
WordPress is now 13 years old - just_observing
https://wordpress.org/news/2003/05/wordpress-now-available/
======
falcolas
A few free safety and performance tips when dealing with wordpress:

- Whitelist IPs for access to your wp_admin and wp_login.

- If you have the skills to automate WordPress updates yourself, remove all
write access (except for the uploads folder) from the user WordPress is
running as (i.e. www-data). It's all just unzip and untar over the structure
of the directory anyways.

- If you remove write access, you might as well block the "cron" as well.

- Limit the WordPress DB user to the usual crud operations; don't let it
create or alter tables.

- If you feel like getting really into it, whitelist explicit URLs.
Maintaining it isn't really too hard, and it reduces your attack surface
significantly.

- Set up even a simple nginx cache in front of WordPress - even a 1-5 minute
cache will let your site run on crappy hardware and handle HN or Reddit with a
minimum of sweat.
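The "remove write access except uploads" and "CRUD-only DB user" tips above, as an added shell example that is not from this thread or from WordPress itself. It assumes a deploy user (whoever runs the script) owns the document root, that the web server runs as a separate account such as www-data which reaches the files only through group/other permission bits, and that `wp_grant_crud` has a MySQL admin login available; the database and user names it takes are placeholders, and the demo tree it builds is constructed.

```sh
#!/bin/sh
# Added example (not from the thread or WordPress): audit and lock down file
# permissions on a WordPress document root so the web-server user cannot write
# anywhere except wp-content/uploads, and grant the DB user CRUD only.

# Print every path under DOCROOT that is group- or world-writable, skipping the
# uploads directory. Empty output means the web-server user (assumed not to own
# the files) has no write access outside uploads.
wp_audit_writable() {
  docroot="$1"
  find "$docroot" -path "$docroot/wp-content/uploads" -prune -o \
       \( -perm -020 -o -perm -002 \) -print
}

# Remove group/other write bits everywhere, then re-grant group write on
# uploads only. The web-server user must be in the group owning uploads
# (chgrp -R www-data ..., which needs the matching privileges and is left to
# the deployer).
wp_lock_perms() {
  docroot="$1"
  chmod -R go-w "$docroot"
  if [ -d "$docroot/wp-content/uploads" ]; then
    chmod -R g+w "$docroot/wp-content/uploads"
  fi
}

# Limit the DB user to row-level CRUD; CREATE/ALTER/DROP stay with an admin
# account used only at upgrade time. Assumes the mysql client and an admin
# login; DB and user names are placeholders. Check existing broader grants
# first with SHOW GRANTS FOR 'user'@'localhost'.
wp_grant_crud() {
  db="$1"; user="$2"
  mysql --user=root -p <<SQL
GRANT SELECT, INSERT, UPDATE, DELETE ON $db.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
SQL
}

# Build a small constructed WordPress-like tree in a temp dir with deliberately
# sloppy permissions, so the audit has something to find. Runs in a subshell so
# the umask change does not leak.
wp_demo_tree() (
  umask 022
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin" "$root/wp-content/plugins" "$root/wp-content/uploads"
  : > "$root/wp-config.php"
  : > "$root/wp-content/plugins/hello.php"
  : > "$root/wp-content/uploads/a.jpg"
  chmod 666 "$root/wp-config.php"          # world-writable config: bad
  chmod 777 "$root/wp-content/plugins"     # world-writable plugin dir: bad
  chmod 775 "$root/wp-content/uploads"     # group-writable uploads: intended
  printf '%s\n' "$root"
)

# Demo: audit, lock down, audit again, clean up.
wp_demo() {
  root=$(wp_demo_tree)
  echo "writable outside uploads before lockdown:"; wp_audit_writable "$root"
  wp_lock_perms "$root"
  echo "writable outside uploads after lockdown:"; wp_audit_writable "$root"
  rm -rf "$root"
}

if [ "${1-}" = "--demo" ]; then
  wp_demo
fi
```

Run `sh wp_lockdown.sh --demo` to see the audit before and after, or `wp_audit_writable /var/www/html` on a real tree. With write access removed, core and plugin updates must be applied by the deploy user (unzip over the tree, as the comment says) and schema changes run under the admin DB account, since WordPress's own updater and many plugin activations expect to write files and alter tables.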

~~~
INTPenis
May I add a very general tip for web servers? Mount /tmp on its own volume and
set the noexec mount flag.

I've seen too many old php apps fall due to files uploaded and executed from
/tmp. Bulletin boards, blogs, but this was all 8 years ago.

~~~
jlgaddis

      nodev,noexec,nosuid
    

is how I've mounted /tmp (and several others) for going on two decades. I've
never been a fan of installers creating a single partition by default and I
wish they didn't do it.

Years ago, like you, I saw an out-of-date web app get hit by an exploit but
was "saved" because of some of those mount options.

I'm a big fan of SELinux on public-facing servers too (especially web servers,
for the same reason), but that's an argument for another day.
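The nodev,noexec,nosuid mount check from the two comments above, as an added shell example that is not from this thread: it reads /proc/mounts-format lines and reports which of the required options are missing on a mount point. The sample mount table and the fstab line in the comments are constructed, not taken from a real host.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a mount point carries the
# nodev,noexec,nosuid options, reading /proc/mounts-format text.

# Print the options from the remaining arguments that are absent on MOUNTPOINT
# in MOUNTS_TEXT. Returns 0 if nothing is missing, 1 if something is, 2 if the
# mount point is not present at all.
# Usage: mount_missing_opts "$(cat /proc/mounts)" /tmp nodev noexec nosuid
mount_missing_opts() {
  mounts="$1"; mp="$2"; shift 2
  # Field 2 is the mount point, field 4 the comma-separated option list; keep
  # the last matching line because later mounts shadow earlier ones.
  opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
  if [ -z "$opts" ]; then
    printf 'not mounted: %s\n' "$mp" >&2
    return 2
  fi
  missing=""
  for want in "$@"; do
    case ",$opts," in
      *,"$want",*) ;;
      *) missing="${missing:+$missing }$want" ;;
    esac
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# Constructed /proc/mounts-style sample (not from a real host): /tmp lacks
# nodev and noexec, /dev/shm has all three.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime,size=1048576k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# A constructed fstab line that would make /tmp pass the check; options listed
# after "defaults" override the exec/suid/dev bits it implies:
#   tmpfs /tmp tmpfs defaults,nodev,noexec,nosuid,size=1G 0 0

# Demo against the sample, or against the live table with --live.
if [ "${1-}" = "--live" ]; then
  mount_missing_opts "$(cat /proc/mounts)" "${2:-/tmp}" nodev noexec nosuid
elif [ "${1-}" = "--demo" ]; then
  for mp in /tmp /dev/shm; do
    printf '%s missing: ' "$mp"
    mount_missing_opts "$SAMPLE_MOUNTS" "$mp" nodev noexec nosuid || true
  done
fi
```

One caveat when relying on this: noexec blocks execve of binaries and scripts dropped in /tmp, but a PHP file there can still be pulled in with include, since the interpreter reads it as data. The mount options raise the bar for the "upload then run" pattern the comments describe; they do not replace keeping the application itself patched.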

~~~
INTPenis
I wanted to add nosuid too but I kept it simple, thanks for adding your own
two cents.

Edit: Also a big fan of SELinux, high five!

------
firasd
The fundamental lesson WordPress taught me is that the product wins over
technology. Even back in 2004 it was clear that the internal code wasn't that
great. So what? It installed delightfully quickly, and let me create posts
with valid markup and good typography right out the box.

And then the community management and plugin/theme ecosystem. For example,
Drupal may have a more programmer-approved API, but (at least when I worked
with it back in 2011) it was a hundred times more complex to make a custom
content-editing form in Drupal than in WordPress. Again, product over
technology.

~~~
emodendroket
I was always a little bit weirded out by features for ease-of-use that
required you to go against what the documentation described as security best
practices.

------
scotchio
Say what you will about WordPress - its codebase, security, speed,
architecture, DB schema, whatever. Haters are going to hate.

It's a pretty amazing accomplishment what Automattic has done by staying so
popular and relevant for so long.

Looking at it from a non-hardcore programmer's perspective:

* Quick to learn backend

* Easy to use plugins for non-devs

* Painfully maintaining backwards compatibility over time

* It just works. Built to run from basically a potato of a server. E.g.: HTTP/transport check [1]

[1]: https://github.com/WordPress/WordPress/blob/master/wp-includes/class-http.php#L430

~~~
nocman
"Haters are going to hate." -- by using that phrase you make it sound like
people are criticizing WordPress without cause.

I haven't looked into it recently, but as I remember it, in the last 13 years
there have been abundant legitimate reasons to criticize WordPress (many in
the categories you listed). Yes, some people will hate on something just
because they don't like it (regardless of any merit it may have). But I
wouldn't lump all of the people with _legit_ criticisms of WordPress into
the same group as "haters".

------
blueside
Wordpress is still massively popular and after 13 years, I hope this still
isn't true:

<azonenberg> wordpress is an unauthenticated remote shell that, as a useful
side feature, also contains a blog

~~~
nisa
The core is hopefully audited and so far, except for some XSS problems, no
remote exploits are known for the last few years?

However, having a usable remote exploit gives you a shell on more than 20% of
the websites.

------
shaqbert
I remember my first install. It was glorious, started posting like a madman.
At some time - when gaming Google was the thing, say 2008 - had thousands of
sites based on WP.

Then I had my first major vuln and spent my weekend fighting fires. Then I
had my first encounter with encoding mess-ups... an add-on going wild...

Fond memories...

~~~
blueside
I remember thinking back then, and sometimes now I still do, that I would
gladly pay a fee for a togglable feature that let me exclude all wordpress
sites in my search results

------
pgrote
13 years ago Movable Type and Blogger owned the space. MT was for folks who
wanted to install software on their own server, Blogger for those who wanted a
hosted option.

Blogger was bought by Google a few months before WP appeared.

~~~
NKCSS
Fun note: you could let Blogger publish to your own FTP and host it that way
and use the site only as the CMS.

------
bigbadgoose
oh, wordpress, the burner, breaker of balls, mother of confusion, queen of the
seven installs, protector of the bots. blood of my blood, i bow to you and
swear my allegiance until the internet shall break.

------
return0
I only recently tinkered with wordpress/buddypress plugins for a hobby site. I
can see why it became so popular. It's dead easy to start tinkering because it
forces you to learn very little. Just find the place where you want to hook
your code, and dump tons of godawful code in there. That means that people use
1000 different styles in their plugins, but it's the big price to pay. In
comparison, try tinkering with oxwall without digging deep into their object-
oriented code.

------
projectramo
I alternate between thinking how great Wordpress is, and how it isn't so
great.

If you hit its (admittedly broad) use case, you are great, but if you go even
a little off, it's a pain.

~~~
jordanlev
To me, what's great about WordPress is how they've fostered and managed their
community and maintained backwards compatibility to an impressive extent. The
code itself on the other hand... oy vey.

------
w001y
Wordpress is, imo, the reason PHP has historically gotten a bad rap.
Needle/haystack/type/performance PHP jibes aside etc etc, WP has been the
single point of contact for situations where my company has had to remediate a
hack/data breach/script kiddie scrawl. I've seen full hosted servers being
unplugged with no comebacks, tens of thousands of dollars in rebuild costs,
lost clients due to security concerns.. the culprit? _pointing over there_

The easy retort is "just keep it patched and up to date", natch. The ongoing
costs/technical debt involved in maintaining a Wordpress install sometimes
ends up being greater than what it cost to roll the thing out.

Wow, I'm getting old and complainy.

~~~
davemac8
I think it's more likely that the low barrier to entry required to build a WP
site is what has caused these issues, well, in the past, anyway.

What you are describing could be attributed to any poor quality code, it's not
specifically WP core that is to blame, but rather poor quality code built on
top of it.

In regards to managing WP sites being costly and taking up time, I manage many
WP client sites and find the opposite to be true (I did write the code for all
of them, though)

------
legitster
Wordpress's success has to be down to its ecosystem. There are other CMSs
that are better targeted to more specific uses, but the amount of options and
choices to a web designer with Wordpress are unreal.

------
wpserver
Wow, congrats WP!

------
Cthulhu_
The problem I have with wordpress - and any php project for that matter - is
that I'm afraid of the code. I've done some template editing for WP and it
already scarred me enough.

But maybe I just prefer writing and working in my own familiar codebases
instead of spending a small amount of time in that of others, a curse that a
lot of PHP developers have (the "I'll write my own framework / cms" curse)

~~~
kyriakos
Its template system is ugly. There are projects that bring modern templating
to WordPress though e.g. [https://github.com/tormjens/wp-blade](https://github.com/tormjens/wp-blade)

Consider though that when its template system was "invented" there wasn't much
else available and people back then used to mix code and html all the time
(both PHP and ASP developers). In their attempt to keep it backwards
compatible we still have to suffer through the template system.

~~~
connorjburton
Timber does this too if you like your Twig.
[http://github.com/timber/timber](http://github.com/timber/timber)

Disclaimer: I'm on the dev team

~~~
mountaineer22
Also the [http://roots.io](http://roots.io) project is pretty interesting with
their "alternate" template implementation and workflow.

------
20years
The community and massive amount of plugins developers created and still
create for Wordpress contributes to its success.

Same thing with Minecraft. The huge community of modders pushed Minecraft to
be as huge as it is.

Developers flock to both because they themselves can gain recognition and make
money off these platforms.

I personally love the success story of both because they both started off
small and initially had no intention of getting this big.

------
mountaineer22
Anybody attending Wordcamp in Asheville this year?

------
accounthere
At this point I don't think Wordpress is going to change their codebase into
something more modern and secure. Is there any other easy to use blogging
platform like it? PHP based because PHP is everywhere, based on a modern
framework (symfony2, laravel, etc), jinja-like template system, support for
databases other than mysql?

~~~
return0
> and secure

Given its popularity, I would assume wordpress is (by sheer force of trial
and error) the safest choice.

~~~
accounthere
Yet the Panama Papers thing happened.

------
hochchristoph
I've started a small WordPress cheatsheet for myself here:
[https://github.com/CHH/cheatsheets/blob/WordPress.md/WordPress.md](https://github.com/CHH/cheatsheets/blob/WordPress.md/WordPress.md)

More tips always welcome :)

------
NKCSS
I'm not sure if it's me, but whenever I see WordPress in a news article, the
first association is always with 'Mass Hacks'...

~~~
themodelplumber
It's a much safer platform these days...

...most of the sites with really important data have long since migrated away.
Haha

~~~
kyriakos
WordPress itself is not as insecure as people make it out to be. Its code base
gets a lot of scrutiny and security issues are fixed promptly. The problem
begins when you start installing plugins... most of which are coded by
designers-turned-programmers who needed to add a new function to a client's
WordPress site. Reading their code, it's obvious that they are built by mixing
and matching tutorial and example code they googled.

~~~
emodendroket
I haven't dug into any of this stuff, but wouldn't a smartly designed plugin
system give plugin code fewer permissions to prevent precisely this sort of
issue?

