Copywriter, technical writer, translator (FR>EN, ES>EN, IT>EN), journalist

A cost-effective way to build a business website

This article is the first of a two-part series. Part Two publication date TBA.

WordPress, widely known as a blogging platform, is also the engine behind many law firm websites. Should you use WordPress to build your firm’s site?

What is WordPress?

WordPress is a content management system (CMS) that keeps design separate from content. This separation makes it easier to add content to a web site. People can simply paste text into a browser window and click Publish.

Whenever somebody visits a page, WordPress finds the relevant content in its database, and then applies design to the content according to the theme (a package of design and features) of the site to build the page.

Jennifer Johannesen, a Toronto-based WordPress developer with more than 220 sites under her belt (including that of this article’s author), notes that lawyers prioritize navigation so that visitors can “drill down” to specific areas of a site. That’s where the nature of WordPress shines. “WordPress is already a database,” she explains, “so people can search by name, specialty, practice area — they can get to what they want to find.”

Members of the vast WordPress developer community create both themes and plug-ins, which you can think of as “apps” that provide extra features to a site that WordPress doesn’t offer out of the box.

The WordPress software is free, as are many themes and plug-ins. “WordPress is a good choice if you’re on a limited budget and need to bootstrap your website,” says Steve Matthews, president and founder of Stem Legal Web Enterprises. “Unless you’re very tech-savvy, I think WordPress is the easiest of the major CMS products to get into production.”

“Just keep in mind that DIY without any coding experience is very time-intensive,” Matthews adds. “There’s going to be a learning curve.”

While several people at Deeth Williams Wall can access the firm’s site, associate James Kosa says they use an outside firm to manage it. “It’s not difficult, but it’s time-consuming to update,” he says, noting that the firm typically spends several hundred dollars each month for website maintenance.

Starting a WordPress site

The firm website supports cash flow, not the other way around, so Matthews recommends firms publish their sites quickly. “Give yourself permission to launch a ‘Version One’ website. Nothing online is permnent, including this site,” he says. “The faster you finish tinkering, the sooner you focus on the deliverables that are your business.”

“Know when your startup period is over,” Matthews says. “Then upgrade the site. New businesses are forgiven for bootstrapping; established businesses look cheap, and turn away work without knowing it.”

If you choose to bootstrap your own site, beware the difference between and If you build your site on, the address will read (LawFirmName) From a branding perspective, you need to omit the “wordpress” part of the address.

Dot-org offers a downloadable product that you can install on your hosting company’s servers. Many hosts also offer “one-click” WordPress installs. Johannesen uses them when they’re available, but she has reservations. “When you do the one-click install, it means that the host knows about it,” she explains. “That’s not a bad thing but some hosts force WordPress updates on you if you don’t do them yourself.”

Handling updates

Information technology experts tend to let other people experience updates or new products so they can avoid the often-costly “bleeding edge” but many one-click install customers can’t take such precautions. That fact doesn’t sit well with Johannesen. “Most people don’t know what to do if something goes wrong with an update,” she says.

Securing a WordPress site

Updates help protect sites from malicious hackers. That said, site owners and developers can go beyond regular updates to keep sites secure.

Matthews doesn’t like certain WordPress structures that make sites easier for hackers to exploit. For instance, each site’s login directory (the url you type to sign in to the “back end” where you can administer the site) typically reads (“/wp-admin” or “/wp-login.” Matthews recommends changing this when WordPress is first installed.

Databases like those in WordPress contain tables, each of which has a name. In WordPress, each table’s default name starts with “wp-” so changing the names of these tables closes a potential security hole.

Kosa asked the developer for his firm’s site about this matter. The developer replied that it would not be a good idea on an established site like “Such changes could bring down the entire site if not performed absolutely correctly and comprehensively,” the developer wrote.

Site owners typically keep the default “superuser” name “admin.” This name is one-half of the login details needed to access the site. Knowing the user name, hackers can throw an unlimited number of password attempts at a site to gain access.

Matthews recommends site owners thwart these dictionary or “brute-force” attacks using the Limit Login Attempts plugin ( and an .htaccess password.

“It’s a quick, simple fix to change that superuser name,” Matthews adds. “You can get rid of the ‘admin’ name too.”

Using forms on websites to collect client information may seem to make sense, but not to Kosa. “We do not use our website to collect any confidential information,” he says, noting that he would not want client information stored on the site.

Matthews mentions another option: to have the site e-mail form information to the firm, keeping none of that information on the site itself, using a plug-in like Contact Form 7 ( “You can qualify the caller, push an enquiry to the right person,” he says.

Matthews recommends firms register their sites with Google Webmaster Tools. “It’s free, and it warns firms if any malware or intrusions are taking place,” he explains. “Sometimes these compromises aren’t visible to the average user, and are only displayed to Google.”

Toronto lawyer Omar Ha-Redeye, who runs about a dozen sites using WordPress including his eponymous site and the one for his firm, Fleet Street Law, trusts both the WordPress community and the software’s security protocols. Besides, he notes, “other platforms are no less vulnerable to attack.”

Looking for tips on how to improve a WordPress site? Watch for the next article in this series.

This article originally published in Lawyers Weekly Magazine. To view a PDF of the article, click here.