Hello everyone,
I’m not sure if this question is within the scope of this help channel, so my apologies if it isn’t. I’m hoping to get professional guidance I can trust.
I am currently volunteering with a nonprofit organization to transition their website from a basic GoDaddy builder to a custom-coded solution hosted on Bluehost, and I want to ensure my approach is both secure and responsible.
My original plan was to build a WordPress site on Bluehost to take advantage of the framework and add custom code when needed to get the looks and aesthetics and needed functionality. Plugins were not an option to keep costs low and avoid plugin bloat. However, I found WordPress extremely limiting and it was just easier to write HTML, JS & CSS. So I decided to switch to a custom-coded approach. I am now building the frontend with HTML, CSS, and JavaScript, and for the backend, I plan to write custom PHP to interact directly with the Bluehost MySQL database. I intend to use established libraries/APIs for specific tasks (like Stripe for payments) but keep the core logic proprietary.
The Concern: My main concern is that as a beginner, I might be jeopardizing the project by coding everything myself—specifically regarding security vulnerabilities that a CMS like WordPress usually handles automatically (e.g., SQL injection, XSS, and session management). In discussing this with AI (Gemini/ChatGPT), the AI suggested a Headless WordPress approach to mitigate risks and get the best of both worlds.
Project Roadmap:
Now: Mostly static pages + donations button + subscriber-only document access.
Later: Tiered membership accounts, digital product storefront.
Questions:
How significant are the security risks of a beginner writing custom PHP/JS for a site that handles user accounts and donations, compared to using a CMS?
Is a headless WordPress a viable option? Pros & cons? Alternatives?
I appreciate any candid professional advice on whether this is a valid path.
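As an added illustration, not code from the original post or from any project it mentions: the three risk classes the question names (SQL injection, XSS, session handling) in hand-written PHP, each shown as the unsafe pattern next to its fix. It assumes PHP 7.3+ with PDO and uses an in-memory SQLite database so it runs stand-alone; the table, rows and inputs are constructed for the demo.

```php
<?php
// Added example (not from the original post). PDO with an in-memory SQLite
// database so it runs anywhere; on Bluehost the DSN would be
// "mysql:host=localhost;dbname=..." (hypothetical) and the code is unchanged.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, doc_path TEXT)');
$db->exec("INSERT INTO subscribers (email, doc_path) VALUES ('alice@example.org', 'docs/annual-report.pdf')");

// Constructed attacker-style input: a textbook tautology.
$untrusted = "x' OR '1'='1";

// VULNERABLE: user input is spliced into the SQL text, so the WHERE clause
// becomes always-true and every subscriber's private document path comes back.
function findDocUnsafe(PDO $db, string $email): array {
    return $db->query("SELECT doc_path FROM subscribers WHERE email = '$email'")->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: a prepared statement sends the value separately from the query,
// so the same input is compared as a literal string and matches no row.
function findDocSafe(PDO $db, string $email): array {
    $stmt = $db->prepare('SELECT doc_path FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// XSS: anything echoed into HTML is escaped for the HTML context, so a
// submitted <script> tag is displayed as text instead of executed.
function renderGreeting(string $name): string {
    return '<p>Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Session handling: HttpOnly/Secure/SameSite cookie flags, and a fresh session
// id on login so an id handed out before authentication cannot be reused
// (session fixation). Must run before any output is sent.
function startHardenedSession(): void {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}
function loginSubscriber(int $subscriberId): void {
    session_regenerate_id(true);
    $_SESSION['subscriber_id'] = $subscriberId;
}

startHardenedSession();
loginSubscriber(1);
var_dump(findDocUnsafe($db, $untrusted)); // leaks the whole table
var_dump(findDocSafe($db, $untrusted));   // empty result
echo renderGreeting('<script>alert(1)</script>'), "\n";
```

With the MySQL DSN on Bluehost, also set `PDO::ATTR_EMULATE_PREPARES` to false so the server, not the client library, does the parameter binding.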
# Security & Sustainability Review: Custom PHP/JS vs. Headless CMS website
There are many free plugin options in the WordPress ecosystem. “Limiting” is not a word that often accompanies “WordPress”. That’s why it’s so popular: you are able to customize it any which way your heart desires; it has the flexibility and freedom to create whatever you want. Shared hosting like Bluehost often requires something like a VPS to be able to install packages and APKs too.
As far as the security, if you are asking the question and you’re not confident that you have the knowledge to develop securely (esp. when implementing connections to Stripe and payment processing), just don’t! This is a recipe for disaster.
I would really urge you to try WordPress again. If you’re on Bluehost they’ll pre-install it. Use free plugins; for my nonprofits I use GiveWP to accept donations and connect with the org’s Stripe and PayPal accounts. It’s been a great solution for years now.
What you’re describing is a huge undertaking and idk how much budget your nonprofit has for this, but it’s probably not enough for you to custom-build what you’ve described, esp. as a beginner.
Thanks a lot @bleak mirage for your insights. I’ll give WordPress another go. I must be missing something — given its popularity, it clearly works well for many people.