I know WordPress — will I be able to manage a custom-built site?

Absolutely, and it's even easier. The custom admin panel is intentionally simple — no plugins, no updates, no complex menus. If you can write an email, you can manage your website content. No technical knowledge required.

How much does a custom website or application cost?

The price depends on the scope of the project. A simple website starts at approximately 20,000 CZK. More complex applications are priced individually. The consultation is free — reach out and we'll schedule a free initial call.

Why not WordPress? Everyone uses it.

WordPress is fine for bloggers, but it has real limitations for businesses: constant plugin updates, security patches, slow loading, and dependency on premium themes. Custom code is purpose-built — no bloat, no third-party dependencies.

How long does development take?

A simple brochure website is ready in 2–4 weeks. Mid-complexity projects typically take 4–8 weeks. Complex systems like Flurix or Sport-Club take 3–6 months, depending on requirements.

Will I own the source code?

Yes. Once fully paid, the source code is entirely yours. Nobody can revoke your access or charge ongoing licensing fees — you have no dependency on any external vendor.

Do you handle hosting, domain, and server setup?

Yes. I provide the full infrastructure — domain registration, hosting setup, SSL certificate, email, regular backups, and monitoring. Everything under one roof.

How does communication and the project process work?

You communicate directly with me — no middlemen, no ticketing systems. The project runs transparently: regular updates, access to a staging environment, and clearly defined milestones.

What if I want changes or new features after launch?

I write code that's easy to extend. I offer a monthly maintenance retainer or an hourly rate for one-off changes. You're not locked into any contract — we work on trust.

← ← Back to blog

Security & Development 2026-05-01

Why WordPress Is a Security Liability for Business Applications

The WPScan database tracks over 57,000 documented vulnerabilities, and 96% of all compromised CMS installations are WordPress. Read our honest analysis of the security, performance, and financial risks of building business applications on the world's most targeted CMS.

WordPress is a remarkable open-source success story. Over twenty years, it grew from a personal blogging tool into a platform powering over 43% of all websites on the internet. But this massive adoption has become a double-edged sword for businesses — and a security problem that simply cannot be ignored.

The Security Numbers That Speak for Themselves

The WPScan vulnerability database tracks over 57,000 documented vulnerabilities in WordPress plugins, themes, and core. On average, 50–70 new CVE entries are published every single week. Sucuri's annual hacked website report found that 96% of all compromised CMS installations are WordPress. The key question is no longer "will my WordPress site be targeted?" — it's "when, and through which attack vector?"

How an Attack Actually Unfolds

Attackers don't just rely on brute force. They work systematically with automated tooling. A typical attack scenario:

Fingerprinting — An automated scanner identifies the WordPress version, installed plugins, and their versions. Files like readme.txt, wp-includes/version.php, and HTTP response headers reveal this without any authentication.
CVE matching — The scanner cross-references detected versions against a vulnerability database. If a known CVE is found, it moves to exploitation immediately.
Exploitation — Common vectors include SQL injection in a plugin, unauthenticated file upload, XSS attacks leading to session cookie theft, or credential brute-forcing on /wp-login.php and the XML-RPC endpoint.
Persistence — The attacker uploads a webshell, creates a backdoored admin account, or embeds an encrypted payload inside the database (wp_options) that activates on every page load.

The entire process — from initial scan to full compromise — takes on average less than 4 hours after a CVE is publicly disclosed. Most site operators update plugins manually and irregularly.

Plugins: The Largest Attack Surface

WordPress core itself is now reasonably well-maintained. The real problem is the plugin ecosystem:

Over 60,000 plugins in the official repository, plus thousands of commercial ones.
Plugins are written by developers with vastly different security awareness — from professionals to hobbyists.
The average WordPress installation uses 22 active plugins.
Every plugin adds third-party code with direct access to your database, filesystem, and HTTP requests.
A plugin can be sold to a new owner at any time. In 2021, the popular AccessPress Themes plugin was deliberately backdoored after acquisition, compromising over 360,000 websites.

With custom code, the attack surface is exactly what you deliberately create. No third-party code with database privileges. No plugins whose author decided to sell the project or walk away.

XML-RPC and /wp-login.php: Permanently Open Doors

WordPress ships with two endpoints under constant automated attack:

/wp-login.php — The login page, accessible with zero protection by default.
xmlrpc.php — Originally for remote publishing, today primarily abused for credential brute-forcing (a single HTTP call can test hundreds of passwords simultaneously via multicall) and DDoS amplification.

Both can be blocked, but this requires deliberate action and ongoing maintenance — because WordPress core updates can re-enable them.

Performance: Hard Numbers

A standard WordPress page load typically triggers 15–80 database queries and loads dozens of PHP files from core alone, before any plugins run. Real-world data:

Average WordPress site: Google PageSpeed score 45–65 without aggressive caching.
Same content on a custom application: 90–98 without special effort.
Time to First Byte (TTFB): WordPress typically 600–1,200 ms, custom PHP application 80–200 ms.

PageSpeed isn't just a UX metric. Google uses it as a ranking factor since the Core Web Vitals update. A slow site means lower search rankings and fewer customers.

Vendor Lock-In: The Plugin Trap

Features WordPress doesn't natively offer are covered by plugins — on subscription:

WooCommerce + essential extensions: $150–500/year
Advanced form builders (Gravity Forms): $160–260/year
Membership plugin: $150–300/year
Backup and security plugin: $100–200/year

Stop paying? You lose updates and run vulnerable software. Switch plugins? Data migration costs hours or days. Custom code is a one-time investment — and it belongs to you permanently.

Update Roulette

Every plugin update is a gamble. With 20+ plugins from 20 different authors, conflicts are statistically inevitable. The result: your site breaks at 3 AM, customers see an error page, and you're calling a developer in a panic. Skip the update? You're running vulnerable software that bots are actively scanning. Neither option is good.

When WordPress Makes Sense

WordPress has its place — it makes perfect sense for:

A company blog or PR site with no sensitive data and no user database
A simple product catalog with infrequent content updates
A project with a limited budget where basic functionality suffices

But the moment your site processes customer personal data, payments, business documents, or sensitive authentication — you are knowingly choosing the world's most frequently attacked CMS as the guardian of that data.

What Custom Development Delivers

A custom application isn't automatically secure just because it isn't WordPress. Security is the result of deliberate decisions. Every DubNet CZ application includes:

PDO prepared statements — no inline SQL; SQL injection eliminated at the architectural level.
CSRF tokens on all state-changing forms.
Login rate limiting by IP address with exponential backoff.
Content Security Policy (CSP) headers restricting permitted script and style sources.
HSTS for enforced HTTPS and protection against SSL stripping attacks.
Audit logs covering all logins, data modifications, and administrative actions.
Minimal database privileges — the application's DB user has no CREATE/DROP rights.
2FA for all administrative access.

Conclusion: The Decision Has a Price Tag

WordPress is a legitimate tool used in the right context. For a business application handling customer data, payments, or sensitive company information, it introduces systemic security risk that cannot be fully eliminated — only managed, at the cost of ongoing time and money.

Custom development costs more upfront. Over 2–3 years, the total cost of ownership becomes comparable. And throughout that time, you operate a system whose every line of code you understand, whose attack surface is minimal, and whose security doesn't depend on the decisions of anonymous third-party plugin developers.

Want to know what a custom solution would look like for your use case? Get in touch — the initial consultation is free.