Most conversations about WordPress vs custom websites generate more heat than light. WordPress advocates point to its flexibility and ecosystem. Custom advocates point to performance and security. Both camps are right about some things and wrong about others. What's missing is an honest accounting of what you're actually getting and what it actually costs — not just upfront, but over time.
Let's cut through it.
What "custom" actually means
First, a terminology problem: everything gets called "custom" now. A site built on a Divi template with some colour changes is not custom. Nor is a Squarespace site with a custom domain. When we talk about a genuinely custom-built website, we mean code written specifically for your business — no CMS framework, no drag-and-drop builder, no template as a starting point. HTML, CSS, JavaScript, and any server-side code built from scratch for your requirements.
This distinction matters because it's the core of the cost difference. Custom development is labour-intensive. You're paying for a developer's time to build things from nothing instead of configuring an existing system. That's a real cost — but it produces a different kind of asset.
The honest case for WordPress
WordPress powers over 43% of all websites on the internet. That market share exists for good reasons. Here's what you're actually getting when you choose it:
- A content management system that works. If you need to regularly publish content — blog posts, news updates, product listings, team bios — WordPress's admin interface is genuinely good. Non-technical staff can update it without developer involvement. This is a real operational advantage.
- An enormous plugin ecosystem. Virtually any functionality you can imagine — booking systems, membership portals, e-commerce, forms, SEO tooling — has a WordPress plugin. The best are excellent. The worst are security liabilities.
- Developer availability. If your original developer disappears or you want to switch agencies, finding someone who knows WordPress is easy. There's no lock-in to a proprietary system.
- Lower initial development cost. A well-built WordPress site can be delivered faster than the equivalent custom build, which matters when budget is a constraint.
At GhostRoutine, we build WordPress sites — properly, at a NZD $10,000 fixed project fee. That means custom design, clean code, no bloated theme frameworks, and only the plugins that are genuinely needed. A WordPress site built this way performs and holds its value. A WordPress site thrown together with a multipurpose theme and thirty plugins is a different product entirely.
The honest case for custom
Custom sites make the most sense when:
- Performance is critical. Static HTML/CSS/JS sites load faster than anything WordPress can produce by default. There's no PHP processing, no database queries, no CMS overhead. For businesses where page speed directly affects conversions — particularly e-commerce or lead generation — this matters.
- You need something WordPress can't do cleanly. Complex interactive applications, unusual data structures, real-time features, or deep integrations with business systems are often cleaner to build from scratch than to force into WordPress's architecture.
- You want a smaller attack surface. WordPress sites are targeted constantly because WordPress is everywhere. A custom static site has essentially no server-side attack surface: with no PHP, database or CMS running behind each request, there is no application layer to exploit.
- You never need to update content yourself. If your site is essentially a digital brochure that changes twice a year, the CMS you're paying to maintain isn't earning its overhead.
The security conversation you should be having
WordPress's security reputation suffers unfairly in some ways and accurately in others. The WordPress core, maintained by Automattic and a large contributor base, is reasonably secure. The problem is the ecosystem around it.
According to Wordfence, which runs one of the most widely used WordPress security tools, the overwhelming majority of WordPress compromises come through vulnerable plugins and themes — not WordPress core. An outdated plugin with a known vulnerability is an open door. Sites running unmaintained themes or plugins bought from discount marketplaces are consistently the attack targets.
The security rule for WordPress: run the fewest plugins possible. Every plugin is a potential vulnerability vector. Every one you don't need is a risk you don't need to take. A well-maintained WordPress site with ten well-chosen plugins is far more secure than one with fifty.
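One way to check a site against this rule, as an added example (not GhostRoutine's own tooling): the script reads the JSON that WP-CLI prints for `wp plugin list --format=json` and flags plugins with a pending update, plugins left installed but inactive, and an inventory larger than a chosen limit. The sample data, the plugin names and the limit of ten are constructed assumptions.

```python
import json

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_WP_PLUGIN_LIST = """
[
  {"name": "contact-form-example", "status": "active",   "update": "available", "version": "2.1.0"},
  {"name": "seo-example",          "status": "active",   "update": "none",      "version": "5.4.2"},
  {"name": "old-slider-example",   "status": "inactive", "update": "available", "version": "1.0.3"},
  {"name": "backup-example",       "status": "inactive", "update": "none",      "version": "3.2.0"}
]
"""

# Assumed review threshold, echoing the article's "ten well-chosen plugins".
MAX_PLUGINS = 10


def audit_plugins(wp_cli_json, max_plugins=MAX_PLUGINS):
    """Return (plugin, kind, detail) findings for a WP-CLI plugin inventory."""
    plugins = json.loads(wp_cli_json)
    findings = []
    for plugin in plugins:
        name = plugin.get("name", "<unnamed>")
        version = plugin.get("version", "?")
        # An update is waiting: the installed version is behind the published one.
        if plugin.get("update") == "available":
            findings.append((name, "outdated", f"installed {version}, update pending"))
        # Deactivated plugins still leave their files on the server.
        if plugin.get("status") == "inactive":
            findings.append((name, "unused", "inactive but installed; delete it"))
    # The article's rule: fewer plugins means fewer places for a flaw to sit.
    if len(plugins) > max_plugins:
        findings.append(("*", "count", f"{len(plugins)} plugins, limit {max_plugins}"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{kind:9} {name:24} {detail}")
```

On a live site the input would come from running the WP-CLI command in the WordPress directory and passing its output to `audit_plugins`.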
Custom sites aren't automatically secure — custom code can have vulnerabilities too — but they don't inherit the WordPress ecosystem's attack surface. They're not indexed in plugin vulnerability databases. Automated scanners targeting known WordPress exploits pass right over them.
Total cost of ownership — what people miss
The upfront build cost is only part of what you'll spend. Consider the full picture over three years:
WordPress ongoing costs
- Hosting: NZD $20–80/month depending on quality
- Premium plugins with annual renewals: NZD $200–800/year across a typical setup
- Developer time for updates, plugin conflicts, security patching: variable but real
- Backup and security monitoring tools
Custom site ongoing costs
- Hosting: Often cheaper — static sites can be hosted on CDNs for near-zero cost
- No recurring plugin fees
- Developer time for content updates if no CMS is attached
- Lower ongoing maintenance burden
Choose WordPress if: you need to manage content regularly, have a tight timeline, or need e-commerce or membership features. Choose custom if: performance is a priority, you have complex or unusual requirements, or you're building a static brochure site that rarely changes and want minimal ongoing costs and attack surface.
Neither choice is objectively better. Both can be built well or built badly. The question is which platform suits your actual operational needs, your team's capability, and your appetite for ongoing maintenance. Get that answer right and the platform becomes a secondary decision.
Not sure which direction is right for you? GhostRoutine builds both — and will give you a straight answer about which makes sense for your situation, not the one that makes the project bigger.