If another choice was better, it would break out in the last 25 years of the Internet. All kinds of frameworks, cmses and actual SaaS services with 'better code quality', 'better security' and 'better programming paradigms' competed and attempted to take its place. If after 25 years, none of those 'better' ones was able to prove itself !actually! better to the end users in any visible way, then it means that WordPress WAS the better one.
At this point you will definitely think "Oh, but the people dont know about good code quality".
They don't. And they don't have to know. They know what reflects on their websites, businesses, actual livelihoods. Those who use WordPress are not disattached MBAs managing gigantic organizations. They are people whose lives actually hang on those websites and ecommerce sites. What the software does actually dictate their income, their livelihoods.
For that reason they absolutely don't care about any esoteric programming paradigm or code quality which is !supposed! to impact their livelihoods greatly, but for some reason, it just doesn't. Definitely not to the degree that the proponents of criticism like yours think it does.
Only WordPress came forward as the software that cares about those end users' websites, businesses, livelihoods, by prioritizing them instead of 'good quality code' or programming paradigms and protecting backwards compatibility as if the existence of the world depended on it.
Whereas all the other competing software and even actual services including large tech giants on the other hand, literally played with people's livelihoods by introducing backwards incompatible versions in the name of 'better code and programming' - breaking the websites and shops that those people's lives depended on.
And it turns out that you can break someone's website or ecommerce site by introducing backwards incompatible updates once, twice, and a third time you wont be able to do that because that person will have moved on to a software that doesn't play with his livelihood like it was a little hobby project.
That's precisely why WordPress won. While in mid 2000s all the competitors were breaking their users' websites by pushing out backwards-incompatible versions, WordPress fought tooth and nail to protect backwards incompatibility.
The result is trusting users and a gigantic ecosystem of plugins and themes that allows anyone to do literally anything they want. People became able to just click a button to install a plugin and make literally complex features happen.
What was happening on the side of competitors during that period? Well, they were forcing people to write entire freaking modules just to add one measly form on their websites. Because, 'coding paradigms'.
That's why the flower shop owner somewhere in Oregon runs his local flower business on his WordPress site and the notable anime blogger somewhere in Tokyo is on WordPress more than 15 years. WordPress treats their websites with care, knowing that those sites and shops are actually those people's homes on the Internet, and refrains from breaking anything or doing anything that could impact those people negatively in the name of 'better paradigms'.
Speaking of better paradigms, is there any yet?
Back in mid 2000s OOP was the end-all-be-all. Everything had to be OOP. All the cacophony even forced WordPress to introduce objects everwhere around its code. Because, 'better paradigms', right.
And then a few years later suddenly functional programming is much better! Or, half of the programmers say so. Suddenly everyone is going in the other direction, whereas the die-hards of OOP still insist that it is 'the thing'.
It was just a few years ago that hooks in React were going to change everything. Everybody! Move to hooks! Then it just turns out that hooks aren't so good after all. Literaly 2 year fad. Also everyone has to move to React or some other bloated framework, because, you know, you have to have a 'modern' frontend, right. Then suddenly people start saying that maybe not everything needs that much dom manipulation after all, and rendering everything on the server and serving the user something that his or her device can handle is much better. Who would have thought. But all of these cacophony forced even WordPress to adopt some React. Because, 'modern', you know...
So this kind of programming fads even impacted WordPress, but WordPress still spent the effort to avoid any of those fads from breaking people's websites.
And that's why its 50% of the web and 30% of all ecommerce today. Because it prioritizes its users and their livelihoods. As opposed to programming fads and elitism.
...
Make no mistake - this paradigm does not only cripple the competitors of WordPress. It also cripples software industry in general, including tech giants. Living in our own world, thinking that the paradigms we have in programming are all important for everyone as opposed to just a fraction of our modern tech jobs, we prioritize the wrong things instead of prioritizing the actual users of the software and their livelihoods. Leading to literally crippling people's websites, apps and kicking their livelihood in the butt, losing them to whichever ecosystem that does not do such neglectful and out-of-touch things. An excellent example of this is shown by Google. It turns out even being a top tech giant does not allow one to avoid the repercussions of not prioritizing the users and instead playing with their livelihoods as if they were pet projects.
You repeat the same things over and over again, but I’m afraid I didn’t make myself clear enough: this is not about Wordpress not adhering to some coding standard. All those shop owners and bloggers you talk about have been affected, often badly, by crass vulnerabilities, SQL injections, malware, and security issues in obscure features enabled by default. In a lot of cases, this was the direct result of straight-out incompetence on behalf of the Wordpress maintainers and plug-in authors.
Wordpress is a single, glaring, liability. It indirectly prevents improvements to other people’s code; encourages proliferation of outdated and insecure code outside of the WP ecosystem; and causes increasing friction with the rest of the world (just look at projects like this one, which attempts to contain all of Wordpress‘ weirdness as much as possible). Just because Wordpress filled the CMS niche decades back and has a huge ecosystem moat now, still doesn’t mean it’s a good solution. It’s a chicken and egg problem, and all this fussing about caring about their users misses the point. Other people care about their users and deliver rock-solid software too, they just don’t fit in your narrative.
This isn’t about adhering to some highly ideal, but protecting those very people you care about.
I’m not going into the rant on cloud providers you seem to veer to, however. I’ve also made my points in other comments already.
> All those shop owners and bloggers you talk about have been affected, often badly, by crass vulnerabilities, SQL injections, malware, and security issues in obscure features enabled by default
That goes for all software that reaches a certain usage. There are no exceptions, including WordPress competitors.
Is there any actual study backed by actual data which demonstrates that WordPress is any more vulnerable than ANY other software that is widely used? Like, taking into account Windows computers that may be rarely connected to the Internet or taking into account how the entire Linux server ecosystem is run by sysadmins and not end users like WordPress? And then comparing the security cases in all of those software to the WordPress and actually demonstrating by data that WordPress is more vulnerable?
OF course not. All this criticism stems from the fact that WordPress security situations are more frequently encountered and publicized instead of any objective comparison. Which should have indicated that the entire ecosystem has a very good practice of vigorously tracking, publicizing and fixing these vulnerabilities and that should have been a point of praise, but no. Instead, baseless criticism is directed at it without taking into account that it is used in HALF of all the websites on the planet and even more importantly, actual end users.
Additionally most of those vulnerabilities come from the plugins in the ecosystem. Not WordPress. This is without counting in the fact that WordPress is hosted mostly on consumer web hosts whose security may affect the software itself.
And there is a very good reason for that - WordPress allows users freedom to do whatever they want. More than allowing it, people DEMAND it and they get it. Because that's how they can do what they want to do with their website or shop. Therefore its pretty common for a user to configure his or her website in an insecure fashion despite all warnings, guides and setup wizards that advise against such things. You cannot prevent people's freedom in their own website when they are hosting it themselves.
In contrast, Wordpress sites and shops that are hosted in managed services run without such security issues. Neither CNN's website or Reuters' website that runs on managed WP hosting gets hacked. Nor the millions of websites that run on other managed services.
There is a tradeoff in letting users do what they want and limiting what they do. Letting users do what they want looks like it introduces risk, but it also enables anyone to do anything.
And that's precisely why all those users are STILL on WordPress. Including the ones who got their sites hacked multiple times. They didnt move on to a 'more secure' software. They didnt move on to a 'more secure' SaaS, they didnt move anywhere.
> In a lot of cases, this was the direct result of straight-out incompetence on behalf of the Wordpress maintainers and plug-in authors.
This looks like singling out WordPress ecosystem in totally discriminatory fashion. How was the security situation with Windows? Top tech giant's software? What about actual intelligence agencies that conduct actual cyberwarfare and spend trillions on it?
All of them got hacked. All of them got security vulnerabilities. Despite the latter being a very specific, very narrow band of activity to boot. Nothing like WordPress enabling innumerable things to be done on its platform.
> Just because Wordpress filled the CMS niche decades back and has a huge ecosystem moat now
If WordPress was not good enough, it would not have filled the CMS 'niche' DECADES back and it wouldnt have a huge ecosystem now.
Leaving aside that it sounds outright absurd to call 50% of the web and 30% of ecommerce 'niche'...
> Wordpress is a single, glaring, liability. It indirectly prevents improvements to other people’s code; encourages proliferation of outdated and insecure code outside of the WP ecosystem
All of those are patently false. Sorry, but if you dont know enough about the ecosystem, dont make grandstanding statements on it:
The majority of the plugins in WP ecosystem do not interact with WP code directly and instead use hooks and filters. Thats it. Nothing else. They are freaking hooks and filters that allow you to do things with whatever passes through them. So there is nothing about 'Wordpress code enabling insecurities'. In reality, WordPress actively encourages people to use hooks and filters and to avoid doing anything directly with the WordPress code itself.
...
At this point Ill leave this discussion. You are basically ranting on literally scarce knowledge of the topic you have very strong sentiments about. That's not a basis for rational discussion.
A lot of Wordpress' problems are negative externalities that impact others more than the site owner and there is no liability for the site owners if their compromised site starts serving malware, SEO spam or leaks their e-commerce orders DB with all customers' details, thus such impact is not considered when choosing this disgrace of a platform.
Same goes for Windows. Same goes for every single major tech service. We read major security flops that expose millions' data from every major tech service every other day. Why should WordPress be singled out for anything other than just baseless elitist ire.
> this disgrace of a platform
It looks like this needs to be hammered home: That disgrace of a platform is running 50% of the web and 30% of all ecommerce websites. And every year it adds 3% on top of those percentages.
If 50% of the internet runs on something, its not the platform that runs it that's the disgrace - its the baseless elitism that targets it. The very emotional nature of the selection of your words demonstrate the irrationality of the criticism.
...
If its good for CNN's websites, its good for anyone's website. That's that.
Windows has significantly improved since its early days - the Windows you're talking about would be at best unpatched Windows XP.
> Same goes for every single major tech service. We read major security flops that expose millions' data from every major tech service every other day.
Disagreed. Find me any tech service anywhere similar to WP's scale that can be compromised in a fully automated manner and where the exploits are of the same kind over and over again? Wordpress is Windows XP scale of vulnerability in 2023.
> Why should WordPress be singled out for anything other than just baseless elitist ire.
I'm not sure anyone is singling out WP? Every stupid data breach gets called out. The problem with WP is that it's prone to the same kinds of vulnerabilities over and over again - outdated, bad development practices/standards that make writing secure code difficult and a language/runtime that is itself flawed in its most common configuration (uploading a malicious file is a non-issue in every non-PHP application because your app server doesn't automatically execute said file - except in PHP where if the file ends in .php and is in the web root your server will happily execute it).
> That disgrace of a platform is running 50% of the web and 30% of all ecommerce websites
A significant chunk of people smoke tobacco, doesn't necessary mean it's good for you. As I mentioned previously, if the drawbacks of WP mostly impact other people and there isn't a clear liability path to the original operator, those drawbacks won't be priced in and thus if WP appears cheaper it will be popular.
> Windows has significantly improved since its early days - the Windows you're talking about would be at best unpatched Windows XP.
Same for WordPress.
> the exploits are of the same kind over and over again?
There is nothing that anyone can do for websites that people put up and abandon. They are not updated, and they would naturally get compromised.
> Disagreed. Find me any tech service anywhere similar to WP's scale that can be compromised in a fully automated manner
Find me any totally customizable service or software that is under your own total control, which you can just set up anywhere on the Internet as your OWN property and abandon it if you would just feel like it...
> I'm not sure anyone is singling out WP? Every stupid data breach gets called out
There are multitudes of comments that specifically single out WP in the post's comment thread. Including this very thread that you are on.
> The problem with WP is that it's prone to the same kinds of vulnerabilities over and over again
That's just flat out false.
> outdated, bad development practices/standards that make writing secure code difficult and a language/runtime that is itself flawed
Ah, its not just WordPress animosity, its also PHP animosity. Which, runs 80% of all websites on the planet in turn. And with hollow arguments of 'good practices'.
There absolutely isnt one single software that gets THIS widely used without noticeable amount of security cases. This includes 'good practice' software.
And again, I said this before and Im saying it again: WHERE is that objective study that compares WordPress with other software in regard to vulnerabilities, taking into account 'good practices' and use cases? Like taking into account Windows computers that are scarcely connected to the Internet or taking into account how the majority of Linux servers are run by sysadmins and not end users?
Nowhere.
There is one universal, dumb concept of 'security vulnerability' and it applies universally without taking into account anything. As a result, the random website that a site owner has abandoned getting compromised by an NON-UPDATED plugin is the same with a freaking internet-wide used web server software getting hacked or a major tech service leaking millions of users' data out.
Totally un-objective.
> (uploading a malicious file is a non-issue in every non-PHP application because your app server doesn't automatically execute said file - except in PHP where if the file ends in .php and is in the web root your server will happily execute it).
No it doesnt. Dont make up falsities. PHP executes files how you configure it to. Another case of configurability and total customizability. If you give the users to customize something, there will be those who customize it in bad ways. Its as simple as that.
> A significant chunk of people smoke tobacco, doesn't necessary mean it's good for you
Unintelligible comparison. Totally absurd.
> if the drawbacks of WP mostly impact other peopl
They dont. You are literally projecting your subjective opinions that are totally free of any objective, data-backed comparison.
> those drawbacks won't be priced in and thus if WP appears cheaper it will be popular.
That doesnt even make sense. All the legal liabilities of site owners, ecommerce site operators, any kind of business person are on them. They dont go away because some software is open source. And if all of those people are still on WordPress, it means that there is no such 'drawback to be priced in' as you so baselessly claim.
...
It just ended up as another string of uninformed, personal & subjective opinions posing as truisms. No data backed comparison, no self-contained, coherent logic, just bashing on what's popular. You even proposed things PHP doing certain things because people CONFIGURE it so as 'bad things'.
I'll just remind you that the case of WordPres is the same with any case in which you give people total control and total customizability - some people will f*ck up some segment of it whereas multidudes more people use it properly. It wouldn't be any different if you gave people totally customizable cars.
Ill leave you to your subjective biases at this point. Baseless arguments actually only backed by elitism and hate of what has become popular...
Not as much - WP favours backwards compatibility (or is it laziness?) even when doing so impacts security.
Another problem is that the environments Wordpress targets are inherently vulnerable - while it's not WP's fault directly, they do nothing to warn people against using them nor outright stop supporting broken, insecure configurations.
> There are multitudes of comments that specifically single out WP in the post's comment thread. Including this very thread that you are on.
I was talking about publicized data breaches in general. But if we specifically talk about CMSes, I'm not sure anything else beats Wordpress and similar PHP-based CMSes of that era when it comes to not just the amount of vulnerabilities, but especially the nature of them - the same, dumb, basic problems resolved in every other language (including modern PHP with a framework such as Laravel) repeated over and over again.
> WHERE is that objective study that compares WordPress with other software in regard to vulnerabilities
Someone posted the following excerpt of the Wordpress codebase: https://github.com/WordPress/WordPress/blob/master/wp-includ... which appears to be some custom attempt at simulating SQL query parameterization instead of using the actual, database-driver-provided function. If this is indeed the purpose of that function and it is indeed used, then I'm not sure there is any valid excuse for this in today's day and age.
Someone else mentioned password hashing still relying on MD5 - if that is actually true, I'm not sure that is excusable either? I haven't done PHP for many years now, but surely even if the native functions aren't available, couldn't they use a "polyfill" such as https://github.com/ircmaxell/password_compat ?
I'm sure there are many other issues but frankly the first one should be enough for any competent developer to run away.
> No it doesnt. Dont make up falsities. PHP executes files how you configure it to.
I was with you until this, but now I think you're arguing in bad faith.
Yes, if you want to be pedantic, PHP and your web server execute files like how you configure them to. In practice, the environment where the vast majority of Wordpress sites are deployed (your typical shared hosting environment) will execute anything that ends with .php and is in the web root.
This is inherently a legacy PHP problem (which WP encourages by supporting it) - no other language that I know of does this by default. If I accidentally store a malicious file in Python, Ruby, Node.js, etc applications, the worst that will happen is that I serve it back. At no point what so ever the server itself will execute that file.
Yet in the PHP environments Wordpress targets, this is a massive issue which means every single feature handling file uploads (both in WP core and any plugins) should anticipate your server's misconfiguration (maybe it's not limited to .php files, but .html files too?) and try to protect against it, eventually failing and then you get yet another Wordpress vulnerability.
At this point you will definitely think "Oh, but the people dont know about good code quality".
They don't. And they don't have to know. They know what reflects on their websites, businesses, actual livelihoods. Those who use WordPress are not disattached MBAs managing gigantic organizations. They are people whose lives actually hang on those websites and ecommerce sites. What the software does actually dictate their income, their livelihoods.
For that reason they absolutely don't care about any esoteric programming paradigm or code quality which is !supposed! to impact their livelihoods greatly, but for some reason, it just doesn't. Definitely not to the degree that the proponents of criticism like yours think it does.
Only WordPress came forward as the software that cares about those end users' websites, businesses, livelihoods, by prioritizing them instead of 'good quality code' or programming paradigms and protecting backwards compatibility as if the existence of the world depended on it.
Whereas all the other competing software and even actual services including large tech giants on the other hand, literally played with people's livelihoods by introducing backwards incompatible versions in the name of 'better code and programming' - breaking the websites and shops that those people's lives depended on.
And it turns out that you can break someone's website or ecommerce site by introducing backwards incompatible updates once, twice, and a third time you wont be able to do that because that person will have moved on to a software that doesn't play with his livelihood like it was a little hobby project.
That's precisely why WordPress won. While in mid 2000s all the competitors were breaking their users' websites by pushing out backwards-incompatible versions, WordPress fought tooth and nail to protect backwards incompatibility.
The result is trusting users and a gigantic ecosystem of plugins and themes that allows anyone to do literally anything they want. People became able to just click a button to install a plugin and make literally complex features happen.
What was happening on the side of competitors during that period? Well, they were forcing people to write entire freaking modules just to add one measly form on their websites. Because, 'coding paradigms'.
That's why the flower shop owner somewhere in Oregon runs his local flower business on his WordPress site and the notable anime blogger somewhere in Tokyo is on WordPress more than 15 years. WordPress treats their websites with care, knowing that those sites and shops are actually those people's homes on the Internet, and refrains from breaking anything or doing anything that could impact those people negatively in the name of 'better paradigms'.
Speaking of better paradigms, is there any yet?
Back in mid 2000s OOP was the end-all-be-all. Everything had to be OOP. All the cacophony even forced WordPress to introduce objects everwhere around its code. Because, 'better paradigms', right.
And then a few years later suddenly functional programming is much better! Or, half of the programmers say so. Suddenly everyone is going in the other direction, whereas the die-hards of OOP still insist that it is 'the thing'.
It was just a few years ago that hooks in React were going to change everything. Everybody! Move to hooks! Then it just turns out that hooks aren't so good after all. Literaly 2 year fad. Also everyone has to move to React or some other bloated framework, because, you know, you have to have a 'modern' frontend, right. Then suddenly people start saying that maybe not everything needs that much dom manipulation after all, and rendering everything on the server and serving the user something that his or her device can handle is much better. Who would have thought. But all of these cacophony forced even WordPress to adopt some React. Because, 'modern', you know...
So this kind of programming fads even impacted WordPress, but WordPress still spent the effort to avoid any of those fads from breaking people's websites.
And that's why its 50% of the web and 30% of all ecommerce today. Because it prioritizes its users and their livelihoods. As opposed to programming fads and elitism.
...
Make no mistake - this paradigm does not only cripple the competitors of WordPress. It also cripples software industry in general, including tech giants. Living in our own world, thinking that the paradigms we have in programming are all important for everyone as opposed to just a fraction of our modern tech jobs, we prioritize the wrong things instead of prioritizing the actual users of the software and their livelihoods. Leading to literally crippling people's websites, apps and kicking their livelihood in the butt, losing them to whichever ecosystem that does not do such neglectful and out-of-touch things. An excellent example of this is shown by Google. It turns out even being a top tech giant does not allow one to avoid the repercussions of not prioritizing the users and instead playing with their livelihoods as if they were pet projects.
https://steve-yegge.medium.com/dear-google-cloud-your-deprec...