Why We Build With Modern Frameworks Instead of WordPress

The WordPress Problem

WordPress powers roughly 43% of all websites on the internet. It is, by any measure, the most successful content management system ever built. It democratized web publishing and gave millions of people the ability to build websites without writing code.

We still recommend against it for most business websites.

This is not a tribal preference. We are not framework purists who look down on PHP. The recommendation is based on three measurable factors: security exposure, performance characteristics, and total cost of ownership over a 3-5 year lifecycle. When you evaluate WordPress against modern static-first frameworks — Astro, Next.js, SvelteKit, Hugo — on these three axes, WordPress consistently loses for business websites that don't require daily content publishing by non-technical teams.

The Security Surface Area

A typical WordPress business site runs 20-30 plugins. A contact form plugin. An SEO plugin. A caching plugin. A security plugin (the irony is not lost on us). A page builder. A multilingual plugin. An analytics plugin. A backup plugin. Each of those plugins is a piece of third-party code with its own update cycle, its own developer, and its own potential vulnerabilities.

WordPress requires a running PHP process, a MySQL database, a file system with write permissions, and an administrative login panel accessible from the public internet. Each of these is an attack surface. Brute-force attacks against /wp-admin are so common that most WordPress security plugins include rate-limiting as a default feature — a feature that exists solely because of WordPress's own architecture.

A static site has none of these attack surfaces. There is no database to inject. There is no PHP runtime to exploit. There is no login panel to brute-force. There is no file system with write permissions. The output is plain HTML, CSS, and JavaScript files served from a CDN. The attack surface is, for practical purposes, the CDN provider itself — and if someone compromises Cloudflare, your WordPress site is equally vulnerable because it sits behind the same infrastructure.

For a cybersecurity consultancy, recommending WordPress for a client's business site while simultaneously telling that client to reduce their attack surface would be contradictory. We build our own site the way we advise our clients to build theirs.

Performance on Costa Rica's Internet Infrastructure

Costa Rica's average broadband speed sits around 70-90 Mbps download, with mobile connections averaging 30-40 Mbps. That is respectable for the region but still meaningfully behind North American or European averages. More importantly, latency to servers outside Costa Rica remains a factor. A WordPress site hosted on shared hosting in the US typically adds 80-150ms of network latency before the server even begins processing the PHP request.

WordPress follows a request-response cycle: the browser requests a page, the server executes PHP, queries the MySQL database, assembles the HTML, and sends it back. Even with aggressive caching (WP Super Cache, W3 Total Cache, LiteSpeed), the first uncached request still requires server-side computation. Page builders like Elementor or Divi add further overhead — they generate bloated HTML with inline styles and load JavaScript bundles that can exceed 500KB.

Static sites skip this entire cycle. The HTML is pre-built at compile time. When a visitor requests a page, the CDN serves a finished file from its nearest edge node. Cloudflare operates an edge node in San Jose, Costa Rica, which means a static site served through Cloudflare Pages delivers content to Costa Rican visitors with single-digit millisecond latency at the network layer.

Speed is not vanity. Google uses Core Web Vitals as a ranking signal. For businesses competing for search visibility in Costa Rica — where the market is smaller and every position matters — the performance gap between a static site and a WordPress site can directly affect revenue.

Total Cost of Ownership

The upfront cost of a WordPress site is often lower. A developer can assemble a business site using a premium theme ($60), a page builder ($99/year), and a handful of plugins in 20-40 hours. A custom Astro or Next.js build typically takes 40-80 hours for a comparable scope. The initial price difference is real.

But websites are not one-time purchases. They are ongoing operational systems. Here is what the WordPress site costs over three years:

• Managed hosting: $25-50/month for decent WordPress hosting (WP Engine, Kinsta, Cloudways). That's $900-1,800 over three years.
• Plugin licenses: Premium plugins like WPML ($99/year), Elementor Pro ($99/year), Yoast Premium ($99/year), and security plugins ($100-300/year) add $400-600 annually — $1,200-1,800 over three years.
• Maintenance: WordPress core updates 2-3 times per year. Plugin updates monthly. Theme compatibility testing after each update. A maintenance retainer runs $100-300/month — $3,600-10,800 over three years.
• Security incidents: The average cost of cleaning a hacked WordPress site is $500-3,000. With 30,000+ WordPress sites hacked daily according to industry estimates, this is not a theoretical risk.
• Rebuild: Most WordPress sites need a significant rebuild every 2-3 years as themes become outdated, plugins lose support, or PHP version requirements change.

The three-year total for a WordPress business site: $6,000-15,000+ beyond the initial build.

A static site on Cloudflare Pages: $0/month hosting (the free tier handles most business sites). No plugin licenses. No PHP updates. No database maintenance. No security patching. The ongoing cost is essentially zero unless the business wants content changes, which are billed per engagement rather than as a perpetual retainer.

The Costa Rica Context

Three characteristics of the Costa Rican market make the case against WordPress even stronger.

Bilingual requirements

Most business websites in Costa Rica need both Spanish and English versions. WordPress handles this through plugins like WPML or Polylang — both of which add complexity, database overhead, and their own vulnerability surface. WPML in particular has had multiple critical security vulnerabilities over the years. In a modern framework, internationalization is a first-class architectural concern. Astro's content collections, Next.js's built-in i18n routing, and similar features handle multilingual sites natively without third-party dependencies.

SINPE Movil and local payment integration

Costa Rica's payment ecosystem is unique. SINPE Movil is the dominant instant payment method, but it does not have standard e-commerce plugins for WordPress. Integrating SINPE Movil into a WordPress site requires custom development anyway — at which point you are writing custom code inside a framework designed to avoid custom code. Modern frameworks let you build clean API integrations with payment processors, SINPE Movil deep links, and local banking APIs without fighting against a plugin architecture.

Local hosting limitations

Quality WordPress hosting within Costa Rica is limited. Most local providers offer shared cPanel hosting with PHP 7.x (sometimes even 5.x), limited memory, and no managed security. Businesses that want adequate performance end up on US-based managed hosts, which introduces latency. With static deployment on Cloudflare Pages, the hosting question disappears entirely — the site is replicated across 300+ edge locations globally, including San Jose.

What We Use Instead

Our primary stack for business websites is Astro — a framework designed specifically for content-driven sites. Astro generates static HTML by default, ships zero JavaScript to the browser unless explicitly needed, and supports components from any major framework (React, Vue, Svelte) when interactive elements are required.

For applications that require server-side logic — dashboards, client portals, booking systems — we use Next.js or SvelteKit, depending on the project requirements. These frameworks provide server-side rendering, API routes, and authentication flows without the overhead of a traditional CMS.

Styling is handled with Tailwind CSS, which generates only the CSS your site actually uses — no 300KB theme stylesheets loaded on every page. Deployment goes to Cloudflare Pages with automatic builds from Git, preview deployments for client review, and zero-configuration SSL.

When clients need to edit content themselves, we integrate a headless CMS — Storyblok, Sanity, or Contentful — which provides a visual editing interface without any of the security risks of a self-hosted CMS. Content changes trigger an automatic rebuild, and the site remains static and fast.

When WordPress Still Makes Sense

We are not absolutists. WordPress is the right choice in specific scenarios:

• High-volume content publishing: If your business publishes 10+ articles per week with multiple authors, WordPress's editorial workflow is mature and well-understood.
• E-commerce with WooCommerce: For product catalogs with hundreds of SKUs, inventory management, and complex shipping rules, WooCommerce remains a viable option — though Shopify is typically a better choice.
• Budget constraints with no technical resources: If the total budget is under $1,500 and no developer will be available for ongoing work, a managed WordPress.com site is practical.
• Existing WordPress ecosystem: If a business already has a WordPress site with significant content, custom plugins, and trained staff, a migration may not be justified.

For most Costa Rican businesses building a new website — professional services firms, medical practices, tourism operators, logistics companies, and the industries we serve — a static-first approach delivers better security, better performance, and lower long-term cost.

Frequently Asked Questions