[montroser]

WordPress is plain crazy.

Marketing people insisted on WordPress so we reluctantly put it off in its own isolated network and expected bad things to happen. And, they did...

- WordPress consultant hired by marketing people while "editing the theme" introduced an infinite loop which caused OOM killer. That's when we learned you can point-click your way to editing actual php code in the admin web interface! Complete and total chaos and anarchy.

- Content manager "upgraded the SEO plugin" which downloaded from the Internet some hot-new code which used some language features beyond the version of php we were running, and bam, the whole thing was 500s, and everyone freaked out!

- Content people messed up the syntax editing the theme trying to change contact info in the footer, site wouldn't load anymore, they panicked and reverted the whole theme back to the stock default, and then ops people had to help them resurrect from the daily git check-in of the 1gb docroot they set up after the last time this happened.

It's a rough ride all around...

[rob]

Yes, WordPress gives administrators the ability to change their theme, edit theme and plugin code (which can be disabled in wp-config.php in two lines and should probably be standard if you're setting up a WordPress website for somebody), and make changes to their website — that's why their administrators.

You should probably think about giving certain users like 'content people' the 'Editor' role if you don't want them doing administrator stuff like editing the theme file directly.

I'd imagine most CMSs where you give your client full administrator access can cause issues with them doing things they shouldn't, like blindly upgrading plugins.

Which SEO plugin gave you that 500 error? Most WordPress plugins have a 'Requires PHP' header that specifies the minimum PHP version required and refuses to install otherwise.

[johnchristopher]

> - WordPress consultant hired by marketing people while "editing the theme" introduced an infinite loop which caused OOM killer. That's when we learned you can point-click your way to editing actual php code in the admin web interface! Complete and total chaos and anarchy.

Fear not, you can also introduce infinite loops with a good old code editor and ship through FTP or git or whatever. Also work with different CMS and languages.

Who was responsible for setting user roles on that site ? Who gave admin access to a consultant without having a conversation with ops ? If there's an op team, why isn't there a staging environment for that site ?

> - Content manager "upgraded the SEO plugin" which downloaded from the Internet some hot-new code which used some language features beyond the version of php we were running, and bam, the whole thing was 500s, and everyone freaked out!

Content manager shouldn't be given admin rights to a Wordpress installation. Why did op team allow content managers to upgrade software ?

> - Content people messed up the syntax editing the theme trying to change contact info in the footer, site wouldn't load anymore, they panicked and reverted the whole theme back to the stock default, and then ops people had to help them resurrect from the daily git check-in of the 1gb docroot they set up after the last time this happened.

Isn't that also one of op team's job ? Manage backup and restore ?

Seriously, you can replace WordPress with Joomla, Drupla, Ghost here and the story is the same.

[montroser]

> Fear not, you can also introduce infinite loops with a good old code editor

Well, when a developer writes code in an editor, they probably are working in a development environment with tests and version control, etc.

Why is there a web editor that changes the application's own running code? And why in the world would I expect that that would exist, and be on by default, for me to have to go and figure out how to turn off?

[johnchristopher]

> > Fear not, you can also introduce infinite loops with a good old code editor

> Well, when a developer writes code in an editor, they probably are working in a development environment with tests and version control, etc.

This can be done with WP, but you are totally right and I should also have pointed out that the consultant should have asked for a staging environment or at least set up his modifications on his local copy of the site. He/she worked on prod and that's a big no-no.

> Why is there a web editor that changes the application's own running code? And why in the world would I expect that that would exist, and be on by default, for me to have to go and figure out how to turn off?

Ah, I think I now see where you are coming from. but:

> Marketing people insisted on WordPress so we reluctantly put it off in its own isolated network and expected bad things to happen. And, they did...

Well, if op team was aware of WordPress's reputation (and rightly so) it's a little bit on them to preemptively mitigate some of the risks especially if marketing team isn't aware of it. I suppose there wasn't enough hands on deck to do so deep enough at the time it happened or maybe office politics got in the way, etc.

Anyway, some security practices for WordPress suggest to change some file ownership (so only sysadmin can do maintenance work for core, plugins and themes via wp-cli), see https://wordpress.org/documentation/article/hardening-wordpr... which lead me to suggest that git may not be the best option for backup (since it doesn't preserve user ownership). Something like Borg, Restic or a file system based backup/veam/etc. is a better option.

> Why is there a web editor that changes the application's own running code?

Well, in the before time, it would give anyone running the site the ability to modify theme/plugins if they didn't have access to FTP.

Totally agree, I don't see any reasons to keep this around. But any plugins or themes can add a section in the dashboard with a web editor able to modify anything the webserver can modify, so... it's mitigation more than prevention if themes and plugins upload aren't locked.

I hope I am not coming off too strong ? I would likely do the same kind of mistakes if I was asked to host a django something.

[montroser]

> Isn't that also one of op team's job ? Manage backup and restore ?

Yes, and that's what they did. But it seems a broken design when it takes all that to change some copy in the footer.

[johnchristopher]

Yeah. Big workflow failures here. The person who changed the code doesn't have a revision system in place or the skills/knowledge to put the site back up after such a minor edit :/.

[Nextgrid]

How do you even reliably version-control something that relies on editing its own code?

[johnchristopher]

There's some confusion here. WordPress themes and plug-ins don't rely on the built-in web editor. That's why it can be safely disabled.

What that guy did is no different from sshing into the prod server, live editing a Django plug-in and refreshing the browser.

Version control of the plug-in won't protect from that. But it's a handy tool to manage regressions.

Rolling back changes and editing a live plug-in are different problems.

[e12e]

Fwiw at a previous job we found that using blog vault backup gave us reasonable backups - a way to migrate setups (restore to new host) and workable (if a little clunky) staging environments:

https://blogvault.net/

In addition:

https://elementor.com/

Helped by providing a more reasonable editing experience (for a website - not "just" a blog).

Both of these are paid. I think I would have preferred a managed host that provided backup and staging - but that would probably cost a little more (cash, fewer hours) - than basic php+mysql web host.

Other than those two - I think we got rid of all third party plug-ins, except for a theme or two (different theme for different sites).

Made wp just about manageable.

Personally I still can't stand the wysiwyg "works 90% 80% of the time) editor - but then the marketing people were responsible for updates - and with wp they could do it themselves.

[noeltock]

Why do you give non-devs the ability to upgrade PHP plugins and edit theme syntax, shouldn't that be the site admin handling? Why are you not using staging to test? These don't seem like WP problems :/

[bottled_poe]

For better or worse, part of the appeal of Wordpress is ease of use for non-developers to update their website. Most small businesses definitely don’t employ a dedicated site admin/developer - if they had to they wouldn’t bother with a website. In fact, it looks like that’s the way things are going - pushing small businesses into walled gardens like FB, Insta, Wix, etc. And I don’t blame them, that’s probably the right decision for most businesses.

[gnz11]

"part of the appeal of Wordpress is ease of use for non-developers to update their website."

Seems like in every HN thread regarding Wordpress this is brought up, but later the thread fills up with horror stories of sites being melted down when non-technical users are left to manage these Wordpress sites. Just my two cents, but that supposed benefit of Wordpress seems more like wishful thinking.

[johnchristopher]

> Seems like in every HN thread regarding Wordpress this is brought up, but later the thread fills up with horror stories of sites being melted down when non-technical users are left to manage these Wordpress sites. Just my two cents, but that supposed benefit of Wordpress seems more like wishful thinking.

Nah, it could also mean we don't hear about all the Wordpress running without problems.

Personally I think it's a HN meme now, like the Signal thread with half the comments about Matrix.

[dazc]

Until some random violation gets the page suspended or removed. Had this happen a couple of times, latest was a result of changing over from Facebook Ad manager to Meta Ad manager (or whatever they call it) which triggered the suspicious activity, give us your Govt ID busllshit.

Sorry Facebook, you can go and... you know what!

[CM30]

Probably because in many cases the assumption is that the dev and main editor are the same person?

It's not a great assumption anymore (since many WordPress installs are now set up by agencies and dev teams for non technical clients), but it's likely a holdover from the days when most people installing it were also the main designer, developer, content writer, etc (read, bloggers).

[montroser]

Why can a "theme" editor edit application code? Why do I need a developer in order to change what it looks like? Why is plug-in code not sandboxed? These are WordPress problems.

At the end of the day, if you tell me that WordPress is an application framework, that themes are code and plugins are dependencies, then okay -- devs own it and there's code reviews and staging environments and deployments and migrations and all the rest.

But if you tell me it's a CMS so marketing people can have a blog, I just ... thought it would be simpler.

[johnchristopher]

> Why can a "theme" editor edit application code? Why do I need a developer in order to change what it looks like?

Because CSS, because HTML tags are rendered server side and that H1 should be a H2 or that tailwind div soup is funky, or the company team member pages needs ACF to keep tracks of member profiles because editing the page by hand takes too much time,etc.. webdev :/

The other option is things like Elementor or Divi which aim to give content team the ability to modify layouts (and even links to dynamic elements in db) but it's a whole another mess (but it wouldn't be your, yeah !).

Someone at WP is aware of it though, hence all the work on gutenberg and front-side editing (FSE) which ultimately should turn WP into a complete headless CMS.

> Why is plug-in code not sandboxed? These are WordPress problems.

Definitely ! Wait until you have a plugin breaking wp-cli so you can't deactivate it... rm wp-content/plugins/foobar-plugin -rf to the rescue.

> At the end of the day, if you tell me that WordPress is an application framework, that themes are code and plugins are dependencies, then okay -- devs own it and there's code reviews and staging environments and deployments and migrations and all the rest.

> But if you tell me it's a CMS so marketing people can have a blog, I just ... thought it would be simpler.

Yeah, if marketing just wanted a blog and no forms to collect resumes, polls etc. I'd have given them a ghost or a very reduced/amputated WP and signed binding agreements that no plugins or themes would ever be installed on it.

[jrm4]

Web development is plain crazy and WordPress adapted itself to that?

[nicbou]

I found Craft CMS to be WordPress made by sensible people. Well worth the licence. You can simply disable admin changes in production, or set fine grained permissions.

[splatzone]

You could have avoided all of these problems by having a developer set up a staging environment, version the site in Git and disallow file editing on the site.

[montroser]

Fair enough, and now I know.

But would you also agree it's a totally insane capability, let alone default, for a CMS to offer a web interface to edit its own running application code? With no VCS integrated or rollback mechanism...

I was too naive to know I should look for a thing like that to disallow.

[splatzone]

Yes, those are totally legitimate criticisms.

IMO WordPress' big flaw (and key asset) is its commitment to backwards compatibility. The upside of this is that it was very easy for people to pick up and deploy it on PHP hosting in the 2000s, leading to its massive growth. The downside is that, as a WordPress developer, you're saddled with sticking to decisions made years ago.

It's definitely not your fault that this is unclear, the WP.org documentation does a poor job of explaining the pitfalls. After 5-10 years of working with it you come to understand the weird kinks...

Sorry for piling on your comment.