Why Wordpress? (johnmaeda.com)
75 points by shervinafshar on Jan 1, 2017 | 83 comments

What are the alternatives? Is there any other free, self-hosted, open source CMS that out-of-the-box allows an average non-tech person to publish content, images, etc. with such ease and nicely designed admin GUI? Easy to install, can be installed on any cheap shared hosting and will work fine, has automatic updates, content is searchable, has tons of themes free or cheap to choose from, it's fairly easy to customize and reasonably safe, as long as the developer doesn't get crazy with plugins and has a basic idea of web security it's just fine. Code is ugly as hell and I hate it as much as everyone else, but site owners don't care about it, as long as the interface is nice and easy and cheap to use. And also there's a ton of helpful videos and tutorials to give to your clients to learn how to use it (so they don't bug you at all on "how do I do this"). Developers are cheap and readily available if you don't want to provide support which is a huge benefit for the customer, not being stuck with a custom solution and having to pay for a new site each time he changes the developer.

I'd be very happy to use something else, more secure and better written, but what comes even close?

I will add as a Software Engineer, I use WordPress to document my world expeditions[1] because it works, and I don't want to mess with code while using crummy internet in West Africa.

I have never seen a better alternative for what I do.

With Varnish in front of it, the server doesn't break a sweat with 1,000 concurrent connections (according to Analytics)

[1] http://theroadchoseme.com

Drupal 8 is very user friendly out of the box. (For publishing, you could maybe go further and use a distribution like Thunder - http://thunder.org/)

I am currently evaluating October CMS. Give it a shot! Disclaimer: not affiliated with OctoberCMS at all. I'm evaluating it as a CMS platform for client projects.

Take a look at Concrete5. It's a LAMP stack like Wordpress, MVC under the covers, a common sense architecture, and highly extensible. It has an exceptional, in-context UI for content editing that is the best I've seen, and a good core team and community that is very active.

One area that Wordpress wins is with respect to the overall number of themes and plug-ins, but that's pretty much it.

I tried it a few years ago and it was not ripe yet. Community too small, bugs too severe.

The WYSIWYG editor is still nice though. But it adds a lot of complexity if you want something it can't do. Some abstracted forms in wordpress are easier.

What about Joomla or Drupal? (Although does anyone use them anymore? As WordPress got more popular I've seen more and more serious sites running WordPress and leaving Joomla). But for a business, a proprietary CMS is a management mess (proprietary as in custom designed) because you can't switch web companies.

Wordpress is a great platform if you use well rounded plugins, actively manage it, have it behind a Firewall, and run a security suite (like Wordfence.) But really, you should have any CMS install behind a Firewall.

I really like Wordpress, it gets a lot of hate; but it's easy to develop on allowing for fast turn around, has the best editor of any CMS around for client happiness, and has a robust ecosystem. I'm in charge of around 150 websites that run Wordpress, and I moved them all under an active management platform with always up to date plugins, themes and core. I inherited a lot of them with my new job, but I am slowly putting them all behind Cloudflare's firewall and setting up the appropriate page rules to keep them safe. I often scan them and compare them against the core to make sure there have been no changes to core files by a hack. I also have them on scheduled back-ups to private Azure blobs and have alerts set up with Azure's monitoring tools.

It takes a while to set all of that up, but once it is set up your install is pretty safe against any sort of attack relative to other CMSs. Another great thing about WP is if it IS hacked, it's pretty easy to fix. Other CMSs getting hacked is quite the chore to hunt down, especially the other major PHP based CMSs. I'm looking at your Magento & Drupal.

I think about what is best for turn around, has the best cost/benefit, and what makes clients happiest, and so far Wordpress is the answer 90% of the time. Until that changes, Wordpress will continue to run a huge chunk of the web. I do grant you that a lot of lazy developers and unmanaged/out-of-date installs from agencies, small businesses and individuals are hacked very often and are often turned into zombie sites. There's no doubt about that. But just taking some basic common sense security measures can do wonders and keep you and your clients safe(r) from attack.
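One way to do the "compare against the core" check the comment above describes, as an added example that is not from the thread or from WordPress: the script checks an install's files against a per-file checksum manifest (in real use the per-release list published by WordPress.org; here a constructed stand-in so it runs offline) and reports modified, missing and foreign PHP files. File names and contents in the demo are constructed.

```python
"""Verify a WordPress install against a known-good core checksum manifest."""
import hashlib
import os
import tempfile
from typing import Dict, Iterator, List

# In a real run the manifest comes from WordPress.org's checksum API
# (https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US),
# which returns {"checksums": {"wp-login.php": "<md5>", ...}} for that release.
# The manifest and file contents below are constructed stand-ins so the script
# runs offline; they are not real WordPress files.
CLEAN_FILES: Dict[str, bytes] = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-login.php": b"<?php /* constructed stand-in for the login script */\n",
    "wp-includes/functions.php": b"<?php /* constructed stand-in */\n",
}
SAMPLE_MANIFEST: Dict[str, str] = {
    path: hashlib.md5(body).hexdigest() for path, body in CLEAN_FILES.items()
}

# Per-site files that are never in the core manifest and must not be reported.
IGNORED_FILES = {"wp-config.php", ".htaccess"}
IGNORED_PREFIXES = ("wp-content/",)


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def relative_files(root: str) -> Iterator[str]:
    """Yield every file under root as a forward-slash relative path."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/")


def verify_install(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as modified (hash differs), missing (in the manifest but
    absent) or unexpected (a .php file core never shipped, e.g. something
    dropped into wp-includes/). wp-content/ is site-owned and skipped."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for rel in relative_files(root):
        if rel in IGNORED_FILES or rel.startswith(IGNORED_PREFIXES):
            continue
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            if rel.endswith(".php"):
                report["unexpected"].append(rel)
        elif md5_of(os.path.join(root, rel)) != expected:
            report["modified"].append(rel)
    report["missing"] = [p for p in manifest if p not in seen]
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo() -> Dict[str, List[str]]:
    """Build a constructed install with one tampered core file, one missing
    core file, one foreign file in wp-includes/ and one plugin file, verify it."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = dict(CLEAN_FILES)
    del files["index.php"]                                        # missing core file
    files["wp-login.php"] += b"/* injected line */\n"             # modified core file
    files["wp-includes/wp-cache.php"] = b"<?php /* foreign */\n"  # not in manifest
    files["wp-content/plugins/demo/demo.php"] = b"<?php\n"        # site-owned, ignored
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return verify_install(root, SAMPLE_MANIFEST)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files under wp-content/ are outside the manifest, so plugins and themes need their own reference copies (or version control) to be checked the same way.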

Do you have a good guide for setting up a bunch of WP sites securely/properly? The ones I've found all just have a few tips here/there and many conflict each other. Haven't found anything "complete".

I see WP Engine touted as a solution. My limited experience with a client several months ago was "hey, we're getting really big, we need better security and better performance", they shop around, and get sold (in a literal sense) on WP Engine. Signed up, and my friend started to try to migrate things over. Oh... yeah, they don't actually support many custom plugins - you could select from some blessed ones, but the client's traffic was all using a custom theme and set of plugins. Those wouldn't run on WP Engine.

I too (and many others) could make most WP hosting really secure if I got to say "you can only use these 9 plugins (or whatever the number was) and no, you can't put any custom code on the server at all".

EDIT: Indeed... every moderately-sized WP project I've worked on ends up being dozens of plugins (more than 15 being average, and one recent one having about 45 active plugins). Every time I mention that to anyone I know who 'does' WP they all recoil in horror and say "I'd never even work on that - that's impossible! Why would you need that many plugins ever?!" And then I think... they don't really understand WP, or they don't understand clients. Or... yeah, it must be my problem, because I'm somehow not good enough to deliver everything a client asks for in wordpress (requirement) in the mythological "3-5 plugins" everyone tells me is their max.

EDIT2: The client project referenced above was getting tens of millions visits per month, and as such the WPengine number I was told was somewhere in the region of $1500/month.

What do they use so many plugins for?

I took over supporting/developing a WordPress site and one of the first things I did was delete a bunch of pointless plugins. I wound up writing quite a few of my own for different tools and left some third party plugins so there are still probably 10 active between 3 sites on a multisite install.

I installed Google analytics directly in the header of the custom themes on each of the multisites.

There were no comments so all of the comment plugins were pointless, as were all the form plugins except for one.

So, why so many plugins? Am I missing something?

Install woocommerce - you'll end up with 12-15 plugins off the bat.

Would you like to force everything to be SSL? Another plugin. Do you want a contact form? Another plugin. Do you want to disable the bizarre update messages from ignite woo that won't go away? Another plugin. Oh, you want some slider-carousel thing on some page? Another plugin. Caching? Another plugin. Image optimization? Another plugin. Some sort of 'maintenance mode' to deal with taking down the site for upgrades? Another plugin. Social sharing buttons? Another plugin.

I could keep going, but perhaps you get the picture. And the argument could be made that 90% of these are not needed, and there's other ways to deal with the requirements. In my most recent excursion, I'd taken over a project from someone else, and this was it. Any changes to anything would require investigation, custom code, and still require some sort of UI to manage things, all of which cost time and money, which were in short supply, so this particular project kept going with dozens of plugins.

You want to do an upgrade to WP core? You've got 30+ plugins to test. Or... just click 'update' and hope for the best. Or test each plugin and upgrade process on a separate server. Again, back to relatively large amounts of time and money expended just to keep up with wp core to avoid inevitable hacking attempts.

I have another multisite install I was brought in on over the summer, with 165 plugins. It's just another version of 'crappy legacy software and undocumented crap with no documentation' which we've all seen, but it is also quantified by "number of wp plugins". No, not every site is using all 165. But there were/are > 40 sites, with various groups using various combinations - there's 0 good reasons for all of these to have been combined (over several years) in to one massive multisite mess, but it was, and it's taken many people far too long to unravel some of the mess to extricate some sites.

Yes, some of this is just a 'bad code is bad code' rant, but given the mindshare that WP owns, it would seem to be incumbent on them to raise the bar with respect to tools for plugin management (as just one example), give developers better starting code and samples and guidance for what's acceptable and what's not. A paid certification program which would vet code for 'best practices' would be something I think would help improve the landscape in short order (and no doubt has been considered by some over the years).

So I think you're agreeing with me? I can't really tell.

I agree that knowledge of best practices is really important, because why would you need to run a plugin on top of your site to force HTTPS?

I use Apache to force HTTPS, Apache to handle error documents, etc. My themes each have their own cache manifest.

It's common sense / best practice to have a second server to test updates on, that's what I do. Given I only have 12 plugins with a handful active on each site, it doesn't take too long. I also add and develop plugins on the second server.

IMO the shittiest thing about WordPress is the library so by and large I choose not to use it when it isn't necessary, so pretty much everything besides querying posts and accepting AJAX calls since they make it nearly impossible to otherwise.

In general, I try to develop apps/plugins that run 100% independent of WordPress and just write a wrapper for the library that's used for administration on the WordPress dashboard.

An example of this is a plugin that's more or less a long test, with some custom GUI and other requirements (save progress, download CSV, take notes, etc). I wrote it to WordPress standards and used a short code to add it to a page. It was slow, sooooo slow.

So, I rewrote the entire front end to be an independent app that uses a custom DB table, propagated by a plugin on the WordPress dashboard. Result? 80% faster load times.

Another example, I made a simple app that gets some data from another custom DB table and sends tweets, triggered by cron. It uses a SQLite DB to track a few settings and a list of users to mention.

I wrote a wrapper for the library with a simple API to manage settings in the WordPress dashboard.

Unless there is a drastic change to WordPress's plugin system these apps will always work. Even if there is a change, pretty much all the code that WordPress cares about is displaying the settings page and receiving AJAX requests.

It might not be by the book but it's faster and in my opinion, pretty logical. This way apps are portable and can be transferred to other platforms easily, not necessarily other WordPress sites on shared hosts but they're custom so that isn't the point.

* Edit to say, I wouldn't recommend any non technical user maintain a WordPress e-commerce site, anyways. Square makes it so easy, hosted secure and has tools for inventory and other things, too. All included in standard credit card processing fees.

I'm sure they aren't the only ones but I was amazed at how simply someone could set up a site, as I know someone who has a store and uses square for payment processing already.

> It's common sense / best practice to have a second server to test updates on, that's what I do. Given I only have 12 plugins with a handful active on each site, it doesn't take too long. I also add and develop plugins on the second server.

WP specifically makes this non-trivial, because post and db data has hardcoded path info in it. Export/import a database? You have to make changes to it. For something that is 10 years old... an import/export system that acknowledges the reality of plugins and separation of data would be nice.

SSL? When you're running wordpress, and you think "I want everything to be SSL"... you look for a plugin. I wouldn't and don't, but this particular system was something I inherited.

20+ plugins in WP systems seems to be something I run into far more often than the "expert dev/ops guy who knows about SQL and can handwrite in 5 plugins what takes 15 by normal folks" systems.

I think you're in the minority when it comes to being able to be 'good' with wordpress. As I was suggesting before, part of the appeal in wordpress is there's a low common denominator. Someone who came across your WP code that used custom tables (instead of throwing EVERYTHING into either wp_options or post_meta)... they'd be lost. Honestly. Really. I see it quite often. People writing plugins and themes and selling WP solutions not having the foggiest idea how to write or use SQL.

"Square makes it so easy, hosted secure and has tools for inventory and other things, too. All included in standard credit card processing fees."

This particular client was sold on "you can customize everything in woo/wp". There were a number of technical things they wanted to do which Square and others do not do, and they'd already tried with other hosted solutions as well (3dcart, for certain, and maybe another).

What we inherited (and what I normally get in most projects that get referred) is an undocumented mess of stuff that is not in version control of any sort, a mishmash of various versions of libraries, etc.

CAN you build 'decent' code in WP? Without a doubt, it's possible, but the defaults still go against commonly accepted dev practices. The more configs go in databases ("wp_options for everything by default"), the harder migrating between various environments is (I can't just pull code, for example, because db configs are required for everything to run correctly). That's not insurmountable, but you're working in an environment where these common tools and practices are a) not provided and b) not-understandable or accessible by the majority of the developers in that community.
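The hardcoded path data mentioned above is what makes the staging-server workflow awkward, and it is an added example here, not from the thread: WordPress stores PHP-serialized arrays in wp_options and meta tables, and those carry byte lengths, so a plain search-and-replace of the old URL leaves stale `s:N` lengths that PHP's unserialize() rejects (WordPress then silently drops the option). The script rewrites the lengths as it replaces and includes a small validator to show the difference; the option row is constructed and the function names are my own.

```python
"""Serialization-aware URL replacement for migrating WordPress databases."""
import re

# Byte-level heads of the PHP serialize() format: strings carry a byte length,
# arrays and objects carry an element count.
STR_HEAD = re.compile(rb's:(\d+):"')
ARR_HEAD = re.compile(rb'a:(\d+):\{')
OBJ_HEAD = re.compile(rb'O:\d+:"[^"]*":(\d+):\{')


def replace_in_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside every s:N:"..." body and rewrite N.
    Container counts are untouched because they count elements, not bytes.
    Limitation: a serialized blob nested inside a string is treated as opaque."""
    out = bytearray()
    i = 0
    while i < len(blob):
        m = STR_HEAD.match(blob, i)
        if m is None:
            out.append(blob[i])
            i += 1
            continue
        start, length = m.end(), int(m.group(1))
        body = blob[start:start + length]
        if blob[start + length:start + length + 2] != b'";':
            raise ValueError("malformed serialized string at byte %d" % i)
        body = body.replace(old, new)
        out += b's:%d:"%s";' % (len(body), body)
        i = start + length + 2
    return bytes(out)


def _parse(blob: bytes, i: int) -> int:
    """Return the index just past the PHP value starting at i, or raise."""
    t = blob[i:i + 1]
    if t == b"N":
        if blob[i:i + 2] != b"N;":
            raise ValueError("bad null")
        return i + 2
    if t in (b"i", b"d", b"b"):
        return blob.index(b";", i) + 1
    if t == b"s":
        m = STR_HEAD.match(blob, i)
        if m is None:
            raise ValueError("bad string head")
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError("string length does not match body")
        return end + 2
    if t in (b"a", b"O"):
        m = (ARR_HEAD if t == b"a" else OBJ_HEAD).match(blob, i)
        if m is None:
            raise ValueError("bad container head")
        j = m.end()
        for _ in range(int(m.group(1))):
            j = _parse(blob, j)  # key
            j = _parse(blob, j)  # value
        if blob[j:j + 1] != b"}":
            raise ValueError("unterminated container")
        return j + 1
    raise ValueError("unknown type %r" % t)


def is_well_formed(blob: bytes) -> bool:
    """True if PHP's unserialize() would accept blob (lengths and counts agree)."""
    try:
        return _parse(blob, 0) == len(blob)
    except (ValueError, IndexError):
        return False


def looks_serialized(value: str) -> bool:
    return re.match(r'^(?:[aO]:\d+:|s:\d+:"|[idb]:|N;)', value) is not None


def migrate_value(value: str, old_url: str, new_url: str) -> str:
    """Rewrite one database cell: serialized values get length-aware
    replacement, plain text (post_content, guid, ...) a normal replace."""
    if looks_serialized(value):
        fixed = replace_in_serialized(value.encode("utf-8"),
                                      old_url.encode("utf-8"),
                                      new_url.encode("utf-8"))
        return fixed.decode("utf-8")
    return value.replace(old_url, new_url)


# Constructed wp_options-style row, not taken from a real site.
SAMPLE_OPTION = ('a:2:{s:4:"home";s:23:"http://dev.example.test";'
                 's:5:"items";a:1:{i:0;s:29:"http://dev.example.test/a.png";}}')
OLD_URL, NEW_URL = "http://dev.example.test", "https://example.com"

if __name__ == "__main__":
    naive = SAMPLE_OPTION.replace(OLD_URL, NEW_URL)
    safe = migrate_value(SAMPLE_OPTION, OLD_URL, NEW_URL)
    print("naive ok:", is_well_formed(naive.encode()))  # stale s:23 / s:29 -> False
    print("safe  ok:", is_well_formed(safe.encode()))
    print(safe)
```

Lengths are byte lengths, so the UTF-8 encoding step matters for any non-ASCII content; the same function can be applied to every text column of a dump before import.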

I think you're missing two things: (1) there are clients who demand administrative access, and since they pay the bills, they get it (2) maintainability. As much as I detest WordPress, and as garbage as many of the public plugins are, what would be even worse is having my team take over support for one of your sites with your custom plugins. Ramp up cost is a very real thing.

I suppose so. I like to think my custom plugins are well written and maintainable. I attribute this to the fact that I identify as a JavaScript engineer with some classic OO tendencies (shout out to Gilfoyle). More or less I write JavaScript and Java/C# so I'm not some dipshit writing WordPress plugins w PHP/Wordpress as my first and only language and framework.

The nicest plugin I've seen [code wise] is the Jasig CAS authentication plugin, and for that I had to modify it to specify the behavior I wanted (custom 500, 501 screens, don't upsert user). So, whenever an update comes around I have to either ignore it or modify the code. Honestly, I think that's even against the license since I didn't publish my changes.

Absolutely - and by the way, I was in no way knocking you or your code! The level of polish or viability of a custom plugin for us would just be secondary to the fact that it was custom to begin with - that's all I was trying to get across.

>So, why so many plugins? Am I missing something?

Many people treat WordPress as a fully featured CMS/CRM that runs their entire business. They often have multiple complex custom developed plugins.

You can build whatever you want in your theme and build admin for it using custom post types. If you just trawl the bottom of the barrel for any plugin that does kind of what you need, you're going to end up with a nightmare like what you describe.

"the bottom of the barrel for any plugin that does kind of what you need,"

Many of those "bottom of the barrel" solutions are someone else's attempt at building "whatever they wanted" with custom post types, theme options, etc.

Dismissed Wordpress for many years, then I found WPEngine (I know, mentioned below, but I have some points to make). Edit: Not affiliated with them in any way. Just a really big fan.

My number one reason for WPEngine is their excellent support, both in terms of response times and general knowledge. They have never let me or a client down.

My time is money (or the client's money). Yes it's much more expensive than self-hosting, but my hourly rates are much more than their professional plan costs each month. One unfortunate issue and they'll spend more on paying me than they'll save on hosting elsewhere for a year. This is also how I "sell" WPEngine to new leads. It's not a hard sell.

I now have 12+ client sites there. Some several years and none have suffered a single issue of a compromised site. I've actually used WPE's (free) service to migrate compromised sites to their platform and get them cleaned as a feature to garner new clients.

The WPE interface allows me to switch between them in an instant. Add to that general performance/caching, security/firewall, automatic updates, daily snapshots and reverting to a previous version with one click, on-demand backups, the staging site functionality, free automated SSL certs, CDN (pro plans), etc etc

It has come to the point that I don't accept any projects that don't agree on hosting there.

PS Fought battles with many different CMSs --e.g. don't even get me started on Joomla or even Drupal-- and don't believe that wordpress is any more vulnerable than other CMS sites. Moreover, there are so many WordPress developers out there, that I can safely promise that me getting hit by a truck is really not a problem.

Edit 2: I limit plugins to the absolute minimum. I avoid free plugins whenever possible. Buying highly rated plugins with support from places like ThemeForest is really really useful and well worth the money.

I love wordpress, but I don't love PHP, updates, security flaws, or hosting. I haven't done it yet, but I'm considering using the Simply Static plugin[0] to migrate to generated static pages from my wordpress instance, which sidesteps all of those problems.

[0]: https://wordpress.org/plugins/simply-static/

I would also look into the myriad of static site generators that are probably much faster than the WP static site plugin and use modern tools and libraries.


Roots is mentioned, but the team has since developed Spike which is built on a more modern stack:

This all defeats the purpose of using Wordpress and making it user friendly for clients.

Wordpress could solve a lot of security issues by using a newer version of PHP, but they are scared of breaking legacy items. Also using things like Wordfence and Cloudflare solve most of the basic Wordpress security issues.

> Wordpress could solve a lot of security issues by using a newer version of PHP, but they are scared of breaking legacy items.

There's nothing stopping you from running it on PHP 7.1 (and we are on our client sites). There's not a great amount that could be gained by WordPress (the project) by dropping support for the older versions; the main gains would be namespacing and closures.

That said, I do think it's time to drop 5.2 support. 5.2 is down to single digit percentages: https://wordpress.org/about/stats/

I've looked into Jekyll before, but I'd prefer to use a plugin for ease of migration and Wordpress's user experience.

Because people who don't actually know how to build websites are fooled into thinking they have a tool that will fill that knowledge gap, despite the security implications that they are oblivious to.

It's the first choice among a huge number of web devs though, which seems contrary to it being that the person deploying it doesn't know better.

It's the Microsoft Word of Web Content Creation, if the people you're building a site for have any pre-existing experience with creating and editing content online it's probably with Wordpress. That puts it ahead of 90% of the opposition off the bat because the client is already comfortable with the platform. Developers like programming more than they like teaching people how to use the sites they built.

When I make a site for a client, I can't always guarantee I'll be available in 6 months, 2 years, 5 years, whatever. Using PHP and Wordpress guarantees they'll be able to find developers in the future.

People keep saying wp is bad. Ye it is from your point of view. But there are maybe billions who have no clue how internet works but they want a site/blog/shop whatever. Many of them don't even think about paying someone to make a website, or pay for tools.

So they pick wordpress: 1 click install in cpanel, no html, css, js, php knowledge whatsoever, pick a free theme from millions of themes, pick plugins from millions free ones, done. Maybe a bit of google to personalize it but that's it.

What do you offer devs who can make a quick 50 bucks in afternoon installing a plugin/theme, or even 100 for a quick website with admin panel and all that easy stuff?

There is a market for everyone and cms's will live one way or another. The simple & free stuff will always be more successful.

I don't think anyone is questioning that WP fills an important niche. The problem is that as used in many cases, it has some serious problems. Being able to "pick plugins from millions free ones, done" is great UX out of the box and terrible in the long term when the inevitable compromises and lack of support sets in.

I used to have a WordPress-based blog. It was indeed a nightmare to keep up to date, until a bit after version 2, where they included the option of automatic updates, and the whole thing was a bit more manageable. Not because it was too much of a problem before (download the compressed file, uncompress, move to the correct folder), but because sometimes an update came out and I didn't notice. Had malware installed once, was a nightmare to get rid of.

For a variety of reasons, the blog crashed and when I started a new one, I chose Pelican[1]. Haven't looked back.

[1] https://github.com/getpelican/pelican (linking to the github repository because the main site happens to be down https://github.com/getpelican/pelican/issues/2079).

Another not-WordPress alternative is a software called NibbleBlog [0] which is nice because it's also written in PHP and will likely be easy for existing wordpress admins to deploy. No change in tooling. This also doesn't require a DB, it can run from flatfiles.

[0] - http://www.nibbleblog.com/

>This also doesn't require a DB, it can run from flatfiles.

How difficult would it be to get WP to run off of sqlite? I'm not familiar with the code base to know.

No idea but from the one time I've looked into the code base I'd say that if it takes any modification of the source: very difficult unless one of the code maintainers is interested. Honestly, go take a look, it was very scary. That's why I switched away from WordPress. A friend and I got attacked by some bots that did some emailing through our sites. After that I switched off and he did some intense web-admin work to make sure "it was never going to happen again" (tm).

NibbleBlog was drag and drop. My friend went to hell and back to fix these exploits. WordPress has more features but also more ins-and-outs to learn. The choice is up to you if it's worth it.

Also from what I remember NibbleBlog stores JSON files and doesn't use SQLite in flat-file mode. Very handy.

> How difficult would it be to get WP to run off of sqlite?

Hard, but not impossible. WP has a pluggable database connection class that you can override, but it doesn't have a DBAL. You'd have to modify queries to remove MySQL-specific things.

It is possible though: https://wordpress.org/plugins/sqlite-integration/

WordPress is fantastic for what it was meant to be: a blog. When people try shoehorning it into e-commerce and other things it turns into a real mess. There's no real structure to the application itself, which leads to promoting a procedural, "dump everything in a functions.php file" type of programming.

Wordpress (with auto-updates enabled) + modsecurity with the owasp ruleset = I've never had a problem. I'm sure if someone targeted me specifically that statement wouldn't be true, but I don't fear having a Wordpress site on the Internet at the moment.

I never got into WP, but had multiple good experiences with Drupal. The problem for me is that WP gives you a good foundation, but if you don't know how to develop on that foundation, write your own plugins, or control your own security, you end up doing what 99.5% of the people do that use WP:

1 - use a cPanel "one click" install of the CMS from your web host

2 - start looking for plugins to give you the functionality you want

3 - install said plugins without sand boxing them or even testing them for vulnerabilities.

4 - end up getting hacked and then wonder what happened

It's true that for the most part the WP core is pretty solid, but it's the billions of sketchy plugins that people use that create vulnerabilities and allow their sites to get hacked.

Anyone who invested in Drupal 6 got screwed because they only support one backwards version and Drupal 8 is a non-trivial migration and even Drupal 7 requires conversion of code.

One of the great things about WordPress is the plugin ecosystem. This is also something of an Achilles heel, especially when it comes to security. WordPress seems to attract a lot of lowest-common-denominator coders who create plugins. So while the WordPress core is now pretty solid when it comes to security, the various plugins are almost never coded to the same standard.

I have to wonder if WordPress added a small cost and verification system at front, similar to the app store, if third-party code would be of higher quality.

There is a lot more process around plugin submissions and how they get listed than there used to be. See https://developer.wordpress.org/plugins/wordpress-org/detail...

An alternative would be for plugin authors to achieve a Core Infrastructure Initiative Best Practices Badge, which is free and shows a commitment to secure coding.


Disclosure: I'm the co-author of the badge at the Linux Foundation.

Is there a single plugin that has been granted the badge?

The policy docs don't seem specific enough in areas where plugin developers need help (i.e. don't use superglobals, raw SQL or PHP scripts outside of the plugin load process) while being an overburden in less important areas (i.e. requirement that each project have a security expert, and CI builds).

Having an audited plugin repository for Wordpress is an idea I've had in the back of my mind for a while now. I believe it's something a lot of businesses would pay for.

The badge project is less than a year old, and there are several WP plugins registered, though none at 100% yet: https://bestpractices.coreinfrastructure.org/projects?q=Plug...

I agree that a big part of wpengine's value is the validation they do of certain plugins. A business model that could charge for information of which plugins are most safe would be challenging.

The goal of the Badge project is to incentivize improved behavior by the plugin authors.

Some WordPress plugins have started working on getting a CII best practices badge. None have gotten it quite yet, but there's no reason they can't. There's no cost for the badge, and the criteria are general "common sense" criteria that most people would agree are reasonable.

That shouldn't be surprising. The CII badge process opened in May 2016, so it's only been available for about half a year. I expect that most WordPress plug-in authors don't even know about it (yet).

> I have to wonder if WordPress added a small cost and verification system at front, similar to the app store, if third-party code would be of higher quality.

I think that's likely. At the very least, someone could run some static analysis on the plug-in with rules very specific to WordPress (e.g., "don't use superglobals"). That could really help.

However, there are many general "good things" that plug-ins should do. Trying to recreate a list of general good practices would take a lot of time, and be a pain (trust me!). Instead of reinventing the wheel for a list of general good practices, I suggest using the CII best practices badge identify general good practices, and then if you wish, create a separate list of rules specific to WordPress. That'd be much easier.

Disclosure: I'm technical lead on the CII best practices project. But it's still a good thing :-).
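A starting point for the WordPress-specific static checks suggested in the two comments above ("don't use superglobals", raw SQL), as an added example that is not part of the thread or of the CII badge project: line-level heuristics for unsanitized superglobals, $wpdb queries built by interpolation without $wpdb->prepare(), unescaped echo, dangerous functions and a missing ABSPATH guard, run over a constructed sample plugin. Rule ids, function names and the sample plugin are my own.

```python
"""Heuristic static checks for WordPress plugin source (added example)."""
import os
import re
from typing import List, NamedTuple

# Rule patterns. These are line-level heuristics for review triage, not proof
# of safety or of a defect; a production tool would parse PHP properly.
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
SANITIZER = re.compile(r"\b(sanitize_\w+|absint|intval|esc_\w+|wp_kses\w*)\s*\(")
WPDB_CALL = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
PREPARE = re.compile(r"\$wpdb->prepare\s*\(")
INTERPOLATED_VAR = re.compile(r"\$(?!wpdb\b)\w+")  # any variable other than $wpdb
RAW_OUTPUT = re.compile(r"\b(echo|print)\s+\$")
DANGEROUS = re.compile(r"\b(eval|exec|system|passthru|shell_exec|create_function)\s*\(")
ABSPATH_GUARD = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")


class Finding(NamedTuple):
    file: str
    line: int
    rule: str
    snippet: str


def scan_source(src: str, filename: str = "<string>") -> List[Finding]:
    findings: List[Finding] = []
    if not ABSPATH_GUARD.search(src):
        # Without the guard the file also executes when requested directly.
        findings.append(Finding(filename, 1, "NO_ABSPATH_GUARD", "missing ABSPATH guard"))
    for no, line in enumerate(src.splitlines(), start=1):
        code = line.strip()
        if not code or code.startswith(("//", "#", "*", "/*")):
            continue
        if SUPERGLOBAL.search(code) and not SANITIZER.search(code):
            findings.append(Finding(filename, no, "SUPERGLOBAL_UNSANITIZED", code))
        call = WPDB_CALL.search(code)
        if call and not PREPARE.search(code) and INTERPOLATED_VAR.search(code[call.end():]):
            findings.append(Finding(filename, no, "RAW_SQL_WITHOUT_PREPARE", code))
        if RAW_OUTPUT.search(code) and not SANITIZER.search(code):
            findings.append(Finding(filename, no, "UNESCAPED_OUTPUT", code))
        if DANGEROUS.search(code):
            findings.append(Finding(filename, no, "DANGEROUS_FUNCTION", code))
    return findings


def scan_plugin_dir(path: str) -> List[Finding]:
    """Scan every .php file below a plugin directory."""
    results: List[Finding] = []
    for dirpath, _dirs, files in os.walk(path):
        for name in sorted(files):
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_source(fh.read(), full))
    return results


# Constructed sample plugin, written to trip the rules; not a real plugin.
SAMPLE_PLUGIN = """<?php
/* Plugin Name: Demo Widget (constructed sample) */
function demo_widget_save() {
    global $wpdb;
    $title = $_POST['title'];
    $id = absint( $_GET['id'] );
    $wpdb->query( "UPDATE {$wpdb->prefix}demo SET title = '$title' WHERE id = $id" );
    $rows = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo WHERE id = %d", $id ) );
    echo $title;
    echo esc_html( $title );
    eval( $_REQUEST['code'] );
}
"""


def demo() -> List[Finding]:
    return scan_source(SAMPLE_PLUGIN, "demo.php")


if __name__ == "__main__":
    for f in demo():
        print(f"{f.file}:{f.line} {f.rule}: {f.snippet}")
```

Lines 6, 8 and 10 of the sample pass because they use absint(), $wpdb->prepare() and esc_html(); the remaining lines are the patterns a plugin reviewer would send back.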

WordPress is the most flexible and the most easy-to-use platform I've used. WordPress offers so many cool themes both free and premium. Here is the cutest WP theme I've ever found - https://www.templatemonster.com/wordpress-themes/monstroid2.... . It can be used for setting any website, from a simple blog to a full fledged e-commerce store.

The question should be "what".

Static HTML will often fit the bill

This is my everyday at the moment. WordPress's biggest success, in my opinion, is that it is synonymous with "website" for many incoming clients. I get "We need a WordPress site" far more often than "We need a website", and they're almost exclusively asking for the latter once we break down the business goals. Always feels like I'm starting from an entrenched position though.

Do you have a good way to let clients update their site if it's static? I'd love to ditch CMSs, but asking my clients to write HTML is a stretch and expecting them to sync changes over SSH is right out.

Yeah, absolutely. To be clear, we haven't ditched the concept of a CMS altogether, we've simply shifted the paradigm to get the client's focus back on managing content instead of managing a site.

Our current setup is using a static site generator (we're Rubyists on Middleman - https://middlemanapp.com/ - but take your pick here) to build the actual site. However, the content itself lives in a cloud-based CMS (we're on Contentful, but Prismic and Siteleaf are also good choices) - this is what the client has access to. During the build proc, the SSG polls the CMS and grabs all the latest content to package into the static site.

On publish of any piece of content in the CMS, a webhook hits our build proc (either Codeship or Netlify) which in turns fires a rebuild of the site (which in turns pulls down the latest content).

For us, the best part about the setup is that it's virtually impossible for the client to break the site. They could certainly make it look like hell - but they can't break it. On top of that, if they somehow, someway, manage to break the build by simply editing content, then the new site is simply never deployed.

Let me know if you have any more questions - I love talking about this stuff.

Oh, that's a great solution! Webhooks are probably the missing link, since I've already looked at and used generators. I could even host a text editor on a server for them; there are enough decent HTML5 editors that the UX wouldn't be an issue. Thanks!

WP felt like a good default 'go to' choice 10 years ago. Certainly, in the last 5, it does not feel that way to me, even though I still do use it for some projects (myself and my clients) but it's not a default, nor is it by any means the only tech stack I work in (< 10% of my work is in wordpress - various PHP and Java/Groovy make up most of the rest of my work).

There are a few things which don't get called out very much, but which were/are some of the underlying motivating factors for people defaulting to wordpress (perhaps as a more root underlying reason behind some of the 'large ecosystem' reasons people typically default to).

A primary one which gets overlooked is the fact that WP is about the only 'framework' of any sort in any tech stack which allows people to simply move files up to a server. There are no command line incantations to run, no npm/build stuff to use, no compiling, etc. It's about the only platform I can point someone to where they can do an install themselves, and still make modifications later (days/months/years later). Many do 'one click' installs via cpanel or whatever, but even outside of that, the process to install and make changes later is about as basic as you can get - editing and moving files - nothing else needed.

Secondly, in the realm of web frameworks (whether we describe it as one or not, wordpress is indeed a framework, albeit possibly reluctantly for a while), it's one of the few that comes with a username/password/registration process ready to use, out of the box. Anyone looking to build any extension/plugin can count on a standard user/pass/registration/recovery process being there. Most other web platforms shun this most basic aspect, comparing their routing options and ms-oriented benchmarks. I think ASP.NET MVC v4 came bundled with a standard user/reg system?, and one might throw Drupal/Joomla in that camp too. Outside of that - certainly all the major PHP platforms for years - symfony, zend, kohana, code igniter, ez, etc - all gave you parts, then told you to build it yourself. Typical rationale was "everyone's needs are different".

So... people 'build it themselves', thinking their own needs were 'different' from everyone else's (hint - vast majority of times, they're not), then we wonder why things get hacked, and point the finger at the devs themselves who... shouldn't have to be reinventing that wheel every other month. Devise in Rails seemed to have been a go-to for a while, and many other languages tend to coalesce around 1-2 frameworks and 1-2 user/auth libraries, but the PHP world is just too damn big for much consensus...

Except in Wordpress. Whether it's good or not, it provided enough of the basics in a standard way to become the basis for people to build on. And... build they did - often extremely poorly (no, really, not everything should necessarily go into 'wp_options' - session data? really? and I have to run my own stuff to clean it up?)

These low barriers to entry have been at the root of why WP has gained so much popularity and control.

I certainly know there are 'good' ways to develop with WP as a basis, if you wanted to. And some people really want to. But doing things too 'correctly' from a dev standpoint (migrations, testing, dev/staging/prod setups, etc) means you're now fighting against the WP core principles of 'move files up and execute'. The core of WP doesn't support these concepts, and tacking them on feels... tacked on. You're also alienating yourself from the 99% of wordpress developers (in every sense of that word) who do not even understand those concepts in the first place - they will never be able to use or contribute to your code/project/tool. At some point, doing things the 'developer' way conflicts so much with the core ethos of WP, that you're fighting the base, and there's probably not much benefit (outside of latching on to the name recognition) and you're probably better off in another tech stack.

WP itself providing some 'blessed' approaches for creating plugins with testing processes, standard/defined way of importing/exporting plugin data, and other attendant issues around plugins would solve problems for larger-scale developers/users, but might very well alienate many of the folks who were earlier adopters. But... at this point, where else would those folks go?

If you have an existing web application (i.e. Rails or Django) and need to add in CMS, Wordpress becomes suboptimal very quickly. If you're doing work for a client website, they want you to spend as few hours ($$$) as possible launching a CMS. For that there are modern API-first CMS like https://buttercms.com that were built to quickly integrate into any tech stack. Which means you remain very productive working in technology you're comfortable with instead of learning PHP (in the event you're well versed in Ruby or Python, for example).

I hate wordpress. Always having to be updated, plugins that fall behind or also need to be updated, duplication of images instead of using original and styling or scripting it instead - same image creates 30 images in some templates. Change a template and things break. I've never understood why people keep touting it.

Can we talk about the action/filter hell, the mess that is wp_query and the hackish way to get structured data integrated in wp (see acf for example)? Digital agencies love wp, and you will always get to use it in a non-blog way with messy plugins and themes, and this is a pain.

Or you can dump it on medium, which looks better on mobile devices and looks cooler in general.

I'd love WordPress to be on GitHub rather than squirreled away on... Actually I have no idea, I've never actually found it. I bet you can't find it within 2 minutes from reading this, go on, give it a go...

Told you. Get it on GitHub and watch how much better it becomes.

Also sorting out the versioning would make it more usable.

There's a mirror of it at the obvious place[1], with instructions on how to contribute in the header.

This took me the time it took to type in the URL as a guess. "wordpress github", "wordpress source" both have this as the first result.

[1]: https://github.com/wordpress/wordpress

Because you want to get hacked.

Umm, wordpress is a useful widely supported lowest common denominator

I'm looking at the "dead" comment by PravlageTiem. I understand that PravlageTiem was being sarcastic, and some people feel that sarcasm undermines the tone that is supposed to prevail on Hacker News. But still, PravlageTiem raises an important point:

WordPress has historically been a security nightmare.

Possibly there was a tone of anger in the way PravlageTiem expressed themselves, but the security flaws in WordPress are worth discussing any time that WordPress is discussed.

Certainly, when I have a freelance client, and they ask me "Should we use WordPress?" I typically answer with some long version of "It has a good admin section for non-technical users, and also designers love it, but it also has a lot of security flaws."

I'd love to move client's mostly static sites to Pelican or Hugo. But that means that every time they want to tweak something that isn't content, I get a phone call. So I stick with locked-down* versions of Wordpress, configured to automatically update, and hope for the best. So far, I haven't had any trouble, but if a site did get hacked, I have backups on hand to deploy a new server in seconds.

*Besides best security practices for the server, database and Wordpress install, clients aren't allowed to install new plugins or tweak the actual source code. The lightweight UI customization that themes provide is usually enough.

This is exactly the reason why I'm building Pragma (it's a static site builder with client focused UX) http://www.laktek.com/2016/11/29/introducing-pragma/

Awesome. Signed up for the beta.

Cloudcannon provides a similar service for Jekyll, which we use for our public facing site

Yeah, I wish I could recommend WordPress to people because it's really nice at what it does, but the security flaws are too serious. The fact that it takes months for them to fix serious vulns reported to them only makes it worse.

Seriously, there are youtube tutorials about 'How to Hack Wordpress.' It can't get much worse than that:


How about putting a tool like Incapsula on top (free option offers 2 factor authentication) which makes hacking just a bit harder.

2 factor authentication is great, but it won't stop an attacker from using an XSS attack to get the authentication cookie.

In general, security isn't something that can be tacked on as an afterthought, it has to be built in from the beginning.

> WordPress has historically been a security nightmare.

This. And all this started around the same time - in 2006 -- when Stefan Esse, the PHP security expert "resigned".

In a blog post in 2006 (that can no longer be found) Esse was quoted as saying he quit "because among other things they were resistant to his finding bugs in PHP, and had refused to patch some of the bugs he found."

PHP is the backbone of WordPress and none of the core team members have taken any of its security holes seriously, many of which can be traced back to PHP's security holes. They simply come out with "It's the Plugin-Developer's fault" every few months when a security hole is found.

I don't think it's in their best (business) interest to fix WordPress' security holes any time soon. Because Matt Mullenweg, and other "Wordpress Security" companies like Sucuri Security, even WP Engine, all charge an arm and a leg (WP Engine is $100 a month for a simple blog serving < 25K pageviews a month) by selling "Peace of Mind" security with Wordpress if you use them / host with them.

I believe you're referring to Stefan Esser. The blog post in question can be found here[0]


> WordPress has historically been a security nightmare.

And the Sistine Chapel is a country church.

The bad guys of the world do nothing but find new Wordpress installs and take them over. It's a mess. I'd love to see the next year of Wordpress releases spent on nothing but fixing internal security issues and dealing with some of the upstream PHP stuff.

50% of my inbound traffic is people trying exploits.

If Django (for example) was as popular and as user-friendly as WP, there would certainly be DJEngines out there charging what WPEngine charges. It's not about security problems, it's about the fact they charge less than I (for example) can. For my clients to get from me what they get from WPEngine would easily be $1000/month, rather than $99.

One of my clients spends $99/month on WPEngine, and $5-20K per month on the advertising and social media that brings in all their new traffic. They have five people on staff, who probably cost $80-100K per month. $99 for WPEngine is a blessing--it frees them up to think about what's important, rather than wondering whether their tech provider is handling backups.

Your arguments about WP security are not strengthened by the point about WPEngine costs.

$25/mo. The $100/mo package includes up to 10 sites.


For context, here's what the dead comment says:

""" Because its ability to generate a limitless supply of zero-days makes it easier for us in San Francisco to go after blogs we don't politically agree with.

Isn't that right, Mr. Altman. :D """

That's why wpengine is such an excellent choice for a lot of users.

On the topic of PravlageTiem, the issue of WordPress' security flaws seems to be incidental to his attempt to accuse Sam Altman of censorship. If I had to guess, that would be why the comment is dead. I wouldn't call that sarcasm.

Even with WPengine, security issues are a very common thing. WPengine can keep some things up to date, but plugins and themes are exploited often. Worse, an enterprise deployment at scale is a huge nightmare. Exploiting WP sites on HackerOne can be a very profitable business for many.

Not to mention, it doesn't matter if things are kept up to date when Wordpress takes months to issue a patch for critical security problems.

> wpengine is such an excellent choice for a lot of users.

Here we go! Like I stated in my comment, companies like WP Engine, Sucuri and others can easily charge $100+ for what costs < $5 to host, because it's wordpress and they "guarantee" a secure un-hackable website.

Fear is a great motivator.

Another great motivator is that $30 or $100 is utterly trivial in the context of any website that has some actual business value and investment in its content and design. I know we're all conditioned to think web services should be nearly costless but I happily pay my WPengine bill for multiple sites every month and consider them keeping an eye on things a very good value for my fairly nominal expenditure.

WordPress out-of-the-box is pretty secure, and there's a team who actively work on security, including a specific security lead. The main issues most people run into are with security of plugins and themes.

This is basically a result of plugins and themes being run as part of the main process (they're just regular PHP code), which is, practically speaking, unavoidable.

That's not to say that WP is 100% impenetrable, and any large and mature software is going to have bugs, some of which may turn out to be security-related. The best defence against that is regular updates (inc. auto-updates, which are built in).

(I work at an enterprise WordPress agency where we build large sites for large clients (media orgs, banks, etc). I'm also a committer to WP core, and hence on the WP security team. I'm also one of the leads on the WP REST API project, and was running the HackerOne project until the API was merged into WP.)


Problem(s) solved.

Disclaimer: not affiliated in any way.
