by MathMonkeyMan 636 days ago
I wonder to what extent that can be attributed to its ubiquity versus its quality. I've never worked with WordPress.

For example, I notice that most of the automated "attacks" on my server are WordPress related. Is its defect rate significantly higher than other systems', or is it just that if you're going fishing you should bait for the most common fish? PHP and Apache come up a lot too.

4 comments
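One way to actually measure the split the comment above asks about, added here as an example and not code from the thread: parse web-server access log lines, bucket each request as a WordPress-specific probe, some other generic probe, or ordinary traffic, and report which share of the probe traffic is WordPress-related and which sources sent it. The sample log lines, IPs and timestamps are constructed for the example; the probe path lists are short and illustrative, not exhaustive.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in Apache/nginx "combined" format (not real
# traffic; addresses are from the RFC 5737 documentation ranges). The last line is
# deliberately malformed to show how unparsable input is handled.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:03:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2024:03:15:10 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 0 "-" "curl/8.1"
198.51.100.23 - - [10/May/2024:03:15:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "curl/8.1"
192.0.2.9 - - [10/May/2024:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:03:16:05 +0000] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2024:03:16:06 +0000] "GET /wp-admin/?x=1 HTTP/1.1" 404 0 "-" "python-requests/2.31"
this line is not in combined log format
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefixes that only make sense against a WordPress install (illustrative list).
WP_PREFIXES = ("/wp-login.php", "/xmlrpc.php", "/wp-admin", "/wp-content",
               "/wp-includes", "/wp-json")
# Commonly scanned paths that are not WordPress-specific (illustrative list).
GENERIC_PROBE_PREFIXES = ("/phpmyadmin", "/.env", "/.git", "/cgi-bin")


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Bucket a request path: 'wordpress', 'other-probe', or 'normal'."""
    # Drop any query string and compare case-insensitively; scanners vary the case.
    p = path.split("?", 1)[0].lower()
    if p.startswith(WP_PREFIXES):
        return "wordpress"
    if p.startswith(GENERIC_PROBE_PREFIXES):
        return "other-probe"
    return "normal"


def summarize(log_text):
    """Count requests per category and collect the source IPs seen in each category.

    Lines that do not parse are counted under 'unparsed' rather than silently dropped.
    """
    by_category = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            by_category["unparsed"] += 1
            continue
        cat = classify_path(rec["path"])
        by_category[cat] += 1
        sources[cat].add(rec["ip"])
    return {"by_category": by_category, "sources": dict(sources)}


def wordpress_share(log_text):
    """Fraction of probe traffic (WordPress + other probes) that targets WordPress paths.

    Returns 0.0 when no probe traffic was seen, so callers never divide by zero.
    """
    counts = summarize(log_text)["by_category"]
    probes = counts["wordpress"] + counts["other-probe"]
    return counts["wordpress"] / probes if probes else 0.0


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for cat, n in sorted(report["by_category"].items()):
        print(f"{cat:12s} {n:4d}  sources={sorted(report['sources'].get(cat, []))}")
    print(f"WordPress share of probe traffic: {wordpress_share(SAMPLE_LOG):.0%}")
```

Run against a real access log, the same two numbers (the WordPress share of probe traffic and the set of sources behind it) let you tell whether the volume is about WordPress specifically or just about whatever is most common; a host that does not run WordPress at all will still see these paths, which is the point the comment is making.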

Way back in 2013, Matt Cutts from Google said in a talk:

“WordPress takes care of 80-90% of the mechanics of Search Engine Optimization (SEO)”

Agencies really latched onto that!

SEO was the new hotness.

An industry was then built around WordPress.

Clients would hear that it was the best at SEO, and they wanted a CMS they could update themselves.

Agencies could churn out variations of the same WordPress site and plugin stack, and then charge clients for ongoing hosting and maintenance fees to keep it updated.

Then there are all the plugins that get added depending on the whims of the 'developer' at the time.

The WordPress website then languishes when the agency or dev vanishes, WordPress gets hacked, and the client gets charged again.

The WP GUI builder plugins are a whole separate hellscape all to themselves!

It's like any other system designed to be used by people that are not technically savvy. Lots of things have default values that are not sane. That's why the script kiddies hit every server they can with known defaults and vulns. Otherwise, it's like any other publicly facing internet server in that it takes maintenance with patches and updates and being informed on what you're running and changes being made.

So because the majority of users are not savvy, it's become a cesspool. Then you read about it on a tech forum like HN and it is derided as an inferior product rather than allowing improper use by the user/operator.

I had an interview last week for a company doing WordPress stuff, and their tech lead, a computer science guy, said their next project was a monitoring tool running unit tests in production to understand the health of the app.

It's not only the non-tech-savvy; even CS guys become trash when they get too close to WP.

> I wonder to what extent that can be attributed to its ubiquity versus its quality

Its quality is astonishingly bad. It was clearly developed by someone who didn't even have a basic understanding of relational databases. Unless something has changed, plugins and themes can run arbitrary PHP on the server.

Anything ubiquitous is going to be hated. I agree. But WordPress is bad from a fundamentals perspective.

I think your response can be said of any application made before now.
There are degrees of bad. All code bases are bad.

But I've been writing web software for 30 years and WordPress is among the worst mainstream applications. It's worse than its PHP competitors at the time, and it's worse than Ghost and many of the competitors that came after it.

You can't just dismiss all criticism of the past because it was the past. Some people wrote worse software than others in the past, just as they do today.

Personally, I think a big issue is the insistence on keeping everything backwards compatible for as long as possible. It becomes a burden. At some point you have to accept making substantial changes in order to improve the situation, but it's not going to happen in the WP ecosystem because that's one of their selling points.
It shows the code base rarely matters compared to user adoption.
Excuse me. phpwiki did exist before MediaWiki and WordPress, and allowed no custom PHP in plugins and themes. It was all safe. Already 20 years ago.

And as "worse is better" predicted, all the new ones went insecure, with fewer features, but nicer-looking themes.

I run my own WordPress server for a blog, and IMO it's basically fine if you use reasonable deployment management practices and don't install 500 random crap plugins and themes. The basic install is about as bulletproof as it gets in the mainstream web software business.

I don't particularly love PHP, but you don't need to touch it if you don't try to write any plugins. Yes, some of its practices are pretty wacky, like every plugin having full access to the filesystem and database to do basically anything, and the system expecting to be able to update code files in place from web requests, but meh, just give it its own $5 server and let it do its thing, and definitely be very careful which plugins you use and how you get them.

What you get in return for this is a perfectly fine CMS that anyone with basic computer skills can run. Yeah, static site generators are cool and all that from a tech expert's perspective, but nobody who isn't a tech expert can actually do anything with them, and oh, by the way, the ability to make any changes at all typically involves at the very least SSH access to the host server with full write permissions.