by CM30 2756 days ago
Is this a WordPress thing or a software with a developer ecosystem thing?

Because that's always the catch with any script really. If you're using third party themes and plugins for anything, then you're putting trust in the developers of said themes and plugins that they know what they're doing coding- and security-wise.

The exact same situation is true of everything from WordPress to Drupal to vBulletin and XenForo to MediaWiki and Magento.

2 comments

With something like Squarespace or Wix (or even WP hosted), you're putting more power in the hands of the centralizing host, which is both limiting but also can reduce security issues.

The "sheer breadth of the ecosystem" in self-hosted WP is also where so many of the problems come in (compatibility between products, security issues, etc).

I'd argue it really is worse in the WP scene vs Drupal, partially because of the 'ease' of the code for newbs to get started. There's no culture of automated testing in the WP community at large, but some other platforms at least allow for that. There are people who write clean and well-tested WP products, but they're likely a minority, if you're looking at the ocean of stuff released over the last 5-10 years in the WP space.

It's not exclusively a WordPress problem, but in my experience it's especially bad with WordPress.

Indeed. Staff at the hosting service I use for professional purposes have always been very down on WP. My understanding from our various conversations is that for any systems where they were providing some sort of managed security service, it was a time sink to keep everything up to date. For any shared hosting systems where they weren't also managing the security, there would be frequent compromises and then that would get things blacklisted, so potentially other customers using the same shared resources could be negatively affected in at least two different ways. They don't seem to have become noticeably more positive about any of this in recent times despite the arguments about WP security being better these days, which suggests that there is still enough of a problem to be concerned about.