Understanding and Mitigating Website Platform Risk

If there’s one thing we’ve learned from the drama in the WordPress world, it is that platform risk is a reality even when the risk is shared by almost half of all websites.

Platform risk occurs when your business relies on a third-party service provider. Typically, the concept of platform risk is applied to platforms like Facebook, YouTube, TikTok, or Google. These platforms allow you to build a branded profile and interact with their users. But these platforms aren’t the property of your business, and you could have your branded profile and audience ripped away without warning or recourse. Platform risk can also apply to software downloaded and run on your hardware, physical or virtual. WordPress in 2024 exposes your brand to platform risk.

WordPress is released under the GNU General Public License v2 and claims to provide “The four freedoms”: the freedom to run the program for any purpose, the freedom to study how the program works and change it to make it do what you wish, the freedom to redistribute, and the freedom to distribute copies of your modified versions to others. Taken at face value, this sounds amazing and doesn’t sound like platform risk at all.

But as with many things, the surface level can be deceiving. Much digital “ink” has been spilled, chronicling the litigation between WP Engine, Automattic, and the founder of WordPress, Matt Mullenweg. Unlike the earlier platform examples, the platform risk inherent in WordPress has nothing to do with corporate entities but is instead centered around Matt Mullenweg and his personal ownership and sponsorship of WordPress.org. Considered the official home of the WordPress Open-Source Software project, WordPress.org provides downloadable copies of the core platform, over 12,000 free themes to customize the look and feel of a WordPress site, over 60,000 free plugins to add functionality to WordPress, support forums, and the infrastructure for one-click updates with individual WordPress websites. Remember, this functionality is provided on a domain owned by Mullenweg, hosted on servers personally paid for by Mullenweg.

As Uncle Ben told us, “With great power comes great responsibility.” Providing update infrastructure for the software used by 43% of the websites on the internet is a great power. But we’ve also seen that “Absolute power corrupts absolutely” when millions of websites were cut off from receiving security updates at Mullenweg’s whim. Using software that can have critical functionality disabled by one person without warning is as significant a platform risk as using a Facebook account as your only online presence.

What can you do to mitigate this platform risk and ensure that your brand’s online presence is safe, secure, and stable? The first option, and the most complicated, takes advantage of the GNU General Public License. Starting from the version of WordPress that currently runs your website, you can perform what’s called a fork: you take over the code base yourself and begin writing code to fix security vulnerabilities, improve stability, and add new functionality to meet the needs of an evolving modern website. You can also clone the WordPress.org theme and plugin repository to replace the platform’s default connection to WordPress.org – a connection that is so critical to the functioning of WordPress that when WP Engine was blocked from accessing WordPress.org by Mullenweg, it became impossible to edit any content on the website. If that sounds like a lot of work, it is. The top 10 contributors to WordPress currently devote over 5,000 hours per week to the project.

I’m going to assume that you’re not looking to staff an entirely new department just to mitigate platform risk for your website. Option 2 is a lot more palatable for your IT department and budget. You can migrate your website to a fully managed platform like Squarespace to remove the possibility of losing access to updates or having to maintain your website’s code base. Squarespace provides you with the functionality needed by 99% of non-eCommerce websites: SEO tools, privacy law compliance, drag-and-drop content editors, and ADA accessibility compliance. And because it’s a hosted platform, Squarespace takes care of software updates and server security and removes the need to cobble together add-ons to build a functioning website. The support at Squarespace also helps with any website issue, so no more being pushed around to multiple vendors when something goes wrong with your website, and 24x7 availability means they can help whenever you need them. An all-in-one platform, corporate governance, history of stability as a publicly traded company, and lower platform risk. What could be better?

Option 3 is the full mitigation strategy for businesses serious about their web presence. We start with a responsive, conversion-optimized website built on Squarespace, one of the only web hosts with 100% uptime over the last 90 days. But we want to go further and prepare for a disaster where Squarespace crashes. Even with robust infrastructure, multi-hour outages have hit billion-dollar companies like Netflix, Facebook, and Delta Airlines. Servers are computers, and eventually, an outage will happen. But your business doesn’t have to be a victim of an outage. BerryBuckley has created DRecovery to distribute an up-to-date, fully functional snapshot of your website on an array of servers in multiple data centers around the globe. Your domain’s DNS will be served by Cloudflare to allow for automatic failover in the case of an outage at Squarespace. DRecovery is the platform risk mitigation and disaster recovery solution for businesses that need their website online, collecting leads 24/7.

Avoiding platform risk is key for any business, and while that risk no longer comes from the usual suspects, it’s even more real. Your mitigation strategy may look like maintaining your CMS code in-house (option 1), switching from a cobbled-together platform to an all-in-one platform like Squarespace (option 2), or launching an automated disaster recovery solution (option 3).

How do you plan to avoid platform risk?