
WordPress is a tax. Here's what it actually costs you.

Why most small business sites running on WordPress are slower, more expensive, and more fragile than they need to be, and what to do about it.

By Jimmy Reich


We say it on the homepage. WordPress is a tax. Don’t pay it. People ask what we mean.

Here’s what we mean.

WordPress runs 43% of the web, and for a lot of those sites it was the right answer in 2012. A husband-and-wife restaurant, a local plumber, a dentist’s office in Wesley Chapel. Pick a theme, install a few plugins, point a domain at it, done. That deal made sense when the alternative was paying a developer $8,000 to hand-code static HTML. The bar to get a working site got lower, and small businesses got online.

Fourteen years later, the deal looks different. The site that was free to start is now bleeding you in three places at once: hosting, maintenance, and the slow drag of a platform that loads in four seconds when it should load in one. That’s the tax. Most owners don’t see the line items because nobody itemizes them. So let’s itemize them.

Line item one: the security tax

Plugins are how WordPress works. They’re also how WordPress gets broken into.

In 2024, security researchers logged 7,966 new vulnerabilities across the WordPress ecosystem. That’s a 34% jump over the year before. 96% of them were in plugins or themes, not in WordPress core. Core is fine. Core has been audited by thousands of contributors. The problem is the twenty plugins stacked on top of it, written by twenty different developers, on twenty different release schedules, half of whom have moved on to other projects.

92% of successful WordPress breaches in 2025 came through plugins or themes. Not core. Not the host. The third-party code your site depends on to function.

There’s a category for this now: zombie plugins. In December 2025 alone, over 150 plugins were yanked from the WordPress repository because the developer stopped patching them or the code was too compromised to fix. If you’ve got one installed, it’s not getting updates. Ever. It just sits there, a permanent attack surface, until you find it and delete it.
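Finding those zombies on an existing install is a ten-minute job. As an added example that is not Tarpon's tooling or anything from the post, the script below reads the JSON that WP-CLI's `wp plugin list --format=json` prints and the per-plugin record from the WordPress.org plugins API, and flags every plugin that is closed in the directory, has had no release in two years, or is sitting behind an available update. The inventory and directory records are constructed; the two-year cutoff is an assumption.

```python
"""Flag abandoned ("zombie") plugins on a WordPress install from WP-CLI's
`wp plugin list --format=json` output plus the WordPress.org plugins API,
which answers with an error instead of a record once a plugin is closed.
The inventory and directory records below are constructed for this example."""
import json
import urllib.error
import urllib.request
from datetime import date, datetime
from typing import Callable, Dict, Optional

STALE_AFTER_DAYS = 730  # assumption: two years without a release means abandoned

def classify(plugin: dict, info: Optional[dict], today: date) -> str:
    """Return 'closed', 'stale', 'needs_update' or 'ok', worst condition first."""
    if info is None:  # slug no longer in the directory
        return "closed"
    # API gives e.g. "2024-03-15 10:22am GMT"; only the date part is needed
    last = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").date()
    if (today - last).days > STALE_AFTER_DAYS:
        return "stale"
    if plugin.get("update") == "available":
        return "needs_update"
    return "ok"

def audit(inventory_json: str, lookup: Callable[[str], Optional[dict]],
          today: date) -> Dict[str, str]:
    """Map every installed plugin slug, active or inactive, to its status."""
    return {p["name"]: classify(p, lookup(p["name"]), today)
            for p in json.loads(inventory_json)}

def fetch_plugin_info(slug: str) -> Optional[dict]:
    """Live lookup against WordPress.org; None when the slug is not listed."""
    url = ("https://api.wordpress.org/plugins/info/1.2/"
           f"?action=plugin_information&request[slug]={slug}")
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError:
        return None
    return None if "error" in data else data

# Constructed sample of what `wp plugin list --format=json` prints
SAMPLE_INVENTORY = json.dumps([
    {"name": "contact-form-x", "status": "active", "update": "none"},
    {"name": "old-slider", "status": "active", "update": "none"},
    {"name": "gallery-plus", "status": "inactive", "update": "available"}])
# Constructed directory records; None stands for a closed/removed slug
SAMPLE_API = {"contact-form-x": {"last_updated": "2025-11-02 9:15am GMT"},
              "old-slider": None,
              "gallery-plus": {"last_updated": "2022-06-30 2:00pm GMT"}}
```

Offline, `audit(SAMPLE_INVENTORY, SAMPLE_API.get, date.today())` reports the sample slider as closed and the sample gallery as stale; against a real site, pipe the WP-CLI output in and pass `fetch_plugin_info` as the lookup. Inactive plugins are deliberately included, since their files are still reachable whether or not WordPress loads them.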

The fix for all of this exists. You can buy a security plugin. You can pay for a web application firewall. You can run weekly malware scans. You can hire a managed WordPress host that virtual-patches vulnerabilities before the plugin authors do. All of those things cost money, every month, forever, and they’re a baseline, not an upgrade. You’re paying to stay where you already are.

Static sites don’t have this problem. There’s no database to inject. No PHP runtime to exploit. No plugin to abandon. When we deliver a site at Tarpon, the entire thing is a folder of HTML, CSS, and JavaScript files sitting on a global CDN. The attack surface is the contact form, and we keep that locked down by routing it through a service that does nothing else.

You don’t have to take our word for it. The numbers are public. Pull up the Wordfence vulnerability database any week of the year and count the new ones.

Line item two: the speed tax

Google measures three things to decide how fast your site feels. Largest Contentful Paint (how long until the main thing on the page shows up). Interaction to Next Paint (how long until a tap or click responds). Cumulative Layout Shift (how much the page jumps around while it’s loading). They call these Core Web Vitals, and they’re part of how Google ranks you.

As of late 2025, about 44% of WordPress sites pass all three on mobile. Shopify is at 65%. Wix is above 60%. Custom static builds are around 60%. WordPress is last.

This isn’t because WordPress is bad. It’s because the average WordPress site is running on cheap shared hosting, with a heavy theme, a page builder like Elementor or Divi, and a stack of plugins each shoving its own JavaScript and CSS into the page. Every page load fires up PHP, queries MySQL, assembles the HTML, runs the cache layer if you’ve configured one, and finally ships bytes to the browser. By the time all of that finishes, your visitor is already gone.

The fix exists. You can buy better hosting (Kinsta or WP Engine, $30 to $300 per month). You can install WP Rocket ($60 per year). You can buy a lightweight theme. You can audit every plugin and remove the ones bloating your scripts. You can hire a developer to generate critical CSS by hand. After all of that, a tuned WordPress site can hit 1.5 to 2 seconds on mobile, which is competitive.

Our sites load in under a second by default. Not because we’re geniuses. Because the architecture is different. The HTML for your homepage is already built and sitting on an edge server two hundred miles from your visitor. There’s no PHP. There’s no database. There’s nothing to assemble. The browser asks for the page and gets the page.

Speed matters because Google rewards it, sure. But speed mostly matters because people stay. Every additional second of load time correlates with a measurable drop in conversion. For a small business with a few hundred site visits a month, the difference between a 3-second site and a 1-second site is the difference between booking the appointment and not.

Line item three: the maintenance tax

This is the one nobody warns you about up front.

A WordPress site is a thing you have to maintain. Forever. Core updates. Theme updates. Plugin updates. PHP version updates from your host. SSL certificate renewals. Database backups. Database optimization when the database bloats. Cache rebuilds when something breaks the cache. Compatibility checks every time a plugin author rewrites half the code in a major version bump.

If you do this yourself, it’s an hour or two a month, every month, forever. If you ignore it, you’re the zombie plugin story above. If you pay someone, it’s a “care plan” at $75 to $300 per month, on top of hosting. Most agency care plans top out at “we apply updates and check the site didn’t break.” If it did break, that’s a separate invoice.

A static site doesn’t need any of this. There’s no software running. There’s nothing to update. The site sitting on the CDN today will be sitting on the CDN in five years, byte for byte identical, unless we deploy a new version on purpose. When you want to change copy or swap a photo, you open a simple editor, make the change, hit save, and 45 seconds later the new version is live everywhere in the world.

We host every Tarpon site for $30 to $75 per month. That includes hosting, the CMS that lets you edit copy, image optimization, the global CDN, SSL, uptime monitoring, and us actually answering the phone. Cancel anytime. Export the whole site if you leave. No contracts.

Compare that to a typical WordPress setup: $25/mo for managed hosting, $60/yr for WP Rocket, $99/yr for a backup plugin, $150/yr for a security plugin, $99/yr for the theme license, $99/yr each for whatever premium plugins your build depends on, plus $75 to $300/mo for a care plan if you don’t want to do the maintenance yourself. Run that math for a year. It’s not even close.

The honest case for WordPress

We aren’t going to pretend WordPress has no use. It does.

If you’re running a magazine with five writers, a managed editorial workflow, comments, user accounts, and a content team that knows the WordPress admin, WordPress is genuinely good at that. If you’re running a membership site with paid subscriptions, gated content, and a forum, WordPress and its plugin ecosystem will get you there faster than building from scratch. If you’ve already got 500 blog posts on it and you’re getting real organic traffic, ripping it out is a bigger project than it sounds.

For a local business, a dentist, a restaurant, a law firm, a roofer, a CPA, a contractor, none of that applies. You’ve got a handful of pages. You need them to look professional, load fast, show up in Google, and let people contact you. That’s the whole job. WordPress is a hammer the size of a house for that job.

What to do about it

If you’ve got a WordPress site that’s working fine, you don’t need to do anything. We aren’t trying to convince you to migrate for the fun of it.

If your site loads slowly, gets hacked occasionally, costs more than $100 per month to keep alive, or hasn’t been updated in a year because you’re scared of breaking it, that’s a conversation worth having. Send us the URL. We’ll record a 5-minute walkthrough showing what we’d change and what it would cost to start over clean. Free. No pitch at the end. Just an honest look.

Either way, now you know what you’re paying for.
