
Why We Don't Use WordPress — And Why That's Good News for Your Practice

Technology In Healthcare · 5 min read · Paul Chapman
If you’ve ever searched for an NHS GP practice website provider, you’ll have noticed something: a lot of them look remarkably similar. That’s not a coincidence. Many are built on WordPress using the NHS Nightingale theme — a free, open-source template released by NHS Leadership Academy that anyone can download, install and use in about twenty minutes. No technical knowledge required.

That’s not necessarily a criticism of Nightingale. It was created with good intentions and does a reasonable job of looking NHS-compliant. The problem isn’t the theme. The problem is what’s underneath it: WordPress.

At Tree View Designs, we made a deliberate decision from day one to build everything from scratch. Our own platform. Our own code. Our own infrastructure. Here’s why that matters for your practice.

What is the Nightingale theme — and who’s using it?

The Nightingale WordPress theme is a free, open-source template built on the NHS Digital frontend library. Released by NHS Leadership Academy, the codebase is published under the GNU General Public License v3.0. This means anyone — including a freelancer you've never met, a generic web agency with no NHS experience, or a provider who set up last week — can download and deploy it in minutes.

Some website providers have developed step-by-step processes using the Nightingale template and NHS Blocks plugin, offering to build GP practice websites as a straightforward commodity service. What this means in practice is that the website your patients use to book appointments may be functionally indistinguishable from dozens of other practices down the road — and built on the same underlying software stack.

The WordPress security problem

WordPress powers a huge proportion of the internet, which makes it the single biggest target for cyberattacks. Security researchers have tracked over 64,000 vulnerabilities in the WordPress ecosystem, with new critical vulnerabilities regularly discovered across WordPress core, plugins and themes.

These aren’t theoretical risks. In late 2024, a critical authentication bypass vulnerability (CVE-2024-10924) was discovered affecting millions of WordPress sites — ironically in a security plugin — allowing unauthenticated attackers to log in as any existing user on a site, including administrators.

A critical remote code execution vulnerability in Elementor Pro, one of the most popular WordPress page builders with over 5 million active installations, allowed unauthenticated attackers to upload and execute arbitrary PHP code on affected websites, with a CVSS severity score of 9.8 out of 10.

For a GP practice handling patient contact forms, online registrations and appointment requests, this isn’t just an IT problem. It’s a patient data problem. And under UK GDPR, it’s your problem as the data controller.

It’s also worth noting that the Nightingale theme’s own documentation acknowledges that XML-RPC — a known WordPress attack vector — remains enabled by default, and that this triggers National Cyber Security Centre monitoring alerts. Not ideal for a platform holding patient information.

We built ours from scratch. Here’s what that means.

Our platform — the same one powering sites like The Hoxton Surgery — was designed and built entirely by our own development team. Not a template. Not a theme. Not an open-source CMS with thousands of publicly known vulnerabilities.

This means we control every line of code. Every security patch. Every update. Every integration. There is no plugin ecosystem for attackers to exploit, no third-party theme to abandon, and no generic admin panel with a publicly documented login path.

We’ve also achieved Cyber Essentials Plus certification — the highest level of UK Government cyber security certification, independently verified — precisely because we control our infrastructure completely.

The comparison

| Feature | WordPress + Nightingale | Tree View Designs |
| --- | --- | --- |
| Platform | Open-source, publicly available | Custom-built, proprietary |
| Security vulnerabilities | 64,000+ tracked CVEs in ecosystem | No public vulnerability surface |
| Who can copy it | Anyone with internet access | Not replicable |
| Plugin dependencies | Multiple third-party plugins required | None — all built in |
| Cyber Essentials Plus | Not standard | ✓ Certified |
| NHS Benchmarking Tool score | Variable | Scored on every site before launch |
| WCAG 2.2 AA accessibility | Dependent on theme configuration | ✓ All sites from day one |
| DSP Toolkit compliance | Requires manual management | ✓ Built into platform |
| Annual penetration testing | Rarely included | ✓ CHECK-approved, every year |
| Patient data stays in UK | Not guaranteed | ✓ UK-only hosting always |
| Support from people who built it | No — generic WordPress support | ✓ Same team that built your site |
| Update control | You or third-party manage it | ✓ Managed proactively by us |

What this means for your practice

Your website isn’t just a digital leaflet. It’s a clinical front door. Patients use it to request prescriptions, book appointments, complete registration forms and access sensitive information. The platform it sits on matters — not just for performance and appearance, but for compliance, security and your NHS contractual obligations.

Choosing a WordPress-based provider because it’s cheaper or quicker to set up is understandable. But the hidden costs of a security incident, a compliance failure, or an inaccessible website that fails the NHS Benchmarking Tool are considerably higher.

We’ve been building NHS GP practice websites since 2009. We hold Cyber Essentials Plus. We score every site against the NHS Benchmarking Tool before launch. And we’ve never once relied on a free theme that anyone else can download.

That’s not us being difficult. That’s us taking your patients’ data as seriously as you do.


Want to see the difference for yourself? View our case studies or get in touch to discuss your practice website.