Counterpoint: I've had a Wordpress blog for almost 20 years, I've never paid anyone a dime. I don't know PHP, and I only use two plugins, both of them free. With a little bit of Googling you can just hack together whatever you need, because there is a lot of documentation for Wordpress. The author is a web dev, so I'm surprised their first thought was that they needed a plugin to load a font.
It's because customizing a Wordpress theme is a daunting task at first, especially if you try and use the builtin editor instead of taking a theme and stripping it down. WP's page layout and templating is... Different. Which is why it's turned into its own specialism / industry.
Again, though, we're talking about a web dev who had previously been managing their own hand-rolled blogging solution.
Something like sticky menus should be trivial for any web dev: find the menu you want to make sticky in the web inspector. Modify the styles inline until you make it work. Grep the theme for the selector that you modified. Copy your modifications.
It's because you don't want to leave a pile of shit for the next person to clean up. If you're maintaining code, and a function seems to be returning the wrong value for the ticket/bug you're investigating, do you comment out the whole function and just return $right_answer, or do you investigate what's going on so that the function is returning the wrong answer for a given set of args.
By that same extension, a custom hacked up theme is the "return 4; /*" of site maintenance.
By using a plugin, the person that follows you doesn't have to be a webdev who could float a css div blindfolded.
Do you manage the Wordpress blog installation yourself?
As part 2 will detail, the whole purpose of switching to Wordpress was to reduce the work load of building/maintaining the site. I fully agree, Wordpress is swimming in tutorials, docs, and sometimes guides disguised as advertisements for a paid theme.
Re. changing fonts - My actual first thought was 'Surely I just need to find the settings in WP that lets me change the theme's font', and my experience was that Wordpress did not 'natively' support this.
As someone who is on a, uh, "sabbatical" from programming after 10 years making WP work for gov, edu, and various businesses I have worked on many hundreds of WP sites.
I still use it for my personal blog and for marketing my various projects.
The article doesn't have a lot of meat, but I think the title alone was interesting.
My primary issue with the WP ecosystem is how folks end up paying for GPL software.
Leaving aside my opinions about the actual legal weight of commercial plugins in that ecosystem, having a bunch of systems with un-patchable software (until you pay for the latest release) has caused a whole lot of problems for the world.
There are other problems with WP of course. I'm completely burned out on trying to fix things with it, so hopefully I can find some other work when I get done trying to be a musician.
However, I find the community is quite unique in its lack of tolerance for the idea that GPL means GPL.
I started my career on Wordpress. In a lot of ways it was where I learned to program. I'm surprised you stuck w/ it as long as you did, guessing the cash must have been pretty good. To me once you're deep into the internals and writing your own plug-ins you might as well just build something custom. I think it's a good middle ground for someone technical and willing to put in a lot of time but not the know how to truly make something custom.
Indeed, money was okay and I was remote and full time w/ 30-hours and benefits for 7 years of that. I asked for a raise given the economy and was denied, so f- it :D Now that my kids are grown I can afford to be a sound engineer and musician.
If I were introducing young folks into building stuff for the web (and I am considering doing that locally), WP would be my platform of choice for the reasons that you state. It really isn't bad if you are doing mostly what it is designed to do. It's got a lot of horrible parts to the code base, but if you never have to touch them (and there is a lot of equally shitty code written to aid in that effort) then it doesn't really matter.
However, if you're integrating an ERP and a SSO system that has many thousands of users, it gets to be a bit hairy. You're correct that at a certain point a wholly custom solution makes sense. But if the shop where you're working is married to WP because that is where all the success stories they know how to tell live, then WP it will be.
WP has had so many major compromises over the years I gave up on it and adopted using Drupal as a framework. I think Drupal focuses far less on for-sale modules and themes, which makes it far less exploitable. The way themes and modules are implemented is more secure than WP as well, and there has been a pretty good community running Drupal for many years now.
A lot of people try to impose the same kind of "name brand" identity on open source software, and it just doesn't work. Underneath, it's based on the same code and libraries, and a lot of the time it's vulnerable to human agenda and human flaws.
You might as well just have whatever normal for-pay license. The reason it is an issue is not just that it's not legitimate GPL (which is ethically wrong to me- it's literally stealing from a community).
The issue is that it splits up the repos which messes with the upgrade structure. That's fine until you get a security issue and the community can't collectively update to mitigate the issue until the people using the software have paid for their licenses.
To your point about rebranding stuff, people do that but it's not discussed often in the community. Personally, I feel like white-labeling people software sounds like a community service.
But there really isn't any money in that and it's shunned by the community, so you get a lot of malware created (which is, once again, a problem created by the culture around selling GPL software as if it were closed-source).
Anyhow, other than a few large plugins, the people making real money in the space are doing custom work and leveraging the open source, which is the "real" solution and what folks are doing in other ecosystems as far as I can tell. There are plenty of folks making money off "commercial" WP plugins, but IME that's not the main source of income into the economy around WP.
So selling GPL software is unethical, but selling proprietary software is? That's an unusual point of view!
I don't have WP experience and don't understand what "splits up the repos which messes with the upgrade structure" means. I can sort of understand the argument that not buying a new license can prevent upgrades, but, I still think it's within the spirit of the GPL. As a user of said plugin, you can choose to make the necessary changes yourself (or hire someone for it). Or look for a gratis alternative.
To me it sounds like the GPL is doing exactly what it was designed for.
I've seen enough cases where folks have paid to "get around" some problem and it's ended very poorly, often requiring extensive work that could have been done correctly the first time with some bespoke code instead of many layers of kludges.
Could just be a problem with low-rent software dev in general, but the plugin ecosystem does more harm than good in that area, at least IME.
Clever title, not a lot of meat here. I have this same reaction whenever I try a new tool. How do I do this? Does it require an addon? What are the upgrades? All pretty basic 101 stuff for a new user. When I jump from WordPress to Shopify, Wix, Squarespace, Weebly, I have all the same questions and frustrations.
A fair point - I had the intention of publishing them all together and got distracted. I thought I'd share the post here, as I now actually do have all the parts lined up and will have them ready within the next 2 weeks.
>"For each of these design problems, I eventually found a fee-free solution:"
Sticky – WordPress 6.2 (released in March this year) adds native sticky support.
Non-standard font – Twentig plug-in.
Latest 3 blog posts – Team Tangible's Loops & Logic plug-in.
Gallery Lightbox – dFactory's responsive lightbox and gallery plug-in.
And here's the problem with WordPress. That's literally 4 lines of CSS and two lines of PHP, for which the author has now exposed themselves to four separate third party plugin developers that he must trust explicitly forever.
I'll grant you the sticky, the font, and heck, I'll even toss in the latest 3 blog posts too, but how in the heck is a gallery lightbox anywhere near 4 lines of CSS and two lines of PHP?
And unless I'm missing something, doesn't injecting PHP either require a plug-in or actively building on to a wordpress component?
>but how in the heck is a gallery lightbox anywhere near 4 lines of CSS and two lines of PHP?
Most implementations are massively bloated as a legacy from the jQuery days when that was necessary. CSS is incredibly powerful now, and the browsers are all evergreen, so it's pretty trivial to implement a pure CSS/HTML gallery:
This is fully featured, with indexing, scrolling, animation, etc., but you could slim that down even further to just a few lines for a simple automated slider. Obviously doesn't work if you need managed control, but 99% of gallery use-cases are just flipping through a homepage hero like the OP.
Appreciate the link. I agree that CSS has come a long way. Not sure I agree this carousel covers 99% of the use cases, if that's what you meant?
Regardless, my motivation was to implement as little as possible, as the whole motivation to switch to Wordpress was to not minimize what I'd have to build. I will make a note to detail that better in the future. Appreciate the candor.
When I was younger and much more into PHP as a language WordPress was a great fit for me. WordPress templating was rather obtuse for what's supposed to be a view layer and plugins made use of some pretty exotic APIs that I found hard to understand when not being knee deep in WordPress-land.
Recently I moved my static blog (what it's been since the WordPress days) to Django and Wagtail and my experience has been night and day. I think a big part of that is that Python is one of the languages I code in with some regular amount of frequency and that Django is one or two layers of abstraction below a thing like WordPress, which is much more appealing and intuitive for me as a programmer.
That's to say, pick a platform in a language you like and an abstraction layer that ensures you'll continue to have fun.
Good advice. For me, I found that I would on occasion just have large blocks of time away from my site, meaning any sufficiently complex contextual understanding to maintain it withered away. Hence my move to Wordpress which I plan to detail next.
Tell me you don't understand the difficulty of maintaining a really useful and complex free tool without...you know.
All the writer has done here is screamed their ignorance (which, to be fair, is not at all simple) of the complexities of using free/open source and also maintaining something huge and complex WITHOUT being huge jerks about it.
I do wish there was a simpler way to essentially do two tiers of "service" -- but for now, "you either 'pay' in terms of digging in and learning or you 'pay' with real money" seems pretty reasonable.
I find Wordpress on the whole incredibly useful and the functionality it does offer is great, not complex.
My issue is with the omission of what I perceive to be some basic and universally useful features. What's basic is - of course - subjective, and you're welcome to disagree.
As noted in my article, I share your preference with a basic paid tier just to get in the door.
I honestly like the Wordpress developer model. I’ve written themes and plugins. I’ve learned how to write tests for both. I like how they released the “wp-cli” so I can manage Wordpress outside the web GUI. It sometimes does feel a little janky in a lot of ways but it offers a lot of value as a framework.
Wordpress gets a lot of undue hate, imo. It just works, at least for me and my workloads. I worry I’ll encounter some legendary source of friction that turns many devs off to Wordpress but so far I haven’t. YMMV.
Is this post talking about hosted wordpress? Because it makes no sense at all otherwise (and even then…)
Wordpress is fully customizable. Why would you need a plugin to make a menu sticky?
Either I am missing something here or this OP was trying too much with its Star Trek references to actually understand how Wordpress works
I'm talking about using native Wordpress functionality on a managed service. Yes, Wordpress is customizable of course, but the goal was to consider the functionality provided in its basic form without payment, and which features required payment.
Granted, changing the CSS is straight-forward, but not necessarily for everyone switching to Wordpress.
No, not wordpress.com, but a managed hosting provider. That means that wordpress core is managed by the hosting company, but you can install any plugin or theme. In the article they compared it to wordpress.com, so I'm sure it's not about that.
Wow, you're right. It looks like they are talking about some other managed service.
That makes the post even more meaningless since they don't even say what managed service they are using. It seems they are complaining about what some unnamed managed service is charging them and framing it as criticism of WordPress.
What do you even mean by vanilla wordpress?
Get a hosting service with a DB for a couple bucks a month, install wordpress, do whatever you want with it by following the wonderful documentation that is anywhere on the internet.
What else is there to talk about?
Well, if you're talking about vanilla WordPress, the article doesn't make any sense. Vanilla WordPress is completely free. There are no fees for adding different fonts or any of the other things you say you were charged for. So if it's not a managed service charging you those fees, where are they coming from?
Wordpress core is quite secure, remove write access outside the upload folder. It contains sticky post now and the query block. A light box has varying requirements so there is not one solution but try the builtin gallery block.
And as the article mentions it has a healthy ecosystem.
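One way to check the "remove write access outside the upload folder" advice from the comment above, as an added example that is not part of the thread: the script lists paths in a WordPress tree that the web server could modify outside `wp-content/uploads`. The default directory layout, the function names and the `WP_ROOT`/`WEB_USER` environment variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for writable paths outside uploads.
# Assumes the default layout (uploads at ROOT/wp-content/uploads).

# wp_writable_outside_uploads ROOT [WEB_USER]
#   Prints every file or directory under ROOT, excluding the uploads tree,
#   that is group- or world-writable, or (when WEB_USER is given) owned by
#   WEB_USER with the owner write bit set. WEB_USER is the account PHP runs
#   as; a numeric uid is accepted.
wp_writable_outside_uploads() {
    root=${1%/}
    web_user=${2:-}
    uploads="$root/wp-content/uploads"

    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi

    if [ -n "$web_user" ]; then
        find "$root" -path "$uploads" -prune -o \
            \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 -o \( -user "$web_user" -perm -200 \) \) \
            -print
    else
        find "$root" -path "$uploads" -prune -o \
            \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 \) \
            -print
    fi
}

# wp_audit ROOT [WEB_USER]
#   Returns 0 when nothing outside uploads is writable, 1 when findings
#   exist (printed one per line), 2 when the scan itself failed.
wp_audit() {
    findings=$(wp_writable_outside_uploads "$@") || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run only when WP_ROOT is set, e.g. WP_ROOT=/path/to/site WEB_USER=<php user>
if [ -n "${WP_ROOT:-}" ]; then
    wp_audit "$WP_ROOT" "${WEB_USER:-}"
fi
```

A tree that passes with a web user supplied can no longer update itself from the admin screen, so core, plugin and theme updates then have to be applied by a different account.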
User discovers paid plugins from third parties, blames first party, completely ignores the plethora of free plugins and the ability to also add it yourself, manufactured outrage ensues.
Allow me to note that you only get to using plugins after upgrading your tier. Strangely, their lower tier plan is called 'Premium'.
Another fundamental thing requiring upgrade is access to the canonical address if you're using a custom domain. Control over canonical address configuration should be integral part of any paid plan, in any platform.
I hope the author goes more in detail about how the plugin "Loops & Logic" solved their need of listing the newest blog posts. Looks like it's a flexible templating system. https://loopsandlogic.com/
Huh, all plugins in the plugin repository are GPL compliant. If you can find one that isn't, please notify the plugin team, they will deal with it.
What you might mean is that there are GPL plugins that you can use with a third party service that you have to pay for. And yes, that is a grey middleground that is allowed at wordpress.org.
I wonder if 'hostile' is the right word, but I certainly agree that very functional things felt oddly missing. It is definitely super subjective as to what's 'very functional' and part of a basic package, but I'd definitely prefer an entry level cost and then have a more expanded base version of Wordpress.
I manage a network of 300+ WordPress sites. These vulnerabilities, are they in the room with you now? I'm joking of course but like Windows, WordPress is attacked because it's ubiquitous. Yet, here I am running a network of 300 sites with over 600 different plugins and hundreds of themes over a span of almost a decade without major issue. How is this possible? Should I pick some obscure CMS instead? (aka security through obscurity). WordPress has served my clients well despite being "riddled" with security holes.
Also, modern WP and WP from 10 years ago are very different beasts. Now most of the risk is in plugins, and if you're careful about plugins - it all works okay, without security issues.
I've been deploying WordPress for 10+ years and would agree. WordPress is much safer and mature, it's the plugins and sometimes the themes that are the problem now. But we monitor, and patch. No big deal.
That critique would be fair if I was talking about my one WordPress site but I'm talking about hundreds, maybe even a thousand if you count sites I've built that came and went. It's a pretty decent sample size (IMHO) both for the number of instances but also the time period (10+ years). And it's also not 300 clone sites, each one was built unique, and each has their own mix of plugins & themes.
Unless you manage every Wordpress site out there, you're biased.
YOU, are a technical person and understand the value of updates, vetting plugins, etc, yet a majority of these sites aren't run by people like you/me.
They are run by end users, with all of the baggage.
You have a point, to an extent. I wholly disagree with your stance on WP though.
It's got issues, numerous issues, and a majority of the sites aren't professionally managed.
You're worried about your fleet and that's great. I'm more concerned with the internet as a whole and Wordpress is just vuln after vuln.
I'm happy your systems are secure. That's great.
Unfortunately, that doesn't apply to the 1000s of installations done by amateurs, lax IT, etc. etc. that make the WP vulns a much bigger issue than the 300 you manage.
I'd say WordPress is worst in class for security, compared with all other software and all operating systems. WordPress even has a hidden folder for hackers to put plugins that will not show to administrators, unless you go browsing the file system! I've never encountered any worse software than WordPress for security and usability, and I doubt it is just because of it being everywhere.
It is amazing how much time and effort in the world that has been lost because somehow it became the standard.
Quality WYSIWYG editors and hosting tools will come back with a vengeance soon. As soon as austerity and efficiency returns to the economy.
Surprisingly I've run a handful of WordPress sites for 10+ years now, some with quite a few plugins for e-commerce stuff, and haven't had any issues with sites getting hacked.
I mostly think it's due to updating quickly, generally I update the next day and manage it all with a central service, and just not using unknown plugins that don't get updates.
I used to fix hacked Wordpress sites, top causes were:
* Using a plugin written by someone who has no idea how SQL injection attacks work.
* Failure to update WP/plugins after a known security vulnerability.
* Poor general security practices. Tip: don't use your domain name with the "o"s replaced by "0"s. Also, don't create a secret backdoor into your site because the owner has trouble remembering his password.
All good points, I've seen some sites with every plugin years out of date when I've helped friends with theirs, weak passwords, that sort of thing.
I've always done my own hosting too, just a minimal setup of nginx, php-fpm, and mariadb on a 1GB RAM VPS. That way I can keep the server side up to date with security patches, instead of relying on a webhost that may not do it.
Backups run nightly offsite, and I monitor the sites with Change Detection so if a plugin update does break something or in the worst case a site gets hacked, I know fairly soon and can either fix it or roll back to a backup.