by joekrill 2756 days ago
You're absolutely right. The big issue (for me, at least) is that it's a security nightmare. At least last I used it. It seemed there were security exploits popping up every day. Either from the core codebase, or from some random plugin everyone seemed to be using. I think that was just the nature of how their plugin system works? I'm not sure if anything's changed, but _maintaining_ a WordPress install is not fun and requires constant - almost tiring - oversight.

I used to help artists with setting up Wordpress portfolio sites. But the constant maintenance required (updating Wordpress & plugins, making sure that all plugins are secure and maintained, and checking after each update to make sure nothing was broken), as well as the rise of platforms like Squarespace, Wix & Weebly, means that I no longer recommend Wordpress for those types of clients. Artists just want to show and sell their work, not deal with whether or not a plugin update is compatible with their version of Woocommerce.
Is this a WordPress thing or a software with a developer ecosystem thing?

Because that's always the catch with any script really. If you're using third party themes and plugins for anything, then you're putting trust in the developers of said themes and plugins that they know what they're doing coding and security wise.

The exact same situation is true of everything from WordPress to Drupal to vBulletin and XenForo to MediaWiki and Magento.

With something like squarespace or wix (or even WP hosted), you're putting more power in the hands of the centralizing host, which is both limiting but also can reduce security issues.

The "sheer breadth of the ecosystem" in self-hosted WP is also where so many of the problems come in (compatibility between products, security issues, etc).

I'd argue it really is worse in the WP scene vs Drupal, partially because of the 'ease' of the code for newbs to get started. There's no culture of automated testing in the WP community at large, but some other platforms at least allow for that. There are people who write clean and well-tested WP products, but they're likely a minority, if you're looking at the ocean of stuff released over the last 5-10 years in the WP space.

It's not exclusively a Wordpress problem, but in my experience it's especially bad with Wordpress.
Indeed. Staff at the hosting service I use for professional purposes have always been very down on WP. My understanding from our various conversations is that for any systems where they were providing some sort of managed security service, it was a time sink to keep everything up to date. For any shared hosting systems where they weren't also managing the security, there would be frequent compromises and then that would get things blacklisted, so potentially other customers using the same shared resources could be negatively affected in at least two different ways. They don't seem to have become noticeably more positive about any of this in recent times despite the arguments about WP security being better these days, which suggests that there is still enough of a problem to be concerned about.
Check out Jetpack, it can auto-update all your plugins, and has a "Rewind" feature with real-time backups so you can one-click take your site back to a previous state if anything didn't work.
Jetpack has some nice features, the comments form especially. It is, however, very bloated - especially since you'll often only use 2 or 3 features on any one site.
Since Jetpack code is also what we run on WP.com (tens of billions of pageviews) it goes through a huge amount of performance tuning and optimization. The way modules work when you turn them off they don't have any overhead, similar to turning off a plugin. If you were using literally one thing it might feel like a lot, but as soon as you use 2-3+ things Jetpack does it's a lot more efficient than separate individual plugins to accomplish the same task.
Can you give a couple examples of when / how Jetpack has to be a single plugin, instead itself being a suite of individual plugins?

If the knock on that product is bloat, and that compromises adoption, how is X a benefit to those who refuse to adopt the whole alphabet?

It's not like features you don't use slow you down, or that the < 1 MB of code they take on disk is important.
I did a lot of WP dev from 2007 to 2011 or so, and I still run my businesses on Wordpress today. I hadn't really dug into Gutenberg yet, but I just played with https://wordpress.org/gutenberg/ and I think a lot of people are overreacting. It's a very big change, but it feels like the right move for the future of Wordpress. I'm sure it's not easy to move a community forward in a new direction when there is a global ecosystem comprised of tens (hundreds?) of millions of websites, developers, designers, users, and entire companies invested in the status quo. I don't envy you!

Also, appreciate you still stopping into HN to chat :)

Hi Matt. Maybe not assume everyone here knows who you are? And instead at some point make note of the bias in your recommendation?

HN =/= WordCamp etc.

Tia :)

As a free market tends to do, this has been largely solved. Perfect Dashboard, iThemes/Liquid Web and others now offer technology that auto updates core and plugins and rolls them back if anything breaks. 95% of the old pain of updating and patching is solved with these tools.
The only way to ensure your wordpress sites don't break is to reduce reliance on plugins. A decent host like DigitalOcean doesn't hurt either. Squarespace is ok for simple sites, but once clients start requesting additional features it becomes a nightmare.
> but _maintaining_ a WordPress install is not fun and requires constant - almost tiring - oversight.

This isn't true. I've been running and managing 15+ WordPress websites for over 5 years now and not once run into any issues like you're describing, and I certainly haven't lost sleep or become 'tired' over it.

Using a good tool like ManageWP (or InfiniteWP, or any of the others, take your pick) makes managing multiple WordPress websites a breeze (e.g., it alerts you every morning with what updates are available), and with their paid backup/restore functionality there's really nothing to worry about if something did go wrong. Combine all this with a nice WAF or security plugin and you're fine. Or you can use a service like MalCare that combines both.

If you go months and years without updating, then yes you're asking for trouble like any other piece of software.

Too many people used WordPress over 10+ years ago and just stick to the same speech about PHP and WordPress and security and all that and how everything is so bad, and that a different CMS that nobody uses in an obscure language is sooo much better and secure (that won't be here in a couple of years in all likelihood.)

The fact that you even mention that you get security updates "every morning" is an indication of how much work keeping a WordPress site secure can be.

I think it is just wordpress' ubiquity that has made it a security issue though. Attackers are quick to build exploit bots the moment a new vulnerability is found and they scour the web for unpatched sites.

So if you don't stay on your toes, you will get pwned sooner or later with a wp site.

> The fact that you even mention that you get security updates "every morning" is an indication of how much work keeping a WordPress site secure can be.

Sorry for the confusion; I mean if there's a WP/Plugin/Theme update, I get notified every morning so I can go in and update (if needed.)

Your last paragraph is wrong. WordPress is a headache for people who keep their CMSes up to date. The speech about why Wordpress is a poor choice for a lot of projects has changed over the last decade, but it’s still true to say — possibly truer than ever. PHP is a lot better than it used to be, but not Wordpress-style PHP. There are great CMS alternatives that are also written in PHP and are better, secure, and set up so that they will be around for years.
My answer to this problem has been the plugin Wordfence. Its primary feature is a WAF whose rules update continuously and which intercepts every request. Having worked at several agencies I've seen and inherited many hacked sites. I have never had a site be infected with a clean install using Wordfence. knocks on wood
Same here. WordFence has been a god-send. My agency offers fully custom sites, WordPress sites, and even builds on sites like Squarespace for people and I always differentiate them for clients. If it's a site that we'll end up managing, I always install WordFence and the developer license for it is incredibly reasonably priced. It's a 100% recommend from me for anyone considering it.
I use Wordfence and always thought it was good. But good to know that a lot of others find value in it too. Btw, looks like wordfence is getting killed with all the traffic from HN. Hopefully the increased sales will make it up to them :)
Wow. Founder here. Thank you!
I'm a lone developer in a marketing agency. I manage hundreds of WordPress sites. Some are my own work, many are not. As someone who has inherited more than his fair share of compromised sites, thank YOU! WordFence is the immediate fix for 99% of the hacks I see. It stops malicious activity in its tracks until I can patch the issues. There are simply no other plugins even close to the quality of WordFence.
Well thank you. I'm a big fan of your newsletter as well :)
I used to do sysadmin work at a web hosting company and security nightmare is exactly the phrase I think of when I think of WordPress.

Many mom and pop type businesses find the lowest cost web designer they can find to build them a WordPress site then get upset with the hosting company when "the server gets hacked" and their site is redirecting to a malicious site.

WordPress is certainly a powerful platform but the fact that it is so easy for someone to get started is also a weakness because those people don't understand it isn't just set it and forget it.

Don't forget about the 'low cost web design' market. If you're buying a web design for south of $500, you're PROBABLY getting a WordPress next-next-finish install with a default template and some minor tweaking.

I've screened / interviewed so many jr web "developers" who don't actually know how to develop a web app and they claim that installing WordPress plugins is development experience.

That's a fair point. I usually spend some time hardening my WordPress installs, and keep all of them updated. I also disable a few features of the WordPress dashboard, including updating WordPress core and installing themes/plugins. I do these tasks from the command line using WP-CLI.

This setup lets me do 99% of my everyday work using the WordPress UI. For the remaining 1%, I can SSH and use the command line. I've had a scare or two in the past, but in general my websites haven't been large enough to be lucrative targets. Maybe someone who's running larger blogs can chime in on the security issues.

If you want a one click solution, DigitalOcean's WordPress droplet has a lot of security stuff pre-configured for you. They even integrate fail2ban with the WordPress login screen, which is something I never even considered doing.
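The fail2ban-plus-login-screen pairing mentioned in the comment above, as an added example that is not part of the thread and is not DigitalOcean's or fail2ban's own code: it shows what fail2ban does with WordPress login failures, i.e. match a failregex against each log line, count hits per client IP, and ban a client once it reaches `maxretry` failures inside a `findtime` window, skipping anything on the `ignoreip` allowlist. The log-line format (the wp-fail2ban plugin's "Authentication failure for <user> from <ip>" style, tagged with a `wordpress(...)` syslog identifier), the filter/jail snippet and all sample log lines are assumptions constructed for the example.

```python
"""Added example: the counting logic fail2ban applies to WordPress login failures.

Assumptions (not from the thread): login failures reach the auth log in the
wp-fail2ban plugin's style, and the filter/jail text below is illustrative,
not a verified copy of any vendor configuration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban-style failregex; fail2ban replaces <HOST> with an IP pattern when
# it compiles the filter, and this script does the same below.
FAILREGEX = r"Authentication (?:failure|attempt) for .+ from <HOST>"

# Illustrative filter.d/wordpress.conf plus jail.local fragment (assumption).
FILTER_AND_JAIL = f"""\
# /etc/fail2ban/filter.d/wordpress.conf
[Definition]
failregex = {FAILREGEX}
ignoreregex =

# /etc/fail2ban/jail.local
[wordpress]
enabled  = true
filter   = wordpress
logpath  = /var/log/auth.log
maxretry = 5
findtime = 600
bantime  = 3600
"""

_HOST = r"(?P<host>[0-9a-fA-F.:]+)"  # IPv4 or IPv6 literal
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\)\[\d+\]: "
    + FAILREGEX.replace("<HOST>", _HOST)
    + r"$"
)

# Constructed sample auth log: one client hammering wp-login.php, one client
# with two widely spaced failures, and an unrelated sshd line that must not match.
SAMPLE_LOG = """\
Jun 12 09:14:01 web1 wordpress(example.test)[1234]: Authentication failure for admin from 203.0.113.5
Jun 12 09:14:03 web1 wordpress(example.test)[1234]: Authentication failure for admin from 203.0.113.5
Jun 12 09:14:04 web1 wordpress(example.test)[1234]: Authentication attempt for unknown user root from 203.0.113.5
Jun 12 09:14:05 web1 wordpress(example.test)[1234]: Authentication failure for editor from 203.0.113.5
Jun 12 09:14:07 web1 wordpress(example.test)[1234]: Authentication failure for admin from 203.0.113.5
Jun 12 09:14:09 web1 wordpress(example.test)[1234]: Authentication failure for alice from 198.51.100.7
Jun 12 09:14:10 web1 sshd[999]: Accepted publickey for deploy from 198.51.100.7
Jun 12 09:30:00 web1 wordpress(example.test)[1234]: Authentication failure for alice from 198.51.100.7
"""


def parse_failures(log_text, year=2018):
    """Return [(timestamp, host)] for every line the failregex matches.

    Syslog timestamps carry no year, so one is supplied (fail2ban does the
    same, defaulting to the current year)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, e.g. sshd
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"]))
    return events


def ips_to_ban(events, maxretry=5, findtime=600, ignoreip=frozenset()):
    """Apply fail2ban's rule: ban a host once maxretry failures fall inside any
    findtime-second window. Returns {host: time_of_ban}. Hosts in ignoreip
    (your own office/VPN address, in fail2ban's ignoreip setting) are skipped
    so an operator fat-fingering a password cannot lock the site's admins out."""
    by_host = defaultdict(list)
    for ts, host in events:
        if host not in ignoreip:
            by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = {}
    for host, times in by_host.items():
        times.sort()
        # Sliding window: the i-th failure and the (i - maxretry + 1)-th one
        # must be no more than findtime apart for the ban to fire.
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= window:
                banned[host] = times[i]
                break
    return banned


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for host, when in ips_to_ban(found).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the defaults above only `203.0.113.5` is banned (five failures in six seconds); `198.51.100.7` escapes because its two failures are sixteen minutes apart, which is the point of `findtime`: the threshold is on rate, not lifetime count.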

I agree security issues are the main drawback. This can be mitigated by using managed hosting providers. I've had several wordpress sites running on managed hosts for years with little oversight and no issues.