by firecall 631 days ago
> Automattic CEO and WordPress co-creator Matt Mullenweg unleashed a scathing attack on a rival firm this week, calling WP Engine a “cancer to WordPress.”

In my experience, WordPress itself could be called a Cancer to the Web.

The amount of new clients I've picked up who needed help rescuing broken and malware-ridden WordPress sites is... well, it's more than I'd like as I really do not enjoy WordPress LOL


That's on the customers. I used to work at a shop that used WP and it was a huge force multiplier. We were WP Engine customers and at some point we moved to Pantheon.io and then we moved to a static site with an internal-only WP frontend for content editors.

We had 2 developers, a PM, 20-30 content writers and $5B ARR. Websites were strictly for marketing/leadgen. Even when we switched to building a static site, we still had our content editors write markdown in WordPress because it was easier to do that and pull all of the content from the database on deploy than train them.

The absolute worst part of being a WP Engine customer was being on Linode and the yearly Christmas Eve DDoS.

> That's on the customers

No that’s on the various design agencies that sell “custom websites” and instead they just slap together a $59 theme and a dozen plug-ins. Most customers don’t know shit about the web and they just trust the agency to do a professional job. And in my 10+ years of experience as a freelancer I’ve seen plenty of agencies taking advantage of clients.

WordPress has the same problem as PHP: it's too easy to do what you want the wrong way. The right way is great, but the wrong way is easier, cheaper, more common, more documented, etc.

Totally agree.

WordPress used as a CMS where you build everything from scratch using built-in functions and the absolute minimum number of plugins (in my experience it was exactly 1, ACF) can generate sites that are solid.

I have projects I built a decade ago that are still online, are still running and haven't been hacked.

The problem is that the overwhelming majority of WP sites aren't built like that. Because "there's a plugin for that". And you end up with these monster sites with dozens of plugins, each importing their own scripts and styles, all injecting their own crap, all bringing in their own issues. And you use those on kitchen-sink style themes that are designed to do everything and end up doing nothing well.

But that's the inevitable result when you lower the barrier to the point where one can just click buttons and install whatever.

Supply and demand.

These businesses exist and operate the way they do because of customer desires. The customers could hire better agencies but for a number of reasons don't.

Sorry but saying that it’s “customer desire” is nonsense. Most customers don’t have the skills to judge the work they receive. They know they need something done. They trust someone. How are they supposed to know if what they got was subpar? It’s like that in every profession. You have to trust that the person on the other side is professional and more often than not they’re not.

> Websites were strictly for marketing/leadgen.

So they weren't web sites but spam.

What I'm curious about though is if your former workplace still exists or is now AI generating the spam...

That’s pretty unfair. Most of the work I do can be considered “marketing” since it’s corporate sites and portfolios. Businesses need to have an online presence of some sort and someone has to create one for them. Not everything is SEO spam.

> it’s corporate sites and portfolios

Oh wait. You used "corporate sites and portfolios". The OP used the generic "content" though. There's a difference.

OP said “Websites were strictly for marketing/leadgen” which is just marketing sites. But pretty much all business sites are marketing. If you don’t have an e-commerce and you’re not a SaaS of some sort, you have a marketing site. It’s there for visibility and to provide information.

Not spam at all. I just don't want to be so obvious about what the business was, even though I've mentioned it in the past.

Think top 10 keywords space and spanning about 4-5 of them.

It's the largest business in its space and a major national advertiser both digitally and traditionally. You have seen their ads on the street, on TV, on websites and on Youtube.

Even internationally, you have seen their ads on TV. Big hint.

:) I don't watch TV and run ad blockers online, sorry.

When you're using terms like marketing, leads and content writers, it sounds like a content mill with zero substance. Even if it's "top 10 keywords".

> 2 developers, a PM, 20-30 content writers and $5B ARR

Please tell me that these 30 people weren't the full company generating $5B in annually recurring revenue?

No we had an army of call center folks, case managers, etc. But given the nature of the business there is no sales, only marketing generating revenue.

Basically, no our marketing team didn't turn the coal into diamonds, but obtaining the coal was our team's primary function and 100% our output. We spent several hundred million annually on advertising (roughly the GDP of Tonga!).

> as I really do not enjoy WordPress LOL

me neither but it pays; when we get called, bad things already happened, so it's always an emergency which means we can ask for $400-500/hr to fix it. And there are so many bad WP sites that we can retire on that alone. But let me tell you about OpenCart, Drupal, etc which also are all lovely targets and more niche so higher hourlies!

As someone with a formal verification and static typing background, it is the most terrible crap there is, but it is very good business.

Any recommendations on how you can find that kind of work? I'd personally enjoy it, but I don't know how to break into it without working as a WP dev at an unsustainably-low wage.

> As someone with a formal verification and static typing background, it is the most terrible crap there is, but it is very good business.

May I ask how you find this kind of work? The kinds of orgs with hacked/broken/incompetently-run WP installs don’t tend to be the type of orgs you’d find via professional networking, but by going through the dregs of Craigslist’s gigs pages, no?

I wonder to what extent that can be attributed to its ubiquity versus its quality. I've never worked with WordPress.

For example, I notice that most of the automated "attacks" on my server are WordPress related. Is its defect rate significantly higher than other systems', or is it just that if you're going fishing you should bait for the most common fish? PHP and Apache come up a lot too.
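The comment above asks how much of a server's background noise is WordPress-shaped. As an added example (not code from the thread), this classifier tallies 404 "probes" in combined-format access logs by whether the requested path only exists on a WordPress install, on some other PHP app, or elsewhere; the log lines are constructed samples with documentation IP ranges.

```python
import re
from collections import Counter

# Constructed sample (not from the original post): three WordPress probes, two
# generic probes, two legitimate hits, and one malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2024:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2024:03:14:08 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2024:03:14:09 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2024:03:20:41 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [12/Sep/2024:03:20:42 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.55 - - [12/Sep/2024:08:02:13 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Sep/2024:08:02:14 +0000] "GET /blog/post-1 HTTP/1.1" 200 8192 "https://example.com/" "Mozilla/5.0"
malformed line that should be skipped
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Paths that only make sense on a WordPress install; on a host that does not run
# WordPress, a 404 for any of these is automated scanning, not a real visitor.
WP_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'^/wp-login\.php', r'^/xmlrpc\.php', r'^/wp-admin(/|$)', r'^/wp-content/',
    r'^/wp-includes/', r'^/wp-json(/|$)', r'wp-config\.php',
)]
PHP_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r'phpmyadmin', r'\.php(\?|$)')]


def classify_path(path: str) -> str:
    """Bucket a request path as 'wordpress', 'php_generic', or 'other'."""
    if any(p.search(path) for p in WP_PATTERNS):
        return "wordpress"
    if any(p.search(path) for p in PHP_PATTERNS):
        return "php_generic"
    return "other"


def parse_line(line: str):
    """Return (ip, path, status) for a combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def summarize(log_text: str) -> dict:
    """Count requests per category and, separately, 404 'probes' per category."""
    by_category, probes, wp_sources = Counter(), Counter(), Counter()
    parsed = skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep going; one bad line should not abort the tally
            continue
        parsed += 1
        ip, path, status = rec
        cat = classify_path(path)
        by_category[cat] += 1
        if status == 404:         # a request for something this server does not serve
            probes[cat] += 1
            if cat == "wordpress":
                wp_sources[ip] += 1
    total_probes = sum(probes.values())
    return {
        "parsed": parsed, "skipped": skipped,
        "by_category": by_category, "probes": probes,
        "wp_share_of_probes": probes["wordpress"] / total_probes if total_probes else 0.0,
        "wp_sources": wp_sources,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"parsed={report['parsed']} skipped={report['skipped']}")
    for cat, n in report["probes"].most_common():
        print(f"404 probes for {cat:12s}: {n}")
    print(f"share of 404s that are WordPress-shaped: {report['wp_share_of_probes']:.0%}")
    for ip, n in report["wp_sources"].most_common(5):
        print(f"  {ip} sent {n} WordPress probes")
```

Feed it a real access log (`summarize(open(path).read())`) to get the base rate the comment wonders about; the `wp_sources` counter is also a reasonable input for a block list.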

Way back in 2013, Matt Cutts from Google said in a talk:

“WordPress takes care of 80-90% of the mechanics of Search Engine Optimization (SEO)”

Agencies really latched onto that!

SEO was the new hotness.

An industry was then built around WordPress.

Clients would hear that it was the best at SEO, and they wanted a CMS they could update themselves.

Agencies could churn out variations of the same WordPress site and plugin stack, and then charge clients for ongoing hosting and maintenance fees to keep it updated.

Then there are all the plugins that get added depending on the whims of the 'developer' at the time.

The WordPress website then languishes when the agency or dev vanishes, WordPress gets hacked, and the client gets charged again.

The WP GUI builder plugins are a whole separate hellscape all to themselves!

It's like any other system designed to be used by people that are not technically savvy. Lots of things have default values that are not sane. That's why the script kiddies hit every server they can with known defaults and vulns. Otherwise, it's like any other publicly facing internet server in that it takes maintenance with patches and updates and being informed on what you're running and changes being made.

So because the majority of users are not savvy, it's become a cesspool. Then you read about it on a tech forum like HN and it is derided as an inferior product rather than allowing improper use by the user/operator.

I had an interview last week for a company doing WordPress stuff, and their tech lead, a computer science guy, said their next project was a monitoring tool running unit tests in production to understand the health of the app.

It's not only the non-tech-savvy, even CS guys become trash when they go too close to WP

> I wonder to what extent that can be attributed to its ubiquity versus its quality

Its quality is astonishingly bad. It was clearly developed by someone who didn't even have a basic understanding of relational databases. Unless something has changed, plugins and themes can run arbitrary PHP on the server.

Anything ubiquitous is going to be hated. I agree. But WordPress is bad from a fundamentals perspective.

I think your response can be said of any application made before now.

There are degrees of bad. All code bases are bad.

But I've been writing web software for 30 years and WordPress is among the worst mainstream applications. It's worse than its PHP competitors at the time, and it's worse than Ghost and many of the competitors that came after it.

You can't just dismiss all criticism of the past because it was the past. Some people wrote worse software than others in the past, just as they do today.

Personally I think a big issue is the insistence on keeping everything as backwards compatible for as long as possible. It becomes a burden. At some point you have to accept making substantial changes in order to improve the situation, but it’s not going to happen in the WP ecosystem because that’s one of their selling points.

It shows the code base rarely matters compared to user adoption.

Excuse me. phpwiki did exist before mediawiki and wordpress, and allowed no custom PHP in plugins and themes. It was all safe. Already 20 years ago.

And as "worse is better" predicted, all new ones went insecure, with fewer features, but nicer looking themes.

I run my own WordPress server for a blog, and IMO it's basically fine if you use reasonable deployment management practices and don't install 500 random crap plugins and themes. The basic install is about as bulletproof as it gets in the mainstream web software business.

I don't particularly love PHP, but you don't need to touch it if you don't try to write any plugins. Yes, some of its practices are pretty wacky, like every plugin has full access to the filesystem and database to do basically anything, and the system expects to be able to update code files in place from web requests, but meh, just give it its own $5 server and let it do its thing, and definitely be very careful which plugins you use and how you get them.

What you get in return for this is a perfectly fine CMS that anyone with basic computer skills can run. Yeah, static site generators are cool and all that from a tech expert's perspective, but nobody who isn't a tech expert can actually do anything with them, and oh, by the way, the ability to make any changes at all typically involves at the very least SSH access to the host server with full write permissions.

And so nice it looked at the beginning…

Instead of WordPress, what solutions do you use?

Wix, Squarespace, Webflow, Webnode and other WYSIWYG ones are even worse imho.

Are there any non-Node.js or non-React open source CMS that don’t vendor lock you?

Because I feel that WP somehow sucks in details and maintenance, but I can’t find anything comparable without being sucked into development hell. :)

Thanks for suggestions.

After a few years building on WP I switched to https://getkirby.com/ and never looked back.

Thanks. It seems really good. PHP, files and folders instead of db, easy templating, plugins, admin interface built on Vue.js, open source at GitHub and a commercial license as well. Since 2012.

The only issue is to have more themes available, at getkirby-themes_com there are 22 only.

Because it's not designed with a theme approach. It's designed to build custom sites. Themes aren't really a thing inside Kirby because of the tight relationship between the content itself and the admin interface. I like to think of it as an in-between of something like Laravel and WordPress.

I got it. But explain this to people who are spoiled by $59 themes :)

More themes that you can choose from -> more Kirby users -> stability -> more users coming from other solutions etc…

It's an entirely different target audience. Kirby is a tool that's designed mostly for developers, and not really for end users. There's no one-click install, there's no pressing a button to install plugins. And that's by design.

Are the good old PHP CMS dead? Things like Joomla, Dotclear, Drupal …

They are not dead. The reason why WP took the web by storm and Joomla and Drupal became less visible is that WP did a lot of work in instant usability - their 2-minute installation changed the game imho.

WordPress isn't that bad. Okay, the code is kinda messy in some places, but which 25 year old project isn't? And yes, in the early days it was cowboy coding, but those days have been over for more than 15 years.

What "broken and malware ridden WordPress site" typically means is "customer installed a bunch of random plugins from random sites written by teenagers or bozos who don't know what they're doing". And yes, that can screw things up, but that's not really WordPress's fault IMHO.

Maybe it can do more to protect users from this; I don't know. But obviously the plugin ecosystem is a hugely important part of the WordPress platform and you can't just lock that down technically. Just make sure you only install plugins from authors who aren't teenagers or bozos.

I'll add that personally I don't especially like WordPress for various reasons. But at the same time I don't think this is really a fair criticism.

The WP Community - as led by leadership (i.e., MM, Automattic, etc) is fond of bragging about the plugin and theme ecosystem. What they conveniently neglect to mention is how many are shite, many are ok but poorly coded, and only a very few are worth their weight. Even plenty of the premium plugins have performance issues, are sloppy, lack hooks, etc.

And yet, reality is that for many companies, an off-the-shelf CMS is all they need, and all they can afford, and all they can figure out without hiring IT.

Which means, if we want to kill WordPress, we need to offer a better solution. Not just for WordPress, but a coherent system that also reimplements the top hundred or so plugins.

If anyone wants to join me rewriting it in Laravel so we could add a WSL-like layer for WordPress cancer plugins… I don’t know. I wish someone would have the conversation. I don’t even care whether it’s Rust.

> Which means, if we want to kill WordPress, we need to offer a better solution. Not just for WordPress, but a coherent system that also reimplements the top hundred or so plugins.

And a solution for which a typical non-tech business can ask around their family/friends/employees and find someone who's experienced enough to come in for a few hours a week to do typical CMS admin/editorial stuff. And for which there are heaps of easy to find tutorials and YouTube videos which can get someone up to speed enough to keep their own site running, while still spending 95+% of their time making widgets or selling trinkets or whatever their actual business is.

I'm not _that_ much of a fan of WordPress, but WordPress on WPEngine is 100% my initial recommendation for anyone asking about how to run their business website.

(I'd be curious to see a Rust backend API replacement for the WP + top 100 plugins that uses the standard html/frontend, to have the type safety and security Rust is famed for, while being identical in use to WordPress so all the people currently admin-ing WP site wouldn't have to even know it's different. But not curious enough to expend any effort to make it. )

Statamic for Laravel is pretty great for what it does.

I wrote a WYSIWYG CMS for Laravel called Prodigy that I really enjoy but it hasn’t gotten much market pick up.

There’s definitely some thinking in this area on how to move WP users toward Laravel.

Statamic is awesome; watching Jack McDade in person at Laracon last month was great.

However, Statamic is not a WordPress replacement. We need a system that can be installed, with hundreds of themes and plugins available, without touching code. An open-source Squarespace, basically.

Statamic has a role, but not as a WordPress replacement for most people unfortunately…

Drupal is trying for basically this with its Starshot project. It might just work, if they can get enough people to build third-party themes.

> And yet, reality is that for many companies, an off-the-shelf CMS is all they need

Except they don't. A static website would work for 99.9% of all businesses and could be hosted on a potato.

The problem is that marketing wants a website that "Doesn't look embarrassing and has 5 nines uptime."

Translation: "Marketing wants a website that looks completely like our competitors' (because reasons)! But make it completely different (because reasons)! And make sure it's on AWS (because reasons)!"

Response from IT: "Our website results in zero revenue to the company and is a gigantic security problem and spam magnet. And because marketing is involved it's also a headache of a political football. Here's the WP Engine credentials. Now fuck off."

> Response from IT

This is where the mistake was made. Tens, possibly hundreds, of thousands of small businesses do not have an IT department.

Even the business I work in - almost a dozen employees before a single IT guy.

WordPress and Squarespace, and software like them, are the off-the-shelf solutions for them. You sign up for GoDaddy or another shared hosting provider, what do you get? Right now though, Squarespace is eating WordPress’ lunch, and (if you don’t need plugins) is objectively superior in many ways.

We need a modern replacement for WordPress to fulfill that role which won’t make programmers swear, or let closed-source solutions shut out the open ones.

> The problem is that marketing wants a website that

... they can publish and update content without having to get IT involved - just like they did at their last job where the website was WordPress.

Oh, and IT who thinks their company has a marketing department that adds zero revenue to the bottom line needs to go back to their mom's basement or academia. That's just not how the world works.

> Oh, and IT who thinks their company has a marketing department that adds zero revenue

Please reread. I said the website brought zero revenue.

The website for our company never broke 5 digits in total views. I could almost precisely correlate who was looking at our website with who marketing was currently talking to. Scaling was useless. Dynamism was useless. etc.

All resources spent on the website were worse than useless as it took marketing away from doing anything else which could result in revenue.

A lot of businesses are in the same boat where the website brings in zero revenue. A static website would be more than good enough but somebody in the management chain has a "Must Keep Up With The Joneses" streak. And then you wind up on WordPress.

No they can't. You don't roll out technical solutions without IT involvement for obvious security and stability reasons, from hosting, bandwidth charges, auth, security maintenance, cert renewals, https, etc, unless you don't care about any of those things. That's literally IT's job and why the dept exists.

Those concerns are kinda the raison d'être for WPEngine.

For anywhere small enough to not have an IT department, or so large and where the IT department has effectively become obstructionist to other department's jobs, just buy marketing their own WPEngine subscription and let them do their thing.

I think people who work in an "IT Department" sometimes have too narrow a view of the rest of the world. Both ignoring that almost all small and most medium sized businesses do not have an IT department, and also that there are people and departments in their own organisations whose IT needs are real but are not considered a priority by the IT Department.

(Often understandably not the IT department's priority; the people in a bank IT department who're securing financial systems from continuous attacks almost certainly don't consider the HR department's need to set up a quick website for the company BBQ or RUOK day to be a priority. But someone in HR is getting _super_ frustrated at not being able to do the "simple things" they know they could do if IT didn't keep pushing back.)

I'll just ignore the "IT pushback comments", as if we don't have real actual reasons for pushing back against the stupid shit people with no experience think is a good idea.

The main problem, security aside, is when shit goes south (and it will at some point), IT will be asked to handle something they didn't set up, don't know anything about, and will be looked down upon when they can't get it working quickly.

As long as there is ownership of any problems by whomever set it up, yeah, go nuts, but experience also tells me that's never how it works.

Hahaha, I've been in this exact situation. Marketing set up an entire WordPress website unbeknownst to IT. Over a year's worth of effort and they never even mentioned to us they were working on it.

I'm in a monthly directors meeting of all depts and marketing unveils their wonderful website to much applause and oohs and ahhs. They then say, looking at me, "Yes we should be ready to launch in a couple weeks after IT sets up authentication and integrates it with our CRM and mail blast system."

I was so lost for words I just kind of nodded my head, wide-eyed.

The way they had it set up did not allow us to use the same SSO/auth we used for everything else. So users would need a separate account. Their auth system didn't support any kind of MFA. Their plugins were not compatible with our CRM. External accounts would need to be set up manually. They used a different domain thinking they could just change it later but it got so baked into everything that changing it everywhere would be extremely difficult. Their hosting solution was going to cost us a shit ton of money because none of the graphics were optimized for web. Every image was like a 50MB PNG. It did look nice, but nothing was set up in a way that made it compatible with anything we already had in place.

I told marketing there was no way I could make this work and they'd wasted a year's worth of effort by not pulling me in from the get go to at least help them find some sane compatible solutions. "Well, if we can't use SSO, couldn't we just build a spreadsheet with everyone's logins so you could plug that in?" Jfc no.

The CEO/owner sends me a meeting invite and asks me why I'm refusing to work with marketing on their website. I explain that they had decided not to mention any of this to me from the get go and explained the reasons why I couldn't make it work.

I said, "well, technically we could make anything work, but you're going to have to hire a small dev team to integrate this with our CRM. We're going to have to pay a lot more monthly for our CRM because now we need API access (we'd need that either way even if the plugins were compatible) and if you want a team to write some custom integrations for this, you'll need some kind of retainer to make sure they can support it when the plugins change and break everything in unpredictable intervals or the plugins are no longer maintained."

He refused to believe me and basically said "Well I'm not sure why I'm paying you if you can't even get a website to work."

I quiet quit and resigned about a month later. You can imagine the other kind of shenanigans that went on if that was considered acceptable.

This really doesn't sound believable, on your part. You can't run pngquant on the images directory to shrink down the images? Should take 2 seconds of shell script. Honestly a lot of things you mention seem pretty trivial to do... WordPress is so well understood and there are so many utilities and integrations for it, it's one of the simplest things to integrate with something else. This comment sounds like you were mad they made something that the rest of the company wanted and got mad and didn't want to play ball.... could just be misinterpretation over text, who knows.

* yes the images would be an easy fix

* their CRM plugins did not support Salesforce

* even if it did, they didn't realize that was like an extra $1500/month for API connection (something like that), which was also balked at, but just a plain fact

* they already built everything out and changing plugins was not an option

* I have almost no experience with WordPress and 0 time to figure it out alongside the myriad of other projects on my plate

* 0 thought went into authentication and that was also something I couldn't change

* this was not built by a team with WordPress experience, or any technical experience

They said "it's set up like this, make it work". I couldn't, not without dropping everything and hiring someone to do it, and managing a contractor(s) which was also not an option.

> He refused to believe me and basically said "Well I'm not sure why I'm paying you if you can't even get a website to work."

I would quit the moment I was spoken to in that way, if not sooner.

I personally don't like block themes.

Similar experience here. Poorly documented and inflexible.

Yeah I run wp2static on clients, cancel the hosting then push the files to vercel/cloudflare pages/github pages.

A PHP version is vulnerable. If you upgrade it, some plugin breaks. If you manually upgrade the offending plugin, the pesky developer now wants a subscription. Just a no-no. I build on Hugo.

Many (some very large) companies would not allow that route; their marketing team is trained on WP and they specifically implemented it (in the EU this is per country generally) to sidestep the head office enterprise CMS that is unusable and takes days of workflow steps to get anything published; they want more dynamic, not less, and they want less techy, not more.

Why? Hugo is Markdown, child's play. You can use GitHub as a CMS.

I think your question answers itself if you look from the perspective of a non-technical marketing person who's used to WYSIWYG tools, rather than a programmer who's reading a site called Hacker News.

“I need to add an image gallery”

“I need to add and edit multistep forms that send an email to me”

“I need to change one of our social media links”

That can be mostly or entirely self-serve for marketing folks on Wordpress, with all the work happening in their browser. Plus tons of other stuff.

Yes, I know, I use it too. But GitHub is hardly usable by non technical users, nor is Markdown. We are talking about marketing deps of billion$ companies.

There are other plugins that generate static sites. Not sure if they would work for your use case, but worth looking into if you haven't.

Must clarify: not wp2static, but a random plugin breaking on PHP upgrade, sometimes requiring a subscription in new versions.

We had that problem in barebones WP with no plugins at all.

Once we installed a few security plugins, it worked out just fine!

I'd love to get your feedback on https://hub.scroll.pub/. Create new sites in 0.1 seconds. No signup required.

It's a new stack, but it's pretty revolutionary foundation, and as we get some good templates and imrpove the UX, I think it should bring a lot of joy to people who currently suffer with wordpress. It's all open source/public domain. Having started my programming career in Wordpress ~17 years ago, I have been able to take my favorite parts from it and get rid of all the annoying parts (like requiring a database, php/javascript hybrid, etc).