Even the PHP developers have chosen to ignore WordPress in language evolution considerations, as the WordPress community refuses to do accept kind of progress for their project - they still use the unsafe, outdated mysql-API without parametrised queries, for example.
Whatever you do in 2023—if you can avoid it, don’t use WordPress as a CMS.
WordPress is the FLOSS alternative to Wix et al. It is the only practical software that enables people to create and self-host an online presence without having to type a single line of code, and without being beholden to a large centralized platform.
No, a static site generator that requires knowledge of Markdown and a few lines of bash doesn't count. A CMS that requires you to hire a professional to even get started doesn't count, either. It might seem strange to developers like us, but there are lots of people out there who are simply allergic to code. They can use PowerPoint and maybe even Photoshop, but show them a blank terminal and they'll just freeze. WordPress, on the other hand, can be navigated with a bunch of point-and-click, drag-and-drop, buy this and add that and change the options a bit. Just like PowerPoint, it barely works, but it works.
Very few people in our startup bubble seem to care about these "I want a website, but no code please" people, and when we do we often treat them with contempt. How hard can it be to copy and execute a few commands, after all? But apparently that market is large enough to attract a sustainable ecosystem of plugin and theme sellers. WordPress has this market completely cornered. It won't magically disappear just because it's built in crappy code. Understand the users, on the other hand, build a good alternative, and that billion-dollar market might become yours. :)
it wouldn't be hard to put together the base of wordpress in python on top of django. but hosting companies for decades cared only about mod_php and had no one click uwsgi/fastcgi solutions.
although this still doesnt answer why wordpress became king of the hill in the php ecosystem. was textpattern/drupal/joomla/etc that much worse/harder to use?
in the end wp just looked a tiny bit more professional and an easier name to remember for the masses. this technical dept will be paid for many years to come.
1-point-click installations failing, to failing standard templates, tutorials that are only for version 2 and not 3, because that's a video right now.
Talk is cheap, but execution is where it is.
Isn't that the entire point of Ghost?
That's the thing.. if you want to take down wordpress it should be something current wordpress users can easily install on their current hosting with zero extra config to do. No terminals no server settings to deal with.
A wordpress install is literally drag and drop the files onto the server with ftp and open the web address. Enter some details for the mysql dB via a ui and that's it.
After that there are thousands of themes and plugins that let you do anything from ecommerce to a drag and drop blog without much effort.
Can it? I can write code but I'll be damned if I can figure out how to make something that doesn't look like a fourth grader in an Intro to the Internet, 1995 Edition class made it.
If you own a wordpress site for your business and you want to change your dev or agency then you will have no problems finding people who understand WP and can work on/fix your site. It might cost you but you'll have no issues finding people to work on it.
Use anything else and you'll be hunting down people who can and want to work on it.
The other major issue is, the paid plugin ecosystem is vast in wordpress and because of that many problems can be solved with a plugin. The conversation typically goes "If this were on wordpress we'd buy this plugin for $xx and we'd be done in a few days, but it's not so we can build it for $xxxx and it'll take at least 2 weeks."
Client hears that and ends up on wordpress next redesign.
Code quality ultimately doesn't matter to site owners so long as the site works.
And yet, it runs 50% of all websites and 30% of all ecommerce websites.
...
Apparently it is not god awful. If running 50% of the web is godawful, anybody would want their software to be that much 'godawful'...
Empty elitism contrasting the actual reality of life and business...
At this point you will definitely think "Oh, but the people dont know about good code quality".
They don't. And they don't have to know. They know what reflects on their websites, businesses, actual livelihoods. Those who use WordPress are not disattached MBAs managing gigantic organizations. They are people whose lives actually hang on those websites and ecommerce sites. What the software does actually dictate their income, their livelihoods.
For that reason they absolutely don't care about any esoteric programming paradigm or code quality which is !supposed! to impact their livelihoods greatly, but for some reason, it just doesn't. Definitely not to the degree that the proponents of criticism like yours think it does.
Only WordPress came forward as the software that cares about those end users' websites, businesses, livelihoods, by prioritizing them instead of 'good quality code' or programming paradigms and protecting backwards compatibility as if the existence of the world depended on it.
Whereas all the other competing software and even actual services including large tech giants on the other hand, literally played with people's livelihoods by introducing backwards incompatible versions in the name of 'better code and programming' - breaking the websites and shops that those people's lives depended on.
And it turns out that you can break someone's website or ecommerce site by introducing backwards incompatible updates once, twice, and a third time you wont be able to do that because that person will have moved on to a software that doesn't play with his livelihood like it was a little hobby project.
That's precisely why WordPress won. While in mid 2000s all the competitors were breaking their users' websites by pushing out backwards-incompatible versions, WordPress fought tooth and nail to protect backwards incompatibility.
The result is trusting users and a gigantic ecosystem of plugins and themes that allows anyone to do literally anything they want. People became able to just click a button to install a plugin and make literally complex features happen.
What was happening on the side of competitors during that period? Well, they were forcing people to write entire freaking modules just to add one measly form on their websites. Because, 'coding paradigms'.
That's why the flower shop owner somewhere in Oregon runs his local flower business on his WordPress site and the notable anime blogger somewhere in Tokyo is on WordPress more than 15 years. WordPress treats their websites with care, knowing that those sites and shops are actually those people's homes on the Internet, and refrains from breaking anything or doing anything that could impact those people negatively in the name of 'better paradigms'.
Speaking of better paradigms, is there any yet?
Back in mid 2000s OOP was the end-all-be-all. Everything had to be OOP. All the cacophony even forced WordPress to introduce objects everwhere around its code. Because, 'better paradigms', right.
And then a few years later suddenly functional programming is much better! Or, half of the programmers say so. Suddenly everyone is going in the other direction, whereas the die-hards of OOP still insist that it is 'the thing'.
It was just a few years ago that hooks in React were going to change everything. Everybody! Move to hooks! Then it just turns out that hooks aren't so good after all. Literaly 2 year fad. Also everyone has to move to React or some other bloated framework, because, you know, you have to have a 'modern' frontend, right. Then suddenly people start saying that maybe not everything needs that much dom manipulation after all, and rendering everything on the server and serving the user something that his or her device can handle is much better. Who would have thought. But all of these cacophony forced even WordPress to adopt some React. Because, 'modern', you know...
So this kind of programming fads even impacted WordPress, but WordPress still spent the effort to avoid any of those fads from breaking people's websites.
And that's why its 50% of the web and 30% of all ecommerce today. Because it prioritizes its users and their livelihoods. As opposed to programming fads and elitism.
...
Make no mistake - this paradigm does not only cripple the competitors of WordPress. It also cripples software industry in general, including tech giants. Living in our own world, thinking that the paradigms we have in programming are all important for everyone as opposed to just a fraction of our modern tech jobs, we prioritize the wrong things instead of prioritizing the actual users of the software and their livelihoods. Leading to literally crippling people's websites, apps and kicking their livelihood in the butt, losing them to whichever ecosystem that does not do such neglectful and out-of-touch things. An excellent example of this is shown by Google. It turns out even being a top tech giant does not allow one to avoid the repercussions of not prioritizing the users and instead playing with their livelihoods as if they were pet projects.
https://steve-yegge.medium.com/dear-google-cloud-your-deprec...
Also $wpdb->prepare() uses parametrised values. Not everywhere in WordPress core is it being used. Most plugins use it for direct queries (not that common), but I don't know if the plugin team refuses plugins when they are not using it.
And the fact that it’s 2023 and we’re somehow ok with the biggest web application there is not using parametrised queries in its core completely stumps me. Time and time again, SQL injection attacks in Wordpress or it’s plugins pop up. PDO with parametrised queries simply eliminates this issue.
True, but plugin authors not caring about using them is the primary issue, and that doesn't change just because wpdb uses a different API under the hood.
They appear to be a hand-rolled PHP version of imitation client-side parameterized values, not the actual database library ones.
https://github.com/WordPress/WordPress/blob/master/wp-includ...
To the contrary, with each PHP iteration, "bad code" is executed faster with fewer energy utilized.
This leads to PHP itself having to make bad compromises for the future to keep the Wordpress code of millions of websites running; this leads to developers wasting time trying to accommodate Wordpress in plugins and themes; this leads to new developers growing up with bad standards and outdated practices.
I’m not complaining Wordpress doesn’t follow the latest trends or won’t add arrow functions everywhere. I’m complaining they actively block the way to the future, like a senile senator with lots of unmerited influence and decade-old opinions.
Instead it's just wild wild west, code review is a pain because every plugin and every developer working with WP has radically different structure and coding practices approach.
In regard to WordPlate project - I can guarantee that huge amount of plugins and themes won't work correctly with this modified, non-default project structure.
Thank you, I'll happily keep working with WordPress.
If you’re happy with Wordpress, by all means, keep on going. My critique isn’t targeting you.
I have the luxury to be able to refuse Wordpress projects. In fact whenever I can I replace Wordpress with Django.
Marketing people insisted on WordPress so we reluctantly put it off in its own isolated network and expected bad things to happen. And, they did...
- WordPress consultant hired by marketing people while "editing the theme" introduced an infinite loop which caused OOM killer. That's when we learned you can point-click your way to editing actual php code in the admin web interface! Complete and total chaos and anarchy.
- Content manager "upgraded the SEO plugin" which downloaded from the Internet some hot-new code which used some language features beyond the version of php we were running, and bam, the whole thing was 500s, and everyone freaked out!
- Content people messed up the syntax editing the theme trying to change contact info in the footer, site wouldn't load anymore, they panicked and reverted the whole theme back to the stock default, and then ops people had to help them resurrect from the daily git check-in of the 1gb docroot they set up after the last time this happened.
It's a rough ride all around...
You should probably think about giving certain users like 'content people' the 'Editor' role if you don't want them doing administrator stuff like editing the theme file directly.
I'd imagine most CMSs where you give your client full administrator access can cause issues with them doing things they shouldn't, like blindly upgrading plugins.
Which SEO plugin gave you that 500 error? Most WordPress plugins have a 'Requires PHP' header that specifies the minimum PHP version required and refuses to install otherwise.
Fear not, you can also introduce infinite loops with a good old code editor and ship through FTP or git or whatever. Also work with different CMS and languages.
Who was responsible for setting user roles on that site ? Who gave admin access to a consultant without having a conversation with ops ? If there's an op team, why isn't there a staging environment for that site ?
> - Content manager "upgraded the SEO plugin" which downloaded from the Internet some hot-new code which used some language features beyond the version of php we were running, and bam, the whole thing was 500s, and everyone freaked out!
Content manager shouldn't be given admin rights to a Wordpress installation. Why did op team allow content managers to upgrade software ?
> - Content people messed up the syntax editing the theme trying to change contact info in the footer, site wouldn't load anymore, they panicked and reverted the whole theme back to the stock default, and then ops people had to help them resurrect from the daily git check-in of the 1gb docroot they set up after the last time this happened.
Isn't that also one of op team's job ? Manage backup and restore ?
Seriously, you can replace WordPress with Joomla, Drupla, Ghost here and the story is the same.
Well, when a developer writes code in an editor, they probably are working in a development environment with tests and version control, etc.
Why is there a web editor that changes the application's own running code? And why in the world would I expect that that would exist, and be on by default, for me to have to go and figure out how to turn off?
> Well, when a developer writes code in an editor, they probably are working in a development environment with tests and version control, etc.
This can be done with WP, but you are totally right and I should also have pointed out that the consultant should have asked for a staging environment or at least set up his modifications on his local copy of the site. He/she worked on prod and that's a big no-no.
> Why is there a web editor that changes the application's own running code? And why in the world would I expect that that would exist, and be on by default, for me to have to go and figure out how to turn off?
Ah, I think I now see where you are coming from. but:
> Marketing people insisted on WordPress so we reluctantly put it off in its own isolated network and expected bad things to happen. And, they did...
Well, if op team was aware of WordPress's reputation (and rightly so) it's a little bit on them to preemptively mitigate some of the risks especially if marketing team isn't aware of it. I suppose there wasn't enough hands on deck to do so deep enough at the time it happened or maybe office politics got in the way, etc.
Anyway, some security practices for WordPress suggest to change some file ownership (so only sysadmin can do maintenance work for core, plugins and themes via wp-cli), see https://wordpress.org/documentation/article/hardening-wordpr... which lead me to suggest that git may not be the best option for backup (since it doesn't preserve user ownership). Something like Borg, Restic or a file system based backup/veam/etc. is a better option.
> Why is there a web editor that changes the application's own running code?
Well, in the before time, it would give anyone running the site the ability to modify theme/plugins if they didn't have access to FTP.
Totally agree, I don't see any reasons to keep this around. But any plugins or themes can add a section in the dashboard with a web editor able to modify anything the webserver can modify, so... it's mitigation more than prevention if themes and plugins upload aren't locked.
I hope I am not coming off too strong ? I would likely do the same kind of mistakes if I was asked to host a django something.
Yes, and that's what they did. But it seems a broken design when it takes all that to change some copy in the footer.
In addition:
Helped by providing a more reasonable editing experience (for a website - not "just" a blog).
Both of these are paid. I think I would have preferred a managed host that provided backup and staging - but that would probably cost a little more (cash, fewer hours) - than basic php+mysql web host.
Other than those two - I think we got rid of all third party plug-ins, except for a theme or two (different theme for different sites).
Made wp just about manageable.
Personally I still can't stand the wysiwyg "works 90% 80% of the time) editor - but then the marketing people were responsible for updates - and with wp they could do it themselves.
Seems like in every HN thread regarding Wordpress this is brought up, but later the thread fills up with horror stories of sites being melted down when non-technical users are left to manage these Wordpress sites. Just my two cents, but that supposed benefit of Wordpress seems more like wishful thinking.
Sorry Facebook, you can go and... you know what!
It's not a great assumption anymore (since many WordPress installs are now set up by agencies and dev teams for non technical clients), but it's likely a holdover from the days when most people installing it were also the main designer, developer, content writer, etc (read, bloggers).
At the end of the day, if you tell me that WordPress is an application framework, that themes are code and plugins are dependencies, then okay -- devs own it and there's code reviews and staging environments and deployments and migrations and all the rest.
But if you tell me it's a CMS so marketing people can have a blog, I just ... thought it would be simpler.
Because CSS, because HTML tags are rendered server side and that H1 should be a H2 or that tailwind div soup is funky, or the company team member pages needs ACF to keep tracks of member profiles because editing the page by hand takes too much time,etc.. webdev :/
The other option is things like Elementor or Divi which aim to give content team the ability to modify layouts (and even links to dynamic elements in db) but it's a whole another mess (but it wouldn't be your, yeah !).
Someone at WP is aware of it though, hence all the work on gutenberg and front-side editing (FSE) which ultimately should turn WP into a complete headless CMS.
> Why is plug-in code not sandboxed? These are WordPress problems.
Definitely ! Wait until you have a plugin breaking wp-cli so you can't deactivate it... rm wp-content/plugins/foobar-plugin -rf to the rescue.
> At the end of the day, if you tell me that WordPress is an application framework, that themes are code and plugins are dependencies, then okay -- devs own it and there's code reviews and staging environments and deployments and migrations and all the rest.
> But if you tell me it's a CMS so marketing people can have a blog, I just ... thought it would be simpler.
Yeah, if marketing just wanted a blog and no forms to collect resumes, polls etc. I'd have given them a ghost or a very reduced/amputated WP and signed binding agreements that no plugins or themes would ever be installed on it.
But would you also agree it's a totally insane capability, let alone default, for a CMS to offer a web interface to edit its own running application code? With no VCS integrated or rollback mechanism...
I was too naive to know I should look for a thing like that to disallow.
IMO WordPress' big flaw (and key asset) is its commitment to backwards compatibility. The upside of this is that it was very easy for people to pick up and deploy it on PHP hosting in the 2000s, leading to its massive growth. The downside is that, as a WordPress developer, you're saddled with sticking to decisions made years ago.
It's definitely not your fault that this is unclear, the WP.org documentation does a poor job of explaining the pitfalls. After 5-10 years of working with it you come to understand the weird kinks...
Sorry for piling on your comment.
https://github.com/roots/wp-password-bcrypt#readme https://core.trac.wordpress.org/ticket/21022
With an admin password you can probably upload some executable code, but if you can find a database dump online I doubt you'll have too much effort exploiting a WordPress plugin anyway.
Just because Wordpress plugins are notoriously bad quality, you absolutely shouldn’t be lax with password security.
I have never seen such a badly coded mess.
I ask every downvoter to prove me wrong. I'm sure none of them have ever seen any piece of WordPress code (or documentation, or anything else).
* features People say that “you can just add a plug-in” for whatever, and that’s true. But so many things that should be core are not (advanced custom fields, forms) and other features have no place in modern WordPress (comments). Gutenberg is an incomplete answer to page builders. While the page builders are impressive, they still have a pretty substantial learning curve.
* cost I’ve been using WordPress for over a decade and it’s fallen woefully behind other CMS’s. Recently I spun up a site for a client and the plug-ins cost over $1000 just to get them going. That isn’t _WordPress’s_ fault, but it doesn’t help.
* speed WordPress inexplicably gets slow after about a year unless it’s managed by someone with masters-degree level skill. It’s like the system gets tired. The caching plug-ins help, but why doesn’t WordPress offer better caching itself?
* deploying Recently, I decided I’d had enough. I was doing a one-day build for a small marketing site and it took two hours to deploy because the “yoast” plug-in broke the WP CLI’s ability to search and replace the database for URL’s. Not to mention that source control is a nightmare because people can install their own plug-ins from the dashboard.
I’m writing an open source visual page builder for Laravel. It fixes the problems I see with WordPress for building marketing sites. Think of it as a blend between the visual ease of Webflow and the programmatic power of Laravel. By default, it’ll run off of SQLite (but any sql db will work), so they’re awe only two things living outside source control - the SQLite database and the uploads folder. That makes managing transitions from dev to production an absolute breeze.
I’m very excited about it! It should be ready for beta testing in a few weeks…if anyone wants to give it a shot, let me know.
> Recently I spun up a site for a client and the plug-ins cost over $1000 just to get them going.
I think that's the wrong way around - you/your client could buy stuff costing a thousand dollars because of the huge wp ecosystem (however dysfunctional it may be - I once looked briefly at how to write and sell a wp theme - and quickly moved on to different pursuits). Now, how much value did you get from that? That's one of the big draws of wp.
Im sure your new system will cover 80% of that - but what about the themes and plug-ins someone else needs?
As far as costs go…
Beaver builder - 250 Custom fields - 100 Faceting - 100 forms - 150 Import/export - 100
It doesn’t take long to get to $1000!
The new system I’m working on will be extensible for various needs using new composer packages. So if someone wanted to write an obscure form handler, they could trivially add it to Prodigy as well.
Please do - but note that those are typescript frameworks/systems - not php!
I'm not saying "don't build stuff in php", just that for me, if I was going to throw out support for wp themes and plug-ins - I wouldn't see much point in staying with php and similar architecture to wp. But for those comfortable with modern php it might be great.
Stephen@bate-man.com
and I’ll add you to the list!
I’m glad I’ve been able to develop on https://wagtail.org/ for the past few years though. Usually such a pleasure to work with.
This isn't a critique, I use WP intensively, and we heavily modify and extend it as well, but the familiarity of the team (in dev, seo and content) is pretty much the only selling point, because we shut down most extra features (feeds, rpc, json-rpc, emojis, gutenberg, comments etc etc etc), use a complex varnish-setup, do image optimization etc outside of it and most plugins aren't really good, so we roll out something custom instead. Getting rid of it it isn't an option for us because we're so committed and have built so much custom stuff around it, but with a green field, I'm not sure.
Gutenberg isn't a thing for the folks I work with, nobody there likes freedom (freedom only leads to errors!), everything is form-based (ACF is slow but it works, and here, too, it's not users setting up the fields, it's developers) with a few shortcodes to pull in special elements.
I'm not complaining, I like building tools and solving problems and using WP allows for plenty of both, but in hindsight WP is slowing us down, I believe. Of course, it's hard to predict the scale of things when you start, so having something you can quickly iterate with is useful.
It's not to say there aren't some that say sod it and have their own UI library. But quite a few leverage wordpress admin styles and conventions (such as the wp_list_table).
But the quality is all over the place, much like with composer packages.
Craft CMS. Statamic. Expression Engine.
