You make a good point here, and it's true that I shop around for "the right kind" of client. I read an article some years ago (on HN) about firing terrible clients at the same time we were having trouble with one client in particular. I resolved to never even negotiate with a client that I think is going to cause problems for myself or my team. We haven't looked back, and it's been one of the best decisions I've ever made for the company. When a potential client starts insisting on this magic time/money-saving thing called WordPress even after I explain my concerns, I know that they're probably not a good fit, and I start recommending other developers in the area whom we know do quality work with WordPress. And there is absolutely no shortage of those kinds of developers, so the client will end up getting what they want.

On security, the custom code we have written and deploy for our customers is stuff that I trust, because it's something we built ourselves and are extremely familiar with. Our products also come with a built-in automated "security service" that helps tremendously in keeping us from being the lowest-hanging fruit. Importantly, just not using WordPress immediately shuts down the near-constant traffic on the internet devoted to finding insecure WP deployments. While I completely agree that a WordPress deployment in the right hands can be as secure as anything out there, I don't trust the codebase in general, and certainly not as much as I trust my own code, despite there being a large number of coders sifting through WP. And all bets are always off if an attacker gains entry into the hosting provider.

As a specific example, WordPress doesn't use PDO at all, instead using the mysql_ functions (not even mysqli_). This is a pretty glaring problem from my point of view. The excuse WP core developers have used is that it's basically too tightly coupled to use anything but MySQL (and specifically the mysql_ functions). That's a pretty big red flag to me, when a developer says that their product is too tightly coupled to stop using functions that have been officially deprecated in the language for quite a long time. In fact, the feature request for PDO in WP is a kind of in-joke to outsiders (http://core.trac.wordpress.org/ticket/21663).

Also (and importantly), I don't sell myself as a WordPress developer, but as a custom web and mobile applications developer. I have done this intentionally so that I won't succumb to the temptation to start rolling out quick and dirty WP deployments, but instead focus on providing a custom-built, quality product that I can honestly say they can trust to function well and function securely for a long time to come.
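To make the mysql_ versus PDO point concrete, here is an added illustration (not WordPress code and not the commenter's code) of the same lookup written against the legacy mysql_ family and against PDO with native prepared statements. The table `posts` with columns `id`, `slug` and `title`, and the connection parameters, are assumed for the example.

```php
<?php
// Added example: one query, two database layers.
// Assumptions: a table `posts` (id, slug, title); host/user/password are placeholders.

// 1. Legacy mysql_* style. These functions were deprecated in PHP 5.5 and removed
//    in PHP 7, so this body only runs on PHP 5.x. The SQL text is assembled by
//    string concatenation: safety depends entirely on the developer remembering to
//    escape every value, and the escaping is tied to the connection's charset.
function find_post_legacy($slug)
{
    // mysql_* functions fall back to a global link resource opened by mysql_connect().
    $safe   = mysql_real_escape_string($slug);
    $result = mysql_query("SELECT id, title FROM posts WHERE slug = '$safe'");
    if ($result === false) {
        throw new RuntimeException('query failed: ' . mysql_error());
    }
    $rows = array();
    while ($row = mysql_fetch_assoc($result)) {
        $rows[] = $row;
    }
    return $rows;
}

// 2. PDO with server-side prepared statements. The query text and the parameter
//    travel to MySQL separately, so the value can never be parsed as SQL no matter
//    what it contains. Disabling emulated prepares is what makes this server-side;
//    with emulation on, PDO would quote the value client-side instead.
function pdo_connection()
{
    $dsn = 'mysql:host=db.example.invalid;dbname=app;charset=utf8mb4'; // placeholder host
    return new PDO($dsn, 'app_user', 'placeholder-password', array(
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ));
}

function find_post_pdo(PDO $pdo, $slug)
{
    // The placeholder is part of the statement; the value is bound at execute time.
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE slug = :slug');
    $stmt->execute(array(':slug' => $slug));
    return $stmt->fetchAll();
}

// Usage (requires a reachable database; shown for orientation only):
// $posts = find_post_pdo(pdo_connection(), $_GET['slug']);
```

The legacy version is not automatically injectable, but its safety is a property of each call site rather than of the database layer, which is why a large codebase staying on mysql_ is a maintenance and review burden as much as a direct risk. The mysqli_ extension offers the same bind-and-execute model as PDO and is the other supported route off the removed functions.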