by unity1001 1209 days ago
> All those shop owners and bloggers you talk about have been affected, often badly, by crass vulnerabilities, SQL injections, malware, and security issues in obscure features enabled by default

That goes for all software that reaches a certain usage. There are no exceptions, including WordPress competitors.

Is there any actual study backed by actual data which demonstrates that WordPress is any more vulnerable than ANY other software that is widely used? Like, taking into account Windows computers that may be rarely connected to the Internet, or taking into account how the entire Linux server ecosystem is run by sysadmins and not end users like WordPress? And then comparing the security cases in all of that software to WordPress and actually demonstrating by data that WordPress is more vulnerable?

Of course not. All this criticism stems from the fact that WordPress security situations are more frequently encountered and publicized, instead of from any objective comparison. Which should have indicated that the entire ecosystem has a very good practice of vigorously tracking, publicizing and fixing these vulnerabilities, and that should have been a point of praise, but no. Instead, baseless criticism is directed at it without taking into account that it is used in HALF of all the websites on the planet and, even more importantly, by actual end users.

Additionally, most of those vulnerabilities come from the plugins in the ecosystem. Not WordPress. This is without counting the fact that WordPress is hosted mostly on consumer web hosts whose security may affect the software itself.

And there is a very good reason for that: WordPress allows users the freedom to do whatever they want. More than allowing it, people DEMAND it and they get it. Because that's how they can do what they want to do with their website or shop. Therefore it's pretty common for a user to configure his or her website in an insecure fashion despite all the warnings, guides and setup wizards that advise against such things. You cannot prevent people's freedom on their own website when they are hosting it themselves.

In contrast, WordPress sites and shops that are hosted on managed services run without such security issues. Neither CNN's website nor Reuters' website, which run on managed WP hosting, gets hacked. Nor do the millions of websites that run on other managed services.

There is a tradeoff in letting users do what they want and limiting what they do. Letting users do what they want looks like it introduces risk, but it also enables anyone to do anything.

And that's precisely why all those users are STILL on WordPress. Including the ones who got their sites hacked multiple times. They didn't move on to 'more secure' software. They didn't move on to a 'more secure' SaaS; they didn't move anywhere.

> In a lot of cases, this was the direct result of straight-out incompetence on behalf of the Wordpress maintainers and plug-in authors.

This looks like singling out the WordPress ecosystem in a totally discriminatory fashion. How was the security situation with Windows? Top tech giants' software? What about actual intelligence agencies that conduct actual cyberwarfare and spend trillions on it?

All of them got hacked. All of them got security vulnerabilities. Despite the latter being a very specific, very narrow band of activity to boot. Nothing like WordPress enabling innumerable things to be done on its platform.

> Just because Wordpress filled the CMS niche decades back and has a huge ecosystem moat now

If WordPress was not good enough, it would not have filled the CMS 'niche' DECADES back and it wouldn't have a huge ecosystem now.

Leaving aside that it sounds outright absurd to call 50% of the web and 30% of ecommerce 'niche'...

> Wordpress is a single, glaring, liability. It indirectly prevents improvements to other people’s code; encourages proliferation of outdated and insecure code outside of the WP ecosystem

All of those are patently false. Sorry, but if you don't know enough about the ecosystem, don't make grandstanding statements on it:

The majority of the plugins in the WP ecosystem do not interact with WP code directly and instead use hooks and filters. That's it. Nothing else. They are freaking hooks and filters that allow you to do things with whatever passes through them. So there is nothing about 'WordPress code enabling insecurities'. In reality, WordPress actively encourages people to use hooks and filters and to avoid doing anything directly with the WordPress code itself.

...

At this point I'll leave this discussion. You are basically ranting on the literally scarce knowledge you have of a topic you have very strong sentiments about. That's not a basis for rational discussion.
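As an added illustration of the hooks-and-filters model the comment above describes (this is an example written for this page, not the commenter's code and not a real plugin), here is a minimal plugin that never touches WordPress core: it registers one filter on `the_content`, one action on `init`, and one setting via `admin_init`, and it sanitizes on input and escapes on output at each boundary. The `hx_` prefix, the `hx_notice` option name and the `hx_greet` shortcode are hypothetical names chosen for the example; `add_filter`, `add_action`, `add_shortcode`, `shortcode_atts`, `register_setting`, `get_option`, `sanitize_text_field` and `esc_html` are the standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Hooks-Only Example (illustrative, hypothetical plugin)
 *
 * Everything below hangs off WordPress hooks; no core file is modified.
 */

// Refuse direct HTTP access: the file should only run when WordPress loads it.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Filter: receive the rendered post content and return a modified copy.
 * The option value is admin-supplied (untrusted), so it is escaped on output.
 */
function hx_append_notice( $content ) {
    // Only act on single posts in the main loop, not on excerpts or feeds.
    if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }
    $notice = get_option( 'hx_notice', '' ); // hypothetical option name
    if ( '' === $notice ) {
        return $content;
    }
    return $content . '<p class="hx-notice">' . esc_html( $notice ) . '</p>';
}
add_filter( 'the_content', 'hx_append_notice', 20 );

/**
 * Action: register the shortcode once WordPress has initialised.
 * Shortcode attributes come from post content, so they are sanitized
 * before use and escaped again when rendered.
 */
function hx_register_shortcode() {
    add_shortcode( 'hx_greet', 'hx_greet_shortcode' ); // hypothetical tag
}
add_action( 'init', 'hx_register_shortcode' );

function hx_greet_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'world' ), $atts, 'hx_greet' );
    $name = sanitize_text_field( $atts['name'] );
    return sprintf( '<span class="hx-greet">Hello, %s!</span>', esc_html( $name ) );
}

/**
 * Action: expose the notice as a setting on the General screen. The
 * sanitize_callback runs on every save, so the stored value is already
 * plain text; the esc_html above is the second, output-side defence.
 */
function hx_register_settings() {
    register_setting(
        'general',
        'hx_notice',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hx_register_settings' );
```

The point of the layout is that each piece of plugin code touches data only at a hook boundary: input is sanitized where it enters (the setting's `sanitize_callback`, `sanitize_text_field` on the shortcode attribute) and escaped where it leaves (`esc_html` in both renderers). A plugin that skips either step is still "just hooks and filters"; the hook mechanism itself does not make the code safe or unsafe, which is why plugin quality, not core, is where most of the issues the comment mentions show up.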