Experience Cloud is deceptively easy to start and easy to get wrong. Spin up a site, drop in some components, and you have a portal — and possibly a data exposure waiting to happen. Building 15+ dynamic community pages for customers, partners, and internal users taught me that the real work is in the data-access model and the component architecture, not the page builder.

Security is the architecture

External users are the highest-risk audience in your org. A community's sharing model has to be designed deliberately, not inherited by accident:

  • Least-privilege profiles and permission sets — external users see exactly what they need, nothing more.
  • Sharing sets and sharing rules to grant record access by relationship, not blanket org-wide defaults.
  • Guest-user hardening — the most common Experience Cloud mistake is an over-permissioned guest user; lock it down.
  • FLS enforced in Apex behind every custom component, so the UI can't leak fields the user shouldn't see.

In a community, assume every record could be requested by someone who shouldn't have it — and design so the platform says no for you.

Reusable components beat one-off pages

Fifteen pages built fifteen different ways is a maintenance nightmare. The win comes from a small library of configurable LWCs — a record list, a detail panel, a request form — that drop into the page builder and adapt via properties:

// A list component made reusable through @api properties,
// so admins configure it per page without new code.
import { LightningElement, api, wire } from 'lwc';
import getRecords from '@salesforce/apex/CommunityController.getRecords';

export default class RecordList extends LightningElement {
    @api objectName;      // configured in the Experience Builder
    @api title;
    @wire(getRecords, { objectName: '$objectName' }) records;
}

Now a new page is a configuration exercise, not a development project — and a fix to the component fixes every page at once.
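
Because the component hands objectName from page configuration straight to Apex, the FLS and least-privilege rules from the security section have to hold on the server side. One way CommunityController.getRecords could enforce them, as an added example that is not the author's controller; the EXPOSED_FIELDS allow-list and the objects and fields in it are assumptions:

```apex
// Added example: hypothetical server side for the RecordList component.
// Only the class and method names come from the component's import;
// the allow-list contents are assumptions for illustration.
public with sharing class CommunityController {

    // Objects and fields a community page may request. Anything outside
    // this map is refused, whatever the page (or a crafted call) sends.
    private static final Map<String, List<String>> EXPOSED_FIELDS =
        new Map<String, List<String>>{
            'Case'    => new List<String>{ 'Id', 'CaseNumber', 'Subject', 'Status' },
            'Account' => new List<String>{ 'Id', 'Name', 'Industry' }
        };

    @AuraEnabled(cacheable=true)
    public static List<SObject> getRecords(String objectName) {
        // objectName comes from the client, so treat it as untrusted.
        // Only the allow-listed key, never the raw parameter, reaches SOQL.
        String safeName;
        for (String candidate : EXPOSED_FIELDS.keySet()) {
            if (candidate.equalsIgnoreCase(objectName)) {
                safeName = candidate;
            }
        }
        if (safeName == null) {
            throw new AuraHandledException('This list is not available.');
        }

        String soql = 'SELECT ' + String.join(EXPOSED_FIELDS.get(safeName), ', ')
            + ' FROM ' + safeName
            + ' ORDER BY LastModifiedDate DESC LIMIT 50';

        // "with sharing" applies record-level access (sharing sets, sharing
        // rules). The query still runs in system mode for CRUD and FLS, so
        // fields the running user cannot read are stripped before returning.
        try {
            List<SObject> rows = Database.query(soql);
            SObjectAccessDecision decision =
                Security.stripInaccessible(AccessType.READABLE, rows);
            return decision.getRecords();
        } catch (NoAccessException e) {
            // The user has no read access to the object itself.
            throw new AuraHandledException('This list is not available.');
        }
    }
}
```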

Design for self-service

The point of a community is deflection: letting users do for themselves what they'd otherwise open a case for. That means fast pages, clear navigation, and surfacing the right records and actions for each audience — customers, partners, and staff each seeing a tailored experience from the same platform.

Takeaway

Great Experience Cloud sites are secure by default and built from reusable parts. Get the sharing model right first, enforce FLS in every custom component, and invest in a component library — then scaling to dozens of pages is safe and fast.
