WordPress, done properly - why most NZ business sites are slow and insecure (and how to fix it)

WordPress powers a huge share of the web, including most small-business sites in New Zealand. It has a reputation in some circles for being slow, bloated and insecure - and plenty of WordPress sites genuinely are. But after years of building, rescuing and hardening WordPress sites, we can tell you the platform is rarely the real problem. How it’s built and looked after is.

Here’s what actually goes wrong, and what a properly-built WordPress site looks like.

Why so many WordPress sites are slow

When a site crawls, it’s almost always one of a handful of causes:

• Plugin sprawl. Every plugin adds code that runs on each page load. We routinely see sites with 30-40 active plugins, half of them doing things a few lines of custom code would handle more cleanly. Each one is also a maintenance and security liability.
• A heavy “do-everything” theme. Multipurpose themes and page builders ship enormous amounts of CSS and JavaScript to cover every possible use case - most of which your site never uses but still has to load.
• Unoptimised images. A single 4MB hero image straight off a phone camera will sink your load time on mobile. Images are the number-one payload offender on most sites.
• Cheap shared hosting. If the server is overloaded with hundreds of other sites, no amount of front-end tuning fully rescues it.

What “fast” actually requires

Speed isn’t one trick - it’s a stack of sensible decisions:

1. Be ruthless about plugins. Every plugin should earn its place. We audit what’s installed, remove what isn’t pulling its weight, and replace bloated plugins with lean alternatives or small bits of custom code.
2. Choose a lightweight foundation. A well-built theme (or a custom one) that ships only the code the site needs beats a bloated multipurpose theme every time.
3. Optimise and lazy-load images. Serve appropriately-sized, modern-format (WebP/AVIF) images, and only load below-the-fold images when they’re needed.
4. Cache aggressively. Page caching, object caching and a content delivery network (CDN) mean most visitors are served pre-built pages from a location near them, not generated from scratch on every request.
5. Host it properly. Quality cloud hosting with real resources - not the cheapest shared plan - underpins everything above.

Done together, these routinely turn a 6-8 second mobile load into something under 2 seconds, with strong Core Web Vitals scores that Google rewards in search.

The security side

WordPress’s popularity makes it a target - but “popular” doesn’t mean “insecure.” Most WordPress hacks exploit the same few weaknesses:

• Out-of-date core, themes or plugins. Unpatched known vulnerabilities are the single most common way in. Updates aren’t optional.
• Weak admin credentials and no rate-limiting on the login page, leaving it open to brute-force attempts.
• Nulled or abandoned plugins - pirated premium plugins often ship with malware, and abandoned ones stop getting security fixes.
• Over-broad file permissions and no separation between the web server and the files it can write.

A hardened WordPress site addresses all of these: timely updates, strong authentication with login protection, removal of unused and risky plugins, locked-down file permissions, a web application firewall, and regular automated backups so you can recover fast if something does go wrong.

The honest takeaway

WordPress is an excellent choice for a great many businesses - it’s cost-effective, familiar, and there’s a solution for almost anything. The difference between a WordPress site that’s a liability and one that’s a genuine asset is entirely in the craftsmanship and the ongoing care.

If your WordPress site is slow, you’re nervous about security, or you’ve inherited something held together with 35 plugins, get in touch - rescuing and hardening WordPress sites is bread-and-butter work for us. Or, if you’d rather it was simply handled, our care plans keep WordPress fast, updated and secure so you never have to think about it.