by 9dev 1210 days ago
Just reading this again gives me a flashback of the horrors of working with WordPress. If you haven’t seen the source, you don’t know just how god-awful the code is - and it just won’t die, because of all the ecosystem traction it has.

Even the PHP developers have chosen to ignore WordPress in language evolution considerations, as the WordPress community refuses to accept any kind of progress for their project - they still use the unsafe, outdated mysql API without parametrised queries, for example.

Whatever you do in 2023—if you can avoid it, don’t use WordPress as a CMS.


There's much more to WordPress than the ecosystem. If we just think of it as a legacy tool that is only limping along because of the plugins, we will forever be perplexed that it continues to exist.

WordPress is the FLOSS alternative to Wix et al. It is the only practical software that enables people to create and self-host an online presence without having to type a single line of code, and without being beholden to a large centralized platform.

No, a static site generator that requires knowledge of Markdown and a few lines of bash doesn't count. A CMS that requires you to hire a professional to even get started doesn't count, either. It might seem strange to developers like us, but there are lots of people out there who are simply allergic to code. They can use PowerPoint and maybe even Photoshop, but show them a blank terminal and they'll just freeze. WordPress, on the other hand, can be navigated with a bunch of point-and-click, drag-and-drop, buy this and add that and change the options a bit. Just like PowerPoint, it barely works, but it works.

Very few people in our startup bubble seem to care about these "I want a website, but no code please" people, and when we do we often treat them with contempt. How hard can it be to copy and execute a few commands, after all? But apparently that market is large enough to attract a sustainable ecosystem of plugin and theme sellers. WordPress has this market completely cornered. It won't magically disappear just because it's built in crappy code. Understand the users, on the other hand, build a good alternative, and that billion-dollar market might become yours. :)

php's success is tightly connected with LAMP, namely apache mod_php and mysql/mariadb.

it wouldn't be hard to put together the base of wordpress in python on top of django. but hosting companies for decades cared only about mod_php and had no one click uwsgi/fastcgi solutions.

although this still doesn't answer why wordpress became king of the hill in the php ecosystem. was textpattern/drupal/joomla/etc that much worse/harder to use?

in the end wp just looked a tiny bit more professional and had an easier name to remember for the masses. this technical debt will be paid for many years to come.

Anecdotally, yes Joomla and Drupal were much harder to work with and get them to look "nice".
Using other static website generators and CMS would be easy, but I beg to differ with Gatsby, Sanity, Vercel and more.

1-point-click installations failing, to failing standard templates, tutorials that are only for version 2 and not 3, because that's a video right now.

Talk is cheap, but execution is where it is.

> Understand the users, on the other hand, build a good alternative, and that billion-dollar market might become yours.

Isn't that the entire point of Ghost?

The installation guide for self-hosted Ghost assumes that you have at least a virtual private server, and gives you a bunch of commands to type into a root shell. By that time, you've already lost 90% of the people who would have chosen WordPress.
I thought Ghost was pay only?
It's written in Node.js though, right? You can run PHP and MySQL almost anywhere you want. Even the most basic hosting setups are pre-configured for this. Apache is preinstalled on most cheap shared hosting.

That's the thing.. if you want to take down wordpress it should be something current wordpress users can easily install on their current hosting with zero extra config to do. No terminals no server settings to deal with.

A wordpress install is literally drag and drop the files onto the server with ftp and open the web address. Enter some details for the mysql DB via a UI and that's it.

After that there are thousands of themes and plugins that let you do anything from ecommerce to a drag and drop blog without much effort.

The "run everywhere" advantage is eroding. These days you can get container based hosting that can run anything for cheap too. It's not quite as easy for the non-technical user yet. But I suspect it will get there.
Even developers and tech people are having difficulties with installing Wordpress, but that's just my experience. So I don't think it's that easy.
> WordPress, on the other hand, can be navigated with a bunch of point-and-click, drag-and-drop, buy this and add that and change the options a bit.

Can it? I can write code but I'll be damned if I can figure out how to make something that doesn't look like a fourth grader in an Intro to the Internet, 1995 Edition class made it.

There's no clear cut alternative CMS to use, that's the issue.

If you own a wordpress site for your business and you want to change your dev or agency then you will have no problems finding people who understand WP and can work on/fix your site. It might cost you but you'll have no issues finding people to work on it.

Use anything else and you'll be hunting down people who can and want to work on it.

The other major issue is, the paid plugin ecosystem is vast in wordpress and because of that many problems can be solved with a plugin. The conversation typically goes "If this were on wordpress we'd buy this plugin for $xx and we'd be done in a few days, but it's not so we can build it for $xxxx and it'll take at least 2 weeks."

Client hears that and ends up on wordpress next redesign.

Code quality ultimately doesn't matter to site owners so long as the site works.

Except they don't. Leveraging 30 plugins makes the sites a constant hack target and perform piss-poor in SEO page speed tests, etc. That "let's fix it with plugins" attitude works for entry level sites, but if you actually are profitable and competitive it's more trouble than hiring someone to build a lean site, even if using WordPress for content in the backend. Less is more.
By the time you've reached 30 plugins of actually required functionality that affects page speed and existing caching solutions can't help you, then yeah, you probably need to build it custom, but there's a big old gulf of time before you reach that point where WP will serve just fine.
What's the alternative? I am not a creative type and I've been desperately trying to find something like a CMS that is simple enough that I don't have to think about it and featured enough that I can have things like personal profiles behind a login (for a brownie troop). WordPress seems like the same nightmare it was when I first looked at it however long ago but so do all the rest. Is there something better?
processwire.com. You have to build your front-end pages using whatever html/css template you want, but moving over to Processwire from wordpress was a breath of fresh air.
Thank you! I'll take a look. I've been playing with Ghost for the last 30 minutes (based on a comment below) and that might be my move but I'll definitely look at this too.
Craft CMS is well worth it.
> If you haven’t seen the source, you don’t know just how god-awful the code is

And yet, it runs 50% of all websites and 30% of all ecommerce websites.

...

Apparently it is not god awful. If running 50% of the web is godawful, anybody would want their software to be that much 'godawful'...

Empty elitism contrasting the actual reality of life and business...

Just because we don’t have a better choice doesn’t make Wordpress a good choice.
If another choice was better, it would have broken out in the last 25 years of the Internet. All kinds of frameworks, CMSes and actual SaaS services with 'better code quality', 'better security' and 'better programming paradigms' competed and attempted to take its place. If after 25 years, none of those 'better' ones was able to prove itself !actually! better to the end users in any visible way, then it means that WordPress WAS the better one.

At this point you will definitely think "Oh, but the people don't know about good code quality".

They don't. And they don't have to know. They know what reflects on their websites, businesses, actual livelihoods. Those who use WordPress are not detached MBAs managing gigantic organizations. They are people whose lives actually hang on those websites and ecommerce sites. What the software does actually dictates their income, their livelihoods.

For that reason they absolutely don't care about any esoteric programming paradigm or code quality which is !supposed! to impact their livelihoods greatly, but for some reason, it just doesn't. Definitely not to the degree that the proponents of criticism like yours think it does.

Only WordPress came forward as the software that cares about those end users' websites, businesses, livelihoods, by prioritizing them instead of 'good quality code' or programming paradigms and protecting backwards compatibility as if the existence of the world depended on it.

Whereas all the other competing software and even actual services including large tech giants on the other hand, literally played with people's livelihoods by introducing backwards incompatible versions in the name of 'better code and programming' - breaking the websites and shops that those people's lives depended on.

And it turns out that you can break someone's website or ecommerce site by introducing backwards incompatible updates once, twice, and a third time you won't be able to do that because that person will have moved on to software that doesn't play with his livelihood like it was a little hobby project.

That's precisely why WordPress won. While in the mid 2000s all the competitors were breaking their users' websites by pushing out backwards-incompatible versions, WordPress fought tooth and nail to protect backwards compatibility.

The result is trusting users and a gigantic ecosystem of plugins and themes that allows anyone to do literally anything they want. People became able to just click a button to install a plugin and make literally complex features happen.

What was happening on the side of competitors during that period? Well, they were forcing people to write entire freaking modules just to add one measly form on their websites. Because, 'coding paradigms'.

That's why the flower shop owner somewhere in Oregon runs his local flower business on his WordPress site and the notable anime blogger somewhere in Tokyo has been on WordPress for more than 15 years. WordPress treats their websites with care, knowing that those sites and shops are actually those people's homes on the Internet, and refrains from breaking anything or doing anything that could impact those people negatively in the name of 'better paradigms'.

Speaking of better paradigms, is there any yet?

Back in the mid 2000s OOP was the end-all-be-all. Everything had to be OOP. All the cacophony even forced WordPress to introduce objects everywhere around its code. Because, 'better paradigms', right.

And then a few years later suddenly functional programming is much better! Or, half of the programmers say so. Suddenly everyone is going in the other direction, whereas the die-hards of OOP still insist that it is 'the thing'.

It was just a few years ago that hooks in React were going to change everything. Everybody! Move to hooks! Then it just turns out that hooks aren't so good after all. Literally a 2 year fad. Also everyone has to move to React or some other bloated framework, because, you know, you have to have a 'modern' frontend, right. Then suddenly people start saying that maybe not everything needs that much DOM manipulation after all, and rendering everything on the server and serving the user something that his or her device can handle is much better. Who would have thought. But all of this cacophony forced even WordPress to adopt some React. Because, 'modern', you know...

So these kinds of programming fads even impacted WordPress, but WordPress still spent the effort to prevent any of those fads from breaking people's websites.

And that's why it's 50% of the web and 30% of all ecommerce today. Because it prioritizes its users and their livelihoods. As opposed to programming fads and elitism.

...

Make no mistake - this paradigm does not only cripple the competitors of WordPress. It also cripples software industry in general, including tech giants. Living in our own world, thinking that the paradigms we have in programming are all important for everyone as opposed to just a fraction of our modern tech jobs, we prioritize the wrong things instead of prioritizing the actual users of the software and their livelihoods. Leading to literally crippling people's websites, apps and kicking their livelihood in the butt, losing them to whichever ecosystem that does not do such neglectful and out-of-touch things. An excellent example of this is shown by Google. It turns out even being a top tech giant does not allow one to avoid the repercussions of not prioritizing the users and instead playing with their livelihoods as if they were pet projects.

https://steve-yegge.medium.com/dear-google-cloud-your-deprec...

You repeat the same things over and over again, but I’m afraid I didn’t make myself clear enough: this is not about Wordpress not adhering to some coding standard. All those shop owners and bloggers you talk about have been affected, often badly, by crass vulnerabilities, SQL injections, malware, and security issues in obscure features enabled by default. In a lot of cases, this was the direct result of straight-out incompetence on behalf of the Wordpress maintainers and plug-in authors.

Wordpress is a single, glaring, liability. It indirectly prevents improvements to other people’s code; encourages proliferation of outdated and insecure code outside of the WP ecosystem; and causes increasing friction with the rest of the world (just look at projects like this one, which attempts to contain all of Wordpress' weirdness as much as possible). Just because Wordpress filled the CMS niche decades back and has a huge ecosystem moat now, still doesn’t mean it’s a good solution. It’s a chicken and egg problem, and all this fussing about caring about their users misses the point. Other people care about their users and deliver rock-solid software too, they just don’t fit in your narrative.

This isn’t about adhering to some highly ideal, but protecting those very people you care about.

I’m not going into the rant on cloud providers you seem to veer to, however. I’ve also made my points in other comments already.

> All those shop owners and bloggers you talk about have been affected, often badly, by crass vulnerabilities, SQL injections, malware, and security issues in obscure features enabled by default

That goes for all software that reaches a certain usage. There are no exceptions, including WordPress competitors.

Is there any actual study backed by actual data which demonstrates that WordPress is any more vulnerable than ANY other software that is widely used? Like, taking into account Windows computers that may be rarely connected to the Internet or taking into account how the entire Linux server ecosystem is run by sysadmins and not end users like WordPress? And then comparing the security cases in all of those software to the WordPress and actually demonstrating by data that WordPress is more vulnerable?

Of course not. All this criticism stems from the fact that WordPress security situations are more frequently encountered and publicized instead of any objective comparison. Which should have indicated that the entire ecosystem has a very good practice of vigorously tracking, publicizing and fixing these vulnerabilities and that should have been a point of praise, but no. Instead, baseless criticism is directed at it without taking into account that it is used in HALF of all the websites on the planet and even more importantly, by actual end users.

Additionally most of those vulnerabilities come from the plugins in the ecosystem. Not WordPress. This is without counting in the fact that WordPress is hosted mostly on consumer web hosts whose security may affect the software itself.

And there is a very good reason for that - WordPress allows users the freedom to do whatever they want. More than allowing it, people DEMAND it and they get it. Because that's how they can do what they want to do with their website or shop. Therefore it's pretty common for a user to configure his or her website in an insecure fashion despite all warnings, guides and setup wizards that advise against such things. You cannot prevent people's freedom in their own website when they are hosting it themselves.

In contrast, Wordpress sites and shops that are hosted in managed services run without such security issues. Neither CNN's website nor Reuters' website, which run on managed WP hosting, gets hacked. Nor the millions of websites that run on other managed services.

There is a tradeoff in letting users do what they want and limiting what they do. Letting users do what they want looks like it introduces risk, but it also enables anyone to do anything.

And that's precisely why all those users are STILL on WordPress. Including the ones who got their sites hacked multiple times. They didn't move on to 'more secure' software. They didn't move on to a 'more secure' SaaS, they didn't move anywhere.

> In a lot of cases, this was the direct result of straight-out incompetence on behalf of the Wordpress maintainers and plug-in authors.

This looks like singling out WordPress ecosystem in totally discriminatory fashion. How was the security situation with Windows? Top tech giant's software? What about actual intelligence agencies that conduct actual cyberwarfare and spend trillions on it?

All of them got hacked. All of them got security vulnerabilities. Despite the latter being a very specific, very narrow band of activity to boot. Nothing like WordPress enabling innumerable things to be done on its platform.

> Just because Wordpress filled the CMS niche decades back and has a huge ecosystem moat now

If WordPress was not good enough, it would not have filled the CMS 'niche' DECADES back and it wouldn't have a huge ecosystem now.

Leaving aside that it sounds outright absurd to call 50% of the web and 30% of ecommerce 'niche'...

> Wordpress is a single, glaring, liability. It indirectly prevents improvements to other people’s code; encourages proliferation of outdated and insecure code outside of the WP ecosystem

All of those are patently false. Sorry, but if you don't know enough about the ecosystem, don't make grandstanding statements on it:

The majority of the plugins in the WP ecosystem do not interact with WP code directly and instead use hooks and filters. That's it. Nothing else. They are freaking hooks and filters that allow you to do things with whatever passes through them. So there is nothing about 'Wordpress code enabling insecurities'. In reality, WordPress actively encourages people to use hooks and filters and to avoid doing anything directly with the WordPress code itself.

...

At this point I'll leave this discussion. You are basically ranting on the literally scarce knowledge of the topic you have very strong sentiments about. That's not a basis for rational discussion.

A lot of Wordpress' problems are negative externalities that impact others more than the site owner and there is no liability for the site owners if their compromised site starts serving malware, SEO spam or leaks their e-commerce orders DB with all customers' details, thus such impact is not considered when choosing this disgrace of a platform.
Same goes for Windows. Same goes for every single major tech service. We read about major security flops that expose millions' data from every major tech service every other day. Why should WordPress be singled out for anything other than just baseless elitist ire?

> this disgrace of a platform

It looks like this needs to be hammered home: That disgrace of a platform is running 50% of the web and 30% of all ecommerce websites. And every year it adds 3% on top of those percentages.

If 50% of the internet runs on something, it's not the platform that runs it that's the disgrace - it's the baseless elitism that targets it. The very emotional nature of the selection of your words demonstrates the irrationality of the criticism.

...

If it's good for CNN's websites, it's good for anyone's website. That's that.

> Same goes for Windows.

Windows has significantly improved since its early days - the Windows you're talking about would be at best unpatched Windows XP.

> Same goes for every single major tech service. We read major security flops that expose millions' data from every major tech service every other day.

Disagreed. Find me any tech service anywhere similar to WP's scale that can be compromised in a fully automated manner and where the exploits are of the same kind over and over again? Wordpress is Windows XP scale of vulnerability in 2023.

> Why should WordPress be singled out for anything other than just baseless elitist ire.

I'm not sure anyone is singling out WP? Every stupid data breach gets called out. The problem with WP is that it's prone to the same kinds of vulnerabilities over and over again - outdated, bad development practices/standards that make writing secure code difficult and a language/runtime that is itself flawed in its most common configuration (uploading a malicious file is a non-issue in every non-PHP application because your app server doesn't automatically execute said file - except in PHP where if the file ends in .php and is in the web root your server will happily execute it).

> That disgrace of a platform is running 50% of the web and 30% of all ecommerce websites

A significant chunk of people smoke tobacco; that doesn't necessarily mean it's good for you. As I mentioned previously, if the drawbacks of WP mostly impact other people and there isn't a clear liability path to the original operator, those drawbacks won't be priced in, and thus if WP appears cheaper it will be popular.
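The "uploaded .php in the web root gets executed" failure mode described above has a well-known defensive counterpart. The following is an added example written for this thread, not code from WordPress or from any commenter: uploads are stored outside the document root (the `$storeDir` path is an assumption), under a server-generated name whose extension comes from a fixed allowlist keyed by the sniffed MIME type, so neither the client's filename nor its extension ever reaches the filesystem. MIME sniffing is only a secondary check (polyglot files can fool it); the real protection is that nothing in the store directory is ever served through the PHP handler.

```php
<?php
// Added example (not WordPress code, not from the thread): store an upload so
// that it can never be executed by the web server. Requires the fileinfo extension.
declare(strict_types=1);

const ALLOWED_TYPES = [            // sniffed MIME type => extension we will store
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/**
 * Store an uploaded file and return the generated name.
 * $storeDir is assumed to be OUTSIDE the web root (e.g. /var/app/uploads, hypothetical),
 * so the web server cannot map a request onto it at all.
 * $fromHttpUpload selects is_uploaded_file()/move_uploaded_file() for real requests;
 * the demo below passes false so it can run on an ordinary temp file.
 */
function storeUpload(string $tmpPath, string $storeDir, bool $fromHttpUpload = true): string {
    if ($fromHttpUpload && !is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an HTTP upload');
    }
    // Decide the type from the bytes, never from the name or Content-Type the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('rejected content type: ' . var_export($mime, true));
    }
    // Server-generated name: no user-controlled characters, no double extensions,
    // and the extension is the one we chose for the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    $ok = $fromHttpUpload ? move_uploaded_file($tmpPath, $dest) : rename($tmpPath, $dest);
    if (!$ok) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640); // plain data: readable by the app, never executable
    return $name;
}

// Demo with constructed input: a minimal PNG signature, then a PHP source file
// pretending to be an image. Both are written to temp files by this script.
$dir = sys_get_temp_dir() . '/uploads-demo-' . getmypid();
mkdir($dir, 0750, true);

$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
echo 'stored as ', storeUpload($png, $dir, false), "\n";

$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello'; ?>");
try {
    storeUpload($php, $dir, false);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

To serve a stored file, read it through a script that sets Content-Type from the stored extension and `Content-Disposition: attachment`; a directory outside the web root is never handed to the PHP interpreter by the web server regardless of what the bytes contain.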

WordPress uses the PHP-mysqli extension. The PHP-mysql extension is unused since WordPress 3.9, quite some years ago. You might mean PHP-pdo is advised. Can you explain why it is better in this regard?

Also $wpdb->prepare() uses parametrised values. Not everywhere in WordPress core is it being used. Most plugins use it for direct queries (not that common), but I don't know if the plugin team refuses plugins when they are not using it.

Read this article for a primer on why PDO is a vastly better choice: https://phpdelusions.net/pdo#why

And the fact that it’s 2023 and we’re somehow ok with the biggest web application there is not using parametrised queries in its core completely stumps me. Time and time again, SQL injection attacks in Wordpress or its plugins pop up. PDO with parametrised queries simply eliminates this issue.

> PDO with parametrised queries simply eliminates this issue.

True, but plugin authors not caring about using them is the primary issue, and that doesn't change just because wpdb uses a different API under the hood.

No, but nobody will encourage them to. Wordpress has fostered an ecosystem of bad practices that is mostly resistant to change.
> Also $wpdb->prepare() uses parametrised values.

They appear to be a hand-rolled PHP version of imitation client-side parameterized values, not the actual database library ones.

https://github.com/WordPress/WordPress/blob/master/wp-includ...

Wow. That is so much code just to avoid calling mysqli_prepare(). And they insist on using a weird printf inspired syntax instead of ? or :field.
I suppose it's pretty battle-hardened by now, but I'd be afraid to ever touch that code for fear of introducing a SQL injection.
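To make concrete what the comments about `$wpdb->prepare()` versus PDO are arguing over, here is an added example, not code from WordPress or from the linked file: a string-interpolated query next to a PDO prepared statement with named placeholders. It uses an in-memory SQLite database so it runs offline with the pdo_sqlite extension; the table and rows are constructed for the demo. With MySQL the same code applies, and `PDO::ATTR_EMULATE_PREPARES => false` is what makes PDO send server-side prepared statements rather than the client-side escaping imitation the thread describes.

```php
<?php
// Added example (not WordPress code): interpolated SQL vs. a PDO prepared statement.
declare(strict_types=1);

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side placeholders, not client-side quoting
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed sample data standing in for a wp_users-like table.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)');
    $pdo->exec("INSERT INTO users (login, email) VALUES
                ('alice', 'alice@example.test'),
                ('O''Brien', 'ob@example.test')");
    return $pdo;
}

// The pattern the thread criticises: input spliced into the SQL text. Any quote
// in $login changes the statement's structure, which is exactly what SQL injection abuses;
// here it merely makes a legitimate name fail with a syntax error.
function findUserUnsafe(PDO $pdo, string $login): array {
    $sql = "SELECT id, login FROM users WHERE login = '$login'";
    return $pdo->query($sql)->fetchAll();
}

// Parametrised version: the SQL text is fixed and $login is bound as data.
// Named placeholders (:login) take the place of $wpdb->prepare()'s printf-style %s / %d.
function findUserSafe(PDO $pdo, string $login): array {
    $stmt = $pdo->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll();
}

$pdo   = makeDb();
$input = "O'Brien"; // ordinary, legitimate input that happens to contain a quote

try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    echo 'Interpolated query failed: ', $e->getMessage(), "\n";
}
// The bound value is data, not SQL, so the quote needs no escaping at all.
print_r(findUserSafe($pdo, $input));
```

The same contrast holds for integer parameters: binding them with `PDO::PARAM_INT` via `bindValue()` removes the need for the `%d` casting that `$wpdb->prepare()` performs in PHP.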
Why would you change a successful product just because the "language evolves"? PHP is so successful precisely because it lets all the legacy code live.

To the contrary, with each PHP iteration, "bad code" is executed faster with less energy used.

It’s not because the language evolves - which it does - but because Wordpress is built on bad patterns, abuse of legacy features, and simply heaps upon heaps of bad code.

This leads to PHP itself having to make bad compromises for the future to keep the Wordpress code of millions of websites running; this leads to developers wasting time trying to accommodate Wordpress in plugins and themes; this leads to new developers growing up with bad standards and outdated practices.

I’m not complaining Wordpress doesn’t follow the latest trends or won’t add arrow functions everywhere. I’m complaining they actively block the way to the future, like a senile senator with lots of unmerited influence and decade-old opinions.

It's hard for me to understand why Wordpress core maintainers and developers decided not to uplift developers working in the WP ecosystem and as a result improve the codebase of all plugins and themes. Just simply providing a few well documented plugins with modern coding practices showing how things SHOULD be done would do wonders; adding to that good documentation introducing guidelines and standardization, and a good API for admin interfaces, would gradually, over time, change the WP ecosystem.

Instead it's just wild wild west, code review is a pain because every plugin and every developer working with WP has radically different structure and coding practices approach.

In regard to the WordPlate project - I can guarantee that a huge number of plugins and themes won't work correctly with this modified, non-default project structure.

That's a cheap, emotional and factually incorrect statement.

Thank you, I'll happily keep working with WordPress.

No, it’s not. My statement is grounded in years of working professionally with CMS systems for customers at an agency, as an engineer helping out our marketing department, and maintainer of a popular niche CMS.

If you’re happy with Wordpress, by all means, keep on going. My critique isn’t targeting you.

The code is awful, but some plugins are even worse. And the database schema... such a nightmare.

I have the luxury to be able to refuse Wordpress projects. In fact whenever I can I replace Wordpress with Django.

Django is also my go-to idea.