[partiallypro]

Saying Wordpress is a security nightmare is like saying Windows is a security nightmare. It has broad use, it has tons of people using it with outdated or unmanaged plugins on installs that haven't been updated in years...Some running near extinct PHP versions. If managed properly, put behind a firewall, etc it is quite safe. The hatred of Wordpress is laughable. It has its limits, but it meets most small-medium sized business needs when the project calls for minimal needs.

[krapp]

As a product you're right - Wordpress serves the needs of small business and non-coder users perfectly well, arguably better than any alternative outside of hosted services like Wix (or, obviously, hosted Wordpress.)

However, as software, Wordpress deserves the hate it gets. There is no real security or firewalling or permissions limiting of plugins, there is no hint of modern PHP practices like Composer integration, routing, or the use of a templating language (and no, PHP itself doesn't count) and the amount of cruft it carries with it for the sake of backwards compatibility makes it insanely complex and far more bloated than it needs to be.

Wordpress in principle is a wonderful, useful product, and anyone trying to compete with it needs to closely study what it gets right (ease of deployment, ease of extension, ease of configuration, auto-updates, plugins, etc.) as well as what it gets wrong. Wordpress in practice, though, needs to be tossed into a pit and burned.

[chiefalchemist]

> "(ease of deployment, ease of extension, ease of configuration, auto-updates, plugins, etc.)"

But those are The Right __and__ The Wrong.

For example, adding Composer to the WP "stack" makes sense. But now you've eliminated 90% (?) of the WP "developers."

That is, in the Universe of WordPress Composer is more friction, not less (i.e., ease of use).

Long to short, for better or worse, WP is Justin Bieber. It will never be Radiohead.

[krapp]

>But now you've eliminated 90% (?) of the WP "developers."

Maybe, but it wouldn't be impossible to rebuild plugins around Composer and PSR standards. And doing so would make them better organized, and make it easier to manage third party dependencies. If you were going to build Wordpress from scratch, today, that's probably what you would do - just make plugins a special case of Composer dependencies.

The only question is, whether you would still have as robust an ecosystem with a more restrictive framework? Probably not, but the quality of plugins would probably be higher.

[chiefalchemist]

I think before we worry about plugins and themes it would make much more sense to bring WP core itself up to date. What good is a nice, clean, properly organized plugin, if it's sitting on a foundation of sand.

I filed a core bug report once. Long to short, if I passed (I think it was) false to a core function, I got very unexpected results. The dev that replied to me said, "Well then don't do that." Huh?

The idea that the function should check, that it should be aware that humans (and their code) make unexpected mistakes, was completely foreign to her / him. I lost a lot of faith that day. I lose a bit more every time I go poking around in core code. I'm no Super DevMan. So when __I__ see bad patterns you know something is wrong.

p.s. Fwiw, even the lead dog (i.e., Automattic) has some nasty code habits. Simply dumbfounding.