Don’t get Ploned: Your Client Needs WordPress Instead

Plone is a web-based content management system built on Python, sharing many similarities with WordPress. As a WordPress developer, you may from time-to-time find clients leaning towards Plone. Learn the important differences between WordPress and Plone, and you’ll be better prepared to help such clients.

There’s a Python in my boots

Python is a programming language. You can read all about the ins and outs on the official Python website. Used for many things, Python gets a nod for some sexy software like:

  1. Blender for 3D modeling and animation
  2. PyGame for developing games
  3. Trac Project for helping developers manage software projects

Oh, and by the way, there’s this little content management system called Plone also built on Python.

Why would anyone use Plone for a website?

With professional web tools like WordPress, a more application-development-friendly Drupal, and the distracted-by-shiny-things Joomla, it’s hard to imagine why anyone would even consider using Plone for their website.

Plone == Harder;

Pretentious programmer quotes aside, Plone is more difficult than WordPress to install, maintain, and develop for.

  1. Fewer commercial web hosts support the requirements for Plone than support the requirements for WordPress.
  2. Developers experienced in PHP, MySQL, and WordPress specifics are far easier to locate and hire than those knowing Python, Plone, and the layers in between.

But what about all those Plone advantages?

A few issues I discovered almost held water for Plone. Here’s the information you need to knock them down.

Plone is more secure than WordPress

This perception is out of date.

In 2008, the National Vulnerability Database showed Plone had fewer security issues than Joomla, Drupal, or our beloved WordPress.

That was 2008. Four years ago.

I don’t know (yet) about Joomla and Drupal, but WordPress releases significant core updates every 3 to 4 months, and promptly releases security updates in between. By contrast, Plone just recently stated they will release on a 6 month cycle. We’ll see how that works out for them. In the meantime, I hope all the layers Plone resides on top of remain secure.

Plone is faster and more scalable than WordPress

This benchmark was apples to oranges.

With the Plone 4 release in 2010, there was tough talk about Plone being “3 times faster than WordPress, Drupal, and Joomla.” The website speed benchmarks leading to these results, however, were using base installs of all systems with no caching add-ons.

I hate to accuse anyone of cheating but, well–that’s cheating. The ZODB database used by Plone is fundamentally different than the MySQL database WordPress uses. Among other things, ZODB provides performance enhancements that are only available to WordPress by adding a simple plugin to make use of various types of caching. By simply adding and configuring the W3 Total Cache plugin, I’m sure WordPress performance can stand its ground against Plone.

My client needs document management functions WordPress doesn’t have

Plone has often been deployed as a document management / workflow collaboration tool in various enterprises. Some folks try to use it instead of commercial tools like Microsoft Sharepoint. Indeed, Plone’s founder mentions in a wishlist for Plone:

“I’m not saying that we should ignore simple web publishing — simply that it’s not an area we will ever be a dominant player in — and we’re not trying to be.”

He goes on to say Plone should concentrate on:

  1. Intranet deployments
  2. Collaborative workspaces with complex security requirements
  3. Document management
  4. Other specialized fields

Before finishing research for this article, I was going to hand the document management / collaboration battle over to Plone as a winner. However, I found WordPress tools developed by serious backers to handle almost everything Plone can do in terms of:

  1. Rights management
  2. Workflow
  3. Editorial review
  4. Collaboration
  5. Document management

Rights management in WordPress

Do you need to customize permissions for certain users and groups of users? Plone can try to beat you over the head with its capabilities, but WordPress can do it easily, too. The Members WordPress plugin gets my vote, allowing fine-tuned control over capabilities, and letting you create your own custom roles. When other plugins specify their own special capabilities, “Members” lets you manage and assign those capabilities, as well.

Workflow, editorial review, and collaboration

Do you need editors at various points in your content-creation process to review, comment on, pass along, and optionally approve content? I thought for sure Plone was going to win this one, but not so. The Edit Flow WordPress plugin takes me back to my newspaper days, but with more flexibility. Not long ago, newspapers might spend a high 6-figures on systems with this sort of management toolset. I was amazed by “Edit Flow,” and I think anyone looking to implement a real workflow in WordPress will be.

Active Directory / LDAP Integration

Do you need to control all your organization’s user rights from a central directory? Plone can do this, with the right nerd on hand, and I thought WordPress use cases didn’t really need this ability. However, when considering an organization managing hundreds or thousands of users on numerous systems, I can see where directory integration could be valuable. After all, how would you like to remember the 20-some systems you need to edit access to when an employee joins or leaves your company?

It turns out, you can easily use AD and LDAP with WordPress. I like to test anything I write about, but did not have the resources to test directory integration. A couple good-looking WordPress solutions you can try:

Document management in general

I love WordPress, but I try to keep an open mind and temper my bias. I thought for sure Plone was the hands-down winner against WordPress when it comes to document management. Lo and behold, I found the WP Document Revision plugin–a fantastic set of tools that gives your WordPress installation all the document management features you’re likely to need. Some of the document management buzz words it provides:

  1. Track, store, and organize files in any format
  2. Collaboratively draft, edit, and refine documents–with or without the Edit Flow plugin
  3. Fine-grained authentication control
  4. Document versioning
  5. Government- and enterprise-grade security

This plugin wasn’t developed by a couple of hacks in a garage between video games, either. WP Document Revision was developed with a grant from Google.

A note about search

I have to mention that, currently, the documents you manage with WP Document Revision are not searchable. That is, you can search for the documents by name, but searches will not return documents based on their content or document properties / metadata. Plone, on the other hand, can index at least DOC and PDF files for fulltext searching.

You could add a search tool outside of WordPress, from a number of other providers, to provide fulltext search. Options and recommendations for that, however, are beyond the scope of this article.

Potential Dealbreaker: The human side of the equation

Is your client already heavily invested in Python? (Good Luck)

This could actually be a deal-breaker for you, before you even get to meaningful facts about the tool you need. People tend to use tools they are familiar with for any job that comes along. This makes sense to some degree, as it leverages expertise and any hardware / software investment involved. It may be difficult or impossible to sway a client deeply invested and in love with Python.

Weakness in Plone’s complexity

Python has a number of web-friendly modules, they’ll surely point out. While that may be true, Plone has to run on top of several different component layers, adding to its complexity. And while your client may be the world pro at Python for database manipulation, game development, or physics tools, they can still be missing the experience to effectively troubleshoot and enhance a web system like Plone.

Indeed, the web-specific Python tools are often multi-layer frameworks with their own evolution and skillsets. Plone itself runs on top of:

  • Five/z3, which relies on:
  • CMF, which relies on:
  • Zope, which sits on top of:
  • Python.

If any of your client’s stakeholders are not wed to Python, you might get a foot in the door by pointing out this complexity.

Good luck, fellow WordPress developers–and don’t get Ploned!


13 Responses

  • Hi, I’m a Plone core developer. You raise some valid critiques here as well as some helpful info about how to match some of Plone’s core features using WordPress plugins. Please let me correct you on a couple details though.

    Regarding security, Plone continues to have a better record than WordPress. I just searched the National Vulnerability Database and found 21 results for Plone and 400 for WordPress. Also, note that when we fix an issue we release a hotfix that is valid for multiple previous Plone releases (one of the abilities we gain from using Python), so they aren’t tied to the main release cycle, and customers don’t have to pay for an expensive feature upgrade just to get security fixes.

    On the subject of speed, you’re right that WordPress can also be fast when configured with appropriate HTTP caching. I could call that cheating, since you end up benchmarking the speed of the reverse proxy cache rather than of WordPress, but I won’t, since a well-tuned Plone site also takes advantage of proxy caching. I also don’t consider the ZODB’s database-level caching to be cheating: why discount a good design choice that leads to a noticeable improvement to the user?

    Overall, as a developer who has built sites using both WordPress and Plone, I am happy with both tools and would consider them again for future projects.

    • New Recruit

      Hi David–indeed, Plone’s track record continues to shine in regards to the number of security vulnerabilities. However, the 400-some items in the National Vulnerability Database include issues with 3rd-party plugins and older core versions of WordPress. With the huge number of installations and larger 3rd-party developer base, this is bound to increase the raw number of reported vulnerabilities. The actual negative effects of this number on installed WordPress sites is difficult to capture, but in listening to the web community it doesn’t seem WordPress sites are going up in flames.

      Regarding caching, ZODB’s caching is not cheating. Using it in the benchmark without enabling similar functionality in the other solutions is. (The author of the benchmark did point out these were all base installs, though.) The W3TC cache solution for WordPress I mentioned provides more than just HTTP caching. It provides opcode caching, and does query- and object-level caching. Those are all important to bring MySQL performance in line with ZODB, trying to level the playing field. This is in addition to W3TC easing the use of Content Deliver Networks and HTML/CSS/JS minification for further optimization. That said, W3TC is a plugin, and may require more configuration than just using Plone with ZODB out of the box.

      I agree there is room in the world for WordPress, Plone, and others

  • Hi there, another Plone guy here. When I read your post, I read it like this: “TL;DR: Plone sucks, use WordPress” which is understandable, as you are a WordPress guy. However, I suspect if you ever had to “use Plone in anger” you might feel differently. As someone who uses both regularly (Plone “integrator” for a living, WordPress end user.) I’m fairly confident that the decision to use one or the other is usually based on a combination of: “Use the right tool for the job” and “Plone people use Plone, WordPress people use WordPress.” (or Python people use Python, PHP people use PHP)

    In Plone-land, if someone asks for “a full featured blog” we immediately point them to WordPress. Plone has blog-like features, but it falls short as a blog when stacked up against WordPress. When someone asks us to implement a “public facing website or intranet for an organization”, we say Plone can do that well.

    I don’t doubt that there are WordPress plugins that can match Plone feature-for-feature, but I personally won’t be using them because I have an investment in Plone. So, if I’m doing a website *for* a client, I recommend Plone without thinking because I know Plone. If I’m making a recommendation *to* a client (who maybe has a staff of WordPress people) then I’m not necessarily going to suggest they go with Plone. It depends on what I think is best for them.

    So it’s not always as simple as matching feature-for-feature, and the human factor is more than just “potentially a deal breaker’, it should be the most important thing.

    • New Recruit

      Hi Alex — a well-worded reply. Indeed, one thing I would not try to do is sway Plone developers to become WordPress developers. If a client had a staff of Plone people, I’d still point out the larger overall experienced labor pool for WordPress and more numerous hosting choices. In the end, as you say, it’s up to the client and what they’re most comfortable with.

  • Comparing features as you did is not very meaningful. We all know that, whatever is the technology, we can do everything with everything.
    Technology does not actually matter, what does matter is the people who use it.
    And Plone people are truly committed to quality.
    That is something I notice painfully everytime I have to develop/deploy/maintain using another framework than Plone.

  • Plone absolutely rocks! I mostly do Plone development so that makes me biased, being biased doesn’t make me wrong though :).

    Firstly, I’ll say that my company has used WordPress on a project (pretty much a blog) and it worked admirably. However there are some scenarios where I would consider it irresponsible to recommend WordPress.

    Here are two (there are others): (1) Searchable documents are important when your client’s project revolves around that, without sounding over the top, given that Plone solves that problem, out of the box, without add-ons and that it is a standard feature, I could not recommend WordPress for such a project. (2) Security, I double checked again today, there are 400 vulnerabilities listed for WordPress, one which was published last week and considered to be of HIGH concern. There are 21 for Plone and last issue was published last year!

    • New Recruit

      Hi David–2 good points I will also add to. (1) Even though WordPress has some excellent document-management plugins, the lack of searchable documents is indeed a deal-breaker for many. Despite some excellent document management plugins for WordPress, the requirement for searchable documents should probably send you looking for a different solution. Also, be aware your clients probably assume that searches will include fulltext document searching, so if you’re pitching WordPress, make sure the lack of fulltext search is understood by your client. (2) Security–I did not mention that the FBI and other government offices chose Plone partly due to its performance in security. That said, you might think 400 vulnerabilities multiplied by the huge number of WordPress installs would mean utter disaster and egg all over the WordPress face. We’re not seeing that, so while all holes need plugged, none seem severe enough to sink the ship.

  • Paul,
    Another Plone developer here. I think much of what I have to say has already been said by the others that have weighed in on thread so far. We manage host about 200 Plone sites and about 3 WordPress ones. Those WordPress ones take more time to manage than the 200 Plone sites put together. So all other things being equal I’d still chose Plone. Of course that said it always depends on the problem you are trying to solve. As you pulled out above from (I presume) Alex Limi, Plone is not really intended to compete against your small $5/mo simple public website scenario. That said, Plone is a very simple system to install (one-click installer) and I know of plenty of Plone installations that have been left to their own devices and still running fine many years later. I’m not advocating that approach, but just saying that Plone just gets on with the job at hand and keeps trucking along.

    I’ve installed Plone in the duration of a 3-minute lightning talk (from bare OS to Plone running in 3 minutes). And Plone is probably the easiest CMS out there to theme as you don’t need to know anything about Plone itself to do basic theming and can just take any existing HTML theme and use that with it.

    The BIGGEST area that I think Plone really has something unique amongst other CMSs is the configuration management and deployment. Plone uses a system called buildout which allows you to easily deploy version controlled instances of a site. I’m not talking about content, but I’m talking about features, functionality and code. With a single buildout file I can mandate that the site is built out with a cluster of instances, a configured varnish cache, a number of add-ons (of a specific version and their dependancies), a custom skin and custom code of my own etc. None of the other systems I know of have anything close to this (Drupal has drush, but that is not quite the same). I really don’t know how you would manage repeatable, testable, incremental deployments of WordPress. Our developers can grab the buildout.cfg file from our SVN repo and run buildout on that and have a complete working copy of the site as it looks in production locally on their laptop.

    I recently took part in a CMS Smackdown event in which both Plone and WordPress were represented amongst others, my notes of this and the pitch I did about Plone is here:


    • New Recruit

      Hi Matt,
      Thanks for the CMS Smackdown link–looks like some great stuff to go through.

      WordPress and Plone are each best suited for different markets, for sure. The Sharepoint-replacement intranet is certainly more up Plone’s alley. The Plone buildout system is yet another strength in that area.

      Ease and availability of installation are probably still in WordPress camp, though. As I visited the most popular hosting providers, I couldn’t find Plone as an easy install option, whereas a WordPress install took about 4 clicks. Again, this is a different market than what it seems Plone targets: It seems Plone’s strengths don’t cater to someone looking to get a site up in a hurry.


      • “It seems Plone’s strengths don’t cater to someone looking to get a site up in a hurry.” As I said, it is a question of priorities. Plone has a one-click installer, and buildout can give you a new site in about 3 minutes. But the point is for the type of projects Plone is best suited to (larger more complex deployments with customisation to suit customer requirements) then what does a couple of minutes matter?

        Yes, you can install WordPress on some $5 a month host in a few clicks, but after you have added half a dozen add-ons, configured their specific preferences, added a theme, hidden some features, etc can you REPEAT that exact deployment? No. You have to note down all the clicks you did and re-do them again. That is not good for a software engineering point of view in the long term. Why do I know this? Because Plone was the same 6 years ago. We learnt that lesson and moved on.

        A very good document that details the market Plone is aiming at and the types of projects it is well suited for in comparison to its competitors go and check out the Plone Roadmap:

        Oh, and if you do want click-to-install Plone then check out Ploud: you can get a site up and running in about 10 seconds and install a number of pre-selected add-ons (a bit like

  • I’ve developed and supported both Plone and WordPress sites and have been a code contributor to Plone since 2005. I recommend WordPress to my clients when it is a good fit for their needs, for example, blog and simple CMS sites that have relatively basic permission, workflow, and security needs.

    You seem to suggest that just because someone has written document management and intranet functionality plug-ins for WordPress, it can compete with Plone in these areas. Personally, I haven’t found this to be the case. Do you know of any large organizations that are using WordPress in such a capacity? Personally, I’ve not heard of any. I do, however know of two major banks/investment brokerages, half a dozen federal agencies, and several Fortune 500’s who are using Plone for such purposes.

    Speaking as someone who has significant hands-on experience with both systems, I think that your article falls short of its potential. Rather explain the relative strengths of each system, and describe scenarios where each would make a good fit, you seem determined to make a one-sided case for WordPress. This is unfortunate, as I think decision makers need more balanced and unbiased comparisons of the available web platforms.

    • New Recruit

      I tell you what–you folks are all so polite and well-spoken! Couple of quick things:
      1. My post is unabashedly slanted towards pushing WordPress over Plone. That’s mainly because this entire site is a resource for WordPress folks, and I wanted to see if there were any footholds in a standoff between the two systems.
      2. Security: I’m doing a follow-up article on WordPress security as a result of some comments.
      3. Document management: While an excellent document management tool exists for WordPress, any developer should be certain their client understands what it means that they still would not get full text searching of the contents or metadata of managed documents. This is no small point, as most clients will think “search means search it all, right?” Plone does this type of searching already for the main documents folks will likely manage.
      Hats off to you all for continued excellent work on Plone and for this intelligent discourse.

Comments are closed.