Because you sound like you know a bit about a11y, we could really use a hand. Accessibility meetings are weekly in the Make WordPress.org Slack instance. One of the problems is that Gutenberg's technology is very different than the rest of WordPress core, so some of the a11y contributors to WordPress Core are staying away from code-contributions to Gutenberg because of that (myself included). I've been playing around with node.js a bit to try and contribute, but it's very different than what I'm used to (PHP).
There's also a very nice library that can dump all the pages from Wagtail into a static site which you can then just copy to a CDN, giving you the best of both worlds: The ease of publishing of dynamic sites and the speed/ease of deployment of static sites.
If it is so awful, why is it on over 25% of sites?
It has helped alot of people make alot of money, and continues to do so.
I raise you another:
God help us; we're in the hands of engineers.However, Peachpie seems like an awesome showcase what is possible in modern environments and apps.
However, as software, Wordpress deserves the hate it gets. There is no real security or firewalling or permissions limiting of plugins, there is no hint of modern PHP practices like Composer integration, routing, or the use of a templating language (and no, PHP itself doesn't count) and the amount of cruft it carries with it for the sake of backwards compatibility makes it insanely complex and far more bloated than it needs to be.
Wordpress in principle is a wonderful, useful product, and anyone trying to compete with it needs to closely study what it gets right (ease of deployment, ease of extension, ease of configuration, auto-updates, plugins, etc.) as well as what it gets wrong. Wordpress in practice, though, needs to be tossed into a pit and burned.
I can't say all, but the huge bulk of security issues I've seen revolve around some exploit which ends up writing a new file, or overwriting an existing file, which is then publicly accessible. If your file system is not writable, the large majority of WP exploits go away. However, you lose the "press here to upgrade your entire site and all the plugins in one easy step!" functionality, and the "upload files via the browser" ease-of-use.
If you're truly modifying public media files on regular basis, a non-writeable file system kinda stinks (either make the FS writeable or use an external media host, which adds complexity and cost). MOST systems I run in to aren't doing this often - it's "put up the site and updates some pages every few months" (or, blogging, which is often just text). For these, I recommend turning off write permissions to the whole of the WP system, and periodically turning it back on to do updates, then turning it off again.
Yes, this doesn't cover 100% of exploit cases, but nothing does, and I've found this to go a moderately long way to reduce the impact of various exploit attempts.
So, to answer the question, I would say "it depends". If the .net hosted version also by default allows for writeable media that is also executable, then there would be problems. However, I don't expect a .net-based system would allow you to get a ".aspx" file in a publicly accessible URL and have it just execute when accessed (unless there's some deployment mode that would allow for that?)
The problems with Wordpress are mostly:
1. WP installations are often not properly configured or maintained.
2. The plugin ecosystem is a mess of vulnerable and/or malicious code, or simply dead code that isn't maintained yet still deployed in the wild.
That a POST param even was used to as the path to a file to delete without sanitizing it is not usually indicative of "secure coding practices".
I’d hate to see what you think is terrible then.
Wordpress is not and I imagine never will be anywhere close to “modern design patterns”.
It’s not even close to old design patterns, unless Heinz has a namesake software design pattern.
Wordpress uses practices that were considered a bad idea a decade or more ago, and still refuses to change.
However, not to disrespect the work that has gone into Wordpress, how hard can it be to write something better for the frontend and get marketplace adoption?
I do not like the frontend 'coding standards' and mess of plugins. Starting straight from the raw wp_ mySQL tables is a less insurmountable task than hacking some theme and bloating it out with 'jQuery' plugins that should never have been plugins. It seems that it is the ecosystem of design agencies with their lorem-ipsum big-up-front-designs and allegedly 'agile' workflows that have made Wordpress into something I do not like working with. Particularly when the add-ins make the backend far removed from sensible, making it a nightmare CMS for clients.
Hasn't anyone written a decent frontend for it that is not a tacky theme with ten thousand lines of CSS of which 97% is not used and a megabyte of scripts to get the carousel and share links working?
How's Linux for .NET hosting? Because Linux hosts are generally cheaper than Windows hosts.
For .NET Core there are binary packages [1] for Debian/Ubuntu, Fedora, Red Hat and SUSE, so you can apt-get/rpm/yum hosting environment in a matter of minutes. I'd say it's easier to set up and run ASP.NET Core app with Apache or nginx as reverse proxy than with IIS. For "old" .NET you are stuck with Mono [2] which works okay-ish if you don't use Windows-only dependencies.
[1] https://www.microsoft.com/net/download/linux-package-manager...
If McDonalds is so bad for you, why do they serve 550 million Big Macs every year?
WP is 'free', has a low barrier to entry, and for many years non-developers were able to relatively easily add custom functionality (sometimes done well, but often security and performance nightmares).
A lot of people make a lot of money from selling illegal drugs, or fatty foods, or bad investment/insurance products.
WP has its place, and in the right skilled hands, for the right projects, addresses many business needs decently well. Until it doesn't.
But this "right tool for the right job" argument has been beaten to death when it comes to WP. Biggest 'meta' issue I see with WP is that it doesn't do much to encourage most people "developing" on it to ever consider other tools; they just learn to fit more and more jobs in to the same ecosystem, whether it's a good fit or not. And due to the size of the ecosystem, it has enough gravity to keep attracting people to it.
Spot on. I do a fair amount of WP work. I'm a member of a number of WP groups on FB. I see this all the time. For most people WP is a hammer and everything is a nail.
Unfortunately, that's the Kool Aid served by Matt M all the way down. WP isn't an OSS application. It's a cult.
To the majority of the cult members there's nothing else. They know nothing other than WP. Truth be told, most of them don't even know WP.
This is an amazingly good comparison because in both cases the initial assumption is wrong.
Just like WP, McDonalds is not bad for you intrinsically. It’s poor discipline and usage that causes problems.
Think of any modern development best practice that you like (e.g. version control, or automated tests): Wordpress will make it harder, and if you take over an existing Wordpress site, there's a non-zero chance that the previous developer wasn't doing it, making the hairball of code underneath the shiny interface even harder to work with.
WP could address some of this by requiring plugin media/js assets to be copied over to public folders during an 'init' process, while requiring the core PHP code to be outside of the document root/public area. But it would break on certain hosting platforms (I know that years ago, Plesk templates would enforce that nothing could live outside the document root - every upgrade they'd change all PHP permissions to only allow PHP execution inside the document root, perpetuating poor security practices for anyone who wanted to host on plesk-managed servers).
Changing WP to use more modern design patterns (whatever that would entail) probably means breaking all themes and plugins, which isn't acceptable (and even if that wasn't an issue, I doubt the WP maintainers would just accept a PR that completely rewrites everything). This isn't really a thing random contributors can help with.
But, in response to your general theory: I can criticise a car as being fucking terrible without someone suggesting I “go build my own then”.
How close is it to 2.0 A, currently?
These are the issues that are remaining that we (the a11y team) want fixed prior to merge: https://github.com/WordPress/gutenberg/issues?q=is%3Aopen+is...
When these issues were added to the merge proposal, they were what were left for 2.0 level A. But accessibility regressions have gotten introduced many times now while other developers are working on things from other merge proposals. We were doing some tests with users of various assistive technologies, and these were also the problem areas for them.
Here are the open a11y issues for Gutenberg in general: https://github.com/WordPress/gutenberg/issues?page=1&q=is%3A...
A lot of these are still quite important. The UI is also super confusing, as it's an entirely new type of UI, and it's confusing to figure out where everything is if you can't see it. We are working on some documentation that describes it for assistive-technology users, as it's virtually impossible for them to infer how it works.
https://wordpress.org/about/accessibility/
The jump from A to AA is difficult and to put the statement of AA out there, is bold (and probably naive).
Hard.
Very hard. Especially because you first have to pick something as well installed and supported on hosts as PHP to even get traction. Good luck there.
Then you need to be at least as good in most or all features on launch to get any mindshare. Hope you have a few years to work on this side project before you release...
There have been plenty of attempts and of them all Ghost is about the only one to be taken seriously it seems and it’s niche at best (and not yet at the same level of features or ease of use & configuration).
So yeah, the answer is hard. Harder than you think.
Django is your GUI/imaging framework and libraries if you’re going to make that comparison.
I’ve heard the argument by many though that if someone needs WCAG AA, that they can just use the classic editor (which will be supported via a plugin maintained by wp.org). Will be interesting to see how it all plays out
But those are The Right __and__ The Wrong.
For example, adding Composer to the WP "stack" makes sense. But now you've eliminated 90% (?) of the WP "developers."
That is, in the Universe of WordPress Composer is more friction, not less (i.e., ease of use).
Long to short, for better or worse, WP is Justin Bieber. It will never be Radiohead.
Maybe, but it wouldn't be impossible to rebuild plugins around Composer and PSR standards. And doing so would make them better organized, and make it easier to manage third party dependencies. If you were going to build Wordpress from scratch, today, that's probably what you would do - just make plugins a special case of Composer dependencies.
The only question is, whether you would still have as robust an ecosystem with a more restrictive framework? Probably not, but the quality of plugins would probably be higher.
I filed a core bug report once. Long to short, if I passed (I think it was) false to a core function, I got very unexpected results. The dev that replied to me said, "Well then don't do that." Huh?
The idea that the function should check, that it should be aware that humans (and their code) make unexpected mistakes, was completely foreign to her / him. I lost a lot of faith that day. I lose a bit more every time I go poking around in core code. I'm no Super DevMan. So when __I__ see bad patterns you know something is wrong.
p.s. Fwiw, even the lead dog (i.e., Automattic) has some nasty code habits. Simply dumbfounding.
What wordpress does is basically glorified printf, substituting values into a string.
If you can’t see how this is a danger, you’re in no position to comment on the quality of the code.
My point stands. The worst problems in Wordpress are the plugin ecosystem and poorly maintained instances.
if you're not big in to development, you're reliant on a plethora of plugins, and you need to hope that the dozens of plugins you tie together know how to play nicely together. I'd run in to multiple situations where poorly built plugins for plugins were hacked on and then conflicted with other plugins - everyone pointed the finger at someone else. and then the standard support line from a couple vendors (these were plugins with paid support, btw) - "disable 100% of all your plugins, then enable them one by one to see where the problem is". Sweet.
And when I tell people I inherited a wp site with just shy of 60 plugins, few people actually believe me. "I would never do that! I would never built anything with more than 4 (substitute with various numbers representing experience levels of people) plugins - that's all anyone ever needs!"
When it works well, it works well. When it doesn't, it's a bloody nightmare.
I have seen sites with 60+ WP plugins enabled. Many outdated, many hacked upon (and poorly, with no documentation). Even the WP instances were modified just slightly and had convoluted build processes that nobody on the current teams could explain (again, with no documentation. Or rather documentation was "TBD" circa 2010).
And all of those WP instances either shared configurations and root style sheets or ran as a multi-site on a single machine with Nginx in front of it only using a mix of Akamai, Cloudflare, and Brightcove to handle some, but not all, non-print media.
The sites were consistently being exploited and having porn uploaded. Issues like that were usually caught quickly enough, but that kind of operation kept the teams busy with patching holes rather than improving performance.
Last I checked their WP sites downloaded 20 Mb of scripts alone on a fresh load, and 6mb thereafter.
Bloody nightmare is right.
Go read https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb...
A couple of little snippets to highlight the point I'm trying to make:
> The current system is insecure-by-design. That doesn’t mean it’s always hackable, but it means you have to actively work to make it not attackable. It’s better to switch to a design that’s secure-by-default and make the insecure the exceptional case.
> The best path forward would be to switch to PDO/MySQLi and use real prepared statements and not emulate them in PHP land. That’s the best path forward.
But given that the core wordpress team basically ignore this type of suggestion from PHP core contributors, why would I expect you to believe me about it here?
People who've been raised on fast/processed foods, and may never have actually done any cooking themselves, honestly may not even understand the problems with the food they're eating, or what the alternatives are. Yeah, 'home cooking' is more initially expensive (need some basics tools, place to store ingredients, keep them fresh, etc), and certainly more time up front learning how to cook certain things. But... you know what's in the food you've prepared. And you have knowledge and skills that can serve you for a long time.