[arp242]

WordPress isn't that bad. Okay, the code is kinda messy in some places, but which 25 year old project isn't? And yes, in the early days it was cowboy coding, but those days have been over for more than 15 years.

What "broken and malware ridden WordPress site" typically means is "customer installed a bunch of random plugins from random sites written by teenagers or bozos who don't know what they're doing". And yes, that can screw things up, but that's not really WordPress's fault IMHO.

Maybe it can do more to protect users from this; I don't know. But obviously the plugin ecosystem is a hugely important part of the WordPress platform and you can't just lock that down technically. Just make sure you only install plugins from authors who aren't teenagers or bozos.

I'll add that personally I don't especially like WordPress for various reasons. But at the same time I don't think this is really a fair criticism.

[chiefalchemist]

The WP Community - as led by leadership (i.e., MM, Automattic, etc) is fond of bragging about the plugin and theme ecosystem. What they conveniently neglect to mention is how many are shite, many are ok but poorly coded, and only a very few are worth their weight. Even plenty of the premium plugins have performance issue, are sloppy, lack hooks, etc.