WordPress is not that evil

Image: @GLady, 2016, Pixabay

WordPress from past to future

WordPress is a CMS (content management system) based on PHP and MySQL and licensed under the GPL. WordPress is fresh software, but its roots and development go back to 2001. Though largely developed by the community surrounding it, WordPress is closely associated with Automattic. Automattic handed the WordPress trademark to the newly created WordPress Foundation, which is an umbrella organization supporting WordPress.org, bbPress and BuddyPress. WordPress is mature and stable software that is actively developed and integrated with current technologies.

Since the early 2000s, when CMS battles took place between software like PHP-Nuke, Post-Nuke and many others, only a few of them have been able to survive, such as WordPress, Drupal and Joomla. Thanks to the CMS features it gained over time, WordPress now dominates among the survivors. WordPress, which has more than 58% market share among content management systems as of 2017, is used by about 27% of all web sites on the Internet.

Can we use WordPress for large companies?

Of course you can. CNN, BBC America, Microsoft News Center, Forbes, Sony, Best Buy, Time Magazine, New York Post, Logitech, Xerox and Walt Disney are not small companies. You can find many others at the links:


Is WordPress safe?

It is a highly contentious claim that open source code is less secure than closed source code. I will only give some specific information on WordPress and PHP, and will not comment on that debate, as there are thousands of resources on the security of open source code.

WordPress has been offering automatic background updates since version 3.7. In other words, your website can be protected against many security vulnerabilities, even some zero-day vulnerabilities, by updating itself.

Note that a proprietary CMS written for you is not that proprietary at all. A company you buy proprietary CMS software from does not actually write every single line of it. They will probably use many libraries, frameworks and other third-party software in their end product. At this point you should ask yourself: do they always publish an immediate patch and update your server when a zero-day vulnerability is discovered in an included library? Now compare that with WordPress security updates.

Another aspect of the issue is that some of the chronic problems are now a thing of the past and some coding bugs matter less than before. There are security vulnerabilities due to coding bugs, but none of them are WordPress-specific. The SQL injection vulnerability of the CMS-battle years, mentioned above, has been largely eliminated thanks to the “prepared statements” support in PHP’s new MySQL extension. We have said “Good bye” to some of PHP’s idiotic SQL escape functions. XSS is still a security issue, but Web Application Firewalls are now more widely used.
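To show what the prepared-statement point means in practice, here is an added example (not code from the article) that runs the same lookup twice: once with the input glued into the SQL text, once with it bound as a parameter. It uses PDO's SQLite driver so it runs without a MySQL server; the binding API is the same for PDO's MySQL driver, and mysqli offers the equivalent with `bind_param()`. The table, rows and the hostile input are constructed for the example.

```php
<?php
// Added example, not from the article: string-built SQL versus a prepared
// statement. SQLite in memory is used only so the script runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, role TEXT NOT NULL)");
$db->exec("INSERT INTO users (login, role) VALUES ('alice', 'admin'), ('bob', 'subscriber')");

// Constructed input of the kind a login or search field could carry.
$input = "x' OR '1'='1";

// Vulnerable form: the value becomes part of the SQL statement itself,
// so a quote in the input changes the meaning of the WHERE clause.
function findByLoginUnsafe(PDO $db, string $login): array
{
    $sql = "SELECT login, role FROM users WHERE login = '" . $login . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement is parsed first and the value is sent
// separately, so it can only ever be compared as data.
function findByLoginPrepared(PDO $db, string $login): array
{
    $stmt = $db->prepare("SELECT login, role FROM users WHERE login = :login");
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "string-built SQL:\n";
print_r(findByLoginUnsafe($db, $input));

echo "prepared statement:\n";
print_r(findByLoginPrepared($db, $input));
```

The first call matches every row because the quote in the input closes the string literal and the rest of the input is parsed as SQL; the second call matches nothing because no user is literally named `x' OR '1'='1`. Inside WordPress code the same idea is `$wpdb->prepare()`, which takes `%s`/`%d` placeholders and the values as separate arguments, so plugin and theme authors have no reason to build query strings by hand.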

In conclusion, WordPress itself remains responsible for the security of its bundled libraries and for zero-day vulnerabilities, which can be contained before they spread. The really insecure parts are the themes and plugins used on the site. To keep themes and plugins safe, the updates published by their authors must be applied regularly.


Is there enough support for WordPress?

WordPress has a huge community. Version 4.6 alone has been downloaded 21.7 million times. There are thousands of plugins (actually more than 50K in the official repository as of today), thousands of themes and thousands of support forums around the Internet. There are also many local companies offering enterprise support for WordPress. On the other hand, you will have only one source of support when you buy proprietary CMS software from your local company.


How do I make WordPress safer?

As I mentioned earlier, WordPress automatically applies security updates in the background. In addition, updates to the themes and active plugins should be applied regularly, and unnecessary or unused plugins should be disabled or removed.
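The background updater mentioned above only covers core by default; the following is an added example (not code from the article) of the settings that extend it to plugins and themes. The `WP_AUTO_UPDATE_CORE` constant and the `auto_update_plugin` / `auto_update_theme` filters are real WordPress settings; the file names and the choice to keep core on minor releases are assumptions for the example.

```php
<?php
// Added example, not from the article. Two fragments for two files:
// the define() goes in wp-config.php, the add_filter() calls go in a
// must-use plugin (wp-content/mu-plugins/auto-updates.php, an assumed
// name) so they stay active even if every ordinary plugin is disabled.

// --- wp-config.php ---
// 'minor' (the default) takes security and maintenance releases only,
// true also takes major releases, false turns core auto-updates off.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- wp-content/mu-plugins/auto-updates.php ---
// Let the same background updater also update every installed plugin
// and theme, instead of waiting for someone to click "Update" in the
// dashboard. Returning true from these filters opts everything in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Auto-updating plugins does not replace removing the ones you no longer use: a disabled plugin's files are still on disk and still reachable by the web server, so "disabled" is not the same as "gone".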

In terms of security, the administration-related files are placed in a separate folder called /wp-admin. This folder should be protected by IP restriction or a second password through the server configuration.
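Here is an added example (not configuration from the article) of that protection in nginx: the client must come from an allowed network and pass HTTP basic authentication before the request reaches PHP at all, so the WordPress login is a third gate rather than the only one. The socket path, the htpasswd file and the 203.0.113.0/24 office range are assumptions for the example. It also shows the two things that usually break when /wp-admin is locked down naively: `admin-ajax.php`, which public-facing themes and plugins call, and `wp-login.php`, which lives outside /wp-admin.

```nginx
# Added example, not from the article. Assumes php-fpm on the socket below,
# an allowed network of 203.0.113.0/24 (constructed documentation range) and
# an existing /etc/nginx/wp-admin.htpasswd created with htpasswd.
location ^~ /wp-admin/ {
    # Themes and plugins call this endpoint from the public front end, so it
    # must stay reachable for everyone; nested access rules replace the
    # parent's, and auth_basic must be switched off explicitly.
    location = /wp-admin/admin-ajax.php {
        allow all;
        auth_basic off;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Gate 1: source address. With the default "satisfy all" both gates
    # must pass.
    allow 203.0.113.0/24;
    deny all;

    # Gate 2: a second password, independent of the WordPress user table.
    auth_basic "WordPress administration";
    auth_basic_user_file /etc/nginx/wp-admin.htpasswd;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# The login form is not under /wp-admin, so give it the same two gates.
location = /wp-login.php {
    allow 203.0.113.0/24;
    deny all;
    auth_basic "WordPress administration";
    auth_basic_user_file /etc/nginx/wp-admin.htpasswd;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

After a reload, check from an address outside the allowed range that /wp-admin/ and /wp-login.php return 403 while /wp-admin/admin-ajax.php still answers, and from an allowed address that the browser prompts for the basic-auth password before the WordPress login form appears. The XML-RPC endpoint (xmlrpc.php) is another entry point that accepts credentials, so decide separately whether it needs to be reachable at all.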

Especially in enterprise applications, besides the standard firewall, a Web Application Firewall (WAF) must be used.

Plugins and themes downloaded from unknown sources should not be used; in particular, nulled (cracked) themes and plugins must be avoided.

There are also some security plugins for WordPress, but I would prefer a web application firewall and a well-configured server over plugin-based protection.


Is WordPress old?

Certainly not. As I mentioned before, WordPress is mature and stable software, yet it is still fresh. It is continuously supported and actively developed, integrating up-to-date technologies. Though “new” and “old” are relative concepts, WordPress is still the market leader and is still being actively developed.

We have watched the integration of the relatively new HTML5 into WordPress step by step. The bundled libraries have been updated over time. The dashboard and the plugin interface have kept improving, and themes have gained many features over time and were always kept up to date. I think they have done a good job in this regard and have always kept the software fresh and up to date.

So, what is bad about WordPress?

WordPress is perfect for blogging. The problem is that you need more plugins and custom code as you move away from the blogging and CMS concept and try to use WordPress as a PHP framework. Using more plugins means more security risk. On the other hand, WordPress itself is free, but plugins are not always free: some plugins have paid/pro versions.

WordPress has action and filter hooks, but adding a simple piece of functionality may still require complicated code.

WordPress has a huge community of plugin developers, theme developers, sellers and users. A simple change in the codebase affects millions.

In conclusion,

We can certainly say that WordPress brought a standard to the blogging business, which is the backbone of the Internet, especially when we remember the very first years of content management system development and their technically and visually bad practices.

Update (01/13/2019):

WordPress 5 came with a new editor. There was a need for some kind of official page builder alternative, and the “Block Editor” (aka Gutenberg) arrived (not a page builder). Although it has some drawbacks and some of us had difficulty getting used to the new editor, it is still being developed. On the other hand, here we can see WordPress’s strategy of renewal and adaptation to the era. Now the block editor is our new scapegoat!



Source: https://volkan.xyz


You can share this blog post only by giving appropriate credit as described at Terms & Conditions.
