
In Defence of WordPress - ezequiel-garzon
https://ma.ttias.be/in-defence-of-wordpress/
======
girvo
I like PHP.

Right, yes, I know, that makes me crazy, but modern PHP is a fine language.
HHVM, Hack, Composer, Packagist, the PSR standards: all of that comes together
for a nice development workflow. PHP's shared-nothing architecture by default
makes horizontal scaling an exercise in simplicity.

But: I don't like WordPress. Yes, it can autoupdate -- and that's certainly
better than how things were prior; however, WordPress' core code is horrendous.
There's a reason why security issues are consistently found.

The bigger issue is the sorry state of most plugins; the bulk of
vulnerabilities that end in compromise of WordPress sites are not from the
core itself, but the plugins. An autoupdater for those certainly exists, but
it doesn't help you if the people writing the plugins to begin with have no
clue how to write not-insecure software.

These days, I avoid WordPress like the plague. When I do have to work with it,
I've dragged it kicking and screaming into 2015: It lives in a Docker
container, is fully 12-factor, completely managed through Composer (including
Wordpress' core itself) and all code that I write for it is proper unit
tested, PSR-4 autoloaded namespaced classes; this allows me to avoid crappily
written plugins and rely on battle-tested libraries instead.

If and when it gets compromised, I can restore the Docker image within
seconds, or lock it down as straight HTML by exporting it as a static site
temporarily. WordPress can be decent if forced to be, but it's a lot of work
and I'd much rather use something that doesn't have so much cruft clogging it
up.

I mean, heck: you still can't run the latest version of WP on anything other
than MySQL, despite technically having a DBAL. Absolutely crazy, considering
we have Doctrine or Propel!

~~~
8ig8
Knowing about WordPress and the typical use case, what do you use instead?

~~~
ceejayoz
Most people would be fine with a static site generator like Jekyll and a
third-party commenting system like Facebook or Disqus. As a bonus, it costs
pennies to host such a thing on S3.

~~~
jacques_chester
> _Most people_

We in technology are not "most people".

~~~
ceejayoz
Anyone who can manage a WordPress install should be able to get Jekyll
working, but I'd like to see it get a user-friendly GUI that takes care of the
grunt work.

------
dantiberian
A lot of people here are talking right past each other.

Is it good that WordPress has automatic security updates? Yes.

Is it bad that WordPress vulnerabilities are still so common? Yes.

Are Drupal, Joomla, or Magento better at this? It sounds like the answer is
probably no.

Does that excuse WordPress because it is better than other frameworks with
marginal track records? No.

For such a widely used framework, WordPress' security record is dismal.
Automatic updates are a great feature, but they don't replace the need for the
framework to be a lot more secure.

For someone hosting their personal blog on a $5/month VPS this is probably
good enough. For a bank to run WordPress is borderline professional negligence
at this point [1]. A lot of the comments seem to be assuming that because the
update was rolled out withing a few hours, that their window of exposure was
pretty small. The window of exposure to WordPress vulnerabilities isn't from
the time the patch is released until you are updated, it is from when an
attacker discovers the vulnerability and you are updated.

[1]: [http://ma.tt/2015/04/a-bank-website-on-wordpress/](http://ma.tt/2015/04/a-bank-website-on-wordpress/).

~~~
pyre
Someone should do a study on where these security bugs are coming from. Are
they in new features? Introduced from refactors of old code? Are they due to
the plugin infrastructure? Is it all in old code?

~~~
punjabisingh
The bugs are coming from everywhere.

In my view, the worst ones are the ones coming from core. They've come from
old code (i.e. the comments XSS due to overly large comments) or from
including other libraries (i.e. genericons vulnerability).

I think this sort of stuff is bound to happen since WordPress is slowly
becoming the kitchen sink trying to keep up with all demands of the users.

The good part is:

* They are increasing their unit tests coverage.

* With auto-updates, the huge amount of sites that use WordPress are not left in the dark. So I consider it a feature even if it comes at a price. When the software is being used at the scale that WordPress is, it is a needed feature.

------
falcolas
So, your website can auto update itself. Know what that infers? A compromised
WordPress instance can also update itself, to be whatever the attacker wants
it to be. Hey, look, DB credentials as well, in an executable file (which can
be "updated" right alongside the rest of Wordpress).

And how do these updates happen? Via a cron system, built into WordPress. It
also has its own storage system (whose functionality can be altered at runtime
by plugins), dynamic content management (via PHP (!) stored in the DB), its
own networking stack, and more abstractions than you could shake a branch at.

Hell, I can't even figure out how to turn off cron requests (despite
explicitly setting DISABLE_WP_CRON in wp-config.php). I block those at the
nginx layer, but the noise is aggravating.

So many vectors of attack, so few ways to protect yourself.

~~~
mst
> A compromised WordPress instance can also update itself, to be whatever the
> attacker wants it to be

By this point, you're already on the other side of the airtight hatchway.

[http://blogs.msdn.com/b/oldnewthing/archive/2006/05/08/59235...](http://blogs.msdn.com/b/oldnewthing/archive/2006/05/08/592350.aspx)

is a good example of this point.

The goal here is to avoid the compromise in the first place, so the attacker
stays on the correct side of the hatchway.

There are plenty of logical reasons to hate wordpress, but I don't see that
this is one of them.

~~~
falcolas
> By this point, you're already on the other side of the airtight hatchway

Not really. Having the ability for a web process to write to its files, which
it then executes, actually opens up whole new vulnerabilities. For example: one
popular PHP exploit is writing a PHP file, then executing it on the remote
system. Can't write a file? Can't execute the exploit.

Reading and executing PHP out of the DB, and also writing user input to that
same database? Same problem. Triggering system-altering actions based on an
unsigned token? That's a vulnerability.

Letting an application be able to do more on a system than is absolutely
necessary to operate is a great way to give control and information over to
others.

~~~
girvo
_> Not really. Having the ability for a web process to write to its files,
which it then executes, actually opens up whole new vulnerabilities. For
example: one popular PHP exploit is writing a PHP file, then executing it on
the remote system. Can't write a file? Can't execute the exploit._

You're definitely correct, but there can be two different contexts to execute
PHP, with differing permissions. If I was to rebuild how WordPress does its
autoupdating, I'd get rid of the god-awful HTTP "cron" crap, and have a proper
PHP CLI that can do the updating, that runs on the server and is never exposed
outside of it, and then WordPress itself, with the core outside the webroot
and the uploads folder with zero executable permissions.

Still not perfect, but it'd be a hell of a lot nicer than how it currently
runs.

~~~
plorkyeran
Replacing the self-updating with an external updater does eliminate the
problems with self-updating, but it's not a viable option for wordpress's
primary deployment target of terrible shared hosting.

------
cothomps
Nice!

As much as Wordpress gets bad pub, there is certainly the open ways in which
security is handled and patches are distributed. Far better in most ways to
commercial CMS (and even some open source) where systems seem to run unpatched
until a system upgrade or a security incident.

~~~
JeremyMorgan
Clearly some folks are downvoting because of an unpopular opinion.

Come on, folks.

~~~
themartorana
Seriously! It's not even civil dissent, most of it is mean grandstanding.

Wordpress is ubiquitous. There are more technically challenged users than
technically inclined. So here are your options - auto updates, or I'm guessing
millions of outdated, incredibly vulnerable sites sitting on shared hosting
boxes out there. I like my Webfaction account, I'd prefer the other tenants on
my server to be as up to date as possible.

Just such unnecessary snark. The guy wrote a blog post. He's being skewered
for it.

------
JeremyMorgan
Ok, I'll be the devil's advocate here. I hate Wordpress, I really do. But
there is a reason it's so successful.

Show me another similar CMS (if that's what you want to call it) that's as
easy to install and use, in any language or platform.

Django and DotNetNuke are the only ones I can think of that come close, and
neither of them are as easy to install and work with as Wordpress. That's why
it's so popular.

Sure most HN visitors are developers working with better stuff and wouldn't be
caught dead using WP but if you're a non developer business person looking for
a quick solution it can't be beat!

We should all be working on an easy to use, yet more secure alternative.

------
cthalupa
People always beat up on software that has security vulnerabilities.

The thing is, the auto update feature is not an affirmative defense for the
criticism. There are probably plenty of legitimate defenses out there -
developing secure software is quite obviously something that is hard to get
right.

But offering auto-updating is only a defense against arguments claiming that
updating WordPress is a pain in the ass, not people claiming that the codebase
has lots of security flaws.

You also can't use other software being garbage as a defense for why some
other piece of software isn't garbage.

You have to evaluate the actual merits of WordPress in regards to the code
quality, chance of being exploited, etc. It updating automatically when
exploits are made public is not the same thing as not being vulnerable to
frequent exploitation, nor are other frameworks failing in some other way
exoneration for any failings WordPress might have.

To be clear: I don't care about WordPress, and do not have a stance on whether
or not it's great or awful. All I know for sure is that it is certainly quite
popular.

But this article is built upon a shaky premise and lots of logical fallacies.
If you want to write about how awesome it is that WordPress auto-updates, then
write about it. Just don't try to use that as a defense for criticism about
other aspects of the codebase.

------
notlisted
I was never a big fan of WP, but… I agree the ease of updates is an
extremely important feature, especially for non-technical users. I'm working
on a small conversion project migrating content from a Joomla site to
Wordpress. The original site was running on Joomla 1.5 (Support for this
version ended in Sept. 2012!). The upgrade path was too cumbersome so the
clients just "took the risk". It was compromised several times but "cleaned up
as best we could". Needless to say, we're ditching that server.

Still not a fan of WP self-installs, but hosted on WPEngine with smart tech
support, automatic daily snapshots with the option for non-technical people to
back up or revert the whole thing with a single-click is super simple. For
added security and performance we'll be using cloudflare DNS, applied a plugin
to hide any evidence of wordpress use and use just a few well-known and
maintained plugins. Nothing is perfect, but ease of use, ease of upgrades and
ease of maintenance go a loooooong way. It's mighty budget-friendly too.

~~~
edgarvaldes
What plugin are you using to "hide" Wordpress?

~~~
jbeales
It doesn't matter because it won't help much, if at all. The script kiddies
are running scripts that check for known files in several popular CMSs, so
unless the plugin makes major changes to WP's behaviour, WordPress will still
be findable.

~~~
greg5green
Hell, I even had a non-important, BS Rails app get shut down on shared hosting
(Webfaction) because someone tried random WP exploits on it (some plugin that
accepted a POST and could be exploited via the payload). Rack stored the
payload in a temp file and Webfaction saw the tmp file as a new file I didn't
upload and suspended the app.

The first time it happened, I just deleted the file and went forward. The
second time, I just deleted the app. I know I could write a script to deal
with this, but it was just a test, playground type app. All it did was make me
say I needed to move my "blog" off WordPress and stop trying to host Rails
apps on Webfaction.

PS: The domain the Rails app was on had never hosted a WP site ever before. WP
is just so ubiquitous that they were just trying to hack any site -- even
one that had like 3 organic visitors ever.

------
bovermyer
WordPress's code is badly designed and written in a language that I no longer
believe serves the best interests of the Internet in general.

WordPress as a globally managed app is FANTASTIC. Automattic does a superb job
of keeping on top of just about everything that comes its way. They do great
work over there, and I'm really proud of that whole team.

~~~
coldtea
> _WordPress's code is badly designed and written in a language that I no
> longer believe serves the best interests of the Internet in general._

It's 2015. This is not your grandparents' PHP.

Besides, PHP serves the largest website on Earth (Facebook) and a good 20% or
more of the rest (via WordPress, Drupal et al).

~~~
gnaritas
> Besides, PHP serves the largest website on Earth (Facebook) and a good 20% or
> more of the rest (via WordPress, Drupal et al).

Popular != good. None of those points mean anything, PHP is still a badly
designed language that lacks consistency and makes language designers feel
like puking. It's a collection of hacks more than a language.

~~~
coldtea
> _Popular != good._

That may be so in pop music and matters of taste.

In the context of software, popular as in powering half of the web means
stable, reliable and battle-tested.

That it doesn't satisfy some ideological purity doesn't mean much.

All languages have crappy parts, especially the more popular ones. C++ has a
pile-on-kitchen-sink design, and yet it powers 90% of the desktop software
world. C has horrible safety mechanisms, and it rules in systems programming.
Javascript, the other web darling, I won't even get into that. Java has all
the legacy SDK crap and the needless boilerplate ceremony, and it just got
closures like yesterday.

Sorry, but the world isn't built on Haskell and CL, and even less so in Dylan
or whatever exotic thing you have in mind.

~~~
gnaritas
> In the context of software, popular as in powering half of the web means
> stable, reliable and battle-tested.

No, it doesn't, it merely means popular.

~~~
gnaritas
Additionally, context is never relevant, popular doesn't mean quality in any
context. Something can be both popular and quality, but popularity doesn't
make something quality.

------
BorisMelnik
Let's ask one question: what CMS, CRM, programming language, operating system,
etc doesn't come out with major security flaws every once in a while?

All of them, even OpenBSD. Software has bugs, and security flaws. It is not
how buggy they are, but how well we patch them from a larger scale and that,
WordPress does extremely well.

~~~
krapp
One of the biggest strengths of Wordpress is also a fatal flaw - the
flexibility of its plugin system, and how easy it makes finding and installing
plugins and themes. Each is its own self-contained web application that runs
with the same permissions as the application itself.

Yes, this applies to any open source application, but given how huge
Wordpress' plugin landscape is, it's a big problem even if you assume the core
application itself is secure (for the sake of argument.) Almost nobody pores
over every line of code in every plugin before they install it (much less each
update) - at best they just check to see if it has a high rating.

------
ac29
The article and many commenters miss a critical flaw: wordpress only auto-
updates minor releases. 4.1.0 will be updated to 4.1.x, but not 4.2.x or
beyond.

I built a WP site about 6 months ago on 4.0.x (current at the time), since
then it has required 2 manual updates to get to 4.2.x.

As many others have noted, plugins are a bigger problem. They often break on
new major releases and update less frequently. There is a lot good about
wordpress, but the update cycle and security problems are a huge maintenance
issue.

------
Nyr
What's up with this nag? [https://i.nyr.es/Captura-de-pantalla-2015-05-15-a-las-3.07.37-CQGEkbBxnP.png](https://i.nyr.es/Captura-de-pantalla-2015-05-15-a-las-3.07.37-CQGEkbBxnP.png)

Your site is a simple WordPress blog, I'm sure you can perfectly host it for
$1/month.

~~~
themartorana
Seems unnecessarily snarky, unless I should have read some implied smiley
emoticon...

~~~
mahouse
Not snarky at all. That popup was an unnecessary annoyance.

~~~
themartorana
I feel like there's something about a mousetrap and a mouse here.

------
jqm
Updating plugins often breaks things. For instance, I updated our AD plugin
for a company blog a few days ago and no one could log in. I had to do some
research and eventually the plugin was rolled back from backup.

Can't wait to see what auto update breaks.

Not a fan of Wordpress. It's a lot more work than it's worth.

------
mahouse
So your point is that it does not matter that WordPress is a huge mess as long
as it updates automatically?

~~~
Mojah
No, my point is that not everything that WordPress does is _evil_.

Its auto-updates protect a very large part of internet-facing websites from
getting hacked. And it's not something a lot of other CMSes have integrated.

~~~
falcolas
Self updating requires overwriting its own files (or access to your FTP
credentials). Enabling this goes against almost every website/server hardening
guidebook out there.

It also requires allowing loopback HTTP requests in response to every incoming
request to implement a pseudo cron system.

There's a good reason most other CMSes don't implement automatic updating.

~~~
mst
If an attacker has code execution, I've already lost. Whether they have to
inject it every time or can write it to the filesystem isn't really the point.

The current system is better than no automatic updates.

One that uses a separate user that has write access would be superior, but
many users don't actually _have_ a separate user to cron that job as.

~~~
toast0
If the webserver can write to the web root, that means a vulnerability that
allows arbitrary writing can be escalated to code injection.

In a sane environment, the web user wouldn't be able to write to the file
system at all, much less the web root.

Sanity being rare doesn't really justify only offering auto updates to the
insane.

~~~
mst
They created something that makes the most common sort of deployment more
secure.

This is a net improvement and therefore entirely justified.

~~~
falcolas
> This is a net improvement and therefore entirely justified.

The first does not imply the second. "Our bank is secure because we change out
the locks every few days. To facilitate this, all of the locks have their
screws on the outside - it was too much work to have someone around to open
the doors for the locksmiths all the time."

Interested in hearing how many recent vulnerabilities in WordPress were
prevented by not allowing arbitrary writes, whitelisting URLs, and blocking a
whole mess of WordPress set headers?

All of them which have occurred in the last year. We've kept up-to-date with
our updates, but every security vulnerability which has triggered a major or
minor update was prevented not by WordPress updates, but by sensible system
security.

~~~
dfcowell
I don't think anyone is suggesting that you should compromise your security to
enable auto-updating. Automatic updates are never better than correct file
permissions.

The point here is that a large number of WordPress sites _are_ running with
file permissions such that the web server can write to the web root.

By trying to auto update, those sites with poor file permissions get a minor
security benefit (shorter time between patch release and patch application)
while all of the installations running with safe file permissions are entirely
unaffected.

There's no downside to a secure site having the automatic update code. There's
a small upside to an insecure site having it.

------
wodenokoto
So what happened to Wordpress? Their slogan used to be "Code is poetry" and
today they are the punchline of every bad code anecdote told.

~~~
fsk
The only projects that nobody ridicules are the ones that nobody uses.

------
DigitalSea
I think Wordpress gets a lot of unfair blame. I often see the size of its
code-base touted as one of the reasons to avoid its use. It seems the general
consensus amongst a lot of developers out there is that Wordpress isn't OOP.
Seriously when was the last time someone building a Wordpress website had to
do anything outside of the wp-content folder? I have been working with it for
like 8 years now. I used it before it even had half the CMS features that it
has now. Making Wordpress completely OOP isn't going to make it any better
than it already is, nor will it make more people visit your website or make
you breakfast in the morning.

I don't care if the Wordpress code-base is a mixture of procedural and object-
oriented PHP code, I use the hooks/actions system to change things, I never
have a need to go into the wp-includes folder unless I am trying to work out
how a new feature works that isn't fully documented (which is extremely rare).
I also see people calling PHP a bad language because of the way Wordpress was
built on-top of it, like some can't make the distinction between the language
and the prolific CMS built on-top of it.

When a Wordpress website gets hacked, you know who should also shoulder the
blame? The developer that set it up and/or the server admin that set up the
server. If you're setting up Wordpress on a server that doesn't have the
appropriate folder permissions set, the wp-config file moved back one level
from root (and thus not publicly accessible), you're using the default "wp_"
database table prefix and you use FTP to move files to and from the server
because setting up SSH access intimidates you, then it is your fault as well.
A properly secured Wordpress installation is very difficult to attack. Sure it
doesn't protect you from all attack vectors, but it goes a long way. Making
sure your username in Wordpress isn't admin always goes a long way. On all
Wordpress sites that I monitor I see numerous brute force scripts being run
trying to guess the password for a user named "admin"; joke's on them, no such
user even exists, so they just get instantly IP banned (which is annoying
because some seem to cycle through thousands of IP addresses). Running an old
version of Wordpress and you get attacked: is it Wordpress' fault or your own?

People love to bash Wordpress, but you want to know the harsh reality? There
is no better alternative (trust me, I tried looking once, I legitimately spent
weeks trying alternatives and found nothing better). Wordpress is the number
one CMS because it is the best, regardless of its code-base, nothing else
compares. Some people will try telling you to use Drupal, but they generally
don't know what they are on about. "Oh, don't use Wordpress it gets hacked all
of the time" - no, it doesn't. Your lack of technical competency is the
reason you get hacked all of the time. A bad workman blames his tools.

My personal blog gets 3k hits per day, I see numerous attempts to hack my site
and in the 5 years I have been running Wordpress on my personal blog alone, I
have never been successfully hacked once. Because I don't just set Wordpress
up using the default settings, I use strong passwords, I use unique usernames,
I lock file and folder permissions, I move credentials out of the root
directory.

Wordpress is slightly cursed in that it has a low learning curve, it makes it
incredibly easy for just about anyone to setup their own self-hosted Wordpress
installation. While exploits are not the user's fault, a lot of the most common
hacks you see on Wordpress were in part due to the fact the user kept a
default setting or set something up incorrectly.

The auto update functionality is great in Wordpress, I don't think this
feature alone is a big selling point for the CMS. The auto-update
functionality in Wordpress doesn't always work, but it is better than nothing.
As the author points out, Drupal and Magento in particular are both so
complicated (even though they have clean code-bases) that they make it
difficult to perform updates or do basic tasks people take for granted in
Wordpress.

Compared to the number of times I have been infected with malware and viruses
over the years as a Windows user (many times due to my own fault), Wordpress
does not even register on the Richter scale of insecurity and annoyance in
comparison.

Let's start taking responsibility for our own actions, developers. We can't
blame PHP and Wordpress for all security issues. Somewhere along the line you
need to make some effort and not assume a CMS or framework has your best
interests at heart or has covered every possible angle.
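The thread keeps coming back to the same handful of deployment checks: whether the web process can write to files it later executes (falcolas, toast0, dfcowell), whether the uploads folder can hold executable PHP (girvo), and the checklist in the post above (folder permissions, wp-config.php moved above the web root, a non-default "wp_" table prefix, wp-cron firing on HTTP requests). The script below is an added example, not WordPress's own code, that audits a WordPress-style directory for those points and applies the fixes that need no database change. The `public_html` layout, the sample wp-config.php contents and the planted upload file are constructed for the demo; `audit_wp_tree` itself can be pointed at a real web root.

```shell
#!/bin/sh
# Added example (not WordPress code): audit a WordPress-style tree for the
# hardening points raised in the thread. Layout and file contents below are
# constructed assumptions.

# audit_wp_tree WEBROOT: print one FINDING line per problem, return the count
# (counts above 255 wrap in the return status; the FINDING lines are the record).
audit_wp_tree() {
    webroot=$1
    n=0
    # 1. wp-config.php inside the web root. WordPress also reads it one level
    #    above the web root, which keeps credentials out of the served tree.
    if [ -f "$webroot/wp-config.php" ]; then
        echo "FINDING: wp-config.php is inside the web root"
        n=$((n + 1))
        cfg=$webroot/wp-config.php
    else
        cfg=$webroot/../wp-config.php
    fi
    if [ -f "$cfg" ]; then
        # 2. Default table prefix: the one every scripted attack already assumes.
        if grep -q "table_prefix *= *'wp_'" "$cfg"; then
            echo "FINDING: default table prefix 'wp_' in $cfg"
            n=$((n + 1))
        fi
        # 3. wp-cron keeps firing on incoming HTTP requests unless disabled.
        if ! grep -q "DISABLE_WP_CRON.*true" "$cfg"; then
            echo "FINDING: DISABLE_WP_CRON not set; wp-cron runs on HTTP requests"
            n=$((n + 1))
        fi
    fi
    # 4. Group- or world-writable entries (octal 020 / 002): a compromised web
    #    process, or a neighbour on shared hosting, could rewrite executed code.
    find "$webroot" \( -perm -020 -o -perm -002 \) |
        sed 's/^/FINDING: writable by group or others: /'
    w=$(find "$webroot" \( -perm -020 -o -perm -002 \) | wc -l)
    n=$((n + w))
    # 5. PHP files under uploads: that tree should hold data, never code.
    uploads=$webroot/wp-content/uploads
    if [ -d "$uploads" ]; then
        find "$uploads" -name '*.php' | sed 's/^/FINDING: PHP file in uploads: /'
        p=$(find "$uploads" -name '*.php' | wc -l)
        n=$((n + p))
    fi
    return "$n"
}

# harden_demo_tree WEBROOT: apply the fixes that need no database change.
harden_demo_tree() {
    webroot=$1
    # Directories 755, files 644: the server reads; only the owner writes.
    find "$webroot" -type d -exec chmod 755 {} +
    find "$webroot" -type f -exec chmod 644 {} +
    # Move credentials one level above the web root.
    if [ -f "$webroot/wp-config.php" ]; then
        mv "$webroot/wp-config.php" "$webroot/../wp-config.php"
    fi
    # Disable HTTP-triggered cron. In a real install this define must come
    # before the wp-settings.php require, and wp-cron.php is then run from
    # system cron instead.
    if ! grep -q "DISABLE_WP_CRON.*true" "$webroot/../wp-config.php"; then
        echo "define('DISABLE_WP_CRON', true);" >> "$webroot/../wp-config.php"
    fi
    # Left to the operator: the table prefix (needs a DB migration) and any
    # PHP planted under uploads (inspect it before removing it).
}

# make_demo_tree PARENT: build a deliberately misconfigured install to audit.
make_demo_tree() {
    root=$1/public_html
    mkdir -p "$root/wp-content/uploads/2015/05"
    cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');          // constructed sample values
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'not-a-real-password');
$table_prefix = 'wp_';
EOF
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf '<?php /* planted under uploads */\n' > "$root/wp-content/uploads/2015/05/image.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/2015" \
              "$root/wp-content/uploads/2015/05"        # world-writable dirs
    chmod 664 "$root/index.php"                          # group-writable code
    chmod 644 "$root/wp-config.php" "$root/wp-content/uploads/2015/05/image.php"
    echo "$root"
}

# run_demo: audit the constructed tree, harden it, audit again.
run_demo() {
    tmp=$(mktemp -d)
    root=$(make_demo_tree "$tmp")
    echo "== before hardening =="; audit_wp_tree "$root" || echo "$? finding(s)"
    harden_demo_tree "$root"
    echo "== after hardening ==";  audit_wp_tree "$root" || echo "$? finding(s)"
    rm -rf "$tmp"
}
if [ "${1-}" = demo ]; then run_demo; fi
```

Run it as `sh wp_audit.sh demo` to see the constructed tree go from eight findings to the two that a script should not fix on its own (the `wp_` prefix and the planted upload). To audit a real site, source the file and call `audit_wp_tree /path/to/webroot`; the permission check deliberately flags group-write too, since on shared hosting the "group" is often other tenants.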

------
stephentmcm
Yawn. More excuses for using a big old pile of spaghetti code with no testing
or dependency management. Auto-updates? big deal, any decent framework can
roll out updates on composer.

~~~
Mojah
Yet here we are:

* Drupal 7: manual updates, or funky drush commands

* Magento: requires running shell scripts (!!) to patch at the CLI

* Joomla: no auto updates

* Typo 3: no auto updates

* ...

Composer helps, but it helps developers. It does not help the average user
that has no clue on how to apply those patches.

People download a CMS from the internet, throw it on a cheap host and expect
it to work. Updates? What are those?

~~~
stephentmcm
And that's the problem: they shouldn't be doing that. Hosting a website is not
a fun weekend project you get from Target/Walmart as a DIY kit.

People wouldn't be happy if I started building my own car to just drive around
where ever I felt like, making it 'easy' and 'safe' to just throw up a website
anywhere is an excellent way to get hacked.

~~~
coldtea
> _Hosting a website is not a fun weekend project you get from Target/Walmart
> as a DIY kit._

Why? It's not like most websites are mission critical.

Heck, even if a major business website went down for a couple of days, it
wouldn't be that much damage anyway compared to other things that can and
regularly do happen to the supply chain or market...

> _making it 'easy' and 'safe' to just throw up a website anywhere is an
> excellent way to get hacked_

Yeah, and so? Getting hacked is the end of the world?

~~~
stephentmcm
For Mummy-blogger's site about how awesome her kid is? Probably not the end of
the world, except that now her site is sending spam and hosting malware. You'd
be pissed if your neighbour left their house unlocked while they went on
holiday and it turned into a crack-den.

