mistakes.

Here’s a quick tutorial-in-reverse on how to build a site that will have everyone complaining — except the hackers and your competitors. Carefully don’t follow these steps if you want a great site.

Get every plugin you can

To build a really slow site, pile on the plugins. Never mind where they come from or what they do, as long as they make your site flashy. Some sites have hundreds, but if you have 25 or more, you’re well on your way to an overloaded site. Each one takes some processing time, can have bugs, and can conflict with the others. Here are some tips for dragging your site down fast:

  • Get plugins with few reviews from obscure vendors. Checking the reviews and sticking with well-respected products is for cowards. You want to be at the bleeding edge.
  • Get outdated, unsupported plugins. They were good a long time ago, when the publisher was making bug fixes and issuing updates. They can only have improved with age. They might even run on the latest version of WordPress.
  • Look for plugins that constantly update the screen. If a widget doesn’t change from minute to minute, that’s boring. Caching software can reduce the number of disk accesses, and you can’t have that. But then, you don’t use caching, do you?
  • Choose plugins that clutter the database. It takes more research to find them, but they’ll reward you with a bloated database that will continue to slow you down even if you stop using them.
  • Use pirated plugins. Not only will you save money, you’ll never be bothered with updates or support. Chances are good that what you install already has malware in it, so you’ll get an immediate boost in vulnerability.

Never update

If your installation was good enough for last year, it’s good enough for this year! Updates regularly become available for the WordPress core, themes, and plugins. WordPress is the world’s most widely used CMS for websites, so lots of crooks are looking for ways to break into it. The development team counters them by issuing regular security updates. Ignore them.

Likewise for your theme, as well as the hundred plugins you installed. Probably some of them are supported, but just ignore the updates. Leave everything the way it was. You can be confident some of them will break before long.
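To see how far a site has drifted, the check can be scripted. This is an added example, not part of the original article: it assumes WP-CLI (`wp`) is installed, and `audit_plugins`, `WP_ROOT` and the sample rows in the comments are names made up for illustration. The limit of 25 is the figure mentioned in the plugin section above.

```shell
#!/bin/sh
# Added example: flag plugins with pending updates and an oversized plugin set.
# Expected input is the CSV printed by:
#   wp plugin list --fields=name,status,update --format=csv
# Constructed sample of that output:
#   name,status,update
#   akismet,active,none
#   old-slider,active,available

# audit_plugins: read the CSV on stdin, print one finding per line,
# then a summary line, then a warning once the count reaches the limit.
audit_plugins() {
    awk -F, -v limit=25 '
        NR == 1 { next }                          # skip the header row
        { total++ }
        $3 == "available" { pending++; print "UPDATE-PENDING " $1 }
        END {
            printf "SUMMARY total=%d pending=%d\n", total, pending
            if (total >= limit)
                printf "TOO-MANY %d plugins installed (limit %d)\n", total, limit
        }
    '
}

# Run against a live site only when WP-CLI is present and WP_ROOT is set.
if command -v wp >/dev/null 2>&1 && [ -n "${WP_ROOT:-}" ]; then
    wp --path="$WP_ROOT" plugin list --fields=name,status,update --format=csv |
        audit_plugins
fi
```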

Never back up

Your site will never crash or be hit by ransomware, so why bother backing up? But if you do insist on backing up, there are ways to make it as useless as possible.

One way is to back up only the files. Without the database they aren’t very useful; you won’t have content, users, or configuration. Alternatively, you can back up to a drive which is permanently attached to your server. Chances are pretty good that anything which wrecks your WordPress installation will also ruin the backup. Don’t bother with anything like an offsite, encrypted backup. That would only give you real protection.
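The opposite of the useless backup, as an added example that is not part of the original article: the database dump and the files go into one archive, the archive is checked for both, and only an encrypted copy leaves the server. It assumes WP-CLI, GnuPG and rsync are installed; `BACKUP_KEY`, `OFFSITE` and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: a backup that holds files AND database, verified before it ships.
# Placeholder names: BACKUP_KEY (GPG recipient), OFFSITE (rsync destination).

# backup_is_complete ARCHIVE: succeeds only if the archive holds a SQL dump,
# wp-config.php and a wp-content/ tree; otherwise prints what is missing.
backup_is_complete() {
    listing=$(tar -tzf "$1") || { echo "unreadable archive"; return 2; }
    missing=""
    echo "$listing" | grep -Eq '\.sql$'               || missing="$missing database-dump"
    echo "$listing" | grep -Eq '(^|/)wp-config\.php$' || missing="$missing wp-config.php"
    echo "$listing" | grep -Eq '(^|/)wp-content/'     || missing="$missing wp-content"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
}

# make_backup WP_ROOT OUT.tar.gz (absolute paths, OUT outside WP_ROOT):
# dump the database outside the web root, archive it with the site files,
# verify the archive, encrypt it, and copy the encrypted file offsite.
make_backup() {
    wp_root=$1; out=$2
    tmp=$(mktemp -d) || return 1
    wp --path="$wp_root" db export "$tmp/database.sql" &&
    tar -czf "$out" -C "$tmp" database.sql -C "$wp_root" . &&
    backup_is_complete "$out" &&
    gpg --encrypt --recipient "$BACKUP_KEY" --output "$out.gpg" "$out" &&
    rsync -a "$out.gpg" "$OFFSITE"
    status=$?
    rm -rf "$tmp" "$out"      # keep only the encrypted copy on the server
    return $status
}

if [ $# -eq 2 ]; then make_backup "$1" "$2"; fi
```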

Edit themes via Admin UI

Whatever theme you use, chances are high that you’ll want to tweak its CSS and add or update widgets or other features. The recommended way to do this is to update the theme’s codebase under proper source control and disable the “Edit” feature in the admin interface. That way, your updates are tracked, and potential malicious code injection from the UI is prevented. Another way, supported through Jetpack or through the theme’s options, is to add custom CSS.

Doing that is for losers. Go right in and edit through the admin UI. That way, if anything goes wrong or you lose your changes in an update, you can start all over while leaving your site vulnerable. If writing the code updates once was fun, doing it twice must be even more fun!

Provide huge image files

Cameras create images that are 4K pixels wide or more. Why not just put the file up, at full resolution and maximum quality, on your WordPress site? Your readers can have the pleasure of watching it slowly load on their phone’s tiny screen.

When you upload an image, WordPress creates one or more resized versions to suit various page layouts. But if you use the original, full-sized image, then most people will see exactly what they would have seen with the custom size, just more slowly.

Use worst practices for security

Use a password which you can remember, like “PASSWORD” or “123456.” The same password you use on all your other accounts is a good choice. Be sure not to limit the number of login attempts.

If you give other people accounts on your site, give them the Administrator role. Anything less would be an insult. Editor, Author, and Contributor roles let people make specific changes to the site but not create or delete accounts, change themes and plugins, or manage site options.

Don’t use SSL (HTTPS) access. It’s more exciting when your password goes through the Internet as plain text that’s easy to intercept.
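Two of the mistakes above, the admin-UI file editor and logins over plain HTTP, are each controlled by a constant in wp-config.php. The following is an added example, not part of the original article: it reports which of the two is not switched on and sets both with WP-CLI. The function names are made up here, and the grep is a simple line match, not a PHP parser.

```shell
#!/bin/sh
# Added example: check wp-config.php for two hardening constants.
#   DISALLOW_FILE_EDIT  removes the theme/plugin file editor from the admin UI
#   FORCE_SSL_ADMIN     forces logins and the admin area onto HTTPS

# config_findings FILE: print one line per constant that is not defined as
# true in FILE; return 1 if anything was printed.
config_findings() {
    rc=0
    for const in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        # Matches  define( 'CONST', true )  with either quote style and any spacing.
        if ! grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]${const}['\"][[:space:]]*,[[:space:]]*(true|TRUE)[[:space:]]*\)" "$1"; then
            echo "$const is not enabled"
            rc=1
        fi
    done
    return $rc
}

# harden_config WP_ROOT: write both constants with WP-CLI (assumes wp is installed).
harden_config() {
    wp --path="$1" config set DISALLOW_FILE_EDIT true --raw &&
    wp --path="$1" config set FORCE_SSL_ADMIN true --raw
}

# Report on a live site only when WP_ROOT is set.
if [ -n "${WP_ROOT:-}" ] && [ -f "$WP_ROOT/wp-config.php" ]; then
    config_findings "$WP_ROOT/wp-config.php" || true
fi
```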

Never moderate comments

Make sure that the pile of plugins you installed doesn’t include any comment spam catchers. Let anyone comment on both pages and posts, and never moderate the comments. Before long, you’ll have a nice collection of links to malware sites.

WordPress provides lots of options. You can disable comments entirely, moderate all of them, or moderate comments from people who haven’t commented before. None of these options are as exciting as giving the spammers free rein.

Edit the WordPress core

This is a really advanced option, for people who know PHP and are convinced they completely understand WordPress. If you’re truly courageous, make changes to the PHP code in WordPress to do things better.

Diving into the core will get you rewards like a crashed system that can’t be recovered and new security holes. Best of all, you’ll be the only person with those exact problems, so anyone trying to fix your system will be totally baffled.

No, really don’t!

Just in case you’ve forgotten, we aren’t really saying you should follow this advice. Don’t do these things unless you want an unreliable, slow, broken WordPress site. If you do, you can perform them yourself or hire a developer to wreck your site for you. People who work that way come really cheap.

But if you want a really great WordPress site, one that will run fast and reliably, then just call us.