WP Alternative, Surely something a CMS that's more secure could be made by now?

Just a question given there's a good amount of general web knowledge around here.

WP, been around for 10 years+, anyone can add themes/plugins/PHP of an insecure nature which make it insecure, and it's popular enough to become a specific hack target.

In 2018, do you think something better could replace the ubiquity of Wordpress?

Personally I avoid it at all costs, being an old school coder. It's not hard for me to maintain a site without the neediness of WP, and I'd prefer to avoid the headache of maintaining it.

Surely something extensible could replace it, or by nature is the extensibility insecure?

I ask because I come from a web developer/market background, and my impression nowadays is that WP just 'generally saves time doing stuff' and is a low barrier to entry for the non-tech folk, but given that you're technically minded, perhaps there's a better all round solution.


Comments

  • WSS Member

    TextPattern has been around just as long, and even though some of the code has been shitty (and mostly subsequently fixed) over the years, it's not that bad. It's more customizable, and has so many plugins that you could vomit. Templating and building simple functions isn't as easy as WP- you have to understand basic logic, and make wrappers for any custom things, but anyone with a couple years of PHP is more than capable.

    I rolled my own CMS back in the day, and moved to TXP around 2005, when I decided I no longer wanted to maintain my dated code, which I created before I decided that external templating was a good idea. I've never had a problem with security on anything I've used it on.

    Thanked by ricardo
  • ricardo said: add themes/plugins/PHP of an insecure nature

    That is the root of all problems. Adding all kinds of weird stuff will make any CMS insecure.

    Thanked by WSS, ricardo
  • ricardo said: by nature is the extensibility insecure?

    Yep.

    Wordpress itself is pretty secure and well tested, in vanilla form. To have fully-secure extensions, you'll need a custom WP coding language, which you can write plugins with, and wordpress parses the plugin and converts it to actual code. Also, it needs some sort of artificial intelligence to analyze the code because a plugin that helps you "upload files easily" isn't much different than a plugin that "upload files secretly".

    Until then, plugins are only as secure as the intelligence of people using it. I don't see how any other CMS can be coded that doesn't allow any insecure plugins.

    Thanked by ricardo, WSS
  • WSS Member

    @Harzem said:

    ricardo said: by nature is the extensibility insecure?

    Yep.

    Wordpress itself is pretty secure and well tested, in vanilla form.

    Windows isn't all that bad when there's no networking, either.

    Thanked by Junkless
  • Thing is with the extensibility, can't it be formalised enough to the point where 3rd parties cannot introduce insecure code?

    Input validation, templates with variables, acceptable files, calls over the web, process some stuff... in the end the plugins do a finite amount of things. There's 25 years of lessons learned where these problems shouldn't exist anymore. XML specs of APIs deal well with this kind of thing.

    I suppose I've just expected something a little more formal coming along that nails down all the previous mistakes and has a formalism that's user friendly and reasonably extensible.

  • @ricardo said:
    Thing is with the extensibility, can't it be formalised enough to the point where 3rd parties cannot introduce insecure code?

    Yes, and no. As long as you add any plugin to have any function which isn't explicitly validated or locked down, there's a good possibility of exploitation.

    Input validation, templates with variables, acceptable files, calls over the web, process some stuff... in the end the plugins do a finite amount of things. There's 25 years of lessons learned where these problems shouldn't exist anymore. XML specs of APIs deal well with this kind of thing.

    Ugh. If you're suggesting XSLT, you've completely lost me. That was godawful to live through.

    I suppose I've just expected something a little more formal coming along that nails down all the previous mistakes and has a formalism that's user friendly and reasonably extensible.

    Yet again, much like with x86 hardware, you can't exactly throw out everything, unless you can afford to start over. So, you still have idiots with "nulled themes" which are rife with builtins which expose that info to the

  • What I do today is this....

    I create a wordpress on my local computer.... then I use a plugin to export to static html, then serve the static to my hosting. I think nothing beats the security of static html site

  • WSS Member
    edited February 2018

    @jcaleb said:
    What I do today is this....

    I create a wordpress on my local computer.... then I use a plugin to export to static html, then serve the static to my hosting. I think nothing beats the security of static html site

    So, you've somewhat recreated a post-parser Grav in a really roundabout way.. ;)

  • WSS said: So, you've somewhat recreated Grav in a really roundabout way.. ;)

    Well, I'm used to WP. I don't need to learn anything new. Also I could use all those awesome themes and plugins I want. So I love it.

  • bsdguy Member
    edited February 2018

    @Harzem

    Come on, you know better.

    @ricardo

    Sure, better software can be written. I happen to know because I'm doing it. But there's a but: 90+% of the people out there don't care a rat's ass and wp is well known, a big player, free, lots of themes and plugins and shit. Mine, however, isn't any of that and I doubt that there are many qualified engineers out there to create a "safe and secure wp" for free. About the best that is available (from what little I know; after all I'm not too interested in that segment) seems to be diverse "kits" which still require way more know-how and work than the vast majority out there can and wants to invest.

    Oh, and: turn it any way you want, there isn't, nor will there be anytime soon, a reasonably safe and secure system based on scripting (or more precisely, on dynamically typed and interpreted) languages (php not even being counted as a language but as a tumor, btw).

    A reasonably safe and secure system would consist (and that's taking it easy) of a well engineered compiled core and possibly some (statically typed) scripted extensions. Don't hold your breath, the chances for that are slim (i.a. because there aren't that many engineers having the necessary know-how and experience).

    And hey, the herd seems to quite happily feed on wp and similar crap.

  • I don't know if anyone uses Drupal any more, but it was an alternative for a while. It has its own security problems of course. Again the problem isn't writing a CMS application per se, but in reproducing the huge plugin ecosystem that WP and Drupal have accreted.

  • What if I wanted a simple platform that included the stupid CMS parts that I could then extend with whatever I want? I'm done creating user management systems, or reusing classes. I'm tired of the mundane stuff.

  • Harzem Member
    edited February 2018

    Everyone seems to be able to write a better system than WP on LET, apparently. But also everyone has missed the point. Here, quoted in bold:

    ricardo said: do you think something better could replace the ubiquity of Wordpress?

    ubiquity of Wordpress

    is the keyword.

    @WSS : By your own words, for Textpattern Templating and building simple functions isn't as easy as WP.

    Guess what, 90% of WP plugin "developers" can only create simple functions or templates. That's what makes WP most popular.

    @ricardo yes extensions can be formalized, restricted, patterned. Then you lose most of the extensibility (see Firefox 57) and lose 80% of users who aren't simply rolling out personal blogs.

    In the last 25+ years many lessons have been learned on how to make secure code and extensions. But if you want something to replace WP, you'll need to focus on the novice developers too. Without them, what you have is a very secure CMS that only 5 websites use.

    @bsdguy I know how security conscious you are, but what percentage of developers are as experienced as you? There are developers out there who can create something more secure than WP, even in the PHP language that you hate (have you seen PHP 7?) but what those good developers create will have serious restrictions on plugin development, or severely limit the extensibility of the core, and overall will be hard to modify.

    WP is popular not because it's secure. In fact, 95% of people using it have no idea how secure it is. Those 95% give no fucks about how secure it is.

    How many people do you see abandoning Windows to move to Debian, because it's more secure? How many people delete the vendor-hacked Android on their phones to install vanilla Android?

    WP is popular because people can easily extend it. Even novice developers can create a simple function, however insecure, and implement it on their site, and be proud of being able to do that.

    All your own in-house custom-coded CMSs written in super-secure Crypto-script language are absolutely no match for simplicity of Wordpress's extension and templating system, which makes WP plugins insecure but popular.

    Without that simplicity, what you have is a niche software. Probably more secure, but doomed to stay dormant.

    Whatever replaces Wordpress will be even easier to extend and create templates for. Every security-oriented limitation other CMSs put through is helping WP get even more market share.

    I'm also writing my own CMS, which is something I have in common with everyone on this thread, apparently. It's more secure than WP because you simply can't write any plugins for it. It can only run vanilla, because it will be used only on my own websites. It doesn't make it a better developed system than Wordpress.

    Let's go back again to the original question and remind ourselves why our own super-secure systems will never be as good as WP:

    ricardo said: do you think something better could replace the ubiquity of Wordpress?

    There simply isn't a way to create software that:

    • runs on PHP, most popular scripting language,
    • has severely limited functions to plug into,
    • has a complex plugin system that requires at least a few years' worth of PHP experience to use.
    • is still more popular than WP.

    No way, sorry.

  • Most of the reason people I know got their WP hacked were because of nulled plugins/themes. Since you know how to code, you can always code your own plugins or themes. You can review the code of 3rd party plugins/themes before installation tho.
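    One way to do the pre-install review that post recommends, as an added example that is not code from the thread: a small Python scanner (the pattern list is my own choice, not an official WordPress tool) that flags constructs typically found in backdoored nulled themes and plugins, run over a constructed sample.

    ```python
    import re
    from pathlib import Path
    from typing import Dict, List

    # Constructs that are rarely legitimate in a theme or plugin and are the usual
    # signature of backdoored "nulled" code. The list is this example's own choice.
    SUSPICIOUS = {
        "eval": re.compile(r"\beval\s*\("),
        "obfuscation": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
        "dynamic_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\("),
        "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://"),
        "variable_function": re.compile(r"\$\w+\s*\(\s*\$"),  # $f($x): call by runtime name
    }

    def scan_source(src: str, name: str = "<string>") -> List[Dict[str, object]]:
        """Return one finding per (line, rule) hit in a PHP source string."""
        findings: List[Dict[str, object]] = []
        for lineno, line in enumerate(src.splitlines(), 1):
            for rule, pattern in SUSPICIOUS.items():
                if pattern.search(line):
                    findings.append({"file": name, "line": lineno, "rule": rule, "text": line.strip()})
        return findings

    def scan_tree(root: Path) -> List[Dict[str, object]]:
        """Walk an extracted theme/plugin directory and scan every .php file in it."""
        findings: List[Dict[str, object]] = []
        for path in sorted(root.rglob("*.php")):
            findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
        return findings

    # Constructed samples: a footer.php resembling a backdoored nulled theme, and a clean one.
    SAMPLE_NULLED = """<?php
    function theme_footer() { echo '<footer>'; }
    $k = 'PLACEHOLDER';
    eval(base64_decode($k));
    """
    SAMPLE_CLEAN = """<?php
    function theme_footer() { echo esc_html(get_bloginfo('name')); }
    """

    if __name__ == "__main__":
        for f in scan_source(SAMPLE_NULLED, "footer.php"):
            print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
    ```

    A hit is a prompt to read that line by hand, not proof of a backdoor; plugins that legitimately shell out or decode data will trigger it too.
    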

  • @Harzem I'm only saying so, because it doesn't do the "drop this in 'plugins', and go" deal, and the same for the visual templating. It's layered. It's not awfully difficult, and dealing with making a plugin isn't hard. However, it takes you more than an hour to start coding for it.

  • bsdguy Member
    edited February 2018

    @Harzem

    Well, we seem to say similar things, albeit from different perspectives and in different words (except for php which I - with good reason - continue to call "turbo-crap").

    But things get quite different when you walk a couple of steps from wp to, say whcms. When the former is crappy, oh well, a site owner gets fucked; if however the latter is crappy then millions of innocent customers get fucked.

    (Btw. I wasn't even talking about strange languages with/plus Hoare triples and FOL but about quite accessible and not sooo complicated ones like, say Ocaml or Ada.)

  • Harzem Member
    edited February 2018

    bsdguy said: whcms

    Your spelling error would be a better name for WHMCS. "web hosting customer management system" is a lot better than "web host manager complete solution" which doesn't even sound grammatically correct.

  • WSS said: Ugh. If you're suggesting XSLT, you've completely lost me. That was godawful to live through.

    I know you get the general principle though. The 'semantic web' concept was as eclectic as everyone who took part, but BS aside, there's some nails to be nailed wrt validation, calls to other sites, the usual suspects that fall down. It all boils down to strings and ints for a lot of the BS that causes problems.

    bsdguy said: Sure, better software can be written. I happen to know because I'm doing it

    Which language are you writing it in?

    Harzem said: novice developers

    Essentially the problem though, right?

  • @bsdguy The biggest issue with your statement comparing WHMCS vs WP, is that people who are stuck with WHMCS at least hide the admin behind one or two layers of security, and don't download random skins from anywhere.internet for deployment. At least not the ones that aren't nulled.

  • @ricardo said:

    WSS said: Ugh. If you're suggesting XSLT, you've completely lost me. That was godawful to live through.

    I know you get the general principle though. The 'semantic web' concept was as eclectic as everyone who took part, but BS aside, there's some nails to be nailed wrt validation, calls to other sites, the usual suspects that fall down. It all boils down to strings and ints for a lot of the BS that causes problems.

    Well, yeah, or just a templating system that doesn't cause you to just throw up your hands and say "Fuck this shit, I'm out." Smarty is fucking awful, but XSLT is on the other side of the damaged coin.

    bsdguy said: Sure, better software can be written. I happen to know because I'm doing it

    Which language are you writing it in?

    Although I enjoy @bsdguy's rhetoric, he still likes to go after C (probably because he prefers the garbage collection in Node).

    Harzem said: novice developers

    Essentially the problem though, right?

    Signed.

    Thanked by ricardo
  • Harzem Member
    edited February 2018

    @ricardo said:

    Harzem said: novice developers

    Essentially the problem though, right?

    The problem, and the source of popularity. You either have novice developers' support or a great CMS with 0.05% market share.

  • @Harzem said:

    @ricardo said:

    Harzem said: novice developers

    Essentially the problem though, right?

    The problem, and the source of popularity. You either have novice developers' support or a great CMS with 0.05% market share.

    Have I told you about TextPattern, Brother?

  • @Harzem I'd propose that your idea is nice in theory, but generally WP users will more likely follow an 80/20 rule. As long as it supports nice things A/B and C, they couldn't give a shit about ability for X Y and Z.

    Thanked by WSS
  • WSS said: Have I told you about TextPattern, Brother?

    You have. You can use it, but can the rest of the world? Haven't looked enough to know.

  • @ricardo said:

    WSS said: Have I told you about TextPattern, Brother?

    You have. You can use it, but can the rest of the world? Haven't looked enough to know.

    It actually took me about two weeks to figure it out. That said, the last time I changed my theme design (a port of a WP theme) was over a decade ago. Started making a newer-style design, but these days- work and masturbating take up all of my spare time.

  • @WSS said:
    Have I told you about TextPattern, Brother?

    I know textpattern actually, I've even installed it once, years ago. It wasn't a mission critical project, just some testing. Even back then it was known to be better than WP at some stuff but it never got the market share, for reasons above.

    Thanked by WSS
  • WSS said: but these days- work and masturbating take up all of my spare time.

    Attention is your worst enemy my brother but keep up the good fight :)

    I'm going to take a look at the CMS tomorrow. TBH struggling to fathom why WP is still the main player.

    Thanked by WSS
  • WP is secure if you don't leave it open by neglect.

  • dergelbe said: WP is secure if you don't leave it open by neglect.

    Those kinds of non-answers are best left to tell your grandparents.
